3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 # include <sys/capability.h>
47 #ifndef HAVE_GETOPT_LONG
48 #include "wsutil/wsgetopt.h"
53 #include <epan/exceptions.h>
54 #include <epan/epan-int.h>
55 #include <epan/epan.h>
57 #include <wsutil/clopts_common.h>
58 #include <wsutil/cmdarg_err.h>
59 #include <wsutil/crash_info.h>
60 #include <wsutil/filesystem.h>
61 #include <wsutil/file_util.h>
62 #include <wsutil/privileges.h>
63 #include <wsutil/report_message.h>
64 #include <ws_version_info.h>
65 #include <wiretap/wtap_opttypes.h>
66 #include <wiretap/pcapng.h>
69 #include <epan/timestamp.h>
70 #include <epan/packet.h>
72 #include <epan/wslua/init_wslua.h>
74 #include "frame_tvbuff.h"
75 #include <epan/disabled_protos.h>
76 #include <epan/prefs.h>
77 #include <epan/column.h>
78 #include <epan/decode_as.h>
79 #include <epan/print.h>
80 #include <epan/addr_resolv.h>
82 #include "ui/capture_ui_utils.h"
85 #include "ui/ui_util.h"
86 #include "ui/decode_as_utils.h"
87 #include "ui/filter_files.h"
88 #include "ui/cli/tshark-tap.h"
89 #include "ui/cli/tap-exportobject.h"
90 #include "ui/tap_export_pdu.h"
91 #include "ui/dissect_opts.h"
92 #include "ui/failure_message.h"
93 #if defined(HAVE_LIBSMI)
94 #include "epan/oids.h"
96 #if defined(HAVE_GEOIP)
97 #include "epan/geoip_db.h"
100 #include <epan/epan_dissect.h>
101 #include <epan/tap.h>
102 #include <epan/stat_tap_ui.h>
103 #include <epan/conversation_table.h>
104 #include <epan/srt_table.h>
105 #include <epan/rtd_table.h>
106 #include <epan/ex-opt.h>
107 #include <epan/exported_pdu.h>
109 #include "capture_opts.h"
111 #include "caputils/capture-pcap-util.h"
114 #include "caputils/capture_ifinfo.h"
116 #include "caputils/capture-wpcap.h"
117 #include <wsutil/os_version_info.h>
118 #include <wsutil/unicode-utils.h>
120 #include <capchild/capture_session.h>
121 #include <capchild/capture_sync.h>
122 #include <capture_info.h>
123 #endif /* HAVE_LIBPCAP */
125 #include <epan/funnel.h>
127 #include <wsutil/str_util.h>
128 #include <wsutil/utf8_entities.h>
135 #include <wsutil/plugins.h>
139 #define INVALID_OPTION 1
140 #define INVALID_INTERFACE 2
141 #define INVALID_FILE 2
142 #define INVALID_FILTER 2
143 #define INVALID_EXPORT 2
144 #define INVALID_CAPABILITY 2
145 #define INVALID_TAP 2
146 #define INVALID_DATA_LINK 2
147 #define INVALID_CAPTURE 2
148 #define INIT_FAILED 2
151 #define tshark_debug(...) g_warning(__VA_ARGS__)
153 #define tshark_debug(...)
156 static guint32 cum_bytes;
157 static const frame_data *ref;
158 static frame_data ref_frame;
159 static frame_data *prev_dis;
160 static frame_data prev_dis_frame;
161 static frame_data *prev_cap;
162 static frame_data prev_cap_frame;
164 static gboolean perform_two_pass_analysis;
165 static guint32 epan_auto_reset_count = 0;
166 static gboolean epan_auto_reset = FALSE;
169 * The way the packet decode is to be written.
172 WRITE_TEXT, /* summary or detail text */
173 WRITE_XML, /* PDML or PSML */
174 WRITE_FIELDS, /* User defined list of fields */
175 WRITE_JSON, /* JSON */
176 WRITE_JSON_RAW, /* JSON only raw hex */
177 WRITE_EK /* JSON bulk insert to Elasticsearch */
178 /* Add CSV and the like here */
181 static output_action_e output_action;
182 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
183 static gboolean print_packet_info; /* TRUE if we're to print packet information */
184 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
185 static gboolean print_details; /* TRUE if we're to print packet details information */
186 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
187 static gboolean line_buffered;
188 static gboolean really_quiet = FALSE;
189 static gchar* delimiter_char = " ";
191 static print_format_e print_format = PR_FMT_TEXT;
192 static print_stream_t *print_stream = NULL;
194 static output_fields_t* output_fields = NULL;
195 static gchar **protocolfilter = NULL;
196 static pf_flags protocolfilter_flags = PF_NONE;
198 /* The line separator used between packets, changeable via the -S option */
199 static const char *separator = "";
203 * TRUE if we're to print packet counts to keep track of captured packets.
205 static gboolean print_packet_counts;
207 static capture_options global_capture_opts;
208 static capture_session global_capture_session;
209 static info_data_t global_info_data;
212 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
213 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
216 static gboolean capture(void);
217 static void report_counts(void);
219 static BOOL WINAPI capture_cleanup(DWORD);
221 static void capture_cleanup(int);
223 static void report_counts_siginfo(int);
227 #else /* HAVE_LIBPCAP */
229 static char *output_file_name;
231 #endif /* HAVE_LIBPCAP */
233 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
234 static gboolean process_cap_file(capture_file *, char *, int, gboolean, int, gint64);
235 static gboolean process_packet_single_pass(capture_file *cf,
236 epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
237 const guchar *pd, guint tap_flags);
238 static void show_print_file_io_error(int err);
239 static gboolean write_preamble(capture_file *cf);
240 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
241 static gboolean write_finale(void);
243 static void failure_warning_message(const char *msg_format, va_list ap);
244 static void open_failure_message(const char *filename, int err,
245 gboolean for_writing);
246 static void read_failure_message(const char *filename, int err);
247 static void write_failure_message(const char *filename, int err);
248 static void failure_message_cont(const char *msg_format, va_list ap);
252 static GHashTable *output_only_tables = NULL;
255 const char *sstr; /* The short string */
256 const char *lstr; /* The long string */
260 string_compare(gconstpointer a, gconstpointer b)
262 return strcmp(((const struct string_elem *)a)->sstr,
263 ((const struct string_elem *)b)->sstr);
267 string_elem_print(gpointer data, gpointer not_used _U_)
269 fprintf(stderr, " %s - %s\n",
270 ((struct string_elem *)data)->sstr,
271 ((struct string_elem *)data)->lstr);
275 list_capture_types(void) {
277 struct string_elem *captypes;
280 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
282 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
283 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
284 if (wtap_dump_can_open(i)) {
285 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
286 captypes[i].lstr = wtap_file_type_subtype_string(i);
287 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
290 g_slist_foreach(list, string_elem_print, NULL);
296 list_read_capture_types(void) {
298 struct string_elem *captypes;
300 const char *magic = "Magic-value-based";
301 const char *heuristic = "Heuristics-based";
303 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
304 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
306 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
307 for (i = 0; open_routines[i].name != NULL; i++) {
308 captypes[i].sstr = open_routines[i].name;
309 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
310 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
312 g_slist_foreach(list, string_elem_print, NULL);
318 print_usage(FILE *output)
320 fprintf(output, "\n");
321 fprintf(output, "Usage: tshark [options] ...\n");
322 fprintf(output, "\n");
325 fprintf(output, "Capture interface:\n");
326 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
327 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
328 fprintf(output, " -s <snaplen> packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE);
329 fprintf(output, " -p don't capture in promiscuous mode\n");
330 #ifdef HAVE_PCAP_CREATE
331 fprintf(output, " -I capture in monitor mode, if available\n");
333 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
334 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
336 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
337 fprintf(output, " -D print list of interfaces and exit\n");
338 fprintf(output, " -L print list of link-layer types of iface and exit\n");
339 fprintf(output, "\n");
340 fprintf(output, "Capture stop conditions:\n");
341 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
342 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
343 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
344 fprintf(output, " files:NUM - stop after NUM files\n");
345 /*fprintf(output, "\n");*/
346 fprintf(output, "Capture output:\n");
347 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
348 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
349 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
350 #endif /* HAVE_LIBPCAP */
351 #ifdef HAVE_PCAP_REMOTE
352 fprintf(output, "RPCAP options:\n");
353 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
355 /*fprintf(output, "\n");*/
356 fprintf(output, "Input file:\n");
357 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
359 fprintf(output, "\n");
360 fprintf(output, "Processing:\n");
361 fprintf(output, " -2 perform a two-pass analysis\n");
362 fprintf(output, " -M <packet count> perform session auto reset\n");
363 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
364 fprintf(output, " (requires -2)\n");
365 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
366 fprintf(output, " syntax\n");
367 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
368 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
369 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
370 fprintf(output, " \"Decode As\", see the man page for details\n");
371 fprintf(output, " Example: tcp.port==8888,http\n");
372 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
373 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
374 fprintf(output, " --enable-protocol <proto_name>\n");
375 fprintf(output, " enable dissection of proto_name\n");
376 fprintf(output, " --disable-protocol <proto_name>\n");
377 fprintf(output, " disable dissection of proto_name\n");
378 fprintf(output, " --enable-heuristic <short_name>\n");
379 fprintf(output, " enable dissection of heuristic protocol\n");
380 fprintf(output, " --disable-heuristic <short_name>\n");
381 fprintf(output, " disable dissection of heuristic protocol\n");
383 /*fprintf(output, "\n");*/
384 fprintf(output, "Output:\n");
385 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
386 fprintf(output, " (or to the standard output for \"-\")\n");
387 fprintf(output, " -C <config profile> start with specified configuration profile\n");
388 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
389 fprintf(output, " an empty \"-F\" option will list the file types\n");
390 fprintf(output, " -V add output of packet tree (Packet Details)\n");
391 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
392 fprintf(output, " separated\n");
393 fprintf(output, " -P print packet summary even when writing to a file\n");
394 fprintf(output, " -S <separator> the line separator to print between packets\n");
395 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
396 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
397 fprintf(output, " format of text output (def: text)\n");
398 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
399 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
400 fprintf(output, " nodes, unless child is specified also in the filter)\n");
401 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
402 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
403 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
404 fprintf(output, " _ws.col.Info)\n");
405 fprintf(output, " this option can be repeated to print multiple fields\n");
406 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
407 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
408 fprintf(output, " header=y|n switch headers on and off\n");
409 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
410 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
411 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
412 fprintf(output, " aggregator\n");
413 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
414 fprintf(output, " -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)\n");
415 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
416 fprintf(output, " -l flush standard output after each packet\n");
417 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
418 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
419 fprintf(output, " -g enable group read access on the output file(s)\n");
420 fprintf(output, " -W n Save extra information in the file, if supported.\n");
421 fprintf(output, " n = write network address resolution information\n");
422 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
423 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
424 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
425 fprintf(output, " --capture-comment <comment>\n");
426 fprintf(output, " add a capture comment to the newly created\n");
427 fprintf(output, " output file (only for pcapng)\n");
428 fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
429 fprintf(output, " a directory named \"destdir\"\n");
431 fprintf(output, "\n");
432 fprintf(output, "Miscellaneous:\n");
433 fprintf(output, " -h display this help and exit\n");
434 fprintf(output, " -v display version info and exit\n");
435 fprintf(output, " -o <name>:<value> ... override preference setting\n");
436 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
437 fprintf(output, " -G [report] dump one of several available reports and exit\n");
438 fprintf(output, " default report=\"fields\"\n");
439 fprintf(output, " use \"-G ?\" for more help\n");
441 fprintf(output, "\n");
442 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
443 fprintf(output, "You might want to reset it\n");
444 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
445 fprintf(output, "\n");
451 glossary_option_help(void)
457 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
459 fprintf(output, "\n");
460 fprintf(output, "Usage: tshark -G [report]\n");
461 fprintf(output, "\n");
462 fprintf(output, "Glossary table reports:\n");
463 fprintf(output, " -G column-formats dump column format codes and exit\n");
464 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
465 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
466 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
467 fprintf(output, " -G fields dump fields glossary and exit\n");
468 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
469 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
470 fprintf(output, " -G plugins dump installed plugins and exit\n");
471 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
472 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
473 fprintf(output, "\n");
474 fprintf(output, "Preference reports:\n");
475 fprintf(output, " -G currentprefs dump current preferences and exit\n");
476 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
477 fprintf(output, " -G folders dump about:folders\n");
478 fprintf(output, "\n");
482 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
483 const gchar *message, gpointer user_data)
485 /* ignore log message, if log_level isn't interesting based
486 upon the console log preferences.
487 If the preferences haven't been loaded loaded yet, display the
490 The default console_log_level preference value is such that only
491 ERROR, CRITICAL and WARNING level messages are processed;
492 MESSAGE, INFO and DEBUG level messages are ignored.
494 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
495 ERROR and CRITICAL level messages so the current code is a behavioral
496 change. The current behavior is the same as in Wireshark.
498 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
499 prefs.console_log_level != 0) {
503 g_log_default_handler(log_domain, log_level, message, user_data);
508 print_current_user(void) {
509 gchar *cur_user, *cur_group;
511 if (started_with_special_privs()) {
512 cur_user = get_cur_username();
513 cur_group = get_cur_groupname();
514 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
515 cur_user, cur_group);
518 if (running_with_special_privs()) {
519 fprintf(stderr, " This could be dangerous.");
521 fprintf(stderr, "\n");
526 get_tshark_compiled_version_info(GString *str)
528 /* Capture libraries */
529 get_compiled_caplibs_version(str);
533 get_tshark_runtime_version_info(GString *str)
536 /* Capture libraries */
537 g_string_append(str, ", ");
538 get_runtime_caplibs_version(str);
541 /* stuff used by libwireshark */
542 epan_get_runtime_version_info(str);
548 const char *constpath;
550 #if defined(HAVE_LIBSMI) || defined(HAVE_GEOIP) || defined(HAVE_EXTCAP)
558 * Fetching the "File" dialogs folder not implemented.
559 * This is arguably just a pwd for a ui/cli .
563 printf("%-21s\t%s\n", "Temp:", g_get_tmp_dir());
566 path = get_persconffile_path("", FALSE);
567 printf("%-21s\t%s\n", "Personal configuration:", path);
571 constpath = get_datafile_dir();
572 if (constpath != NULL) {
573 printf("%-21s\t%s\n", "Global configuration:", constpath);
577 constpath = get_systemfile_dir();
578 printf("%-21s\t%s\n", "System:", constpath);
581 constpath = get_progfile_dir();
582 printf("%-21s\t%s\n", "Program:", constpath);
584 #if defined(HAVE_PLUGINS) || defined(HAVE_LUA)
586 path = get_plugins_pers_dir();
588 printf("%-21s\t%s\n", "Personal Plugins:", path);
593 printf("%-21s\t%s\n", "Global Plugins:", get_plugin_dir());
598 path = geoip_db_get_paths();
600 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
602 for(i = 0; resultArray[i]; i++)
603 printf("%-21s\t%s\n", "GeoIP path:", g_strstrip(resultArray[i]));
605 g_strfreev(resultArray);
611 path = oid_get_default_mib_path();
612 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
614 for(i = 0; resultArray[i]; i++)
615 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
617 g_strfreev(resultArray);
623 constpath = get_extcap_dir();
625 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
626 for(i = 0; resultArray[i]; i++)
627 printf("%-21s\t%s\n", "Extcap path:", g_strstrip(resultArray[i]));
629 g_strfreev(resultArray);
635 main(int argc, char *argv[])
637 GString *comp_info_str;
638 GString *runtime_info_str;
639 char *init_progfile_dir_error;
641 static const struct option long_options[] = {
642 {"help", no_argument, NULL, 'h'},
643 {"version", no_argument, NULL, 'v'},
644 LONGOPT_CAPTURE_COMMON
645 LONGOPT_DISSECT_COMMON
646 {"export-objects", required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
649 gboolean arg_error = FALSE;
657 volatile gboolean success;
658 volatile int exit_status = EXIT_SUCCESS;
660 gboolean list_link_layer_types = FALSE;
661 gboolean start_capture = FALSE;
665 gboolean capture_option_specified = FALSE;
667 gboolean quiet = FALSE;
668 #ifdef PCAP_NG_DEFAULT
669 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
671 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
673 volatile gboolean out_file_name_res = FALSE;
674 volatile int in_file_type = WTAP_TYPE_AUTO;
675 gchar *volatile cf_name = NULL;
676 gchar *rfilter = NULL;
677 gchar *dfilter = NULL;
678 #ifdef HAVE_PCAP_OPEN_DEAD
679 struct bpf_program fcode;
681 dfilter_t *rfcode = NULL;
682 dfilter_t *dfcode = NULL;
686 gchar *output_only = NULL;
687 gchar *volatile pdu_export_arg = NULL;
688 const char *volatile exp_pdu_filename = NULL;
689 exp_pdu_t exp_pdu_tap_data;
692 * The leading + ensures that getopt_long() does not permute the argv[]
695 * We have to make sure that the first getopt_long() preserves the content
696 * of argv[] for the subsequent getopt_long() call.
698 * We use getopt_long() in both cases to ensure that we're using a routine
699 * whose permutation behavior we can control in the same fashion on all
700 * platforms, and so that, if we ever need to process a long argument before
701 * doing further initialization, we can do so.
703 * Glibc and Solaris libc document that a leading + disables permutation
704 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
705 * and macOS don't document it, but do so anyway.
707 * We do *not* use a leading - because the behavior of a leading - is
708 * platform-dependent.
710 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQr:R:S:T:U:vVw:W:xX:Y:z:"
712 static const char optstring[] = OPTSTRING;
714 tshark_debug("tshark started with %d args", argc);
716 /* Set the C-language locale to the native environment. */
717 setlocale(LC_ALL, "");
719 cmdarg_err_init(failure_warning_message, failure_message_cont);
722 arg_list_utf_16to8(argc, argv);
723 create_app_running_mutex();
724 #if !GLIB_CHECK_VERSION(2,31,0)
730 * Get credential information for later use, and drop privileges
731 * before doing anything else.
732 * Let the user know if anything happened.
734 init_process_policies();
735 relinquish_special_privs_perm();
736 print_current_user();
739 * Attempt to get the pathname of the directory containing the
742 init_progfile_dir_error = init_progfile_dir(argv[0], main);
743 if (init_progfile_dir_error != NULL) {
745 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
746 "It won't be possible to capture traffic.\n"
747 "Report this to the Wireshark developers.",
748 init_progfile_dir_error);
749 g_free(init_progfile_dir_error);
752 initialize_funnel_ops();
755 ws_init_dll_search_path();
756 /* Load wpcap if possible. Do this before collecting the run-time version information */
759 /* Warn the user if npf.sys isn't loaded. */
760 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
761 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
762 "capturing or\nlisting interfaces.\n");
766 /* Get the compile-time version information string */
767 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
768 epan_get_compiled_version_info);
770 /* Get the run-time version information string */
771 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
773 /* Add it to the information to be reported on a crash. */
774 ws_add_crash_info("TShark (Wireshark) %s\n"
779 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
780 g_string_free(comp_info_str, TRUE);
781 g_string_free(runtime_info_str, TRUE);
783 /* Fail sometimes. Useful for testing fuzz scripts. */
784 /* if (g_random_int_range(0, 100) < 5) abort(); */
787 * In order to have the -X opts assigned before the wslua machine starts
788 * we need to call getopt_long before epan_init() gets called.
790 * In order to handle, for example, -o options, we also need to call it
791 * *after* epan_init() gets called, so that the dissectors have had a
792 * chance to register their preferences.
794 * XXX - can we do this all with one getopt_long() call, saving the
795 * arguments we can't handle until after initializing libwireshark,
796 * and then process them after initializing libwireshark?
800 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
802 case 'C': /* Configuration Profile */
803 if (profile_exists (optarg, FALSE)) {
804 set_profile_name (optarg);
806 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
807 exit_status = INVALID_OPTION;
811 case 'P': /* Print packet summary info even when writing to a file */
812 print_packet_info = TRUE;
813 print_summary = TRUE;
815 case 'O': /* Only output these protocols */
816 output_only = g_strdup(optarg);
818 case 'V': /* Verbose */
819 print_details = TRUE;
820 print_packet_info = TRUE;
822 case 'x': /* Print packet data in hex (and ASCII) */
824 /* The user asked for hex output, so let's ensure they get it,
825 * even if they're writing to a file.
827 print_packet_info = TRUE;
838 * Print packet summary information is the default, unless either -V or -x
839 * were specified and -P was not. Note that this is new behavior, which
840 * allows for the possibility of printing only hex/ascii output without
841 * necessarily requiring that either the summary or details be printed too.
843 if (print_summary == -1)
844 print_summary = (print_details || print_hex) ? FALSE : TRUE;
846 /** Send All g_log messages to our own handler **/
850 G_LOG_LEVEL_CRITICAL|
855 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
857 g_log_set_handler(NULL,
858 (GLogLevelFlags)log_flags,
859 tshark_log_handler, NULL /* user_data */);
860 g_log_set_handler(LOG_DOMAIN_MAIN,
861 (GLogLevelFlags)log_flags,
862 tshark_log_handler, NULL /* user_data */);
865 g_log_set_handler(LOG_DOMAIN_CAPTURE,
866 (GLogLevelFlags)log_flags,
867 tshark_log_handler, NULL /* user_data */);
868 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
869 (GLogLevelFlags)log_flags,
870 tshark_log_handler, NULL /* user_data */);
873 init_report_message(failure_warning_message, failure_warning_message,
874 open_failure_message, read_failure_message,
875 write_failure_message);
878 capture_opts_init(&global_capture_opts);
879 capture_session_init(&global_capture_session, &cfile);
882 timestamp_set_type(TS_RELATIVE);
883 timestamp_set_precision(TS_PREC_AUTO);
884 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
889 /* Register all the plugin types we have. */
890 epan_register_plugin_types(); /* Types known to libwireshark */
892 /* Scan for plugins. This does *not* call their registration routines;
893 that's done later. */
894 scan_plugins(REPORT_LOAD_FAILURE);
896 /* Register all libwiretap plugin modules. */
897 register_all_wiretap_modules();
900 /* Register all dissectors; we must do this before checking for the
901 "-G" flag, as the "-G" flag dumps information registered by the
902 dissectors, and we must do it before we read the preferences, in
903 case any dissectors register preferences. */
904 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
906 exit_status = INIT_FAILED;
910 /* Register all tap listeners; we do this before we parse the arguments,
911 as the "-z" argument can specify a registered tap. */
913 /* we register the plugin taps before the other taps because
914 stats_tree taps plugins will be registered as tap listeners
915 by stats_tree_stat.c and need to registered before that */
917 register_all_plugin_tap_listeners();
920 extcap_register_preferences();
922 register_all_tap_listeners();
923 conversation_table_set_gui_info(init_iousers);
924 hostlist_table_set_gui_info(init_hostlists);
925 srt_table_iterate_tables(register_srt_tables, NULL);
926 rtd_table_iterate_tables(register_rtd_tables, NULL);
927 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
929 /* If invoked with the "-G" flag, we dump out information based on
930 the argument to the "-G" flag; if no argument is specified,
931 for backwards compatibility we dump out a glossary of display
934 XXX - we do this here, for now, to support "-G" with no arguments.
935 If none of our build or other processes uses "-G" with no arguments,
936 we can just process it with the other arguments. */
937 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
938 proto_initialize_all_prefixes();
941 proto_registrar_dump_fields();
943 if (strcmp(argv[2], "column-formats") == 0)
944 column_dump_column_formats();
945 else if (strcmp(argv[2], "currentprefs") == 0) {
946 epan_load_settings();
949 else if (strcmp(argv[2], "decodes") == 0)
950 dissector_dump_decodes();
951 else if (strcmp(argv[2], "defaultprefs") == 0)
953 else if (strcmp(argv[2], "dissector-tables") == 0)
954 dissector_dump_dissector_tables();
955 else if (strcmp(argv[2], "fieldcount") == 0) {
956 /* return value for the test suite */
957 exit_status = proto_registrar_dump_fieldcount();
959 } else if (strcmp(argv[2], "fields") == 0)
960 proto_registrar_dump_fields();
961 else if (strcmp(argv[2], "folders") == 0)
963 else if (strcmp(argv[2], "ftypes") == 0)
964 proto_registrar_dump_ftypes();
965 else if (strcmp(argv[2], "heuristic-decodes") == 0)
966 dissector_dump_heur_decodes();
967 else if (strcmp(argv[2], "plugins") == 0) {
972 wslua_plugins_dump_all();
975 else if (strcmp(argv[2], "protocols") == 0)
976 proto_registrar_dump_protocols();
977 else if (strcmp(argv[2], "values") == 0)
978 proto_registrar_dump_values();
979 else if (strcmp(argv[2], "?") == 0)
980 glossary_option_help();
981 else if (strcmp(argv[2], "-?") == 0)
982 glossary_option_help();
984 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
985 exit_status = INVALID_OPTION;
989 exit_status = EXIT_SUCCESS;
993 tshark_debug("tshark reading settings");
995 /* Load libwireshark settings from the current profile. */
996 prefs_p = epan_load_settings();
998 read_filter_list(CFILTER_LIST);
1000 cap_file_init(&cfile);
1002 /* Print format defaults to this. */
1003 print_format = PR_FMT_TEXT;
1004 delimiter_char = " ";
1006 output_fields = output_fields_new();
1009 * To reset the options parser, set optreset to 1 on platforms that
1010 * have optreset (documented in *BSD and macOS, apparently present but
1011 * not documented in Solaris - the Illumos repository seems to
1012 * suggest that the first Solaris getopt_long(), at least as of 2004,
1013 * was based on the NetBSD one, it had optreset) and set optind to 1,
1014 * and set optind to 0 otherwise (documented as working in the GNU
1015 * getopt_long(). Setting optind to 0 didn't originally work in the
1016 * NetBSD one, but that was added later - we don't want to depend on
1017 * it if we have optreset).
1019 * Also reset opterr to 1, so that error messages are printed by
1022 #ifdef HAVE_OPTRESET
1030 /* Now get our args */
1031 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1033 case '2': /* Perform two pass analysis */
1034 if(epan_auto_reset){
1035 cmdarg_err("-2 does not support auto session reset.");
1038 perform_two_pass_analysis = TRUE;
1041 if(perform_two_pass_analysis){
1042 cmdarg_err("-M does not support two pass analysis.");
1045 epan_auto_reset_count = get_positive_int(optarg, "epan reset count");
1046 epan_auto_reset = TRUE;
1048 case 'a': /* autostop criteria */
1049 case 'b': /* Ringbuffer option */
1050 case 'c': /* Capture x packets */
1051 case 'f': /* capture filter */
1052 case 'g': /* enable group read access on file(s) */
1053 case 'i': /* Use interface x */
1054 case 'p': /* Don't capture in promiscuous mode */
1055 #ifdef HAVE_PCAP_REMOTE
1056 case 'A': /* Authentication */
1058 #ifdef HAVE_PCAP_CREATE
1059 case 'I': /* Capture in monitor mode, if available */
1061 case 's': /* Set the snapshot (capture) length */
1062 case 'w': /* Write to capture file x */
1063 case 'y': /* Set the pcap data link type */
1064 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1065 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1066 case 'B': /* Buffer size */
1069 exit_status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1070 if (exit_status != 0) {
1076 * Output file name, if we're reading a file and writing to another
1079 output_file_name = optarg;
1081 capture_option_specified = TRUE;
1087 /* already processed; just ignore it now */
1089 case 'D': /* Print a list of capture devices and exit */
1091 if_list = capture_interface_list(&err, &err_str,NULL);
1092 if (if_list == NULL) {
1094 cmdarg_err("There are no interfaces on which a capture can be done");
1096 cmdarg_err("%s", err_str);
1099 exit_status = INVALID_INTERFACE;
1102 capture_opts_print_interfaces(if_list);
1103 free_interface_list(if_list);
1104 exit_status = EXIT_SUCCESS;
1107 capture_option_specified = TRUE;
1113 output_fields_add(output_fields, optarg);
1117 if (!output_fields_set_option(output_fields, optarg)) {
1118 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1119 output_fields_list_options(stderr);
1120 exit_status = INVALID_OPTION;
1125 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1126 if (out_file_type < 0) {
1127 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1128 list_capture_types();
1129 exit_status = INVALID_OPTION;
1134 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1137 protocolfilter_flags = PF_INCLUDE_CHILDREN;
1138 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1140 case 'W': /* Select extra information to save in our capture file */
1141 /* This is patterned after the -N flag which may not be the best idea. */
1142 if (strchr(optarg, 'n')) {
1143 out_file_name_res = TRUE;
1145 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1146 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1147 exit_status = INVALID_OPTION;
1151 case 'H': /* Read address to name mappings from a hosts file */
1152 if (! add_hosts_file(optarg))
1154 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1155 exit_status = INVALID_OPTION;
1158 out_file_name_res = TRUE;
1161 case 'h': /* Print help and exit */
1162 printf("TShark (Wireshark) %s\n"
1163 "Dump and analyze network traffic.\n"
1164 "See https://www.wireshark.org for more information.\n",
1165 get_ws_vcs_version_info());
1166 print_usage(stdout);
1167 exit_status = EXIT_SUCCESS;
1170 case 'l': /* "Line-buffer" standard output */
1171 /* The ANSI C standard does not appear to *require* that a line-buffered
1172 stream be flushed to the host environment whenever a newline is
1173 written, it just says that, on such a stream, characters "are
1174 intended to be transmitted to or from the host environment as a
1175 block when a new-line character is encountered".
1177 The Visual C++ 6.0 C implementation doesn't do what is intended;
1178 even if you set a stream to be line-buffered, it still doesn't
1179 flush the buffer at the end of every line.
1181 The whole reason for the "-l" flag in either tcpdump or TShark
1182 is to allow the output of a live capture to be piped to a program
1183 or script and to have that script see the information for the
1184 packet as soon as it's printed, rather than having to wait until
1185 a standard I/O buffer fills up.
1187 So, if the "-l" flag is specified, we flush the standard output
1188 at the end of a packet. This will do the right thing if we're
1189 printing packet summary lines, and, as we print the entire protocol
1190 tree for a single packet without waiting for anything to happen,
1191 it should be as good as line-buffered mode if we're printing
1192 protocol trees - arguably even better, as it may do fewer
1194 line_buffered = TRUE;
1196 case 'L': /* Print list of link-layer types and exit */
1198 list_link_layer_types = TRUE;
1200 capture_option_specified = TRUE;
1204 case 'o': /* Override preference from command line */
1205 switch (prefs_set_pref(optarg)) {
1210 case PREFS_SET_SYNTAX_ERR:
1211 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1212 exit_status = INVALID_OPTION;
1216 case PREFS_SET_NO_SUCH_PREF:
1217 case PREFS_SET_OBSOLETE:
1218 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1219 exit_status = INVALID_OPTION;
1224 case 'q': /* Quiet */
1227 case 'Q': /* Really quiet */
1229 really_quiet = TRUE;
1231 case 'r': /* Read capture file x */
1232 cf_name = g_strdup(optarg);
1234 case 'R': /* Read file filter */
1238 /* already processed; just ignore it now */
1240 case 'S': /* Set the line Separator to be printed between packets */
1243 case 'T': /* printing Type */
1244 print_packet_info = TRUE;
1245 if (strcmp(optarg, "text") == 0) {
1246 output_action = WRITE_TEXT;
1247 print_format = PR_FMT_TEXT;
1248 } else if (strcmp(optarg, "tabs") == 0) {
1249 output_action = WRITE_TEXT;
1250 print_format = PR_FMT_TEXT;
1251 delimiter_char = "\t";
1252 } else if (strcmp(optarg, "ps") == 0) {
1253 output_action = WRITE_TEXT;
1254 print_format = PR_FMT_PS;
1255 } else if (strcmp(optarg, "pdml") == 0) {
1256 output_action = WRITE_XML;
1257 print_details = TRUE; /* Need details */
1258 print_summary = FALSE; /* Don't allow summary */
1259 } else if (strcmp(optarg, "psml") == 0) {
1260 output_action = WRITE_XML;
1261 print_details = FALSE; /* Don't allow details */
1262 print_summary = TRUE; /* Need summary */
1263 } else if (strcmp(optarg, "fields") == 0) {
1264 output_action = WRITE_FIELDS;
1265 print_details = TRUE; /* Need full tree info */
1266 print_summary = FALSE; /* Don't allow summary */
1267 } else if (strcmp(optarg, "json") == 0) {
1268 output_action = WRITE_JSON;
1269 print_details = TRUE; /* Need details */
1270 print_summary = FALSE; /* Don't allow summary */
1271 } else if (strcmp(optarg, "ek") == 0) {
1272 output_action = WRITE_EK;
1273 print_details = TRUE; /* Need details */
1274 print_summary = FALSE; /* Don't allow summary */
1275 } else if (strcmp(optarg, "jsonraw") == 0) {
1276 output_action = WRITE_JSON_RAW;
1277 print_details = TRUE; /* Need details */
1278 print_summary = FALSE; /* Don't allow summary */
1281 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1282 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1283 "\t specified by the -E option.\n"
1284 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1285 "\t details of a decoded packet. This information is equivalent to\n"
1286 "\t the packet details printed with the -V flag.\n"
1287 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1288 "\t the packets, or a multi-line view of the details of each of\n"
1289 "\t the packets, depending on whether the -V flag was specified.\n"
1290 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1291 "\t summary information of a decoded packet. This information is\n"
1292 "\t equivalent to the information shown in the one-line summary\n"
1293 "\t printed by default.\n"
1294 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1295 "\t summary information of a decoded packet. This information is \n"
1296 "\t equivalent to the packet details printed with the -V flag.\n"
1297 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1298 "\t including only raw hex decoded fields (same as -T json -x but\n"
1299 "\t without text decoding, only raw fields included). \n"
1300 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1301 "\t into elastic search cluster. This information is \n"
1302 "\t equivalent to the packet details printed with the -V flag.\n"
1303 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1304 "\t packets, or a multi-line view of the details of each of the\n"
1305 "\t packets, depending on whether the -V flag was specified.\n"
1306 "\t This is the default.\n"
1307 "\t\"tabs\" Similar to the text report except that each column of the\n"
1308 "\t human-readable one-line summary is delimited with an ASCII\n"
1309 "\t horizontal tab character.");
1310 exit_status = INVALID_OPTION;
1314 case 'U': /* Export PDUs to file */
1316 GSList *export_pdu_tap_name_list = NULL;
1319 cmdarg_err("A tap name is required. Valid names are:");
1320 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1321 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1323 exit_status = INVALID_OPTION;
1326 pdu_export_arg = g_strdup(optarg);
1329 case 'v': /* Show version and exit */
1330 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1331 epan_get_compiled_version_info);
1332 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1333 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1334 g_string_free(comp_info_str, TRUE);
1335 g_string_free(runtime_info_str, TRUE);
1336 /* We don't really have to cleanup here, but it's a convenient way to test
1337 * start-up and shut-down of the epan library without any UI-specific
1338 * cruft getting in the way. Makes the results of running
1339 * $ ./tools/valgrind-wireshark -n
1340 * much more useful. */
1345 exit_status = EXIT_SUCCESS;
1347 case 'O': /* Only output these protocols */
1348 /* already processed; just ignore it now */
1350 case 'V': /* Verbose */
1351 /* already processed; just ignore it now */
1353 case 'x': /* Print packet data in hex (and ASCII) */
1354 /* already processed; just ignore it now */
1357 /* already processed; just ignore it now */
1363 /* We won't call the init function for the stat this soon
1364 as it would disallow MATE's fields (which are registered
1365 by the preferences set callback) from being used as
1366 part of a tap filter. Instead, we just add the argument
1367 to a list of stat arguments. */
1368 if (strcmp("help", optarg) == 0) {
1369 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1370 list_stat_cmd_args();
1371 exit_status = EXIT_SUCCESS;
1374 if (!process_stat_cmd_arg(optarg)) {
1375 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1376 list_stat_cmd_args();
1377 exit_status = INVALID_OPTION;
1381 case 'd': /* Decode as rule */
1382 case 'K': /* Kerberos keytab file */
1383 case 'n': /* No name resolution */
1384 case 'N': /* Select what types of addresses/port #s to resolve */
1385 case 't': /* Time stamp type */
1386 case 'u': /* Seconds type */
1387 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1388 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1389 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1390 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1391 if (!dissect_opts_handle_opt(opt, optarg)) {
1392 exit_status = INVALID_OPTION;
1396 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1397 if (strcmp("help", optarg) == 0) {
1398 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1399 eo_list_object_types();
1400 exit_status = EXIT_SUCCESS;
1403 if (!eo_tap_opt_add(optarg)) {
1404 exit_status = INVALID_OPTION;
1409 case '?': /* Bad flag - print usage message */
1412 list_capture_types();
1415 print_usage(stderr);
1417 exit_status = INVALID_OPTION;
1423 /* If we specified output fields, but not the output field type... */
1424 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1425 cmdarg_err("Output fields were specified with \"-e\", "
1426 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1427 exit_status = INVALID_OPTION;
1429 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1430 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1431 "specified with \"-e\".");
1433 exit_status = INVALID_OPTION;
1437 /* If no capture filter or display filter has been specified, and there are
1438 still command-line arguments, treat them as the tokens of a capture
1439 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1440 flag was specified. */
1441 if (optind < argc) {
1442 if (cf_name != NULL) {
1443 if (dfilter != NULL) {
1444 cmdarg_err("Display filters were specified both with \"-d\" "
1445 "and with additional command-line arguments.");
1446 exit_status = INVALID_OPTION;
1449 dfilter = get_args_as_string(argc, argv, optind);
1454 if (global_capture_opts.default_options.cfilter) {
1455 cmdarg_err("A default capture filter was specified both with \"-f\""
1456 " and with additional command-line arguments.");
1457 exit_status = INVALID_OPTION;
1460 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1461 interface_options interface_opts;
1462 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1463 if (interface_opts.cfilter == NULL) {
1464 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1465 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1466 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1468 cmdarg_err("A capture filter was specified both with \"-f\""
1469 " and with additional command-line arguments.");
1470 exit_status = INVALID_OPTION;
1474 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1476 capture_option_specified = TRUE;
1482 if (!global_capture_opts.saving_to_file) {
1483 /* We're not saving the capture to a file; if "-q" wasn't specified,
1484 we should print packet information */
1486 print_packet_info = TRUE;
1488 /* We're saving to a file; if we're writing to the standard output.
1489 and we'll also be writing dissected packets to the standard
1490 output, reject the request. At best, we could redirect that
1491 to the standard error; we *can't* write both to the standard
1492 output and have either of them be useful. */
1493 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1494 cmdarg_err("You can't write both raw packet data and dissected packets"
1495 " to the standard output.");
1496 exit_status = INVALID_OPTION;
1501 /* We're not saving the capture to a file; if "-q" wasn't specified,
1502 we should print packet information */
1504 print_packet_info = TRUE;
1507 #ifndef HAVE_LIBPCAP
1508 if (capture_option_specified)
1509 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1512 print_usage(stderr);
1513 exit_status = INVALID_OPTION;
1518 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
1519 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
1520 exit_status = INVALID_OPTION;
1525 if (output_only != NULL) {
1528 if (!print_details) {
1529 cmdarg_err("-O requires -V");
1530 exit_status = INVALID_OPTION;
1534 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1535 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1536 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1540 if (rfilter != NULL && !perform_two_pass_analysis) {
1541 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1542 exit_status = INVALID_OPTION;
1547 if (list_link_layer_types) {
1548 /* We're supposed to list the link-layer types for an interface;
1549 did the user also specify a capture file to be read? */
1551 /* Yes - that's bogus. */
1552 cmdarg_err("You can't specify -L and a capture file to be read.");
1553 exit_status = INVALID_OPTION;
1556 /* No - did they specify a ring buffer option? */
1557 if (global_capture_opts.multi_files_on) {
1558 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1559 exit_status = INVALID_OPTION;
1565 * "-r" was specified, so we're reading a capture file.
1566 * Capture options don't apply here.
1569 /* We don't support capture filters when reading from a capture file
1570 (the BPF compiler doesn't support all link-layer types that we
1571 support in capture files we read). */
1572 if (global_capture_opts.default_options.cfilter) {
1573 cmdarg_err("Only read filters, not capture filters, "
1574 "can be specified when reading a capture file.");
1575 exit_status = INVALID_OPTION;
1578 if (global_capture_opts.multi_files_on) {
1579 cmdarg_err("Multiple capture files requested, but "
1580 "a capture isn't being done.");
1581 exit_status = INVALID_OPTION;
1584 if (global_capture_opts.has_file_duration) {
1585 cmdarg_err("Switching capture files after a time interval was specified, but "
1586 "a capture isn't being done.");
1587 exit_status = INVALID_OPTION;
1590 if (global_capture_opts.has_ring_num_files) {
1591 cmdarg_err("A ring buffer of capture files was specified, but "
1592 "a capture isn't being done.");
1593 exit_status = INVALID_OPTION;
1596 if (global_capture_opts.has_autostop_files) {
1597 cmdarg_err("A maximum number of capture files was specified, but "
1598 "a capture isn't being done.");
1599 exit_status = INVALID_OPTION;
1602 if (global_capture_opts.capture_comment) {
1603 cmdarg_err("A capture comment was specified, but "
1604 "a capture isn't being done.\nThere's no support for adding "
1605 "a capture comment to an existing capture file.");
1606 exit_status = INVALID_OPTION;
1610 /* Note: TShark now allows the restriction of a _read_ file by packet count
1611 * and byte count as well as a write file. Other autostop options remain valid
1612 * only for a write file.
1614 if (global_capture_opts.has_autostop_duration) {
1615 cmdarg_err("A maximum capture time was specified, but "
1616 "a capture isn't being done.");
1617 exit_status = INVALID_OPTION;
1622 * "-r" wasn't specified, so we're doing a live capture.
1624 if (perform_two_pass_analysis) {
1625 /* Two-pass analysis doesn't work with live capture since it requires us
1626 * to buffer packets until we've read all of them, but a live capture
1627 * has no useful/meaningful definition of "all" */
1628 cmdarg_err("Live captures do not support two-pass analysis.");
1629 exit_status = INVALID_OPTION;
1633 if (global_capture_opts.saving_to_file) {
1634 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1636 /* When capturing, we only support writing pcap or pcap-ng format. */
1637 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1638 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1639 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1640 exit_status = INVALID_OPTION;
1643 if (global_capture_opts.capture_comment &&
1644 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1645 cmdarg_err("A capture comment can only be written to a pcapng file.");
1646 exit_status = INVALID_OPTION;
1649 if (global_capture_opts.multi_files_on) {
1650 /* Multiple-file mode doesn't work under certain conditions:
1651 a) it doesn't work if you're writing to the standard output;
1652 b) it doesn't work if you're writing to a pipe;
1654 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1655 cmdarg_err("Multiple capture files requested, but "
1656 "the capture is being written to the standard output.");
1657 exit_status = INVALID_OPTION;
1660 if (global_capture_opts.output_to_pipe) {
1661 cmdarg_err("Multiple capture files requested, but "
1662 "the capture file is a pipe.");
1663 exit_status = INVALID_OPTION;
1666 if (!global_capture_opts.has_autostop_filesize &&
1667 !global_capture_opts.has_file_duration) {
1668 cmdarg_err("Multiple capture files requested, but "
1669 "no maximum capture file size or duration was specified.");
1670 exit_status = INVALID_OPTION;
1674 /* Currently, we don't support read or display filters when capturing
1675 and saving the packets. */
1676 if (rfilter != NULL) {
1677 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1678 exit_status = INVALID_OPTION;
1681 if (dfilter != NULL) {
1682 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1683 exit_status = INVALID_OPTION;
1686 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1688 /* They didn't specify a "-w" flag, so we won't be saving to a
1689 capture file. Check for options that only make sense if
1690 we're saving to a file. */
1691 if (global_capture_opts.has_autostop_filesize) {
1692 cmdarg_err("Maximum capture file size specified, but "
1693 "capture isn't being saved to a file.");
1694 exit_status = INVALID_OPTION;
1697 if (global_capture_opts.multi_files_on) {
1698 cmdarg_err("Multiple capture files requested, but "
1699 "the capture isn't being saved to a file.");
1700 exit_status = INVALID_OPTION;
1703 if (global_capture_opts.capture_comment) {
1704 cmdarg_err("A capture comment was specified, but "
1705 "the capture isn't being saved to a file.");
1706 exit_status = INVALID_OPTION;
1715 /* Start windows sockets */
1716 result = WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1719 exit_status = INIT_FAILED;
1724 /* Notify all registered modules that have had any of their preferences
1725 changed either from one of the preferences file or from the command
1726 line that their preferences have changed. */
1729 /* At this point MATE will have registered its field array so we can
1730 have a tap filter with one of MATE's late-registered fields as part
1731 of the filter. We can now process all the "-z" arguments. */
1732 start_requested_stats();
1734 /* We can also enable specified taps for export object */
1735 start_exportobjects();
1737 /* At this point MATE will have registered its field array so we can
1738 check if the fields specified by the user are all good.
1742 GSList *invalid_fields = output_fields_valid(output_fields);
1743 if (invalid_fields != NULL) {
1745 cmdarg_err("Some fields aren't valid:");
1746 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
1747 cmdarg_err_cont("\t%s", (gchar *)it->data);
1749 g_slist_free(invalid_fields);
1750 exit_status = INVALID_OPTION;
1755 /* We currently don't support taps, or printing dissected packets,
1756 if we're writing to a pipe. */
1757 if (global_capture_opts.saving_to_file &&
1758 global_capture_opts.output_to_pipe) {
1759 if (tap_listeners_require_dissection()) {
1760 cmdarg_err("Taps aren't supported when saving to a pipe.");
1761 exit_status = INVALID_OPTION;
1764 if (print_packet_info) {
1765 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1766 exit_status = INVALID_OPTION;
1772 if (ex_opt_count("read_format") > 0) {
1773 const gchar* name = ex_opt_get_next("read_format");
1774 in_file_type = open_info_name_to_type(name);
1775 if (in_file_type == WTAP_TYPE_AUTO) {
1776 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1777 list_read_capture_types();
1778 exit_status = INVALID_OPTION;
1783 timestamp_set_type(global_dissect_options.time_format);
1786 * Enabled and disabled protocols and heuristic dissectors as per
1787 * command-line options.
1789 if (!setup_enabled_and_disabled_protocols()) {
1790 exit_status = INVALID_OPTION;
1794 /* Build the column format array */
1795 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1798 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1799 capture_opts_trim_ring_num_files(&global_capture_opts);
1802 if (rfilter != NULL) {
1803 tshark_debug("Compiling read filter: '%s'", rfilter);
1804 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
1805 cmdarg_err("%s", err_msg);
1811 #ifdef HAVE_PCAP_OPEN_DEAD
1815 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1817 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1819 " Note: That read filter code looks like a valid capture filter;\n"
1820 " maybe you mixed them up?");
1826 exit_status = INVALID_INTERFACE;
1830 cfile.rfcode = rfcode;
1832 if (dfilter != NULL) {
1833 tshark_debug("Compiling display filter: '%s'", dfilter);
1834 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
1835 cmdarg_err("%s", err_msg);
1841 #ifdef HAVE_PCAP_OPEN_DEAD
1845 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1847 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1849 " Note: That display filter code looks like a valid capture filter;\n"
1850 " maybe you mixed them up?");
1856 exit_status = INVALID_FILTER;
1860 cfile.dfcode = dfcode;
1862 if (print_packet_info) {
1863 /* If we're printing as text or PostScript, we have
1864 to create a print stream. */
1865 if (output_action == WRITE_TEXT) {
1866 switch (print_format) {
1869 print_stream = print_stream_text_stdio_new(stdout);
1873 print_stream = print_stream_ps_stdio_new(stdout);
1877 g_assert_not_reached();
1882 /* PDU export requested. Take the ownership of the '-w' file, apply tap
1883 * filters and start tapping. */
1884 if (pdu_export_arg) {
1885 const char *exp_pdu_tap_name = pdu_export_arg;
1886 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
1887 char *exp_pdu_error;
1892 cmdarg_err("PDUs export requires a capture file (specify with -r).");
1893 exit_status = INVALID_OPTION;
1896 /* Take ownership of the '-w' output file. */
1898 exp_pdu_filename = global_capture_opts.save_file;
1899 global_capture_opts.save_file = NULL;
1901 exp_pdu_filename = output_file_name;
1902 output_file_name = NULL;
1904 if (exp_pdu_filename == NULL) {
1905 cmdarg_err("PDUs export requires an output file (-w).");
1906 exit_status = INVALID_OPTION;
1910 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
1912 if (exp_pdu_error) {
1913 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
1914 g_free(exp_pdu_error);
1915 exit_status = INVALID_TAP;
1919 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
1921 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
1922 exit_status = INVALID_FILE;
1926 /* Activate the export PDU tap */
1927 comment = g_strdup_printf("Dump of PDUs from %s", cf_name);
1928 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd, comment);
1930 cfile_dump_open_failure_message("TShark", exp_pdu_filename, err,
1931 WTAP_FILE_TYPE_SUBTYPE_PCAPNG);
1933 exit_status = INVALID_EXPORT;
1938 /* We have to dissect each packet if:
1940 we're printing information about each packet;
1942 we're using a read filter on the packets;
1944 we're using a display filter on the packets;
1946 we're exporting PDUs;
1948 we're using any taps that need dissection. */
1949 do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg ||
1950 tap_listeners_require_dissection();
1951 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
1954 tshark_debug("tshark: Opening capture file: %s", cf_name);
1956 * We're reading a capture file.
1958 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
1963 exit_status = INVALID_FILE;
1967 /* Process the packets in the file */
1968 tshark_debug("tshark: invoking process_cap_file() to process the packets");
1971 success = process_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
1972 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
1973 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
1975 success = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
1978 CATCH(OutOfMemoryError) {
1982 "Sorry, but TShark has to terminate now.\n"
1984 "More information and workarounds can be found at\n"
1985 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
1991 /* We still dump out the results of taps, etc., as we might have
1992 read some packets; however, we exit with an error status. */
1996 if (pdu_export_arg) {
1997 err = exp_pdu_close(&exp_pdu_tap_data);
1999 cfile_close_failure_message(exp_pdu_filename, err);
2002 g_free(pdu_export_arg);
2005 tshark_debug("tshark: no capture file specified");
2006 /* No capture file specified, so we're supposed to do a live capture
2007 or get a list of link-layer types for a live capture device;
2008 do we have support for live captures? */
2010 /* if no interface was specified, pick a default */
2011 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2012 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2013 if (exit_status != 0) {
2017 /* if requested, list the link layer types and exit */
2018 if (list_link_layer_types) {
2021 /* Get the list of link-layer types for the capture devices. */
2022 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2023 interface_options interface_opts;
2024 if_capabilities_t *caps;
2025 char *auth_str = NULL;
2027 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2028 #ifdef HAVE_PCAP_REMOTE
2029 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2030 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2033 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2036 cmdarg_err("%s", err_str);
2038 exit_status = INVALID_CAPABILITY;
2041 if (caps->data_link_types == NULL) {
2042 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2043 exit_status = INVALID_DATA_LINK;
2046 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2047 free_if_capabilities(caps);
2049 exit_status = EXIT_SUCCESS;
2054 * If the standard error isn't a terminal, don't print packet counts,
2055 * as they won't show up on the user's terminal and they'll get in
2056 * the way of error messages in the file (to which we assume the
2057 * standard error was redirected; if it's redirected to the null
2058 * device, there's no point in printing packet counts anyway).
2060 * Otherwise, if we're printing packet information and the standard
2061 * output is a terminal (which we assume means the standard output and
2062 * error are going to the same terminal), don't print packet counts,
2063 * as they'll get in the way of the packet information.
2065 * Otherwise, if the user specified -q, don't print packet counts.
2067 * Otherwise, print packet counts.
2069 * XXX - what if the user wants to do a live capture, doesn't want
2070 * to save it to a file, doesn't want information printed for each
2071 * packet, does want some "-z" statistic, and wants packet counts
2072 * so they know whether they're seeing any packets? -q will
2073 * suppress the information printed for each packet, but it'll
2074 * also suppress the packet counts.
2076 if (!ws_isatty(ws_fileno(stderr)))
2077 print_packet_counts = FALSE;
2078 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2079 print_packet_counts = FALSE;
2081 print_packet_counts = FALSE;
2083 print_packet_counts = TRUE;
2085 if (print_packet_info) {
2086 if (!write_preamble(&cfile)) {
2087 show_print_file_io_error(errno);
2088 exit_status = INVALID_FILE;
2093 tshark_debug("tshark: performing live capture");
2095 * XXX - this returns FALSE if an error occurred, but it also
2096 * returns FALSE if the capture stops because a time limit
2097 * was reached (and possibly other limits), so we can't assume
2098 * it means an error.
2100 * The capture code is a bit twisty, so it doesn't appear to
2101 * be an easy fix. We just ignore the return value for now.
2102 * Instead, pass on the exit status from the capture child.
2105 exit_status = global_capture_session.fork_child_status;
2107 if (print_packet_info) {
2108 if (!write_finale()) {
2109 show_print_file_io_error(errno);
2113 /* No - complain. */
2114 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2115 exit_status = INVALID_CAPTURE;
2122 if (cfile.frames != NULL) {
2123 free_frame_data_sequence(cfile.frames);
2124 cfile.frames = NULL;
2127 draw_tap_listeners(TRUE);
2128 funnel_dump_all_text_windows();
2129 epan_free(cfile.epan);
2135 output_fields_free(output_fields);
2136 output_fields = NULL;
2139 destroy_print_stream(print_stream);
2141 capture_opts_cleanup(&global_capture_opts);
2143 col_cleanup(&cfile.cinfo);
2144 free_filter_lists();
2154 /*#define USE_BROKEN_G_MAIN_LOOP*/
2156 #ifdef USE_BROKEN_G_MAIN_LOOP
2159 gboolean loop_running = FALSE;
2161 guint32 packet_count = 0;
2164 typedef struct pipe_input_tag {
2167 ws_process_id *child_process;
2168 pipe_input_cb_t input_cb;
2169 guint pipe_input_id;
2171 GMutex *callback_running;
2175 static pipe_input_t pipe_input;
2178 /* The timer has expired, see if there's stuff to read from the pipe,
2179 if so, do the callback */
2181 pipe_timer_cb(gpointer data)
2187 pipe_input_t *pipe_input_p = data;
2188 gint iterations = 0;
2190 g_mutex_lock (pipe_input_p->callback_running);
2192 /* try to read data from the pipe only 5 times, to avoid blocking */
2193 while(iterations < 5) {
2194 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2196 /* Oddly enough although Named pipes don't work on win9x,
2197 PeekNamedPipe does !!! */
2198 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2199 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2201 /* Get the child process exit status */
2202 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2205 /* If the Peek returned an error, or there are bytes to be read
2206 or the childwatcher thread has terminated then call the normal
2208 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2210 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2212 /* And call the real handler */
2213 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2214 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2215 /* pipe closed, return false so that the timer is stopped */
2216 g_mutex_unlock (pipe_input_p->callback_running);
2221 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2222 /* No data, stop now */
2229 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2231 g_mutex_unlock (pipe_input_p->callback_running);
2233 /* we didn't stopped the timer, so let it run */
2240 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2243 pipe_input.source = source;
2244 pipe_input.child_process = child_process;
2245 pipe_input.user_data = user_data;
2246 pipe_input.input_cb = input_cb;
2249 #if GLIB_CHECK_VERSION(2,31,0)
2250 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2251 g_mutex_init(pipe_input.callback_running);
2253 pipe_input.callback_running = g_mutex_new();
2255 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2256 do this but that doesn't cover all win32 platforms. GTK can do
2257 this but doesn't seem to work over processes. Attempt to do
2258 something similar here, start a timer and check for data on every
2260 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2261 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2265 static const nstime_t *
2266 tshark_get_frame_ts(void *data, guint32 frame_num)
2268 capture_file *cf = (capture_file *) data;
2270 if (ref && ref->num == frame_num)
2271 return &ref->abs_ts;
2273 if (prev_dis && prev_dis->num == frame_num)
2274 return &prev_dis->abs_ts;
2276 if (prev_cap && prev_cap->num == frame_num)
2277 return &prev_cap->abs_ts;
2280 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2282 return (fd) ? &fd->abs_ts : NULL;
2289 tshark_epan_new(capture_file *cf)
2291 epan_t *epan = epan_new();
2294 epan->get_frame_ts = tshark_get_frame_ts;
2295 epan->get_interface_name = cap_file_get_interface_name;
2296 epan->get_interface_description = cap_file_get_interface_description;
2297 epan->get_user_comment = NULL;
2309 #ifdef USE_TSHARK_SELECT
2313 struct sigaction action, oldaction;
2316 /* Create new dissection section. */
2317 epan_free(cfile.epan);
2318 cfile.epan = tshark_epan_new(&cfile);
2321 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2322 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2324 /* Catch SIGINT and SIGTERM and, if we get either of them,
2325 clean up and exit. If SIGHUP isn't being ignored, catch
2326 it too and, if we get it, clean up and exit.
2328 We restart any read that was in progress, so that it doesn't
2329 disrupt reading from the sync pipe. The signal handler tells
2330 the capture child to finish; it will report that it finished,
2331 or will exit abnormally, so we'll stop reading from the sync
2332 pipe, pick up the exit status, and quit. */
2333 memset(&action, 0, sizeof(action));
2334 action.sa_handler = capture_cleanup;
2335 action.sa_flags = SA_RESTART;
2336 sigemptyset(&action.sa_mask);
2337 sigaction(SIGTERM, &action, NULL);
2338 sigaction(SIGINT, &action, NULL);
2339 sigaction(SIGHUP, NULL, &oldaction);
2340 if (oldaction.sa_handler == SIG_DFL)
2341 sigaction(SIGHUP, &action, NULL);
2344 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2345 quiet mode, report the number of packets we've captured.
2347 Again, restart any read that was in progress, so that it doesn't
2348 disrupt reading from the sync pipe. */
2349 action.sa_handler = report_counts_siginfo;
2350 action.sa_flags = SA_RESTART;
2351 sigemptyset(&action.sa_mask);
2352 sigaction(SIGINFO, &action, NULL);
2353 #endif /* SIGINFO */
2356 global_capture_session.state = CAPTURE_PREPARING;
2358 /* Let the user know which interfaces were chosen. */
2359 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2360 interface_options interface_opts;
2362 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2363 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2364 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2365 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2367 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2368 if (really_quiet == FALSE)
2369 fprintf(stderr, "Capturing on %s\n", str->str);
2371 g_string_free(str, TRUE);
2373 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2378 /* the actual capture loop
2380 * XXX - glib doesn't seem to provide any event based loop handling.
2382 * XXX - for whatever reason,
2383 * calling g_main_loop_new() ends up in 100% cpu load.
2385 * But that doesn't matter: in UNIX we can use select() to find an input
2386 * source with something to do.
2388 * But that doesn't matter because we're in a CLI (that doesn't need to
2389 * update a GUI or something at the same time) so it's OK if we block
2390 * trying to read from the pipe.
2392 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2393 * wrong (but I leave it there in case I am...).
2396 #ifdef USE_TSHARK_SELECT
2398 FD_SET(pipe_input.source, &readfds);
2401 loop_running = TRUE;
2405 while (loop_running)
2407 #ifdef USE_TSHARK_SELECT
2408 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2412 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2414 } else if (ret == 1) {
2416 /* Call the real handler */
2417 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2418 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2421 #ifdef USE_TSHARK_SELECT
2426 CATCH(OutOfMemoryError) {
2430 "Sorry, but TShark has to terminate now.\n"
2432 "More information and workarounds can be found at\n"
2433 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2440 /* capture child detected an error */
2442 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2444 cmdarg_err("%s", error_msg);
2445 cmdarg_err_cont("%s", secondary_error_msg);
2449 /* capture child detected an capture filter related error */
2451 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2453 capture_options *capture_opts = cap_session->capture_opts;
2454 dfilter_t *rfcode = NULL;
2455 interface_options interface_opts;
2457 g_assert(i < capture_opts->ifaces->len);
2458 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2460 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2462 "Invalid capture filter \"%s\" for interface '%s'.\n"
2464 "That string looks like a valid display filter; however, it isn't a valid\n"
2465 "capture filter (%s).\n"
2467 "Note that display filters and capture filters don't have the same syntax,\n"
2468 "so you can't use most display filter expressions as capture filters.\n"
2470 "See the User's Guide for a description of the capture filter syntax.",
2471 interface_opts.cfilter, interface_opts.descr, error_message);
2472 dfilter_free(rfcode);
2475 "Invalid capture filter \"%s\" for interface '%s'.\n"
2477 "That string isn't a valid capture filter (%s).\n"
2478 "See the User's Guide for a description of the capture filter syntax.",
2479 interface_opts.cfilter, interface_opts.descr, error_message);
2484 /* capture child tells us we have a new (or the first) capture file */
2486 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2488 capture_options *capture_opts = cap_session->capture_opts;
2489 capture_file *cf = (capture_file *) cap_session->cf;
2490 gboolean is_tempfile;
2493 if (cap_session->state == CAPTURE_PREPARING) {
2494 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2496 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2498 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2500 /* free the old filename */
2501 if (capture_opts->save_file != NULL) {
2503 /* we start a new capture file, close the old one (if we had one before) */
2504 if (cf->state != FILE_CLOSED) {
2505 if (cf->wth != NULL) {
2506 wtap_close(cf->wth);
2509 cf->state = FILE_CLOSED;
2512 g_free(capture_opts->save_file);
2513 is_tempfile = FALSE;
2515 epan_free(cf->epan);
2516 cf->epan = tshark_epan_new(cf);
2518 /* we didn't had a save_file before, must be a tempfile */
2522 /* save the new filename */
2523 capture_opts->save_file = g_strdup(new_file);
2525 /* if we are in real-time mode, open the new file now */
2526 if (do_dissection) {
2527 /* this is probably unecessary, but better safe than sorry */
2528 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2529 /* Attempt to open the capture file and set up to read from it. */
2530 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2534 /* Don't unlink (delete) the save file - leave it around,
2535 for debugging purposes. */
2536 g_free(capture_opts->save_file);
2537 capture_opts->save_file = NULL;
2542 cap_session->state = CAPTURE_RUNNING;
2548 /* capture child tells us we have new packets to read */
2550 capture_input_new_packets(capture_session *cap_session, int to_read)
2556 capture_file *cf = (capture_file *)cap_session->cf;
2557 gboolean filtering_tap_listeners;
2562 * Prevent a SIGINFO handler from writing to the standard error while
2563 * we're doing so or writing to the standard output; instead, have it
2564 * just set a flag telling us to print that information when we're done.
2567 #endif /* SIGINFO */
2569 /* Do we have any tap listeners with filters? */
2570 filtering_tap_listeners = have_filtering_tap_listeners();
2572 /* Get the union of the flags for all tap listeners. */
2573 tap_flags = union_of_tap_listener_flags();
2575 if (do_dissection) {
2576 gboolean create_proto_tree;
2577 epan_dissect_t *edt;
2580 * Determine whether we need to create a protocol tree.
2583 * we're going to apply a read filter;
2585 * we're going to apply a display filter;
2587 * we're going to print the protocol tree;
2589 * one of the tap listeners is going to apply a filter;
2591 * one of the tap listeners requires a protocol tree;
2593 * a postdissector wants field values or protocols
2594 * on the first pass;
2596 * we have custom columns (which require field values, which
2597 * currently requires that we build a protocol tree).
2600 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2601 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
2602 have_custom_cols(&cf->cinfo));
2604 /* The protocol tree will be "visible", i.e., printed, only if we're
2605 printing packet details, which is true if we're printing stuff
2606 ("print_packet_info" is true) and we're in verbose mode
2607 ("packet_details" is true). */
2608 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2610 while (to_read-- && cf->wth) {
2611 wtap_cleareof(cf->wth);
2612 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2613 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
2615 /* read from file failed, tell the capture child to stop */
2616 sync_pipe_stop(cap_session);
2617 wtap_close(cf->wth);
2620 ret = process_packet_single_pass(cf, edt, data_offset,
2622 wtap_buf_ptr(cf->wth), tap_flags);
2625 /* packet successfully read and gone through the "Read Filter" */
2630 epan_dissect_free(edt);
2634 * Dumpcap's doing all the work; we're not doing any dissection.
2635 * Count all the packets it wrote.
2637 packet_count += to_read;
2640 if (print_packet_counts) {
2641 /* We're printing packet counts. */
2642 if (packet_count != 0) {
2643 fprintf(stderr, "\r%u ", packet_count);
2644 /* stderr could be line buffered */
2651 * Allow SIGINFO handlers to write.
2656 * If a SIGINFO handler asked us to write out capture counts, do so.
2660 #endif /* SIGINFO */
2666 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2667 /* Report the count only if we aren't printing a packet count
2668 as packets arrive. */
2669 fprintf(stderr, "%u packet%s captured\n", packet_count,
2670 plurality(packet_count, "", "s"));
2673 infoprint = FALSE; /* we just reported it */
2674 #endif /* SIGINFO */
2679 report_counts_siginfo(int signum _U_)
2681 int sav_errno = errno;
2682 /* If we've been told to delay printing, just set a flag asking
2683 that we print counts (if we're supposed to), otherwise print
2684 the count of packets captured (if we're supposed to). */
2691 #endif /* SIGINFO */
2694 /* capture child detected any packet drops? */
2696 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2698 if (print_packet_counts) {
2699 /* We're printing packet counts to stderr.
2700 Send a newline so that we move to the line after the packet count. */
2701 fprintf(stderr, "\n");
2705 /* We're printing packet counts to stderr.
2706 Send a newline so that we move to the line after the packet count. */
2707 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2713 * Capture child closed its side of the pipe, report any error and
2714 * do the required cleanup.
2717 capture_input_closed(capture_session *cap_session, gchar *msg)
2719 capture_file *cf = (capture_file *) cap_session->cf;
2722 fprintf(stderr, "tshark: %s\n", msg);
2726 if (cf != NULL && cf->wth != NULL) {
2727 wtap_close(cf->wth);
2728 if (cf->is_tempfile) {
2729 ws_unlink(cf->filename);
2732 #ifdef USE_BROKEN_G_MAIN_LOOP
2733 /*g_main_loop_quit(loop);*/
2734 g_main_loop_quit(loop);
2736 loop_running = FALSE;
2745 capture_cleanup(DWORD ctrltype _U_)
2747 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2748 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2749 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2750 like SIGTERM at least when the machine's shutting down.
2752 For now, we handle them all as indications that we should clean up
2753 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2756 We must return TRUE so that no other handler - such as one that would
2757 terminate the process - gets called.
2759 XXX - for some reason, typing ^C to TShark, if you run this in
2760 a Cygwin console window in at least some versions of Cygwin,
2761 causes TShark to terminate immediately; this routine gets
2762 called, but the main loop doesn't get a chance to run and
2763 exit cleanly, at least if this is compiled with Microsoft Visual
2764 C++ (i.e., it's a property of the Cygwin console window or Bash;
2765 it happens if TShark is not built with Cygwin - for all I know,
2766 building it with Cygwin may make the problem go away). */
2768 /* tell the capture child to stop */
2769 sync_pipe_stop(&global_capture_session);
2771 /* don't stop our own loop already here, otherwise status messages and
2772 * cleanup wouldn't be done properly. The child will indicate the stop of
2773 * everything by calling capture_input_closed() later */
2779 capture_cleanup(int signum _U_)
2781 /* tell the capture child to stop */
2782 sync_pipe_stop(&global_capture_session);
2784 /* don't stop our own loop already here, otherwise status messages and
2785 * cleanup wouldn't be done properly. The child will indicate the stop of
2786 * everything by calling capture_input_closed() later */
2789 #endif /* HAVE_LIBPCAP */
2792 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2793 gint64 offset, struct wtap_pkthdr *whdr,
2800 /* The frame number of this packet is one more than the count of
2801 frames in this packet. */
2802 framenum = cf->count + 1;
2804 /* If we're not running a display filter and we're not printing any
2805 packet information, we don't need to do a dissection. This means
2806 that all packets can be marked as 'passed'. */
2809 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2811 /* If we're going to run a read filter or a display filter, set up to
2812 do a dissection and do so. (This is the first pass of two passes
2813 over the packets, so we will not be printing any information
2814 from the dissection or running taps on the packet; if we're doing
2815 any of that, we'll do it in the second pass.) */
2817 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2818 gbl_resolv_flags.transport_name)
2819 /* Grab any resolved addresses */
2820 host_name_lookup_process();
2822 /* If we're running a read filter, prime the epan_dissect_t with that
2825 epan_dissect_prime_with_dfilter(edt, cf->rfcode);
2828 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
2830 /* This is the first pass, so prime the epan_dissect_t with the
2831 hfids postdissectors want on the first pass. */
2832 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
2834 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2836 if (ref == &fdlocal) {
2837 ref_frame = fdlocal;
2841 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2843 /* Run the read filter if we have one. */
2845 passed = dfilter_apply_edt(cf->rfcode, edt);
2849 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2850 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2852 /* If we're not doing dissection then there won't be any dependent frames.
2853 * More importantly, edt.pi.dependent_frames won't be initialized because
2854 * epan hasn't been initialized.
2855 * if we *are* doing dissection, then mark the dependent frames, but only
2856 * if a display filter was given and it matches this packet.
2858 if (edt && cf->dfcode) {
2859 if (dfilter_apply_edt(cf->dfcode, edt)) {
2860 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2866 /* if we don't add it to the frame_data_sequence, clean it up right now
2868 frame_data_destroy(&fdlocal);
2872 epan_dissect_reset(edt);
2878 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt,
2879 frame_data *fdata, struct wtap_pkthdr *phdr,
2880 Buffer *buf, guint tap_flags)
2885 /* If we're not running a display filter and we're not printing any
2886 packet information, we don't need to do a dissection. This means
2887 that all packets can be marked as 'passed'. */
2890 /* If we're going to print packet information, or we're going to
2891 run a read filter, or we're going to process taps, set up to
2892 do a dissection and do so. (This is the second pass of two
2893 passes over the packets; that's the pass where we print
2894 packet information or run taps.) */
2896 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2897 gbl_resolv_flags.transport_name)
2898 /* Grab any resolved addresses */
2899 host_name_lookup_process();
2901 /* If we're running a display filter, prime the epan_dissect_t with that
2904 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
2906 col_custom_prime_edt(edt, &cf->cinfo);
2908 /* We only need the columns if either
2909 1) some tap needs the columns
2911 2) we're printing packet info but we're *not* verbose; in verbose
2912 mode, we print the protocol tree, not the protocol summary.
2914 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
2919 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2926 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2928 /* Run the read/display filter if we have one. */
2930 passed = dfilter_apply_edt(cf->dfcode, edt);
2934 frame_data_set_after_dissect(fdata, &cum_bytes);
2935 /* Process this packet. */
2936 if (print_packet_info) {
2937 /* We're printing packet information; print the information for
2939 print_packet(cf, edt);
2941 /* If we're doing "line-buffering", flush the standard output
2942 after every packet. See the comment above, for the "-l"
2943 option, for an explanation of why we do that. */
2947 if (ferror(stdout)) {
2948 show_print_file_io_error(errno);
2957 epan_dissect_reset(edt);
2959 return passed || fdata->flags.dependent_of_displayed;
2963 process_cap_file(capture_file *cf, char *save_file, int out_file_type,
2964 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2966 gboolean success = TRUE;
2968 int snapshot_length;
2971 int err = 0, err_pass1 = 0;
2972 gchar *err_info = NULL, *err_info_pass1 = NULL;
2974 gboolean filtering_tap_listeners;
2976 GArray *shb_hdrs = NULL;
2977 wtapng_iface_descriptions_t *idb_inf = NULL;
2978 GArray *nrb_hdrs = NULL;
2979 struct wtap_pkthdr phdr;
2981 epan_dissect_t *edt = NULL;
2982 char *shb_user_appl;
2984 wtap_phdr_init(&phdr);
2986 idb_inf = wtap_file_get_idb_info(cf->wth);
2987 #ifdef PCAP_NG_DEFAULT
2988 if (idb_inf->interface_data->len > 1) {
2989 linktype = WTAP_ENCAP_PER_PACKET;
2991 linktype = wtap_file_encap(cf->wth);
2994 linktype = wtap_file_encap(cf->wth);
2996 if (save_file != NULL) {
2997 /* Set up to write to the capture file. */
2998 snapshot_length = wtap_snapshot_length(cf->wth);
2999 if (snapshot_length == 0) {
3000 /* Snapshot length of input file not known. */
3001 snapshot_length = WTAP_MAX_PACKET_SIZE;
3003 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3005 shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth);
3006 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth);
3008 /* If we don't have an application name add Tshark */
3009 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3010 /* this is free'd by wtap_block_free() later */
3011 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3014 if (linktype != WTAP_ENCAP_PER_PACKET &&
3015 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3016 tshark_debug("tshark: writing PCAP format to %s", save_file);
3017 if (strcmp(save_file, "-") == 0) {
3018 /* Write to the standard output. */
3019 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3020 snapshot_length, FALSE /* compressed */, &err);
3022 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3023 snapshot_length, FALSE /* compressed */, &err);
3027 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3028 if (strcmp(save_file, "-") == 0) {
3029 /* Write to the standard output. */
3030 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3031 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3033 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3034 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3042 /* We couldn't set up to write to the capture file. */
3043 cfile_dump_open_failure_message("TShark", save_file, err, out_file_type);
3048 /* Set up to print packet information. */
3049 if (print_packet_info) {
3050 if (!write_preamble(cf)) {
3051 show_print_file_io_error(errno);
3061 /* Do we have any tap listeners with filters? */
3062 filtering_tap_listeners = have_filtering_tap_listeners();
3064 /* Get the union of the flags for all tap listeners. */
3065 tap_flags = union_of_tap_listener_flags();
3067 if (perform_two_pass_analysis) {
3070 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3072 /* Allocate a frame_data_sequence for all the frames. */
3073 cf->frames = new_frame_data_sequence();
3075 if (do_dissection) {
3076 gboolean create_proto_tree;
3079 * Determine whether we need to create a protocol tree.
3082 * we're going to apply a read filter;
3084 * we're going to apply a display filter;
3086 * a postdissector wants field values or protocols
3087 * on the first pass.
3090 (cf->rfcode != NULL || cf->dfcode != NULL || postdissectors_want_hfids());
3092 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3094 /* We're not going to display the protocol tree on this pass,
3095 so it's not going to be "visible". */
3096 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3099 tshark_debug("tshark: reading records for first pass");
3100 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3101 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3102 wtap_buf_ptr(cf->wth))) {
3103 /* Stop reading if we have the maximum number of packets;
3104 * When the -c option has not been used, max_packet_count
3105 * starts at 0, which practically means, never stop reading.
3106 * (unless we roll over max_packet_count ?)
3108 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3109 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3110 max_packet_count, data_offset, max_byte_count);
3111 err = 0; /* This is not an error */
3118 * If we got a read error on the first pass, remember the error, so
3119 * but do the second pass, so we can at least process the packets we
3120 * read, and then report the first-pass error after the second pass
3121 * (and before we report any second-pass errors), so all the the
3122 * errors show up at the end.
3126 err_info_pass1 = err_info;
3132 epan_dissect_free(edt);
3136 /* Close the sequential I/O side, to free up memory it requires. */
3137 wtap_sequential_close(cf->wth);
3139 /* Allow the protocol dissectors to free up memory that they
3140 * don't need after the sequential run-through of the packets. */
3141 postseq_cleanup_all_protocols();
3145 ws_buffer_init(&buf, 1500);
3147 tshark_debug("tshark: done with first pass");
3149 if (do_dissection) {
3150 gboolean create_proto_tree;
3153 * Determine whether we need to create a protocol tree.
3156 * we're going to apply a display filter;
3158 * we're going to print the protocol tree;
3160 * one of the tap listeners requires a protocol tree;
3162 * we have custom columns (which require field values, which
3163 * currently requires that we build a protocol tree).
3166 (cf->dfcode || print_details || filtering_tap_listeners ||
3167 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo));
3169 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3171 /* The protocol tree will be "visible", i.e., printed, only if we're
3172 printing packet details, which is true if we're printing stuff
3173 ("print_packet_info" is true) and we're in verbose mode
3174 ("packet_details" is true). */
3175 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3178 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3179 fdata = frame_data_sequence_find(cf->frames, framenum);
3180 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3182 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3183 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3185 /* Either there's no read filtering or this packet passed the
3186 filter, so, if we're writing to a capture file, write
3189 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3190 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3191 /* Error writing to a capture file */
3192 tshark_debug("tshark: error writing to a capture file (%d)", err);
3194 /* Report the error.
3195 XXX - framenum is not necessarily the frame number in
3196 the input file if there was a read filter. */
3197 cfile_write_failure_message("TShark", cf->filename, save_file,
3198 err, err_info, framenum,
3200 wtap_dump_close(pdh, &err);
3201 wtap_block_array_free(shb_hdrs);
3202 wtap_block_array_free(nrb_hdrs);
3211 epan_dissect_free(edt);
3215 ws_buffer_free(&buf);
3217 tshark_debug("tshark: done with second pass");
3220 /* !perform_two_pass_analysis */
3222 gboolean create_proto_tree = FALSE;
3223 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3225 if (do_dissection) {
3227 * Determine whether we need to create a protocol tree.
3230 * we're going to apply a read filter;
3232 * we're going to apply a display filter;
3234 * we're going to print the protocol tree;
3236 * one of the tap listeners is going to apply a filter;
3238 * one of the tap listeners requires a protocol tree;
3240 * a postdissector wants field values or protocols
3241 * on the first pass;
3243 * we have custom columns (which require field values, which
3244 * currently requires that we build a protocol tree).
3247 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3248 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3249 have_custom_cols(&cf->cinfo));
3251 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3253 /* The protocol tree will be "visible", i.e., printed, only if we're
3254 printing packet details, which is true if we're printing stuff
3255 ("print_packet_info" is true) and we're in verbose mode
3256 ("packet_details" is true). */
3257 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3260 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3263 tshark_debug("tshark: processing packet #%d", framenum);
3265 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3267 if (process_packet_single_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3268 wtap_buf_ptr(cf->wth), tap_flags)) {
3269 /* Either there's no read filtering or this packet passed the
3270 filter, so, if we're writing to a capture file, write
3273 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3274 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3275 /* Error writing to a capture file */
3276 tshark_debug("tshark: error writing to a capture file (%d)", err);
3277 cfile_write_failure_message("TShark", cf->filename, save_file,
3278 err, err_info, framenum, out_file_type);
3279 wtap_dump_close(pdh, &err);
3280 wtap_block_array_free(shb_hdrs);
3281 wtap_block_array_free(nrb_hdrs);
3286 /* Stop reading if we have the maximum number of packets;
3287 * When the -c option has not been used, max_packet_count
3288 * starts at 0, which practically means, never stop reading.
3289 * (unless we roll over max_packet_count ?)
3291 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3292 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3293 max_packet_count, data_offset, max_byte_count);
3294 err = 0; /* This is not an error */
3300 epan_dissect_free(edt);
3305 wtap_phdr_cleanup(&phdr);
3307 if (err != 0 || err_pass1 != 0) {
3308 tshark_debug("tshark: something failed along the line (%d)", err);
3310 * Print a message noting that the read failed somewhere along the line.
3312 * If we're printing packet data, and the standard output and error are
3313 * going to the same place, flush the standard output, so everything
3314 * buffered up is written, and then print a newline to the standard error
3315 * before printing the error message, to separate it from the packet
3316 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3317 * the _fstat() documentation at Microsoft doesn't indicate whether
3318 * st_ino is even supported.)
3321 if (print_packet_info) {
3322 ws_statb64 stat_stdout, stat_stderr;
3324 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3325 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3326 stat_stdout.st_ino == stat_stderr.st_ino) {
3328 fprintf(stderr, "\n");
3333 if (err_pass1 != 0) {
3334 /* Error on pass 1 of two-pass processing. */
3335 cfile_read_failure_message("TShark", cf->filename, err_pass1,
3339 /* Error on pass 2 of two-pass processing or on the only pass of
3340 one-pass processing. */
3341 cfile_read_failure_message("TShark", cf->filename, err, err_info);
3345 if (save_file != NULL) {
3346 if (pdh && out_file_name_res) {
3347 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3348 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3349 wtap_file_type_subtype_short_string(out_file_type));
3352 /* Now close the capture file. */
3353 if (!wtap_dump_close(pdh, &err)) {
3354 cfile_close_failure_message(save_file, err);
3358 if (print_packet_info) {
3359 if (!write_finale()) {
3360 show_print_file_io_error(errno);
3367 wtap_close(cf->wth);
3370 wtap_block_array_free(shb_hdrs);
3371 wtap_block_array_free(nrb_hdrs);
3377 process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,
3378 struct wtap_pkthdr *whdr, const guchar *pd,
3385 /* Count this packet. */
3388 /* If we're not running a display filter and we're not printing any
3389 packet information, we don't need to do a dissection. This means
3390 that all packets can be marked as 'passed'. */
3393 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3395 /* If we're going to print packet information, or we're going to
3396 run a read filter, or we're going to process taps, set up to
3397 do a dissection and do so. (This is the one and only pass
3398 over the packets, so, if we'll be printing packet information
3399 or running taps, we'll be doing it here.) */
3401 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3402 gbl_resolv_flags.transport_name))
3403 /* Grab any resolved addresses */
3404 host_name_lookup_process();
3406 /* If we're running a filter, prime the epan_dissect_t with that
3409 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3411 /* This is the first and only pass, so prime the epan_dissect_t
3412 with the hfids postdissectors want on the first pass. */
3413 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
3415 col_custom_prime_edt(edt, &cf->cinfo);
3417 /* We only need the columns if either
3418 1) some tap needs the columns
3420 2) we're printing packet info but we're *not* verbose; in verbose
3421 mode, we print the protocol tree, not the protocol summary.
3423 3) there is a column mapped as an individual field */
3424 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3429 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3431 if (ref == &fdata) {
3436 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3438 /* Run the filter if we have it. */
3440 passed = dfilter_apply_edt(cf->dfcode, edt);
3444 frame_data_set_after_dissect(&fdata, &cum_bytes);
3446 /* Process this packet. */
3447 if (print_packet_info) {
3448 /* We're printing packet information; print the information for
3450 print_packet(cf, edt);
3452 /* If we're doing "line-buffering", flush the standard output
3453 after every packet. See the comment above, for the "-l"
3454 option, for an explanation of why we do that. */
3458 if (ferror(stdout)) {
3459 show_print_file_io_error(errno);
3464 /* this must be set after print_packet() [bug #8160] */
3465 prev_dis_frame = fdata;
3466 prev_dis = &prev_dis_frame;
3469 prev_cap_frame = fdata;
3470 prev_cap = &prev_cap_frame;
3473 epan_dissect_reset(edt);
3474 frame_data_destroy(&fdata);
3480 write_preamble(capture_file *cf)
3482 switch (output_action) {
3485 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3489 write_pdml_preamble(stdout, cf->filename);
3491 write_psml_preamble(&cf->cinfo, stdout);
3492 return !ferror(stdout);
3495 write_fields_preamble(output_fields, stdout);
3496 return !ferror(stdout);
3499 case WRITE_JSON_RAW:
3500 write_json_preamble(stdout);
3501 return !ferror(stdout);
3504 return !ferror(stdout);
3507 g_assert_not_reached();
3513 get_line_buf(size_t len)
3515 static char *line_bufp = NULL;
3516 static size_t line_buf_len = 256;
3517 size_t new_line_buf_len;
3519 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3520 new_line_buf_len *= 2)
3522 if (line_bufp == NULL) {
3523 line_buf_len = new_line_buf_len;
3524 line_bufp = (char *)g_malloc(line_buf_len + 1);
3526 if (new_line_buf_len > line_buf_len) {
3527 line_buf_len = new_line_buf_len;
3528 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3535 put_string(char *dest, const char *str, size_t str_len)
3537 memcpy(dest, str, str_len);
3538 dest[str_len] = '\0';
3542 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3546 for (i = str_len; i < str_with_spaces; i++)
3549 put_string(dest, str, str_len);
3553 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3557 memcpy(dest, str, str_len);
3558 for (i = str_len; i < str_with_spaces; i++)
3561 dest[str_with_spaces] = '\0';
3565 print_columns(capture_file *cf)
3572 col_item_t* col_item;
3573 gchar str_format[11];
3575 line_bufp = get_line_buf(256);
3578 for (i = 0; i < cf->cinfo.num_cols; i++) {
3579 col_item = &cf->cinfo.columns[i];
3580 /* Skip columns not marked as visible. */
3581 if (!get_column_visible(i))
3583 switch (col_item->col_fmt) {
3585 column_len = col_len = strlen(col_item->col_data);
3588 line_bufp = get_line_buf(buf_offset + column_len);
3589 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3595 case COL_ABS_YMD_TIME: /* XXX - wider */
3596 case COL_ABS_YDOY_TIME: /* XXX - wider */
3598 case COL_UTC_YMD_TIME: /* XXX - wider */
3599 case COL_UTC_YDOY_TIME: /* XXX - wider */
3600 column_len = col_len = strlen(col_item->col_data);
3601 if (column_len < 10)
3603 line_bufp = get_line_buf(buf_offset + column_len);
3604 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3610 case COL_DEF_DL_SRC:
3611 case COL_RES_DL_SRC:
3612 case COL_UNRES_DL_SRC:
3613 case COL_DEF_NET_SRC:
3614 case COL_RES_NET_SRC:
3615 case COL_UNRES_NET_SRC:
3616 column_len = col_len = strlen(col_item->col_data);
3617 if (column_len < 12)
3619 line_bufp = get_line_buf(buf_offset + column_len);
3620 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3626 case COL_DEF_DL_DST:
3627 case COL_RES_DL_DST:
3628 case COL_UNRES_DL_DST:
3629 case COL_DEF_NET_DST:
3630 case COL_RES_NET_DST:
3631 case COL_UNRES_NET_DST:
3632 column_len = col_len = strlen(col_item->col_data);
3633 if (column_len < 12)
3635 line_bufp = get_line_buf(buf_offset + column_len);
3636 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3640 column_len = strlen(col_item->col_data);
3641 line_bufp = get_line_buf(buf_offset + column_len);
3642 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3645 buf_offset += column_len;
3646 if (i != cf->cinfo.num_cols - 1) {
3648 * This isn't the last column, so we need to print a
3649 * separator between this column and the next.
3651 * If we printed a network source and are printing a
3652 * network destination of the same type next, separate
3653 * them with a UTF-8 right arrow; if we printed a network
3654 * destination and are printing a network source of the same
3655 * type next, separate them with a UTF-8 left arrow;
3656 * otherwise separate them with a space.
3658 * We add enough space to the buffer for " \xe2\x86\x90 "
3659 * or " \xe2\x86\x92 ", even if we're only adding " ".
3661 line_bufp = get_line_buf(buf_offset + 5);
3662 switch (col_item->col_fmt) {
3667 switch (cf->cinfo.columns[i+1].col_fmt) {
3672 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3673 put_string(line_bufp + buf_offset, str_format, 5);
3678 put_string(line_bufp + buf_offset, delimiter_char, 1);
3684 case COL_DEF_DL_SRC:
3685 case COL_RES_DL_SRC:
3686 case COL_UNRES_DL_SRC:
3687 switch (cf->cinfo.columns[i+1].col_fmt) {
3689 case COL_DEF_DL_DST:
3690 case COL_RES_DL_DST:
3691 case COL_UNRES_DL_DST:
3692 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3693 put_string(line_bufp + buf_offset, str_format, 5);
3698 put_string(line_bufp + buf_offset, delimiter_char, 1);
3704 case COL_DEF_NET_SRC:
3705 case COL_RES_NET_SRC:
3706 case COL_UNRES_NET_SRC:
3707 switch (cf->cinfo.columns[i+1].col_fmt) {
3709 case COL_DEF_NET_DST:
3710 case COL_RES_NET_DST:
3711 case COL_UNRES_NET_DST:
3712 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3713 put_string(line_bufp + buf_offset, str_format, 5);
3718 put_string(line_bufp + buf_offset, delimiter_char, 1);
3727 switch (cf->cinfo.columns[i+1].col_fmt) {
3732 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3733 put_string(line_bufp + buf_offset, str_format, 5);
3738 put_string(line_bufp + buf_offset, delimiter_char, 1);
3744 case COL_DEF_DL_DST:
3745 case COL_RES_DL_DST:
3746 case COL_UNRES_DL_DST:
3747 switch (cf->cinfo.columns[i+1].col_fmt) {
3749 case COL_DEF_DL_SRC:
3750 case COL_RES_DL_SRC:
3751 case COL_UNRES_DL_SRC:
3752 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3753 put_string(line_bufp + buf_offset, str_format, 5);
3758 put_string(line_bufp + buf_offset, delimiter_char, 1);
3764 case COL_DEF_NET_DST:
3765 case COL_RES_NET_DST:
3766 case COL_UNRES_NET_DST:
3767 switch (cf->cinfo.columns[i+1].col_fmt) {
3769 case COL_DEF_NET_SRC:
3770 case COL_RES_NET_SRC:
3771 case COL_UNRES_NET_SRC:
3772 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3773 put_string(line_bufp + buf_offset, str_format, 5);
3778 put_string(line_bufp + buf_offset, delimiter_char, 1);
3785 put_string(line_bufp + buf_offset, delimiter_char, 1);
3791 return print_line(print_stream, 0, line_bufp);
3795 print_packet(capture_file *cf, epan_dissect_t *edt)
3797 if (print_summary || output_fields_has_cols(output_fields)) {
3798 /* Just fill in the columns. */
3799 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3801 if (print_summary) {
3802 /* Now print them. */
3803 switch (output_action) {
3806 if (!print_columns(cf))
3811 write_psml_columns(edt, stdout);
3812 return !ferror(stdout);
3813 case WRITE_FIELDS: /*No non-verbose "fields" format */
3816 case WRITE_JSON_RAW:
3817 g_assert_not_reached();
3822 if (print_details) {
3823 /* Print the information in the protocol tree. */
3824 switch (output_action) {
3827 if (!proto_tree_print(print_details ? print_dissections_expanded : print_dissections_none,
3828 print_hex, edt, output_only_tables, print_stream))
3831 if (!print_line(print_stream, 0, separator))
3837 write_pdml_proto_tree(output_fields, protocolfilter, protocolfilter_flags, edt, stdout);
3839 return !ferror(stdout);
3841 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
3843 return !ferror(stdout);
3845 write_json_proto_tree(output_fields, print_dissections_expanded,
3846 print_hex, protocolfilter, protocolfilter_flags,
3849 return !ferror(stdout);
3850 case WRITE_JSON_RAW:
3851 write_json_proto_tree(output_fields, print_dissections_none, TRUE,
3852 protocolfilter, protocolfilter_flags, edt, stdout);
3854 return !ferror(stdout);
3856 write_ek_proto_tree(output_fields, print_hex, protocolfilter,
3857 protocolfilter_flags, edt, stdout);
3858 return !ferror(stdout);
3862 if (print_summary || print_details) {
3863 if (!print_line(print_stream, 0, ""))
3866 if (!print_hex_data(print_stream, edt))
3868 if (!print_line(print_stream, 0, separator))
3877 switch (output_action) {
3880 return print_finale(print_stream);
3884 write_pdml_finale(stdout);
3886 write_psml_finale(stdout);
3887 return !ferror(stdout);
3890 write_fields_finale(output_fields, stdout);
3891 return !ferror(stdout);
3894 case WRITE_JSON_RAW:
3895 write_json_finale(stdout);
3896 return !ferror(stdout);
3899 return !ferror(stdout);
3902 g_assert_not_reached();
3908 cf_close(capture_file *cf)
3910 g_free(cf->filename);
3914 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
3919 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
3923 /* The open succeeded. Fill in the information for this file. */
3925 /* Create new epan session for dissection. */
3926 epan_free(cf->epan);
3927 cf->epan = tshark_epan_new(cf);
3930 cf->f_datalen = 0; /* not used, but set it anyway */
3932 /* Set the file name because we need it to set the follow stream filter.
3933 XXX - is that still true? We need it for other reasons, though,
3935 cf->filename = g_strdup(fname);
3937 /* Indicate whether it's a permanent or temporary file. */
3938 cf->is_tempfile = is_tempfile;
3940 /* No user changes yet. */
3941 cf->unsaved_changes = FALSE;
3943 cf->cd_t = wtap_file_type_subtype(cf->wth);
3944 cf->open_type = type;
3946 cf->drops_known = FALSE;
3948 cf->snap = wtap_snapshot_length(cf->wth);
3949 if (cf->snap == 0) {
3950 /* Snapshot length not known. */
3951 cf->has_snap = FALSE;
3952 cf->snap = WTAP_MAX_PACKET_SIZE;
3954 cf->has_snap = TRUE;
3955 nstime_set_zero(&cf->elapsed_time);
3960 cf->state = FILE_READ_IN_PROGRESS;
3962 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3963 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3968 cfile_open_failure_message("TShark", fname, *err, err_info);
3973 show_print_file_io_error(int err)
3978 cmdarg_err("Not all the packets could be printed because there is "
3979 "no space left on the file system.");
3984 cmdarg_err("Not all the packets could be printed because you are "
3985 "too close to, or over your disk quota.");
3990 cmdarg_err("An error occurred while printing packets: %s.",
3997 * General errors and warnings are reported with an console message
4001 failure_warning_message(const char *msg_format, va_list ap)
4003 fprintf(stderr, "tshark: ");
4004 vfprintf(stderr, msg_format, ap);
4005 fprintf(stderr, "\n");
4009 * Open/create errors are reported with an console message in TShark.
4012 open_failure_message(const char *filename, int err, gboolean for_writing)
4014 fprintf(stderr, "tshark: ");
4015 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4016 fprintf(stderr, "\n");
4020 * Read errors are reported with an console message in TShark.
4023 read_failure_message(const char *filename, int err)
4025 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4026 filename, g_strerror(err));
4030 * Write errors are reported with an console message in TShark.
4033 write_failure_message(const char *filename, int err)
4035 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4036 filename, g_strerror(err));
4039 static void reset_epan_mem(capture_file *cf,epan_dissect_t *edt, gboolean tree, gboolean visual)
4041 if (!epan_auto_reset || (cf->count < epan_auto_reset_count))
4044 fprintf(stderr, "resetting session.\n");
4046 epan_dissect_cleanup(edt);
4047 epan_free(cf->epan);
4049 cf->epan = tshark_epan_new(cf);
4050 epan_dissect_init(edt, cf->epan, tree, visual);
4055 * Report additional information for an error in command-line arguments.
4058 failure_message_cont(const char *msg_format, va_list ap)
4060 vfprintf(stderr, msg_format, ap);
4061 fprintf(stderr, "\n");
4065 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4070 * indent-tabs-mode: nil
4073 * vi: set shiftwidth=2 tabstop=8 expandtab:
4074 * :indentSize=2:tabSize=8:noTabs=true: