3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
50 #ifdef HAVE_SYS_STAT_H
51 # include <sys/stat.h>
55 #include <zlib.h> /* to get the libz version number */
59 #include "wsutil/wsgetopt.h"
64 #include <epan/exceptions.h>
65 #include <epan/epan-int.h>
66 #include <epan/epan.h>
67 #include <wsutil/crash_info.h>
68 #include <wsutil/privileges.h>
69 #include <wsutil/file_util.h>
70 #include <wsutil/filesystem.h>
71 #include <wsutil/report_err.h>
72 #include <wsutil/copyright_info.h>
73 #include <wsutil/os_version_info.h>
74 #include <wsutil/ws_version_info.h>
77 #include <epan/timestamp.h>
78 #include <epan/packet.h>
80 #include <epan/wslua/init_wslua.h>
83 #include "frame_tvbuff.h"
84 #include <epan/disabled_protos.h>
85 #include <epan/prefs.h>
86 #include <epan/column.h>
87 #include <epan/print.h>
88 #include <epan/addr_resolv.h>
90 #include "ui/ui_util.h"
91 #include "clopts_common.h"
92 #include "cmdarg_err.h"
93 #include "version_info.h"
95 #include <epan/epan_dissect.h>
97 #include <epan/stat_cmd_args.h>
98 #include <epan/timestamp.h>
99 #include <epan/ex-opt.h>
101 #include "capture_opts.h"
104 #include "capture_ui_utils.h"
105 #include <capchild/capture_ifinfo.h>
106 #include "capture-pcap-util.h"
108 #include "capture-wpcap.h"
109 #include <wsutil/unicode-utils.h>
111 #include "capture_session.h"
112 #include <capchild/capture_sync.h>
113 #include "capture_opts.h"
114 #endif /* HAVE_LIBPCAP */
116 #include <epan/funnel.h>
119 #include <wsutil/plugins.h>
123 * This is the template for the decode as option; it is shared between the
124 * various functions that output the usage for this parameter.
126 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
128 static guint32 cum_bytes;
129 static const frame_data *ref;
130 static frame_data ref_frame;
131 static frame_data *prev_dis;
132 static frame_data prev_dis_frame;
133 static frame_data *prev_cap;
134 static frame_data prev_cap_frame;
136 static const char* prev_display_dissector_name = NULL;
138 static gboolean perform_two_pass_analysis;
141 * The way the packet decode is to be written.
144 WRITE_TEXT, /* summary or detail text */
145 WRITE_XML, /* PDML or PSML */
146 WRITE_FIELDS /* User defined list of fields */
147 /* Add CSV and the like here */
150 static output_action_e output_action;
151 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
152 static gboolean print_packet_info; /* TRUE if we're to print packet information */
153 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
154 static gboolean print_details; /* TRUE if we're to print packet details information */
155 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
156 static gboolean line_buffered;
157 static gboolean really_quiet = FALSE;
159 static print_format_e print_format = PR_FMT_TEXT;
160 static print_stream_t *print_stream;
162 static output_fields_t* output_fields = NULL;
164 /* The line separator used between packets, changeable via the -S option */
165 static const char *separator = "";
169 * TRUE if we're to print packet counts to keep track of captured packets.
171 static gboolean print_packet_counts;
173 static capture_options global_capture_opts;
174 static capture_session global_capture_session;
177 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
178 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
181 static gboolean capture(void);
182 static void report_counts(void);
184 static BOOL WINAPI capture_cleanup(DWORD);
186 static void capture_cleanup(int);
188 static void report_counts_siginfo(int);
192 #else /* HAVE_LIBPCAP */
194 static char *output_file_name;
196 #endif /* HAVE_LIBPCAP */
198 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
199 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
200 struct wtap_pkthdr *whdr, const guchar *pd,
202 static void show_capture_file_io_error(const char *, int, gboolean);
203 static void show_print_file_io_error(int err);
204 static gboolean write_preamble(capture_file *cf);
205 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
206 static gboolean write_finale(void);
207 static const char *cf_open_error_message(int err, gchar *err_info,
208 gboolean for_writing, int file_type);
210 static void open_failure_message(const char *filename, int err,
211 gboolean for_writing);
212 static void failure_message(const char *msg_format, va_list ap);
213 static void read_failure_message(const char *filename, int err);
214 static void write_failure_message(const char *filename, int err);
219 const char *sstr; /* The short string */
220 const char *lstr; /* The long string */
224 string_compare(gconstpointer a, gconstpointer b)
226 return strcmp(((const struct string_elem *)a)->sstr,
227 ((const struct string_elem *)b)->sstr);
231 string_elem_print(gpointer data, gpointer not_used _U_)
233 fprintf(stderr, " %s - %s\n",
234 ((struct string_elem *)data)->sstr,
235 ((struct string_elem *)data)->lstr);
239 list_capture_types(void) {
241 struct string_elem *captypes;
244 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
246 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
247 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
248 if (wtap_dump_can_open(i)) {
249 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
250 captypes[i].lstr = wtap_file_type_subtype_string(i);
251 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
254 g_slist_foreach(list, string_elem_print, NULL);
260 list_read_capture_types(void) {
262 struct string_elem *captypes;
264 const char *magic = "Magic-value-based";
265 const char *heuristic = "Heuristics-based";
267 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
268 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
270 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
271 for (i = 0; open_routines[i].name != NULL; i++) {
272 captypes[i].sstr = open_routines[i].name;
273 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
274 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
276 g_slist_foreach(list, string_elem_print, NULL);
282 print_usage(gboolean print_ver)
290 "Dump and analyze network traffic.\n"
291 "See http://www.wireshark.org for more information.\n"
294 get_ws_vcs_version_info(), get_copyright_info());
298 fprintf(output, "\n");
299 fprintf(output, "Usage: tshark [options] ...\n");
300 fprintf(output, "\n");
303 fprintf(output, "Capture interface:\n");
304 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
305 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
306 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
307 fprintf(output, " -p don't capture in promiscuous mode\n");
308 #ifdef HAVE_PCAP_CREATE
309 fprintf(output, " -I capture in monitor mode, if available\n");
311 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
312 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
314 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
315 fprintf(output, " -D print list of interfaces and exit\n");
316 fprintf(output, " -L print list of link-layer types of iface and exit\n");
317 fprintf(output, "\n");
318 fprintf(output, "Capture stop conditions:\n");
319 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
320 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
321 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
322 fprintf(output, " files:NUM - stop after NUM files\n");
323 /*fprintf(output, "\n");*/
324 fprintf(output, "Capture output:\n");
325 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
326 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
327 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
328 #endif /* HAVE_LIBPCAP */
329 #ifdef HAVE_PCAP_REMOTE
330 fprintf(output, "RPCAP options:\n");
331 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
333 /*fprintf(output, "\n");*/
334 fprintf(output, "Input file:\n");
335 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
337 fprintf(output, "\n");
338 fprintf(output, "Processing:\n");
339 fprintf(output, " -2 perform a two-pass analysis\n");
340 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
341 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
342 fprintf(output, " syntax\n");
343 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
344 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
345 fprintf(output, " -d %s ...\n", decode_as_arg_template);
346 fprintf(output, " \"Decode As\", see the man page for details\n");
347 fprintf(output, " Example: tcp.port==8888,http\n");
348 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
349 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
351 /*fprintf(output, "\n");*/
352 fprintf(output, "Output:\n");
353 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
354 fprintf(output, " (or to the standard output for \"-\")\n");
355 fprintf(output, " -C <config profile> start with specified configuration profile\n");
356 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
357 fprintf(output, " an empty \"-F\" option will list the file types\n");
358 fprintf(output, " -V add output of packet tree (Packet Details)\n");
359 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
360 fprintf(output, " separated\n");
361 fprintf(output, " -P print packet summary even when writing to a file\n");
362 fprintf(output, " -S <separator> the line separator to print between packets\n");
363 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
364 fprintf(output, " -T pdml|ps|psml|text|fields\n");
365 fprintf(output, " format of text output (def: text)\n");
366 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
367 fprintf(output, " _ws.col.Info)\n");
368 fprintf(output, " this option can be repeated to print multiple fields\n");
369 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
370 fprintf(output, " header=y|n switch headers on and off\n");
371 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
372 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
373 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
374 fprintf(output, " aggregator\n");
375 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
376 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
377 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
378 fprintf(output, " -l flush standard output after each packet\n");
379 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
380 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
381 fprintf(output, " -g enable group read access on the output file(s)\n");
382 fprintf(output, " -W n Save extra information in the file, if supported.\n");
383 fprintf(output, " n = write network address resolution information\n");
384 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
385 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
386 fprintf(output, " --capture-comment <comment>\n");
387 fprintf(output, " add a capture comment to the newly created\n");
388 fprintf(output, " output file (only for pcapng)\n");
390 fprintf(output, "\n");
391 fprintf(output, "Miscellaneous:\n");
392 fprintf(output, " -h display this help and exit\n");
393 fprintf(output, " -v display version info and exit\n");
394 fprintf(output, " -o <name>:<value> ... override preference setting\n");
395 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
396 fprintf(output, " -G [report] dump one of several available reports and exit\n");
397 fprintf(output, " default report=\"fields\"\n");
398 fprintf(output, " use \"-G ?\" for more help\n");
400 fprintf(output, "\n");
401 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
402 fprintf(output, "You might want to reset it\n");
403 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
404 fprintf(output, "\n");
410 glossary_option_help(void)
416 fprintf(output, "TShark %s\n", get_ws_vcs_version_info());
418 fprintf(output, "\n");
419 fprintf(output, "Usage: tshark -G [report]\n");
420 fprintf(output, "\n");
421 fprintf(output, "Glossary table reports:\n");
422 fprintf(output, " -G column-formats dump column format codes and exit\n");
423 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
424 fprintf(output, " -G fields dump fields glossary and exit\n");
425 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
426 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
427 fprintf(output, " -G plugins dump installed plugins and exit\n");
428 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
429 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
430 fprintf(output, "\n");
431 fprintf(output, "Preference reports:\n");
432 fprintf(output, " -G currentprefs dump current preferences and exit\n");
433 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
434 fprintf(output, "\n");
438 * For a dissector table, print on the stream described by output,
439 * its short name (which is what's used in the "-d" option) and its
443 display_dissector_table_names(const char *table_name, const char *ui_name,
446 if ((prev_display_dissector_name == NULL) ||
447 (strcmp(prev_display_dissector_name, table_name) != 0)) {
448 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
449 prev_display_dissector_name = table_name;
454 * For a dissector handle, print on the stream described by output,
455 * the filter name (which is what's used in the "-d" option) and the full
456 * name for the protocol that corresponds to this handle.
459 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
462 const gchar *proto_filter_name;
463 const gchar *proto_ui_name;
465 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
467 if (proto_id != -1) {
468 proto_filter_name = proto_get_protocol_filter_name(proto_id);
469 proto_ui_name = proto_get_protocol_name(proto_id);
470 g_assert(proto_filter_name != NULL);
471 g_assert(proto_ui_name != NULL);
473 if ((prev_display_dissector_name == NULL) ||
474 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
475 fprintf((FILE *)output, "\t%s (%s)\n",
478 prev_display_dissector_name = proto_filter_name;
484 * The protocol_name_search structure is used by find_protocol_name_func()
485 * to pass parameters and store results
487 struct protocol_name_search{
488 gchar *searched_name; /* Protocol filter name we are looking for */
489 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
490 guint nb_match; /* How many dissectors matched searched_name */
492 typedef struct protocol_name_search *protocol_name_search_t;
495 * This function parses all dissectors associated with a table to find the
496 * one whose protocol has the specified filter name. It is called
497 * as a reference function in a call to dissector_table_foreach_handle.
498 * The name we are looking for, as well as the results, are stored in the
499 * protocol_name_search struct pointed to by user_data.
500 * If called using dissector_table_foreach_handle, we actually parse the
501 * whole list of dissectors.
504 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
508 const gchar *protocol_filter_name;
509 protocol_name_search_t search_info;
513 search_info = (protocol_name_search_t)user_data;
515 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
516 if (proto_id != -1) {
517 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
518 g_assert(protocol_filter_name != NULL);
519 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
521 if (search_info->nb_match == 0) {
522 /* Record this handle only if this is the first match */
523 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
525 search_info->nb_match++;
531 * Allow dissector key names to be sorted alphabetically
535 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
537 return strcmp((const char*)dissector_a, (const char*)dissector_b);
541 * Print all layer type names supported.
542 * We send the output to the stream described by the handle output.
546 fprint_all_layer_types(FILE *output)
549 prev_display_dissector_name = NULL;
550 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
554 * Print all protocol names supported for a specific layer type.
555 * table_name contains the layer type name in which the search is performed.
556 * We send the output to the stream described by the handle output.
560 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
563 prev_display_dissector_name = NULL;
564 dissector_table_foreach_handle(table_name,
565 display_dissector_names,
570 * The function below parses the command-line parameters for the decode as
571 * feature (a string pointer by cl_param).
572 * It checks the format of the command-line, searches for a matching table
573 * and dissector. If a table/dissector match is not found, we display a
574 * summary of the available tables/dissectors (on stderr) and return FALSE.
575 * If everything is fine, we get the "Decode as" preference activated,
576 * then we return TRUE.
579 add_decode_as(const gchar *cl_param)
582 guint32 selector, selector2;
583 gchar *decoded_param;
584 gchar *remaining_param;
586 gchar *dissector_str;
587 dissector_handle_t dissector_matching;
588 dissector_table_t table_matching;
589 ftenum_t dissector_table_selector_type;
590 struct protocol_name_search user_protocol_name;
594 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
597 decoded_param = g_strdup(cl_param);
598 g_assert(decoded_param);
601 /* The lines below will parse this string (modifying it) to extract all
602 necessary information. Note that decoded_param is still needed since
603 strings are not copied - we just save pointers. */
605 /* This section extracts a layer type (table_name) from decoded_param */
606 table_name = decoded_param; /* Layer type string starts from beginning */
608 remaining_param = strchr(table_name, '=');
609 if (remaining_param == NULL) {
610 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
611 /* If the argument does not follow the template, carry on anyway to check
612 if the table name is at least correct. If remaining_param is NULL,
613 we'll exit anyway further down */
616 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
619 /* Remove leading and trailing spaces from the table name */
620 while ( table_name[0] == ' ' )
622 while ( table_name[strlen(table_name) - 1] == ' ' )
623 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
625 /* The following part searches a table matching with the layer type specified */
626 table_matching = NULL;
628 /* Look for the requested table */
629 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
630 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
633 table_matching = find_dissector_table(table_name);
634 if (!table_matching) {
635 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
639 if (!table_matching) {
640 /* Display a list of supported layer types to help the user, if the
641 specified layer type was not found */
642 cmdarg_err("Valid layer types are:");
643 fprint_all_layer_types(stderr);
645 if (remaining_param == NULL || !table_matching) {
646 /* Exit if the layer type was not found, or if no '=' separator was found
648 g_free(decoded_param);
652 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
653 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
656 remaining_param++; /* Move to the second '=' */
657 *remaining_param = '\0'; /* Remove the second '=' */
659 remaining_param++; /* Position after the layer type string */
661 /* This section extracts a selector value (selector_str) from decoded_param */
663 selector_str = remaining_param; /* Next part starts with the selector number */
665 remaining_param = strchr(selector_str, ',');
666 if (remaining_param == NULL) {
667 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
668 /* If the argument does not follow the template, carry on anyway to check
669 if the selector value is at least correct. If remaining_param is NULL,
670 we'll exit anyway further down */
673 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
676 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
678 switch (dissector_table_selector_type) {
684 /* The selector for this table is an unsigned number. Parse it as such.
685 There's no need to remove leading and trailing spaces from the
686 selector number string, because sscanf will do that for us. */
687 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
692 if (op != ':' && op != '-') {
693 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
694 g_free(decoded_param);
698 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
699 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
700 g_free(decoded_param);
704 else if (selector2 < selector) {
705 /* We could swap them for the user, but maybe it's better to call
706 * this out as an error in case it's not what was intended? */
707 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
708 g_free(decoded_param);
713 cmdarg_err("Invalid selector number \"%s\"", selector_str);
714 g_free(decoded_param);
723 /* The selector for this table is a string. */
727 /* There are currently no dissector tables with any types other
728 than the ones listed above. */
729 g_assert_not_reached();
732 if (remaining_param == NULL) {
733 /* Exit if no ',' separator was found (see above) */
734 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
735 fprint_all_protocols_for_layer_types(stderr, table_name);
736 g_free(decoded_param);
740 remaining_param++; /* Position after the selector number string */
742 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
744 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
746 /* Remove leading and trailing spaces from the dissector name */
747 while ( dissector_str[0] == ' ' )
749 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
750 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
752 dissector_matching = NULL;
754 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
755 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
756 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
759 user_protocol_name.nb_match = 0;
760 user_protocol_name.searched_name = dissector_str;
761 user_protocol_name.matched_handle = NULL;
763 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
765 if (user_protocol_name.nb_match != 0) {
766 dissector_matching = user_protocol_name.matched_handle;
767 if (user_protocol_name.nb_match > 1) {
768 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
772 /* OK, check whether the problem is that there isn't any such
773 protocol, or that there is but it's not specified as a protocol
774 that's valid for that dissector table.
775 Note, we don't exit here, but dissector_matching will remain NULL,
777 if (proto_get_id_by_filter_name(dissector_str) == -1) {
778 /* No such protocol */
779 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
781 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
782 dissector_str, table_name);
787 if (!dissector_matching) {
788 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
789 fprint_all_protocols_for_layer_types(stderr, table_name);
790 g_free(decoded_param);
794 /* This is the end of the code that parses the command-line options.
795 All information is now stored in the variables:
799 The above variables that are strings are still pointing to areas within
800 decoded_parm. decoded_parm thus still needs to be kept allocated in
801 until we stop needing these variables
802 decoded_param will be deallocated at each exit point of this function */
805 /* We now have a pointer to the handle for the requested dissector
806 (requested protocol) inside the variable dissector_matching */
807 switch (dissector_table_selector_type) {
813 /* The selector for this table is an unsigned number. */
815 dissector_change_uint(table_name, selector, dissector_matching);
816 } else if (op == ':') {
817 for (i = selector; i < (guint64)selector + selector2; i++) {
818 dissector_change_uint(table_name, (guint32)i, dissector_matching);
820 } else { /* op == '-' */
821 for (i = selector; i <= selector2; i++) {
822 dissector_change_uint(table_name, (guint32)i, dissector_matching);
831 /* The selector for this table is a string. */
832 dissector_change_string(table_name, selector_str, dissector_matching);
836 /* There are currently no dissector tables with any types other
837 than the ones listed above. */
838 g_assert_not_reached();
840 g_free(decoded_param); /* "Decode As" rule has been successfully added */
845 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
846 const gchar *message, gpointer user_data)
848 /* ignore log message, if log_level isn't interesting based
849 upon the console log preferences.
850 If the preferences haven't been loaded loaded yet, display the
853 The default console_log_level preference value is such that only
854 ERROR, CRITICAL and WARNING level messages are processed;
855 MESSAGE, INFO and DEBUG level messages are ignored.
857 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
858 ERROR and CRITICAL level messages so the current code is a behavioral
859 change. The current behavior is the same as in Wireshark.
861 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
862 prefs.console_log_level != 0) {
866 g_log_default_handler(log_domain, log_level, message, user_data);
871 output_file_description(const char *fname)
873 char *save_file_string;
875 /* Get a string that describes what we're writing to */
876 if (strcmp(fname, "-") == 0) {
877 /* We're writing to the standard output */
878 save_file_string = g_strdup("standard output");
880 /* We're writing to a file with the name in save_file */
881 save_file_string = g_strdup_printf("file \"%s\"", fname);
883 return save_file_string;
887 print_current_user(void) {
888 gchar *cur_user, *cur_group;
890 if (started_with_special_privs()) {
891 cur_user = get_cur_username();
892 cur_group = get_cur_groupname();
893 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
894 cur_user, cur_group);
897 if (running_with_special_privs()) {
898 fprintf(stderr, " This could be dangerous.");
900 fprintf(stderr, "\n");
905 show_version(GString *comp_info_str, GString *runtime_info_str)
914 get_ws_vcs_version_info(), get_copyright_info(), comp_info_str->str,
915 runtime_info_str->str);
919 get_tshark_runtime_info(GString *str)
923 g_string_append(str, ", ");
924 get_runtime_pcap_version(str);
928 #if defined(HAVE_LIBZ) && !defined(_WIN32)
929 g_string_append_printf(str, ", with libz %s", zlibVersion());
932 /* stuff used by libwireshark */
933 epan_get_runtime_version_info(str);
937 main(int argc, char *argv[])
939 GString *comp_info_str;
940 GString *runtime_info_str;
941 char *init_progfile_dir_error;
943 static const struct option long_options[] = {
944 {(char *)"help", no_argument, NULL, 'h'},
945 {(char *)"version", no_argument, NULL, 'v'},
946 LONGOPT_CAPTURE_COMMON
949 gboolean arg_error = FALSE;
955 char *gpf_path, *pf_path;
956 char *gdp_path, *dp_path;
957 int gpf_open_errno, gpf_read_errno;
958 int pf_open_errno, pf_read_errno;
959 int gdp_open_errno, gdp_read_errno;
960 int dp_open_errno, dp_read_errno;
962 volatile int exit_status = 0;
964 gboolean list_link_layer_types = FALSE;
965 gboolean start_capture = FALSE;
970 gboolean capture_option_specified = FALSE;
972 gboolean quiet = FALSE;
973 #ifdef PCAP_NG_DEFAULT
974 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
976 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
978 volatile gboolean out_file_name_res = FALSE;
979 volatile int in_file_type = WTAP_TYPE_AUTO;
980 gchar *volatile cf_name = NULL;
981 gchar *rfilter = NULL;
982 gchar *dfilter = NULL;
983 #ifdef HAVE_PCAP_OPEN_DEAD
984 struct bpf_program fcode;
986 dfilter_t *rfcode = NULL;
987 dfilter_t *dfcode = NULL;
992 gchar *output_only = NULL;
994 /* the leading - ensures that getopt() does not permute the argv[] entries
995 we have to make sure that the first getopt() preserves the content of argv[]
996 for the subsequent getopt_long() call */
997 #define OPTSTRING "-2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
999 static const char optstring[] = OPTSTRING;
1002 /* Load wpcap if possible. Do this before collecting the run-time version information */
1005 /* Warn the user if npf.sys isn't loaded. */
1006 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1007 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1008 "capturing or\nlisting interfaces.\n");
1012 /* Assemble the compile-time version information string */
1013 comp_info_str = g_string_new("Compiled ");
1014 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1016 /* Assemble the run-time version information string */
1017 runtime_info_str = g_string_new("Running ");
1018 get_runtime_version_info(runtime_info_str, get_tshark_runtime_info);
1020 /* Add it to the information to be reported on a crash. */
1021 ws_add_crash_info("TShark %s\n"
1026 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1029 arg_list_utf_16to8(argc, argv);
1030 create_app_running_mutex();
1031 #if !GLIB_CHECK_VERSION(2,31,0)
1032 g_thread_init(NULL);
1037 * Get credential information for later use.
1039 init_process_policies();
1042 * Attempt to get the pathname of the executable file.
1044 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1045 if (init_progfile_dir_error != NULL) {
1046 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1047 init_progfile_dir_error);
1051 * In order to have the -X opts assigned before the wslua machine starts
1052 * we need to call getopts before epan_init() gets called.
1055 optind_initial = optind;
1057 while ((opt = getopt(argc, argv, optstring)) != -1) {
1059 case 'C': /* Configuration Profile */
1060 if (profile_exists (optarg, FALSE)) {
1061 set_profile_name (optarg);
1063 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1067 case 'P': /* Print packet summary info even when writing to a file */
1068 print_packet_info = TRUE;
1069 print_summary = TRUE;
1071 case 'O': /* Only output these protocols */
1072 output_only = g_strdup(optarg);
1074 case 'V': /* Verbose */
1075 print_details = TRUE;
1076 print_packet_info = TRUE;
1078 case 'x': /* Print packet data in hex (and ASCII) */
1080 /* The user asked for hex output, so let's ensure they get it,
1081 * even if they're writing to a file.
1083 print_packet_info = TRUE;
1094 * Print packet summary information is the default, unless either -V or -x
1095 * were specified and -P was not. Note that this is new behavior, which
1096 * allows for the possibility of printing only hex/ascii output without
1097 * necessarily requiring that either the summary or details be printed too.
1099 if (print_summary == -1)
1100 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1102 optind = optind_initial;
1107 /** Send All g_log messages to our own handler **/
1111 G_LOG_LEVEL_CRITICAL|
1112 G_LOG_LEVEL_WARNING|
1113 G_LOG_LEVEL_MESSAGE|
1116 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1118 g_log_set_handler(NULL,
1119 (GLogLevelFlags)log_flags,
1120 tshark_log_handler, NULL /* user_data */);
1121 g_log_set_handler(LOG_DOMAIN_MAIN,
1122 (GLogLevelFlags)log_flags,
1123 tshark_log_handler, NULL /* user_data */);
1126 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1127 (GLogLevelFlags)log_flags,
1128 tshark_log_handler, NULL /* user_data */);
1129 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1130 (GLogLevelFlags)log_flags,
1131 tshark_log_handler, NULL /* user_data */);
1134 initialize_funnel_ops();
1136 init_report_err(failure_message, open_failure_message, read_failure_message,
1137 write_failure_message);
1140 capture_opts_init(&global_capture_opts);
1141 capture_session_init(&global_capture_session, (void *)&cfile);
1144 timestamp_set_type(TS_RELATIVE);
1145 timestamp_set_precision(TS_PREC_AUTO);
1146 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1148 init_open_routines();
1151 /* Register all the plugin types we have. */
1152 epan_register_plugin_types(); /* Types known to libwireshark */
1153 wtap_register_plugin_types(); /* Types known to libwiretap */
1155 /* Scan for plugins. This does *not* call their registration routines;
1156 that's done later. */
1159 /* Register all libwiretap plugin modules. */
1160 register_all_wiretap_modules();
1163 /* Register all dissectors; we must do this before checking for the
1164 "-G" flag, as the "-G" flag dumps information registered by the
1165 dissectors, and we must do it before we read the preferences, in
1166 case any dissectors register preferences. */
1167 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1169 /* Register all tap listeners; we do this before we parse the arguments,
1170 as the "-z" argument can specify a registered tap. */
1172 /* we register the plugin taps before the other taps because
1173 stats_tree taps plugins will be registered as tap listeners
1174 by stats_tree_stat.c and need to registered before that */
1176 register_all_plugin_tap_listeners();
1178 register_all_tap_listeners();
1180 /* If invoked with the "-G" flag, we dump out information based on
1181 the argument to the "-G" flag; if no argument is specified,
1182 for backwards compatibility we dump out a glossary of display
1185 XXX - we do this here, for now, to support "-G" with no arguments.
1186 If none of our build or other processes uses "-G" with no arguments,
1187 we can just process it with the other arguments. */
1188 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1189 proto_initialize_all_prefixes();
1192 proto_registrar_dump_fields();
1194 if (strcmp(argv[2], "column-formats") == 0)
1195 column_dump_column_formats();
1196 else if (strcmp(argv[2], "currentprefs") == 0) {
1197 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1198 &pf_open_errno, &pf_read_errno, &pf_path);
1201 else if (strcmp(argv[2], "decodes") == 0)
1202 dissector_dump_decodes();
1203 else if (strcmp(argv[2], "defaultprefs") == 0)
1205 else if (strcmp(argv[2], "fields") == 0)
1206 proto_registrar_dump_fields();
1207 else if (strcmp(argv[2], "ftypes") == 0)
1208 proto_registrar_dump_ftypes();
1209 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1210 dissector_dump_heur_decodes();
1211 else if (strcmp(argv[2], "plugins") == 0) {
1216 wslua_plugins_dump_all();
1219 else if (strcmp(argv[2], "protocols") == 0)
1220 proto_registrar_dump_protocols();
1221 else if (strcmp(argv[2], "values") == 0)
1222 proto_registrar_dump_values();
1223 else if (strcmp(argv[2], "?") == 0)
1224 glossary_option_help();
1225 else if (strcmp(argv[2], "-?") == 0)
1226 glossary_option_help();
1228 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1235 /* Set the C-language locale to the native environment. */
1236 setlocale(LC_ALL, "");
1238 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1239 &pf_open_errno, &pf_read_errno, &pf_path);
1240 if (gpf_path != NULL) {
1241 if (gpf_open_errno != 0) {
1242 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1243 pf_path, g_strerror(gpf_open_errno));
1245 if (gpf_read_errno != 0) {
1246 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1247 pf_path, g_strerror(gpf_read_errno));
1250 if (pf_path != NULL) {
1251 if (pf_open_errno != 0) {
1252 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1253 g_strerror(pf_open_errno));
1255 if (pf_read_errno != 0) {
1256 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1257 pf_path, g_strerror(pf_read_errno));
1263 /* Read the disabled protocols file. */
1264 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1265 &dp_path, &dp_open_errno, &dp_read_errno);
1266 if (gdp_path != NULL) {
1267 if (gdp_open_errno != 0) {
1268 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1269 gdp_path, g_strerror(gdp_open_errno));
1271 if (gdp_read_errno != 0) {
1272 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1273 gdp_path, g_strerror(gdp_read_errno));
1277 if (dp_path != NULL) {
1278 if (dp_open_errno != 0) {
1280 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1281 g_strerror(dp_open_errno));
1283 if (dp_read_errno != 0) {
1285 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1286 g_strerror(dp_read_errno));
1291 cap_file_init(&cfile);
1293 /* Print format defaults to this. */
1294 print_format = PR_FMT_TEXT;
1296 output_fields = output_fields_new();
1298 /* Now get our args */
1299 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1301 case '2': /* Perform two pass analysis */
1302 perform_two_pass_analysis = TRUE;
1304 case 'a': /* autostop criteria */
1305 case 'b': /* Ringbuffer option */
1306 case 'c': /* Capture x packets */
1307 case 'f': /* capture filter */
1308 case 'g': /* enable group read access on file(s) */
1309 case 'i': /* Use interface x */
1310 case 'p': /* Don't capture in promiscuous mode */
1311 #ifdef HAVE_PCAP_REMOTE
1312 case 'A': /* Authentication */
1314 #ifdef HAVE_PCAP_CREATE
1315 case 'I': /* Capture in monitor mode, if available */
1317 case 's': /* Set the snapshot (capture) length */
1318 case 'w': /* Write to capture file x */
1319 case 'y': /* Set the pcap data link type */
1320 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1321 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1322 case 'B': /* Buffer size */
1323 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1325 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1332 * Output file name, if we're reading a file and writing to another
1335 output_file_name = optarg;
1337 capture_option_specified = TRUE;
1343 /* Configuration profile settings were already processed just ignore them this time*/
1345 case 'd': /* Decode as rule */
1346 if (!add_decode_as(optarg))
1349 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1350 case 'K': /* Kerberos keytab file */
1351 read_keytab_file(optarg);
1354 case 'D': /* Print a list of capture devices and exit */
1356 if_list = capture_interface_list(&err, &err_str,NULL);
1357 if (if_list == NULL) {
1359 case CANT_GET_INTERFACE_LIST:
1360 case DONT_HAVE_PCAP:
1361 cmdarg_err("%s", err_str);
1365 case NO_INTERFACES_FOUND:
1366 cmdarg_err("There are no interfaces on which a capture can be done");
1371 capture_opts_print_interfaces(if_list);
1372 free_interface_list(if_list);
1375 capture_option_specified = TRUE;
1381 output_fields_add(output_fields, optarg);
1385 if (!output_fields_set_option(output_fields, optarg)) {
1386 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1387 output_fields_list_options(stderr);
1392 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1393 if (out_file_type < 0) {
1394 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1395 list_capture_types();
1399 case 'W': /* Select extra information to save in our capture file */
1400 /* This is patterned after the -N flag which may not be the best idea. */
1401 if (strchr(optarg, 'n')) {
1402 out_file_name_res = TRUE;
1404 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1405 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1409 case 'H': /* Read address to name mappings from a hosts file */
1410 if (! add_hosts_file(optarg))
1412 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1415 out_file_name_res = TRUE;
1418 case 'h': /* Print help and exit */
1422 case 'l': /* "Line-buffer" standard output */
1423 /* This isn't line-buffering, strictly speaking, it's just
1424 flushing the standard output after the information for
1425 each packet is printed; however, that should be good
1426 enough for all the purposes to which "-l" is put (and
1427 is probably actually better for "-V", as it does fewer
1430 See the comment in "process_packet()" for an explanation of
1431 why we do that, and why we don't just use "setvbuf()" to
1432 make the standard output line-buffered (short version: in
1433 Windows, "line-buffered" is the same as "fully-buffered",
1434 and the output buffer is only flushed when it fills up). */
1435 line_buffered = TRUE;
1437 case 'L': /* Print list of link-layer types and exit */
1439 list_link_layer_types = TRUE;
1441 capture_option_specified = TRUE;
1445 case 'n': /* No name resolution */
1446 gbl_resolv_flags.mac_name = FALSE;
1447 gbl_resolv_flags.network_name = FALSE;
1448 gbl_resolv_flags.transport_name = FALSE;
1449 gbl_resolv_flags.concurrent_dns = FALSE;
1451 case 'N': /* Select what types of addresses/port #s to resolve */
1452 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1453 if (badopt != '\0') {
1454 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1456 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1457 "\t'm' to enable MAC address resolution\n"
1458 "\t'n' to enable network address resolution\n"
1459 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1460 "\t for network address resolution\n"
1461 "\t't' to enable transport-layer port number resolution");
1465 case 'o': /* Override preference from command line */
1466 switch (prefs_set_pref(optarg)) {
1471 case PREFS_SET_SYNTAX_ERR:
1472 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1476 case PREFS_SET_NO_SUCH_PREF:
1477 case PREFS_SET_OBSOLETE:
1478 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1483 case 'q': /* Quiet */
1486 case 'Q': /* Really quiet */
1488 really_quiet = TRUE;
1490 case 'r': /* Read capture file x */
1491 cf_name = g_strdup(optarg);
1493 case 'R': /* Read file filter */
1497 /* already processed; just ignore it now */
1499 case 'S': /* Set the line Separator to be printed between packets */
1502 case 't': /* Time stamp type */
1503 if (strcmp(optarg, "r") == 0)
1504 timestamp_set_type(TS_RELATIVE);
1505 else if (strcmp(optarg, "a") == 0)
1506 timestamp_set_type(TS_ABSOLUTE);
1507 else if (strcmp(optarg, "ad") == 0)
1508 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1509 else if (strcmp(optarg, "adoy") == 0)
1510 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1511 else if (strcmp(optarg, "d") == 0)
1512 timestamp_set_type(TS_DELTA);
1513 else if (strcmp(optarg, "dd") == 0)
1514 timestamp_set_type(TS_DELTA_DIS);
1515 else if (strcmp(optarg, "e") == 0)
1516 timestamp_set_type(TS_EPOCH);
1517 else if (strcmp(optarg, "u") == 0)
1518 timestamp_set_type(TS_UTC);
1519 else if (strcmp(optarg, "ud") == 0)
1520 timestamp_set_type(TS_UTC_WITH_YMD);
1521 else if (strcmp(optarg, "udoy") == 0)
1522 timestamp_set_type(TS_UTC_WITH_YDOY);
1524 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1525 cmdarg_err_cont("\t\"a\" for absolute\n"
1526 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1527 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1528 "\t\"d\" for delta\n"
1529 "\t\"dd\" for delta displayed\n"
1530 "\t\"e\" for epoch\n"
1531 "\t\"r\" for relative\n"
1532 "\t\"u\" for absolute UTC\n"
1533 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1534 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1538 case 'T': /* printing Type */
1539 print_packet_info = TRUE;
1540 if (strcmp(optarg, "text") == 0) {
1541 output_action = WRITE_TEXT;
1542 print_format = PR_FMT_TEXT;
1543 } else if (strcmp(optarg, "ps") == 0) {
1544 output_action = WRITE_TEXT;
1545 print_format = PR_FMT_PS;
1546 } else if (strcmp(optarg, "pdml") == 0) {
1547 output_action = WRITE_XML;
1548 print_details = TRUE; /* Need details */
1549 print_summary = FALSE; /* Don't allow summary */
1550 } else if (strcmp(optarg, "psml") == 0) {
1551 output_action = WRITE_XML;
1552 print_details = FALSE; /* Don't allow details */
1553 print_summary = TRUE; /* Need summary */
1554 } else if (strcmp(optarg, "fields") == 0) {
1555 output_action = WRITE_FIELDS;
1556 print_details = TRUE; /* Need full tree info */
1557 print_summary = FALSE; /* Don't allow summary */
1559 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1560 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1561 "\t specified by the -E option.\n"
1562 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1563 "\t details of a decoded packet. This information is equivalent to\n"
1564 "\t the packet details printed with the -V flag.\n"
1565 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1566 "\t the packets, or a multi-line view of the details of each of\n"
1567 "\t the packets, depending on whether the -V flag was specified.\n"
1568 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1569 "\t summary information of a decoded packet. This information is\n"
1570 "\t equivalent to the information shown in the one-line summary\n"
1571 "\t printed by default.\n"
1572 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1573 "\t packets, or a multi-line view of the details of each of the\n"
1574 "\t packets, depending on whether the -V flag was specified.\n"
1575 "\t This is the default.");
1579 case 'u': /* Seconds type */
1580 if (strcmp(optarg, "s") == 0)
1581 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1582 else if (strcmp(optarg, "hms") == 0)
1583 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1585 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1586 cmdarg_err_cont("\t\"s\" for seconds\n"
1587 "\t\"hms\" for hours, minutes and seconds");
1591 case 'v': /* Show version and exit */
1593 show_version(comp_info_str, runtime_info_str);
1594 g_string_free(comp_info_str, TRUE);
1595 g_string_free(runtime_info_str, TRUE);
1596 /* We don't really have to cleanup here, but it's a convenient way to test
1597 * start-up and shut-down of the epan library without any UI-specific
1598 * cruft getting in the way. Makes the results of running
1599 * $ ./tools/valgrind-wireshark -n
1600 * much more useful. */
1604 case 'O': /* Only output these protocols */
1605 /* already processed; just ignore it now */
1607 case 'V': /* Verbose */
1608 /* already processed; just ignore it now */
1610 case 'x': /* Print packet data in hex (and ASCII) */
1611 /* already processed; just ignore it now */
1619 /* We won't call the init function for the stat this soon
1620 as it would disallow MATE's fields (which are registered
1621 by the preferences set callback) from being used as
1622 part of a tap filter. Instead, we just add the argument
1623 to a list of stat arguments. */
1624 if (!process_stat_cmd_arg(optarg)) {
1625 if (strcmp("help", optarg)==0) {
1626 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1627 list_stat_cmd_args();
1630 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1631 list_stat_cmd_args();
1636 case '?': /* Bad flag - print usage message */
1639 list_capture_types();
1649 /* If we specified output fields, but not the output field type... */
1650 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1651 cmdarg_err("Output fields were specified with \"-e\", "
1652 "but \"-Tfields\" was not specified.");
1654 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1655 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1656 "specified with \"-e\".");
1661 /* If no capture filter or display filter has been specified, and there are
1662 still command-line arguments, treat them as the tokens of a capture
1663 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1664 flag was specified. */
1665 if (optind < argc) {
1666 if (cf_name != NULL) {
1667 if (dfilter != NULL) {
1668 cmdarg_err("Display filters were specified both with \"-d\" "
1669 "and with additional command-line arguments.");
1672 dfilter = get_args_as_string(argc, argv, optind);
1677 if (global_capture_opts.default_options.cfilter) {
1678 cmdarg_err("A default capture filter was specified both with \"-f\""
1679 " and with additional command-line arguments.");
1682 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1683 interface_options interface_opts;
1684 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1685 if (interface_opts.cfilter == NULL) {
1686 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1687 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1688 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1690 cmdarg_err("A capture filter was specified both with \"-f\""
1691 " and with additional command-line arguments.");
1695 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1697 capture_option_specified = TRUE;
1703 if (!global_capture_opts.saving_to_file) {
1704 /* We're not saving the capture to a file; if "-q" wasn't specified,
1705 we should print packet information */
1707 print_packet_info = TRUE;
1709 /* We're saving to a file; if we're writing to the standard output.
1710 and we'll also be writing dissected packets to the standard
1711 output, reject the request. At best, we could redirect that
1712 to the standard error; we *can't* write both to the standard
1713 output and have either of them be useful. */
1714 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1715 cmdarg_err("You can't write both raw packet data and dissected packets"
1716 " to the standard output.");
1721 /* We're not saving the capture to a file; if "-q" wasn't specified,
1722 we should print packet information */
1724 print_packet_info = TRUE;
1727 #ifndef HAVE_LIBPCAP
1728 if (capture_option_specified)
1729 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1737 if (output_action != WRITE_TEXT) {
1738 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1743 if (output_only != NULL) {
1746 if (!print_details) {
1747 cmdarg_err("-O requires -V");
1751 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1752 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1753 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1757 if (rfilter != NULL && !perform_two_pass_analysis) {
1758 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1763 if (list_link_layer_types) {
1764 /* We're supposed to list the link-layer types for an interface;
1765 did the user also specify a capture file to be read? */
1767 /* Yes - that's bogus. */
1768 cmdarg_err("You can't specify -L and a capture file to be read.");
1771 /* No - did they specify a ring buffer option? */
1772 if (global_capture_opts.multi_files_on) {
1773 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1779 * "-r" was specified, so we're reading a capture file.
1780 * Capture options don't apply here.
1783 /* We don't support capture filters when reading from a capture file
1784 (the BPF compiler doesn't support all link-layer types that we
1785 support in capture files we read). */
1786 if (global_capture_opts.default_options.cfilter) {
1787 cmdarg_err("Only read filters, not capture filters, "
1788 "can be specified when reading a capture file.");
1791 if (global_capture_opts.multi_files_on) {
1792 cmdarg_err("Multiple capture files requested, but "
1793 "a capture isn't being done.");
1796 if (global_capture_opts.has_file_duration) {
1797 cmdarg_err("Switching capture files after a time interval was specified, but "
1798 "a capture isn't being done.");
1801 if (global_capture_opts.has_ring_num_files) {
1802 cmdarg_err("A ring buffer of capture files was specified, but "
1803 "a capture isn't being done.");
1806 if (global_capture_opts.has_autostop_files) {
1807 cmdarg_err("A maximum number of capture files was specified, but "
1808 "a capture isn't being done.");
1811 if (global_capture_opts.capture_comment) {
1812 cmdarg_err("A capture comment was specified, but "
1813 "a capture isn't being done.\nThere's no support for adding "
1814 "a capture comment to an existing capture file.");
1818 /* Note: TShark now allows the restriction of a _read_ file by packet count
1819 * and byte count as well as a write file. Other autostop options remain valid
1820 * only for a write file.
1822 if (global_capture_opts.has_autostop_duration) {
1823 cmdarg_err("A maximum capture time was specified, but "
1824 "a capture isn't being done.");
1829 * "-r" wasn't specified, so we're doing a live capture.
1831 if (perform_two_pass_analysis) {
1832 /* Two-pass analysis doesn't work with live capture since it requires us
1833 * to buffer packets until we've read all of them, but a live capture
1834 * has no useful/meaningful definition of "all" */
1835 cmdarg_err("Live captures do not support two-pass analysis.");
1839 if (global_capture_opts.saving_to_file) {
1840 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1842 /* When capturing, we only support writing pcap or pcap-ng format. */
1843 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1844 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1845 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1848 if (global_capture_opts.capture_comment &&
1849 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1850 cmdarg_err("A capture comment can only be written to a pcapng file.");
1853 if (global_capture_opts.multi_files_on) {
1854 /* Multiple-file mode doesn't work under certain conditions:
1855 a) it doesn't work if you're writing to the standard output;
1856 b) it doesn't work if you're writing to a pipe;
1858 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1859 cmdarg_err("Multiple capture files requested, but "
1860 "the capture is being written to the standard output.");
1863 if (global_capture_opts.output_to_pipe) {
1864 cmdarg_err("Multiple capture files requested, but "
1865 "the capture file is a pipe.");
1868 if (!global_capture_opts.has_autostop_filesize &&
1869 !global_capture_opts.has_file_duration) {
1870 cmdarg_err("Multiple capture files requested, but "
1871 "no maximum capture file size or duration was specified.");
1875 /* Currently, we don't support read or display filters when capturing
1876 and saving the packets. */
1877 if (rfilter != NULL) {
1878 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1881 if (dfilter != NULL) {
1882 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1885 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1887 /* They didn't specify a "-w" flag, so we won't be saving to a
1888 capture file. Check for options that only make sense if
1889 we're saving to a file. */
1890 if (global_capture_opts.has_autostop_filesize) {
1891 cmdarg_err("Maximum capture file size specified, but "
1892 "capture isn't being saved to a file.");
1895 if (global_capture_opts.multi_files_on) {
1896 cmdarg_err("Multiple capture files requested, but "
1897 "the capture isn't being saved to a file.");
1900 if (global_capture_opts.capture_comment) {
1901 cmdarg_err("A capture comment was specified, but "
1902 "the capture isn't being saved to a file.");
1911 /* Start windows sockets */
1912 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1915 /* Notify all registered modules that have had any of their preferences
1916 changed either from one of the preferences file or from the command
1917 line that their preferences have changed. */
1920 /* At this point MATE will have registered its field array so we can
1921 have a tap filter with one of MATE's late-registered fields as part
1922 of the filter. We can now process all the "-z" arguments. */
1923 start_requested_stats();
1926 /* We currently don't support taps, or printing dissected packets,
1927 if we're writing to a pipe. */
1928 if (global_capture_opts.saving_to_file &&
1929 global_capture_opts.output_to_pipe) {
1930 if (tap_listeners_require_dissection()) {
1931 cmdarg_err("Taps aren't supported when saving to a pipe.");
1934 if (print_packet_info) {
1935 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1941 if (ex_opt_count("read_format") > 0) {
1942 const gchar* name = ex_opt_get_next("read_format");
1943 in_file_type = open_info_name_to_type(name);
1944 if (in_file_type == WTAP_TYPE_AUTO) {
1945 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1946 list_read_capture_types();
1951 /* disabled protocols as per configuration file */
1952 if (gdp_path == NULL && dp_path == NULL) {
1953 set_disabled_protos_list();
1956 /* Build the column format array */
1957 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1960 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1961 capture_opts_trim_ring_num_files(&global_capture_opts);
1964 if (rfilter != NULL) {
1965 if (!dfilter_compile(rfilter, &rfcode)) {
1966 cmdarg_err("%s", dfilter_error_msg);
1968 #ifdef HAVE_PCAP_OPEN_DEAD
1972 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1974 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1976 " Note: That read filter code looks like a valid capture filter;\n"
1977 " maybe you mixed them up?");
1986 cfile.rfcode = rfcode;
1988 if (dfilter != NULL) {
1989 if (!dfilter_compile(dfilter, &dfcode)) {
1990 cmdarg_err("%s", dfilter_error_msg);
1992 #ifdef HAVE_PCAP_OPEN_DEAD
1996 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1998 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2000 " Note: That display filter code looks like a valid capture filter;\n"
2001 " maybe you mixed them up?");
2010 cfile.dfcode = dfcode;
2012 if (print_packet_info) {
2013 /* If we're printing as text or PostScript, we have
2014 to create a print stream. */
2015 if (output_action == WRITE_TEXT) {
2016 switch (print_format) {
2019 print_stream = print_stream_text_stdio_new(stdout);
2023 print_stream = print_stream_ps_stdio_new(stdout);
2027 g_assert_not_reached();
2032 /* We have to dissect each packet if:
2034 we're printing information about each packet;
2036 we're using a read filter on the packets;
2038 we're using a display filter on the packets;
2040 we're using any taps that need dissection. */
2041 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2045 * We're reading a capture file.
2049 * Immediately relinquish any special privileges we have; we must not
2050 * be allowed to read any capture files the user running TShark
2053 relinquish_special_privs_perm();
2054 print_current_user();
2056 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2061 /* Set timestamp precision; there should arguably be a command-line
2062 option to let the user set this. */
2063 switch(wtap_file_tsprecision(cfile.wth)) {
2064 case(WTAP_FILE_TSPREC_SEC):
2065 timestamp_set_precision(TS_PREC_AUTO_SEC);
2067 case(WTAP_FILE_TSPREC_DSEC):
2068 timestamp_set_precision(TS_PREC_AUTO_DSEC);
2070 case(WTAP_FILE_TSPREC_CSEC):
2071 timestamp_set_precision(TS_PREC_AUTO_CSEC);
2073 case(WTAP_FILE_TSPREC_MSEC):
2074 timestamp_set_precision(TS_PREC_AUTO_MSEC);
2076 case(WTAP_FILE_TSPREC_USEC):
2077 timestamp_set_precision(TS_PREC_AUTO_USEC);
2079 case(WTAP_FILE_TSPREC_NSEC):
2080 timestamp_set_precision(TS_PREC_AUTO_NSEC);
2083 g_assert_not_reached();
2086 /* Process the packets in the file */
2089 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2090 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2091 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2093 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2096 CATCH(OutOfMemoryError) {
2100 "Sorry, but TShark has to terminate now!\n"
2102 "Some infos / workarounds can be found at:\n"
2103 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2108 /* We still dump out the results of taps, etc., as we might have
2109 read some packets; however, we exit with an error status. */
2113 /* No capture file specified, so we're supposed to do a live capture
2114 or get a list of link-layer types for a live capture device;
2115 do we have support for live captures? */
2117 /* if no interface was specified, pick a default */
2118 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2119 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2120 if (exit_status != 0)
2123 /* if requested, list the link layer types and exit */
2124 if (list_link_layer_types) {
2127 /* Get the list of link-layer types for the capture devices. */
2128 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2129 interface_options interface_opts;
2130 if_capabilities_t *caps;
2132 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2133 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2135 cmdarg_err("%s", err_str);
2139 if (caps->data_link_types == NULL) {
2140 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2143 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2144 free_if_capabilities(caps);
2150 * If the standard error isn't a terminal, don't print packet counts,
2151 * as they won't show up on the user's terminal and they'll get in
2152 * the way of error messages in the file (to which we assume the
2153 * standard error was redirected; if it's redirected to the null
2154 * device, there's no point in printing packet counts anyway).
2156 * Otherwise, if we're printing packet information and the standard
2157 * output is a terminal (which we assume means the standard output and
2158 * error are going to the same terminal), don't print packet counts,
2159 * as they'll get in the way of the packet information.
2161 * Otherwise, if the user specified -q, don't print packet counts.
2163 * Otherwise, print packet counts.
2165 * XXX - what if the user wants to do a live capture, doesn't want
2166 * to save it to a file, doesn't want information printed for each
2167 * packet, does want some "-z" statistic, and wants packet counts
2168 * so they know whether they're seeing any packets? -q will
2169 * suppress the information printed for each packet, but it'll
2170 * also suppress the packet counts.
2172 if (!isatty(fileno(stderr)))
2173 print_packet_counts = FALSE;
2174 else if (print_packet_info && isatty(fileno(stdout)))
2175 print_packet_counts = FALSE;
2177 print_packet_counts = FALSE;
2179 print_packet_counts = TRUE;
2181 if (print_packet_info) {
2182 if (!write_preamble(NULL)) {
2183 show_print_file_io_error(errno);
2188 /* For now, assume libpcap gives microsecond precision. */
2189 timestamp_set_precision(TS_PREC_AUTO_USEC);
2192 * XXX - this returns FALSE if an error occurred, but it also
2193 * returns FALSE if the capture stops because a time limit
2194 * was reached (and possibly other limits), so we can't assume
2195 * it means an error.
2197 * The capture code is a bit twisty, so it doesn't appear to
2198 * be an easy fix. We just ignore the return value for now.
2199 * Instead, pass on the exit status from the capture child.
2202 exit_status = global_capture_session.fork_child_status;
2204 if (print_packet_info) {
2205 if (!write_finale()) {
2207 show_print_file_io_error(err);
2211 /* No - complain. */
2212 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2219 if (cfile.frames != NULL) {
2220 free_frame_data_sequence(cfile.frames);
2221 cfile.frames = NULL;
2224 draw_tap_listeners(TRUE);
2225 funnel_dump_all_text_windows();
2226 epan_free(cfile.epan);
2229 output_fields_free(output_fields);
2230 output_fields = NULL;
2235 /*#define USE_BROKEN_G_MAIN_LOOP*/
2237 #ifdef USE_BROKEN_G_MAIN_LOOP
2240 gboolean loop_running = FALSE;
2242 guint32 packet_count = 0;
2245 typedef struct pipe_input_tag {
2249 pipe_input_cb_t input_cb;
2250 guint pipe_input_id;
2252 GMutex *callback_running;
2256 static pipe_input_t pipe_input;
2259 /* The timer has expired, see if there's stuff to read from the pipe,
2260 if so, do the callback */
2262 pipe_timer_cb(gpointer data)
2268 pipe_input_t *pipe_input_p = data;
2269 gint iterations = 0;
2271 g_mutex_lock (pipe_input_p->callback_running);
2273 /* try to read data from the pipe only 5 times, to avoid blocking */
2274 while(iterations < 5) {
2275 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2277 /* Oddly enough although Named pipes don't work on win9x,
2278 PeekNamedPipe does !!! */
2279 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2280 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2282 /* Get the child process exit status */
2283 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2286 /* If the Peek returned an error, or there are bytes to be read
2287 or the childwatcher thread has terminated then call the normal
2289 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2291 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2293 /* And call the real handler */
2294 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2295 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2296 /* pipe closed, return false so that the timer is stopped */
2297 g_mutex_unlock (pipe_input_p->callback_running);
2302 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2303 /* No data, stop now */
2310 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2312 g_mutex_unlock (pipe_input_p->callback_running);
2314 /* we didn't stopped the timer, so let it run */
2321 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2324 pipe_input.source = source;
2325 pipe_input.child_process = child_process;
2326 pipe_input.user_data = user_data;
2327 pipe_input.input_cb = input_cb;
2330 #if GLIB_CHECK_VERSION(2,31,0)
2331 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2332 g_mutex_init(pipe_input.callback_running);
2334 pipe_input.callback_running = g_mutex_new();
2336 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2337 do this but that doesn't cover all win32 platforms. GTK can do
2338 this but doesn't seem to work over processes. Attempt to do
2339 something similar here, start a timer and check for data on every
2341 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2342 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2346 static const nstime_t *
2347 tshark_get_frame_ts(void *data, guint32 frame_num)
2349 capture_file *cf = (capture_file *) data;
2351 if (ref && ref->num == frame_num)
2352 return &ref->abs_ts;
2354 if (prev_dis && prev_dis->num == frame_num)
2355 return &prev_dis->abs_ts;
2357 if (prev_cap && prev_cap->num == frame_num)
2358 return &prev_cap->abs_ts;
2361 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2363 return (fd) ? &fd->abs_ts : NULL;
2370 tshark_epan_new(capture_file *cf)
2372 epan_t *epan = epan_new();
2375 epan->get_frame_ts = tshark_get_frame_ts;
2376 epan->get_interface_name = cap_file_get_interface_name;
2377 epan->get_user_comment = NULL;
2388 GString *str = g_string_new("");
2389 #ifdef USE_TSHARK_SELECT
2393 struct sigaction action, oldaction;
2397 * XXX - dropping privileges is still required, until code cleanup is done
2399 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2400 * when it's done, we don't need special privileges to run tshark at all,
2401 * therefore we don't need to drop these privileges
2402 * The only thing we might want to keep is a warning if tshark is run as root,
2403 * as it's no longer necessary and potentially dangerous.
2405 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2406 * We've opened the capture device, so we shouldn't need any special
2407 * privileges any more; relinquish those privileges.
2409 * XXX - if we have saved set-user-ID support, we should give up those
2410 * privileges immediately, and then reclaim them long enough to get
2411 * a list of network interfaces and to open one, and then give them
2412 * up again, so that stuff we do while processing the argument list,
2413 * reading the user's preferences, loading and starting plugins
2414 * (especially *user* plugins), etc. is done with the user's privileges,
2415 * not special privileges.
2417 relinquish_special_privs_perm();
2418 print_current_user();
2420 /* Create new dissection section. */
2421 epan_free(cfile.epan);
2422 cfile.epan = tshark_epan_new(&cfile);
2425 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2426 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2428 /* Catch SIGINT and SIGTERM and, if we get either of them,
2429 clean up and exit. If SIGHUP isn't being ignored, catch
2430 it too and, if we get it, clean up and exit.
2432 We restart any read that was in progress, so that it doesn't
2433 disrupt reading from the sync pipe. The signal handler tells
2434 the capture child to finish; it will report that it finished,
2435 or will exit abnormally, so we'll stop reading from the sync
2436 pipe, pick up the exit status, and quit. */
2437 memset(&action, 0, sizeof(action));
2438 action.sa_handler = capture_cleanup;
2439 action.sa_flags = SA_RESTART;
2440 sigemptyset(&action.sa_mask);
2441 sigaction(SIGTERM, &action, NULL);
2442 sigaction(SIGINT, &action, NULL);
2443 sigaction(SIGHUP, NULL, &oldaction);
2444 if (oldaction.sa_handler == SIG_DFL)
2445 sigaction(SIGHUP, &action, NULL);
2448 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2449 quiet mode, report the number of packets we've captured.
2451 Again, restart any read that was in progress, so that it doesn't
2452 disrupt reading from the sync pipe. */
2453 action.sa_handler = report_counts_siginfo;
2454 action.sa_flags = SA_RESTART;
2455 sigemptyset(&action.sa_mask);
2456 sigaction(SIGINFO, &action, NULL);
2457 #endif /* SIGINFO */
2460 global_capture_session.state = CAPTURE_PREPARING;
2462 /* Let the user know which interfaces were chosen. */
2463 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2464 interface_options interface_opts;
2466 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2467 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2468 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2469 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2472 if (global_capture_opts.ifaces->len < 2)
2474 if (global_capture_opts.ifaces->len < 4)
2477 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2478 interface_options interface_opts;
2480 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2482 if (global_capture_opts.ifaces->len > 2) {
2483 g_string_append_printf(str, ",");
2485 g_string_append_printf(str, " ");
2486 if (i == global_capture_opts.ifaces->len - 1) {
2487 g_string_append_printf(str, "and ");
2490 g_string_append_printf(str, "'%s'", interface_opts.descr);
2493 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2495 if (really_quiet == FALSE)
2496 fprintf(stderr, "Capturing on %s\n", str->str);
2498 g_string_free(str, TRUE);
2500 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2505 /* the actual capture loop
2507 * XXX - glib doesn't seem to provide any event based loop handling.
2509 * XXX - for whatever reason,
2510 * calling g_main_loop_new() ends up in 100% cpu load.
2512 * But that doesn't matter: in UNIX we can use select() to find an input
2513 * source with something to do.
2515 * But that doesn't matter because we're in a CLI (that doesn't need to
2516 * update a GUI or something at the same time) so it's OK if we block
2517 * trying to read from the pipe.
2519 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2520 * wrong (but I leave it there in case I am...).
2523 #ifdef USE_TSHARK_SELECT
2525 FD_SET(pipe_input.source, &readfds);
2528 loop_running = TRUE;
2532 while (loop_running)
2534 #ifdef USE_TSHARK_SELECT
2535 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2539 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2541 } else if (ret == 1) {
2543 /* Call the real handler */
2544 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2545 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2548 #ifdef USE_TSHARK_SELECT
2553 CATCH(OutOfMemoryError) {
2557 "Sorry, but TShark has to terminate now!\n"
2559 "Some infos / workarounds can be found at:\n"
2560 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2567 /* capture child detected an error */
2569 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2571 cmdarg_err("%s", error_msg);
2572 cmdarg_err_cont("%s", secondary_error_msg);
2576 /* capture child detected an capture filter related error */
2578 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2580 capture_options *capture_opts = cap_session->capture_opts;
2581 dfilter_t *rfcode = NULL;
2582 interface_options interface_opts;
2584 g_assert(i < capture_opts->ifaces->len);
2585 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2587 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2589 "Invalid capture filter \"%s\" for interface '%s'!\n"
2591 "That string looks like a valid display filter; however, it isn't a valid\n"
2592 "capture filter (%s).\n"
2594 "Note that display filters and capture filters don't have the same syntax,\n"
2595 "so you can't use most display filter expressions as capture filters.\n"
2597 "See the User's Guide for a description of the capture filter syntax.",
2598 interface_opts.cfilter, interface_opts.descr, error_message);
2599 dfilter_free(rfcode);
2602 "Invalid capture filter \"%s\" for interface '%s'!\n"
2604 "That string isn't a valid capture filter (%s).\n"
2605 "See the User's Guide for a description of the capture filter syntax.",
2606 interface_opts.cfilter, interface_opts.descr, error_message);
2611 /* capture child tells us we have a new (or the first) capture file */
2613 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2615 capture_options *capture_opts = cap_session->capture_opts;
2616 gboolean is_tempfile;
2619 if (cap_session->state == CAPTURE_PREPARING) {
2620 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2622 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2624 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2626 /* free the old filename */
2627 if (capture_opts->save_file != NULL) {
2629 /* we start a new capture file, close the old one (if we had one before) */
2630 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2631 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2632 wtap_close(((capture_file *) cap_session->cf)->wth);
2633 ((capture_file *) cap_session->cf)->wth = NULL;
2635 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2638 g_free(capture_opts->save_file);
2639 is_tempfile = FALSE;
2641 /* we didn't had a save_file before, must be a tempfile */
2645 /* save the new filename */
2646 capture_opts->save_file = g_strdup(new_file);
2648 /* if we are in real-time mode, open the new file now */
2649 if (do_dissection) {
2650 /* this is probably unecessary, but better safe than sorry */
2651 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2652 /* Attempt to open the capture file and set up to read from it. */
2653 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2657 /* Don't unlink (delete) the save file - leave it around,
2658 for debugging purposes. */
2659 g_free(capture_opts->save_file);
2660 capture_opts->save_file = NULL;
2665 cap_session->state = CAPTURE_RUNNING;
2671 /* capture child tells us we have new packets to read */
2673 capture_input_new_packets(capture_session *cap_session, int to_read)
2679 capture_file *cf = (capture_file *)cap_session->cf;
2680 gboolean filtering_tap_listeners;
2685 * Prevent a SIGINFO handler from writing to the standard error while
2686 * we're doing so or writing to the standard output; instead, have it
2687 * just set a flag telling us to print that information when we're done.
2690 #endif /* SIGINFO */
2692 /* Do we have any tap listeners with filters? */
2693 filtering_tap_listeners = have_filtering_tap_listeners();
2695 /* Get the union of the flags for all tap listeners. */
2696 tap_flags = union_of_tap_listener_flags();
2698 if (do_dissection) {
2699 gboolean create_proto_tree;
2700 epan_dissect_t *edt;
2702 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2703 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2704 create_proto_tree = TRUE;
2706 create_proto_tree = FALSE;
2708 /* The protocol tree will be "visible", i.e., printed, only if we're
2709 printing packet details, which is true if we're printing stuff
2710 ("print_packet_info" is true) and we're in verbose mode
2711 ("packet_details" is true). */
2712 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2714 while (to_read-- && cf->wth) {
2715 wtap_cleareof(cf->wth);
2716 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2718 /* read from file failed, tell the capture child to stop */
2719 sync_pipe_stop(cap_session);
2720 wtap_close(cf->wth);
2723 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2724 wtap_buf_ptr(cf->wth),
2728 /* packet successfully read and gone through the "Read Filter" */
2733 epan_dissect_free(edt);
2737 * Dumpcap's doing all the work; we're not doing any dissection.
2738 * Count all the packets it wrote.
2740 packet_count += to_read;
2743 if (print_packet_counts) {
2744 /* We're printing packet counts. */
2745 if (packet_count != 0) {
2746 fprintf(stderr, "\r%u ", packet_count);
2747 /* stderr could be line buffered */
2754 * Allow SIGINFO handlers to write.
2759 * If a SIGINFO handler asked us to write out capture counts, do so.
2763 #endif /* SIGINFO */
2769 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2770 /* Report the count only if we aren't printing a packet count
2771 as packets arrive. */
2772 fprintf(stderr, "%u packet%s captured\n", packet_count,
2773 plurality(packet_count, "", "s"));
2776 infoprint = FALSE; /* we just reported it */
2777 #endif /* SIGINFO */
2782 report_counts_siginfo(int signum _U_)
2784 int sav_errno = errno;
2785 /* If we've been told to delay printing, just set a flag asking
2786 that we print counts (if we're supposed to), otherwise print
2787 the count of packets captured (if we're supposed to). */
2794 #endif /* SIGINFO */
2797 /* capture child detected any packet drops? */
2799 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2801 if (print_packet_counts) {
2802 /* We're printing packet counts to stderr.
2803 Send a newline so that we move to the line after the packet count. */
2804 fprintf(stderr, "\n");
2808 /* We're printing packet counts to stderr.
2809 Send a newline so that we move to the line after the packet count. */
2810 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2816 * Capture child closed its side of the pipe, report any error and
2817 * do the required cleanup.
2820 capture_input_closed(capture_session *cap_session, gchar *msg)
2822 capture_file *cf = (capture_file *) cap_session->cf;
2825 fprintf(stderr, "tshark: %s\n", msg);
2829 if (cf != NULL && cf->wth != NULL) {
2830 wtap_close(cf->wth);
2831 if (cf->is_tempfile) {
2832 ws_unlink(cf->filename);
2835 #ifdef USE_BROKEN_G_MAIN_LOOP
2836 /*g_main_loop_quit(loop);*/
2837 g_main_loop_quit(loop);
2839 loop_running = FALSE;
2848 capture_cleanup(DWORD ctrltype _U_)
2850 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2851 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2852 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2853 like SIGTERM at least when the machine's shutting down.
2855 For now, we handle them all as indications that we should clean up
2856 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2859 We must return TRUE so that no other handler - such as one that would
2860 terminate the process - gets called.
2862 XXX - for some reason, typing ^C to TShark, if you run this in
2863 a Cygwin console window in at least some versions of Cygwin,
2864 causes TShark to terminate immediately; this routine gets
2865 called, but the main loop doesn't get a chance to run and
2866 exit cleanly, at least if this is compiled with Microsoft Visual
2867 C++ (i.e., it's a property of the Cygwin console window or Bash;
2868 it happens if TShark is not built with Cygwin - for all I know,
2869 building it with Cygwin may make the problem go away). */
2871 /* tell the capture child to stop */
2872 sync_pipe_stop(&global_capture_session);
2874 /* don't stop our own loop already here, otherwise status messages and
2875 * cleanup wouldn't be done properly. The child will indicate the stop of
2876 * everything by calling capture_input_closed() later */
2882 capture_cleanup(int signum _U_)
2884 /* tell the capture child to stop */
2885 sync_pipe_stop(&global_capture_session);
2887 /* don't stop our own loop already here, otherwise status messages and
2888 * cleanup wouldn't be done properly. The child will indicate the stop of
2889 * everything by calling capture_input_closed() later */
2892 #endif /* HAVE_LIBPCAP */
2895 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2896 gint64 offset, struct wtap_pkthdr *whdr,
2903 /* The frame number of this packet is one more than the count of
2904 frames in this packet. */
2905 framenum = cf->count + 1;
2907 /* If we're not running a display filter and we're not printing any
2908 packet information, we don't need to do a dissection. This means
2909 that all packets can be marked as 'passed'. */
2912 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2914 /* If we're going to print packet information, or we're going to
2915 run a read filter, or display filter, or we're going to process taps, set up to
2916 do a dissection and do so. */
2918 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2919 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2920 /* Grab any resolved addresses */
2921 host_name_lookup_process();
2923 /* If we're running a read filter, prime the epan_dissect_t with that
2926 epan_dissect_prime_dfilter(edt, cf->rfcode);
2929 epan_dissect_prime_dfilter(edt, cf->dfcode);
2931 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2933 if (ref == &fdlocal) {
2934 ref_frame = fdlocal;
2938 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2940 /* Run the read filter if we have one. */
2942 passed = dfilter_apply_edt(cf->rfcode, edt);
2946 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2947 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2949 /* If we're not doing dissection then there won't be any dependent frames.
2950 * More importantly, edt.pi.dependent_frames won't be initialized because
2951 * epan hasn't been initialized.
2952 * if we *are* doing dissection, then mark the dependent frames, but only
2953 * if a display filter was given and it matches this packet.
2955 if (edt && cf->dfcode) {
2956 if (dfilter_apply_edt(cf->dfcode, edt)) {
2957 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2963 /* if we don't add it to the frame_data_sequence, clean it up right now
2965 frame_data_destroy(&fdlocal);
2969 epan_dissect_reset(edt);
2975 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2976 struct wtap_pkthdr *phdr, Buffer *buf,
2982 /* If we're not running a display filter and we're not printing any
2983 packet information, we don't need to do a dissection. This means
2984 that all packets can be marked as 'passed'. */
2987 /* If we're going to print packet information, or we're going to
2988 run a read filter, or we're going to process taps, set up to
2989 do a dissection and do so. */
2991 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2992 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2993 /* Grab any resolved addresses */
2994 host_name_lookup_process();
2996 /* If we're running a display filter, prime the epan_dissect_t with that
2999 epan_dissect_prime_dfilter(edt, cf->dfcode);
3001 col_custom_prime_edt(edt, &cf->cinfo);
3003 /* We only need the columns if either
3004 1) some tap needs the columns
3006 2) we're printing packet info but we're *not* verbose; in verbose
3007 mode, we print the protocol tree, not the protocol summary.
3009 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3014 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3021 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3023 /* Run the read/display filter if we have one. */
3025 passed = dfilter_apply_edt(cf->dfcode, edt);
3029 frame_data_set_after_dissect(fdata, &cum_bytes);
3030 /* Process this packet. */
3031 if (print_packet_info) {
3032 /* We're printing packet information; print the information for
3034 print_packet(cf, edt);
3036 /* The ANSI C standard does not appear to *require* that a line-buffered
3037 stream be flushed to the host environment whenever a newline is
3038 written, it just says that, on such a stream, characters "are
3039 intended to be transmitted to or from the host environment as a
3040 block when a new-line character is encountered".
3042 The Visual C++ 6.0 C implementation doesn't do what is intended;
3043 even if you set a stream to be line-buffered, it still doesn't
3044 flush the buffer at the end of every line.
3046 So, if the "-l" flag was specified, we flush the standard output
3047 at the end of a packet. This will do the right thing if we're
3048 printing packet summary lines, and, as we print the entire protocol
3049 tree for a single packet without waiting for anything to happen,
3050 it should be as good as line-buffered mode if we're printing
3051 protocol trees. (The whole reason for the "-l" flag in either
3052 tcpdump or TShark is to allow the output of a live capture to
3053 be piped to a program or script and to have that script see the
3054 information for the packet as soon as it's printed, rather than
3055 having to wait until a standard I/O buffer fills up. */
3059 if (ferror(stdout)) {
3060 show_print_file_io_error(errno);
3069 epan_dissect_reset(edt);
3071 return passed || fdata->flags.dependent_of_displayed;
3075 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3076 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3079 int snapshot_length;
3083 gchar *err_info = NULL;
3085 char *save_file_string = NULL;
3086 gboolean filtering_tap_listeners;
3088 wtapng_section_t *shb_hdr;
3089 wtapng_iface_descriptions_t *idb_inf;
3091 struct wtap_pkthdr phdr;
3093 epan_dissect_t *edt = NULL;
3095 memset(&phdr, 0, sizeof(struct wtap_pkthdr));
3097 shb_hdr = wtap_file_get_shb_info(cf->wth);
3098 idb_inf = wtap_file_get_idb_info(cf->wth);
3099 #ifdef PCAP_NG_DEFAULT
3100 if (idb_inf->interface_data->len > 1) {
3101 linktype = WTAP_ENCAP_PER_PACKET;
3103 linktype = wtap_file_encap(cf->wth);
3106 linktype = wtap_file_encap(cf->wth);
3108 if (save_file != NULL) {
3109 /* Get a string that describes what we're writing to */
3110 save_file_string = output_file_description(save_file);
3112 /* Set up to write to the capture file. */
3113 snapshot_length = wtap_snapshot_length(cf->wth);
3114 if (snapshot_length == 0) {
3115 /* Snapshot length of input file not known. */
3116 snapshot_length = WTAP_MAX_PACKET_SIZE;
3118 /* If we don't have an application name add Tshark */
3119 if (shb_hdr->shb_user_appl == NULL) {
3120 g_snprintf(appname, sizeof(appname), "TShark %s", get_ws_vcs_version_info());
3121 shb_hdr->shb_user_appl = appname;
3124 if (linktype != WTAP_ENCAP_PER_PACKET &&
3125 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3126 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3127 snapshot_length, FALSE /* compressed */, &err);
3129 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3130 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3136 /* We couldn't set up to write to the capture file. */
3139 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3140 cmdarg_err("Capture files can't be written in that format.");
3143 case WTAP_ERR_UNSUPPORTED_ENCAP:
3144 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3145 cmdarg_err("The capture file being read can't be written as a "
3146 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3149 case WTAP_ERR_CANT_OPEN:
3150 cmdarg_err("The %s couldn't be created for some "
3151 "unknown reason.", save_file_string);
3154 case WTAP_ERR_SHORT_WRITE:
3155 cmdarg_err("A full header couldn't be written to the %s.",
3160 cmdarg_err("The %s could not be created: %s.", save_file_string,
3161 wtap_strerror(err));
3167 if (print_packet_info) {
3168 if (!write_preamble(cf)) {
3170 show_print_file_io_error(err);
3179 if (pdh && out_file_name_res) {
3180 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3181 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3182 wtap_file_type_subtype_short_string(out_file_type));
3186 /* Do we have any tap listeners with filters? */
3187 filtering_tap_listeners = have_filtering_tap_listeners();
3189 /* Get the union of the flags for all tap listeners. */
3190 tap_flags = union_of_tap_listener_flags();
3192 if (perform_two_pass_analysis) {
3195 /* Allocate a frame_data_sequence for all the frames. */
3196 cf->frames = new_frame_data_sequence();
3198 if (do_dissection) {
3199 gboolean create_proto_tree = FALSE;
3201 /* If we're going to be applying a filter, we'll need to
3202 create a protocol tree against which to apply the filter. */
3203 if (cf->rfcode || cf->dfcode)
3204 create_proto_tree = TRUE;
3206 /* We're not going to display the protocol tree on this pass,
3207 so it's not going to be "visible". */
3208 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3211 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3212 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3213 wtap_buf_ptr(cf->wth))) {
3214 /* Stop reading if we have the maximum number of packets;
3215 * When the -c option has not been used, max_packet_count
3216 * starts at 0, which practically means, never stop reading.
3217 * (unless we roll over max_packet_count ?)
3219 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3220 err = 0; /* This is not an error */
3227 epan_dissect_free(edt);
3231 /* Close the sequential I/O side, to free up memory it requires. */
3232 wtap_sequential_close(cf->wth);
3234 /* Allow the protocol dissectors to free up memory that they
3235 * don't need after the sequential run-through of the packets. */
3236 postseq_cleanup_all_protocols();
3240 buffer_init(&buf, 1500);
3242 if (do_dissection) {
3243 gboolean create_proto_tree;
3245 if (cf->dfcode || print_details || filtering_tap_listeners ||
3246 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3247 create_proto_tree = TRUE;
3249 create_proto_tree = FALSE;
3251 /* The protocol tree will be "visible", i.e., printed, only if we're
3252 printing packet details, which is true if we're printing stuff
3253 ("print_packet_info" is true) and we're in verbose mode
3254 ("packet_details" is true). */
3255 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3258 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3259 fdata = frame_data_sequence_find(cf->frames, framenum);
3260 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3262 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3264 /* Either there's no read filtering or this packet passed the
3265 filter, so, if we're writing to a capture file, write
3268 if (!wtap_dump(pdh, &phdr, buffer_start_ptr(&buf), &err)) {
3269 /* Error writing to a capture file */
3272 case WTAP_ERR_UNSUPPORTED_ENCAP:
3274 * This is a problem with the particular frame we're writing
3275 * and the file type and subtype we're writing; note that,
3276 * and report the frame number and file type/subtype.
3278 * XXX - framenum is not necessarily the frame number in
3279 * the input file if there was a read filter.
3282 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3283 framenum, cf->filename,
3284 wtap_file_type_subtype_short_string(out_file_type));
3287 case WTAP_ERR_PACKET_TOO_LARGE:
3289 * This is a problem with the particular frame we're writing
3290 * and the file type and subtype we're writing; note that,
3291 * and report the frame number and file type/subtype.
3293 * XXX - framenum is not necessarily the frame number in
3294 * the input file if there was a read filter.
3297 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3298 framenum, cf->filename,
3299 wtap_file_type_subtype_short_string(out_file_type));
3303 show_capture_file_io_error(save_file, err, FALSE);
3306 wtap_dump_close(pdh, &err);
3316 epan_dissect_free(edt);
3325 if (do_dissection) {
3326 gboolean create_proto_tree;
3328 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3329 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3330 create_proto_tree = TRUE;
3332 create_proto_tree = FALSE;
3334 /* The protocol tree will be "visible", i.e., printed, only if we're
3335 printing packet details, which is true if we're printing stuff
3336 ("print_packet_info" is true) and we're in verbose mode
3337 ("packet_details" is true). */
3338 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3341 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3344 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3345 wtap_buf_ptr(cf->wth),
3347 /* Either there's no read filtering or this packet passed the
3348 filter, so, if we're writing to a capture file, write
3351 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3352 /* Error writing to a capture file */
3355 case WTAP_ERR_UNSUPPORTED_ENCAP:
3357 * This is a problem with the particular frame we're writing
3358 * and the file type and subtype we're writing; note that,
3359 * and report the frame number and file type/subtype.
3362 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3363 framenum, cf->filename,
3364 wtap_file_type_subtype_short_string(out_file_type));
3367 case WTAP_ERR_PACKET_TOO_LARGE:
3369 * This is a problem with the particular frame we're writing
3370 * and the file type and subtype we're writing; note that,
3371 * and report the frame number and file type/subtype.
3374 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3375 framenum, cf->filename,
3376 wtap_file_type_subtype_short_string(out_file_type));
3380 show_capture_file_io_error(save_file, err, FALSE);
3383 wtap_dump_close(pdh, &err);
3389 /* Stop reading if we have the maximum number of packets;
3390 * When the -c option has not been used, max_packet_count
3391 * starts at 0, which practically means, never stop reading.
3392 * (unless we roll over max_packet_count ?)
3394 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3395 err = 0; /* This is not an error */
3401 epan_dissect_free(edt);
3408 * Print a message noting that the read failed somewhere along the line.
3410 * If we're printing packet data, and the standard output and error are
3411 * going to the same place, flush the standard output, so everything
3412 * buffered up is written, and then print a newline to the standard error
3413 * before printing the error message, to separate it from the packet
3414 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3415 * the _fstat() documentation at Microsoft doesn't indicate whether
3416 * st_ino is even supported.)
3419 if (print_packet_info) {
3420 struct stat stat_stdout, stat_stderr;
3422 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3423 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3424 stat_stdout.st_ino == stat_stderr.st_ino) {
3426 fprintf(stderr, "\n");
3433 case WTAP_ERR_UNSUPPORTED:
3434 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3435 cf->filename, err_info);
3439 case WTAP_ERR_UNSUPPORTED_ENCAP:
3440 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3441 cf->filename, err_info);
3445 case WTAP_ERR_CANT_READ:
3446 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3450 case WTAP_ERR_SHORT_READ:
3451 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3455 case WTAP_ERR_BAD_FILE:
3456 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3457 cf->filename, err_info);
3461 case WTAP_ERR_DECOMPRESS:
3462 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3463 "(%s)", cf->filename, err_info);
3467 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3468 cf->filename, wtap_strerror(err));
3471 if (save_file != NULL) {
3472 /* Now close the capture file. */
3473 if (!wtap_dump_close(pdh, &err))
3474 show_capture_file_io_error(save_file, err, TRUE);
3477 if (save_file != NULL) {
3478 /* Now close the capture file. */
3479 if (!wtap_dump_close(pdh, &err))
3480 show_capture_file_io_error(save_file, err, TRUE);
3482 if (print_packet_info) {
3483 if (!write_finale()) {
3485 show_print_file_io_error(err);
3492 wtap_close(cf->wth);
3495 g_free(save_file_string);
3502 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3503 const guchar *pd, guint tap_flags)
3509 /* Count this packet. */
3512 /* If we're not running a display filter and we're not printing any
3513 packet information, we don't need to do a dissection. This means
3514 that all packets can be marked as 'passed'. */
3517 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3519 /* If we're going to print packet information, or we're going to
3520 run a read filter, or we're going to process taps, set up to
3521 do a dissection and do so. */
3523 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3524 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3525 /* Grab any resolved addresses */
3526 host_name_lookup_process();
3528 /* If we're running a filter, prime the epan_dissect_t with that
3531 epan_dissect_prime_dfilter(edt, cf->dfcode);
3533 col_custom_prime_edt(edt, &cf->cinfo);
3535 /* We only need the columns if either
3536 1) some tap needs the columns
3538 2) we're printing packet info but we're *not* verbose; in verbose
3539 mode, we print the protocol tree, not the protocol summary.
3541 3) there is a column mapped as an individual field */
3542 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3547 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3549 if (ref == &fdata) {
3554 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3556 /* Run the filter if we have it. */
3558 passed = dfilter_apply_edt(cf->dfcode, edt);
3562 frame_data_set_after_dissect(&fdata, &cum_bytes);
3564 /* Process this packet. */
3565 if (print_packet_info) {
3566 /* We're printing packet information; print the information for
3568 print_packet(cf, edt);
3570 /* The ANSI C standard does not appear to *require* that a line-buffered
3571 stream be flushed to the host environment whenever a newline is
3572 written, it just says that, on such a stream, characters "are
3573 intended to be transmitted to or from the host environment as a
3574 block when a new-line character is encountered".
3576 The Visual C++ 6.0 C implementation doesn't do what is intended;
3577 even if you set a stream to be line-buffered, it still doesn't
3578 flush the buffer at the end of every line.
3580 So, if the "-l" flag was specified, we flush the standard output
3581 at the end of a packet. This will do the right thing if we're
3582 printing packet summary lines, and, as we print the entire protocol
3583 tree for a single packet without waiting for anything to happen,
3584 it should be as good as line-buffered mode if we're printing
3585 protocol trees. (The whole reason for the "-l" flag in either
3586 tcpdump or TShark is to allow the output of a live capture to
3587 be piped to a program or script and to have that script see the
3588 information for the packet as soon as it's printed, rather than
3589 having to wait until a standard I/O buffer fills up. */
3593 if (ferror(stdout)) {
3594 show_print_file_io_error(errno);
3599 /* this must be set after print_packet() [bug #8160] */
3600 prev_dis_frame = fdata;
3601 prev_dis = &prev_dis_frame;
3604 prev_cap_frame = fdata;
3605 prev_cap = &prev_cap_frame;
3608 epan_dissect_reset(edt);
3609 frame_data_destroy(&fdata);
3615 write_preamble(capture_file *cf)
3617 switch (output_action) {
3620 return print_preamble(print_stream, cf ? cf->filename : NULL, get_ws_vcs_version_info());
3624 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3626 write_psml_preamble(stdout);
3627 return !ferror(stdout);
3630 write_fields_preamble(output_fields, stdout);
3631 return !ferror(stdout);
3634 g_assert_not_reached();
3640 get_line_buf(size_t len)
3642 static char *line_bufp = NULL;
3643 static size_t line_buf_len = 256;
3644 size_t new_line_buf_len;
3646 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3647 new_line_buf_len *= 2)
3649 if (line_bufp == NULL) {
3650 line_buf_len = new_line_buf_len;
3651 line_bufp = (char *)g_malloc(line_buf_len + 1);
3653 if (new_line_buf_len > line_buf_len) {
3654 line_buf_len = new_line_buf_len;
3655 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3662 put_string(char *dest, const char *str, size_t str_len)
3664 memcpy(dest, str, str_len);
3665 dest[str_len] = '\0';
3669 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3673 for (i = str_len; i < str_with_spaces; i++)
3676 put_string(dest, str, str_len);
3680 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3684 memcpy(dest, str, str_len);
3685 for (i = str_len; i < str_with_spaces; i++)
3688 dest[str_with_spaces] = '\0';
3692 print_columns(capture_file *cf)
3700 line_bufp = get_line_buf(256);
3703 for (i = 0; i < cf->cinfo.num_cols; i++) {
3704 /* Skip columns not marked as visible. */
3705 if (!get_column_visible(i))
3707 switch (cf->cinfo.col_fmt[i]) {
3709 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3712 line_bufp = get_line_buf(buf_offset + column_len);
3713 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3719 case COL_ABS_YMD_TIME: /* XXX - wider */
3720 case COL_ABS_YDOY_TIME: /* XXX - wider */
3722 case COL_UTC_YMD_TIME: /* XXX - wider */
3723 case COL_UTC_YDOY_TIME: /* XXX - wider */
3724 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3725 if (column_len < 10)
3727 line_bufp = get_line_buf(buf_offset + column_len);
3728 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3734 case COL_DEF_DL_SRC:
3735 case COL_RES_DL_SRC:
3736 case COL_UNRES_DL_SRC:
3737 case COL_DEF_NET_SRC:
3738 case COL_RES_NET_SRC:
3739 case COL_UNRES_NET_SRC:
3740 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3741 if (column_len < 12)
3743 line_bufp = get_line_buf(buf_offset + column_len);
3744 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3750 case COL_DEF_DL_DST:
3751 case COL_RES_DL_DST:
3752 case COL_UNRES_DL_DST:
3753 case COL_DEF_NET_DST:
3754 case COL_RES_NET_DST:
3755 case COL_UNRES_NET_DST:
3756 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3757 if (column_len < 12)
3759 line_bufp = get_line_buf(buf_offset + column_len);
3760 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3764 column_len = strlen(cf->cinfo.col_data[i]);
3765 line_bufp = get_line_buf(buf_offset + column_len);
3766 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3769 buf_offset += column_len;
3770 if (i != cf->cinfo.num_cols - 1) {
3772 * This isn't the last column, so we need to print a
3773 * separator between this column and the next.
3775 * If we printed a network source and are printing a
3776 * network destination of the same type next, separate
3777 * them with " -> "; if we printed a network destination
3778 * and are printing a network source of the same type
3779 * next, separate them with " <- "; otherwise separate them
3782 * We add enough space to the buffer for " <- " or " -> ",
3783 * even if we're only adding " ".
3785 line_bufp = get_line_buf(buf_offset + 4);
3786 switch (cf->cinfo.col_fmt[i]) {
3791 switch (cf->cinfo.col_fmt[i + 1]) {
3796 put_string(line_bufp + buf_offset, " -> ", 4);
3801 put_string(line_bufp + buf_offset, " ", 1);
3807 case COL_DEF_DL_SRC:
3808 case COL_RES_DL_SRC:
3809 case COL_UNRES_DL_SRC:
3810 switch (cf->cinfo.col_fmt[i + 1]) {
3812 case COL_DEF_DL_DST:
3813 case COL_RES_DL_DST:
3814 case COL_UNRES_DL_DST:
3815 put_string(line_bufp + buf_offset, " -> ", 4);
3820 put_string(line_bufp + buf_offset, " ", 1);
3826 case COL_DEF_NET_SRC:
3827 case COL_RES_NET_SRC:
3828 case COL_UNRES_NET_SRC:
3829 switch (cf->cinfo.col_fmt[i + 1]) {
3831 case COL_DEF_NET_DST:
3832 case COL_RES_NET_DST:
3833 case COL_UNRES_NET_DST:
3834 put_string(line_bufp + buf_offset, " -> ", 4);
3839 put_string(line_bufp + buf_offset, " ", 1);
3848 switch (cf->cinfo.col_fmt[i + 1]) {
3853 put_string(line_bufp + buf_offset, " <- ", 4);
3858 put_string(line_bufp + buf_offset, " ", 1);
3864 case COL_DEF_DL_DST:
3865 case COL_RES_DL_DST:
3866 case COL_UNRES_DL_DST:
3867 switch (cf->cinfo.col_fmt[i + 1]) {
3869 case COL_DEF_DL_SRC:
3870 case COL_RES_DL_SRC:
3871 case COL_UNRES_DL_SRC:
3872 put_string(line_bufp + buf_offset, " <- ", 4);
3877 put_string(line_bufp + buf_offset, " ", 1);
3883 case COL_DEF_NET_DST:
3884 case COL_RES_NET_DST:
3885 case COL_UNRES_NET_DST:
3886 switch (cf->cinfo.col_fmt[i + 1]) {
3888 case COL_DEF_NET_SRC:
3889 case COL_RES_NET_SRC:
3890 case COL_UNRES_NET_SRC:
3891 put_string(line_bufp + buf_offset, " <- ", 4);
3896 put_string(line_bufp + buf_offset, " ", 1);
3903 put_string(line_bufp + buf_offset, " ", 1);
3909 return print_line(print_stream, 0, line_bufp);
3913 print_packet(capture_file *cf, epan_dissect_t *edt)
3915 print_args_t print_args;
3917 if (print_summary || output_fields_has_cols(output_fields)) {
3918 /* Just fill in the columns. */
3919 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3921 if (print_summary) {
3922 /* Now print them. */
3923 switch (output_action) {
3926 if (!print_columns(cf))
3931 proto_tree_write_psml(edt, stdout);
3932 return !ferror(stdout);
3933 case WRITE_FIELDS: /*No non-verbose "fields" format */
3934 g_assert_not_reached();
3939 if (print_details) {
3940 /* Print the information in the protocol tree. */
3941 switch (output_action) {
3944 /* Only initialize the fields that are actually used in proto_tree_print.
3945 * This is particularly important for .range, as that's heap memory which
3946 * we would otherwise have to g_free().
3947 print_args.to_file = TRUE;
3948 print_args.format = print_format;
3949 print_args.print_summary = print_summary;
3950 print_args.print_formfeed = FALSE;
3951 packet_range_init(&print_args.range, &cfile);
3953 print_args.print_hex = print_hex;
3954 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3956 if (!proto_tree_print(&print_args, edt, print_stream))
3959 if (!print_line(print_stream, 0, separator))
3965 proto_tree_write_pdml(edt, stdout);
3967 return !ferror(stdout);
3969 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3971 return !ferror(stdout);
3975 if (print_summary || print_details) {
3976 if (!print_line(print_stream, 0, ""))
3979 if (!print_hex_data(print_stream, edt))
3981 if (!print_line(print_stream, 0, separator))
3990 switch (output_action) {
3993 return print_finale(print_stream);
3997 write_pdml_finale(stdout);
3999 write_psml_finale(stdout);
4000 return !ferror(stdout);
4003 write_fields_finale(output_fields, stdout);
4004 return !ferror(stdout);
4007 g_assert_not_reached();
4013 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4017 char err_msg[2048+1];
4019 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4023 /* The open succeeded. Fill in the information for this file. */
4025 /* Create new epan session for dissection. */
4026 epan_free(cf->epan);
4027 cf->epan = tshark_epan_new(cf);
4030 cf->f_datalen = 0; /* not used, but set it anyway */
4032 /* Set the file name because we need it to set the follow stream filter.
4033 XXX - is that still true? We need it for other reasons, though,
4035 cf->filename = g_strdup(fname);
4037 /* Indicate whether it's a permanent or temporary file. */
4038 cf->is_tempfile = is_tempfile;
4040 /* No user changes yet. */
4041 cf->unsaved_changes = FALSE;
4043 cf->cd_t = wtap_file_type_subtype(cf->wth);
4044 cf->open_type = type;
4046 cf->drops_known = FALSE;
4048 cf->snap = wtap_snapshot_length(cf->wth);
4049 if (cf->snap == 0) {
4050 /* Snapshot length not known. */
4051 cf->has_snap = FALSE;
4052 cf->snap = WTAP_MAX_PACKET_SIZE;
4054 cf->has_snap = TRUE;
4055 nstime_set_zero(&cf->elapsed_time);
4060 cf->state = FILE_READ_IN_PROGRESS;
4062 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4063 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4068 g_snprintf(err_msg, sizeof err_msg,
4069 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4070 cmdarg_err("%s", err_msg);
4075 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4077 char *save_file_string;
4079 save_file_string = output_file_description(fname);
4084 cmdarg_err("Not all the packets could be written to the %s because there is "
4085 "no space left on the file system.",
4091 cmdarg_err("Not all the packets could be written to the %s because you are "
4092 "too close to, or over your disk quota.",
4097 case WTAP_ERR_CANT_CLOSE:
4098 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4102 case WTAP_ERR_SHORT_WRITE:
4103 cmdarg_err("Not all the packets could be written to the %s.",
4109 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4110 wtap_strerror(err));
4112 cmdarg_err("An error occurred while writing to the %s: %s.",
4113 save_file_string, wtap_strerror(err));
4117 g_free(save_file_string);
4121 show_print_file_io_error(int err)
4126 cmdarg_err("Not all the packets could be printed because there is "
4127 "no space left on the file system.");
4132 cmdarg_err("Not all the packets could be printed because you are "
4133 "too close to, or over your disk quota.");
4138 cmdarg_err("An error occurred while printing packets: %s.",
4145 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4149 static char errmsg_errno[1024+1];
4152 /* Wiretap error. */
4155 case WTAP_ERR_NOT_REGULAR_FILE:
4156 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4159 case WTAP_ERR_RANDOM_OPEN_PIPE:
4160 /* Seen only when opening a capture file for reading. */
4161 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4164 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4165 /* Seen only when opening a capture file for reading. */
4166 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4169 case WTAP_ERR_UNSUPPORTED:
4170 /* Seen only when opening a capture file for reading. */
4171 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4172 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4175 errmsg = errmsg_errno;
4178 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4179 /* Seen only when opening a capture file for writing. */
4180 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4181 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4182 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4183 errmsg = errmsg_errno;
4186 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4187 /* Seen only when opening a capture file for writing. */
4188 errmsg = "TShark doesn't support writing capture files in that format.";
4191 case WTAP_ERR_UNSUPPORTED_ENCAP:
4193 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4194 "TShark can't save this capture as a \"%s\" file.",
4195 wtap_file_type_subtype_short_string(file_type));
4197 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4198 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4202 errmsg = errmsg_errno;
4205 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4207 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4208 "TShark can't save this capture as a \"%s\" file.",
4209 wtap_file_type_subtype_short_string(file_type));
4210 errmsg = errmsg_errno;
4212 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4215 case WTAP_ERR_BAD_FILE:
4216 /* Seen only when opening a capture file for reading. */
4217 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4218 "The file \"%%s\" appears to be damaged or corrupt.\n"
4221 errmsg = errmsg_errno;
4224 case WTAP_ERR_CANT_OPEN:
4226 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4228 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4231 case WTAP_ERR_SHORT_READ:
4232 errmsg = "The file \"%s\" appears to have been cut short"
4233 " in the middle of a packet or other data.";
4236 case WTAP_ERR_SHORT_WRITE:
4237 errmsg = "A full header couldn't be written to the file \"%s\".";
4240 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4241 errmsg = "This file type cannot be written as a compressed file.";
4244 case WTAP_ERR_DECOMPRESS:
4245 /* Seen only when opening a capture file for reading. */
4246 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4247 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4250 errmsg = errmsg_errno;
4254 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4255 "The file \"%%s\" could not be %s: %s.",
4256 for_writing ? "created" : "opened",
4257 wtap_strerror(err));
4258 errmsg = errmsg_errno;
4262 errmsg = file_open_error_message(err, for_writing);
4267 * Open/create errors are reported with an console message in TShark.
4270 open_failure_message(const char *filename, int err, gboolean for_writing)
4272 fprintf(stderr, "tshark: ");
4273 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4274 fprintf(stderr, "\n");
4279 * General errors are reported with an console message in TShark.
4282 failure_message(const char *msg_format, va_list ap)
4284 fprintf(stderr, "tshark: ");
4285 vfprintf(stderr, msg_format, ap);
4286 fprintf(stderr, "\n");
4290 * Read errors are reported with an console message in TShark.
4293 read_failure_message(const char *filename, int err)
4295 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4296 filename, g_strerror(err));
4300 * Write errors are reported with an console message in TShark.
4303 write_failure_message(const char *filename, int err)
4305 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4306 filename, g_strerror(err));
4310 * Report an error in command-line arguments.
4313 cmdarg_err(const char *fmt, ...)
4318 failure_message(fmt, ap);
4323 * Report additional information for an error in command-line arguments.
4326 cmdarg_err_cont(const char *fmt, ...)
4331 vfprintf(stderr, fmt, ap);
4332 fprintf(stderr, "\n");
4338 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4343 * indent-tabs-mode: nil
4346 * vi: set shiftwidth=2 tabstop=8 expandtab:
4347 * :indentSize=2:tabSize=8:noTabs=true: