3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
28 # include <winsock2.h>
36 # include <sys/capability.h>
39 #ifndef HAVE_GETOPT_LONG
40 #include "wsutil/wsgetopt.h"
45 #include <epan/exceptions.h>
46 #include <epan/epan.h>
48 #include <wsutil/clopts_common.h>
49 #include <wsutil/cmdarg_err.h>
50 #include <wsutil/crash_info.h>
51 #include <wsutil/filesystem.h>
52 #include <wsutil/file_util.h>
53 #include <wsutil/privileges.h>
54 #include <wsutil/report_message.h>
55 #include <version_info.h>
56 #include <wiretap/wtap_opttypes.h>
57 #include <wiretap/pcapng.h>
60 #include <epan/timestamp.h>
61 #include <epan/packet.h>
63 #include <epan/wslua/init_wslua.h>
65 #include "frame_tvbuff.h"
66 #include <epan/disabled_protos.h>
67 #include <epan/prefs.h>
68 #include <epan/column.h>
69 #include <epan/decode_as.h>
70 #include <epan/print.h>
71 #include <epan/addr_resolv.h>
73 #include "ui/capture_ui_utils.h"
77 #include "ui/ws_ui_util.h"
78 #include "ui/decode_as_utils.h"
79 #include "ui/filter_files.h"
80 #include "ui/cli/tshark-tap.h"
81 #include "ui/cli/tap-exportobject.h"
82 #include "ui/tap_export_pdu.h"
83 #include "ui/dissect_opts.h"
84 #include "ui/failure_message.h"
85 #if defined(HAVE_LIBSMI)
86 #include "epan/oids.h"
88 #include "epan/maxmind_db.h"
89 #include "epan/register.h"
90 #include <epan/epan_dissect.h>
92 #include <epan/stat_tap_ui.h>
93 #include <epan/conversation_table.h>
94 #include <epan/srt_table.h>
95 #include <epan/rtd_table.h>
96 #include <epan/ex-opt.h>
97 #include <epan/exported_pdu.h>
99 #include "capture_opts.h"
101 #include "caputils/capture-pcap-util.h"
104 #include "caputils/capture_ifinfo.h"
106 #include "caputils/capture-wpcap.h"
107 #include <wsutil/unicode-utils.h>
109 #include <capchild/capture_session.h>
110 #include <capchild/capture_sync.h>
111 #include <capture_info.h>
112 #endif /* HAVE_LIBPCAP */
114 #include <epan/funnel.h>
116 #include <wsutil/str_util.h>
117 #include <wsutil/utf8_entities.h>
122 #include <wsutil/plugins.h>
126 #define INVALID_OPTION 1
127 #define INVALID_INTERFACE 2
128 #define INVALID_FILE 2
129 #define INVALID_FILTER 2
130 #define INVALID_EXPORT 2
131 #define INVALID_CAPABILITY 2
132 #define INVALID_TAP 2
133 #define INVALID_DATA_LINK 2
134 #define INVALID_TIMESTAMP_TYPE 2
135 #define INVALID_CAPTURE 2
136 #define INIT_FAILED 2
139 * values 128..65535 are capture+dissect options, 65536 is used by
140 * ui/commandline.c, so start tshark-specific options 1000 after this
142 #define LONGOPT_COLOR (65536+1000)
143 #define LONGOPT_NO_DUPLICATE_KEYS (65536+1001)
145 #define LONGOPT_ELASTIC_MAPPING_FILTER (65536+1002)
149 #define tshark_debug(...) g_warning(__VA_ARGS__)
151 #define tshark_debug(...)
156 static guint32 cum_bytes;
157 static frame_data ref_frame;
158 static frame_data prev_dis_frame;
159 static frame_data prev_cap_frame;
161 static gboolean perform_two_pass_analysis;
162 static guint32 epan_auto_reset_count = 0;
163 static gboolean epan_auto_reset = FALSE;
166 * The way the packet decode is to be written.
169 WRITE_TEXT, /* summary or detail text */
170 WRITE_XML, /* PDML or PSML */
171 WRITE_FIELDS, /* User defined list of fields */
172 WRITE_JSON, /* JSON */
173 WRITE_JSON_RAW, /* JSON only raw hex */
174 WRITE_EK /* JSON bulk insert to Elasticsearch */
175 /* Add CSV and the like here */
178 static output_action_e output_action;
179 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
180 static gboolean print_packet_info; /* TRUE if we're to print packet information */
181 static gboolean print_summary; /* TRUE if we're to print packet summary information */
182 static gboolean print_details; /* TRUE if we're to print packet details information */
183 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
184 static gboolean line_buffered;
185 static gboolean really_quiet = FALSE;
186 static gchar* delimiter_char = " ";
187 static gboolean dissect_color = FALSE;
189 static print_format_e print_format = PR_FMT_TEXT;
190 static print_stream_t *print_stream = NULL;
192 static output_fields_t* output_fields = NULL;
193 static gchar **protocolfilter = NULL;
194 static pf_flags protocolfilter_flags = PF_NONE;
196 static gboolean no_duplicate_keys = FALSE;
197 static proto_node_children_grouper_func node_children_grouper = proto_node_group_children_by_unique;
199 /* The line separator used between packets, changeable via the -S option */
200 static const char *separator = "";
202 static gboolean prefs_loaded = FALSE;
206 * TRUE if we're to print packet counts to keep track of captured packets.
208 static gboolean print_packet_counts;
210 static capture_options global_capture_opts;
211 static capture_session global_capture_session;
212 static info_data_t global_info_data;
215 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
216 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
219 static gboolean capture(void);
220 static void report_counts(void);
222 static BOOL WINAPI capture_cleanup(DWORD);
224 static void capture_cleanup(int);
226 static void report_counts_siginfo(int);
230 #else /* HAVE_LIBPCAP */
232 static char *output_file_name;
234 #endif /* HAVE_LIBPCAP */
236 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
237 static gboolean process_cap_file(capture_file *, char *, int, gboolean, int, gint64);
238 static gboolean process_packet_single_pass(capture_file *cf,
239 epan_dissect_t *edt, gint64 offset, wtap_rec *rec,
240 const guchar *pd, guint tap_flags);
241 static void show_print_file_io_error(int err);
242 static gboolean write_preamble(capture_file *cf);
243 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
244 static gboolean write_finale(void);
246 static void failure_warning_message(const char *msg_format, va_list ap);
247 static void open_failure_message(const char *filename, int err,
248 gboolean for_writing);
249 static void read_failure_message(const char *filename, int err);
250 static void write_failure_message(const char *filename, int err);
251 static void failure_message_cont(const char *msg_format, va_list ap);
253 static GHashTable *output_only_tables = NULL;
256 const char *sstr; /* The short string */
257 const char *lstr; /* The long string */
261 string_compare(gconstpointer a, gconstpointer b)
263 return strcmp(((const struct string_elem *)a)->sstr,
264 ((const struct string_elem *)b)->sstr);
268 string_elem_print(gpointer data)
270 fprintf(stderr, " %s - %s\n",
271 ((struct string_elem *)data)->sstr,
272 ((struct string_elem *)data)->lstr);
276 list_capture_types(void) {
278 struct string_elem *captypes;
281 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
283 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
284 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
285 if (wtap_dump_can_open(i)) {
286 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
287 captypes[i].lstr = wtap_file_type_subtype_string(i);
288 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
291 g_slist_free_full(list, string_elem_print);
296 list_read_capture_types(void) {
298 struct string_elem *captypes;
300 const char *magic = "Magic-value-based";
301 const char *heuristic = "Heuristics-based";
303 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
304 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
306 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
307 for (i = 0; open_routines[i].name != NULL; i++) {
308 captypes[i].sstr = open_routines[i].name;
309 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
310 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
312 g_slist_free_full(list, string_elem_print);
317 print_usage(FILE *output)
319 fprintf(output, "\n");
320 fprintf(output, "Usage: tshark [options] ...\n");
321 fprintf(output, "\n");
324 fprintf(output, "Capture interface:\n");
325 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
326 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
327 #ifdef HAVE_PCAP_CREATE
328 fprintf(output, " -s <snaplen> packet snapshot length (def: appropriate maximum)\n");
330 fprintf(output, " -s <snaplen> packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
332 fprintf(output, " -p don't capture in promiscuous mode\n");
333 #ifdef HAVE_PCAP_CREATE
334 fprintf(output, " -I capture in monitor mode, if available\n");
336 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
337 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
339 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
340 fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
341 fprintf(output, " -D print list of interfaces and exit\n");
342 fprintf(output, " -L print list of link-layer types of iface and exit\n");
343 fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
344 fprintf(output, "\n");
345 fprintf(output, "Capture stop conditions:\n");
346 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
347 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
348 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
349 fprintf(output, " files:NUM - stop after NUM files\n");
350 /*fprintf(output, "\n");*/
351 fprintf(output, "Capture output:\n");
352 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
353 fprintf(output, " interval:NUM - create time intervals of NUM secs\n");
354 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
355 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
356 #endif /* HAVE_LIBPCAP */
357 #ifdef HAVE_PCAP_REMOTE
358 fprintf(output, "RPCAP options:\n");
359 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
361 /*fprintf(output, "\n");*/
362 fprintf(output, "Input file:\n");
363 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
365 fprintf(output, "\n");
366 fprintf(output, "Processing:\n");
367 fprintf(output, " -2 perform a two-pass analysis\n");
368 fprintf(output, " -M <packet count> perform session auto reset\n");
369 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
370 fprintf(output, " (requires -2)\n");
371 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
372 fprintf(output, " syntax\n");
373 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
374 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
375 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
376 fprintf(output, " \"Decode As\", see the man page for details\n");
377 fprintf(output, " Example: tcp.port==8888,http\n");
378 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
379 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
380 fprintf(output, " --enable-protocol <proto_name>\n");
381 fprintf(output, " enable dissection of proto_name\n");
382 fprintf(output, " --disable-protocol <proto_name>\n");
383 fprintf(output, " disable dissection of proto_name\n");
384 fprintf(output, " --enable-heuristic <short_name>\n");
385 fprintf(output, " enable dissection of heuristic protocol\n");
386 fprintf(output, " --disable-heuristic <short_name>\n");
387 fprintf(output, " disable dissection of heuristic protocol\n");
389 /*fprintf(output, "\n");*/
390 fprintf(output, "Output:\n");
391 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
392 fprintf(output, " (or to the standard output for \"-\")\n");
393 fprintf(output, " -C <config profile> start with specified configuration profile\n");
394 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
395 fprintf(output, " an empty \"-F\" option will list the file types\n");
396 fprintf(output, " -V add output of packet tree (Packet Details)\n");
397 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
398 fprintf(output, " separated\n");
399 fprintf(output, " -P print packet summary even when writing to a file\n");
400 fprintf(output, " -S <separator> the line separator to print between packets\n");
401 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
402 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
403 fprintf(output, " format of text output (def: text)\n");
404 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
405 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
406 fprintf(output, " nodes, unless child is specified also in the filter)\n");
407 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
408 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
409 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
410 fprintf(output, " _ws.col.Info)\n");
411 fprintf(output, " this option can be repeated to print multiple fields\n");
412 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
413 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
414 fprintf(output, " header=y|n switch headers on and off\n");
415 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
416 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
417 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
418 fprintf(output, " aggregator\n");
419 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
420 fprintf(output, " -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)\n");
421 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
422 fprintf(output, " -l flush standard output after each packet\n");
423 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
424 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
425 fprintf(output, " -g enable group read access on the output file(s)\n");
426 fprintf(output, " -W n Save extra information in the file, if supported.\n");
427 fprintf(output, " n = write network address resolution information\n");
428 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
429 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
430 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
431 fprintf(output, " --capture-comment <comment>\n");
432 fprintf(output, " add a capture comment to the newly created\n");
433 fprintf(output, " output file (only for pcapng)\n");
434 fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
435 fprintf(output, " a directory named \"destdir\"\n");
436 fprintf(output, " --color color output text similarly to the Wireshark GUI,\n");
437 fprintf(output, " requires a terminal with 24-bit color support\n");
438 fprintf(output, " Also supplies color attributes to pdml and psml formats\n");
439 fprintf(output, " (Note that attributes are nonstandard)\n");
440 fprintf(output, " --no-duplicate-keys If -T json is specified, merge duplicate keys in an object\n");
441 fprintf(output, " into a single key with as value a json array containing all\n");
442 fprintf(output, " values\n");
444 fprintf(output, " --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the\n");
445 fprintf(output, " specified protocols within the mapping file\n");
448 fprintf(output, "\n");
449 fprintf(output, "Miscellaneous:\n");
450 fprintf(output, " -h display this help and exit\n");
451 fprintf(output, " -v display version info and exit\n");
452 fprintf(output, " -o <name>:<value> ... override preference setting\n");
453 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
454 fprintf(output, " -G [report] dump one of several available reports and exit\n");
455 fprintf(output, " default report=\"fields\"\n");
456 fprintf(output, " use \"-G help\" for more help\n");
458 fprintf(output, "\n");
459 fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
460 fprintf(output, "You might want to enable it by executing:\n");
461 fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
462 fprintf(output, "Note that this can make your system less secure!\n");
468 glossary_option_help(void)
474 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
476 fprintf(output, "\n");
477 fprintf(output, "Usage: tshark -G [report]\n");
478 fprintf(output, "\n");
479 fprintf(output, "Glossary table reports:\n");
480 fprintf(output, " -G column-formats dump column format codes and exit\n");
481 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
482 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
484 fprintf(output, " -G elastic-mapping dump ElasticSearch mapping file\n");
486 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
487 fprintf(output, " -G fields dump fields glossary and exit\n");
488 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
489 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
490 fprintf(output, " -G plugins dump installed plugins and exit\n");
491 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
492 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
493 fprintf(output, "\n");
494 fprintf(output, "Preference reports:\n");
495 fprintf(output, " -G currentprefs dump current preferences and exit\n");
496 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
497 fprintf(output, " -G folders dump about:folders\n");
498 fprintf(output, "\n");
502 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
503 const gchar *message, gpointer user_data)
505 /* ignore log message, if log_level isn't interesting based
506 upon the console log preferences.
507 If the preferences haven't been loaded yet, display the
510 The default console_log_level preference value is such that only
511 ERROR, CRITICAL and WARNING level messages are processed;
512 MESSAGE, INFO and DEBUG level messages are ignored.
514 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
515 ERROR and CRITICAL level messages so the current code is a behavioral
516 change. The current behavior is the same as in Wireshark.
518 if (prefs_loaded && (log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0) {
522 g_log_default_handler(log_domain, log_level, message, user_data);
527 print_current_user(void) {
528 gchar *cur_user, *cur_group;
530 if (started_with_special_privs()) {
531 cur_user = get_cur_username();
532 cur_group = get_cur_groupname();
533 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
534 cur_user, cur_group);
537 if (running_with_special_privs()) {
538 fprintf(stderr, " This could be dangerous.");
540 fprintf(stderr, "\n");
545 get_tshark_compiled_version_info(GString *str)
547 /* Capture libraries */
548 get_compiled_caplibs_version(str);
552 get_tshark_runtime_version_info(GString *str)
555 /* Capture libraries */
556 g_string_append(str, ", ");
557 get_runtime_caplibs_version(str);
560 /* stuff used by libwireshark */
561 epan_get_runtime_version_info(str);
567 const char *constpath;
575 * Fetching the "File" dialogs folder not implemented.
576 * This is arguably just a pwd for a ui/cli .
580 printf("%-21s\t%s\n", "Temp:", g_get_tmp_dir());
583 path = get_persconffile_path("", FALSE);
584 printf("%-21s\t%s\n", "Personal configuration:", path);
588 constpath = get_datafile_dir();
589 if (constpath != NULL) {
590 printf("%-21s\t%s\n", "Global configuration:", constpath);
594 constpath = get_systemfile_dir();
595 printf("%-21s\t%s\n", "System:", constpath);
598 constpath = get_progfile_dir();
599 printf("%-21s\t%s\n", "Program:", constpath);
603 printf("%-21s\t%s\n", "Personal Plugins:", get_plugins_pers_dir_with_version());
606 printf("%-21s\t%s\n", "Global Plugins:", get_plugins_dir_with_version());
610 /* pers lua plugins */
611 printf("%-21s\t%s\n", "Personal Lua Plugins:", get_plugins_pers_dir());
613 /* global lua plugins */
614 printf("%-21s\t%s\n", "Global Lua Plugins:", get_plugins_dir());
618 constpath = get_extcap_dir();
620 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
621 for(i = 0; resultArray[i]; i++)
622 printf("%-21s\t%s\n", "Extcap path:", g_strstrip(resultArray[i]));
624 g_strfreev(resultArray);
627 path = maxmind_db_get_paths();
629 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
631 for(i = 0; resultArray[i]; i++)
632 printf("%-21s\t%s\n", "MaxMind database path:", g_strstrip(resultArray[i]));
634 g_strfreev(resultArray);
639 path = oid_get_default_mib_path();
641 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 20);
643 for(i = 0; resultArray[i]; i++)
644 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
646 g_strfreev(resultArray);
653 must_do_dissection(dfilter_t *rfcode, dfilter_t *dfcode,
654 gchar *volatile pdu_export_arg)
656 /* We have to dissect each packet if:
658 we're printing information about each packet;
660 we're using a read filter on the packets;
662 we're using a display filter on the packets;
664 we're exporting PDUs;
666 we're using any taps that need dissection. */
667 return print_packet_info || rfcode || dfcode || pdu_export_arg ||
668 tap_listeners_require_dissection() || dissect_color;
672 main(int argc, char *argv[])
674 GString *comp_info_str;
675 GString *runtime_info_str;
676 char *init_progfile_dir_error;
678 static const struct option long_options[] = {
679 {"help", no_argument, NULL, 'h'},
680 {"version", no_argument, NULL, 'v'},
681 LONGOPT_CAPTURE_COMMON
682 LONGOPT_DISSECT_COMMON
683 {"print", no_argument, NULL, 'P'},
684 {"export-objects", required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
685 {"color", no_argument, NULL, LONGOPT_COLOR},
686 {"no-duplicate-keys", no_argument, NULL, LONGOPT_NO_DUPLICATE_KEYS},
688 {"elastic-mapping-filter", required_argument, NULL, LONGOPT_ELASTIC_MAPPING_FILTER},
692 gboolean arg_error = FALSE;
700 volatile gboolean success;
701 volatile int exit_status = EXIT_SUCCESS;
703 int caps_queries = 0;
704 gboolean start_capture = FALSE;
708 gboolean capture_option_specified = FALSE;
710 gboolean quiet = FALSE;
711 #ifdef PCAP_NG_DEFAULT
712 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
714 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
716 volatile gboolean out_file_name_res = FALSE;
717 volatile int in_file_type = WTAP_TYPE_AUTO;
718 gchar *volatile cf_name = NULL;
719 gchar *rfilter = NULL;
720 gchar *dfilter = NULL;
721 #ifdef HAVE_PCAP_OPEN_DEAD
722 struct bpf_program fcode;
724 dfilter_t *rfcode = NULL;
725 dfilter_t *dfcode = NULL;
729 gchar *output_only = NULL;
730 gchar *volatile pdu_export_arg = NULL;
731 const char *volatile exp_pdu_filename = NULL;
732 exp_pdu_t exp_pdu_tap_data;
734 const gchar* elastic_mapping_filter = NULL;
738 * The leading + ensures that getopt_long() does not permute the argv[]
741 * We have to make sure that the first getopt_long() preserves the content
742 * of argv[] for the subsequent getopt_long() call.
744 * We use getopt_long() in both cases to ensure that we're using a routine
745 * whose permutation behavior we can control in the same fashion on all
746 * platforms, and so that, if we ever need to process a long argument before
747 * doing further initialization, we can do so.
749 * Glibc and Solaris libc document that a leading + disables permutation
750 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
751 * and macOS don't document it, but do so anyway.
753 * We do *not* use a leading - because the behavior of a leading - is
754 * platform-dependent.
756 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQr:R:S:T:U:vVw:W:xX:Y:z:"
758 static const char optstring[] = OPTSTRING;
760 tshark_debug("tshark started with %d args", argc);
762 /* Set the C-language locale to the native environment. */
763 setlocale(LC_ALL, "");
765 cmdarg_err_init(failure_warning_message, failure_message_cont);
768 arg_list_utf_16to8(argc, argv);
769 create_app_running_mutex();
773 * Get credential information for later use, and drop privileges
774 * before doing anything else.
775 * Let the user know if anything happened.
777 init_process_policies();
778 relinquish_special_privs_perm();
779 print_current_user();
782 * Attempt to get the pathname of the directory containing the
785 init_progfile_dir_error = init_progfile_dir(argv[0]);
786 if (init_progfile_dir_error != NULL) {
788 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
789 "It won't be possible to capture traffic.\n"
790 "Report this to the Wireshark developers.",
791 init_progfile_dir_error);
792 g_free(init_progfile_dir_error);
795 initialize_funnel_ops();
798 ws_init_dll_search_path();
800 /* Load wpcap if possible. Do this before collecting the run-time version information */
802 #endif /* HAVE_LIBPCAP */
805 /* Get the compile-time version information string */
806 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
807 epan_get_compiled_version_info);
809 /* Get the run-time version information string */
810 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
812 /* Add it to the information to be reported on a crash. */
813 ws_add_crash_info("TShark (Wireshark) %s\n"
818 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
819 g_string_free(comp_info_str, TRUE);
820 g_string_free(runtime_info_str, TRUE);
822 /* Fail sometimes. Useful for testing fuzz scripts. */
823 /* if (g_random_int_range(0, 100) < 5) abort(); */
826 * In order to have the -X opts assigned before the wslua machine starts
827 * we need to call getopt_long before epan_init() gets called.
829 * In order to handle, for example, -o options, we also need to call it
830 * *after* epan_init() gets called, so that the dissectors have had a
831 * chance to register their preferences.
833 * XXX - can we do this all with one getopt_long() call, saving the
834 * arguments we can't handle until after initializing libwireshark,
835 * and then process them after initializing libwireshark?
839 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
841 case 'C': /* Configuration Profile */
842 if (profile_exists (optarg, FALSE)) {
843 set_profile_name (optarg);
845 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
846 exit_status = INVALID_OPTION;
850 case 'P': /* Print packet summary info even when writing to a file */
851 print_packet_info = TRUE;
852 print_summary = TRUE;
854 case 'O': /* Only output these protocols */
855 output_only = g_strdup(optarg);
857 case 'V': /* Verbose */
858 print_details = TRUE;
859 print_packet_info = TRUE;
861 case 'x': /* Print packet data in hex (and ASCII) */
863 /* The user asked for hex output, so let's ensure they get it,
864 * even if they're writing to a file.
866 print_packet_info = TRUE;
872 case LONGOPT_ELASTIC_MAPPING_FILTER:
873 elastic_mapping_filter = optarg;
881 /** Send All g_log messages to our own handler **/
885 G_LOG_LEVEL_CRITICAL|
890 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
892 g_log_set_handler(NULL,
893 (GLogLevelFlags)log_flags,
894 tshark_log_handler, NULL /* user_data */);
895 g_log_set_handler(LOG_DOMAIN_MAIN,
896 (GLogLevelFlags)log_flags,
897 tshark_log_handler, NULL /* user_data */);
900 g_log_set_handler(LOG_DOMAIN_CAPTURE,
901 (GLogLevelFlags)log_flags,
902 tshark_log_handler, NULL /* user_data */);
903 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
904 (GLogLevelFlags)log_flags,
905 tshark_log_handler, NULL /* user_data */);
908 init_report_message(failure_warning_message, failure_warning_message,
909 open_failure_message, read_failure_message,
910 write_failure_message);
913 capture_opts_init(&global_capture_opts);
914 capture_session_init(&global_capture_session, &cfile);
917 timestamp_set_type(TS_RELATIVE);
918 timestamp_set_precision(TS_PREC_AUTO);
919 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
923 /* Register all dissectors; we must do this before checking for the
924 "-G" flag, as the "-G" flag dumps information registered by the
925 dissectors, and we must do it before we read the preferences, in
926 case any dissectors register preferences. */
927 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
929 exit_status = INIT_FAILED;
933 /* Register all tap listeners; we do this before we parse the arguments,
934 as the "-z" argument can specify a registered tap. */
936 /* we register the plugin taps before the other taps because
937 stats_tree taps plugins will be registered as tap listeners
938 by stats_tree_stat.c and need to registered before that */
940 register_all_plugin_tap_listeners();
942 extcap_register_preferences();
943 /* Register all tap listeners. */
944 for (tap_reg_t *t = tap_reg_listener; t->cb_func != NULL; t++) {
947 conversation_table_set_gui_info(init_iousers);
948 hostlist_table_set_gui_info(init_hostlists);
949 srt_table_iterate_tables(register_srt_tables, NULL);
950 rtd_table_iterate_tables(register_rtd_tables, NULL);
951 stat_tap_iterate_tables(register_simple_stat_tables, NULL);
953 /* If invoked with the "-G" flag, we dump out information based on
954 the argument to the "-G" flag; if no argument is specified,
955 for backwards compatibility we dump out a glossary of display
958 XXX - we do this here, for now, to support "-G" with no arguments.
959 If none of our build or other processes uses "-G" with no arguments,
960 we can just process it with the other arguments. */
961 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
962 proto_initialize_all_prefixes();
965 proto_registrar_dump_fields();
967 if (strcmp(argv[2], "column-formats") == 0)
968 column_dump_column_formats();
969 else if (strcmp(argv[2], "currentprefs") == 0) {
970 epan_load_settings();
973 else if (strcmp(argv[2], "decodes") == 0)
974 dissector_dump_decodes();
975 else if (strcmp(argv[2], "defaultprefs") == 0)
977 else if (strcmp(argv[2], "dissector-tables") == 0)
978 dissector_dump_dissector_tables();
980 else if (strcmp(argv[2], "elastic-mapping") == 0)
981 proto_registrar_dump_elastic(elastic_mapping_filter);
983 else if (strcmp(argv[2], "fieldcount") == 0) {
984 /* return value for the test suite */
985 exit_status = proto_registrar_dump_fieldcount();
987 } else if (strcmp(argv[2], "fields") == 0)
988 proto_registrar_dump_fields();
989 else if (strcmp(argv[2], "folders") == 0) {
990 epan_load_settings();
992 } else if (strcmp(argv[2], "ftypes") == 0)
993 proto_registrar_dump_ftypes();
994 else if (strcmp(argv[2], "heuristic-decodes") == 0)
995 dissector_dump_heur_decodes();
996 else if (strcmp(argv[2], "plugins") == 0) {
1001 wslua_plugins_dump_all();
1004 else if (strcmp(argv[2], "protocols") == 0)
1005 proto_registrar_dump_protocols();
1006 else if (strcmp(argv[2], "values") == 0)
1007 proto_registrar_dump_values();
1008 else if (strcmp(argv[2], "help") == 0)
1009 glossary_option_help();
1010 /* These are supported only for backwards compatibility and may or may not work
1011 * for a given user in a given directory on a given operating system with a given
1012 * command-line interpreter.
1014 else if (strcmp(argv[2], "?") == 0)
1015 glossary_option_help();
1016 else if (strcmp(argv[2], "-?") == 0)
1017 glossary_option_help();
1019 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G help for more help.", argv[2]);
1020 exit_status = INVALID_OPTION;
1024 exit_status = EXIT_SUCCESS;
1028 tshark_debug("tshark reading settings");
1030 /* Load libwireshark settings from the current profile. */
1031 prefs_p = epan_load_settings();
1032 prefs_loaded = TRUE;
1034 read_filter_list(CFILTER_LIST);
1036 cap_file_init(&cfile);
1038 /* Print format defaults to this. */
1039 print_format = PR_FMT_TEXT;
1040 delimiter_char = " ";
1042 output_fields = output_fields_new();
1045 * To reset the options parser, set optreset to 1 on platforms that
1046 * have optreset (documented in *BSD and macOS, apparently present but
1047 * not documented in Solaris - the Illumos repository seems to
1048 * suggest that the first Solaris getopt_long(), at least as of 2004,
1049 * was based on the NetBSD one, it had optreset) and set optind to 1,
1050 * and set optind to 0 otherwise (documented as working in the GNU
1051 * getopt_long(). Setting optind to 0 didn't originally work in the
1052 * NetBSD one, but that was added later - we don't want to depend on
1053 * it if we have optreset).
1055 * Also reset opterr to 1, so that error messages are printed by
1058 #ifdef HAVE_OPTRESET
1066 /* Now get our args */
1067 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1069 case '2': /* Perform two pass analysis */
1070 if(epan_auto_reset){
1071 cmdarg_err("-2 does not support auto session reset.");
1074 perform_two_pass_analysis = TRUE;
1077 if(perform_two_pass_analysis){
1078 cmdarg_err("-M does not support two pass analysis.");
1081 epan_auto_reset_count = get_positive_int(optarg, "epan reset count");
1082 epan_auto_reset = TRUE;
1084 case 'a': /* autostop criteria */
1085 case 'b': /* Ringbuffer option */
1086 case 'c': /* Capture x packets */
1087 case 'f': /* capture filter */
1088 case 'g': /* enable group read access on file(s) */
1089 case 'i': /* Use interface x */
1090 case LONGOPT_SET_TSTAMP_TYPE: /* Set capture timestamp type */
1091 case 'p': /* Don't capture in promiscuous mode */
1092 #ifdef HAVE_PCAP_REMOTE
1093 case 'A': /* Authentication */
1095 #ifdef HAVE_PCAP_CREATE
1096 case 'I': /* Capture in monitor mode, if available */
1098 case 's': /* Set the snapshot (capture) length */
1099 case 'w': /* Write to capture file x */
1100 case 'y': /* Set the pcap data link type */
1101 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1102 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1103 case 'B': /* Buffer size */
1106 exit_status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1107 if (exit_status != 0) {
1113 * Output file name, if we're reading a file and writing to another
1116 output_file_name = optarg;
1118 capture_option_specified = TRUE;
1124 /* already processed; just ignore it now */
1126 case 'D': /* Print a list of capture devices and exit */
1128 if_list = capture_interface_list(&err, &err_str,NULL);
1129 if (if_list == NULL) {
1131 cmdarg_err("There are no interfaces on which a capture can be done");
1133 cmdarg_err("%s", err_str);
1136 exit_status = INVALID_INTERFACE;
1139 capture_opts_print_interfaces(if_list);
1140 free_interface_list(if_list);
1141 exit_status = EXIT_SUCCESS;
1144 capture_option_specified = TRUE;
1150 output_fields_add(output_fields, optarg);
1154 if (!output_fields_set_option(output_fields, optarg)) {
1155 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1156 output_fields_list_options(stderr);
1157 exit_status = INVALID_OPTION;
1162 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1163 if (out_file_type < 0) {
1164 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1165 list_capture_types();
1166 exit_status = INVALID_OPTION;
1171 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1174 protocolfilter_flags = PF_INCLUDE_CHILDREN;
1175 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1177 case 'W': /* Select extra information to save in our capture file */
1178 /* This is patterned after the -N flag which may not be the best idea. */
1179 if (strchr(optarg, 'n')) {
1180 out_file_name_res = TRUE;
1182 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1183 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1184 exit_status = INVALID_OPTION;
1188 case 'H': /* Read address to name mappings from a hosts file */
1189 if (! add_hosts_file(optarg))
1191 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1192 exit_status = INVALID_OPTION;
1195 out_file_name_res = TRUE;
1198 case 'h': /* Print help and exit */
1199 printf("TShark (Wireshark) %s\n"
1200 "Dump and analyze network traffic.\n"
1201 "See https://www.wireshark.org for more information.\n",
1202 get_ws_vcs_version_info());
1203 print_usage(stdout);
1204 exit_status = EXIT_SUCCESS;
1207 case 'l': /* "Line-buffer" standard output */
1208 /* The ANSI C standard does not appear to *require* that a line-buffered
1209 stream be flushed to the host environment whenever a newline is
1210 written, it just says that, on such a stream, characters "are
1211 intended to be transmitted to or from the host environment as a
1212 block when a new-line character is encountered".
1214 The Visual C++ 6.0 C implementation doesn't do what is intended;
1215 even if you set a stream to be line-buffered, it still doesn't
1216 flush the buffer at the end of every line.
1218 The whole reason for the "-l" flag in either tcpdump or TShark
1219 is to allow the output of a live capture to be piped to a program
1220 or script and to have that script see the information for the
1221 packet as soon as it's printed, rather than having to wait until
1222 a standard I/O buffer fills up.
1224 So, if the "-l" flag is specified, we flush the standard output
1225 at the end of a packet. This will do the right thing if we're
1226 printing packet summary lines, and, as we print the entire protocol
1227 tree for a single packet without waiting for anything to happen,
1228 it should be as good as line-buffered mode if we're printing
1229 protocol trees - arguably even better, as it may do fewer
1231 line_buffered = TRUE;
1233 case 'L': /* Print list of link-layer types and exit */
1235 caps_queries |= CAPS_QUERY_LINK_TYPES;
1237 capture_option_specified = TRUE;
1241 case LONGOPT_LIST_TSTAMP_TYPES: /* List possible timestamp types */
1243 caps_queries |= CAPS_QUERY_TIMESTAMP_TYPES;
1245 capture_option_specified = TRUE;
1249 case 'o': /* Override preference from command line */
1251 char *errmsg = NULL;
1253 switch (prefs_set_pref(optarg, &errmsg)) {
1258 case PREFS_SET_SYNTAX_ERR:
1259 cmdarg_err("Invalid -o flag \"%s\"%s%s", optarg,
1260 errmsg ? ": " : "", errmsg ? errmsg : "");
1262 exit_status = INVALID_OPTION;
1266 case PREFS_SET_NO_SUCH_PREF:
1267 case PREFS_SET_OBSOLETE:
1268 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1269 exit_status = INVALID_OPTION;
1275 case 'q': /* Quiet */
1278 case 'Q': /* Really quiet */
1280 really_quiet = TRUE;
1282 case 'r': /* Read capture file x */
1283 cf_name = g_strdup(optarg);
1285 case 'R': /* Read file filter */
1289 /* already processed; just ignore it now */
1291 case 'S': /* Set the line Separator to be printed between packets */
1294 case 'T': /* printing Type */
1295 print_packet_info = TRUE;
1296 if (strcmp(optarg, "text") == 0) {
1297 output_action = WRITE_TEXT;
1298 print_format = PR_FMT_TEXT;
1299 } else if (strcmp(optarg, "tabs") == 0) {
1300 output_action = WRITE_TEXT;
1301 print_format = PR_FMT_TEXT;
1302 delimiter_char = "\t";
1303 } else if (strcmp(optarg, "ps") == 0) {
1304 output_action = WRITE_TEXT;
1305 print_format = PR_FMT_PS;
1306 } else if (strcmp(optarg, "pdml") == 0) {
1307 output_action = WRITE_XML;
1308 print_details = TRUE; /* Need details */
1309 print_summary = FALSE; /* Don't allow summary */
1310 } else if (strcmp(optarg, "psml") == 0) {
1311 output_action = WRITE_XML;
1312 print_details = FALSE; /* Don't allow details */
1313 print_summary = TRUE; /* Need summary */
1314 } else if (strcmp(optarg, "fields") == 0) {
1315 output_action = WRITE_FIELDS;
1316 print_details = TRUE; /* Need full tree info */
1317 print_summary = FALSE; /* Don't allow summary */
1318 } else if (strcmp(optarg, "json") == 0) {
1319 output_action = WRITE_JSON;
1320 print_details = TRUE; /* Need details */
1321 print_summary = FALSE; /* Don't allow summary */
1322 } else if (strcmp(optarg, "ek") == 0) {
1323 output_action = WRITE_EK;
1325 print_details = TRUE;
1326 } else if (strcmp(optarg, "jsonraw") == 0) {
1327 output_action = WRITE_JSON_RAW;
1328 print_details = TRUE; /* Need details */
1329 print_summary = FALSE; /* Don't allow summary */
1332 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1333 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1334 "\t specified by the -E option.\n"
1335 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1336 "\t details of a decoded packet. This information is equivalent to\n"
1337 "\t the packet details printed with the -V flag.\n"
1338 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1339 "\t the packets, or a multi-line view of the details of each of\n"
1340 "\t the packets, depending on whether the -V flag was specified.\n"
1341 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1342 "\t summary information of a decoded packet. This information is\n"
1343 "\t equivalent to the information shown in the one-line summary\n"
1344 "\t printed by default.\n"
1345 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1346 "\t summary information of a decoded packet. This information is \n"
1347 "\t equivalent to the packet details printed with the -V flag.\n"
1348 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1349 "\t including only raw hex decoded fields (same as -T json -x but\n"
1350 "\t without text decoding, only raw fields included). \n"
1351 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1352 "\t into elastic search cluster. This information is \n"
1353 "\t equivalent to the packet details printed with the -V flag.\n"
1354 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1355 "\t packets, or a multi-line view of the details of each of the\n"
1356 "\t packets, depending on whether the -V flag was specified.\n"
1357 "\t This is the default.\n"
1358 "\t\"tabs\" Similar to the text report except that each column of the\n"
1359 "\t human-readable one-line summary is delimited with an ASCII\n"
1360 "\t horizontal tab character.");
1361 exit_status = INVALID_OPTION;
1365 case 'U': /* Export PDUs to file */
1367 GSList *export_pdu_tap_name_list = NULL;
1370 cmdarg_err("A tap name is required. Valid names are:");
1371 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1372 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1374 exit_status = INVALID_OPTION;
1377 pdu_export_arg = g_strdup(optarg);
1380 case 'v': /* Show version and exit */
1381 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1382 epan_get_compiled_version_info);
1383 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1384 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1385 g_string_free(comp_info_str, TRUE);
1386 g_string_free(runtime_info_str, TRUE);
1387 /* We don't really have to cleanup here, but it's a convenient way to test
1388 * start-up and shut-down of the epan library without any UI-specific
1389 * cruft getting in the way. Makes the results of running
1390 * $ ./tools/valgrind-wireshark -n
1391 * much more useful. */
1394 exit_status = EXIT_SUCCESS;
1396 case 'O': /* Only output these protocols */
1397 /* already processed; just ignore it now */
1399 case 'V': /* Verbose */
1400 /* already processed; just ignore it now */
1402 case 'x': /* Print packet data in hex (and ASCII) */
1403 /* already processed; just ignore it now */
1406 /* already processed; just ignore it now */
1412 /* We won't call the init function for the stat this soon
1413 as it would disallow MATE's fields (which are registered
1414 by the preferences set callback) from being used as
1415 part of a tap filter. Instead, we just add the argument
1416 to a list of stat arguments. */
1417 if (strcmp("help", optarg) == 0) {
1418 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1419 list_stat_cmd_args();
1420 exit_status = EXIT_SUCCESS;
1423 if (!process_stat_cmd_arg(optarg)) {
1424 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1425 list_stat_cmd_args();
1426 exit_status = INVALID_OPTION;
1430 case 'd': /* Decode as rule */
1431 case 'K': /* Kerberos keytab file */
1432 case 'n': /* No name resolution */
1433 case 'N': /* Select what types of addresses/port #s to resolve */
1434 case 't': /* Time stamp type */
1435 case 'u': /* Seconds type */
1436 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1437 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1438 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1439 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1440 if (!dissect_opts_handle_opt(opt, optarg)) {
1441 exit_status = INVALID_OPTION;
1445 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1446 if (strcmp("help", optarg) == 0) {
1447 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1448 eo_list_object_types();
1449 exit_status = EXIT_SUCCESS;
1452 if (!eo_tap_opt_add(optarg)) {
1453 exit_status = INVALID_OPTION;
1457 case LONGOPT_COLOR: /* print in color where appropriate */
1458 dissect_color = TRUE;
1460 case LONGOPT_NO_DUPLICATE_KEYS:
1461 no_duplicate_keys = TRUE;
1462 node_children_grouper = proto_node_group_children_by_json_key;
1465 case '?': /* Bad flag - print usage message */
1468 list_capture_types();
1471 print_usage(stderr);
1473 exit_status = INVALID_OPTION;
1480 * Print packet summary information is the default if neither -V or -x
1481 * were specified. Note that this is new behavior, which allows for the
1482 * possibility of printing only hex/ascii output without necessarily
1483 * requiring that either the summary or details be printed too.
1485 if (!print_summary && !print_details && !print_hex)
1486 print_summary = TRUE;
1488 if (no_duplicate_keys && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW) {
1489 cmdarg_err("--no-duplicate-keys can only be used with \"-T json\" and \"-T jsonraw\"");
1490 exit_status = INVALID_OPTION;
1494 /* If we specified output fields, but not the output field type... */
1495 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1496 cmdarg_err("Output fields were specified with \"-e\", "
1497 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1498 exit_status = INVALID_OPTION;
1500 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1501 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1502 "specified with \"-e\".");
1504 exit_status = INVALID_OPTION;
1508 if (dissect_color) {
1509 if (!color_filters_init(&err_msg, NULL)) {
1510 fprintf(stderr, "%s\n", err_msg);
1515 /* If no capture filter or display filter has been specified, and there are
1516 still command-line arguments, treat them as the tokens of a capture
1517 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1518 flag was specified. */
1519 if (optind < argc) {
1520 if (cf_name != NULL) {
1521 if (dfilter != NULL) {
1522 cmdarg_err("Display filters were specified both with \"-d\" "
1523 "and with additional command-line arguments.");
1524 exit_status = INVALID_OPTION;
1527 dfilter = get_args_as_string(argc, argv, optind);
1532 if (global_capture_opts.default_options.cfilter) {
1533 cmdarg_err("A default capture filter was specified both with \"-f\""
1534 " and with additional command-line arguments.");
1535 exit_status = INVALID_OPTION;
1538 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1539 interface_options *interface_opts;
1540 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
1541 if (interface_opts->cfilter == NULL) {
1542 interface_opts->cfilter = get_args_as_string(argc, argv, optind);
1544 cmdarg_err("A capture filter was specified both with \"-f\""
1545 " and with additional command-line arguments.");
1546 exit_status = INVALID_OPTION;
1550 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1552 capture_option_specified = TRUE;
1558 if (!global_capture_opts.saving_to_file) {
1559 /* We're not saving the capture to a file; if "-q" wasn't specified,
1560 we should print packet information */
1562 print_packet_info = TRUE;
1564 /* We're saving to a file; if we're writing to the standard output.
1565 and we'll also be writing dissected packets to the standard
1566 output, reject the request. At best, we could redirect that
1567 to the standard error; we *can't* write both to the standard
1568 output and have either of them be useful. */
1569 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1570 cmdarg_err("You can't write both raw packet data and dissected packets"
1571 " to the standard output.");
1572 exit_status = INVALID_OPTION;
1577 /* We're not saving the capture to a file; if "-q" wasn't specified,
1578 we should print packet information */
1580 print_packet_info = TRUE;
1583 #ifndef HAVE_LIBPCAP
1584 if (capture_option_specified)
1585 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1588 print_usage(stderr);
1589 exit_status = INVALID_OPTION;
1594 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
1595 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
1596 exit_status = INVALID_OPTION;
1601 if (output_only != NULL) {
1604 if (!print_details) {
1605 cmdarg_err("-O requires -V");
1606 exit_status = INVALID_OPTION;
1610 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1611 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1612 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1616 if (rfilter != NULL && !perform_two_pass_analysis) {
1617 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1618 exit_status = INVALID_OPTION;
1624 /* We're supposed to list the link-layer/timestamp types for an interface;
1625 did the user also specify a capture file to be read? */
1627 /* Yes - that's bogus. */
1628 cmdarg_err("You can't specify %s and a capture file to be read.",
1629 caps_queries & CAPS_QUERY_LINK_TYPES ? "-L" : "--list-time-stamp-types");
1630 exit_status = INVALID_OPTION;
1633 /* No - did they specify a ring buffer option? */
1634 if (global_capture_opts.multi_files_on) {
1635 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1636 exit_status = INVALID_OPTION;
1642 * "-r" was specified, so we're reading a capture file.
1643 * Capture options don't apply here.
1646 /* We don't support capture filters when reading from a capture file
1647 (the BPF compiler doesn't support all link-layer types that we
1648 support in capture files we read). */
1649 if (global_capture_opts.default_options.cfilter) {
1650 cmdarg_err("Only read filters, not capture filters, "
1651 "can be specified when reading a capture file.");
1652 exit_status = INVALID_OPTION;
1655 if (global_capture_opts.multi_files_on) {
1656 cmdarg_err("Multiple capture files requested, but "
1657 "a capture isn't being done.");
1658 exit_status = INVALID_OPTION;
1661 if (global_capture_opts.has_file_duration) {
1662 cmdarg_err("Switching capture files after a time period was specified, but "
1663 "a capture isn't being done.");
1664 exit_status = INVALID_OPTION;
1667 if (global_capture_opts.has_file_interval) {
1668 cmdarg_err("Switching capture files after a time interval was specified, but "
1669 "a capture isn't being done.");
1670 exit_status = INVALID_OPTION;
1673 if (global_capture_opts.has_ring_num_files) {
1674 cmdarg_err("A ring buffer of capture files was specified, but "
1675 "a capture isn't being done.");
1676 exit_status = INVALID_OPTION;
1679 if (global_capture_opts.has_autostop_files) {
1680 cmdarg_err("A maximum number of capture files was specified, but "
1681 "a capture isn't being done.");
1682 exit_status = INVALID_OPTION;
1685 if (global_capture_opts.capture_comment) {
1686 cmdarg_err("A capture comment was specified, but "
1687 "a capture isn't being done.\nThere's no support for adding "
1688 "a capture comment to an existing capture file.");
1689 exit_status = INVALID_OPTION;
1693 /* Note: TShark now allows the restriction of a _read_ file by packet count
1694 * and byte count as well as a write file. Other autostop options remain valid
1695 * only for a write file.
1697 if (global_capture_opts.has_autostop_duration) {
1698 cmdarg_err("A maximum capture time was specified, but "
1699 "a capture isn't being done.");
1700 exit_status = INVALID_OPTION;
1705 * "-r" wasn't specified, so we're doing a live capture.
1707 if (perform_two_pass_analysis) {
1708 /* Two-pass analysis doesn't work with live capture since it requires us
1709 * to buffer packets until we've read all of them, but a live capture
1710 * has no useful/meaningful definition of "all" */
1711 cmdarg_err("Live captures do not support two-pass analysis.");
1712 exit_status = INVALID_OPTION;
1716 if (global_capture_opts.saving_to_file) {
1717 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1719 /* When capturing, we only support writing pcap or pcapng format. */
1720 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1721 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1722 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1723 exit_status = INVALID_OPTION;
1726 if (global_capture_opts.capture_comment &&
1727 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1728 cmdarg_err("A capture comment can only be written to a pcapng file.");
1729 exit_status = INVALID_OPTION;
1732 if (global_capture_opts.multi_files_on) {
1733 /* Multiple-file mode doesn't work under certain conditions:
1734 a) it doesn't work if you're writing to the standard output;
1735 b) it doesn't work if you're writing to a pipe;
1737 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1738 cmdarg_err("Multiple capture files requested, but "
1739 "the capture is being written to the standard output.");
1740 exit_status = INVALID_OPTION;
1743 if (global_capture_opts.output_to_pipe) {
1744 cmdarg_err("Multiple capture files requested, but "
1745 "the capture file is a pipe.");
1746 exit_status = INVALID_OPTION;
1749 if (!global_capture_opts.has_autostop_filesize &&
1750 !global_capture_opts.has_file_duration &&
1751 !global_capture_opts.has_file_interval) {
1752 cmdarg_err("Multiple capture files requested, but "
1753 "no maximum capture file size, duration or interval was specified.");
1754 exit_status = INVALID_OPTION;
1758 /* Currently, we don't support read or display filters when capturing
1759 and saving the packets. */
1760 if (rfilter != NULL) {
1761 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1762 exit_status = INVALID_OPTION;
1765 if (dfilter != NULL) {
1766 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1767 exit_status = INVALID_OPTION;
1770 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1772 /* They didn't specify a "-w" flag, so we won't be saving to a
1773 capture file. Check for options that only make sense if
1774 we're saving to a file. */
1775 if (global_capture_opts.has_autostop_filesize) {
1776 cmdarg_err("Maximum capture file size specified, but "
1777 "capture isn't being saved to a file.");
1778 exit_status = INVALID_OPTION;
1781 if (global_capture_opts.multi_files_on) {
1782 cmdarg_err("Multiple capture files requested, but "
1783 "the capture isn't being saved to a file.");
1784 exit_status = INVALID_OPTION;
1787 if (global_capture_opts.capture_comment) {
1788 cmdarg_err("A capture comment was specified, but "
1789 "the capture isn't being saved to a file.");
1790 exit_status = INVALID_OPTION;
1799 /* Start windows sockets */
1800 result = WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1803 exit_status = INIT_FAILED;
1808 /* Notify all registered modules that have had any of their preferences
1809 changed either from one of the preferences file or from the command
1810 line that their preferences have changed. */
1813 /* We can also enable specified taps for export object */
1814 start_exportobjects();
1816 /* At this point MATE will have registered its field array so we can
1817 check if the fields specified by the user are all good.
1821 GSList *invalid_fields = output_fields_valid(output_fields);
1822 if (invalid_fields != NULL) {
1824 cmdarg_err("Some fields aren't valid:");
1825 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
1826 cmdarg_err_cont("\t%s", (gchar *)it->data);
1828 g_slist_free(invalid_fields);
1829 exit_status = INVALID_OPTION;
1834 /* We currently don't support taps, or printing dissected packets,
1835 if we're writing to a pipe. */
1836 if (global_capture_opts.saving_to_file &&
1837 global_capture_opts.output_to_pipe) {
1838 if (tap_listeners_require_dissection()) {
1839 cmdarg_err("Taps aren't supported when saving to a pipe.");
1840 exit_status = INVALID_OPTION;
1843 if (print_packet_info) {
1844 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1845 exit_status = INVALID_OPTION;
1851 if (ex_opt_count("read_format") > 0) {
1852 const gchar* name = ex_opt_get_next("read_format");
1853 in_file_type = open_info_name_to_type(name);
1854 if (in_file_type == WTAP_TYPE_AUTO) {
1855 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1856 list_read_capture_types();
1857 exit_status = INVALID_OPTION;
1862 timestamp_set_type(global_dissect_options.time_format);
1865 * Enabled and disabled protocols and heuristic dissectors as per
1866 * command-line options.
1868 if (!setup_enabled_and_disabled_protocols()) {
1869 exit_status = INVALID_OPTION;
1873 /* Build the column format array */
1874 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1877 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1878 capture_opts_trim_ring_num_files(&global_capture_opts);
1881 if (rfilter != NULL) {
1882 tshark_debug("Compiling read filter: '%s'", rfilter);
1883 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
1884 cmdarg_err("%s", err_msg);
1888 #ifdef HAVE_PCAP_OPEN_DEAD
1892 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1894 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1896 " Note: That read filter code looks like a valid capture filter;\n"
1897 " maybe you mixed them up?");
1903 exit_status = INVALID_INTERFACE;
1907 cfile.rfcode = rfcode;
1909 if (dfilter != NULL) {
1910 tshark_debug("Compiling display filter: '%s'", dfilter);
1911 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
1912 cmdarg_err("%s", err_msg);
1916 #ifdef HAVE_PCAP_OPEN_DEAD
1920 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1922 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1924 " Note: That display filter code looks like a valid capture filter;\n"
1925 " maybe you mixed them up?");
1931 exit_status = INVALID_FILTER;
1935 cfile.dfcode = dfcode;
1937 if (print_packet_info) {
1938 /* If we're printing as text or PostScript, we have
1939 to create a print stream. */
1940 if (output_action == WRITE_TEXT) {
1941 switch (print_format) {
1944 print_stream = print_stream_text_stdio_new(stdout);
1948 print_stream = print_stream_ps_stdio_new(stdout);
1952 g_assert_not_reached();
1957 /* PDU export requested. Take the ownership of the '-w' file, apply tap
1958 * filters and start tapping. */
1959 if (pdu_export_arg) {
1960 const char *exp_pdu_tap_name = pdu_export_arg;
1961 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
1962 char *exp_pdu_error;
1967 cmdarg_err("PDUs export requires a capture file (specify with -r).");
1968 exit_status = INVALID_OPTION;
1971 /* Take ownership of the '-w' output file. */
1973 exp_pdu_filename = global_capture_opts.save_file;
1974 global_capture_opts.save_file = NULL;
1976 exp_pdu_filename = output_file_name;
1977 output_file_name = NULL;
1979 if (exp_pdu_filename == NULL) {
1980 cmdarg_err("PDUs export requires an output file (-w).");
1981 exit_status = INVALID_OPTION;
1985 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
1987 if (exp_pdu_error) {
1988 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
1989 g_free(exp_pdu_error);
1990 exit_status = INVALID_TAP;
1994 if (strcmp(exp_pdu_filename, "-") == 0) {
1995 /* Write to the standard output. */
1998 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2000 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2001 exit_status = INVALID_FILE;
2006 /* Activate the export PDU tap */
2007 comment = g_strdup_printf("Dump of PDUs from %s", cf_name);
2008 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd, comment);
2010 cfile_dump_open_failure_message("TShark", exp_pdu_filename, err,
2011 WTAP_FILE_TYPE_SUBTYPE_PCAPNG);
2013 exit_status = INVALID_EXPORT;
2018 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2021 tshark_debug("tshark: Opening capture file: %s", cf_name);
2023 * We're reading a capture file.
2025 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2028 exit_status = INVALID_FILE;
2032 /* Start statistics taps; we do so after successfully opening the
2033 capture file, so we know we have something to compute stats
2034 on, and after registering all dissectors, so that MATE will
2035 have registered its field array so we can have a tap filter
2036 with one of MATE's late-registered fields as part of the
2038 start_requested_stats();
2040 /* Do we need to do dissection of packets? That depends on, among
2041 other things, what taps are listening, so determine that after
2042 starting the statistics taps. */
2043 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2045 /* Process the packets in the file */
2046 tshark_debug("tshark: invoking process_cap_file() to process the packets");
2049 success = process_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2050 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2051 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2053 success = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2056 CATCH(OutOfMemoryError) {
2060 "Sorry, but TShark has to terminate now.\n"
2062 "More information and workarounds can be found at\n"
2063 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2069 /* We still dump out the results of taps, etc., as we might have
2070 read some packets; however, we exit with an error status. */
2074 if (pdu_export_arg) {
2075 err = exp_pdu_close(&exp_pdu_tap_data);
2077 cfile_close_failure_message(exp_pdu_filename, err);
2080 g_free(pdu_export_arg);
2083 tshark_debug("tshark: no capture file specified");
2084 /* No capture file specified, so we're supposed to do a live capture
2085 or get a list of link-layer types for a live capture device;
2086 do we have support for live captures? */
2089 /* Warn the user if npf.sys isn't loaded. */
2090 if (!npf_sys_is_running()) {
2091 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
2092 "capturing or\nlisting interfaces.\n");
2096 /* if no interface was specified, pick a default */
2097 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2098 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2099 if (exit_status != 0) {
2103 /* if requested, list the link layer types and exit */
2107 /* Get the list of link-layer types for the capture devices. */
2108 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2109 interface_options *interface_opts;
2110 if_capabilities_t *caps;
2111 char *auth_str = NULL;
2112 int if_caps_queries = caps_queries;
2114 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2115 #ifdef HAVE_PCAP_REMOTE
2116 if (interface_opts->auth_type == CAPTURE_AUTH_PWD) {
2117 auth_str = g_strdup_printf("%s:%s", interface_opts->auth_username, interface_opts->auth_password);
2120 caps = capture_get_if_capabilities(interface_opts->name, interface_opts->monitor_mode, auth_str, &err_str, NULL);
2123 cmdarg_err("%s", err_str);
2125 exit_status = INVALID_CAPABILITY;
2128 if ((if_caps_queries & CAPS_QUERY_LINK_TYPES) && caps->data_link_types == NULL) {
2129 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts->name);
2130 exit_status = INVALID_DATA_LINK;
2133 if ((if_caps_queries & CAPS_QUERY_TIMESTAMP_TYPES) && caps->timestamp_types == NULL) {
2134 cmdarg_err("The capture device \"%s\" has no timestamp types.", interface_opts->name);
2135 exit_status = INVALID_TIMESTAMP_TYPE;
2138 if (interface_opts->monitor_mode)
2139 if_caps_queries |= CAPS_MONITOR_MODE;
2140 capture_opts_print_if_capabilities(caps, interface_opts->name, if_caps_queries);
2141 free_if_capabilities(caps);
2143 exit_status = EXIT_SUCCESS;
2148 * If the standard error isn't a terminal, don't print packet counts,
2149 * as they won't show up on the user's terminal and they'll get in
2150 * the way of error messages in the file (to which we assume the
2151 * standard error was redirected; if it's redirected to the null
2152 * device, there's no point in printing packet counts anyway).
2154 * Otherwise, if we're printing packet information and the standard
2155 * output is a terminal (which we assume means the standard output and
2156 * error are going to the same terminal), don't print packet counts,
2157 * as they'll get in the way of the packet information.
2159 * Otherwise, if the user specified -q, don't print packet counts.
2161 * Otherwise, print packet counts.
2163 * XXX - what if the user wants to do a live capture, doesn't want
2164 * to save it to a file, doesn't want information printed for each
2165 * packet, does want some "-z" statistic, and wants packet counts
2166 * so they know whether they're seeing any packets? -q will
2167 * suppress the information printed for each packet, but it'll
2168 * also suppress the packet counts.
2170 if (!ws_isatty(ws_fileno(stderr)))
2171 print_packet_counts = FALSE;
2172 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2173 print_packet_counts = FALSE;
2175 print_packet_counts = FALSE;
2177 print_packet_counts = TRUE;
2179 if (print_packet_info) {
2180 if (!write_preamble(&cfile)) {
2181 show_print_file_io_error(errno);
2182 exit_status = INVALID_FILE;
2187 tshark_debug("tshark: performing live capture");
2189 /* Start statistics taps; we should only do so after the capture
2190 started successfully, so we know we have something to compute
2191 stats, but we currently don't check for that - see below.
2193 We do so after registering all dissectors, so that MATE will
2194 have registered its field array so we can have a tap filter
2195 with one of MATE's late-registered fields as part of the
2197 start_requested_stats();
2199 /* Do we need to do dissection of packets? That depends on, among
2200 other things, what taps are listening, so determine that after
2201 starting the statistics taps. */
2202 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2205 * XXX - this returns FALSE if an error occurred, but it also
2206 * returns FALSE if the capture stops because a time limit
2207 * was reached (and possibly other limits), so we can't assume
2208 * it means an error.
2210 * The capture code is a bit twisty, so it doesn't appear to
2211 * be an easy fix. We just ignore the return value for now.
2212 * Instead, pass on the exit status from the capture child.
2215 exit_status = global_capture_session.fork_child_status;
2217 if (print_packet_info) {
2218 if (!write_finale()) {
2219 show_print_file_io_error(errno);
2223 /* No - complain. */
2224 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2225 exit_status = INVALID_CAPTURE;
2232 if (cfile.provider.frames != NULL) {
2233 free_frame_data_sequence(cfile.provider.frames);
2234 cfile.provider.frames = NULL;
2237 draw_tap_listeners(TRUE);
2238 /* Memory cleanup */
2239 reset_tap_listeners();
2240 funnel_dump_all_text_windows();
2241 epan_free(cfile.epan);
2245 output_fields_free(output_fields);
2246 output_fields = NULL;
2249 destroy_print_stream(print_stream);
2251 capture_opts_cleanup(&global_capture_opts);
2253 col_cleanup(&cfile.cinfo);
2254 free_filter_lists();
2258 dfilter_free(dfcode);
2262 /*#define USE_BROKEN_G_MAIN_LOOP*/
2264 #ifdef USE_BROKEN_G_MAIN_LOOP
2267 gboolean loop_running = FALSE;
2269 guint32 packet_count = 0;
2272 typedef struct pipe_input_tag {
2275 ws_process_id *child_process;
2276 pipe_input_cb_t input_cb;
2277 guint pipe_input_id;
2279 GMutex *callback_running;
2283 static pipe_input_t pipe_input;
2286 /* The timer has expired, see if there's stuff to read from the pipe,
2287 if so, do the callback */
2289 pipe_timer_cb(gpointer data)
2295 pipe_input_t *pipe_input_p = data;
2296 gint iterations = 0;
2298 g_mutex_lock (pipe_input_p->callback_running);
2300 /* try to read data from the pipe only 5 times, to avoid blocking */
2301 while(iterations < 5) {
2302 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2304 /* Oddly enough although Named pipes don't work on win9x,
2305 PeekNamedPipe does !!! */
2306 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2307 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2309 /* Get the child process exit status */
2310 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2313 /* If the Peek returned an error, or there are bytes to be read
2314 or the childwatcher thread has terminated then call the normal
2316 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2318 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2320 /* And call the real handler */
2321 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2322 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2323 /* pipe closed, return false so that the timer is stopped */
2324 g_mutex_unlock (pipe_input_p->callback_running);
2329 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2330 /* No data, stop now */
2337 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2339 g_mutex_unlock (pipe_input_p->callback_running);
2341 /* we didn't stopped the timer, so let it run */
2348 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2351 pipe_input.source = source;
2352 pipe_input.child_process = child_process;
2353 pipe_input.user_data = user_data;
2354 pipe_input.input_cb = input_cb;
2357 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2358 g_mutex_init(pipe_input.callback_running);
2359 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2360 do this but that doesn't cover all win32 platforms. GTK can do
2361 this but doesn't seem to work over processes. Attempt to do
2362 something similar here, start a timer and check for data on every
2364 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2365 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2369 static const nstime_t *
2370 tshark_get_frame_ts(struct packet_provider_data *prov, guint32 frame_num)
2372 if (prov->ref && prov->ref->num == frame_num)
2373 return &prov->ref->abs_ts;
2375 if (prov->prev_dis && prov->prev_dis->num == frame_num)
2376 return &prov->prev_dis->abs_ts;
2378 if (prov->prev_cap && prov->prev_cap->num == frame_num)
2379 return &prov->prev_cap->abs_ts;
2382 frame_data *fd = frame_data_sequence_find(prov->frames, frame_num);
2384 return (fd) ? &fd->abs_ts : NULL;
2391 tshark_epan_new(capture_file *cf)
2393 static const struct packet_provider_funcs funcs = {
2394 tshark_get_frame_ts,
2395 cap_file_provider_get_interface_name,
2396 cap_file_provider_get_interface_description,
2400 return epan_new(&cf->provider, &funcs);
2410 #ifdef USE_TSHARK_SELECT
2414 struct sigaction action, oldaction;
2417 /* Create new dissection section. */
2418 epan_free(cfile.epan);
2419 cfile.epan = tshark_epan_new(&cfile);
2422 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2423 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2425 /* Catch SIGINT and SIGTERM and, if we get either of them,
2426 clean up and exit. If SIGHUP isn't being ignored, catch
2427 it too and, if we get it, clean up and exit.
2429 We restart any read that was in progress, so that it doesn't
2430 disrupt reading from the sync pipe. The signal handler tells
2431 the capture child to finish; it will report that it finished,
2432 or will exit abnormally, so we'll stop reading from the sync
2433 pipe, pick up the exit status, and quit. */
2434 memset(&action, 0, sizeof(action));
2435 action.sa_handler = capture_cleanup;
2436 action.sa_flags = SA_RESTART;
2437 sigemptyset(&action.sa_mask);
2438 sigaction(SIGTERM, &action, NULL);
2439 sigaction(SIGINT, &action, NULL);
2440 sigaction(SIGHUP, NULL, &oldaction);
2441 if (oldaction.sa_handler == SIG_DFL)
2442 sigaction(SIGHUP, &action, NULL);
2445 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2446 quiet mode, report the number of packets we've captured.
2448 Again, restart any read that was in progress, so that it doesn't
2449 disrupt reading from the sync pipe. */
2450 action.sa_handler = report_counts_siginfo;
2451 action.sa_flags = SA_RESTART;
2452 sigemptyset(&action.sa_mask);
2453 sigaction(SIGINFO, &action, NULL);
2454 #endif /* SIGINFO */
2457 global_capture_session.state = CAPTURE_PREPARING;
2459 /* Let the user know which interfaces were chosen. */
2460 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2461 interface_options *interface_opts;
2463 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2464 interface_opts->descr = get_interface_descriptive_name(interface_opts->name);
2466 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2467 if (really_quiet == FALSE)
2468 fprintf(stderr, "Capturing on %s\n", str->str);
2470 g_string_free(str, TRUE);
2472 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2478 * Force synchronous resolution of IP addresses; we're doing only
2479 * one pass, so we can't do it in the background and fix up past
2482 set_resolution_synchrony(TRUE);
2484 /* the actual capture loop
2486 * XXX - glib doesn't seem to provide any event based loop handling.
2488 * XXX - for whatever reason,
2489 * calling g_main_loop_new() ends up in 100% cpu load.
2491 * But that doesn't matter: in UNIX we can use select() to find an input
2492 * source with something to do.
2494 * But that doesn't matter because we're in a CLI (that doesn't need to
2495 * update a GUI or something at the same time) so it's OK if we block
2496 * trying to read from the pipe.
2498 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2499 * wrong (but I leave it there in case I am...).
2502 #ifdef USE_TSHARK_SELECT
2504 FD_SET(pipe_input.source, &readfds);
2507 loop_running = TRUE;
2511 while (loop_running)
2513 #ifdef USE_TSHARK_SELECT
2514 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2518 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2520 } else if (ret == 1) {
2522 /* Call the real handler */
2523 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2524 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2527 #ifdef USE_TSHARK_SELECT
2532 CATCH(OutOfMemoryError) {
2536 "Sorry, but TShark has to terminate now.\n"
2538 "More information and workarounds can be found at\n"
2539 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2546 /* capture child detected an error */
2548 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2550 cmdarg_err("%s", error_msg);
2551 cmdarg_err_cont("%s", secondary_error_msg);
2555 /* capture child detected an capture filter related error */
2557 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2559 capture_options *capture_opts = cap_session->capture_opts;
2560 dfilter_t *rfcode = NULL;
2561 interface_options *interface_opts;
2563 g_assert(i < capture_opts->ifaces->len);
2564 interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
2566 if (dfilter_compile(interface_opts->cfilter, &rfcode, NULL) && rfcode != NULL) {
2568 "Invalid capture filter \"%s\" for interface '%s'.\n"
2570 "That string looks like a valid display filter; however, it isn't a valid\n"
2571 "capture filter (%s).\n"
2573 "Note that display filters and capture filters don't have the same syntax,\n"
2574 "so you can't use most display filter expressions as capture filters.\n"
2576 "See the User's Guide for a description of the capture filter syntax.",
2577 interface_opts->cfilter, interface_opts->descr, error_message);
2578 dfilter_free(rfcode);
2581 "Invalid capture filter \"%s\" for interface '%s'.\n"
2583 "That string isn't a valid capture filter (%s).\n"
2584 "See the User's Guide for a description of the capture filter syntax.",
2585 interface_opts->cfilter, interface_opts->descr, error_message);
2590 /* capture child tells us we have a new (or the first) capture file */
2592 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2594 capture_options *capture_opts = cap_session->capture_opts;
2595 capture_file *cf = (capture_file *) cap_session->cf;
2596 gboolean is_tempfile;
2599 if (cap_session->state == CAPTURE_PREPARING) {
2600 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2602 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2604 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2606 /* free the old filename */
2607 if (capture_opts->save_file != NULL) {
2609 /* we start a new capture file, close the old one (if we had one before) */
2610 if (cf->state != FILE_CLOSED) {
2611 if (cf->provider.wth != NULL) {
2612 wtap_close(cf->provider.wth);
2613 cf->provider.wth = NULL;
2615 cf->state = FILE_CLOSED;
2618 g_free(capture_opts->save_file);
2619 is_tempfile = FALSE;
2621 epan_free(cf->epan);
2622 cf->epan = tshark_epan_new(cf);
2624 /* we didn't had a save_file before, must be a tempfile */
2628 /* save the new filename */
2629 capture_opts->save_file = g_strdup(new_file);
2631 /* if we are in real-time mode, open the new file now */
2632 if (do_dissection) {
2633 /* this is probably unecessary, but better safe than sorry */
2634 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2635 /* Attempt to open the capture file and set up to read from it. */
2636 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2640 /* Don't unlink (delete) the save file - leave it around,
2641 for debugging purposes. */
2642 g_free(capture_opts->save_file);
2643 capture_opts->save_file = NULL;
2648 cap_session->state = CAPTURE_RUNNING;
2654 /* capture child tells us we have new packets to read */
2656 capture_input_new_packets(capture_session *cap_session, int to_read)
2662 capture_file *cf = (capture_file *)cap_session->cf;
2663 gboolean filtering_tap_listeners;
2668 * Prevent a SIGINFO handler from writing to the standard error while
2669 * we're doing so or writing to the standard output; instead, have it
2670 * just set a flag telling us to print that information when we're done.
2673 #endif /* SIGINFO */
2675 /* Do we have any tap listeners with filters? */
2676 filtering_tap_listeners = have_filtering_tap_listeners();
2678 /* Get the union of the flags for all tap listeners. */
2679 tap_flags = union_of_tap_listener_flags();
2681 if (do_dissection) {
2682 gboolean create_proto_tree;
2683 epan_dissect_t *edt;
2686 * Determine whether we need to create a protocol tree.
2689 * we're going to apply a read filter;
2691 * we're going to apply a display filter;
2693 * we're going to print the protocol tree;
2695 * one of the tap listeners is going to apply a filter;
2697 * one of the tap listeners requires a protocol tree;
2699 * a postdissector wants field values or protocols
2700 * on the first pass;
2702 * we have custom columns (which require field values, which
2703 * currently requires that we build a protocol tree).
2706 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2707 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
2708 have_custom_cols(&cf->cinfo) || dissect_color);
2710 /* The protocol tree will be "visible", i.e., printed, only if we're
2711 printing packet details, which is true if we're printing stuff
2712 ("print_packet_info" is true) and we're in verbose mode
2713 ("packet_details" is true). */
2714 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2716 while (to_read-- && cf->provider.wth) {
2717 wtap_cleareof(cf->provider.wth);
2718 ret = wtap_read(cf->provider.wth, &err, &err_info, &data_offset);
2719 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
2721 /* read from file failed, tell the capture child to stop */
2722 sync_pipe_stop(cap_session);
2723 wtap_close(cf->provider.wth);
2724 cf->provider.wth = NULL;
2726 ret = process_packet_single_pass(cf, edt, data_offset,
2727 wtap_get_rec(cf->provider.wth),
2728 wtap_get_buf_ptr(cf->provider.wth), tap_flags);
2731 /* packet successfully read and gone through the "Read Filter" */
2736 epan_dissect_free(edt);
2740 * Dumpcap's doing all the work; we're not doing any dissection.
2741 * Count all the packets it wrote.
2743 packet_count += to_read;
2746 if (print_packet_counts) {
2747 /* We're printing packet counts. */
2748 if (packet_count != 0) {
2749 fprintf(stderr, "\r%u ", packet_count);
2750 /* stderr could be line buffered */
2757 * Allow SIGINFO handlers to write.
2762 * If a SIGINFO handler asked us to write out capture counts, do so.
2766 #endif /* SIGINFO */
2772 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2773 /* Report the count only if we aren't printing a packet count
2774 as packets arrive. */
2775 fprintf(stderr, "%u packet%s captured\n", packet_count,
2776 plurality(packet_count, "", "s"));
2779 infoprint = FALSE; /* we just reported it */
2780 #endif /* SIGINFO */
2785 report_counts_siginfo(int signum _U_)
2787 int sav_errno = errno;
2788 /* If we've been told to delay printing, just set a flag asking
2789 that we print counts (if we're supposed to), otherwise print
2790 the count of packets captured (if we're supposed to). */
2797 #endif /* SIGINFO */
2800 /* capture child detected any packet drops? */
2802 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2804 if (print_packet_counts) {
2805 /* We're printing packet counts to stderr.
2806 Send a newline so that we move to the line after the packet count. */
2807 fprintf(stderr, "\n");
2811 /* We're printing packet counts to stderr.
2812 Send a newline so that we move to the line after the packet count. */
2813 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2819 * Capture child closed its side of the pipe, report any error and
2820 * do the required cleanup.
2823 capture_input_closed(capture_session *cap_session, gchar *msg)
2825 capture_file *cf = (capture_file *) cap_session->cf;
2828 fprintf(stderr, "tshark: %s\n", msg);
2832 if (cf != NULL && cf->provider.wth != NULL) {
2833 wtap_close(cf->provider.wth);
2834 if (cf->is_tempfile) {
2835 ws_unlink(cf->filename);
2838 #ifdef USE_BROKEN_G_MAIN_LOOP
2839 /*g_main_loop_quit(loop);*/
2840 g_main_loop_quit(loop);
2842 loop_running = FALSE;
2851 capture_cleanup(DWORD ctrltype _U_)
2853 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2854 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2855 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2856 like SIGTERM at least when the machine's shutting down.
2858 For now, we handle them all as indications that we should clean up
2859 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2862 We must return TRUE so that no other handler - such as one that would
2863 terminate the process - gets called.
2865 XXX - for some reason, typing ^C to TShark, if you run this in
2866 a Cygwin console window in at least some versions of Cygwin,
2867 causes TShark to terminate immediately; this routine gets
2868 called, but the main loop doesn't get a chance to run and
2869 exit cleanly, at least if this is compiled with Microsoft Visual
2870 C++ (i.e., it's a property of the Cygwin console window or Bash;
2871 it happens if TShark is not built with Cygwin - for all I know,
2872 building it with Cygwin may make the problem go away). */
2874 /* tell the capture child to stop */
2875 sync_pipe_stop(&global_capture_session);
2877 /* don't stop our own loop already here, otherwise status messages and
2878 * cleanup wouldn't be done properly. The child will indicate the stop of
2879 * everything by calling capture_input_closed() later */
2885 capture_cleanup(int signum _U_)
2887 /* tell the capture child to stop */
2888 sync_pipe_stop(&global_capture_session);
2890 /* don't stop our own loop already here, otherwise status messages and
2891 * cleanup wouldn't be done properly. The child will indicate the stop of
2892 * everything by calling capture_input_closed() later */
2895 #endif /* HAVE_LIBPCAP */
2898 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2899 gint64 offset, wtap_rec *rec,
2906 /* The frame number of this packet is one more than the count of
2907 frames in this packet. */
2908 framenum = cf->count + 1;
2910 /* If we're not running a display filter and we're not printing any
2911 packet information, we don't need to do a dissection. This means
2912 that all packets can be marked as 'passed'. */
2915 frame_data_init(&fdlocal, framenum, rec, offset, cum_bytes);
2917 /* If we're going to run a read filter or a display filter, set up to
2918 do a dissection and do so. (This is the first pass of two passes
2919 over the packets, so we will not be printing any information
2920 from the dissection or running taps on the packet; if we're doing
2921 any of that, we'll do it in the second pass.) */
2923 /* If we're running a read filter, prime the epan_dissect_t with that
2926 epan_dissect_prime_with_dfilter(edt, cf->rfcode);
2929 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
2931 /* This is the first pass, so prime the epan_dissect_t with the
2932 hfids postdissectors want on the first pass. */
2933 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
2935 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2936 &cf->provider.ref, cf->provider.prev_dis);
2937 if (cf->provider.ref == &fdlocal) {
2938 ref_frame = fdlocal;
2939 cf->provider.ref = &ref_frame;
2942 epan_dissect_run(edt, cf->cd_t, rec,
2943 frame_tvbuff_new(&cf->provider, &fdlocal, pd),
2946 /* Run the read filter if we have one. */
2948 passed = dfilter_apply_edt(cf->rfcode, edt);
2952 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2953 cf->provider.prev_cap = cf->provider.prev_dis = frame_data_sequence_add(cf->provider.frames, &fdlocal);
2955 /* If we're not doing dissection then there won't be any dependent frames.
2956 * More importantly, edt.pi.dependent_frames won't be initialized because
2957 * epan hasn't been initialized.
2958 * if we *are* doing dissection, then mark the dependent frames, but only
2959 * if a display filter was given and it matches this packet.
2961 if (edt && cf->dfcode) {
2962 if (dfilter_apply_edt(cf->dfcode, edt)) {
2963 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
2969 /* if we don't add it to the frame_data_sequence, clean it up right now
2971 frame_data_destroy(&fdlocal);
2975 epan_dissect_reset(edt);
2981 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt,
2982 frame_data *fdata, wtap_rec *rec,
2983 Buffer *buf, guint tap_flags)
2988 /* If we're not running a display filter and we're not printing any
2989 packet information, we don't need to do a dissection. This means
2990 that all packets can be marked as 'passed'. */
2993 /* If we're going to print packet information, or we're going to
2994 run a read filter, or we're going to process taps, set up to
2995 do a dissection and do so. (This is the second pass of two
2996 passes over the packets; that's the pass where we print
2997 packet information or run taps.) */
2999 /* If we're running a display filter, prime the epan_dissect_t with that
3002 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3004 col_custom_prime_edt(edt, &cf->cinfo);
3006 /* We only need the columns if either
3007 1) some tap needs the columns
3009 2) we're printing packet info but we're *not* verbose; in verbose
3010 mode, we print the protocol tree, not the protocol summary.
3012 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3017 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3018 &cf->provider.ref, cf->provider.prev_dis);
3019 if (cf->provider.ref == fdata) {
3021 cf->provider.ref = &ref_frame;
3024 if (dissect_color) {
3025 color_filters_prime_edt(edt);
3026 fdata->flags.need_colorize = 1;
3029 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
3030 frame_tvbuff_new_buffer(&cf->provider, fdata, buf),
3033 /* Run the read/display filter if we have one. */
3035 passed = dfilter_apply_edt(cf->dfcode, edt);
3039 frame_data_set_after_dissect(fdata, &cum_bytes);
3040 /* Process this packet. */
3041 if (print_packet_info) {
3042 /* We're printing packet information; print the information for
3044 print_packet(cf, edt);
3046 /* If we're doing "line-buffering", flush the standard output
3047 after every packet. See the comment above, for the "-l"
3048 option, for an explanation of why we do that. */
3052 if (ferror(stdout)) {
3053 show_print_file_io_error(errno);
3057 cf->provider.prev_dis = fdata;
3059 cf->provider.prev_cap = fdata;
3062 epan_dissect_reset(edt);
3064 return passed || fdata->flags.dependent_of_displayed;
3068 process_cap_file(capture_file *cf, char *save_file, int out_file_type,
3069 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3071 gboolean success = TRUE;
3073 int snapshot_length;
3076 int err = 0, err_pass1 = 0;
3077 gchar *err_info = NULL, *err_info_pass1 = NULL;
3079 gboolean filtering_tap_listeners;
3081 GArray *shb_hdrs = NULL;
3082 wtapng_iface_descriptions_t *idb_inf = NULL;
3083 GArray *nrb_hdrs = NULL;
3086 epan_dissect_t *edt = NULL;
3087 char *shb_user_appl;
3089 wtap_rec_init(&rec);
3091 idb_inf = wtap_file_get_idb_info(cf->provider.wth);
3092 #ifdef PCAP_NG_DEFAULT
3093 if (idb_inf->interface_data->len > 1) {
3094 linktype = WTAP_ENCAP_PER_PACKET;
3096 linktype = wtap_file_encap(cf->provider.wth);
3099 linktype = wtap_file_encap(cf->provider.wth);
3101 if (save_file != NULL) {
3102 /* Set up to write to the capture file. */
3103 snapshot_length = wtap_snapshot_length(cf->provider.wth);
3104 if (snapshot_length == 0) {
3105 /* Snapshot length of input file not known. */
3106 snapshot_length = WTAP_MAX_PACKET_SIZE_STANDARD;
3108 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3110 shb_hdrs = wtap_file_get_shb_for_new_file(cf->provider.wth);
3111 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->provider.wth);
3113 /* If we don't have an application name add Tshark */
3114 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3115 /* this is free'd by wtap_block_free() later */
3116 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3119 if (linktype != WTAP_ENCAP_PER_PACKET &&
3120 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3121 tshark_debug("tshark: writing PCAP format to %s", save_file);
3122 if (strcmp(save_file, "-") == 0) {
3123 /* Write to the standard output. */
3124 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3125 snapshot_length, FALSE /* compressed */, &err);
3127 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3128 snapshot_length, FALSE /* compressed */, &err);
3132 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3133 if (strcmp(save_file, "-") == 0) {
3134 /* Write to the standard output. */
3135 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3136 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3138 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3139 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3147 /* We couldn't set up to write to the capture file. */
3148 cfile_dump_open_failure_message("TShark", save_file, err, out_file_type);
3153 /* Set up to print packet information. */
3154 if (print_packet_info) {
3155 if (!write_preamble(cf)) {
3156 show_print_file_io_error(errno);
3166 /* Do we have any tap listeners with filters? */
3167 filtering_tap_listeners = have_filtering_tap_listeners();
3169 /* Get the union of the flags for all tap listeners. */
3170 tap_flags = union_of_tap_listener_flags();
3172 if (perform_two_pass_analysis) {
3175 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3177 /* Allocate a frame_data_sequence for all the frames. */
3178 cf->provider.frames = new_frame_data_sequence();
3180 if (do_dissection) {
3181 gboolean create_proto_tree;
3184 * Determine whether we need to create a protocol tree.
3187 * we're going to apply a read filter;
3189 * we're going to apply a display filter;
3191 * a postdissector wants field values or protocols
3192 * on the first pass.
3195 (cf->rfcode != NULL || cf->dfcode != NULL || postdissectors_want_hfids() || dissect_color);
3197 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3199 /* We're not going to display the protocol tree on this pass,
3200 so it's not going to be "visible". */
3201 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3204 tshark_debug("tshark: reading records for first pass");
3205 while (wtap_read(cf->provider.wth, &err, &err_info, &data_offset)) {
3206 if (process_packet_first_pass(cf, edt, data_offset, wtap_get_rec(cf->provider.wth),
3207 wtap_get_buf_ptr(cf->provider.wth))) {
3208 /* Stop reading if we have the maximum number of packets;
3209 * When the -c option has not been used, max_packet_count
3210 * starts at 0, which practically means, never stop reading.
3211 * (unless we roll over max_packet_count ?)
3213 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3214 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3215 max_packet_count, data_offset, max_byte_count);
3216 err = 0; /* This is not an error */
3223 * If we got a read error on the first pass, remember the error, so
3224 * but do the second pass, so we can at least process the packets we
3225 * read, and then report the first-pass error after the second pass
3226 * (and before we report any second-pass errors), so all the the
3227 * errors show up at the end.
3231 err_info_pass1 = err_info;
3237 epan_dissect_free(edt);
3241 /* Close the sequential I/O side, to free up memory it requires. */
3242 wtap_sequential_close(cf->provider.wth);
3244 /* Allow the protocol dissectors to free up memory that they
3245 * don't need after the sequential run-through of the packets. */
3246 postseq_cleanup_all_protocols();
3248 cf->provider.prev_dis = NULL;
3249 cf->provider.prev_cap = NULL;
3250 ws_buffer_init(&buf, 1500);
3252 tshark_debug("tshark: done with first pass");
3254 if (do_dissection) {
3255 gboolean create_proto_tree;
3258 * Determine whether we need to create a protocol tree.
3261 * we're going to apply a display filter;
3263 * we're going to print the protocol tree;
3265 * one of the tap listeners requires a protocol tree;
3267 * we have custom columns (which require field values, which
3268 * currently requires that we build a protocol tree).
3271 (cf->dfcode || print_details || filtering_tap_listeners ||
3272 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo) || dissect_color);
3274 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3276 /* The protocol tree will be "visible", i.e., printed, only if we're
3277 printing packet details, which is true if we're printing stuff
3278 ("print_packet_info" is true) and we're in verbose mode
3279 ("packet_details" is true). */
3280 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3284 * Force synchronous resolution of IP addresses; in this pass, we
3285 * can't do it in the background and fix up past dissections.
3287 set_resolution_synchrony(TRUE);
3289 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3290 fdata = frame_data_sequence_find(cf->provider.frames, framenum);
3291 if (wtap_seek_read(cf->provider.wth, fdata->file_off, &rec, &buf, &err,
3293 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3294 if (process_packet_second_pass(cf, edt, fdata, &rec, &buf,
3296 /* Either there's no read filtering or this packet passed the
3297 filter, so, if we're writing to a capture file, write
3300 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3301 if (!wtap_dump(pdh, &rec, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3302 /* Error writing to a capture file */
3303 tshark_debug("tshark: error writing to a capture file (%d)", err);
3305 /* Report the error.
3306 XXX - framenum is not necessarily the frame number in
3307 the input file if there was a read filter. */
3308 cfile_write_failure_message("TShark", cf->filename, save_file,
3309 err, err_info, framenum,
3311 wtap_dump_close(pdh, &err);
3312 wtap_block_array_free(shb_hdrs);
3313 wtap_block_array_free(nrb_hdrs);
3322 epan_dissect_free(edt);
3326 ws_buffer_free(&buf);
3328 tshark_debug("tshark: done with second pass");
3331 /* !perform_two_pass_analysis */
3333 gboolean create_proto_tree = FALSE;
3334 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3336 if (do_dissection) {
3338 * Determine whether we need to create a protocol tree.
3341 * we're going to apply a read filter;
3343 * we're going to apply a display filter;
3345 * we're going to print the protocol tree;
3347 * one of the tap listeners is going to apply a filter;
3349 * one of the tap listeners requires a protocol tree;
3351 * a postdissector wants field values or protocols
3352 * on the first pass;
3354 * we have custom columns (which require field values, which
3355 * currently requires that we build a protocol tree).
3358 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3359 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3360 have_custom_cols(&cf->cinfo) || dissect_color);
3362 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3364 /* The protocol tree will be "visible", i.e., printed, only if we're
3365 printing packet details, which is true if we're printing stuff
3366 ("print_packet_info" is true) and we're in verbose mode
3367 ("packet_details" is true). */
3368 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3372 * Force synchronous resolution of IP addresses; we're doing only
3373 * one pass, so we can't do it in the background and fix up past
3376 set_resolution_synchrony(TRUE);
3378 while (wtap_read(cf->provider.wth, &err, &err_info, &data_offset)) {
3381 tshark_debug("tshark: processing packet #%d", framenum);
3383 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3385 if (process_packet_single_pass(cf, edt, data_offset, wtap_get_rec(cf->provider.wth),
3386 wtap_get_buf_ptr(cf->provider.wth), tap_flags)) {
3387 /* Either there's no read filtering or this packet passed the
3388 filter, so, if we're writing to a capture file, write
3391 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3392 if (!wtap_dump(pdh, wtap_get_rec(cf->provider.wth), wtap_get_buf_ptr(cf->provider.wth), &err, &err_info)) {
3393 /* Error writing to a capture file */
3394 tshark_debug("tshark: error writing to a capture file (%d)", err);
3395 cfile_write_failure_message("TShark", cf->filename, save_file,
3396 err, err_info, framenum, out_file_type);
3397 wtap_dump_close(pdh, &err);
3398 wtap_block_array_free(shb_hdrs);
3399 wtap_block_array_free(nrb_hdrs);
3404 /* Stop reading if we have the maximum number of packets;
3405 * When the -c option has not been used, max_packet_count
3406 * starts at 0, which practically means, never stop reading.
3407 * (unless we roll over max_packet_count ?)
3409 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3410 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3411 max_packet_count, data_offset, max_byte_count);
3412 err = 0; /* This is not an error */
3418 epan_dissect_free(edt);
3423 wtap_rec_cleanup(&rec);
3425 if (err != 0 || err_pass1 != 0) {
3426 tshark_debug("tshark: something failed along the line (%d)", err);
3428 * Print a message noting that the read failed somewhere along the line.
3430 * If we're printing packet data, and the standard output and error are
3431 * going to the same place, flush the standard output, so everything
3432 * buffered up is written, and then print a newline to the standard error
3433 * before printing the error message, to separate it from the packet
3434 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3435 * the _fstat() documentation at Microsoft doesn't indicate whether
3436 * st_ino is even supported.)
3439 if (print_packet_info) {
3440 ws_statb64 stat_stdout, stat_stderr;
3442 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3443 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3444 stat_stdout.st_ino == stat_stderr.st_ino) {
3446 fprintf(stderr, "\n");
3451 if (err_pass1 != 0) {
3452 /* Error on pass 1 of two-pass processing. */
3453 cfile_read_failure_message("TShark", cf->filename, err_pass1,
3457 /* Error on pass 2 of two-pass processing or on the only pass of
3458 one-pass processing. */
3459 cfile_read_failure_message("TShark", cf->filename, err, err_info);
3463 if (save_file != NULL) {
3464 if (pdh && out_file_name_res) {
3465 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3466 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3467 wtap_file_type_subtype_short_string(out_file_type));
3470 /* Now close the capture file. */
3471 if (!wtap_dump_close(pdh, &err)) {
3472 cfile_close_failure_message(save_file, err);
3476 if (print_packet_info) {
3477 if (!write_finale()) {
3478 show_print_file_io_error(errno);
3485 wtap_close(cf->provider.wth);
3486 cf->provider.wth = NULL;
3488 wtap_block_array_free(shb_hdrs);
3489 wtap_block_array_free(nrb_hdrs);
3495 process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,
3496 wtap_rec *rec, const guchar *pd,
3503 /* Count this packet. */
3506 /* If we're not running a display filter and we're not printing any
3507 packet information, we don't need to do a dissection. This means
3508 that all packets can be marked as 'passed'. */
3511 frame_data_init(&fdata, cf->count, rec, offset, cum_bytes);
3513 /* If we're going to print packet information, or we're going to
3514 run a read filter, or we're going to process taps, set up to
3515 do a dissection and do so. (This is the one and only pass
3516 over the packets, so, if we'll be printing packet information
3517 or running taps, we'll be doing it here.) */
3519 /* If we're running a filter, prime the epan_dissect_t with that
3522 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3524 /* This is the first and only pass, so prime the epan_dissect_t
3525 with the hfids postdissectors want on the first pass. */
3526 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
3528 col_custom_prime_edt(edt, &cf->cinfo);
3530 /* We only need the columns if either
3531 1) some tap needs the columns
3533 2) we're printing packet info but we're *not* verbose; in verbose
3534 mode, we print the protocol tree, not the protocol summary.
3536 3) there is a column mapped as an individual field */
3537 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3542 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3543 &cf->provider.ref, cf->provider.prev_dis);
3544 if (cf->provider.ref == &fdata) {
3546 cf->provider.ref = &ref_frame;
3549 if (dissect_color) {
3550 color_filters_prime_edt(edt);
3551 fdata.flags.need_colorize = 1;
3554 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
3555 frame_tvbuff_new(&cf->provider, &fdata, pd),
3558 /* Run the filter if we have it. */
3560 passed = dfilter_apply_edt(cf->dfcode, edt);
3564 frame_data_set_after_dissect(&fdata, &cum_bytes);
3566 /* Process this packet. */
3567 if (print_packet_info) {
3568 /* We're printing packet information; print the information for
3571 print_packet(cf, edt);
3573 /* If we're doing "line-buffering", flush the standard output
3574 after every packet. See the comment above, for the "-l"
3575 option, for an explanation of why we do that. */
3579 if (ferror(stdout)) {
3580 show_print_file_io_error(errno);
3585 /* this must be set after print_packet() [bug #8160] */
3586 prev_dis_frame = fdata;
3587 cf->provider.prev_dis = &prev_dis_frame;
3590 prev_cap_frame = fdata;
3591 cf->provider.prev_cap = &prev_cap_frame;
3594 epan_dissect_reset(edt);
3595 frame_data_destroy(&fdata);
3601 write_preamble(capture_file *cf)
3603 switch (output_action) {
3606 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3610 write_pdml_preamble(stdout, cf->filename);
3612 write_psml_preamble(&cf->cinfo, stdout);
3613 return !ferror(stdout);
3616 write_fields_preamble(output_fields, stdout);
3617 return !ferror(stdout);
3620 case WRITE_JSON_RAW:
3621 write_json_preamble(stdout);
3622 return !ferror(stdout);
3625 return !ferror(stdout);
3628 g_assert_not_reached();
3634 get_line_buf(size_t len)
3636 static char *line_bufp = NULL;
3637 static size_t line_buf_len = 256;
3638 size_t new_line_buf_len;
3640 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3641 new_line_buf_len *= 2)
3643 if (line_bufp == NULL) {
3644 line_buf_len = new_line_buf_len;
3645 line_bufp = (char *)g_malloc(line_buf_len + 1);
3647 if (new_line_buf_len > line_buf_len) {
3648 line_buf_len = new_line_buf_len;
3649 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3656 put_string(char *dest, const char *str, size_t str_len)
3658 memcpy(dest, str, str_len);
3659 dest[str_len] = '\0';
3663 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3667 for (i = str_len; i < str_with_spaces; i++)
3670 put_string(dest, str, str_len);
3674 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3678 memcpy(dest, str, str_len);
3679 for (i = str_len; i < str_with_spaces; i++)
3682 dest[str_with_spaces] = '\0';
3686 print_columns(capture_file *cf, const epan_dissect_t *edt)
3693 col_item_t* col_item;
3694 gchar str_format[11];
3695 const color_filter_t *color_filter = NULL;
3697 line_bufp = get_line_buf(256);
3702 color_filter = edt->pi.fd->color_filter;
3704 for (i = 0; i < cf->cinfo.num_cols; i++) {
3705 col_item = &cf->cinfo.columns[i];
3706 /* Skip columns not marked as visible. */
3707 if (!get_column_visible(i))
3709 switch (col_item->col_fmt) {
3711 column_len = col_len = strlen(col_item->col_data);
3714 line_bufp = get_line_buf(buf_offset + column_len);
3715 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3721 case COL_ABS_YMD_TIME: /* XXX - wider */
3722 case COL_ABS_YDOY_TIME: /* XXX - wider */
3724 case COL_UTC_YMD_TIME: /* XXX - wider */
3725 case COL_UTC_YDOY_TIME: /* XXX - wider */
3726 column_len = col_len = strlen(col_item->col_data);
3727 if (column_len < 10)
3729 line_bufp = get_line_buf(buf_offset + column_len);
3730 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3736 case COL_DEF_DL_SRC:
3737 case COL_RES_DL_SRC:
3738 case COL_UNRES_DL_SRC:
3739 case COL_DEF_NET_SRC:
3740 case COL_RES_NET_SRC:
3741 case COL_UNRES_NET_SRC:
3742 column_len = col_len = strlen(col_item->col_data);
3743 if (column_len < 12)
3745 line_bufp = get_line_buf(buf_offset + column_len);
3746 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3752 case COL_DEF_DL_DST:
3753 case COL_RES_DL_DST:
3754 case COL_UNRES_DL_DST:
3755 case COL_DEF_NET_DST:
3756 case COL_RES_NET_DST:
3757 case COL_UNRES_NET_DST:
3758 column_len = col_len = strlen(col_item->col_data);
3759 if (column_len < 12)
3761 line_bufp = get_line_buf(buf_offset + column_len);
3762 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3766 column_len = strlen(col_item->col_data);
3767 line_bufp = get_line_buf(buf_offset + column_len);
3768 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3771 buf_offset += column_len;
3772 if (i != cf->cinfo.num_cols - 1) {
3774 * This isn't the last column, so we need to print a
3775 * separator between this column and the next.
3777 * If we printed a network source and are printing a
3778 * network destination of the same type next, separate
3779 * them with a UTF-8 right arrow; if we printed a network
3780 * destination and are printing a network source of the same
3781 * type next, separate them with a UTF-8 left arrow;
3782 * otherwise separate them with a space.
3784 * We add enough space to the buffer for " \xe2\x86\x90 "
3785 * or " \xe2\x86\x92 ", even if we're only adding " ".
3787 line_bufp = get_line_buf(buf_offset + 5);
3788 switch (col_item->col_fmt) {
3793 switch (cf->cinfo.columns[i+1].col_fmt) {
3798 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3799 put_string(line_bufp + buf_offset, str_format, 5);
3804 put_string(line_bufp + buf_offset, delimiter_char, 1);
3810 case COL_DEF_DL_SRC:
3811 case COL_RES_DL_SRC:
3812 case COL_UNRES_DL_SRC:
3813 switch (cf->cinfo.columns[i+1].col_fmt) {
3815 case COL_DEF_DL_DST:
3816 case COL_RES_DL_DST:
3817 case COL_UNRES_DL_DST:
3818 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3819 put_string(line_bufp + buf_offset, str_format, 5);
3824 put_string(line_bufp + buf_offset, delimiter_char, 1);
3830 case COL_DEF_NET_SRC:
3831 case COL_RES_NET_SRC:
3832 case COL_UNRES_NET_SRC:
3833 switch (cf->cinfo.columns[i+1].col_fmt) {
3835 case COL_DEF_NET_DST:
3836 case COL_RES_NET_DST:
3837 case COL_UNRES_NET_DST:
3838 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3839 put_string(line_bufp + buf_offset, str_format, 5);
3844 put_string(line_bufp + buf_offset, delimiter_char, 1);
3853 switch (cf->cinfo.columns[i+1].col_fmt) {
3858 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3859 put_string(line_bufp + buf_offset, str_format, 5);
3864 put_string(line_bufp + buf_offset, delimiter_char, 1);
3870 case COL_DEF_DL_DST:
3871 case COL_RES_DL_DST:
3872 case COL_UNRES_DL_DST:
3873 switch (cf->cinfo.columns[i+1].col_fmt) {
3875 case COL_DEF_DL_SRC:
3876 case COL_RES_DL_SRC:
3877 case COL_UNRES_DL_SRC:
3878 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3879 put_string(line_bufp + buf_offset, str_format, 5);
3884 put_string(line_bufp + buf_offset, delimiter_char, 1);
3890 case COL_DEF_NET_DST:
3891 case COL_RES_NET_DST:
3892 case COL_UNRES_NET_DST:
3893 switch (cf->cinfo.columns[i+1].col_fmt) {
3895 case COL_DEF_NET_SRC:
3896 case COL_RES_NET_SRC:
3897 case COL_UNRES_NET_SRC:
3898 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3899 put_string(line_bufp + buf_offset, str_format, 5);
3904 put_string(line_bufp + buf_offset, delimiter_char, 1);
3911 put_string(line_bufp + buf_offset, delimiter_char, 1);
3918 if (dissect_color && color_filter != NULL)
3919 return print_line_color(print_stream, 0, line_bufp, &color_filter->fg_color, &color_filter->bg_color);
3921 return print_line(print_stream, 0, line_bufp);
3925 print_packet(capture_file *cf, epan_dissect_t *edt)
3927 if (print_summary || output_fields_has_cols(output_fields))
3928 /* Just fill in the columns. */
3929 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3931 /* Print summary columns and/or protocol tree */
3932 switch (output_action) {
3935 if (print_summary && !print_columns(cf, edt))
3937 if (print_details) {
3938 if (!proto_tree_print(print_details ? print_dissections_expanded : print_dissections_none,
3939 print_hex, edt, output_only_tables, print_stream))
3942 if (!print_line(print_stream, 0, separator))
3949 if (print_summary) {
3950 write_psml_columns(edt, stdout, dissect_color);
3951 return !ferror(stdout);
3953 if (print_details) {
3954 write_pdml_proto_tree(output_fields, protocolfilter, protocolfilter_flags, edt, &cf->cinfo, stdout, dissect_color);
3956 return !ferror(stdout);
3961 if (print_summary) {
3962 /*No non-verbose "fields" format */
3963 g_assert_not_reached();
3965 if (print_details) {
3966 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
3968 return !ferror(stdout);
3974 g_assert_not_reached();
3975 if (print_details) {
3976 write_json_proto_tree(output_fields, print_dissections_expanded,
3977 print_hex, protocolfilter, protocolfilter_flags,
3978 edt, &cf->cinfo, node_children_grouper, stdout);
3979 return !ferror(stdout);
3983 case WRITE_JSON_RAW:
3985 g_assert_not_reached();
3986 if (print_details) {
3987 write_json_proto_tree(output_fields, print_dissections_none, TRUE,
3988 protocolfilter, protocolfilter_flags,
3989 edt, &cf->cinfo, node_children_grouper, stdout);
3990 return !ferror(stdout);
3995 write_ek_proto_tree(output_fields, print_summary, print_hex, protocolfilter,
3996 protocolfilter_flags, edt, &cf->cinfo, stdout);
3997 return !ferror(stdout);
4001 if (print_summary || print_details) {
4002 if (!print_line(print_stream, 0, ""))
4005 if (!print_hex_data(print_stream, edt))
4007 if (!print_line(print_stream, 0, separator))
4016 switch (output_action) {
4019 return print_finale(print_stream);
4023 write_pdml_finale(stdout);
4025 write_psml_finale(stdout);
4026 return !ferror(stdout);
4029 write_fields_finale(output_fields, stdout);
4030 return !ferror(stdout);
4033 case WRITE_JSON_RAW:
4034 write_json_finale(stdout);
4035 return !ferror(stdout);
4038 return !ferror(stdout);
4041 g_assert_not_reached();
4047 cf_close(capture_file *cf)
4049 g_free(cf->filename);
4053 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4058 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4062 /* The open succeeded. Fill in the information for this file. */
4064 /* Create new epan session for dissection. */
4065 epan_free(cf->epan);
4066 cf->epan = tshark_epan_new(cf);
4068 cf->provider.wth = wth;
4069 cf->f_datalen = 0; /* not used, but set it anyway */
4071 /* Set the file name because we need it to set the follow stream filter.
4072 XXX - is that still true? We need it for other reasons, though,
4074 cf->filename = g_strdup(fname);
4076 /* Indicate whether it's a permanent or temporary file. */
4077 cf->is_tempfile = is_tempfile;
4079 /* No user changes yet. */
4080 cf->unsaved_changes = FALSE;
4082 cf->cd_t = wtap_file_type_subtype(cf->provider.wth);
4083 cf->open_type = type;
4085 cf->drops_known = FALSE;
4087 cf->snap = wtap_snapshot_length(cf->provider.wth);
4088 nstime_set_zero(&cf->elapsed_time);
4089 cf->provider.ref = NULL;
4090 cf->provider.prev_dis = NULL;
4091 cf->provider.prev_cap = NULL;
4093 cf->state = FILE_READ_IN_PROGRESS;
4095 wtap_set_cb_new_ipv4(cf->provider.wth, add_ipv4_name);
4096 wtap_set_cb_new_ipv6(cf->provider.wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4101 cfile_open_failure_message("TShark", fname, *err, err_info);
4106 show_print_file_io_error(int err)
4111 cmdarg_err("Not all the packets could be printed because there is "
4112 "no space left on the file system.");
4117 cmdarg_err("Not all the packets could be printed because you are "
4118 "too close to, or over your disk quota.");
4123 cmdarg_err("An error occurred while printing packets: %s.",
4130 * General errors and warnings are reported with an console message
4134 failure_warning_message(const char *msg_format, va_list ap)
4136 fprintf(stderr, "tshark: ");
4137 vfprintf(stderr, msg_format, ap);
4138 fprintf(stderr, "\n");
4142 * Open/create errors are reported with an console message in TShark.
4145 open_failure_message(const char *filename, int err, gboolean for_writing)
4147 fprintf(stderr, "tshark: ");
4148 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4149 fprintf(stderr, "\n");
4153 * Read errors are reported with an console message in TShark.
4156 read_failure_message(const char *filename, int err)
4158 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4159 filename, g_strerror(err));
4163 * Write errors are reported with an console message in TShark.
4166 write_failure_message(const char *filename, int err)
4168 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4169 filename, g_strerror(err));
4172 static void reset_epan_mem(capture_file *cf,epan_dissect_t *edt, gboolean tree, gboolean visual)
4174 if (!epan_auto_reset || (cf->count < epan_auto_reset_count))
4177 fprintf(stderr, "resetting session.\n");
4179 epan_dissect_cleanup(edt);
4180 epan_free(cf->epan);
4182 cf->epan = tshark_epan_new(cf);
4183 epan_dissect_init(edt, cf->epan, tree, visual);
4188 * Report additional information for an error in command-line arguments.
4191 failure_message_cont(const char *msg_format, va_list ap)
4193 vfprintf(stderr, msg_format, ap);
4194 fprintf(stderr, "\n");
4198 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4203 * indent-tabs-mode: nil
4206 * vi: set shiftwidth=2 tabstop=8 expandtab:
4207 * :indentSize=2:tabSize=8:noTabs=true: