3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 #include <zlib.h> /* to get the libz version number */
48 # include <sys/capability.h>
51 #ifndef HAVE_GETOPT_LONG
52 #include "wsutil/wsgetopt.h"
57 #include <epan/exceptions.h>
58 #include <epan/epan-int.h>
59 #include <epan/epan.h>
61 #include <wsutil/clopts_common.h>
62 #include <wsutil/cmdarg_err.h>
63 #include <wsutil/crash_info.h>
64 #include <wsutil/filesystem.h>
65 #include <wsutil/file_util.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/report_err.h>
68 #include <wsutil/ws_diag_control.h>
69 #include <wsutil/ws_version_info.h>
70 #include <wiretap/wtap_opttypes.h>
71 #include <wiretap/pcapng.h>
74 #include <epan/timestamp.h>
75 #include <epan/packet.h>
77 #include <epan/wslua/init_wslua.h>
79 #include "frame_tvbuff.h"
80 #include <epan/disabled_protos.h>
81 #include <epan/prefs.h>
82 #include <epan/column.h>
83 #include <epan/print.h>
84 #include <epan/addr_resolv.h>
86 #include "ui/capture_ui_utils.h"
89 #include "ui/ui_util.h"
90 #include "ui/decode_as_utils.h"
91 #include "ui/cli/tshark-tap.h"
93 #include "filter_files.h"
94 #include <epan/epan_dissect.h>
96 #include <epan/stat_tap_ui.h>
97 #include <epan/conversation_table.h>
98 #include <epan/srt_table.h>
99 #include <epan/rtd_table.h>
100 #include <epan/ex-opt.h>
102 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
103 #include <epan/asn1.h>
104 #include <epan/dissectors/packet-kerberos.h>
107 #include "capture_opts.h"
109 #include "caputils/capture-pcap-util.h"
112 #include "caputils/capture_ifinfo.h"
114 #include "caputils/capture-wpcap.h"
115 #include <wsutil/os_version_info.h>
116 #include <wsutil/unicode-utils.h>
118 #include <capchild/capture_session.h>
119 #include <capchild/capture_sync.h>
120 #include <capture_info.h>
121 #endif /* HAVE_LIBPCAP */
123 #include <epan/funnel.h>
125 #include <wsutil/str_util.h>
128 #include <wsutil/plugins.h>
133 #define tshark_debug(...) g_warning(__VA_ARGS__)
135 #define tshark_debug(...)
140 * This is the template for the decode as option; it is shared between the
141 * various functions that output the usage for this parameter.
143 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
145 static guint32 cum_bytes;
146 static const frame_data *ref;
147 static frame_data ref_frame;
148 static frame_data *prev_dis;
149 static frame_data prev_dis_frame;
150 static frame_data *prev_cap;
151 static frame_data prev_cap_frame;
153 static const char* prev_display_dissector_name = NULL;
155 static gboolean perform_two_pass_analysis;
158 * The way the packet decode is to be written.
161 WRITE_TEXT, /* summary or detail text */
162 WRITE_XML, /* PDML or PSML */
163 WRITE_FIELDS /* User defined list of fields */
164 /* Add CSV and the like here */
167 static output_action_e output_action;
168 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
169 static gboolean print_packet_info; /* TRUE if we're to print packet information */
170 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
171 static gboolean print_details; /* TRUE if we're to print packet details information */
172 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
173 static gboolean line_buffered;
174 static gboolean really_quiet = FALSE;
176 static print_format_e print_format = PR_FMT_TEXT;
177 static print_stream_t *print_stream;
179 static output_fields_t* output_fields = NULL;
181 /* The line separator used between packets, changeable via the -S option */
182 static const char *separator = "";
186 * TRUE if we're to print packet counts to keep track of captured packets.
188 static gboolean print_packet_counts;
190 static capture_options global_capture_opts;
191 static capture_session global_capture_session;
192 static info_data_t global_info_data;
195 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
196 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
199 static gboolean capture(void);
200 static void report_counts(void);
202 static BOOL WINAPI capture_cleanup(DWORD);
204 static void capture_cleanup(int);
206 static void report_counts_siginfo(int);
210 #else /* HAVE_LIBPCAP */
212 static char *output_file_name;
214 #endif /* HAVE_LIBPCAP */
216 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
217 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
218 struct wtap_pkthdr *whdr, const guchar *pd,
220 static void show_capture_file_io_error(const char *, int, gboolean);
221 static void show_print_file_io_error(int err);
222 static gboolean write_preamble(capture_file *cf);
223 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
224 static gboolean write_finale(void);
225 static const char *cf_open_error_message(int err, gchar *err_info,
226 gboolean for_writing, int file_type);
228 static void open_failure_message(const char *filename, int err,
229 gboolean for_writing);
230 static void failure_message(const char *msg_format, va_list ap);
231 static void read_failure_message(const char *filename, int err);
232 static void write_failure_message(const char *filename, int err);
233 static void failure_message_cont(const char *msg_format, va_list ap);
237 static GHashTable *output_only_tables = NULL;
240 const char *sstr; /* The short string */
241 const char *lstr; /* The long string */
245 string_compare(gconstpointer a, gconstpointer b)
247 return strcmp(((const struct string_elem *)a)->sstr,
248 ((const struct string_elem *)b)->sstr);
252 string_elem_print(gpointer data, gpointer not_used _U_)
254 fprintf(stderr, " %s - %s\n",
255 ((struct string_elem *)data)->sstr,
256 ((struct string_elem *)data)->lstr);
260 list_capture_types(void) {
262 struct string_elem *captypes;
265 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
267 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
268 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
269 if (wtap_dump_can_open(i)) {
270 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
271 captypes[i].lstr = wtap_file_type_subtype_string(i);
272 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
275 g_slist_foreach(list, string_elem_print, NULL);
281 list_read_capture_types(void) {
283 struct string_elem *captypes;
285 const char *magic = "Magic-value-based";
286 const char *heuristic = "Heuristics-based";
288 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
289 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
291 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
292 for (i = 0; open_routines[i].name != NULL; i++) {
293 captypes[i].sstr = open_routines[i].name;
294 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
295 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
297 g_slist_foreach(list, string_elem_print, NULL);
303 print_usage(FILE *output)
305 fprintf(output, "\n");
306 fprintf(output, "Usage: tshark [options] ...\n");
307 fprintf(output, "\n");
310 fprintf(output, "Capture interface:\n");
311 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
312 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
313 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
314 fprintf(output, " -p don't capture in promiscuous mode\n");
315 #ifdef HAVE_PCAP_CREATE
316 fprintf(output, " -I capture in monitor mode, if available\n");
318 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
319 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
321 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
322 fprintf(output, " -D print list of interfaces and exit\n");
323 fprintf(output, " -L print list of link-layer types of iface and exit\n");
324 fprintf(output, "\n");
325 fprintf(output, "Capture stop conditions:\n");
326 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
327 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
328 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
329 fprintf(output, " files:NUM - stop after NUM files\n");
330 /*fprintf(output, "\n");*/
331 fprintf(output, "Capture output:\n");
332 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
333 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
334 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
335 #endif /* HAVE_LIBPCAP */
336 #ifdef HAVE_PCAP_REMOTE
337 fprintf(output, "RPCAP options:\n");
338 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
340 /*fprintf(output, "\n");*/
341 fprintf(output, "Input file:\n");
342 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
344 fprintf(output, "\n");
345 fprintf(output, "Processing:\n");
346 fprintf(output, " -2 perform a two-pass analysis\n");
347 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
348 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
349 fprintf(output, " syntax\n");
350 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
351 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
352 fprintf(output, " -d %s ...\n", decode_as_arg_template);
353 fprintf(output, " \"Decode As\", see the man page for details\n");
354 fprintf(output, " Example: tcp.port==8888,http\n");
355 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
356 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
357 fprintf(output, " --disable-protocol <proto_name>\n");
358 fprintf(output, " disable dissection of proto_name\n");
359 fprintf(output, " --enable-heuristic <short_name>\n");
360 fprintf(output, " enable dissection of heuristic protocol\n");
361 fprintf(output, " --disable-heuristic <short_name>\n");
362 fprintf(output, " disable dissection of heuristic protocol\n");
364 /*fprintf(output, "\n");*/
365 fprintf(output, "Output:\n");
366 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
367 fprintf(output, " (or to the standard output for \"-\")\n");
368 fprintf(output, " -C <config profile> start with specified configuration profile\n");
369 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
370 fprintf(output, " an empty \"-F\" option will list the file types\n");
371 fprintf(output, " -V add output of packet tree (Packet Details)\n");
372 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
373 fprintf(output, " separated\n");
374 fprintf(output, " -P print packet summary even when writing to a file\n");
375 fprintf(output, " -S <separator> the line separator to print between packets\n");
376 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
377 fprintf(output, " -T pdml|ps|psml|text|fields\n");
378 fprintf(output, " format of text output (def: text)\n");
379 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
380 fprintf(output, " _ws.col.Info)\n");
381 fprintf(output, " this option can be repeated to print multiple fields\n");
382 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
383 fprintf(output, " header=y|n switch headers on and off\n");
384 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
385 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
386 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
387 fprintf(output, " aggregator\n");
388 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
389 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
390 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
391 fprintf(output, " -l flush standard output after each packet\n");
392 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
393 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
394 fprintf(output, " -g enable group read access on the output file(s)\n");
395 fprintf(output, " -W n Save extra information in the file, if supported.\n");
396 fprintf(output, " n = write network address resolution information\n");
397 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
398 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
399 fprintf(output, " --capture-comment <comment>\n");
400 fprintf(output, " add a capture comment to the newly created\n");
401 fprintf(output, " output file (only for pcapng)\n");
403 fprintf(output, "\n");
404 fprintf(output, "Miscellaneous:\n");
405 fprintf(output, " -h display this help and exit\n");
406 fprintf(output, " -v display version info and exit\n");
407 fprintf(output, " -o <name>:<value> ... override preference setting\n");
408 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
409 fprintf(output, " -G [report] dump one of several available reports and exit\n");
410 fprintf(output, " default report=\"fields\"\n");
411 fprintf(output, " use \"-G ?\" for more help\n");
413 fprintf(output, "\n");
414 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
415 fprintf(output, "You might want to reset it\n");
416 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
417 fprintf(output, "\n");
423 glossary_option_help(void)
429 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
431 fprintf(output, "\n");
432 fprintf(output, "Usage: tshark -G [report]\n");
433 fprintf(output, "\n");
434 fprintf(output, "Glossary table reports:\n");
435 fprintf(output, " -G column-formats dump column format codes and exit\n");
436 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
437 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
438 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
439 fprintf(output, " -G fields dump fields glossary and exit\n");
440 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
441 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
442 fprintf(output, " -G plugins dump installed plugins and exit\n");
443 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
444 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
445 fprintf(output, "\n");
446 fprintf(output, "Preference reports:\n");
447 fprintf(output, " -G currentprefs dump current preferences and exit\n");
448 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
449 fprintf(output, "\n");
453 * For a dissector table, print on the stream described by output,
454 * its short name (which is what's used in the "-d" option) and its
458 display_dissector_table_names(const char *table_name, const char *ui_name,
461 if ((prev_display_dissector_name == NULL) ||
462 (strcmp(prev_display_dissector_name, table_name) != 0)) {
463 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
464 prev_display_dissector_name = table_name;
469 * For a dissector handle, print on the stream described by output,
470 * the filter name (which is what's used in the "-d" option) and the full
471 * name for the protocol that corresponds to this handle.
474 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
477 const gchar *proto_filter_name;
478 const gchar *proto_ui_name;
480 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
482 if (proto_id != -1) {
483 proto_filter_name = proto_get_protocol_filter_name(proto_id);
484 proto_ui_name = proto_get_protocol_name(proto_id);
485 g_assert(proto_filter_name != NULL);
486 g_assert(proto_ui_name != NULL);
488 if ((prev_display_dissector_name == NULL) ||
489 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
490 fprintf((FILE *)output, "\t%s (%s)\n",
493 prev_display_dissector_name = proto_filter_name;
499 * The protocol_name_search structure is used by find_protocol_name_func()
500 * to pass parameters and store results
502 struct protocol_name_search{
503 gchar *searched_name; /* Protocol filter name we are looking for */
504 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
505 guint nb_match; /* How many dissectors matched searched_name */
507 typedef struct protocol_name_search *protocol_name_search_t;
510 * This function parses all dissectors associated with a table to find the
511 * one whose protocol has the specified filter name. It is called
512 * as a reference function in a call to dissector_table_foreach_handle.
513 * The name we are looking for, as well as the results, are stored in the
514 * protocol_name_search struct pointed to by user_data.
515 * If called using dissector_table_foreach_handle, we actually parse the
516 * whole list of dissectors.
519 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
523 const gchar *protocol_filter_name;
524 protocol_name_search_t search_info;
528 search_info = (protocol_name_search_t)user_data;
530 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
531 if (proto_id != -1) {
532 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
533 g_assert(protocol_filter_name != NULL);
534 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
536 if (search_info->nb_match == 0) {
537 /* Record this handle only if this is the first match */
538 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
540 search_info->nb_match++;
546 * Allow dissector key names to be sorted alphabetically
550 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
552 return strcmp((const char*)dissector_a, (const char*)dissector_b);
556 * Print all layer type names supported.
557 * We send the output to the stream described by the handle output.
561 fprint_all_layer_types(FILE *output)
564 prev_display_dissector_name = NULL;
565 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
569 * Print all protocol names supported for a specific layer type.
570 * table_name contains the layer type name in which the search is performed.
571 * We send the output to the stream described by the handle output.
575 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
578 prev_display_dissector_name = NULL;
579 dissector_table_foreach_handle(table_name,
580 display_dissector_names,
585 * The function below parses the command-line parameters for the decode as
586 * feature (a string pointer by cl_param).
587 * It checks the format of the command-line, searches for a matching table
588 * and dissector. If a table/dissector match is not found, we display a
589 * summary of the available tables/dissectors (on stderr) and return FALSE.
590 * If everything is fine, we get the "Decode as" preference activated,
591 * then we return TRUE.
594 add_decode_as(const gchar *cl_param)
597 guint32 selector, selector2;
598 gchar *decoded_param;
599 gchar *remaining_param;
601 gchar *dissector_str;
602 dissector_handle_t dissector_matching;
603 dissector_table_t table_matching;
604 ftenum_t dissector_table_selector_type;
605 struct protocol_name_search user_protocol_name;
609 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
612 decoded_param = g_strdup(cl_param);
613 g_assert(decoded_param);
616 /* The lines below will parse this string (modifying it) to extract all
617 necessary information. Note that decoded_param is still needed since
618 strings are not copied - we just save pointers. */
620 /* This section extracts a layer type (table_name) from decoded_param */
621 table_name = decoded_param; /* Layer type string starts from beginning */
623 remaining_param = strchr(table_name, '=');
624 if (remaining_param == NULL) {
625 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
626 /* If the argument does not follow the template, carry on anyway to check
627 if the table name is at least correct. If remaining_param is NULL,
628 we'll exit anyway further down */
631 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
634 /* Remove leading and trailing spaces from the table name */
635 while ( table_name[0] == ' ' )
637 while ( table_name[strlen(table_name) - 1] == ' ' )
638 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
640 /* The following part searches a table matching with the layer type specified */
641 table_matching = NULL;
643 /* Look for the requested table */
644 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
645 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
648 table_matching = find_dissector_table(table_name);
649 if (!table_matching) {
650 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
654 if (!table_matching) {
655 /* Display a list of supported layer types to help the user, if the
656 specified layer type was not found */
657 cmdarg_err("Valid layer types are:");
658 fprint_all_layer_types(stderr);
660 if (remaining_param == NULL || !table_matching) {
661 /* Exit if the layer type was not found, or if no '=' separator was found
663 g_free(decoded_param);
667 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
668 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
671 remaining_param++; /* Move to the second '=' */
672 *remaining_param = '\0'; /* Remove the second '=' */
674 remaining_param++; /* Position after the layer type string */
676 /* This section extracts a selector value (selector_str) from decoded_param */
678 selector_str = remaining_param; /* Next part starts with the selector number */
680 remaining_param = strchr(selector_str, ',');
681 if (remaining_param == NULL) {
682 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
683 /* If the argument does not follow the template, carry on anyway to check
684 if the selector value is at least correct. If remaining_param is NULL,
685 we'll exit anyway further down */
688 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
691 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
693 switch (dissector_table_selector_type) {
699 /* The selector for this table is an unsigned number. Parse it as such.
700 There's no need to remove leading and trailing spaces from the
701 selector number string, because sscanf will do that for us. */
702 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
707 if (op != ':' && op != '-') {
708 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
709 g_free(decoded_param);
713 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
714 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
715 g_free(decoded_param);
719 else if (selector2 < selector) {
720 /* We could swap them for the user, but maybe it's better to call
721 * this out as an error in case it's not what was intended? */
722 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
723 g_free(decoded_param);
728 cmdarg_err("Invalid selector number \"%s\"", selector_str);
729 g_free(decoded_param);
738 /* The selector for this table is a string. */
742 /* There are currently no dissector tables with any types other
743 than the ones listed above. */
744 g_assert_not_reached();
747 if (remaining_param == NULL) {
748 /* Exit if no ',' separator was found (see above) */
749 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
750 fprint_all_protocols_for_layer_types(stderr, table_name);
751 g_free(decoded_param);
755 remaining_param++; /* Position after the selector number string */
757 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
759 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
761 /* Remove leading and trailing spaces from the dissector name */
762 while ( dissector_str[0] == ' ' )
764 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
765 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
767 dissector_matching = NULL;
769 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
770 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
771 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
774 user_protocol_name.nb_match = 0;
775 user_protocol_name.searched_name = dissector_str;
776 user_protocol_name.matched_handle = NULL;
778 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
780 if (user_protocol_name.nb_match != 0) {
781 dissector_matching = user_protocol_name.matched_handle;
782 if (user_protocol_name.nb_match > 1) {
783 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
787 /* OK, check whether the problem is that there isn't any such
788 protocol, or that there is but it's not specified as a protocol
789 that's valid for that dissector table.
790 Note, we don't exit here, but dissector_matching will remain NULL,
792 if (proto_get_id_by_filter_name(dissector_str) == -1) {
793 /* No such protocol */
794 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
796 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
797 dissector_str, table_name);
802 if (!dissector_matching) {
803 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
804 fprint_all_protocols_for_layer_types(stderr, table_name);
805 g_free(decoded_param);
809 /* This is the end of the code that parses the command-line options.
810 All information is now stored in the variables:
814 The above variables that are strings are still pointing to areas within
815 decoded_parm. decoded_parm thus still needs to be kept allocated in
816 until we stop needing these variables
817 decoded_param will be deallocated at each exit point of this function */
820 /* We now have a pointer to the handle for the requested dissector
821 (requested protocol) inside the variable dissector_matching */
822 switch (dissector_table_selector_type) {
828 /* The selector for this table is an unsigned number. */
830 dissector_change_uint(table_name, selector, dissector_matching);
831 } else if (op == ':') {
832 for (i = selector; i < (guint64)selector + selector2; i++) {
833 dissector_change_uint(table_name, (guint32)i, dissector_matching);
835 } else { /* op == '-' */
836 for (i = selector; i <= selector2; i++) {
837 dissector_change_uint(table_name, (guint32)i, dissector_matching);
846 /* The selector for this table is a string. */
847 dissector_change_string(table_name, selector_str, dissector_matching);
851 /* There are currently no dissector tables with any types other
852 than the ones listed above. */
853 g_assert_not_reached();
855 g_free(decoded_param); /* "Decode As" rule has been successfully added */
860 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
861 const gchar *message, gpointer user_data)
863 /* ignore log message, if log_level isn't interesting based
864 upon the console log preferences.
865 If the preferences haven't been loaded loaded yet, display the
868 The default console_log_level preference value is such that only
869 ERROR, CRITICAL and WARNING level messages are processed;
870 MESSAGE, INFO and DEBUG level messages are ignored.
872 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
873 ERROR and CRITICAL level messages so the current code is a behavioral
874 change. The current behavior is the same as in Wireshark.
876 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
877 prefs.console_log_level != 0) {
881 g_log_default_handler(log_domain, log_level, message, user_data);
886 output_file_description(const char *fname)
888 char *save_file_string;
890 /* Get a string that describes what we're writing to */
891 if (strcmp(fname, "-") == 0) {
892 /* We're writing to the standard output */
893 save_file_string = g_strdup("standard output");
895 /* We're writing to a file with the name in save_file */
896 save_file_string = g_strdup_printf("file \"%s\"", fname);
898 return save_file_string;
902 print_current_user(void) {
903 gchar *cur_user, *cur_group;
905 if (started_with_special_privs()) {
906 cur_user = get_cur_username();
907 cur_group = get_cur_groupname();
908 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
909 cur_user, cur_group);
912 if (running_with_special_privs()) {
913 fprintf(stderr, " This could be dangerous.");
915 fprintf(stderr, "\n");
920 get_tshark_compiled_version_info(GString *str)
922 /* Capture libraries */
923 get_compiled_caplibs_version(str);
926 g_string_append(str, ", ");
928 g_string_append(str, "with libz ");
930 g_string_append(str, ZLIB_VERSION);
931 #else /* ZLIB_VERSION */
932 g_string_append(str, "(version unknown)");
933 #endif /* ZLIB_VERSION */
934 #else /* HAVE_LIBZ */
935 g_string_append(str, "without libz");
936 #endif /* HAVE_LIBZ */
940 get_tshark_runtime_version_info(GString *str)
943 /* Capture libraries */
944 g_string_append(str, ", ");
945 get_runtime_caplibs_version(str);
949 #if defined(HAVE_LIBZ) && !defined(_WIN32)
950 g_string_append_printf(str, ", with libz %s", zlibVersion());
953 /* stuff used by libwireshark */
954 epan_get_runtime_version_info(str);
958 main(int argc, char *argv[])
960 GString *comp_info_str;
961 GString *runtime_info_str;
962 char *init_progfile_dir_error;
964 static const struct option long_options[] = {
965 {"help", no_argument, NULL, 'h'},
966 {"version", no_argument, NULL, 'v'},
967 LONGOPT_CAPTURE_COMMON
970 gboolean arg_error = FALSE;
976 char *gpf_path, *pf_path;
977 char *gdp_path, *dp_path;
979 int gpf_open_errno, gpf_read_errno;
980 int pf_open_errno, pf_read_errno;
981 int gdp_open_errno, gdp_read_errno;
982 int dp_open_errno, dp_read_errno;
985 volatile int exit_status = 0;
987 gboolean list_link_layer_types = FALSE;
988 gboolean start_capture = FALSE;
993 gboolean capture_option_specified = FALSE;
995 gboolean quiet = FALSE;
996 #ifdef PCAP_NG_DEFAULT
997 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
999 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
1001 volatile gboolean out_file_name_res = FALSE;
1002 volatile int in_file_type = WTAP_TYPE_AUTO;
1003 gchar *volatile cf_name = NULL;
1004 gchar *rfilter = NULL;
1005 gchar *dfilter = NULL;
1006 #ifdef HAVE_PCAP_OPEN_DEAD
1007 struct bpf_program fcode;
1009 dfilter_t *rfcode = NULL;
1010 dfilter_t *dfcode = NULL;
1015 gchar *output_only = NULL;
1016 GSList *disable_protocol_slist = NULL;
1017 GSList *enable_heur_slist = NULL;
1018 GSList *disable_heur_slist = NULL;
1021 * The leading + ensures that getopt_long() does not permute the argv[]
1024 * We have to make sure that the first getopt_long() preserves the content
1025 * of argv[] for the subsequent getopt_long() call.
1027 * We use getopt_long() in both cases to ensure that we're using a routine
1028 * whose permutation behavior we can control in the same fashion on all
1029 * platforms, and so that, if we ever need to process a long argument before
1030 * doing further initialization, we can do so.
1032 * Glibc and Solaris libc document that a leading + disables permutation
1033 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1034 * and OS X don't document it, but do so anyway.
1036 * We do *not* use a leading - because the behavior of a leading - is
1037 * platform-dependent.
1039 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1041 static const char optstring[] = OPTSTRING;
1043 tshark_debug("tshark started with %d args", argc);
1045 /* Set the C-language locale to the native environment. */
1046 setlocale(LC_ALL, "");
1048 cmdarg_err_init(failure_message, failure_message_cont);
1051 arg_list_utf_16to8(argc, argv);
1052 create_app_running_mutex();
1053 #if !GLIB_CHECK_VERSION(2,31,0)
1054 g_thread_init(NULL);
1059 * Get credential information for later use, and drop privileges
1060 * before doing anything else.
1061 * Let the user know if anything happened.
1063 init_process_policies();
1064 relinquish_special_privs_perm();
1065 print_current_user();
1068 * Attempt to get the pathname of the executable file.
1070 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1071 if (init_progfile_dir_error != NULL) {
1072 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1073 init_progfile_dir_error);
1076 initialize_funnel_ops();
1079 /* Load wpcap if possible. Do this before collecting the run-time version information */
1082 /* Warn the user if npf.sys isn't loaded. */
1083 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1084 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1085 "capturing or\nlisting interfaces.\n");
1089 /* Get the compile-time version information string */
1090 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1091 epan_get_compiled_version_info);
1093 /* Get the run-time version information string */
1094 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1096 /* Add it to the information to be reported on a crash. */
1097 ws_add_crash_info("TShark (Wireshark) %s\n"
1102 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1103 g_string_free(comp_info_str, TRUE);
1104 g_string_free(runtime_info_str, TRUE);
1106 /* Fail sometimes. Useful for testing fuzz scripts. */
1107 /* if (g_random_int_range(0, 100) < 5) abort(); */
1110 * In order to have the -X opts assigned before the wslua machine starts
1111 * we need to call getopt_long before epan_init() gets called.
1113 * In order to handle, for example, -o options, we also need to call it
1114 * *after* epan_init() gets called, so that the dissectors have had a
1115 * chance to register their preferences.
1117 * XXX - can we do this all with one getopt_long() call, saving the
1118 * arguments we can't handle until after initializing libwireshark,
1119 * and then process them after initializing libwireshark?
1123 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1125 case 'C': /* Configuration Profile */
1126 if (profile_exists (optarg, FALSE)) {
1127 set_profile_name (optarg);
1129 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1133 case 'P': /* Print packet summary info even when writing to a file */
1134 print_packet_info = TRUE;
1135 print_summary = TRUE;
1137 case 'O': /* Only output these protocols */
1138 output_only = g_strdup(optarg);
1140 case 'V': /* Verbose */
1141 print_details = TRUE;
1142 print_packet_info = TRUE;
1144 case 'x': /* Print packet data in hex (and ASCII) */
1146 /* The user asked for hex output, so let's ensure they get it,
1147 * even if they're writing to a file.
1149 print_packet_info = TRUE;
1160 * Print packet summary information is the default, unless either -V or -x
1161 * were specified and -P was not. Note that this is new behavior, which
1162 * allows for the possibility of printing only hex/ascii output without
1163 * necessarily requiring that either the summary or details be printed too.
1165 if (print_summary == -1)
1166 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1168 /** Send All g_log messages to our own handler **/
1172 G_LOG_LEVEL_CRITICAL|
1173 G_LOG_LEVEL_WARNING|
1174 G_LOG_LEVEL_MESSAGE|
1177 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1179 g_log_set_handler(NULL,
1180 (GLogLevelFlags)log_flags,
1181 tshark_log_handler, NULL /* user_data */);
1182 g_log_set_handler(LOG_DOMAIN_MAIN,
1183 (GLogLevelFlags)log_flags,
1184 tshark_log_handler, NULL /* user_data */);
1187 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1188 (GLogLevelFlags)log_flags,
1189 tshark_log_handler, NULL /* user_data */);
1190 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1191 (GLogLevelFlags)log_flags,
1192 tshark_log_handler, NULL /* user_data */);
1195 init_report_err(failure_message, open_failure_message, read_failure_message,
1196 write_failure_message);
1199 capture_opts_init(&global_capture_opts);
1200 capture_session_init(&global_capture_session, &cfile);
1203 timestamp_set_type(TS_RELATIVE);
1204 timestamp_set_precision(TS_PREC_AUTO);
1205 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1207 init_open_routines();
1210 /* Register all the plugin types we have. */
1211 epan_register_plugin_types(); /* Types known to libwireshark */
1212 wtap_register_plugin_types(); /* Types known to libwiretap */
1214 /* Scan for plugins. This does *not* call their registration routines;
1215 that's done later. */
1218 /* Register all libwiretap plugin modules. */
1219 register_all_wiretap_modules();
1222 /* Register all dissectors; we must do this before checking for the
1223 "-G" flag, as the "-G" flag dumps information registered by the
1224 dissectors, and we must do it before we read the preferences, in
1225 case any dissectors register preferences. */
1226 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
1230 /* Register all tap listeners; we do this before we parse the arguments,
1231 as the "-z" argument can specify a registered tap. */
1233 /* we register the plugin taps before the other taps because
1234 stats_tree taps plugins will be registered as tap listeners
1235 by stats_tree_stat.c and need to registered before that */
1237 register_all_plugin_tap_listeners();
1239 register_all_tap_listeners();
1240 conversation_table_set_gui_info(init_iousers);
1241 hostlist_table_set_gui_info(init_hostlists);
1242 srt_table_iterate_tables(register_srt_tables, NULL);
1243 rtd_table_iterate_tables(register_rtd_tables, NULL);
1244 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1246 /* If invoked with the "-G" flag, we dump out information based on
1247 the argument to the "-G" flag; if no argument is specified,
1248 for backwards compatibility we dump out a glossary of display
1251 XXX - we do this here, for now, to support "-G" with no arguments.
1252 If none of our build or other processes uses "-G" with no arguments,
1253 we can just process it with the other arguments. */
1254 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1255 proto_initialize_all_prefixes();
1258 proto_registrar_dump_fields();
1260 if (strcmp(argv[2], "column-formats") == 0)
1261 column_dump_column_formats();
1262 else if (strcmp(argv[2], "currentprefs") == 0) {
1263 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1264 &pf_open_errno, &pf_read_errno, &pf_path);
1267 else if (strcmp(argv[2], "decodes") == 0)
1268 dissector_dump_decodes();
1269 else if (strcmp(argv[2], "defaultprefs") == 0)
1271 else if (strcmp(argv[2], "dissector-tables") == 0)
1272 dissector_dump_dissector_tables();
1273 else if (strcmp(argv[2], "fieldcount") == 0) {
1274 /* return value for the test suite */
1275 return proto_registrar_dump_fieldcount();
1276 } else if (strcmp(argv[2], "fields") == 0)
1277 proto_registrar_dump_fields();
1278 else if (strcmp(argv[2], "ftypes") == 0)
1279 proto_registrar_dump_ftypes();
1280 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1281 dissector_dump_heur_decodes();
1282 else if (strcmp(argv[2], "plugins") == 0) {
1287 wslua_plugins_dump_all();
1290 else if (strcmp(argv[2], "protocols") == 0)
1291 proto_registrar_dump_protocols();
1292 else if (strcmp(argv[2], "values") == 0)
1293 proto_registrar_dump_values();
1294 else if (strcmp(argv[2], "?") == 0)
1295 glossary_option_help();
1296 else if (strcmp(argv[2], "-?") == 0)
1297 glossary_option_help();
1299 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1306 /* load the decode as entries of this profile */
1307 load_decode_as_entries();
1309 tshark_debug("tshark reading preferences");
1311 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1312 &pf_open_errno, &pf_read_errno, &pf_path);
1313 if (gpf_path != NULL) {
1314 if (gpf_open_errno != 0) {
1315 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1316 pf_path, g_strerror(gpf_open_errno));
1318 if (gpf_read_errno != 0) {
1319 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1320 pf_path, g_strerror(gpf_read_errno));
1323 if (pf_path != NULL) {
1324 if (pf_open_errno != 0) {
1325 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1326 g_strerror(pf_open_errno));
1328 if (pf_read_errno != 0) {
1329 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1330 pf_path, g_strerror(pf_read_errno));
1336 read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno);
1337 if (cf_path != NULL) {
1338 cmdarg_err("Could not open your capture filter file\n\"%s\": %s.",
1339 cf_path, g_strerror(cf_open_errno));
1343 /* Read the disabled protocols file. */
1344 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1345 &dp_path, &dp_open_errno, &dp_read_errno);
1346 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1347 &dp_path, &dp_open_errno, &dp_read_errno);
1348 if (gdp_path != NULL) {
1349 if (gdp_open_errno != 0) {
1350 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1351 gdp_path, g_strerror(gdp_open_errno));
1353 if (gdp_read_errno != 0) {
1354 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1355 gdp_path, g_strerror(gdp_read_errno));
1359 if (dp_path != NULL) {
1360 if (dp_open_errno != 0) {
1362 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1363 g_strerror(dp_open_errno));
1365 if (dp_read_errno != 0) {
1367 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1368 g_strerror(dp_read_errno));
1373 cap_file_init(&cfile);
1375 /* Print format defaults to this. */
1376 print_format = PR_FMT_TEXT;
1378 output_fields = output_fields_new();
1381 * To reset the options parser, set optreset to 1 on platforms that
1382 * have optreset (documented in *BSD and OS X, apparently present but
1383 * not documented in Solaris - the Illumos repository seems to
1384 * suggest that the first Solaris getopt_long(), at least as of 2004,
1385 * was based on the NetBSD one, it had optreset) and set optind to 1,
1386 * and set optind to 0 otherwise (documented as working in the GNU
1387 * getopt_long(). Setting optind to 0 didn't originally work in the
1388 * NetBSD one, but that was added later - we don't want to depend on
1389 * it if we have optreset).
1391 * Also reset opterr to 1, so that error messages are printed by
1394 #ifdef HAVE_OPTRESET
1402 /* Now get our args */
1403 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1405 case '2': /* Perform two pass analysis */
1406 perform_two_pass_analysis = TRUE;
1408 case 'a': /* autostop criteria */
1409 case 'b': /* Ringbuffer option */
1410 case 'c': /* Capture x packets */
1411 case 'f': /* capture filter */
1412 case 'g': /* enable group read access on file(s) */
1413 case 'i': /* Use interface x */
1414 case 'p': /* Don't capture in promiscuous mode */
1415 #ifdef HAVE_PCAP_REMOTE
1416 case 'A': /* Authentication */
1418 #ifdef HAVE_PCAP_CREATE
1419 case 'I': /* Capture in monitor mode, if available */
1421 case 's': /* Set the snapshot (capture) length */
1422 case 'w': /* Write to capture file x */
1423 case 'y': /* Set the pcap data link type */
1424 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1425 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1426 case 'B': /* Buffer size */
1429 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1436 * Output file name, if we're reading a file and writing to another
1439 output_file_name = optarg;
1441 capture_option_specified = TRUE;
1447 /* already processed; just ignore it now */
1449 case 'd': /* Decode as rule */
1450 if (!add_decode_as(optarg))
1453 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1454 case 'K': /* Kerberos keytab file */
1455 read_keytab_file(optarg);
1458 case 'D': /* Print a list of capture devices and exit */
1460 if_list = capture_interface_list(&err, &err_str,NULL);
1461 if (if_list == NULL) {
1463 cmdarg_err("There are no interfaces on which a capture can be done");
1465 cmdarg_err("%s", err_str);
1470 capture_opts_print_interfaces(if_list);
1471 free_interface_list(if_list);
1474 capture_option_specified = TRUE;
1480 output_fields_add(output_fields, optarg);
1484 if (!output_fields_set_option(output_fields, optarg)) {
1485 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1486 output_fields_list_options(stderr);
1491 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1492 if (out_file_type < 0) {
1493 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1494 list_capture_types();
1498 case 'W': /* Select extra information to save in our capture file */
1499 /* This is patterned after the -N flag which may not be the best idea. */
1500 if (strchr(optarg, 'n')) {
1501 out_file_name_res = TRUE;
1503 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1504 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1508 case 'H': /* Read address to name mappings from a hosts file */
1509 if (! add_hosts_file(optarg))
1511 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1514 out_file_name_res = TRUE;
1517 case 'h': /* Print help and exit */
1518 printf("TShark (Wireshark) %s\n"
1519 "Dump and analyze network traffic.\n"
1520 "See https://www.wireshark.org for more information.\n",
1521 get_ws_vcs_version_info());
1522 print_usage(stdout);
1525 case 'l': /* "Line-buffer" standard output */
1526 /* This isn't line-buffering, strictly speaking, it's just
1527 flushing the standard output after the information for
1528 each packet is printed; however, that should be good
1529 enough for all the purposes to which "-l" is put (and
1530 is probably actually better for "-V", as it does fewer
1533 See the comment in "process_packet()" for an explanation of
1534 why we do that, and why we don't just use "setvbuf()" to
1535 make the standard output line-buffered (short version: in
1536 Windows, "line-buffered" is the same as "fully-buffered",
1537 and the output buffer is only flushed when it fills up). */
1538 line_buffered = TRUE;
1540 case 'L': /* Print list of link-layer types and exit */
1542 list_link_layer_types = TRUE;
1544 capture_option_specified = TRUE;
1548 case 'n': /* No name resolution */
1549 disable_name_resolution();
1551 case 'N': /* Select what types of addresses/port #s to resolve */
1552 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1553 if (badopt != '\0') {
1554 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1556 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1557 "\t'd' to enable address resolution from captured DNS packets\n"
1558 "\t'm' to enable MAC address resolution\n"
1559 "\t'n' to enable network address resolution\n"
1560 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1561 "\t for network address resolution\n"
1562 "\t't' to enable transport-layer port number resolution");
1566 case 'o': /* Override preference from command line */
1567 switch (prefs_set_pref(optarg)) {
1572 case PREFS_SET_SYNTAX_ERR:
1573 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1577 case PREFS_SET_NO_SUCH_PREF:
1578 case PREFS_SET_OBSOLETE:
1579 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1584 case 'q': /* Quiet */
1587 case 'Q': /* Really quiet */
1589 really_quiet = TRUE;
1591 case 'r': /* Read capture file x */
1592 cf_name = g_strdup(optarg);
1594 case 'R': /* Read file filter */
1598 /* already processed; just ignore it now */
1600 case 'S': /* Set the line Separator to be printed between packets */
1603 case 't': /* Time stamp type */
1604 if (strcmp(optarg, "r") == 0)
1605 timestamp_set_type(TS_RELATIVE);
1606 else if (strcmp(optarg, "a") == 0)
1607 timestamp_set_type(TS_ABSOLUTE);
1608 else if (strcmp(optarg, "ad") == 0)
1609 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1610 else if (strcmp(optarg, "adoy") == 0)
1611 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1612 else if (strcmp(optarg, "d") == 0)
1613 timestamp_set_type(TS_DELTA);
1614 else if (strcmp(optarg, "dd") == 0)
1615 timestamp_set_type(TS_DELTA_DIS);
1616 else if (strcmp(optarg, "e") == 0)
1617 timestamp_set_type(TS_EPOCH);
1618 else if (strcmp(optarg, "u") == 0)
1619 timestamp_set_type(TS_UTC);
1620 else if (strcmp(optarg, "ud") == 0)
1621 timestamp_set_type(TS_UTC_WITH_YMD);
1622 else if (strcmp(optarg, "udoy") == 0)
1623 timestamp_set_type(TS_UTC_WITH_YDOY);
1625 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1626 cmdarg_err_cont("\t\"a\" for absolute\n"
1627 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1628 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1629 "\t\"d\" for delta\n"
1630 "\t\"dd\" for delta displayed\n"
1631 "\t\"e\" for epoch\n"
1632 "\t\"r\" for relative\n"
1633 "\t\"u\" for absolute UTC\n"
1634 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1635 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1639 case 'T': /* printing Type */
1640 print_packet_info = TRUE;
1641 if (strcmp(optarg, "text") == 0) {
1642 output_action = WRITE_TEXT;
1643 print_format = PR_FMT_TEXT;
1644 } else if (strcmp(optarg, "ps") == 0) {
1645 output_action = WRITE_TEXT;
1646 print_format = PR_FMT_PS;
1647 } else if (strcmp(optarg, "pdml") == 0) {
1648 output_action = WRITE_XML;
1649 print_details = TRUE; /* Need details */
1650 print_summary = FALSE; /* Don't allow summary */
1651 } else if (strcmp(optarg, "psml") == 0) {
1652 output_action = WRITE_XML;
1653 print_details = FALSE; /* Don't allow details */
1654 print_summary = TRUE; /* Need summary */
1655 } else if (strcmp(optarg, "fields") == 0) {
1656 output_action = WRITE_FIELDS;
1657 print_details = TRUE; /* Need full tree info */
1658 print_summary = FALSE; /* Don't allow summary */
1660 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1661 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1662 "\t specified by the -E option.\n"
1663 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1664 "\t details of a decoded packet. This information is equivalent to\n"
1665 "\t the packet details printed with the -V flag.\n"
1666 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1667 "\t the packets, or a multi-line view of the details of each of\n"
1668 "\t the packets, depending on whether the -V flag was specified.\n"
1669 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1670 "\t summary information of a decoded packet. This information is\n"
1671 "\t equivalent to the information shown in the one-line summary\n"
1672 "\t printed by default.\n"
1673 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1674 "\t packets, or a multi-line view of the details of each of the\n"
1675 "\t packets, depending on whether the -V flag was specified.\n"
1676 "\t This is the default.");
1680 case 'u': /* Seconds type */
1681 if (strcmp(optarg, "s") == 0)
1682 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1683 else if (strcmp(optarg, "hms") == 0)
1684 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1686 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1687 cmdarg_err_cont("\t\"s\" for seconds\n"
1688 "\t\"hms\" for hours, minutes and seconds");
1692 case 'v': /* Show version and exit */
1693 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1694 epan_get_compiled_version_info);
1695 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1696 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1697 g_string_free(comp_info_str, TRUE);
1698 g_string_free(runtime_info_str, TRUE);
1699 /* We don't really have to cleanup here, but it's a convenient way to test
1700 * start-up and shut-down of the epan library without any UI-specific
1701 * cruft getting in the way. Makes the results of running
1702 * $ ./tools/valgrind-wireshark -n
1703 * much more useful. */
1706 case 'O': /* Only output these protocols */
1707 /* already processed; just ignore it now */
1709 case 'V': /* Verbose */
1710 /* already processed; just ignore it now */
1712 case 'x': /* Print packet data in hex (and ASCII) */
1713 /* already processed; just ignore it now */
1716 /* already processed; just ignore it now */
1722 /* We won't call the init function for the stat this soon
1723 as it would disallow MATE's fields (which are registered
1724 by the preferences set callback) from being used as
1725 part of a tap filter. Instead, we just add the argument
1726 to a list of stat arguments. */
1727 if (strcmp("help", optarg) == 0) {
1728 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1729 list_stat_cmd_args();
1732 if (!process_stat_cmd_arg(optarg)) {
1733 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1734 list_stat_cmd_args();
1738 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1739 disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg);
1741 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1742 enable_heur_slist = g_slist_append(enable_heur_slist, optarg);
1744 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1745 disable_heur_slist = g_slist_append(disable_heur_slist, optarg);
1749 case '?': /* Bad flag - print usage message */
1752 list_capture_types();
1755 print_usage(stderr);
1762 /* If we specified output fields, but not the output field type... */
1763 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1764 cmdarg_err("Output fields were specified with \"-e\", "
1765 "but \"-Tfields\" was not specified.");
1767 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1768 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1769 "specified with \"-e\".");
1774 /* If no capture filter or display filter has been specified, and there are
1775 still command-line arguments, treat them as the tokens of a capture
1776 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1777 flag was specified. */
1778 if (optind < argc) {
1779 if (cf_name != NULL) {
1780 if (dfilter != NULL) {
1781 cmdarg_err("Display filters were specified both with \"-d\" "
1782 "and with additional command-line arguments.");
1785 dfilter = get_args_as_string(argc, argv, optind);
1790 if (global_capture_opts.default_options.cfilter) {
1791 cmdarg_err("A default capture filter was specified both with \"-f\""
1792 " and with additional command-line arguments.");
1795 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1796 interface_options interface_opts;
1797 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1798 if (interface_opts.cfilter == NULL) {
1799 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1800 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1801 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1803 cmdarg_err("A capture filter was specified both with \"-f\""
1804 " and with additional command-line arguments.");
1808 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1810 capture_option_specified = TRUE;
1816 if (!global_capture_opts.saving_to_file) {
1817 /* We're not saving the capture to a file; if "-q" wasn't specified,
1818 we should print packet information */
1820 print_packet_info = TRUE;
1822 /* We're saving to a file; if we're writing to the standard output.
1823 and we'll also be writing dissected packets to the standard
1824 output, reject the request. At best, we could redirect that
1825 to the standard error; we *can't* write both to the standard
1826 output and have either of them be useful. */
1827 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1828 cmdarg_err("You can't write both raw packet data and dissected packets"
1829 " to the standard output.");
1834 /* We're not saving the capture to a file; if "-q" wasn't specified,
1835 we should print packet information */
1837 print_packet_info = TRUE;
1840 #ifndef HAVE_LIBPCAP
1841 if (capture_option_specified)
1842 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1845 print_usage(stderr);
1850 if (output_action != WRITE_TEXT) {
1851 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1856 if (output_only != NULL) {
1859 if (!print_details) {
1860 cmdarg_err("-O requires -V");
1864 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1865 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1866 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1870 if (rfilter != NULL && !perform_two_pass_analysis) {
1871 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1876 if (list_link_layer_types) {
1877 /* We're supposed to list the link-layer types for an interface;
1878 did the user also specify a capture file to be read? */
1880 /* Yes - that's bogus. */
1881 cmdarg_err("You can't specify -L and a capture file to be read.");
1884 /* No - did they specify a ring buffer option? */
1885 if (global_capture_opts.multi_files_on) {
1886 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1892 * "-r" was specified, so we're reading a capture file.
1893 * Capture options don't apply here.
1896 /* We don't support capture filters when reading from a capture file
1897 (the BPF compiler doesn't support all link-layer types that we
1898 support in capture files we read). */
1899 if (global_capture_opts.default_options.cfilter) {
1900 cmdarg_err("Only read filters, not capture filters, "
1901 "can be specified when reading a capture file.");
1904 if (global_capture_opts.multi_files_on) {
1905 cmdarg_err("Multiple capture files requested, but "
1906 "a capture isn't being done.");
1909 if (global_capture_opts.has_file_duration) {
1910 cmdarg_err("Switching capture files after a time interval was specified, but "
1911 "a capture isn't being done.");
1914 if (global_capture_opts.has_ring_num_files) {
1915 cmdarg_err("A ring buffer of capture files was specified, but "
1916 "a capture isn't being done.");
1919 if (global_capture_opts.has_autostop_files) {
1920 cmdarg_err("A maximum number of capture files was specified, but "
1921 "a capture isn't being done.");
1924 if (global_capture_opts.capture_comment) {
1925 cmdarg_err("A capture comment was specified, but "
1926 "a capture isn't being done.\nThere's no support for adding "
1927 "a capture comment to an existing capture file.");
1931 /* Note: TShark now allows the restriction of a _read_ file by packet count
1932 * and byte count as well as a write file. Other autostop options remain valid
1933 * only for a write file.
1935 if (global_capture_opts.has_autostop_duration) {
1936 cmdarg_err("A maximum capture time was specified, but "
1937 "a capture isn't being done.");
1942 * "-r" wasn't specified, so we're doing a live capture.
1944 if (perform_two_pass_analysis) {
1945 /* Two-pass analysis doesn't work with live capture since it requires us
1946 * to buffer packets until we've read all of them, but a live capture
1947 * has no useful/meaningful definition of "all" */
1948 cmdarg_err("Live captures do not support two-pass analysis.");
1952 if (global_capture_opts.saving_to_file) {
1953 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1955 /* When capturing, we only support writing pcap or pcap-ng format. */
1956 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1957 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1958 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1961 if (global_capture_opts.capture_comment &&
1962 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1963 cmdarg_err("A capture comment can only be written to a pcapng file.");
1966 if (global_capture_opts.multi_files_on) {
1967 /* Multiple-file mode doesn't work under certain conditions:
1968 a) it doesn't work if you're writing to the standard output;
1969 b) it doesn't work if you're writing to a pipe;
1971 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1972 cmdarg_err("Multiple capture files requested, but "
1973 "the capture is being written to the standard output.");
1976 if (global_capture_opts.output_to_pipe) {
1977 cmdarg_err("Multiple capture files requested, but "
1978 "the capture file is a pipe.");
1981 if (!global_capture_opts.has_autostop_filesize &&
1982 !global_capture_opts.has_file_duration) {
1983 cmdarg_err("Multiple capture files requested, but "
1984 "no maximum capture file size or duration was specified.");
1988 /* Currently, we don't support read or display filters when capturing
1989 and saving the packets. */
1990 if (rfilter != NULL) {
1991 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1994 if (dfilter != NULL) {
1995 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1998 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
2000 /* They didn't specify a "-w" flag, so we won't be saving to a
2001 capture file. Check for options that only make sense if
2002 we're saving to a file. */
2003 if (global_capture_opts.has_autostop_filesize) {
2004 cmdarg_err("Maximum capture file size specified, but "
2005 "capture isn't being saved to a file.");
2008 if (global_capture_opts.multi_files_on) {
2009 cmdarg_err("Multiple capture files requested, but "
2010 "the capture isn't being saved to a file.");
2013 if (global_capture_opts.capture_comment) {
2014 cmdarg_err("A capture comment was specified, but "
2015 "the capture isn't being saved to a file.");
2024 /* Start windows sockets */
2025 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2028 /* Notify all registered modules that have had any of their preferences
2029 changed either from one of the preferences file or from the command
2030 line that their preferences have changed. */
2033 /* At this point MATE will have registered its field array so we can
2034 have a tap filter with one of MATE's late-registered fields as part
2035 of the filter. We can now process all the "-z" arguments. */
2036 start_requested_stats();
2038 /* At this point MATE will have registered its field array so we can
2039 check if the fields specified by the user are all good.
2043 GSList *invalid_fields = output_fields_valid(output_fields);
2044 if (invalid_fields != NULL) {
2046 cmdarg_err("Some fields aren't valid:");
2047 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2048 cmdarg_err_cont("\t%s", (gchar *)it->data);
2050 g_slist_free(invalid_fields);
2055 /* We currently don't support taps, or printing dissected packets,
2056 if we're writing to a pipe. */
2057 if (global_capture_opts.saving_to_file &&
2058 global_capture_opts.output_to_pipe) {
2059 if (tap_listeners_require_dissection()) {
2060 cmdarg_err("Taps aren't supported when saving to a pipe.");
2063 if (print_packet_info) {
2064 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2070 if (ex_opt_count("read_format") > 0) {
2071 const gchar* name = ex_opt_get_next("read_format");
2072 in_file_type = open_info_name_to_type(name);
2073 if (in_file_type == WTAP_TYPE_AUTO) {
2074 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2075 list_read_capture_types();
2080 /* disabled protocols as per configuration file */
2081 if (gdp_path == NULL && dp_path == NULL) {
2082 set_disabled_protos_list();
2083 set_disabled_heur_dissector_list();
2086 if(disable_protocol_slist) {
2087 GSList *proto_disable;
2088 for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
2090 proto_disable_proto_by_name((char*)proto_disable->data);
2094 if(enable_heur_slist) {
2095 GSList *heur_enable;
2096 for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
2098 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
2102 if(disable_heur_slist) {
2103 GSList *heur_disable;
2104 for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
2106 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
2110 /* Build the column format array */
2111 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2114 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2115 capture_opts_trim_ring_num_files(&global_capture_opts);
2118 if (rfilter != NULL) {
2119 tshark_debug("Compiling read filter: '%s'", rfilter);
2120 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2121 cmdarg_err("%s", err_msg);
2124 #ifdef HAVE_PCAP_OPEN_DEAD
2128 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2130 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2132 " Note: That read filter code looks like a valid capture filter;\n"
2133 " maybe you mixed them up?");
2142 cfile.rfcode = rfcode;
2144 if (dfilter != NULL) {
2145 tshark_debug("Compiling display filter: '%s'", dfilter);
2146 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2147 cmdarg_err("%s", err_msg);
2150 #ifdef HAVE_PCAP_OPEN_DEAD
2154 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2156 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2158 " Note: That display filter code looks like a valid capture filter;\n"
2159 " maybe you mixed them up?");
2168 cfile.dfcode = dfcode;
2170 if (print_packet_info) {
2171 /* If we're printing as text or PostScript, we have
2172 to create a print stream. */
2173 if (output_action == WRITE_TEXT) {
2174 switch (print_format) {
2177 print_stream = print_stream_text_stdio_new(stdout);
2181 print_stream = print_stream_ps_stdio_new(stdout);
2185 g_assert_not_reached();
2190 /* We have to dissect each packet if:
2192 we're printing information about each packet;
2194 we're using a read filter on the packets;
2196 we're using a display filter on the packets;
2198 we're using any taps that need dissection. */
2199 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2200 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2203 tshark_debug("tshark: Opening capture file: %s", cf_name);
2205 * We're reading a capture file.
2207 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2212 /* Process the packets in the file */
2213 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2216 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2217 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2218 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2220 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2223 CATCH(OutOfMemoryError) {
2227 "Sorry, but TShark has to terminate now.\n"
2229 "More information and workarounds can be found at\n"
2230 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2235 /* We still dump out the results of taps, etc., as we might have
2236 read some packets; however, we exit with an error status. */
2240 tshark_debug("tshark: no capture file specified");
2241 /* No capture file specified, so we're supposed to do a live capture
2242 or get a list of link-layer types for a live capture device;
2243 do we have support for live captures? */
2245 /* if no interface was specified, pick a default */
2246 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2247 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2248 if (exit_status != 0)
2251 /* if requested, list the link layer types and exit */
2252 if (list_link_layer_types) {
2255 /* Get the list of link-layer types for the capture devices. */
2256 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2257 interface_options interface_opts;
2258 if_capabilities_t *caps;
2259 char *auth_str = NULL;
2261 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2262 #ifdef HAVE_PCAP_REMOTE
2263 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2264 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2267 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2270 cmdarg_err("%s", err_str);
2274 if (caps->data_link_types == NULL) {
2275 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2278 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2279 free_if_capabilities(caps);
2285 * If the standard error isn't a terminal, don't print packet counts,
2286 * as they won't show up on the user's terminal and they'll get in
2287 * the way of error messages in the file (to which we assume the
2288 * standard error was redirected; if it's redirected to the null
2289 * device, there's no point in printing packet counts anyway).
2291 * Otherwise, if we're printing packet information and the standard
2292 * output is a terminal (which we assume means the standard output and
2293 * error are going to the same terminal), don't print packet counts,
2294 * as they'll get in the way of the packet information.
2296 * Otherwise, if the user specified -q, don't print packet counts.
2298 * Otherwise, print packet counts.
2300 * XXX - what if the user wants to do a live capture, doesn't want
2301 * to save it to a file, doesn't want information printed for each
2302 * packet, does want some "-z" statistic, and wants packet counts
2303 * so they know whether they're seeing any packets? -q will
2304 * suppress the information printed for each packet, but it'll
2305 * also suppress the packet counts.
2307 if (!isatty(fileno(stderr)))
2308 print_packet_counts = FALSE;
2309 else if (print_packet_info && isatty(fileno(stdout)))
2310 print_packet_counts = FALSE;
2312 print_packet_counts = FALSE;
2314 print_packet_counts = TRUE;
2316 if (print_packet_info) {
2317 if (!write_preamble(&cfile)) {
2318 show_print_file_io_error(errno);
2323 tshark_debug("tshark: performing live capture");
2325 * XXX - this returns FALSE if an error occurred, but it also
2326 * returns FALSE if the capture stops because a time limit
2327 * was reached (and possibly other limits), so we can't assume
2328 * it means an error.
2330 * The capture code is a bit twisty, so it doesn't appear to
2331 * be an easy fix. We just ignore the return value for now.
2332 * Instead, pass on the exit status from the capture child.
2335 exit_status = global_capture_session.fork_child_status;
2337 if (print_packet_info) {
2338 if (!write_finale()) {
2340 show_print_file_io_error(err);
2344 /* No - complain. */
2345 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2352 if (cfile.frames != NULL) {
2353 free_frame_data_sequence(cfile.frames);
2354 cfile.frames = NULL;
2357 draw_tap_listeners(TRUE);
2358 funnel_dump_all_text_windows();
2359 epan_free(cfile.epan);
2362 output_fields_free(output_fields);
2363 output_fields = NULL;
2368 /*#define USE_BROKEN_G_MAIN_LOOP*/
2370 #ifdef USE_BROKEN_G_MAIN_LOOP
2373 gboolean loop_running = FALSE;
2375 guint32 packet_count = 0;
2378 typedef struct pipe_input_tag {
2381 ws_process_id *child_process;
2382 pipe_input_cb_t input_cb;
2383 guint pipe_input_id;
2385 GMutex *callback_running;
2389 static pipe_input_t pipe_input;
2392 /* The timer has expired, see if there's stuff to read from the pipe,
2393 if so, do the callback */
2395 pipe_timer_cb(gpointer data)
2401 pipe_input_t *pipe_input_p = data;
2402 gint iterations = 0;
2404 g_mutex_lock (pipe_input_p->callback_running);
2406 /* try to read data from the pipe only 5 times, to avoid blocking */
2407 while(iterations < 5) {
2408 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2410 /* Oddly enough although Named pipes don't work on win9x,
2411 PeekNamedPipe does !!! */
2412 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2413 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2415 /* Get the child process exit status */
2416 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2419 /* If the Peek returned an error, or there are bytes to be read
2420 or the childwatcher thread has terminated then call the normal
2422 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2424 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2426 /* And call the real handler */
2427 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2428 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2429 /* pipe closed, return false so that the timer is stopped */
2430 g_mutex_unlock (pipe_input_p->callback_running);
2435 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2436 /* No data, stop now */
2443 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2445 g_mutex_unlock (pipe_input_p->callback_running);
2447 /* we didn't stopped the timer, so let it run */
2454 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2457 pipe_input.source = source;
2458 pipe_input.child_process = child_process;
2459 pipe_input.user_data = user_data;
2460 pipe_input.input_cb = input_cb;
2463 #if GLIB_CHECK_VERSION(2,31,0)
2464 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2465 g_mutex_init(pipe_input.callback_running);
2467 pipe_input.callback_running = g_mutex_new();
2469 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2470 do this but that doesn't cover all win32 platforms. GTK can do
2471 this but doesn't seem to work over processes. Attempt to do
2472 something similar here, start a timer and check for data on every
2474 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2475 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2479 static const nstime_t *
2480 tshark_get_frame_ts(void *data, guint32 frame_num)
2482 capture_file *cf = (capture_file *) data;
2484 if (ref && ref->num == frame_num)
2485 return &ref->abs_ts;
2487 if (prev_dis && prev_dis->num == frame_num)
2488 return &prev_dis->abs_ts;
2490 if (prev_cap && prev_cap->num == frame_num)
2491 return &prev_cap->abs_ts;
2494 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2496 return (fd) ? &fd->abs_ts : NULL;
2503 tshark_epan_new(capture_file *cf)
2505 epan_t *epan = epan_new();
2508 epan->get_frame_ts = tshark_get_frame_ts;
2509 epan->get_interface_name = cap_file_get_interface_name;
2510 epan->get_user_comment = NULL;
2522 #ifdef USE_TSHARK_SELECT
2526 struct sigaction action, oldaction;
2529 /* Create new dissection section. */
2530 epan_free(cfile.epan);
2531 cfile.epan = tshark_epan_new(&cfile);
2534 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2535 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2537 /* Catch SIGINT and SIGTERM and, if we get either of them,
2538 clean up and exit. If SIGHUP isn't being ignored, catch
2539 it too and, if we get it, clean up and exit.
2541 We restart any read that was in progress, so that it doesn't
2542 disrupt reading from the sync pipe. The signal handler tells
2543 the capture child to finish; it will report that it finished,
2544 or will exit abnormally, so we'll stop reading from the sync
2545 pipe, pick up the exit status, and quit. */
2546 memset(&action, 0, sizeof(action));
2547 action.sa_handler = capture_cleanup;
2548 action.sa_flags = SA_RESTART;
2549 sigemptyset(&action.sa_mask);
2550 sigaction(SIGTERM, &action, NULL);
2551 sigaction(SIGINT, &action, NULL);
2552 sigaction(SIGHUP, NULL, &oldaction);
2553 if (oldaction.sa_handler == SIG_DFL)
2554 sigaction(SIGHUP, &action, NULL);
2557 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2558 quiet mode, report the number of packets we've captured.
2560 Again, restart any read that was in progress, so that it doesn't
2561 disrupt reading from the sync pipe. */
2562 action.sa_handler = report_counts_siginfo;
2563 action.sa_flags = SA_RESTART;
2564 sigemptyset(&action.sa_mask);
2565 sigaction(SIGINFO, &action, NULL);
2566 #endif /* SIGINFO */
2569 global_capture_session.state = CAPTURE_PREPARING;
2571 /* Let the user know which interfaces were chosen. */
2572 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2573 interface_options interface_opts;
2575 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2576 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2577 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2578 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2580 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2581 if (really_quiet == FALSE)
2582 fprintf(stderr, "Capturing on %s\n", str->str);
2584 g_string_free(str, TRUE);
2586 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2591 /* the actual capture loop
2593 * XXX - glib doesn't seem to provide any event based loop handling.
2595 * XXX - for whatever reason,
2596 * calling g_main_loop_new() ends up in 100% cpu load.
2598 * But that doesn't matter: in UNIX we can use select() to find an input
2599 * source with something to do.
2601 * But that doesn't matter because we're in a CLI (that doesn't need to
2602 * update a GUI or something at the same time) so it's OK if we block
2603 * trying to read from the pipe.
2605 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2606 * wrong (but I leave it there in case I am...).
2609 #ifdef USE_TSHARK_SELECT
2611 FD_SET(pipe_input.source, &readfds);
2614 loop_running = TRUE;
2618 while (loop_running)
2620 #ifdef USE_TSHARK_SELECT
2621 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2625 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2627 } else if (ret == 1) {
2629 /* Call the real handler */
2630 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2631 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2634 #ifdef USE_TSHARK_SELECT
2639 CATCH(OutOfMemoryError) {
2643 "Sorry, but TShark has to terminate now.\n"
2645 "More information and workarounds can be found at\n"
2646 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2653 /* capture child detected an error */
2655 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2657 cmdarg_err("%s", error_msg);
2658 cmdarg_err_cont("%s", secondary_error_msg);
2662 /* capture child detected an capture filter related error */
2664 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2666 capture_options *capture_opts = cap_session->capture_opts;
2667 dfilter_t *rfcode = NULL;
2668 interface_options interface_opts;
2670 g_assert(i < capture_opts->ifaces->len);
2671 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2673 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2675 "Invalid capture filter \"%s\" for interface '%s'.\n"
2677 "That string looks like a valid display filter; however, it isn't a valid\n"
2678 "capture filter (%s).\n"
2680 "Note that display filters and capture filters don't have the same syntax,\n"
2681 "so you can't use most display filter expressions as capture filters.\n"
2683 "See the User's Guide for a description of the capture filter syntax.",
2684 interface_opts.cfilter, interface_opts.descr, error_message);
2685 dfilter_free(rfcode);
2688 "Invalid capture filter \"%s\" for interface '%s'.\n"
2690 "That string isn't a valid capture filter (%s).\n"
2691 "See the User's Guide for a description of the capture filter syntax.",
2692 interface_opts.cfilter, interface_opts.descr, error_message);
2697 /* capture child tells us we have a new (or the first) capture file */
2699 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2701 capture_options *capture_opts = cap_session->capture_opts;
2702 capture_file *cf = (capture_file *) cap_session->cf;
2703 gboolean is_tempfile;
2706 if (cap_session->state == CAPTURE_PREPARING) {
2707 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2709 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2711 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2713 /* free the old filename */
2714 if (capture_opts->save_file != NULL) {
2716 /* we start a new capture file, close the old one (if we had one before) */
2717 if (cf->state != FILE_CLOSED) {
2718 if (cf->wth != NULL) {
2719 wtap_close(cf->wth);
2722 cf->state = FILE_CLOSED;
2725 g_free(capture_opts->save_file);
2726 is_tempfile = FALSE;
2728 epan_free(cf->epan);
2729 cf->epan = tshark_epan_new(cf);
2731 /* we didn't had a save_file before, must be a tempfile */
2735 /* save the new filename */
2736 capture_opts->save_file = g_strdup(new_file);
2738 /* if we are in real-time mode, open the new file now */
2739 if (do_dissection) {
2740 /* this is probably unecessary, but better safe than sorry */
2741 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2742 /* Attempt to open the capture file and set up to read from it. */
2743 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2747 /* Don't unlink (delete) the save file - leave it around,
2748 for debugging purposes. */
2749 g_free(capture_opts->save_file);
2750 capture_opts->save_file = NULL;
2755 cap_session->state = CAPTURE_RUNNING;
2761 /* capture child tells us we have new packets to read */
2763 capture_input_new_packets(capture_session *cap_session, int to_read)
2769 capture_file *cf = (capture_file *)cap_session->cf;
2770 gboolean filtering_tap_listeners;
2775 * Prevent a SIGINFO handler from writing to the standard error while
2776 * we're doing so or writing to the standard output; instead, have it
2777 * just set a flag telling us to print that information when we're done.
2780 #endif /* SIGINFO */
2782 /* Do we have any tap listeners with filters? */
2783 filtering_tap_listeners = have_filtering_tap_listeners();
2785 /* Get the union of the flags for all tap listeners. */
2786 tap_flags = union_of_tap_listener_flags();
2788 if (do_dissection) {
2789 gboolean create_proto_tree;
2790 epan_dissect_t *edt;
2792 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2793 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2794 create_proto_tree = TRUE;
2796 create_proto_tree = FALSE;
2798 /* The protocol tree will be "visible", i.e., printed, only if we're
2799 printing packet details, which is true if we're printing stuff
2800 ("print_packet_info" is true) and we're in verbose mode
2801 ("packet_details" is true). */
2802 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2804 while (to_read-- && cf->wth) {
2805 wtap_cleareof(cf->wth);
2806 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2808 /* read from file failed, tell the capture child to stop */
2809 sync_pipe_stop(cap_session);
2810 wtap_close(cf->wth);
2813 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2814 wtap_buf_ptr(cf->wth),
2818 /* packet successfully read and gone through the "Read Filter" */
2823 epan_dissect_free(edt);
2827 * Dumpcap's doing all the work; we're not doing any dissection.
2828 * Count all the packets it wrote.
2830 packet_count += to_read;
2833 if (print_packet_counts) {
2834 /* We're printing packet counts. */
2835 if (packet_count != 0) {
2836 fprintf(stderr, "\r%u ", packet_count);
2837 /* stderr could be line buffered */
2844 * Allow SIGINFO handlers to write.
2849 * If a SIGINFO handler asked us to write out capture counts, do so.
2853 #endif /* SIGINFO */
2859 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2860 /* Report the count only if we aren't printing a packet count
2861 as packets arrive. */
2862 fprintf(stderr, "%u packet%s captured\n", packet_count,
2863 plurality(packet_count, "", "s"));
2866 infoprint = FALSE; /* we just reported it */
2867 #endif /* SIGINFO */
2872 report_counts_siginfo(int signum _U_)
2874 int sav_errno = errno;
2875 /* If we've been told to delay printing, just set a flag asking
2876 that we print counts (if we're supposed to), otherwise print
2877 the count of packets captured (if we're supposed to). */
2884 #endif /* SIGINFO */
2887 /* capture child detected any packet drops? */
2889 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2891 if (print_packet_counts) {
2892 /* We're printing packet counts to stderr.
2893 Send a newline so that we move to the line after the packet count. */
2894 fprintf(stderr, "\n");
2898 /* We're printing packet counts to stderr.
2899 Send a newline so that we move to the line after the packet count. */
2900 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2906 * Capture child closed its side of the pipe, report any error and
2907 * do the required cleanup.
2910 capture_input_closed(capture_session *cap_session, gchar *msg)
2912 capture_file *cf = (capture_file *) cap_session->cf;
2915 fprintf(stderr, "tshark: %s\n", msg);
2919 if (cf != NULL && cf->wth != NULL) {
2920 wtap_close(cf->wth);
2921 if (cf->is_tempfile) {
2922 ws_unlink(cf->filename);
2925 #ifdef USE_BROKEN_G_MAIN_LOOP
2926 /*g_main_loop_quit(loop);*/
2927 g_main_loop_quit(loop);
2929 loop_running = FALSE;
2938 capture_cleanup(DWORD ctrltype _U_)
2940 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2941 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2942 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2943 like SIGTERM at least when the machine's shutting down.
2945 For now, we handle them all as indications that we should clean up
2946 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2949 We must return TRUE so that no other handler - such as one that would
2950 terminate the process - gets called.
2952 XXX - for some reason, typing ^C to TShark, if you run this in
2953 a Cygwin console window in at least some versions of Cygwin,
2954 causes TShark to terminate immediately; this routine gets
2955 called, but the main loop doesn't get a chance to run and
2956 exit cleanly, at least if this is compiled with Microsoft Visual
2957 C++ (i.e., it's a property of the Cygwin console window or Bash;
2958 it happens if TShark is not built with Cygwin - for all I know,
2959 building it with Cygwin may make the problem go away). */
2961 /* tell the capture child to stop */
2962 sync_pipe_stop(&global_capture_session);
2964 /* don't stop our own loop already here, otherwise status messages and
2965 * cleanup wouldn't be done properly. The child will indicate the stop of
2966 * everything by calling capture_input_closed() later */
2972 capture_cleanup(int signum _U_)
2974 /* tell the capture child to stop */
2975 sync_pipe_stop(&global_capture_session);
2977 /* don't stop our own loop already here, otherwise status messages and
2978 * cleanup wouldn't be done properly. The child will indicate the stop of
2979 * everything by calling capture_input_closed() later */
2982 #endif /* HAVE_LIBPCAP */
2985 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2986 gint64 offset, struct wtap_pkthdr *whdr,
2993 /* The frame number of this packet is one more than the count of
2994 frames in this packet. */
2995 framenum = cf->count + 1;
2997 /* If we're not running a display filter and we're not printing any
2998 packet information, we don't need to do a dissection. This means
2999 that all packets can be marked as 'passed'. */
3002 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
3004 /* If we're going to print packet information, or we're going to
3005 run a read filter, or display filter, or we're going to process taps, set up to
3006 do a dissection and do so. */
3008 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3009 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3010 /* Grab any resolved addresses */
3011 host_name_lookup_process();
3013 /* If we're running a read filter, prime the epan_dissect_t with that
3016 epan_dissect_prime_dfilter(edt, cf->rfcode);
3019 epan_dissect_prime_dfilter(edt, cf->dfcode);
3021 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3023 if (ref == &fdlocal) {
3024 ref_frame = fdlocal;
3028 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
3030 /* Run the read filter if we have one. */
3032 passed = dfilter_apply_edt(cf->rfcode, edt);
3036 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3037 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
3039 /* If we're not doing dissection then there won't be any dependent frames.
3040 * More importantly, edt.pi.dependent_frames won't be initialized because
3041 * epan hasn't been initialized.
3042 * if we *are* doing dissection, then mark the dependent frames, but only
3043 * if a display filter was given and it matches this packet.
3045 if (edt && cf->dfcode) {
3046 if (dfilter_apply_edt(cf->dfcode, edt)) {
3047 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
3053 /* if we don't add it to the frame_data_sequence, clean it up right now
3055 frame_data_destroy(&fdlocal);
3059 epan_dissect_reset(edt);
3065 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
3066 struct wtap_pkthdr *phdr, Buffer *buf,
3072 /* If we're not running a display filter and we're not printing any
3073 packet information, we don't need to do a dissection. This means
3074 that all packets can be marked as 'passed'. */
3077 /* If we're going to print packet information, or we're going to
3078 run a read filter, or we're going to process taps, set up to
3079 do a dissection and do so. */
3081 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3082 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3083 /* Grab any resolved addresses */
3084 host_name_lookup_process();
3086 /* If we're running a display filter, prime the epan_dissect_t with that
3089 epan_dissect_prime_dfilter(edt, cf->dfcode);
3091 col_custom_prime_edt(edt, &cf->cinfo);
3093 /* We only need the columns if either
3094 1) some tap needs the columns
3096 2) we're printing packet info but we're *not* verbose; in verbose
3097 mode, we print the protocol tree, not the protocol summary.
3099 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3104 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3111 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3113 /* Run the read/display filter if we have one. */
3115 passed = dfilter_apply_edt(cf->dfcode, edt);
3119 frame_data_set_after_dissect(fdata, &cum_bytes);
3120 /* Process this packet. */
3121 if (print_packet_info) {
3122 /* We're printing packet information; print the information for
3124 print_packet(cf, edt);
3126 /* The ANSI C standard does not appear to *require* that a line-buffered
3127 stream be flushed to the host environment whenever a newline is
3128 written, it just says that, on such a stream, characters "are
3129 intended to be transmitted to or from the host environment as a
3130 block when a new-line character is encountered".
3132 The Visual C++ 6.0 C implementation doesn't do what is intended;
3133 even if you set a stream to be line-buffered, it still doesn't
3134 flush the buffer at the end of every line.
3136 So, if the "-l" flag was specified, we flush the standard output
3137 at the end of a packet. This will do the right thing if we're
3138 printing packet summary lines, and, as we print the entire protocol
3139 tree for a single packet without waiting for anything to happen,
3140 it should be as good as line-buffered mode if we're printing
3141 protocol trees. (The whole reason for the "-l" flag in either
3142 tcpdump or TShark is to allow the output of a live capture to
3143 be piped to a program or script and to have that script see the
3144 information for the packet as soon as it's printed, rather than
3145 having to wait until a standard I/O buffer fills up. */
3149 if (ferror(stdout)) {
3150 show_print_file_io_error(errno);
3159 epan_dissect_reset(edt);
3161 return passed || fdata->flags.dependent_of_displayed;
3165 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3166 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3169 int snapshot_length;
3173 gchar *err_info = NULL;
3175 char *save_file_string = NULL;
3176 gboolean filtering_tap_listeners;
3178 wtap_optionblock_t shb_hdr = NULL;
3179 wtapng_iface_descriptions_t *idb_inf = NULL;
3180 wtap_optionblock_t nrb_hdr = NULL;
3181 struct wtap_pkthdr phdr;
3183 epan_dissect_t *edt = NULL;
3184 char *shb_user_appl;
3186 wtap_phdr_init(&phdr);
3188 idb_inf = wtap_file_get_idb_info(cf->wth);
3189 #ifdef PCAP_NG_DEFAULT
3190 if (idb_inf->interface_data->len > 1) {
3191 linktype = WTAP_ENCAP_PER_PACKET;
3193 linktype = wtap_file_encap(cf->wth);
3196 linktype = wtap_file_encap(cf->wth);
3198 if (save_file != NULL) {
3199 /* Get a string that describes what we're writing to */
3200 save_file_string = output_file_description(save_file);
3202 /* Set up to write to the capture file. */
3203 snapshot_length = wtap_snapshot_length(cf->wth);
3204 if (snapshot_length == 0) {
3205 /* Snapshot length of input file not known. */
3206 snapshot_length = WTAP_MAX_PACKET_SIZE;
3208 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3210 shb_hdr = wtap_file_get_shb_for_new_file(cf->wth);
3211 nrb_hdr = wtap_file_get_nrb_for_new_file(cf->wth);
3213 /* If we don't have an application name add Tshark */
3214 wtap_optionblock_get_option_string(shb_hdr, OPT_SHB_USERAPPL, &shb_user_appl);
3215 if (shb_user_appl == NULL) {
3216 /* this is free'd by wtap_optionblock_free() later */
3217 shb_user_appl = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3218 wtap_optionblock_set_option_string(shb_hdr, OPT_SHB_USERAPPL, shb_user_appl);
3219 g_free(shb_user_appl);
3222 if (linktype != WTAP_ENCAP_PER_PACKET &&
3223 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3224 tshark_debug("tshark: writing PCAP format to %s", save_file);
3225 if (strcmp(save_file, "-") == 0) {
3226 /* Write to the standard output. */
3227 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3228 snapshot_length, FALSE /* compressed */, &err);
3230 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3231 snapshot_length, FALSE /* compressed */, &err);
3235 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3236 if (strcmp(save_file, "-") == 0) {
3237 /* Write to the standard output. */
3238 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3239 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3241 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3242 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3250 /* We couldn't set up to write to the capture file. */
3253 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3254 cmdarg_err("Capture files can't be written in that format.");
3257 case WTAP_ERR_UNWRITABLE_ENCAP:
3258 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3259 cmdarg_err("The capture file being read can't be written as a "
3260 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3263 case WTAP_ERR_CANT_OPEN:
3264 cmdarg_err("The %s couldn't be created for some "
3265 "unknown reason.", save_file_string);
3268 case WTAP_ERR_SHORT_WRITE:
3269 cmdarg_err("A full header couldn't be written to the %s.",
3274 cmdarg_err("The %s could not be created: %s.", save_file_string,
3275 wtap_strerror(err));
3281 if (print_packet_info) {
3282 if (!write_preamble(cf)) {
3284 show_print_file_io_error(err);
3293 /* Do we have any tap listeners with filters? */
3294 filtering_tap_listeners = have_filtering_tap_listeners();
3296 /* Get the union of the flags for all tap listeners. */
3297 tap_flags = union_of_tap_listener_flags();
3299 if (perform_two_pass_analysis) {
3302 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3304 /* Allocate a frame_data_sequence for all the frames. */
3305 cf->frames = new_frame_data_sequence();
3307 if (do_dissection) {
3308 gboolean create_proto_tree = FALSE;
3310 /* If we're going to be applying a filter, we'll need to
3311 create a protocol tree against which to apply the filter. */
3312 if (cf->rfcode || cf->dfcode)
3313 create_proto_tree = TRUE;
3315 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3317 /* We're not going to display the protocol tree on this pass,
3318 so it's not going to be "visible". */
3319 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3322 tshark_debug("tshark: reading records for first pass");
3323 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3324 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3325 wtap_buf_ptr(cf->wth))) {
3326 /* Stop reading if we have the maximum number of packets;
3327 * When the -c option has not been used, max_packet_count
3328 * starts at 0, which practically means, never stop reading.
3329 * (unless we roll over max_packet_count ?)
3331 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3332 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3333 max_packet_count, data_offset, max_byte_count);
3334 err = 0; /* This is not an error */
3341 epan_dissect_free(edt);
3345 /* Close the sequential I/O side, to free up memory it requires. */
3346 wtap_sequential_close(cf->wth);
3348 /* Allow the protocol dissectors to free up memory that they
3349 * don't need after the sequential run-through of the packets. */
3350 postseq_cleanup_all_protocols();
3354 ws_buffer_init(&buf, 1500);
3356 tshark_debug("tshark: done with first pass");
3358 if (do_dissection) {
3359 gboolean create_proto_tree;
3361 if (cf->dfcode || print_details || filtering_tap_listeners ||
3362 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3363 create_proto_tree = TRUE;
3365 create_proto_tree = FALSE;
3367 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3369 /* The protocol tree will be "visible", i.e., printed, only if we're
3370 printing packet details, which is true if we're printing stuff
3371 ("print_packet_info" is true) and we're in verbose mode
3372 ("packet_details" is true). */
3373 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3376 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3377 fdata = frame_data_sequence_find(cf->frames, framenum);
3378 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3380 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3381 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3383 /* Either there's no read filtering or this packet passed the
3384 filter, so, if we're writing to a capture file, write
3387 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3388 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3389 /* Error writing to a capture file */
3390 tshark_debug("tshark: error writing to a capture file (%d)", err);
3393 case WTAP_ERR_UNWRITABLE_ENCAP:
3395 * This is a problem with the particular frame we're writing
3396 * and the file type and subtype we're writing; note that,
3397 * and report the frame number and file type/subtype.
3399 * XXX - framenum is not necessarily the frame number in
3400 * the input file if there was a read filter.
3403 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3404 framenum, cf->filename,
3405 wtap_file_type_subtype_short_string(out_file_type));
3408 case WTAP_ERR_PACKET_TOO_LARGE:
3410 * This is a problem with the particular frame we're writing
3411 * and the file type and subtype we're writing; note that,
3412 * and report the frame number and file type/subtype.
3414 * XXX - framenum is not necessarily the frame number in
3415 * the input file if there was a read filter.
3418 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3419 framenum, cf->filename,
3420 wtap_file_type_subtype_short_string(out_file_type));
3423 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3425 * This is a problem with the particular record we're writing
3426 * and the file type and subtype we're writing; note that,
3427 * and report the record number and file type/subtype.
3429 * XXX - framenum is not necessarily the record number in
3430 * the input file if there was a read filter.
3433 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3434 framenum, cf->filename,
3435 wtap_file_type_subtype_short_string(out_file_type));
3438 case WTAP_ERR_UNWRITABLE_REC_DATA:
3440 * This is a problem with the particular record we're writing
3441 * and the file type and subtype we're writing; note that,
3442 * and report the record number and file type/subtype.
3444 * XXX - framenum is not necessarily the record number in
3445 * the input file if there was a read filter.
3448 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3449 framenum, cf->filename,
3450 wtap_file_type_subtype_short_string(out_file_type),
3451 err_info != NULL ? err_info : "no information supplied");
3456 show_capture_file_io_error(save_file, err, FALSE);
3459 wtap_dump_close(pdh, &err);
3460 wtap_optionblock_free(shb_hdr);
3461 wtap_optionblock_free(nrb_hdr);
3470 epan_dissect_free(edt);
3474 ws_buffer_free(&buf);
3476 tshark_debug("tshark: done with second pass");
3479 /* !perform_two_pass_analysis */
3482 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3484 if (do_dissection) {
3485 gboolean create_proto_tree;
3487 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3488 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3489 create_proto_tree = TRUE;
3491 create_proto_tree = FALSE;
3493 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3495 /* The protocol tree will be "visible", i.e., printed, only if we're
3496 printing packet details, which is true if we're printing stuff
3497 ("print_packet_info" is true) and we're in verbose mode
3498 ("packet_details" is true). */
3499 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3502 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3505 tshark_debug("tshark: processing packet #%d", framenum);
3507 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3508 wtap_buf_ptr(cf->wth),
3510 /* Either there's no read filtering or this packet passed the
3511 filter, so, if we're writing to a capture file, write
3514 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3515 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3516 /* Error writing to a capture file */
3517 tshark_debug("tshark: error writing to a capture file (%d)", err);
3520 case WTAP_ERR_UNWRITABLE_ENCAP:
3522 * This is a problem with the particular frame we're writing
3523 * and the file type and subtype we're writing; note that,
3524 * and report the frame number and file type/subtype.
3527 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3528 framenum, cf->filename,
3529 wtap_file_type_subtype_short_string(out_file_type));
3532 case WTAP_ERR_PACKET_TOO_LARGE:
3534 * This is a problem with the particular frame we're writing
3535 * and the file type and subtype we're writing; note that,
3536 * and report the frame number and file type/subtype.
3539 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3540 framenum, cf->filename,
3541 wtap_file_type_subtype_short_string(out_file_type));
3544 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3546 * This is a problem with the particular record we're writing
3547 * and the file type and subtype we're writing; note that,
3548 * and report the record number and file type/subtype.
3551 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3552 framenum, cf->filename,
3553 wtap_file_type_subtype_short_string(out_file_type));
3556 case WTAP_ERR_UNWRITABLE_REC_DATA:
3558 * This is a problem with the particular record we're writing
3559 * and the file type and subtype we're writing; note that,
3560 * and report the record number and file type/subtype.
3563 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3564 framenum, cf->filename,
3565 wtap_file_type_subtype_short_string(out_file_type),
3566 err_info != NULL ? err_info : "no information supplied");
3571 show_capture_file_io_error(save_file, err, FALSE);
3574 wtap_dump_close(pdh, &err);
3575 wtap_optionblock_free(shb_hdr);
3576 wtap_optionblock_free(nrb_hdr);
3581 /* Stop reading if we have the maximum number of packets;
3582 * When the -c option has not been used, max_packet_count
3583 * starts at 0, which practically means, never stop reading.
3584 * (unless we roll over max_packet_count ?)
3586 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3587 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3588 max_packet_count, data_offset, max_byte_count);
3589 err = 0; /* This is not an error */
3595 epan_dissect_free(edt);
3600 wtap_phdr_cleanup(&phdr);
3603 tshark_debug("tshark: something failed along the line (%d)", err);
3605 * Print a message noting that the read failed somewhere along the line.
3607 * If we're printing packet data, and the standard output and error are
3608 * going to the same place, flush the standard output, so everything
3609 * buffered up is written, and then print a newline to the standard error
3610 * before printing the error message, to separate it from the packet
3611 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3612 * the _fstat() documentation at Microsoft doesn't indicate whether
3613 * st_ino is even supported.)
3616 if (print_packet_info) {
3617 ws_statb64 stat_stdout, stat_stderr;
3619 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3620 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3621 stat_stdout.st_ino == stat_stderr.st_ino) {
3623 fprintf(stderr, "\n");
3630 case WTAP_ERR_UNSUPPORTED:
3631 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3633 err_info != NULL ? err_info : "no information supplied");
3637 case WTAP_ERR_SHORT_READ:
3638 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3642 case WTAP_ERR_BAD_FILE:
3643 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3645 err_info != NULL ? err_info : "no information supplied");
3649 case WTAP_ERR_DECOMPRESS:
3650 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3651 "(%s)", cf->filename,
3652 err_info != NULL ? err_info : "no information supplied");
3657 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3658 cf->filename, wtap_strerror(err));
3661 if (save_file != NULL) {
3662 /* Now close the capture file. */
3663 if (!wtap_dump_close(pdh, &err))
3664 show_capture_file_io_error(save_file, err, TRUE);
3667 if (save_file != NULL) {
3668 if (pdh && out_file_name_res) {
3669 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3670 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3671 wtap_file_type_subtype_short_string(out_file_type));
3674 /* Now close the capture file. */
3675 if (!wtap_dump_close(pdh, &err))
3676 show_capture_file_io_error(save_file, err, TRUE);
3678 if (print_packet_info) {
3679 if (!write_finale()) {
3681 show_print_file_io_error(err);
3688 wtap_close(cf->wth);
3691 g_free(save_file_string);
3692 wtap_optionblock_free(shb_hdr);
3693 wtap_optionblock_free(nrb_hdr);
3699 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3700 const guchar *pd, guint tap_flags)
3706 /* Count this packet. */
3709 /* If we're not running a display filter and we're not printing any
3710 packet information, we don't need to do a dissection. This means
3711 that all packets can be marked as 'passed'. */
3714 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3716 /* If we're going to print packet information, or we're going to
3717 run a read filter, or we're going to process taps, set up to
3718 do a dissection and do so. */
3720 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3721 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3722 /* Grab any resolved addresses */
3723 host_name_lookup_process();
3725 /* If we're running a filter, prime the epan_dissect_t with that
3728 epan_dissect_prime_dfilter(edt, cf->dfcode);
3730 col_custom_prime_edt(edt, &cf->cinfo);
3732 /* We only need the columns if either
3733 1) some tap needs the columns
3735 2) we're printing packet info but we're *not* verbose; in verbose
3736 mode, we print the protocol tree, not the protocol summary.
3738 3) there is a column mapped as an individual field */
3739 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3744 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3746 if (ref == &fdata) {
3751 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3753 /* Run the filter if we have it. */
3755 passed = dfilter_apply_edt(cf->dfcode, edt);
3759 frame_data_set_after_dissect(&fdata, &cum_bytes);
3761 /* Process this packet. */
3762 if (print_packet_info) {
3763 /* We're printing packet information; print the information for
3765 print_packet(cf, edt);
3767 /* The ANSI C standard does not appear to *require* that a line-buffered
3768 stream be flushed to the host environment whenever a newline is
3769 written, it just says that, on such a stream, characters "are
3770 intended to be transmitted to or from the host environment as a
3771 block when a new-line character is encountered".
3773 The Visual C++ 6.0 C implementation doesn't do what is intended;
3774 even if you set a stream to be line-buffered, it still doesn't
3775 flush the buffer at the end of every line.
3777 So, if the "-l" flag was specified, we flush the standard output
3778 at the end of a packet. This will do the right thing if we're
3779 printing packet summary lines, and, as we print the entire protocol
3780 tree for a single packet without waiting for anything to happen,
3781 it should be as good as line-buffered mode if we're printing
3782 protocol trees. (The whole reason for the "-l" flag in either
3783 tcpdump or TShark is to allow the output of a live capture to
3784 be piped to a program or script and to have that script see the
3785 information for the packet as soon as it's printed, rather than
3786 having to wait until a standard I/O buffer fills up. */
3790 if (ferror(stdout)) {
3791 show_print_file_io_error(errno);
3796 /* this must be set after print_packet() [bug #8160] */
3797 prev_dis_frame = fdata;
3798 prev_dis = &prev_dis_frame;
3801 prev_cap_frame = fdata;
3802 prev_cap = &prev_cap_frame;
3805 epan_dissect_reset(edt);
3806 frame_data_destroy(&fdata);
3812 write_preamble(capture_file *cf)
3814 switch (output_action) {
3817 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3821 write_pdml_preamble(stdout, cf->filename);
3823 write_psml_preamble(&cf->cinfo, stdout);
3824 return !ferror(stdout);
3827 write_fields_preamble(output_fields, stdout);
3828 return !ferror(stdout);
3831 g_assert_not_reached();
3837 get_line_buf(size_t len)
3839 static char *line_bufp = NULL;
3840 static size_t line_buf_len = 256;
3841 size_t new_line_buf_len;
3843 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3844 new_line_buf_len *= 2)
3846 if (line_bufp == NULL) {
3847 line_buf_len = new_line_buf_len;
3848 line_bufp = (char *)g_malloc(line_buf_len + 1);
3850 if (new_line_buf_len > line_buf_len) {
3851 line_buf_len = new_line_buf_len;
3852 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3859 put_string(char *dest, const char *str, size_t str_len)
3861 memcpy(dest, str, str_len);
3862 dest[str_len] = '\0';
3866 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3870 for (i = str_len; i < str_with_spaces; i++)
3873 put_string(dest, str, str_len);
3877 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3881 memcpy(dest, str, str_len);
3882 for (i = str_len; i < str_with_spaces; i++)
3885 dest[str_with_spaces] = '\0';
3889 print_columns(capture_file *cf)
3896 col_item_t* col_item;
3898 line_bufp = get_line_buf(256);
3901 for (i = 0; i < cf->cinfo.num_cols; i++) {
3902 col_item = &cf->cinfo.columns[i];
3903 /* Skip columns not marked as visible. */
3904 if (!get_column_visible(i))
3906 switch (col_item->col_fmt) {
3908 column_len = col_len = strlen(col_item->col_data);
3911 line_bufp = get_line_buf(buf_offset + column_len);
3912 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3918 case COL_ABS_YMD_TIME: /* XXX - wider */
3919 case COL_ABS_YDOY_TIME: /* XXX - wider */
3921 case COL_UTC_YMD_TIME: /* XXX - wider */
3922 case COL_UTC_YDOY_TIME: /* XXX - wider */
3923 column_len = col_len = strlen(col_item->col_data);
3924 if (column_len < 10)
3926 line_bufp = get_line_buf(buf_offset + column_len);
3927 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3933 case COL_DEF_DL_SRC:
3934 case COL_RES_DL_SRC:
3935 case COL_UNRES_DL_SRC:
3936 case COL_DEF_NET_SRC:
3937 case COL_RES_NET_SRC:
3938 case COL_UNRES_NET_SRC:
3939 column_len = col_len = strlen(col_item->col_data);
3940 if (column_len < 12)
3942 line_bufp = get_line_buf(buf_offset + column_len);
3943 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3949 case COL_DEF_DL_DST:
3950 case COL_RES_DL_DST:
3951 case COL_UNRES_DL_DST:
3952 case COL_DEF_NET_DST:
3953 case COL_RES_NET_DST:
3954 case COL_UNRES_NET_DST:
3955 column_len = col_len = strlen(col_item->col_data);
3956 if (column_len < 12)
3958 line_bufp = get_line_buf(buf_offset + column_len);
3959 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3963 column_len = strlen(col_item->col_data);
3964 line_bufp = get_line_buf(buf_offset + column_len);
3965 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3968 buf_offset += column_len;
3969 if (i != cf->cinfo.num_cols - 1) {
3971 * This isn't the last column, so we need to print a
3972 * separator between this column and the next.
3974 * If we printed a network source and are printing a
3975 * network destination of the same type next, separate
3976 * them with " -> "; if we printed a network destination
3977 * and are printing a network source of the same type
3978 * next, separate them with " <- "; otherwise separate them
3981 * We add enough space to the buffer for " <- " or " -> ",
3982 * even if we're only adding " ".
3984 line_bufp = get_line_buf(buf_offset + 4);
3985 switch (col_item->col_fmt) {
3990 switch (cf->cinfo.columns[i+1].col_fmt) {
3995 put_string(line_bufp + buf_offset, " -> ", 4);
4000 put_string(line_bufp + buf_offset, " ", 1);
4006 case COL_DEF_DL_SRC:
4007 case COL_RES_DL_SRC:
4008 case COL_UNRES_DL_SRC:
4009 switch (cf->cinfo.columns[i+1].col_fmt) {
4011 case COL_DEF_DL_DST:
4012 case COL_RES_DL_DST:
4013 case COL_UNRES_DL_DST:
4014 put_string(line_bufp + buf_offset, " -> ", 4);
4019 put_string(line_bufp + buf_offset, " ", 1);
4025 case COL_DEF_NET_SRC:
4026 case COL_RES_NET_SRC:
4027 case COL_UNRES_NET_SRC:
4028 switch (cf->cinfo.columns[i+1].col_fmt) {
4030 case COL_DEF_NET_DST:
4031 case COL_RES_NET_DST:
4032 case COL_UNRES_NET_DST:
4033 put_string(line_bufp + buf_offset, " -> ", 4);
4038 put_string(line_bufp + buf_offset, " ", 1);
4047 switch (cf->cinfo.columns[i+1].col_fmt) {
4052 put_string(line_bufp + buf_offset, " <- ", 4);
4057 put_string(line_bufp + buf_offset, " ", 1);
4063 case COL_DEF_DL_DST:
4064 case COL_RES_DL_DST:
4065 case COL_UNRES_DL_DST:
4066 switch (cf->cinfo.columns[i+1].col_fmt) {
4068 case COL_DEF_DL_SRC:
4069 case COL_RES_DL_SRC:
4070 case COL_UNRES_DL_SRC:
4071 put_string(line_bufp + buf_offset, " <- ", 4);
4076 put_string(line_bufp + buf_offset, " ", 1);
4082 case COL_DEF_NET_DST:
4083 case COL_RES_NET_DST:
4084 case COL_UNRES_NET_DST:
4085 switch (cf->cinfo.columns[i+1].col_fmt) {
4087 case COL_DEF_NET_SRC:
4088 case COL_RES_NET_SRC:
4089 case COL_UNRES_NET_SRC:
4090 put_string(line_bufp + buf_offset, " <- ", 4);
4095 put_string(line_bufp + buf_offset, " ", 1);
4102 put_string(line_bufp + buf_offset, " ", 1);
4108 return print_line(print_stream, 0, line_bufp);
4112 print_packet(capture_file *cf, epan_dissect_t *edt)
4114 print_args_t print_args;
4116 if (print_summary || output_fields_has_cols(output_fields)) {
4117 /* Just fill in the columns. */
4118 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4120 if (print_summary) {
4121 /* Now print them. */
4122 switch (output_action) {
4125 if (!print_columns(cf))
4130 write_psml_columns(edt, stdout);
4131 return !ferror(stdout);
4132 case WRITE_FIELDS: /*No non-verbose "fields" format */
4133 g_assert_not_reached();
4138 if (print_details) {
4139 /* Print the information in the protocol tree. */
4140 switch (output_action) {
4143 /* Only initialize the fields that are actually used in proto_tree_print.
4144 * This is particularly important for .range, as that's heap memory which
4145 * we would otherwise have to g_free().
4146 print_args.to_file = TRUE;
4147 print_args.format = print_format;
4148 print_args.print_summary = print_summary;
4149 print_args.print_formfeed = FALSE;
4150 packet_range_init(&print_args.range, &cfile);
4152 print_args.print_hex = print_hex;
4153 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4155 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4158 if (!print_line(print_stream, 0, separator))
4164 write_pdml_proto_tree(edt, stdout);
4166 return !ferror(stdout);
4168 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4170 return !ferror(stdout);
4174 if (print_summary || print_details) {
4175 if (!print_line(print_stream, 0, ""))
4178 if (!print_hex_data(print_stream, edt))
4180 if (!print_line(print_stream, 0, separator))
4189 switch (output_action) {
4192 return print_finale(print_stream);
4196 write_pdml_finale(stdout);
4198 write_psml_finale(stdout);
4199 return !ferror(stdout);
4202 write_fields_finale(output_fields, stdout);
4203 return !ferror(stdout);
4206 g_assert_not_reached();
4212 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4216 char err_msg[2048+1];
4218 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4222 /* The open succeeded. Fill in the information for this file. */
4224 /* Create new epan session for dissection. */
4225 epan_free(cf->epan);
4226 cf->epan = tshark_epan_new(cf);
4229 cf->f_datalen = 0; /* not used, but set it anyway */
4231 /* Set the file name because we need it to set the follow stream filter.
4232 XXX - is that still true? We need it for other reasons, though,
4234 cf->filename = g_strdup(fname);
4236 /* Indicate whether it's a permanent or temporary file. */
4237 cf->is_tempfile = is_tempfile;
4239 /* No user changes yet. */
4240 cf->unsaved_changes = FALSE;
4242 cf->cd_t = wtap_file_type_subtype(cf->wth);
4243 cf->open_type = type;
4245 cf->drops_known = FALSE;
4247 cf->snap = wtap_snapshot_length(cf->wth);
4248 if (cf->snap == 0) {
4249 /* Snapshot length not known. */
4250 cf->has_snap = FALSE;
4251 cf->snap = WTAP_MAX_PACKET_SIZE;
4253 cf->has_snap = TRUE;
4254 nstime_set_zero(&cf->elapsed_time);
4259 cf->state = FILE_READ_IN_PROGRESS;
4261 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4262 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4267 g_snprintf(err_msg, sizeof err_msg,
4268 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4269 cmdarg_err("%s", err_msg);
4274 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4276 char *save_file_string;
4278 save_file_string = output_file_description(fname);
4283 cmdarg_err("Not all the packets could be written to the %s because there is "
4284 "no space left on the file system.",
4290 cmdarg_err("Not all the packets could be written to the %s because you are "
4291 "too close to, or over your disk quota.",
4296 case WTAP_ERR_CANT_CLOSE:
4297 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4301 case WTAP_ERR_SHORT_WRITE:
4302 cmdarg_err("Not all the packets could be written to the %s.",
4308 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4309 wtap_strerror(err));
4311 cmdarg_err("An error occurred while writing to the %s: %s.",
4312 save_file_string, wtap_strerror(err));
4316 g_free(save_file_string);
4320 show_print_file_io_error(int err)
4325 cmdarg_err("Not all the packets could be printed because there is "
4326 "no space left on the file system.");
4331 cmdarg_err("Not all the packets could be printed because you are "
4332 "too close to, or over your disk quota.");
4337 cmdarg_err("An error occurred while printing packets: %s.",
4344 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4348 static char errmsg_errno[1024+1];
4351 /* Wiretap error. */
4354 case WTAP_ERR_NOT_REGULAR_FILE:
4355 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4358 case WTAP_ERR_RANDOM_OPEN_PIPE:
4359 /* Seen only when opening a capture file for reading. */
4360 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4363 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4364 /* Seen only when opening a capture file for reading. */
4365 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4368 case WTAP_ERR_UNSUPPORTED:
4369 /* Seen only when opening a capture file for reading. */
4370 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4371 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4373 err_info != NULL ? err_info : "no information supplied");
4375 errmsg = errmsg_errno;
4378 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4379 /* Seen only when opening a capture file for writing. */
4380 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4381 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4382 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4383 errmsg = errmsg_errno;
4386 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4387 /* Seen only when opening a capture file for writing. */
4388 errmsg = "TShark doesn't support writing capture files in that format.";
4391 case WTAP_ERR_UNWRITABLE_ENCAP:
4392 /* Seen only when opening a capture file for writing. */
4393 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4394 "TShark can't save this capture as a \"%s\" file.",
4395 wtap_file_type_subtype_short_string(file_type));
4396 errmsg = errmsg_errno;
4399 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4401 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4402 "TShark can't save this capture as a \"%s\" file.",
4403 wtap_file_type_subtype_short_string(file_type));
4404 errmsg = errmsg_errno;
4406 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4409 case WTAP_ERR_BAD_FILE:
4410 /* Seen only when opening a capture file for reading. */
4411 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4412 "The file \"%%s\" appears to be damaged or corrupt.\n"
4414 err_info != NULL ? err_info : "no information supplied");
4416 errmsg = errmsg_errno;
4419 case WTAP_ERR_CANT_OPEN:
4421 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4423 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4426 case WTAP_ERR_SHORT_READ:
4427 errmsg = "The file \"%s\" appears to have been cut short"
4428 " in the middle of a packet or other data.";
4431 case WTAP_ERR_SHORT_WRITE:
4432 errmsg = "A full header couldn't be written to the file \"%s\".";
4435 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4436 errmsg = "This file type cannot be written as a compressed file.";
4439 case WTAP_ERR_DECOMPRESS:
4440 /* Seen only when opening a capture file for reading. */
4441 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4442 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4444 err_info != NULL ? err_info : "no information supplied");
4446 errmsg = errmsg_errno;
4450 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4451 "The file \"%%s\" could not be %s: %s.",
4452 for_writing ? "created" : "opened",
4453 wtap_strerror(err));
4454 errmsg = errmsg_errno;
4458 errmsg = file_open_error_message(err, for_writing);
4463 * Open/create errors are reported with an console message in TShark.
4466 open_failure_message(const char *filename, int err, gboolean for_writing)
4468 fprintf(stderr, "tshark: ");
4469 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4470 fprintf(stderr, "\n");
4474 * General errors are reported with an console message in TShark.
4477 failure_message(const char *msg_format, va_list ap)
4479 fprintf(stderr, "tshark: ");
4480 vfprintf(stderr, msg_format, ap);
4481 fprintf(stderr, "\n");
4485 * Read errors are reported with an console message in TShark.
4488 read_failure_message(const char *filename, int err)
4490 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4491 filename, g_strerror(err));
4495 * Write errors are reported with an console message in TShark.
4498 write_failure_message(const char *filename, int err)
4500 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4501 filename, g_strerror(err));
4505 * Report additional information for an error in command-line arguments.
4508 failure_message_cont(const char *msg_format, va_list ap)
4510 vfprintf(stderr, msg_format, ap);
4511 fprintf(stderr, "\n");
4515 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4520 * indent-tabs-mode: nil
4523 * vi: set shiftwidth=2 tabstop=8 expandtab:
4524 * :indentSize=2:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob