3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
51 #ifdef HAVE_SYS_STAT_H
52 # include <sys/stat.h>
56 #include <zlib.h> /* to get the libz version number */
60 # include <sys/capability.h>
63 #ifndef HAVE_GETOPT_LONG
64 #include "wsutil/wsgetopt.h"
69 #include <epan/exceptions.h>
70 #include <epan/epan-int.h>
71 #include <epan/epan.h>
73 #include <wsutil/clopts_common.h>
74 #include <wsutil/cmdarg_err.h>
75 #include <wsutil/crash_info.h>
76 #include <wsutil/filesystem.h>
77 #include <wsutil/file_util.h>
78 #include <wsutil/privileges.h>
79 #include <wsutil/report_err.h>
80 #include <wsutil/ws_diag_control.h>
81 #include <wsutil/ws_version_info.h>
84 #include <epan/timestamp.h>
85 #include <epan/packet.h>
87 #include <epan/wslua/init_wslua.h>
90 #include "frame_tvbuff.h"
91 #include <epan/disabled_protos.h>
92 #include <epan/prefs.h>
93 #include <epan/column.h>
94 #include <epan/print.h>
95 #include <epan/addr_resolv.h>
97 #include "ui/capture_ui_utils.h"
100 #include "ui/ui_util.h"
101 #include "ui/cli/tshark-tap.h"
102 #include "register.h"
103 #include <epan/epan_dissect.h>
104 #include <epan/tap.h>
105 #include <epan/stat_tap_ui.h>
106 #include <epan/conversation_table.h>
107 #include <epan/srt_table.h>
108 #include <epan/rtd_table.h>
109 #include <epan/ex-opt.h>
111 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
112 #include <epan/asn1.h>
113 #include <epan/dissectors/packet-kerberos.h>
116 #include "capture_opts.h"
118 #include "caputils/capture-pcap-util.h"
121 #include "caputils/capture_ifinfo.h"
123 #include "caputils/capture-wpcap.h"
124 #include <wsutil/os_version_info.h>
125 #include <wsutil/unicode-utils.h>
127 #include <capchild/capture_session.h>
128 #include <capchild/capture_sync.h>
129 #endif /* HAVE_LIBPCAP */
131 #include <epan/funnel.h>
134 #include <wsutil/plugins.h>
139 #define tshark_debug(...) g_warning(__VA_ARGS__)
141 #define tshark_debug(...)
146 * This is the template for the decode as option; it is shared between the
147 * various functions that output the usage for this parameter.
149 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
151 static guint32 cum_bytes;
152 static const frame_data *ref;
153 static frame_data ref_frame;
154 static frame_data *prev_dis;
155 static frame_data prev_dis_frame;
156 static frame_data *prev_cap;
157 static frame_data prev_cap_frame;
159 static const char* prev_display_dissector_name = NULL;
161 static gboolean perform_two_pass_analysis;
164 * The way the packet decode is to be written.
167 WRITE_TEXT, /* summary or detail text */
168 WRITE_XML, /* PDML or PSML */
169 WRITE_FIELDS /* User defined list of fields */
170 /* Add CSV and the like here */
173 static output_action_e output_action;
174 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
175 static gboolean print_packet_info; /* TRUE if we're to print packet information */
176 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
177 static gboolean print_details; /* TRUE if we're to print packet details information */
178 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
179 static gboolean line_buffered;
180 static gboolean really_quiet = FALSE;
182 static print_format_e print_format = PR_FMT_TEXT;
183 static print_stream_t *print_stream;
185 static output_fields_t* output_fields = NULL;
187 /* The line separator used between packets, changeable via the -S option */
188 static const char *separator = "";
192 * TRUE if we're to print packet counts to keep track of captured packets.
194 static gboolean print_packet_counts;
196 static capture_options global_capture_opts;
197 static capture_session global_capture_session;
200 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
201 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
204 static gboolean capture(void);
205 static void report_counts(void);
207 static BOOL WINAPI capture_cleanup(DWORD);
209 static void capture_cleanup(int);
211 static void report_counts_siginfo(int);
215 #else /* HAVE_LIBPCAP */
217 static char *output_file_name;
219 #endif /* HAVE_LIBPCAP */
221 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
222 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
223 struct wtap_pkthdr *whdr, const guchar *pd,
225 static void show_capture_file_io_error(const char *, int, gboolean);
226 static void show_print_file_io_error(int err);
227 static gboolean write_preamble(capture_file *cf);
228 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
229 static gboolean write_finale(void);
230 static const char *cf_open_error_message(int err, gchar *err_info,
231 gboolean for_writing, int file_type);
233 static void open_failure_message(const char *filename, int err,
234 gboolean for_writing);
235 static void failure_message(const char *msg_format, va_list ap);
236 static void read_failure_message(const char *filename, int err);
237 static void write_failure_message(const char *filename, int err);
238 static void failure_message_cont(const char *msg_format, va_list ap);
242 static GHashTable *output_only_tables = NULL;
245 const char *sstr; /* The short string */
246 const char *lstr; /* The long string */
250 string_compare(gconstpointer a, gconstpointer b)
252 return strcmp(((const struct string_elem *)a)->sstr,
253 ((const struct string_elem *)b)->sstr);
257 string_elem_print(gpointer data, gpointer not_used _U_)
259 fprintf(stderr, " %s - %s\n",
260 ((struct string_elem *)data)->sstr,
261 ((struct string_elem *)data)->lstr);
265 list_capture_types(void) {
267 struct string_elem *captypes;
270 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
272 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
273 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
274 if (wtap_dump_can_open(i)) {
275 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
276 captypes[i].lstr = wtap_file_type_subtype_string(i);
277 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
280 g_slist_foreach(list, string_elem_print, NULL);
286 list_read_capture_types(void) {
288 struct string_elem *captypes;
290 const char *magic = "Magic-value-based";
291 const char *heuristic = "Heuristics-based";
293 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
294 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
296 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
297 for (i = 0; open_routines[i].name != NULL; i++) {
298 captypes[i].sstr = open_routines[i].name;
299 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
300 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
302 g_slist_foreach(list, string_elem_print, NULL);
308 print_usage(FILE *output)
310 fprintf(output, "\n");
311 fprintf(output, "Usage: tshark [options] ...\n");
312 fprintf(output, "\n");
315 fprintf(output, "Capture interface:\n");
316 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
317 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
318 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
319 fprintf(output, " -p don't capture in promiscuous mode\n");
320 #ifdef HAVE_PCAP_CREATE
321 fprintf(output, " -I capture in monitor mode, if available\n");
323 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
324 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
326 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
327 fprintf(output, " -D print list of interfaces and exit\n");
328 fprintf(output, " -L print list of link-layer types of iface and exit\n");
329 fprintf(output, "\n");
330 fprintf(output, "Capture stop conditions:\n");
331 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
332 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
333 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
334 fprintf(output, " files:NUM - stop after NUM files\n");
335 /*fprintf(output, "\n");*/
336 fprintf(output, "Capture output:\n");
337 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
338 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
339 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
340 #endif /* HAVE_LIBPCAP */
341 #ifdef HAVE_PCAP_REMOTE
342 fprintf(output, "RPCAP options:\n");
343 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
345 /*fprintf(output, "\n");*/
346 fprintf(output, "Input file:\n");
347 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
349 fprintf(output, "\n");
350 fprintf(output, "Processing:\n");
351 fprintf(output, " -2 perform a two-pass analysis\n");
352 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
353 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
354 fprintf(output, " syntax\n");
355 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
356 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
357 fprintf(output, " -d %s ...\n", decode_as_arg_template);
358 fprintf(output, " \"Decode As\", see the man page for details\n");
359 fprintf(output, " Example: tcp.port==8888,http\n");
360 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
361 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
362 fprintf(output, " --disable-protocol <proto_name>\n");
363 fprintf(output, " disable dissection of proto_name\n");
364 fprintf(output, " --enable-heuristic <short_name>\n");
365 fprintf(output, " enable dissection of heuristic protocol\n");
366 fprintf(output, " --disable-heuristic <short_name>\n");
367 fprintf(output, " disable dissection of heuristic protocol\n");
369 /*fprintf(output, "\n");*/
370 fprintf(output, "Output:\n");
371 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
372 fprintf(output, " (or to the standard output for \"-\")\n");
373 fprintf(output, " -C <config profile> start with specified configuration profile\n");
374 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
375 fprintf(output, " an empty \"-F\" option will list the file types\n");
376 fprintf(output, " -V add output of packet tree (Packet Details)\n");
377 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
378 fprintf(output, " separated\n");
379 fprintf(output, " -P print packet summary even when writing to a file\n");
380 fprintf(output, " -S <separator> the line separator to print between packets\n");
381 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
382 fprintf(output, " -T pdml|ps|psml|text|fields\n");
383 fprintf(output, " format of text output (def: text)\n");
384 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
385 fprintf(output, " _ws.col.Info)\n");
386 fprintf(output, " this option can be repeated to print multiple fields\n");
387 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
388 fprintf(output, " header=y|n switch headers on and off\n");
389 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
390 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
391 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
392 fprintf(output, " aggregator\n");
393 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
394 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
395 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
396 fprintf(output, " -l flush standard output after each packet\n");
397 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
398 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
399 fprintf(output, " -g enable group read access on the output file(s)\n");
400 fprintf(output, " -W n Save extra information in the file, if supported.\n");
401 fprintf(output, " n = write network address resolution information\n");
402 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
403 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
404 fprintf(output, " --capture-comment <comment>\n");
405 fprintf(output, " add a capture comment to the newly created\n");
406 fprintf(output, " output file (only for pcapng)\n");
408 fprintf(output, "\n");
409 fprintf(output, "Miscellaneous:\n");
410 fprintf(output, " -h display this help and exit\n");
411 fprintf(output, " -v display version info and exit\n");
412 fprintf(output, " -o <name>:<value> ... override preference setting\n");
413 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
414 fprintf(output, " -G [report] dump one of several available reports and exit\n");
415 fprintf(output, " default report=\"fields\"\n");
416 fprintf(output, " use \"-G ?\" for more help\n");
418 fprintf(output, "\n");
419 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
420 fprintf(output, "You might want to reset it\n");
421 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
422 fprintf(output, "\n");
428 glossary_option_help(void)
434 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
436 fprintf(output, "\n");
437 fprintf(output, "Usage: tshark -G [report]\n");
438 fprintf(output, "\n");
439 fprintf(output, "Glossary table reports:\n");
440 fprintf(output, " -G column-formats dump column format codes and exit\n");
441 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
442 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
443 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
444 fprintf(output, " -G fields dump fields glossary and exit\n");
445 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
446 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
447 fprintf(output, " -G plugins dump installed plugins and exit\n");
448 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
449 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
450 fprintf(output, "\n");
451 fprintf(output, "Preference reports:\n");
452 fprintf(output, " -G currentprefs dump current preferences and exit\n");
453 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
454 fprintf(output, "\n");
458 * For a dissector table, print on the stream described by output,
459 * its short name (which is what's used in the "-d" option) and its
463 display_dissector_table_names(const char *table_name, const char *ui_name,
466 if ((prev_display_dissector_name == NULL) ||
467 (strcmp(prev_display_dissector_name, table_name) != 0)) {
468 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
469 prev_display_dissector_name = table_name;
474 * For a dissector handle, print on the stream described by output,
475 * the filter name (which is what's used in the "-d" option) and the full
476 * name for the protocol that corresponds to this handle.
479 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
482 const gchar *proto_filter_name;
483 const gchar *proto_ui_name;
485 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
487 if (proto_id != -1) {
488 proto_filter_name = proto_get_protocol_filter_name(proto_id);
489 proto_ui_name = proto_get_protocol_name(proto_id);
490 g_assert(proto_filter_name != NULL);
491 g_assert(proto_ui_name != NULL);
493 if ((prev_display_dissector_name == NULL) ||
494 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
495 fprintf((FILE *)output, "\t%s (%s)\n",
498 prev_display_dissector_name = proto_filter_name;
504 * The protocol_name_search structure is used by find_protocol_name_func()
505 * to pass parameters and store results
507 struct protocol_name_search{
508 gchar *searched_name; /* Protocol filter name we are looking for */
509 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
510 guint nb_match; /* How many dissectors matched searched_name */
512 typedef struct protocol_name_search *protocol_name_search_t;
515 * This function parses all dissectors associated with a table to find the
516 * one whose protocol has the specified filter name. It is called
517 * as a reference function in a call to dissector_table_foreach_handle.
518 * The name we are looking for, as well as the results, are stored in the
519 * protocol_name_search struct pointed to by user_data.
520 * If called using dissector_table_foreach_handle, we actually parse the
521 * whole list of dissectors.
524 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
528 const gchar *protocol_filter_name;
529 protocol_name_search_t search_info;
533 search_info = (protocol_name_search_t)user_data;
535 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
536 if (proto_id != -1) {
537 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
538 g_assert(protocol_filter_name != NULL);
539 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
541 if (search_info->nb_match == 0) {
542 /* Record this handle only if this is the first match */
543 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
545 search_info->nb_match++;
551 * Allow dissector key names to be sorted alphabetically
555 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
557 return strcmp((const char*)dissector_a, (const char*)dissector_b);
561 * Print all layer type names supported.
562 * We send the output to the stream described by the handle output.
566 fprint_all_layer_types(FILE *output)
569 prev_display_dissector_name = NULL;
570 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
574 * Print all protocol names supported for a specific layer type.
575 * table_name contains the layer type name in which the search is performed.
576 * We send the output to the stream described by the handle output.
580 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
583 prev_display_dissector_name = NULL;
584 dissector_table_foreach_handle(table_name,
585 display_dissector_names,
590 * The function below parses the command-line parameters for the decode as
591 * feature (a string pointer by cl_param).
592 * It checks the format of the command-line, searches for a matching table
593 * and dissector. If a table/dissector match is not found, we display a
594 * summary of the available tables/dissectors (on stderr) and return FALSE.
595 * If everything is fine, we get the "Decode as" preference activated,
596 * then we return TRUE.
599 add_decode_as(const gchar *cl_param)
602 guint32 selector, selector2;
603 gchar *decoded_param;
604 gchar *remaining_param;
606 gchar *dissector_str;
607 dissector_handle_t dissector_matching;
608 dissector_table_t table_matching;
609 ftenum_t dissector_table_selector_type;
610 struct protocol_name_search user_protocol_name;
614 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
617 decoded_param = g_strdup(cl_param);
618 g_assert(decoded_param);
621 /* The lines below will parse this string (modifying it) to extract all
622 necessary information. Note that decoded_param is still needed since
623 strings are not copied - we just save pointers. */
625 /* This section extracts a layer type (table_name) from decoded_param */
626 table_name = decoded_param; /* Layer type string starts from beginning */
628 remaining_param = strchr(table_name, '=');
629 if (remaining_param == NULL) {
630 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
631 /* If the argument does not follow the template, carry on anyway to check
632 if the table name is at least correct. If remaining_param is NULL,
633 we'll exit anyway further down */
636 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
639 /* Remove leading and trailing spaces from the table name */
640 while ( table_name[0] == ' ' )
642 while ( table_name[strlen(table_name) - 1] == ' ' )
643 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
645 /* The following part searches a table matching with the layer type specified */
646 table_matching = NULL;
648 /* Look for the requested table */
649 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
650 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
653 table_matching = find_dissector_table(table_name);
654 if (!table_matching) {
655 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
659 if (!table_matching) {
660 /* Display a list of supported layer types to help the user, if the
661 specified layer type was not found */
662 cmdarg_err("Valid layer types are:");
663 fprint_all_layer_types(stderr);
665 if (remaining_param == NULL || !table_matching) {
666 /* Exit if the layer type was not found, or if no '=' separator was found
668 g_free(decoded_param);
672 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
673 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
676 remaining_param++; /* Move to the second '=' */
677 *remaining_param = '\0'; /* Remove the second '=' */
679 remaining_param++; /* Position after the layer type string */
681 /* This section extracts a selector value (selector_str) from decoded_param */
683 selector_str = remaining_param; /* Next part starts with the selector number */
685 remaining_param = strchr(selector_str, ',');
686 if (remaining_param == NULL) {
687 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
688 /* If the argument does not follow the template, carry on anyway to check
689 if the selector value is at least correct. If remaining_param is NULL,
690 we'll exit anyway further down */
693 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
696 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
698 switch (dissector_table_selector_type) {
704 /* The selector for this table is an unsigned number. Parse it as such.
705 There's no need to remove leading and trailing spaces from the
706 selector number string, because sscanf will do that for us. */
707 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
712 if (op != ':' && op != '-') {
713 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
714 g_free(decoded_param);
718 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
719 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
720 g_free(decoded_param);
724 else if (selector2 < selector) {
725 /* We could swap them for the user, but maybe it's better to call
726 * this out as an error in case it's not what was intended? */
727 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
728 g_free(decoded_param);
733 cmdarg_err("Invalid selector number \"%s\"", selector_str);
734 g_free(decoded_param);
743 /* The selector for this table is a string. */
747 /* There are currently no dissector tables with any types other
748 than the ones listed above. */
749 g_assert_not_reached();
752 if (remaining_param == NULL) {
753 /* Exit if no ',' separator was found (see above) */
754 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
755 fprint_all_protocols_for_layer_types(stderr, table_name);
756 g_free(decoded_param);
760 remaining_param++; /* Position after the selector number string */
762 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
764 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
766 /* Remove leading and trailing spaces from the dissector name */
767 while ( dissector_str[0] == ' ' )
769 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
770 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
772 dissector_matching = NULL;
774 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
775 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
776 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
779 user_protocol_name.nb_match = 0;
780 user_protocol_name.searched_name = dissector_str;
781 user_protocol_name.matched_handle = NULL;
783 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
785 if (user_protocol_name.nb_match != 0) {
786 dissector_matching = user_protocol_name.matched_handle;
787 if (user_protocol_name.nb_match > 1) {
788 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
792 /* OK, check whether the problem is that there isn't any such
793 protocol, or that there is but it's not specified as a protocol
794 that's valid for that dissector table.
795 Note, we don't exit here, but dissector_matching will remain NULL,
797 if (proto_get_id_by_filter_name(dissector_str) == -1) {
798 /* No such protocol */
799 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
801 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
802 dissector_str, table_name);
807 if (!dissector_matching) {
808 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
809 fprint_all_protocols_for_layer_types(stderr, table_name);
810 g_free(decoded_param);
814 /* This is the end of the code that parses the command-line options.
815 All information is now stored in the variables:
819 The above variables that are strings are still pointing to areas within
820 decoded_parm. decoded_parm thus still needs to be kept allocated in
821 until we stop needing these variables
822 decoded_param will be deallocated at each exit point of this function */
825 /* We now have a pointer to the handle for the requested dissector
826 (requested protocol) inside the variable dissector_matching */
827 switch (dissector_table_selector_type) {
833 /* The selector for this table is an unsigned number. */
835 dissector_change_uint(table_name, selector, dissector_matching);
836 } else if (op == ':') {
837 for (i = selector; i < (guint64)selector + selector2; i++) {
838 dissector_change_uint(table_name, (guint32)i, dissector_matching);
840 } else { /* op == '-' */
841 for (i = selector; i <= selector2; i++) {
842 dissector_change_uint(table_name, (guint32)i, dissector_matching);
851 /* The selector for this table is a string. */
852 dissector_change_string(table_name, selector_str, dissector_matching);
856 /* There are currently no dissector tables with any types other
857 than the ones listed above. */
858 g_assert_not_reached();
860 g_free(decoded_param); /* "Decode As" rule has been successfully added */
865 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
866 const gchar *message, gpointer user_data)
868 /* ignore log message, if log_level isn't interesting based
869 upon the console log preferences.
870 If the preferences haven't been loaded loaded yet, display the
873 The default console_log_level preference value is such that only
874 ERROR, CRITICAL and WARNING level messages are processed;
875 MESSAGE, INFO and DEBUG level messages are ignored.
877 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
878 ERROR and CRITICAL level messages so the current code is a behavioral
879 change. The current behavior is the same as in Wireshark.
881 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
882 prefs.console_log_level != 0) {
886 g_log_default_handler(log_domain, log_level, message, user_data);
891 output_file_description(const char *fname)
893 char *save_file_string;
895 /* Get a string that describes what we're writing to */
896 if (strcmp(fname, "-") == 0) {
897 /* We're writing to the standard output */
898 save_file_string = g_strdup("standard output");
900 /* We're writing to a file with the name in save_file */
901 save_file_string = g_strdup_printf("file \"%s\"", fname);
903 return save_file_string;
907 print_current_user(void) {
908 gchar *cur_user, *cur_group;
910 if (started_with_special_privs()) {
911 cur_user = get_cur_username();
912 cur_group = get_cur_groupname();
913 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
914 cur_user, cur_group);
917 if (running_with_special_privs()) {
918 fprintf(stderr, " This could be dangerous.");
920 fprintf(stderr, "\n");
925 get_tshark_compiled_version_info(GString *str)
927 /* Capture libraries */
928 get_compiled_caplibs_version(str);
931 g_string_append(str, ", ");
933 g_string_append(str, "with libz ");
935 g_string_append(str, ZLIB_VERSION);
936 #else /* ZLIB_VERSION */
937 g_string_append(str, "(version unknown)");
938 #endif /* ZLIB_VERSION */
939 #else /* HAVE_LIBZ */
940 g_string_append(str, "without libz");
941 #endif /* HAVE_LIBZ */
945 get_tshark_runtime_version_info(GString *str)
948 /* Capture libraries */
949 g_string_append(str, ", ");
950 get_runtime_caplibs_version(str);
954 #if defined(HAVE_LIBZ) && !defined(_WIN32)
955 g_string_append_printf(str, ", with libz %s", zlibVersion());
958 /* stuff used by libwireshark */
959 epan_get_runtime_version_info(str);
963 main(int argc, char *argv[])
965 GString *comp_info_str;
966 GString *runtime_info_str;
967 char *init_progfile_dir_error;
970 static const struct option long_options[] = {
971 {(char *)"help", no_argument, NULL, 'h'},
972 {(char *)"version", no_argument, NULL, 'v'},
973 LONGOPT_CAPTURE_COMMON
977 gboolean arg_error = FALSE;
983 char *gpf_path, *pf_path;
984 char *gdp_path, *dp_path;
985 int gpf_open_errno, gpf_read_errno;
986 int pf_open_errno, pf_read_errno;
987 int gdp_open_errno, gdp_read_errno;
988 int dp_open_errno, dp_read_errno;
990 volatile int exit_status = 0;
992 gboolean list_link_layer_types = FALSE;
993 gboolean start_capture = FALSE;
998 gboolean capture_option_specified = FALSE;
1000 gboolean quiet = FALSE;
1001 #ifdef PCAP_NG_DEFAULT
1002 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
1004 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
1006 volatile gboolean out_file_name_res = FALSE;
1007 volatile int in_file_type = WTAP_TYPE_AUTO;
1008 gchar *volatile cf_name = NULL;
1009 gchar *rfilter = NULL;
1010 gchar *dfilter = NULL;
1011 #ifdef HAVE_PCAP_OPEN_DEAD
1012 struct bpf_program fcode;
1014 dfilter_t *rfcode = NULL;
1015 dfilter_t *dfcode = NULL;
1020 gchar *output_only = NULL;
1021 GSList *disable_protocol_slist = NULL;
1022 GSList *enable_heur_slist = NULL;
1023 GSList *disable_heur_slist = NULL;
1026 * The leading + ensures that getopt_long() does not permute the argv[]
1029 * We have to make sure that the first getopt_long() preserves the content
1030 * of argv[] for the subsequent getopt_long() call.
1032 * We use getopt_long() in both cases to ensure that we're using a routine
1033 * whose permutation behavior we can control in the same fashion on all
1034 * platforms, and so that, if we ever need to process a long argument before
1035 * doing further initialization, we can do so.
1037 * Glibc and Solaris libc document that a leading + disables permutation
1038 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1039 * and OS X don't document it, but do so anyway.
1041 * We do *not* use a leading - because the behavior of a leading - is
1042 * platform-dependent.
1044 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1046 static const char optstring[] = OPTSTRING;
1048 tshark_debug("tshark started with %d args", argc);
1050 /* Set the C-language locale to the native environment. */
1051 setlocale(LC_ALL, "");
1053 cmdarg_err_init(failure_message, failure_message_cont);
1056 arg_list_utf_16to8(argc, argv);
1057 create_app_running_mutex();
1058 #if !GLIB_CHECK_VERSION(2,31,0)
1059 g_thread_init(NULL);
1064 * Get credential information for later use, and drop privileges
1065 * before doing anything else.
1066 * Let the user know if anything happened.
1068 init_process_policies();
1069 relinquish_special_privs_perm();
1070 print_current_user();
1073 * Attempt to get the pathname of the executable file.
1075 init_progfile_dir_error = init_progfile_dir(argv[0], (void *)main);
1076 if (init_progfile_dir_error != NULL) {
1077 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1078 init_progfile_dir_error);
1081 initialize_funnel_ops();
1084 /* Load wpcap if possible. Do this before collecting the run-time version information */
1087 /* Warn the user if npf.sys isn't loaded. */
1088 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1089 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1090 "capturing or\nlisting interfaces.\n");
1094 /* Get the compile-time version information string */
1095 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1096 epan_get_compiled_version_info);
1098 /* Get the run-time version information string */
1099 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1101 /* Add it to the information to be reported on a crash. */
1102 ws_add_crash_info("TShark (Wireshark) %s\n"
1107 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1108 g_string_free(comp_info_str, TRUE);
1109 g_string_free(runtime_info_str, TRUE);
1112 * In order to have the -X opts assigned before the wslua machine starts
1113 * we need to call getopt_long before epan_init() gets called.
1115 * In order to handle, for example, -o options, we also need to call it
1116 * *after* epan_init() gets called, so that the dissectors have had a
1117 * chance to register their preferences.
1119 * XXX - can we do this all with one getopt_long() call, saving the
1120 * arguments we can't handle until after initializing libwireshark,
1121 * and then process them after initializing libwireshark?
1125 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1127 case 'C': /* Configuration Profile */
1128 if (profile_exists (optarg, FALSE)) {
1129 set_profile_name (optarg);
1131 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1135 case 'P': /* Print packet summary info even when writing to a file */
1136 print_packet_info = TRUE;
1137 print_summary = TRUE;
1139 case 'O': /* Only output these protocols */
1140 output_only = g_strdup(optarg);
1142 case 'V': /* Verbose */
1143 print_details = TRUE;
1144 print_packet_info = TRUE;
1146 case 'x': /* Print packet data in hex (and ASCII) */
1148 /* The user asked for hex output, so let's ensure they get it,
1149 * even if they're writing to a file.
1151 print_packet_info = TRUE;
1162 * Print packet summary information is the default, unless either -V or -x
1163 * were specified and -P was not. Note that this is new behavior, which
1164 * allows for the possibility of printing only hex/ascii output without
1165 * necessarily requiring that either the summary or details be printed too.
1167 if (print_summary == -1)
1168 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1170 /** Send All g_log messages to our own handler **/
1174 G_LOG_LEVEL_CRITICAL|
1175 G_LOG_LEVEL_WARNING|
1176 G_LOG_LEVEL_MESSAGE|
1179 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1181 g_log_set_handler(NULL,
1182 (GLogLevelFlags)log_flags,
1183 tshark_log_handler, NULL /* user_data */);
1184 g_log_set_handler(LOG_DOMAIN_MAIN,
1185 (GLogLevelFlags)log_flags,
1186 tshark_log_handler, NULL /* user_data */);
1189 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1190 (GLogLevelFlags)log_flags,
1191 tshark_log_handler, NULL /* user_data */);
1192 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1193 (GLogLevelFlags)log_flags,
1194 tshark_log_handler, NULL /* user_data */);
1197 init_report_err(failure_message, open_failure_message, read_failure_message,
1198 write_failure_message);
1201 capture_opts_init(&global_capture_opts);
1202 capture_session_init(&global_capture_session, &cfile);
1205 timestamp_set_type(TS_RELATIVE);
1206 timestamp_set_precision(TS_PREC_AUTO);
1207 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1209 init_open_routines();
1212 /* Register all the plugin types we have. */
1213 epan_register_plugin_types(); /* Types known to libwireshark */
1214 wtap_register_plugin_types(); /* Types known to libwiretap */
1216 /* Scan for plugins. This does *not* call their registration routines;
1217 that's done later. */
1220 /* Register all libwiretap plugin modules. */
1221 register_all_wiretap_modules();
1224 /* Register all dissectors; we must do this before checking for the
1225 "-G" flag, as the "-G" flag dumps information registered by the
1226 dissectors, and we must do it before we read the preferences, in
1227 case any dissectors register preferences. */
1228 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1230 /* Register all tap listeners; we do this before we parse the arguments,
1231 as the "-z" argument can specify a registered tap. */
1233 /* we register the plugin taps before the other taps because
1234 stats_tree taps plugins will be registered as tap listeners
1235 by stats_tree_stat.c and need to registered before that */
1237 register_all_plugin_tap_listeners();
1239 register_all_tap_listeners();
1240 conversation_table_set_gui_info(init_iousers);
1241 hostlist_table_set_gui_info(init_hostlists);
1242 srt_table_iterate_tables(register_srt_tables, NULL);
1243 rtd_table_iterate_tables(register_rtd_tables, NULL);
1244 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1246 /* If invoked with the "-G" flag, we dump out information based on
1247 the argument to the "-G" flag; if no argument is specified,
1248 for backwards compatibility we dump out a glossary of display
1251 XXX - we do this here, for now, to support "-G" with no arguments.
1252 If none of our build or other processes uses "-G" with no arguments,
1253 we can just process it with the other arguments. */
1254 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1255 proto_initialize_all_prefixes();
1258 proto_registrar_dump_fields();
1260 if (strcmp(argv[2], "column-formats") == 0)
1261 column_dump_column_formats();
1262 else if (strcmp(argv[2], "currentprefs") == 0) {
1263 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1264 &pf_open_errno, &pf_read_errno, &pf_path);
1267 else if (strcmp(argv[2], "decodes") == 0)
1268 dissector_dump_decodes();
1269 else if (strcmp(argv[2], "defaultprefs") == 0)
1271 else if (strcmp(argv[2], "dissector-tables") == 0)
1272 dissector_dump_dissector_tables();
1273 else if (strcmp(argv[2], "fieldcount") == 0) {
1274 /* return value for the test suite */
1275 return proto_registrar_dump_fieldcount();
1276 } else if (strcmp(argv[2], "fields") == 0)
1277 proto_registrar_dump_fields();
1278 else if (strcmp(argv[2], "ftypes") == 0)
1279 proto_registrar_dump_ftypes();
1280 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1281 dissector_dump_heur_decodes();
1282 else if (strcmp(argv[2], "plugins") == 0) {
1287 wslua_plugins_dump_all();
1290 else if (strcmp(argv[2], "protocols") == 0)
1291 proto_registrar_dump_protocols();
1292 else if (strcmp(argv[2], "values") == 0)
1293 proto_registrar_dump_values();
1294 else if (strcmp(argv[2], "?") == 0)
1295 glossary_option_help();
1296 else if (strcmp(argv[2], "-?") == 0)
1297 glossary_option_help();
1299 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1306 tshark_debug("tshark reading preferences");
1308 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1309 &pf_open_errno, &pf_read_errno, &pf_path);
1310 if (gpf_path != NULL) {
1311 if (gpf_open_errno != 0) {
1312 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1313 pf_path, g_strerror(gpf_open_errno));
1315 if (gpf_read_errno != 0) {
1316 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1317 pf_path, g_strerror(gpf_read_errno));
1320 if (pf_path != NULL) {
1321 if (pf_open_errno != 0) {
1322 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1323 g_strerror(pf_open_errno));
1325 if (pf_read_errno != 0) {
1326 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1327 pf_path, g_strerror(pf_read_errno));
1333 /* Read the disabled protocols file. */
1334 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1335 &dp_path, &dp_open_errno, &dp_read_errno);
1336 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1337 &dp_path, &dp_open_errno, &dp_read_errno);
1338 if (gdp_path != NULL) {
1339 if (gdp_open_errno != 0) {
1340 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1341 gdp_path, g_strerror(gdp_open_errno));
1343 if (gdp_read_errno != 0) {
1344 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1345 gdp_path, g_strerror(gdp_read_errno));
1349 if (dp_path != NULL) {
1350 if (dp_open_errno != 0) {
1352 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1353 g_strerror(dp_open_errno));
1355 if (dp_read_errno != 0) {
1357 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1358 g_strerror(dp_read_errno));
1363 cap_file_init(&cfile);
1365 /* Print format defaults to this. */
1366 print_format = PR_FMT_TEXT;
1368 output_fields = output_fields_new();
1371 * To reset the options parser, set optreset to 1 on platforms that
1372 * have optreset (documented in *BSD and OS X, apparently present but
1373 * not documented in Solaris - the Illumos repository seems to
1374 * suggest that the first Solaris getopt_long(), at least as of 2004,
1375 * was based on the NetBSD one, it had optreset) and set optind to 1,
1376 * and set optind to 0 otherwise (documented as working in the GNU
1377 * getopt_long(). Setting optind to 0 didn't originally work in the
1378 * NetBSD one, but that was added later - we don't want to depend on
1379 * it if we have optreset).
1381 * Also reset opterr to 1, so that error messages are printed by
1384 #ifdef HAVE_OPTRESET
1392 /* Now get our args */
1393 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1395 case '2': /* Perform two pass analysis */
1396 perform_two_pass_analysis = TRUE;
1398 case 'a': /* autostop criteria */
1399 case 'b': /* Ringbuffer option */
1400 case 'c': /* Capture x packets */
1401 case 'f': /* capture filter */
1402 case 'g': /* enable group read access on file(s) */
1403 case 'i': /* Use interface x */
1404 case 'p': /* Don't capture in promiscuous mode */
1405 #ifdef HAVE_PCAP_REMOTE
1406 case 'A': /* Authentication */
1408 #ifdef HAVE_PCAP_CREATE
1409 case 'I': /* Capture in monitor mode, if available */
1411 case 's': /* Set the snapshot (capture) length */
1412 case 'w': /* Write to capture file x */
1413 case 'y': /* Set the pcap data link type */
1414 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1415 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1416 case 'B': /* Buffer size */
1419 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1426 * Output file name, if we're reading a file and writing to another
1429 output_file_name = optarg;
1431 capture_option_specified = TRUE;
1437 /* already processed; just ignore it now */
1439 case 'd': /* Decode as rule */
1440 if (!add_decode_as(optarg))
1443 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1444 case 'K': /* Kerberos keytab file */
1445 read_keytab_file(optarg);
1448 case 'D': /* Print a list of capture devices and exit */
1450 if_list = capture_interface_list(&err, &err_str,NULL);
1451 if (if_list == NULL) {
1453 cmdarg_err("There are no interfaces on which a capture can be done");
1455 cmdarg_err("%s", err_str);
1460 capture_opts_print_interfaces(if_list);
1461 free_interface_list(if_list);
1464 capture_option_specified = TRUE;
1470 output_fields_add(output_fields, optarg);
1474 if (!output_fields_set_option(output_fields, optarg)) {
1475 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1476 output_fields_list_options(stderr);
1481 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1482 if (out_file_type < 0) {
1483 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1484 list_capture_types();
1488 case 'W': /* Select extra information to save in our capture file */
1489 /* This is patterned after the -N flag which may not be the best idea. */
1490 if (strchr(optarg, 'n')) {
1491 out_file_name_res = TRUE;
1493 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1494 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1498 case 'H': /* Read address to name mappings from a hosts file */
1499 if (! add_hosts_file(optarg))
1501 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1504 out_file_name_res = TRUE;
1507 case 'h': /* Print help and exit */
1508 printf("TShark (Wireshark) %s\n"
1509 "Dump and analyze network traffic.\n"
1510 "See https://www.wireshark.org for more information.\n",
1511 get_ws_vcs_version_info());
1512 print_usage(stdout);
1515 case 'l': /* "Line-buffer" standard output */
1516 /* This isn't line-buffering, strictly speaking, it's just
1517 flushing the standard output after the information for
1518 each packet is printed; however, that should be good
1519 enough for all the purposes to which "-l" is put (and
1520 is probably actually better for "-V", as it does fewer
1523 See the comment in "process_packet()" for an explanation of
1524 why we do that, and why we don't just use "setvbuf()" to
1525 make the standard output line-buffered (short version: in
1526 Windows, "line-buffered" is the same as "fully-buffered",
1527 and the output buffer is only flushed when it fills up). */
1528 line_buffered = TRUE;
1530 case 'L': /* Print list of link-layer types and exit */
1532 list_link_layer_types = TRUE;
1534 capture_option_specified = TRUE;
1538 case 'n': /* No name resolution */
1539 disable_name_resolution();
1541 case 'N': /* Select what types of addresses/port #s to resolve */
1542 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1543 if (badopt != '\0') {
1544 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1546 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1547 "\t'd' to enable address resolution from captured DNS packets\n"
1548 "\t'm' to enable MAC address resolution\n"
1549 "\t'n' to enable network address resolution\n"
1550 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1551 "\t for network address resolution\n"
1552 "\t't' to enable transport-layer port number resolution");
1556 case 'o': /* Override preference from command line */
1557 switch (prefs_set_pref(optarg)) {
1562 case PREFS_SET_SYNTAX_ERR:
1563 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1567 case PREFS_SET_NO_SUCH_PREF:
1568 case PREFS_SET_OBSOLETE:
1569 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1574 case 'q': /* Quiet */
1577 case 'Q': /* Really quiet */
1579 really_quiet = TRUE;
1581 case 'r': /* Read capture file x */
1582 cf_name = g_strdup(optarg);
1584 case 'R': /* Read file filter */
1588 /* already processed; just ignore it now */
1590 case 'S': /* Set the line Separator to be printed between packets */
1593 case 't': /* Time stamp type */
1594 if (strcmp(optarg, "r") == 0)
1595 timestamp_set_type(TS_RELATIVE);
1596 else if (strcmp(optarg, "a") == 0)
1597 timestamp_set_type(TS_ABSOLUTE);
1598 else if (strcmp(optarg, "ad") == 0)
1599 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1600 else if (strcmp(optarg, "adoy") == 0)
1601 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1602 else if (strcmp(optarg, "d") == 0)
1603 timestamp_set_type(TS_DELTA);
1604 else if (strcmp(optarg, "dd") == 0)
1605 timestamp_set_type(TS_DELTA_DIS);
1606 else if (strcmp(optarg, "e") == 0)
1607 timestamp_set_type(TS_EPOCH);
1608 else if (strcmp(optarg, "u") == 0)
1609 timestamp_set_type(TS_UTC);
1610 else if (strcmp(optarg, "ud") == 0)
1611 timestamp_set_type(TS_UTC_WITH_YMD);
1612 else if (strcmp(optarg, "udoy") == 0)
1613 timestamp_set_type(TS_UTC_WITH_YDOY);
1615 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1616 cmdarg_err_cont("\t\"a\" for absolute\n"
1617 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1618 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1619 "\t\"d\" for delta\n"
1620 "\t\"dd\" for delta displayed\n"
1621 "\t\"e\" for epoch\n"
1622 "\t\"r\" for relative\n"
1623 "\t\"u\" for absolute UTC\n"
1624 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1625 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1629 case 'T': /* printing Type */
1630 print_packet_info = TRUE;
1631 if (strcmp(optarg, "text") == 0) {
1632 output_action = WRITE_TEXT;
1633 print_format = PR_FMT_TEXT;
1634 } else if (strcmp(optarg, "ps") == 0) {
1635 output_action = WRITE_TEXT;
1636 print_format = PR_FMT_PS;
1637 } else if (strcmp(optarg, "pdml") == 0) {
1638 output_action = WRITE_XML;
1639 print_details = TRUE; /* Need details */
1640 print_summary = FALSE; /* Don't allow summary */
1641 } else if (strcmp(optarg, "psml") == 0) {
1642 output_action = WRITE_XML;
1643 print_details = FALSE; /* Don't allow details */
1644 print_summary = TRUE; /* Need summary */
1645 } else if (strcmp(optarg, "fields") == 0) {
1646 output_action = WRITE_FIELDS;
1647 print_details = TRUE; /* Need full tree info */
1648 print_summary = FALSE; /* Don't allow summary */
1650 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1651 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1652 "\t specified by the -E option.\n"
1653 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1654 "\t details of a decoded packet. This information is equivalent to\n"
1655 "\t the packet details printed with the -V flag.\n"
1656 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1657 "\t the packets, or a multi-line view of the details of each of\n"
1658 "\t the packets, depending on whether the -V flag was specified.\n"
1659 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1660 "\t summary information of a decoded packet. This information is\n"
1661 "\t equivalent to the information shown in the one-line summary\n"
1662 "\t printed by default.\n"
1663 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1664 "\t packets, or a multi-line view of the details of each of the\n"
1665 "\t packets, depending on whether the -V flag was specified.\n"
1666 "\t This is the default.");
1670 case 'u': /* Seconds type */
1671 if (strcmp(optarg, "s") == 0)
1672 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1673 else if (strcmp(optarg, "hms") == 0)
1674 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1676 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1677 cmdarg_err_cont("\t\"s\" for seconds\n"
1678 "\t\"hms\" for hours, minutes and seconds");
1682 case 'v': /* Show version and exit */
1683 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1684 epan_get_compiled_version_info);
1685 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1686 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1687 g_string_free(comp_info_str, TRUE);
1688 g_string_free(runtime_info_str, TRUE);
1689 /* We don't really have to cleanup here, but it's a convenient way to test
1690 * start-up and shut-down of the epan library without any UI-specific
1691 * cruft getting in the way. Makes the results of running
1692 * $ ./tools/valgrind-wireshark -n
1693 * much more useful. */
1696 case 'O': /* Only output these protocols */
1697 /* already processed; just ignore it now */
1699 case 'V': /* Verbose */
1700 /* already processed; just ignore it now */
1702 case 'x': /* Print packet data in hex (and ASCII) */
1703 /* already processed; just ignore it now */
1706 /* already processed; just ignore it now */
1712 /* We won't call the init function for the stat this soon
1713 as it would disallow MATE's fields (which are registered
1714 by the preferences set callback) from being used as
1715 part of a tap filter. Instead, we just add the argument
1716 to a list of stat arguments. */
1717 if (strcmp("help", optarg) == 0) {
1718 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1719 list_stat_cmd_args();
1722 if (!process_stat_cmd_arg(optarg)) {
1723 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1724 list_stat_cmd_args();
1728 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1729 disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg);
1731 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1732 enable_heur_slist = g_slist_append(enable_heur_slist, optarg);
1734 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1735 disable_heur_slist = g_slist_append(disable_heur_slist, optarg);
1739 case '?': /* Bad flag - print usage message */
1742 list_capture_types();
1745 print_usage(stderr);
1752 /* If we specified output fields, but not the output field type... */
1753 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1754 cmdarg_err("Output fields were specified with \"-e\", "
1755 "but \"-Tfields\" was not specified.");
1757 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1758 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1759 "specified with \"-e\".");
1764 /* If no capture filter or display filter has been specified, and there are
1765 still command-line arguments, treat them as the tokens of a capture
1766 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1767 flag was specified. */
1768 if (optind < argc) {
1769 if (cf_name != NULL) {
1770 if (dfilter != NULL) {
1771 cmdarg_err("Display filters were specified both with \"-d\" "
1772 "and with additional command-line arguments.");
1775 dfilter = get_args_as_string(argc, argv, optind);
1780 if (global_capture_opts.default_options.cfilter) {
1781 cmdarg_err("A default capture filter was specified both with \"-f\""
1782 " and with additional command-line arguments.");
1785 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1786 interface_options interface_opts;
1787 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1788 if (interface_opts.cfilter == NULL) {
1789 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1790 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1791 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1793 cmdarg_err("A capture filter was specified both with \"-f\""
1794 " and with additional command-line arguments.");
1798 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1800 capture_option_specified = TRUE;
1806 if (!global_capture_opts.saving_to_file) {
1807 /* We're not saving the capture to a file; if "-q" wasn't specified,
1808 we should print packet information */
1810 print_packet_info = TRUE;
1812 /* We're saving to a file; if we're writing to the standard output.
1813 and we'll also be writing dissected packets to the standard
1814 output, reject the request. At best, we could redirect that
1815 to the standard error; we *can't* write both to the standard
1816 output and have either of them be useful. */
1817 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1818 cmdarg_err("You can't write both raw packet data and dissected packets"
1819 " to the standard output.");
1824 /* We're not saving the capture to a file; if "-q" wasn't specified,
1825 we should print packet information */
1827 print_packet_info = TRUE;
1830 #ifndef HAVE_LIBPCAP
1831 if (capture_option_specified)
1832 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1835 print_usage(stderr);
1840 if (output_action != WRITE_TEXT) {
1841 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1846 if (output_only != NULL) {
1849 if (!print_details) {
1850 cmdarg_err("-O requires -V");
1854 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1855 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1856 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1860 if (rfilter != NULL && !perform_two_pass_analysis) {
1861 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1866 if (list_link_layer_types) {
1867 /* We're supposed to list the link-layer types for an interface;
1868 did the user also specify a capture file to be read? */
1870 /* Yes - that's bogus. */
1871 cmdarg_err("You can't specify -L and a capture file to be read.");
1874 /* No - did they specify a ring buffer option? */
1875 if (global_capture_opts.multi_files_on) {
1876 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1882 * "-r" was specified, so we're reading a capture file.
1883 * Capture options don't apply here.
1886 /* We don't support capture filters when reading from a capture file
1887 (the BPF compiler doesn't support all link-layer types that we
1888 support in capture files we read). */
1889 if (global_capture_opts.default_options.cfilter) {
1890 cmdarg_err("Only read filters, not capture filters, "
1891 "can be specified when reading a capture file.");
1894 if (global_capture_opts.multi_files_on) {
1895 cmdarg_err("Multiple capture files requested, but "
1896 "a capture isn't being done.");
1899 if (global_capture_opts.has_file_duration) {
1900 cmdarg_err("Switching capture files after a time interval was specified, but "
1901 "a capture isn't being done.");
1904 if (global_capture_opts.has_ring_num_files) {
1905 cmdarg_err("A ring buffer of capture files was specified, but "
1906 "a capture isn't being done.");
1909 if (global_capture_opts.has_autostop_files) {
1910 cmdarg_err("A maximum number of capture files was specified, but "
1911 "a capture isn't being done.");
1914 if (global_capture_opts.capture_comment) {
1915 cmdarg_err("A capture comment was specified, but "
1916 "a capture isn't being done.\nThere's no support for adding "
1917 "a capture comment to an existing capture file.");
1921 /* Note: TShark now allows the restriction of a _read_ file by packet count
1922 * and byte count as well as a write file. Other autostop options remain valid
1923 * only for a write file.
1925 if (global_capture_opts.has_autostop_duration) {
1926 cmdarg_err("A maximum capture time was specified, but "
1927 "a capture isn't being done.");
1932 * "-r" wasn't specified, so we're doing a live capture.
1934 if (perform_two_pass_analysis) {
1935 /* Two-pass analysis doesn't work with live capture since it requires us
1936 * to buffer packets until we've read all of them, but a live capture
1937 * has no useful/meaningful definition of "all" */
1938 cmdarg_err("Live captures do not support two-pass analysis.");
1942 if (global_capture_opts.saving_to_file) {
1943 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1945 /* When capturing, we only support writing pcap or pcap-ng format. */
1946 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1947 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1948 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1951 if (global_capture_opts.capture_comment &&
1952 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1953 cmdarg_err("A capture comment can only be written to a pcapng file.");
1956 if (global_capture_opts.multi_files_on) {
1957 /* Multiple-file mode doesn't work under certain conditions:
1958 a) it doesn't work if you're writing to the standard output;
1959 b) it doesn't work if you're writing to a pipe;
1961 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1962 cmdarg_err("Multiple capture files requested, but "
1963 "the capture is being written to the standard output.");
1966 if (global_capture_opts.output_to_pipe) {
1967 cmdarg_err("Multiple capture files requested, but "
1968 "the capture file is a pipe.");
1971 if (!global_capture_opts.has_autostop_filesize &&
1972 !global_capture_opts.has_file_duration) {
1973 cmdarg_err("Multiple capture files requested, but "
1974 "no maximum capture file size or duration was specified.");
1978 /* Currently, we don't support read or display filters when capturing
1979 and saving the packets. */
1980 if (rfilter != NULL) {
1981 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1984 if (dfilter != NULL) {
1985 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1988 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1990 /* They didn't specify a "-w" flag, so we won't be saving to a
1991 capture file. Check for options that only make sense if
1992 we're saving to a file. */
1993 if (global_capture_opts.has_autostop_filesize) {
1994 cmdarg_err("Maximum capture file size specified, but "
1995 "capture isn't being saved to a file.");
1998 if (global_capture_opts.multi_files_on) {
1999 cmdarg_err("Multiple capture files requested, but "
2000 "the capture isn't being saved to a file.");
2003 if (global_capture_opts.capture_comment) {
2004 cmdarg_err("A capture comment was specified, but "
2005 "the capture isn't being saved to a file.");
2014 /* Start windows sockets */
2015 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2018 /* Notify all registered modules that have had any of their preferences
2019 changed either from one of the preferences file or from the command
2020 line that their preferences have changed. */
2023 /* At this point MATE will have registered its field array so we can
2024 have a tap filter with one of MATE's late-registered fields as part
2025 of the filter. We can now process all the "-z" arguments. */
2026 start_requested_stats();
2028 /* At this point MATE will have registered its field array so we can
2029 check if the fields specified by the user are all good.
2033 GSList *invalid_fields = output_fields_valid(output_fields);
2034 if (invalid_fields != NULL) {
2036 cmdarg_err("Some fields aren't valid:");
2037 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2038 cmdarg_err_cont("\t%s", (gchar *)it->data);
2040 g_slist_free(invalid_fields);
2045 /* We currently don't support taps, or printing dissected packets,
2046 if we're writing to a pipe. */
2047 if (global_capture_opts.saving_to_file &&
2048 global_capture_opts.output_to_pipe) {
2049 if (tap_listeners_require_dissection()) {
2050 cmdarg_err("Taps aren't supported when saving to a pipe.");
2053 if (print_packet_info) {
2054 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2060 if (ex_opt_count("read_format") > 0) {
2061 const gchar* name = ex_opt_get_next("read_format");
2062 in_file_type = open_info_name_to_type(name);
2063 if (in_file_type == WTAP_TYPE_AUTO) {
2064 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2065 list_read_capture_types();
2070 /* disabled protocols as per configuration file */
2071 if (gdp_path == NULL && dp_path == NULL) {
2072 set_disabled_protos_list();
2073 set_disabled_heur_dissector_list();
2076 if(disable_protocol_slist) {
2077 GSList *proto_disable;
2078 for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
2080 proto_disable_proto_by_name((char*)proto_disable->data);
2084 if(enable_heur_slist) {
2085 GSList *heur_enable;
2086 for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
2088 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
2092 if(disable_heur_slist) {
2093 GSList *heur_disable;
2094 for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
2096 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
2100 /* Build the column format array */
2101 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2104 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2105 capture_opts_trim_ring_num_files(&global_capture_opts);
2108 if (rfilter != NULL) {
2109 tshark_debug("Compiling read filter: '%s'", rfilter);
2110 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2111 cmdarg_err("%s", err_msg);
2114 #ifdef HAVE_PCAP_OPEN_DEAD
2118 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2120 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2122 " Note: That read filter code looks like a valid capture filter;\n"
2123 " maybe you mixed them up?");
2132 cfile.rfcode = rfcode;
2134 if (dfilter != NULL) {
2135 tshark_debug("Compiling display filter: '%s'", dfilter);
2136 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2137 cmdarg_err("%s", err_msg);
2140 #ifdef HAVE_PCAP_OPEN_DEAD
2144 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2146 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2148 " Note: That display filter code looks like a valid capture filter;\n"
2149 " maybe you mixed them up?");
2158 cfile.dfcode = dfcode;
2160 if (print_packet_info) {
2161 /* If we're printing as text or PostScript, we have
2162 to create a print stream. */
2163 if (output_action == WRITE_TEXT) {
2164 switch (print_format) {
2167 print_stream = print_stream_text_stdio_new(stdout);
2171 print_stream = print_stream_ps_stdio_new(stdout);
2175 g_assert_not_reached();
2180 /* We have to dissect each packet if:
2182 we're printing information about each packet;
2184 we're using a read filter on the packets;
2186 we're using a display filter on the packets;
2188 we're using any taps that need dissection. */
2189 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2190 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2193 tshark_debug("tshark: Opening capture file: %s", cf_name);
2195 * We're reading a capture file.
2197 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2202 /* Process the packets in the file */
2203 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2206 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2207 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2208 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2210 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2213 CATCH(OutOfMemoryError) {
2217 "Sorry, but TShark has to terminate now.\n"
2219 "More information and workarounds can be found at\n"
2220 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2225 /* We still dump out the results of taps, etc., as we might have
2226 read some packets; however, we exit with an error status. */
2230 tshark_debug("tshark: no capture file specified");
2231 /* No capture file specified, so we're supposed to do a live capture
2232 or get a list of link-layer types for a live capture device;
2233 do we have support for live captures? */
2235 /* if no interface was specified, pick a default */
2236 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2237 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2238 if (exit_status != 0)
2241 /* if requested, list the link layer types and exit */
2242 if (list_link_layer_types) {
2245 /* Get the list of link-layer types for the capture devices. */
2246 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2247 interface_options interface_opts;
2248 if_capabilities_t *caps;
2249 char *auth_str = NULL;
2251 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2252 #ifdef HAVE_PCAP_REMOTE
2253 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2254 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2257 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2260 cmdarg_err("%s", err_str);
2264 if (caps->data_link_types == NULL) {
2265 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2268 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2269 free_if_capabilities(caps);
2275 * If the standard error isn't a terminal, don't print packet counts,
2276 * as they won't show up on the user's terminal and they'll get in
2277 * the way of error messages in the file (to which we assume the
2278 * standard error was redirected; if it's redirected to the null
2279 * device, there's no point in printing packet counts anyway).
2281 * Otherwise, if we're printing packet information and the standard
2282 * output is a terminal (which we assume means the standard output and
2283 * error are going to the same terminal), don't print packet counts,
2284 * as they'll get in the way of the packet information.
2286 * Otherwise, if the user specified -q, don't print packet counts.
2288 * Otherwise, print packet counts.
2290 * XXX - what if the user wants to do a live capture, doesn't want
2291 * to save it to a file, doesn't want information printed for each
2292 * packet, does want some "-z" statistic, and wants packet counts
2293 * so they know whether they're seeing any packets? -q will
2294 * suppress the information printed for each packet, but it'll
2295 * also suppress the packet counts.
2297 if (!isatty(fileno(stderr)))
2298 print_packet_counts = FALSE;
2299 else if (print_packet_info && isatty(fileno(stdout)))
2300 print_packet_counts = FALSE;
2302 print_packet_counts = FALSE;
2304 print_packet_counts = TRUE;
2306 if (print_packet_info) {
2307 if (!write_preamble(&cfile)) {
2308 show_print_file_io_error(errno);
2313 tshark_debug("tshark: performing live capture");
2315 * XXX - this returns FALSE if an error occurred, but it also
2316 * returns FALSE if the capture stops because a time limit
2317 * was reached (and possibly other limits), so we can't assume
2318 * it means an error.
2320 * The capture code is a bit twisty, so it doesn't appear to
2321 * be an easy fix. We just ignore the return value for now.
2322 * Instead, pass on the exit status from the capture child.
2325 exit_status = global_capture_session.fork_child_status;
2327 if (print_packet_info) {
2328 if (!write_finale()) {
2330 show_print_file_io_error(err);
2334 /* No - complain. */
2335 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2342 if (cfile.frames != NULL) {
2343 free_frame_data_sequence(cfile.frames);
2344 cfile.frames = NULL;
2347 draw_tap_listeners(TRUE);
2348 funnel_dump_all_text_windows();
2349 epan_free(cfile.epan);
2352 output_fields_free(output_fields);
2353 output_fields = NULL;
2358 /*#define USE_BROKEN_G_MAIN_LOOP*/
2360 #ifdef USE_BROKEN_G_MAIN_LOOP
2363 gboolean loop_running = FALSE;
2365 guint32 packet_count = 0;
2368 typedef struct pipe_input_tag {
2371 ws_process_id *child_process;
2372 pipe_input_cb_t input_cb;
2373 guint pipe_input_id;
2375 GMutex *callback_running;
2379 static pipe_input_t pipe_input;
2382 /* The timer has expired, see if there's stuff to read from the pipe,
2383 if so, do the callback */
2385 pipe_timer_cb(gpointer data)
2391 pipe_input_t *pipe_input_p = data;
2392 gint iterations = 0;
2394 g_mutex_lock (pipe_input_p->callback_running);
2396 /* try to read data from the pipe only 5 times, to avoid blocking */
2397 while(iterations < 5) {
2398 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2400 /* Oddly enough although Named pipes don't work on win9x,
2401 PeekNamedPipe does !!! */
2402 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2403 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2405 /* Get the child process exit status */
2406 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2409 /* If the Peek returned an error, or there are bytes to be read
2410 or the childwatcher thread has terminated then call the normal
2412 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2414 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2416 /* And call the real handler */
2417 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2418 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2419 /* pipe closed, return false so that the timer is stopped */
2420 g_mutex_unlock (pipe_input_p->callback_running);
2425 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2426 /* No data, stop now */
2433 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2435 g_mutex_unlock (pipe_input_p->callback_running);
2437 /* we didn't stopped the timer, so let it run */
2444 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2447 pipe_input.source = source;
2448 pipe_input.child_process = child_process;
2449 pipe_input.user_data = user_data;
2450 pipe_input.input_cb = input_cb;
2453 #if GLIB_CHECK_VERSION(2,31,0)
2454 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2455 g_mutex_init(pipe_input.callback_running);
2457 pipe_input.callback_running = g_mutex_new();
2459 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2460 do this but that doesn't cover all win32 platforms. GTK can do
2461 this but doesn't seem to work over processes. Attempt to do
2462 something similar here, start a timer and check for data on every
2464 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2465 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2469 static const nstime_t *
2470 tshark_get_frame_ts(void *data, guint32 frame_num)
2472 capture_file *cf = (capture_file *) data;
2474 if (ref && ref->num == frame_num)
2475 return &ref->abs_ts;
2477 if (prev_dis && prev_dis->num == frame_num)
2478 return &prev_dis->abs_ts;
2480 if (prev_cap && prev_cap->num == frame_num)
2481 return &prev_cap->abs_ts;
2484 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2486 return (fd) ? &fd->abs_ts : NULL;
2493 tshark_epan_new(capture_file *cf)
2495 epan_t *epan = epan_new();
2498 epan->get_frame_ts = tshark_get_frame_ts;
2499 epan->get_interface_name = cap_file_get_interface_name;
2500 epan->get_user_comment = NULL;
2512 #ifdef USE_TSHARK_SELECT
2516 struct sigaction action, oldaction;
2519 /* Create new dissection section. */
2520 epan_free(cfile.epan);
2521 cfile.epan = tshark_epan_new(&cfile);
2524 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2525 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2527 /* Catch SIGINT and SIGTERM and, if we get either of them,
2528 clean up and exit. If SIGHUP isn't being ignored, catch
2529 it too and, if we get it, clean up and exit.
2531 We restart any read that was in progress, so that it doesn't
2532 disrupt reading from the sync pipe. The signal handler tells
2533 the capture child to finish; it will report that it finished,
2534 or will exit abnormally, so we'll stop reading from the sync
2535 pipe, pick up the exit status, and quit. */
2536 memset(&action, 0, sizeof(action));
2537 action.sa_handler = capture_cleanup;
2538 action.sa_flags = SA_RESTART;
2539 sigemptyset(&action.sa_mask);
2540 sigaction(SIGTERM, &action, NULL);
2541 sigaction(SIGINT, &action, NULL);
2542 sigaction(SIGHUP, NULL, &oldaction);
2543 if (oldaction.sa_handler == SIG_DFL)
2544 sigaction(SIGHUP, &action, NULL);
2547 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2548 quiet mode, report the number of packets we've captured.
2550 Again, restart any read that was in progress, so that it doesn't
2551 disrupt reading from the sync pipe. */
2552 action.sa_handler = report_counts_siginfo;
2553 action.sa_flags = SA_RESTART;
2554 sigemptyset(&action.sa_mask);
2555 sigaction(SIGINFO, &action, NULL);
2556 #endif /* SIGINFO */
2559 global_capture_session.state = CAPTURE_PREPARING;
2561 /* Let the user know which interfaces were chosen. */
2562 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2563 interface_options interface_opts;
2565 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2566 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2567 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2568 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2570 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2571 if (really_quiet == FALSE)
2572 fprintf(stderr, "Capturing on %s\n", str->str);
2574 g_string_free(str, TRUE);
2576 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2581 /* the actual capture loop
2583 * XXX - glib doesn't seem to provide any event based loop handling.
2585 * XXX - for whatever reason,
2586 * calling g_main_loop_new() ends up in 100% cpu load.
2588 * But that doesn't matter: in UNIX we can use select() to find an input
2589 * source with something to do.
2591 * But that doesn't matter because we're in a CLI (that doesn't need to
2592 * update a GUI or something at the same time) so it's OK if we block
2593 * trying to read from the pipe.
2595 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2596 * wrong (but I leave it there in case I am...).
2599 #ifdef USE_TSHARK_SELECT
2601 FD_SET(pipe_input.source, &readfds);
2604 loop_running = TRUE;
2608 while (loop_running)
2610 #ifdef USE_TSHARK_SELECT
2611 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2615 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2617 } else if (ret == 1) {
2619 /* Call the real handler */
2620 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2621 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2624 #ifdef USE_TSHARK_SELECT
2629 CATCH(OutOfMemoryError) {
2633 "Sorry, but TShark has to terminate now.\n"
2635 "More information and workarounds can be found at\n"
2636 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2643 /* capture child detected an error */
2645 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2647 cmdarg_err("%s", error_msg);
2648 cmdarg_err_cont("%s", secondary_error_msg);
2652 /* capture child detected an capture filter related error */
2654 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2656 capture_options *capture_opts = cap_session->capture_opts;
2657 dfilter_t *rfcode = NULL;
2658 interface_options interface_opts;
2660 g_assert(i < capture_opts->ifaces->len);
2661 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2663 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2665 "Invalid capture filter \"%s\" for interface '%s'.\n"
2667 "That string looks like a valid display filter; however, it isn't a valid\n"
2668 "capture filter (%s).\n"
2670 "Note that display filters and capture filters don't have the same syntax,\n"
2671 "so you can't use most display filter expressions as capture filters.\n"
2673 "See the User's Guide for a description of the capture filter syntax.",
2674 interface_opts.cfilter, interface_opts.descr, error_message);
2675 dfilter_free(rfcode);
2678 "Invalid capture filter \"%s\" for interface '%s'.\n"
2680 "That string isn't a valid capture filter (%s).\n"
2681 "See the User's Guide for a description of the capture filter syntax.",
2682 interface_opts.cfilter, interface_opts.descr, error_message);
2687 /* capture child tells us we have a new (or the first) capture file */
2689 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2691 capture_options *capture_opts = cap_session->capture_opts;
2692 capture_file *cf = (capture_file *) cap_session->cf;
2693 gboolean is_tempfile;
2696 if (cap_session->state == CAPTURE_PREPARING) {
2697 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2699 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2701 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2703 /* free the old filename */
2704 if (capture_opts->save_file != NULL) {
2706 /* we start a new capture file, close the old one (if we had one before) */
2707 if (cf->state != FILE_CLOSED) {
2708 if (cf->wth != NULL) {
2709 wtap_close(cf->wth);
2712 cf->state = FILE_CLOSED;
2715 g_free(capture_opts->save_file);
2716 is_tempfile = FALSE;
2718 epan_free(cf->epan);
2719 cf->epan = tshark_epan_new(cf);
2721 /* we didn't had a save_file before, must be a tempfile */
2725 /* save the new filename */
2726 capture_opts->save_file = g_strdup(new_file);
2728 /* if we are in real-time mode, open the new file now */
2729 if (do_dissection) {
2730 /* this is probably unecessary, but better safe than sorry */
2731 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2732 /* Attempt to open the capture file and set up to read from it. */
2733 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2737 /* Don't unlink (delete) the save file - leave it around,
2738 for debugging purposes. */
2739 g_free(capture_opts->save_file);
2740 capture_opts->save_file = NULL;
2745 cap_session->state = CAPTURE_RUNNING;
2751 /* capture child tells us we have new packets to read */
2753 capture_input_new_packets(capture_session *cap_session, int to_read)
2759 capture_file *cf = (capture_file *)cap_session->cf;
2760 gboolean filtering_tap_listeners;
2765 * Prevent a SIGINFO handler from writing to the standard error while
2766 * we're doing so or writing to the standard output; instead, have it
2767 * just set a flag telling us to print that information when we're done.
2770 #endif /* SIGINFO */
2772 /* Do we have any tap listeners with filters? */
2773 filtering_tap_listeners = have_filtering_tap_listeners();
2775 /* Get the union of the flags for all tap listeners. */
2776 tap_flags = union_of_tap_listener_flags();
2778 if (do_dissection) {
2779 gboolean create_proto_tree;
2780 epan_dissect_t *edt;
2782 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2783 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2784 create_proto_tree = TRUE;
2786 create_proto_tree = FALSE;
2788 /* The protocol tree will be "visible", i.e., printed, only if we're
2789 printing packet details, which is true if we're printing stuff
2790 ("print_packet_info" is true) and we're in verbose mode
2791 ("packet_details" is true). */
2792 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2794 while (to_read-- && cf->wth) {
2795 wtap_cleareof(cf->wth);
2796 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2798 /* read from file failed, tell the capture child to stop */
2799 sync_pipe_stop(cap_session);
2800 wtap_close(cf->wth);
2803 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2804 wtap_buf_ptr(cf->wth),
2808 /* packet successfully read and gone through the "Read Filter" */
2813 epan_dissect_free(edt);
2817 * Dumpcap's doing all the work; we're not doing any dissection.
2818 * Count all the packets it wrote.
2820 packet_count += to_read;
2823 if (print_packet_counts) {
2824 /* We're printing packet counts. */
2825 if (packet_count != 0) {
2826 fprintf(stderr, "\r%u ", packet_count);
2827 /* stderr could be line buffered */
2834 * Allow SIGINFO handlers to write.
2839 * If a SIGINFO handler asked us to write out capture counts, do so.
2843 #endif /* SIGINFO */
2849 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2850 /* Report the count only if we aren't printing a packet count
2851 as packets arrive. */
2852 fprintf(stderr, "%u packet%s captured\n", packet_count,
2853 plurality(packet_count, "", "s"));
2856 infoprint = FALSE; /* we just reported it */
2857 #endif /* SIGINFO */
2862 report_counts_siginfo(int signum _U_)
2864 int sav_errno = errno;
2865 /* If we've been told to delay printing, just set a flag asking
2866 that we print counts (if we're supposed to), otherwise print
2867 the count of packets captured (if we're supposed to). */
2874 #endif /* SIGINFO */
2877 /* capture child detected any packet drops? */
2879 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2881 if (print_packet_counts) {
2882 /* We're printing packet counts to stderr.
2883 Send a newline so that we move to the line after the packet count. */
2884 fprintf(stderr, "\n");
2888 /* We're printing packet counts to stderr.
2889 Send a newline so that we move to the line after the packet count. */
2890 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2896 * Capture child closed its side of the pipe, report any error and
2897 * do the required cleanup.
2900 capture_input_closed(capture_session *cap_session, gchar *msg)
2902 capture_file *cf = (capture_file *) cap_session->cf;
2905 fprintf(stderr, "tshark: %s\n", msg);
2909 if (cf != NULL && cf->wth != NULL) {
2910 wtap_close(cf->wth);
2911 if (cf->is_tempfile) {
2912 ws_unlink(cf->filename);
2915 #ifdef USE_BROKEN_G_MAIN_LOOP
2916 /*g_main_loop_quit(loop);*/
2917 g_main_loop_quit(loop);
2919 loop_running = FALSE;
2928 capture_cleanup(DWORD ctrltype _U_)
2930 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2931 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2932 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2933 like SIGTERM at least when the machine's shutting down.
2935 For now, we handle them all as indications that we should clean up
2936 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2939 We must return TRUE so that no other handler - such as one that would
2940 terminate the process - gets called.
2942 XXX - for some reason, typing ^C to TShark, if you run this in
2943 a Cygwin console window in at least some versions of Cygwin,
2944 causes TShark to terminate immediately; this routine gets
2945 called, but the main loop doesn't get a chance to run and
2946 exit cleanly, at least if this is compiled with Microsoft Visual
2947 C++ (i.e., it's a property of the Cygwin console window or Bash;
2948 it happens if TShark is not built with Cygwin - for all I know,
2949 building it with Cygwin may make the problem go away). */
2951 /* tell the capture child to stop */
2952 sync_pipe_stop(&global_capture_session);
2954 /* don't stop our own loop already here, otherwise status messages and
2955 * cleanup wouldn't be done properly. The child will indicate the stop of
2956 * everything by calling capture_input_closed() later */
2962 capture_cleanup(int signum _U_)
2964 /* tell the capture child to stop */
2965 sync_pipe_stop(&global_capture_session);
2967 /* don't stop our own loop already here, otherwise status messages and
2968 * cleanup wouldn't be done properly. The child will indicate the stop of
2969 * everything by calling capture_input_closed() later */
2972 #endif /* HAVE_LIBPCAP */
2975 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2976 gint64 offset, struct wtap_pkthdr *whdr,
2983 /* The frame number of this packet is one more than the count of
2984 frames in this packet. */
2985 framenum = cf->count + 1;
2987 /* If we're not running a display filter and we're not printing any
2988 packet information, we don't need to do a dissection. This means
2989 that all packets can be marked as 'passed'. */
2992 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2994 /* If we're going to print packet information, or we're going to
2995 run a read filter, or display filter, or we're going to process taps, set up to
2996 do a dissection and do so. */
2998 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2999 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3000 /* Grab any resolved addresses */
3001 host_name_lookup_process();
3003 /* If we're running a read filter, prime the epan_dissect_t with that
3006 epan_dissect_prime_dfilter(edt, cf->rfcode);
3009 epan_dissect_prime_dfilter(edt, cf->dfcode);
3011 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3013 if (ref == &fdlocal) {
3014 ref_frame = fdlocal;
3018 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
3020 /* Run the read filter if we have one. */
3022 passed = dfilter_apply_edt(cf->rfcode, edt);
3026 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3027 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
3029 /* If we're not doing dissection then there won't be any dependent frames.
3030 * More importantly, edt.pi.dependent_frames won't be initialized because
3031 * epan hasn't been initialized.
3032 * if we *are* doing dissection, then mark the dependent frames, but only
3033 * if a display filter was given and it matches this packet.
3035 if (edt && cf->dfcode) {
3036 if (dfilter_apply_edt(cf->dfcode, edt)) {
3037 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
3043 /* if we don't add it to the frame_data_sequence, clean it up right now
3045 frame_data_destroy(&fdlocal);
3049 epan_dissect_reset(edt);
3055 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
3056 struct wtap_pkthdr *phdr, Buffer *buf,
3062 /* If we're not running a display filter and we're not printing any
3063 packet information, we don't need to do a dissection. This means
3064 that all packets can be marked as 'passed'. */
3067 /* If we're going to print packet information, or we're going to
3068 run a read filter, or we're going to process taps, set up to
3069 do a dissection and do so. */
3071 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3072 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3073 /* Grab any resolved addresses */
3074 host_name_lookup_process();
3076 /* If we're running a display filter, prime the epan_dissect_t with that
3079 epan_dissect_prime_dfilter(edt, cf->dfcode);
3081 col_custom_prime_edt(edt, &cf->cinfo);
3083 /* We only need the columns if either
3084 1) some tap needs the columns
3086 2) we're printing packet info but we're *not* verbose; in verbose
3087 mode, we print the protocol tree, not the protocol summary.
3089 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3094 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3101 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3103 /* Run the read/display filter if we have one. */
3105 passed = dfilter_apply_edt(cf->dfcode, edt);
3109 frame_data_set_after_dissect(fdata, &cum_bytes);
3110 /* Process this packet. */
3111 if (print_packet_info) {
3112 /* We're printing packet information; print the information for
3114 print_packet(cf, edt);
3116 /* The ANSI C standard does not appear to *require* that a line-buffered
3117 stream be flushed to the host environment whenever a newline is
3118 written, it just says that, on such a stream, characters "are
3119 intended to be transmitted to or from the host environment as a
3120 block when a new-line character is encountered".
3122 The Visual C++ 6.0 C implementation doesn't do what is intended;
3123 even if you set a stream to be line-buffered, it still doesn't
3124 flush the buffer at the end of every line.
3126 So, if the "-l" flag was specified, we flush the standard output
3127 at the end of a packet. This will do the right thing if we're
3128 printing packet summary lines, and, as we print the entire protocol
3129 tree for a single packet without waiting for anything to happen,
3130 it should be as good as line-buffered mode if we're printing
3131 protocol trees. (The whole reason for the "-l" flag in either
3132 tcpdump or TShark is to allow the output of a live capture to
3133 be piped to a program or script and to have that script see the
3134 information for the packet as soon as it's printed, rather than
3135 having to wait until a standard I/O buffer fills up. */
3139 if (ferror(stdout)) {
3140 show_print_file_io_error(errno);
3149 epan_dissect_reset(edt);
3151 return passed || fdata->flags.dependent_of_displayed;
3155 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3156 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3159 int snapshot_length;
3163 gchar *err_info = NULL;
3165 char *save_file_string = NULL;
3166 gboolean filtering_tap_listeners;
3168 wtapng_section_t *shb_hdr = NULL;
3169 wtapng_iface_descriptions_t *idb_inf = NULL;
3170 wtapng_name_res_t *nrb_hdr = NULL;
3171 struct wtap_pkthdr phdr;
3173 epan_dissect_t *edt = NULL;
3175 wtap_phdr_init(&phdr);
3177 idb_inf = wtap_file_get_idb_info(cf->wth);
3178 #ifdef PCAP_NG_DEFAULT
3179 if (idb_inf->interface_data->len > 1) {
3180 linktype = WTAP_ENCAP_PER_PACKET;
3182 linktype = wtap_file_encap(cf->wth);
3185 linktype = wtap_file_encap(cf->wth);
3187 if (save_file != NULL) {
3188 /* Get a string that describes what we're writing to */
3189 save_file_string = output_file_description(save_file);
3191 /* Set up to write to the capture file. */
3192 snapshot_length = wtap_snapshot_length(cf->wth);
3193 if (snapshot_length == 0) {
3194 /* Snapshot length of input file not known. */
3195 snapshot_length = WTAP_MAX_PACKET_SIZE;
3197 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3199 shb_hdr = wtap_file_get_shb_for_new_file(cf->wth);
3200 nrb_hdr = wtap_file_get_nrb_for_new_file(cf->wth);
3202 /* If we don't have an application name add Tshark */
3203 if (shb_hdr->shb_user_appl == NULL) {
3204 /* this is free'd by wtap_free_shb() later */
3205 shb_hdr->shb_user_appl = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3208 if (linktype != WTAP_ENCAP_PER_PACKET &&
3209 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3210 tshark_debug("tshark: writing PCAP format to %s", save_file);
3211 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3212 snapshot_length, FALSE /* compressed */, &err);
3215 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3216 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3217 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3224 /* We couldn't set up to write to the capture file. */
3227 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3228 cmdarg_err("Capture files can't be written in that format.");
3231 case WTAP_ERR_UNWRITABLE_ENCAP:
3232 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3233 cmdarg_err("The capture file being read can't be written as a "
3234 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3237 case WTAP_ERR_CANT_OPEN:
3238 cmdarg_err("The %s couldn't be created for some "
3239 "unknown reason.", save_file_string);
3242 case WTAP_ERR_SHORT_WRITE:
3243 cmdarg_err("A full header couldn't be written to the %s.",
3248 cmdarg_err("The %s could not be created: %s.", save_file_string,
3249 wtap_strerror(err));
3255 if (print_packet_info) {
3256 if (!write_preamble(cf)) {
3258 show_print_file_io_error(err);
3267 /* Do we have any tap listeners with filters? */
3268 filtering_tap_listeners = have_filtering_tap_listeners();
3270 /* Get the union of the flags for all tap listeners. */
3271 tap_flags = union_of_tap_listener_flags();
3273 if (perform_two_pass_analysis) {
3276 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3278 /* Allocate a frame_data_sequence for all the frames. */
3279 cf->frames = new_frame_data_sequence();
3281 if (do_dissection) {
3282 gboolean create_proto_tree = FALSE;
3284 /* If we're going to be applying a filter, we'll need to
3285 create a protocol tree against which to apply the filter. */
3286 if (cf->rfcode || cf->dfcode)
3287 create_proto_tree = TRUE;
3289 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3291 /* We're not going to display the protocol tree on this pass,
3292 so it's not going to be "visible". */
3293 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3296 tshark_debug("tshark: reading records for first pass");
3297 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3298 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3299 wtap_buf_ptr(cf->wth))) {
3300 /* Stop reading if we have the maximum number of packets;
3301 * When the -c option has not been used, max_packet_count
3302 * starts at 0, which practically means, never stop reading.
3303 * (unless we roll over max_packet_count ?)
3305 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3306 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3307 max_packet_count, data_offset, max_byte_count);
3308 err = 0; /* This is not an error */
3315 epan_dissect_free(edt);
3319 /* Close the sequential I/O side, to free up memory it requires. */
3320 wtap_sequential_close(cf->wth);
3322 /* Allow the protocol dissectors to free up memory that they
3323 * don't need after the sequential run-through of the packets. */
3324 postseq_cleanup_all_protocols();
3328 ws_buffer_init(&buf, 1500);
3330 tshark_debug("tshark: done with first pass");
3332 if (do_dissection) {
3333 gboolean create_proto_tree;
3335 if (cf->dfcode || print_details || filtering_tap_listeners ||
3336 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3337 create_proto_tree = TRUE;
3339 create_proto_tree = FALSE;
3341 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3343 /* The protocol tree will be "visible", i.e., printed, only if we're
3344 printing packet details, which is true if we're printing stuff
3345 ("print_packet_info" is true) and we're in verbose mode
3346 ("packet_details" is true). */
3347 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3350 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3351 fdata = frame_data_sequence_find(cf->frames, framenum);
3352 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3354 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3355 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3357 /* Either there's no read filtering or this packet passed the
3358 filter, so, if we're writing to a capture file, write
3361 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3362 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3363 /* Error writing to a capture file */
3364 tshark_debug("tshark: error writing to a capture file (%d)", err);
3367 case WTAP_ERR_UNWRITABLE_ENCAP:
3369 * This is a problem with the particular frame we're writing
3370 * and the file type and subtype we're writing; note that,
3371 * and report the frame number and file type/subtype.
3373 * XXX - framenum is not necessarily the frame number in
3374 * the input file if there was a read filter.
3377 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3378 framenum, cf->filename,
3379 wtap_file_type_subtype_short_string(out_file_type));
3382 case WTAP_ERR_PACKET_TOO_LARGE:
3384 * This is a problem with the particular frame we're writing
3385 * and the file type and subtype we're writing; note that,
3386 * and report the frame number and file type/subtype.
3388 * XXX - framenum is not necessarily the frame number in
3389 * the input file if there was a read filter.
3392 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3393 framenum, cf->filename,
3394 wtap_file_type_subtype_short_string(out_file_type));
3397 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3399 * This is a problem with the particular record we're writing
3400 * and the file type and subtype we're writing; note that,
3401 * and report the record number and file type/subtype.
3403 * XXX - framenum is not necessarily the record number in
3404 * the input file if there was a read filter.
3407 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3408 framenum, cf->filename,
3409 wtap_file_type_subtype_short_string(out_file_type));
3412 case WTAP_ERR_UNWRITABLE_REC_DATA:
3414 * This is a problem with the particular record we're writing
3415 * and the file type and subtype we're writing; note that,
3416 * and report the record number and file type/subtype.
3418 * XXX - framenum is not necessarily the record number in
3419 * the input file if there was a read filter.
3422 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3423 framenum, cf->filename,
3424 wtap_file_type_subtype_short_string(out_file_type),
3425 err_info != NULL ? err_info : "no information supplied");
3430 show_capture_file_io_error(save_file, err, FALSE);
3433 wtap_dump_close(pdh, &err);
3434 wtap_free_shb(shb_hdr);
3435 wtap_free_nrb(nrb_hdr);
3444 epan_dissect_free(edt);
3448 ws_buffer_free(&buf);
3450 tshark_debug("tshark: done with second pass");
3453 /* !perform_two_pass_analysis */
3456 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3458 if (do_dissection) {
3459 gboolean create_proto_tree;
3461 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3462 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3463 create_proto_tree = TRUE;
3465 create_proto_tree = FALSE;
3467 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3469 /* The protocol tree will be "visible", i.e., printed, only if we're
3470 printing packet details, which is true if we're printing stuff
3471 ("print_packet_info" is true) and we're in verbose mode
3472 ("packet_details" is true). */
3473 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3476 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3479 tshark_debug("tshark: processing packet #%d", framenum);
3481 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3482 wtap_buf_ptr(cf->wth),
3484 /* Either there's no read filtering or this packet passed the
3485 filter, so, if we're writing to a capture file, write
3488 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3489 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3490 /* Error writing to a capture file */
3491 tshark_debug("tshark: error writing to a capture file (%d)", err);
3494 case WTAP_ERR_UNWRITABLE_ENCAP:
3496 * This is a problem with the particular frame we're writing
3497 * and the file type and subtype we're writing; note that,
3498 * and report the frame number and file type/subtype.
3501 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3502 framenum, cf->filename,
3503 wtap_file_type_subtype_short_string(out_file_type));
3506 case WTAP_ERR_PACKET_TOO_LARGE:
3508 * This is a problem with the particular frame we're writing
3509 * and the file type and subtype we're writing; note that,
3510 * and report the frame number and file type/subtype.
3513 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3514 framenum, cf->filename,
3515 wtap_file_type_subtype_short_string(out_file_type));
3518 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3520 * This is a problem with the particular record we're writing
3521 * and the file type and subtype we're writing; note that,
3522 * and report the record number and file type/subtype.
3525 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3526 framenum, cf->filename,
3527 wtap_file_type_subtype_short_string(out_file_type));
3530 case WTAP_ERR_UNWRITABLE_REC_DATA:
3532 * This is a problem with the particular record we're writing
3533 * and the file type and subtype we're writing; note that,
3534 * and report the record number and file type/subtype.
3537 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3538 framenum, cf->filename,
3539 wtap_file_type_subtype_short_string(out_file_type),
3540 err_info != NULL ? err_info : "no information supplied");
3545 show_capture_file_io_error(save_file, err, FALSE);
3548 wtap_dump_close(pdh, &err);
3549 wtap_free_shb(shb_hdr);
3550 wtap_free_nrb(nrb_hdr);
3555 /* Stop reading if we have the maximum number of packets;
3556 * When the -c option has not been used, max_packet_count
3557 * starts at 0, which practically means, never stop reading.
3558 * (unless we roll over max_packet_count ?)
3560 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3561 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3562 max_packet_count, data_offset, max_byte_count);
3563 err = 0; /* This is not an error */
3569 epan_dissect_free(edt);
3574 wtap_phdr_cleanup(&phdr);
3577 tshark_debug("tshark: something failed along the line (%d)", err);
3579 * Print a message noting that the read failed somewhere along the line.
3581 * If we're printing packet data, and the standard output and error are
3582 * going to the same place, flush the standard output, so everything
3583 * buffered up is written, and then print a newline to the standard error
3584 * before printing the error message, to separate it from the packet
3585 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3586 * the _fstat() documentation at Microsoft doesn't indicate whether
3587 * st_ino is even supported.)
3590 if (print_packet_info) {
3591 ws_statb64 stat_stdout, stat_stderr;
3593 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3594 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3595 stat_stdout.st_ino == stat_stderr.st_ino) {
3597 fprintf(stderr, "\n");
3604 case WTAP_ERR_UNSUPPORTED:
3605 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3607 err_info != NULL ? err_info : "no information supplied");
3611 case WTAP_ERR_SHORT_READ:
3612 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3616 case WTAP_ERR_BAD_FILE:
3617 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3619 err_info != NULL ? err_info : "no information supplied");
3623 case WTAP_ERR_DECOMPRESS:
3624 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3625 "(%s)", cf->filename,
3626 err_info != NULL ? err_info : "no information supplied");
3631 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3632 cf->filename, wtap_strerror(err));
3635 if (save_file != NULL) {
3636 /* Now close the capture file. */
3637 if (!wtap_dump_close(pdh, &err))
3638 show_capture_file_io_error(save_file, err, TRUE);
3641 if (save_file != NULL) {
3642 if (pdh && out_file_name_res) {
3643 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3644 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3645 wtap_file_type_subtype_short_string(out_file_type));
3648 /* Now close the capture file. */
3649 if (!wtap_dump_close(pdh, &err))
3650 show_capture_file_io_error(save_file, err, TRUE);
3652 if (print_packet_info) {
3653 if (!write_finale()) {
3655 show_print_file_io_error(err);
3662 wtap_close(cf->wth);
3665 g_free(save_file_string);
3666 wtap_free_shb(shb_hdr);
3667 wtap_free_nrb(nrb_hdr);
3673 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3674 const guchar *pd, guint tap_flags)
3680 /* Count this packet. */
3683 /* If we're not running a display filter and we're not printing any
3684 packet information, we don't need to do a dissection. This means
3685 that all packets can be marked as 'passed'. */
3688 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3690 /* If we're going to print packet information, or we're going to
3691 run a read filter, or we're going to process taps, set up to
3692 do a dissection and do so. */
3694 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3695 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3696 /* Grab any resolved addresses */
3697 host_name_lookup_process();
3699 /* If we're running a filter, prime the epan_dissect_t with that
3702 epan_dissect_prime_dfilter(edt, cf->dfcode);
3704 col_custom_prime_edt(edt, &cf->cinfo);
3706 /* We only need the columns if either
3707 1) some tap needs the columns
3709 2) we're printing packet info but we're *not* verbose; in verbose
3710 mode, we print the protocol tree, not the protocol summary.
3712 3) there is a column mapped as an individual field */
3713 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3718 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3720 if (ref == &fdata) {
3725 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3727 /* Run the filter if we have it. */
3729 passed = dfilter_apply_edt(cf->dfcode, edt);
3733 frame_data_set_after_dissect(&fdata, &cum_bytes);
3735 /* Process this packet. */
3736 if (print_packet_info) {
3737 /* We're printing packet information; print the information for
3739 print_packet(cf, edt);
3741 /* The ANSI C standard does not appear to *require* that a line-buffered
3742 stream be flushed to the host environment whenever a newline is
3743 written, it just says that, on such a stream, characters "are
3744 intended to be transmitted to or from the host environment as a
3745 block when a new-line character is encountered".
3747 The Visual C++ 6.0 C implementation doesn't do what is intended;
3748 even if you set a stream to be line-buffered, it still doesn't
3749 flush the buffer at the end of every line.
3751 So, if the "-l" flag was specified, we flush the standard output
3752 at the end of a packet. This will do the right thing if we're
3753 printing packet summary lines, and, as we print the entire protocol
3754 tree for a single packet without waiting for anything to happen,
3755 it should be as good as line-buffered mode if we're printing
3756 protocol trees. (The whole reason for the "-l" flag in either
3757 tcpdump or TShark is to allow the output of a live capture to
3758 be piped to a program or script and to have that script see the
3759 information for the packet as soon as it's printed, rather than
3760 having to wait until a standard I/O buffer fills up. */
3764 if (ferror(stdout)) {
3765 show_print_file_io_error(errno);
3770 /* this must be set after print_packet() [bug #8160] */
3771 prev_dis_frame = fdata;
3772 prev_dis = &prev_dis_frame;
3775 prev_cap_frame = fdata;
3776 prev_cap = &prev_cap_frame;
3779 epan_dissect_reset(edt);
3780 frame_data_destroy(&fdata);
3786 write_preamble(capture_file *cf)
3788 switch (output_action) {
3791 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3795 write_pdml_preamble(stdout, cf->filename);
3797 write_psml_preamble(&cf->cinfo, stdout);
3798 return !ferror(stdout);
3801 write_fields_preamble(output_fields, stdout);
3802 return !ferror(stdout);
3805 g_assert_not_reached();
3811 get_line_buf(size_t len)
3813 static char *line_bufp = NULL;
3814 static size_t line_buf_len = 256;
3815 size_t new_line_buf_len;
3817 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3818 new_line_buf_len *= 2)
3820 if (line_bufp == NULL) {
3821 line_buf_len = new_line_buf_len;
3822 line_bufp = (char *)g_malloc(line_buf_len + 1);
3824 if (new_line_buf_len > line_buf_len) {
3825 line_buf_len = new_line_buf_len;
3826 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3833 put_string(char *dest, const char *str, size_t str_len)
3835 memcpy(dest, str, str_len);
3836 dest[str_len] = '\0';
3840 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3844 for (i = str_len; i < str_with_spaces; i++)
3847 put_string(dest, str, str_len);
3851 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3855 memcpy(dest, str, str_len);
3856 for (i = str_len; i < str_with_spaces; i++)
3859 dest[str_with_spaces] = '\0';
3863 print_columns(capture_file *cf)
3870 col_item_t* col_item;
3872 line_bufp = get_line_buf(256);
3875 for (i = 0; i < cf->cinfo.num_cols; i++) {
3876 col_item = &cf->cinfo.columns[i];
3877 /* Skip columns not marked as visible. */
3878 if (!get_column_visible(i))
3880 switch (col_item->col_fmt) {
3882 column_len = col_len = strlen(col_item->col_data);
3885 line_bufp = get_line_buf(buf_offset + column_len);
3886 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3892 case COL_ABS_YMD_TIME: /* XXX - wider */
3893 case COL_ABS_YDOY_TIME: /* XXX - wider */
3895 case COL_UTC_YMD_TIME: /* XXX - wider */
3896 case COL_UTC_YDOY_TIME: /* XXX - wider */
3897 column_len = col_len = strlen(col_item->col_data);
3898 if (column_len < 10)
3900 line_bufp = get_line_buf(buf_offset + column_len);
3901 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3907 case COL_DEF_DL_SRC:
3908 case COL_RES_DL_SRC:
3909 case COL_UNRES_DL_SRC:
3910 case COL_DEF_NET_SRC:
3911 case COL_RES_NET_SRC:
3912 case COL_UNRES_NET_SRC:
3913 column_len = col_len = strlen(col_item->col_data);
3914 if (column_len < 12)
3916 line_bufp = get_line_buf(buf_offset + column_len);
3917 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3923 case COL_DEF_DL_DST:
3924 case COL_RES_DL_DST:
3925 case COL_UNRES_DL_DST:
3926 case COL_DEF_NET_DST:
3927 case COL_RES_NET_DST:
3928 case COL_UNRES_NET_DST:
3929 column_len = col_len = strlen(col_item->col_data);
3930 if (column_len < 12)
3932 line_bufp = get_line_buf(buf_offset + column_len);
3933 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3937 column_len = strlen(col_item->col_data);
3938 line_bufp = get_line_buf(buf_offset + column_len);
3939 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3942 buf_offset += column_len;
3943 if (i != cf->cinfo.num_cols - 1) {
3945 * This isn't the last column, so we need to print a
3946 * separator between this column and the next.
3948 * If we printed a network source and are printing a
3949 * network destination of the same type next, separate
3950 * them with " -> "; if we printed a network destination
3951 * and are printing a network source of the same type
3952 * next, separate them with " <- "; otherwise separate them
3955 * We add enough space to the buffer for " <- " or " -> ",
3956 * even if we're only adding " ".
3958 line_bufp = get_line_buf(buf_offset + 4);
3959 switch (col_item->col_fmt) {
3964 switch (cf->cinfo.columns[i+1].col_fmt) {
3969 put_string(line_bufp + buf_offset, " -> ", 4);
3974 put_string(line_bufp + buf_offset, " ", 1);
3980 case COL_DEF_DL_SRC:
3981 case COL_RES_DL_SRC:
3982 case COL_UNRES_DL_SRC:
3983 switch (cf->cinfo.columns[i+1].col_fmt) {
3985 case COL_DEF_DL_DST:
3986 case COL_RES_DL_DST:
3987 case COL_UNRES_DL_DST:
3988 put_string(line_bufp + buf_offset, " -> ", 4);
3993 put_string(line_bufp + buf_offset, " ", 1);
3999 case COL_DEF_NET_SRC:
4000 case COL_RES_NET_SRC:
4001 case COL_UNRES_NET_SRC:
4002 switch (cf->cinfo.columns[i+1].col_fmt) {
4004 case COL_DEF_NET_DST:
4005 case COL_RES_NET_DST:
4006 case COL_UNRES_NET_DST:
4007 put_string(line_bufp + buf_offset, " -> ", 4);
4012 put_string(line_bufp + buf_offset, " ", 1);
4021 switch (cf->cinfo.columns[i+1].col_fmt) {
4026 put_string(line_bufp + buf_offset, " <- ", 4);
4031 put_string(line_bufp + buf_offset, " ", 1);
4037 case COL_DEF_DL_DST:
4038 case COL_RES_DL_DST:
4039 case COL_UNRES_DL_DST:
4040 switch (cf->cinfo.columns[i+1].col_fmt) {
4042 case COL_DEF_DL_SRC:
4043 case COL_RES_DL_SRC:
4044 case COL_UNRES_DL_SRC:
4045 put_string(line_bufp + buf_offset, " <- ", 4);
4050 put_string(line_bufp + buf_offset, " ", 1);
4056 case COL_DEF_NET_DST:
4057 case COL_RES_NET_DST:
4058 case COL_UNRES_NET_DST:
4059 switch (cf->cinfo.columns[i+1].col_fmt) {
4061 case COL_DEF_NET_SRC:
4062 case COL_RES_NET_SRC:
4063 case COL_UNRES_NET_SRC:
4064 put_string(line_bufp + buf_offset, " <- ", 4);
4069 put_string(line_bufp + buf_offset, " ", 1);
4076 put_string(line_bufp + buf_offset, " ", 1);
4082 return print_line(print_stream, 0, line_bufp);
4086 print_packet(capture_file *cf, epan_dissect_t *edt)
4088 print_args_t print_args;
4090 if (print_summary || output_fields_has_cols(output_fields)) {
4091 /* Just fill in the columns. */
4092 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4094 if (print_summary) {
4095 /* Now print them. */
4096 switch (output_action) {
4099 if (!print_columns(cf))
4104 write_psml_columns(edt, stdout);
4105 return !ferror(stdout);
4106 case WRITE_FIELDS: /*No non-verbose "fields" format */
4107 g_assert_not_reached();
4112 if (print_details) {
4113 /* Print the information in the protocol tree. */
4114 switch (output_action) {
4117 /* Only initialize the fields that are actually used in proto_tree_print.
4118 * This is particularly important for .range, as that's heap memory which
4119 * we would otherwise have to g_free().
4120 print_args.to_file = TRUE;
4121 print_args.format = print_format;
4122 print_args.print_summary = print_summary;
4123 print_args.print_formfeed = FALSE;
4124 packet_range_init(&print_args.range, &cfile);
4126 print_args.print_hex = print_hex;
4127 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4129 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4132 if (!print_line(print_stream, 0, separator))
4138 write_pdml_proto_tree(edt, stdout);
4140 return !ferror(stdout);
4142 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4144 return !ferror(stdout);
4148 if (print_summary || print_details) {
4149 if (!print_line(print_stream, 0, ""))
4152 if (!print_hex_data(print_stream, edt))
4154 if (!print_line(print_stream, 0, separator))
4163 switch (output_action) {
4166 return print_finale(print_stream);
4170 write_pdml_finale(stdout);
4172 write_psml_finale(stdout);
4173 return !ferror(stdout);
4176 write_fields_finale(output_fields, stdout);
4177 return !ferror(stdout);
4180 g_assert_not_reached();
4186 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4190 char err_msg[2048+1];
4192 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4196 /* The open succeeded. Fill in the information for this file. */
4198 /* Create new epan session for dissection. */
4199 epan_free(cf->epan);
4200 cf->epan = tshark_epan_new(cf);
4203 cf->f_datalen = 0; /* not used, but set it anyway */
4205 /* Set the file name because we need it to set the follow stream filter.
4206 XXX - is that still true? We need it for other reasons, though,
4208 cf->filename = g_strdup(fname);
4210 /* Indicate whether it's a permanent or temporary file. */
4211 cf->is_tempfile = is_tempfile;
4213 /* No user changes yet. */
4214 cf->unsaved_changes = FALSE;
4216 cf->cd_t = wtap_file_type_subtype(cf->wth);
4217 cf->open_type = type;
4219 cf->drops_known = FALSE;
4221 cf->snap = wtap_snapshot_length(cf->wth);
4222 if (cf->snap == 0) {
4223 /* Snapshot length not known. */
4224 cf->has_snap = FALSE;
4225 cf->snap = WTAP_MAX_PACKET_SIZE;
4227 cf->has_snap = TRUE;
4228 nstime_set_zero(&cf->elapsed_time);
4233 cf->state = FILE_READ_IN_PROGRESS;
4235 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4236 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4241 g_snprintf(err_msg, sizeof err_msg,
4242 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4243 cmdarg_err("%s", err_msg);
4248 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4250 char *save_file_string;
4252 save_file_string = output_file_description(fname);
4257 cmdarg_err("Not all the packets could be written to the %s because there is "
4258 "no space left on the file system.",
4264 cmdarg_err("Not all the packets could be written to the %s because you are "
4265 "too close to, or over your disk quota.",
4270 case WTAP_ERR_CANT_CLOSE:
4271 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4275 case WTAP_ERR_SHORT_WRITE:
4276 cmdarg_err("Not all the packets could be written to the %s.",
4282 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4283 wtap_strerror(err));
4285 cmdarg_err("An error occurred while writing to the %s: %s.",
4286 save_file_string, wtap_strerror(err));
4290 g_free(save_file_string);
4294 show_print_file_io_error(int err)
4299 cmdarg_err("Not all the packets could be printed because there is "
4300 "no space left on the file system.");
4305 cmdarg_err("Not all the packets could be printed because you are "
4306 "too close to, or over your disk quota.");
4311 cmdarg_err("An error occurred while printing packets: %s.",
4318 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4322 static char errmsg_errno[1024+1];
4325 /* Wiretap error. */
4328 case WTAP_ERR_NOT_REGULAR_FILE:
4329 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4332 case WTAP_ERR_RANDOM_OPEN_PIPE:
4333 /* Seen only when opening a capture file for reading. */
4334 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4337 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4338 /* Seen only when opening a capture file for reading. */
4339 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4342 case WTAP_ERR_UNSUPPORTED:
4343 /* Seen only when opening a capture file for reading. */
4344 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4345 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4347 err_info != NULL ? err_info : "no information supplied");
4349 errmsg = errmsg_errno;
4352 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4353 /* Seen only when opening a capture file for writing. */
4354 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4355 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4356 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4357 errmsg = errmsg_errno;
4360 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4361 /* Seen only when opening a capture file for writing. */
4362 errmsg = "TShark doesn't support writing capture files in that format.";
4365 case WTAP_ERR_UNWRITABLE_ENCAP:
4366 /* Seen only when opening a capture file for writing. */
4367 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4368 "TShark can't save this capture as a \"%s\" file.",
4369 wtap_file_type_subtype_short_string(file_type));
4370 errmsg = errmsg_errno;
4373 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4375 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4376 "TShark can't save this capture as a \"%s\" file.",
4377 wtap_file_type_subtype_short_string(file_type));
4378 errmsg = errmsg_errno;
4380 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4383 case WTAP_ERR_BAD_FILE:
4384 /* Seen only when opening a capture file for reading. */
4385 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4386 "The file \"%%s\" appears to be damaged or corrupt.\n"
4388 err_info != NULL ? err_info : "no information supplied");
4390 errmsg = errmsg_errno;
4393 case WTAP_ERR_CANT_OPEN:
4395 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4397 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4400 case WTAP_ERR_SHORT_READ:
4401 errmsg = "The file \"%s\" appears to have been cut short"
4402 " in the middle of a packet or other data.";
4405 case WTAP_ERR_SHORT_WRITE:
4406 errmsg = "A full header couldn't be written to the file \"%s\".";
4409 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4410 errmsg = "This file type cannot be written as a compressed file.";
4413 case WTAP_ERR_DECOMPRESS:
4414 /* Seen only when opening a capture file for reading. */
4415 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4416 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4418 err_info != NULL ? err_info : "no information supplied");
4420 errmsg = errmsg_errno;
4424 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4425 "The file \"%%s\" could not be %s: %s.",
4426 for_writing ? "created" : "opened",
4427 wtap_strerror(err));
4428 errmsg = errmsg_errno;
4432 errmsg = file_open_error_message(err, for_writing);
4437 * Open/create errors are reported with an console message in TShark.
4440 open_failure_message(const char *filename, int err, gboolean for_writing)
4442 fprintf(stderr, "tshark: ");
4443 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4444 fprintf(stderr, "\n");
4448 * General errors are reported with an console message in TShark.
4451 failure_message(const char *msg_format, va_list ap)
4453 fprintf(stderr, "tshark: ");
4454 vfprintf(stderr, msg_format, ap);
4455 fprintf(stderr, "\n");
4459 * Read errors are reported with an console message in TShark.
4462 read_failure_message(const char *filename, int err)
4464 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4465 filename, g_strerror(err));
4469 * Write errors are reported with an console message in TShark.
4472 write_failure_message(const char *filename, int err)
4474 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4475 filename, g_strerror(err));
4479 * Report additional information for an error in command-line arguments.
4482 failure_message_cont(const char *msg_format, va_list ap)
4484 vfprintf(stderr, msg_format, ap);
4485 fprintf(stderr, "\n");
4489 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4494 * indent-tabs-mode: nil
4497 * vi: set shiftwidth=2 tabstop=8 expandtab:
4498 * :indentSize=2:tabSize=8:noTabs=true: