3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 #include <zlib.h> /* to get the libz version number */
48 # include <sys/capability.h>
51 #ifndef HAVE_GETOPT_LONG
52 #include "wsutil/wsgetopt.h"
57 #include <epan/exceptions.h>
58 #include <epan/epan-int.h>
59 #include <epan/epan.h>
61 #include <wsutil/clopts_common.h>
62 #include <wsutil/cmdarg_err.h>
63 #include <wsutil/crash_info.h>
64 #include <wsutil/filesystem.h>
65 #include <wsutil/file_util.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/report_err.h>
68 #include <wsutil/ws_diag_control.h>
69 #include <wsutil/ws_version_info.h>
72 #include <epan/timestamp.h>
73 #include <epan/packet.h>
75 #include <epan/wslua/init_wslua.h>
77 #include "frame_tvbuff.h"
78 #include <epan/disabled_protos.h>
79 #include <epan/prefs.h>
80 #include <epan/column.h>
81 #include <epan/print.h>
82 #include <epan/addr_resolv.h>
84 #include "ui/capture_ui_utils.h"
87 #include "ui/ui_util.h"
88 #include "ui/cli/tshark-tap.h"
90 #include <epan/epan_dissect.h>
92 #include <epan/stat_tap_ui.h>
93 #include <epan/conversation_table.h>
94 #include <epan/srt_table.h>
95 #include <epan/rtd_table.h>
96 #include <epan/ex-opt.h>
98 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
99 #include <epan/asn1.h>
100 #include <epan/dissectors/packet-kerberos.h>
103 #include "capture_opts.h"
105 #include "caputils/capture-pcap-util.h"
108 #include "caputils/capture_ifinfo.h"
110 #include "caputils/capture-wpcap.h"
111 #include <wsutil/os_version_info.h>
112 #include <wsutil/unicode-utils.h>
114 #include <capchild/capture_session.h>
115 #include <capchild/capture_sync.h>
116 #endif /* HAVE_LIBPCAP */
118 #include <epan/funnel.h>
120 #include <wsutil/str_util.h>
123 #include <wsutil/plugins.h>
128 #define tshark_debug(...) g_warning(__VA_ARGS__)
130 #define tshark_debug(...)
135 * This is the template for the decode as option; it is shared between the
136 * various functions that output the usage for this parameter.
138 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
140 static guint32 cum_bytes;
141 static const frame_data *ref;
142 static frame_data ref_frame;
143 static frame_data *prev_dis;
144 static frame_data prev_dis_frame;
145 static frame_data *prev_cap;
146 static frame_data prev_cap_frame;
148 static const char* prev_display_dissector_name = NULL;
150 static gboolean perform_two_pass_analysis;
153 * The way the packet decode is to be written.
156 WRITE_TEXT, /* summary or detail text */
157 WRITE_XML, /* PDML or PSML */
158 WRITE_FIELDS /* User defined list of fields */
159 /* Add CSV and the like here */
162 static output_action_e output_action;
163 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
164 static gboolean print_packet_info; /* TRUE if we're to print packet information */
165 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
166 static gboolean print_details; /* TRUE if we're to print packet details information */
167 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
168 static gboolean line_buffered;
169 static gboolean really_quiet = FALSE;
171 static print_format_e print_format = PR_FMT_TEXT;
172 static print_stream_t *print_stream;
174 static output_fields_t* output_fields = NULL;
176 /* The line separator used between packets, changeable via the -S option */
177 static const char *separator = "";
181 * TRUE if we're to print packet counts to keep track of captured packets.
183 static gboolean print_packet_counts;
185 static capture_options global_capture_opts;
186 static capture_session global_capture_session;
189 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
190 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
193 static gboolean capture(void);
194 static void report_counts(void);
196 static BOOL WINAPI capture_cleanup(DWORD);
198 static void capture_cleanup(int);
200 static void report_counts_siginfo(int);
204 #else /* HAVE_LIBPCAP */
206 static char *output_file_name;
208 #endif /* HAVE_LIBPCAP */
210 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
211 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
212 struct wtap_pkthdr *whdr, const guchar *pd,
214 static void show_capture_file_io_error(const char *, int, gboolean);
215 static void show_print_file_io_error(int err);
216 static gboolean write_preamble(capture_file *cf);
217 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
218 static gboolean write_finale(void);
219 static const char *cf_open_error_message(int err, gchar *err_info,
220 gboolean for_writing, int file_type);
222 static void open_failure_message(const char *filename, int err,
223 gboolean for_writing);
224 static void failure_message(const char *msg_format, va_list ap);
225 static void read_failure_message(const char *filename, int err);
226 static void write_failure_message(const char *filename, int err);
227 static void failure_message_cont(const char *msg_format, va_list ap);
231 static GHashTable *output_only_tables = NULL;
234 const char *sstr; /* The short string */
235 const char *lstr; /* The long string */
239 string_compare(gconstpointer a, gconstpointer b)
241 return strcmp(((const struct string_elem *)a)->sstr,
242 ((const struct string_elem *)b)->sstr);
246 string_elem_print(gpointer data, gpointer not_used _U_)
248 fprintf(stderr, " %s - %s\n",
249 ((struct string_elem *)data)->sstr,
250 ((struct string_elem *)data)->lstr);
254 list_capture_types(void) {
256 struct string_elem *captypes;
259 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
261 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
262 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
263 if (wtap_dump_can_open(i)) {
264 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
265 captypes[i].lstr = wtap_file_type_subtype_string(i);
266 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
269 g_slist_foreach(list, string_elem_print, NULL);
275 list_read_capture_types(void) {
277 struct string_elem *captypes;
279 const char *magic = "Magic-value-based";
280 const char *heuristic = "Heuristics-based";
282 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
283 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
285 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
286 for (i = 0; open_routines[i].name != NULL; i++) {
287 captypes[i].sstr = open_routines[i].name;
288 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
289 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
291 g_slist_foreach(list, string_elem_print, NULL);
297 print_usage(FILE *output)
299 fprintf(output, "\n");
300 fprintf(output, "Usage: tshark [options] ...\n");
301 fprintf(output, "\n");
304 fprintf(output, "Capture interface:\n");
305 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
306 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
307 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
308 fprintf(output, " -p don't capture in promiscuous mode\n");
309 #ifdef HAVE_PCAP_CREATE
310 fprintf(output, " -I capture in monitor mode, if available\n");
312 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
313 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
315 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
316 fprintf(output, " -D print list of interfaces and exit\n");
317 fprintf(output, " -L print list of link-layer types of iface and exit\n");
318 fprintf(output, "\n");
319 fprintf(output, "Capture stop conditions:\n");
320 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
321 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
322 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
323 fprintf(output, " files:NUM - stop after NUM files\n");
324 /*fprintf(output, "\n");*/
325 fprintf(output, "Capture output:\n");
326 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
327 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
328 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
329 #endif /* HAVE_LIBPCAP */
330 #ifdef HAVE_PCAP_REMOTE
331 fprintf(output, "RPCAP options:\n");
332 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
334 /*fprintf(output, "\n");*/
335 fprintf(output, "Input file:\n");
336 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
338 fprintf(output, "\n");
339 fprintf(output, "Processing:\n");
340 fprintf(output, " -2 perform a two-pass analysis\n");
341 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
342 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
343 fprintf(output, " syntax\n");
344 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
345 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
346 fprintf(output, " -d %s ...\n", decode_as_arg_template);
347 fprintf(output, " \"Decode As\", see the man page for details\n");
348 fprintf(output, " Example: tcp.port==8888,http\n");
349 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
350 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
351 fprintf(output, " --disable-protocol <proto_name>\n");
352 fprintf(output, " disable dissection of proto_name\n");
353 fprintf(output, " --enable-heuristic <short_name>\n");
354 fprintf(output, " enable dissection of heuristic protocol\n");
355 fprintf(output, " --disable-heuristic <short_name>\n");
356 fprintf(output, " disable dissection of heuristic protocol\n");
358 /*fprintf(output, "\n");*/
359 fprintf(output, "Output:\n");
360 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
361 fprintf(output, " (or to the standard output for \"-\")\n");
362 fprintf(output, " -C <config profile> start with specified configuration profile\n");
363 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
364 fprintf(output, " an empty \"-F\" option will list the file types\n");
365 fprintf(output, " -V add output of packet tree (Packet Details)\n");
366 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
367 fprintf(output, " separated\n");
368 fprintf(output, " -P print packet summary even when writing to a file\n");
369 fprintf(output, " -S <separator> the line separator to print between packets\n");
370 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
371 fprintf(output, " -T pdml|ps|psml|text|fields\n");
372 fprintf(output, " format of text output (def: text)\n");
373 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
374 fprintf(output, " _ws.col.Info)\n");
375 fprintf(output, " this option can be repeated to print multiple fields\n");
376 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
377 fprintf(output, " header=y|n switch headers on and off\n");
378 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
379 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
380 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
381 fprintf(output, " aggregator\n");
382 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
383 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
384 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
385 fprintf(output, " -l flush standard output after each packet\n");
386 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
387 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
388 fprintf(output, " -g enable group read access on the output file(s)\n");
389 fprintf(output, " -W n Save extra information in the file, if supported.\n");
390 fprintf(output, " n = write network address resolution information\n");
391 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
392 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
393 fprintf(output, " --capture-comment <comment>\n");
394 fprintf(output, " add a capture comment to the newly created\n");
395 fprintf(output, " output file (only for pcapng)\n");
397 fprintf(output, "\n");
398 fprintf(output, "Miscellaneous:\n");
399 fprintf(output, " -h display this help and exit\n");
400 fprintf(output, " -v display version info and exit\n");
401 fprintf(output, " -o <name>:<value> ... override preference setting\n");
402 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
403 fprintf(output, " -G [report] dump one of several available reports and exit\n");
404 fprintf(output, " default report=\"fields\"\n");
405 fprintf(output, " use \"-G ?\" for more help\n");
407 fprintf(output, "\n");
408 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
409 fprintf(output, "You might want to reset it\n");
410 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
411 fprintf(output, "\n");
417 glossary_option_help(void)
423 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
425 fprintf(output, "\n");
426 fprintf(output, "Usage: tshark -G [report]\n");
427 fprintf(output, "\n");
428 fprintf(output, "Glossary table reports:\n");
429 fprintf(output, " -G column-formats dump column format codes and exit\n");
430 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
431 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
432 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
433 fprintf(output, " -G fields dump fields glossary and exit\n");
434 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
435 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
436 fprintf(output, " -G plugins dump installed plugins and exit\n");
437 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
438 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
439 fprintf(output, "\n");
440 fprintf(output, "Preference reports:\n");
441 fprintf(output, " -G currentprefs dump current preferences and exit\n");
442 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
443 fprintf(output, "\n");
447 * For a dissector table, print on the stream described by output,
448 * its short name (which is what's used in the "-d" option) and its
452 display_dissector_table_names(const char *table_name, const char *ui_name,
455 if ((prev_display_dissector_name == NULL) ||
456 (strcmp(prev_display_dissector_name, table_name) != 0)) {
457 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
458 prev_display_dissector_name = table_name;
463 * For a dissector handle, print on the stream described by output,
464 * the filter name (which is what's used in the "-d" option) and the full
465 * name for the protocol that corresponds to this handle.
468 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
471 const gchar *proto_filter_name;
472 const gchar *proto_ui_name;
474 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
476 if (proto_id != -1) {
477 proto_filter_name = proto_get_protocol_filter_name(proto_id);
478 proto_ui_name = proto_get_protocol_name(proto_id);
479 g_assert(proto_filter_name != NULL);
480 g_assert(proto_ui_name != NULL);
482 if ((prev_display_dissector_name == NULL) ||
483 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
484 fprintf((FILE *)output, "\t%s (%s)\n",
487 prev_display_dissector_name = proto_filter_name;
493 * The protocol_name_search structure is used by find_protocol_name_func()
494 * to pass parameters and store results
496 struct protocol_name_search{
497 gchar *searched_name; /* Protocol filter name we are looking for */
498 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
499 guint nb_match; /* How many dissectors matched searched_name */
501 typedef struct protocol_name_search *protocol_name_search_t;
504 * This function parses all dissectors associated with a table to find the
505 * one whose protocol has the specified filter name. It is called
506 * as a reference function in a call to dissector_table_foreach_handle.
507 * The name we are looking for, as well as the results, are stored in the
508 * protocol_name_search struct pointed to by user_data.
509 * If called using dissector_table_foreach_handle, we actually parse the
510 * whole list of dissectors.
513 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
517 const gchar *protocol_filter_name;
518 protocol_name_search_t search_info;
522 search_info = (protocol_name_search_t)user_data;
524 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
525 if (proto_id != -1) {
526 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
527 g_assert(protocol_filter_name != NULL);
528 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
530 if (search_info->nb_match == 0) {
531 /* Record this handle only if this is the first match */
532 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
534 search_info->nb_match++;
540 * Allow dissector key names to be sorted alphabetically
544 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
546 return strcmp((const char*)dissector_a, (const char*)dissector_b);
550 * Print all layer type names supported.
551 * We send the output to the stream described by the handle output.
555 fprint_all_layer_types(FILE *output)
558 prev_display_dissector_name = NULL;
559 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
563 * Print all protocol names supported for a specific layer type.
564 * table_name contains the layer type name in which the search is performed.
565 * We send the output to the stream described by the handle output.
569 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
572 prev_display_dissector_name = NULL;
573 dissector_table_foreach_handle(table_name,
574 display_dissector_names,
579 * The function below parses the command-line parameters for the decode as
580 * feature (a string pointer by cl_param).
581 * It checks the format of the command-line, searches for a matching table
582 * and dissector. If a table/dissector match is not found, we display a
583 * summary of the available tables/dissectors (on stderr) and return FALSE.
584 * If everything is fine, we get the "Decode as" preference activated,
585 * then we return TRUE.
588 add_decode_as(const gchar *cl_param)
591 guint32 selector, selector2;
592 gchar *decoded_param;
593 gchar *remaining_param;
595 gchar *dissector_str;
596 dissector_handle_t dissector_matching;
597 dissector_table_t table_matching;
598 ftenum_t dissector_table_selector_type;
599 struct protocol_name_search user_protocol_name;
603 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
606 decoded_param = g_strdup(cl_param);
607 g_assert(decoded_param);
610 /* The lines below will parse this string (modifying it) to extract all
611 necessary information. Note that decoded_param is still needed since
612 strings are not copied - we just save pointers. */
614 /* This section extracts a layer type (table_name) from decoded_param */
615 table_name = decoded_param; /* Layer type string starts from beginning */
617 remaining_param = strchr(table_name, '=');
618 if (remaining_param == NULL) {
619 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
620 /* If the argument does not follow the template, carry on anyway to check
621 if the table name is at least correct. If remaining_param is NULL,
622 we'll exit anyway further down */
625 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
628 /* Remove leading and trailing spaces from the table name */
629 while ( table_name[0] == ' ' )
631 while ( table_name[strlen(table_name) - 1] == ' ' )
632 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
634 /* The following part searches a table matching with the layer type specified */
635 table_matching = NULL;
637 /* Look for the requested table */
638 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
639 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
642 table_matching = find_dissector_table(table_name);
643 if (!table_matching) {
644 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
648 if (!table_matching) {
649 /* Display a list of supported layer types to help the user, if the
650 specified layer type was not found */
651 cmdarg_err("Valid layer types are:");
652 fprint_all_layer_types(stderr);
654 if (remaining_param == NULL || !table_matching) {
655 /* Exit if the layer type was not found, or if no '=' separator was found
657 g_free(decoded_param);
661 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
662 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
665 remaining_param++; /* Move to the second '=' */
666 *remaining_param = '\0'; /* Remove the second '=' */
668 remaining_param++; /* Position after the layer type string */
670 /* This section extracts a selector value (selector_str) from decoded_param */
672 selector_str = remaining_param; /* Next part starts with the selector number */
674 remaining_param = strchr(selector_str, ',');
675 if (remaining_param == NULL) {
676 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
677 /* If the argument does not follow the template, carry on anyway to check
678 if the selector value is at least correct. If remaining_param is NULL,
679 we'll exit anyway further down */
682 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
685 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
687 switch (dissector_table_selector_type) {
693 /* The selector for this table is an unsigned number. Parse it as such.
694 There's no need to remove leading and trailing spaces from the
695 selector number string, because sscanf will do that for us. */
696 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
701 if (op != ':' && op != '-') {
702 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
703 g_free(decoded_param);
707 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
708 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
709 g_free(decoded_param);
713 else if (selector2 < selector) {
714 /* We could swap them for the user, but maybe it's better to call
715 * this out as an error in case it's not what was intended? */
716 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
717 g_free(decoded_param);
722 cmdarg_err("Invalid selector number \"%s\"", selector_str);
723 g_free(decoded_param);
732 /* The selector for this table is a string. */
736 /* There are currently no dissector tables with any types other
737 than the ones listed above. */
738 g_assert_not_reached();
741 if (remaining_param == NULL) {
742 /* Exit if no ',' separator was found (see above) */
743 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
744 fprint_all_protocols_for_layer_types(stderr, table_name);
745 g_free(decoded_param);
749 remaining_param++; /* Position after the selector number string */
751 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
753 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
755 /* Remove leading and trailing spaces from the dissector name */
756 while ( dissector_str[0] == ' ' )
758 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
759 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
761 dissector_matching = NULL;
763 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
764 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
765 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
768 user_protocol_name.nb_match = 0;
769 user_protocol_name.searched_name = dissector_str;
770 user_protocol_name.matched_handle = NULL;
772 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
774 if (user_protocol_name.nb_match != 0) {
775 dissector_matching = user_protocol_name.matched_handle;
776 if (user_protocol_name.nb_match > 1) {
777 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
781 /* OK, check whether the problem is that there isn't any such
782 protocol, or that there is but it's not specified as a protocol
783 that's valid for that dissector table.
784 Note, we don't exit here, but dissector_matching will remain NULL,
786 if (proto_get_id_by_filter_name(dissector_str) == -1) {
787 /* No such protocol */
788 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
790 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
791 dissector_str, table_name);
796 if (!dissector_matching) {
797 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
798 fprint_all_protocols_for_layer_types(stderr, table_name);
799 g_free(decoded_param);
803 /* This is the end of the code that parses the command-line options.
804 All information is now stored in the variables:
808 The above variables that are strings are still pointing to areas within
809 decoded_parm. decoded_parm thus still needs to be kept allocated in
810 until we stop needing these variables
811 decoded_param will be deallocated at each exit point of this function */
814 /* We now have a pointer to the handle for the requested dissector
815 (requested protocol) inside the variable dissector_matching */
816 switch (dissector_table_selector_type) {
822 /* The selector for this table is an unsigned number. */
824 dissector_change_uint(table_name, selector, dissector_matching);
825 } else if (op == ':') {
826 for (i = selector; i < (guint64)selector + selector2; i++) {
827 dissector_change_uint(table_name, (guint32)i, dissector_matching);
829 } else { /* op == '-' */
830 for (i = selector; i <= selector2; i++) {
831 dissector_change_uint(table_name, (guint32)i, dissector_matching);
840 /* The selector for this table is a string. */
841 dissector_change_string(table_name, selector_str, dissector_matching);
845 /* There are currently no dissector tables with any types other
846 than the ones listed above. */
847 g_assert_not_reached();
849 g_free(decoded_param); /* "Decode As" rule has been successfully added */
854 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
855 const gchar *message, gpointer user_data)
857 /* ignore log message, if log_level isn't interesting based
858 upon the console log preferences.
859 If the preferences haven't been loaded loaded yet, display the
862 The default console_log_level preference value is such that only
863 ERROR, CRITICAL and WARNING level messages are processed;
864 MESSAGE, INFO and DEBUG level messages are ignored.
866 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
867 ERROR and CRITICAL level messages so the current code is a behavioral
868 change. The current behavior is the same as in Wireshark.
870 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
871 prefs.console_log_level != 0) {
875 g_log_default_handler(log_domain, log_level, message, user_data);
880 output_file_description(const char *fname)
882 char *save_file_string;
884 /* Get a string that describes what we're writing to */
885 if (strcmp(fname, "-") == 0) {
886 /* We're writing to the standard output */
887 save_file_string = g_strdup("standard output");
889 /* We're writing to a file with the name in save_file */
890 save_file_string = g_strdup_printf("file \"%s\"", fname);
892 return save_file_string;
896 print_current_user(void) {
897 gchar *cur_user, *cur_group;
899 if (started_with_special_privs()) {
900 cur_user = get_cur_username();
901 cur_group = get_cur_groupname();
902 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
903 cur_user, cur_group);
906 if (running_with_special_privs()) {
907 fprintf(stderr, " This could be dangerous.");
909 fprintf(stderr, "\n");
914 get_tshark_compiled_version_info(GString *str)
916 /* Capture libraries */
917 get_compiled_caplibs_version(str);
920 g_string_append(str, ", ");
922 g_string_append(str, "with libz ");
924 g_string_append(str, ZLIB_VERSION);
925 #else /* ZLIB_VERSION */
926 g_string_append(str, "(version unknown)");
927 #endif /* ZLIB_VERSION */
928 #else /* HAVE_LIBZ */
929 g_string_append(str, "without libz");
930 #endif /* HAVE_LIBZ */
934 get_tshark_runtime_version_info(GString *str)
937 /* Capture libraries */
938 g_string_append(str, ", ");
939 get_runtime_caplibs_version(str);
943 #if defined(HAVE_LIBZ) && !defined(_WIN32)
944 g_string_append_printf(str, ", with libz %s", zlibVersion());
947 /* stuff used by libwireshark */
948 epan_get_runtime_version_info(str);
952 main(int argc, char *argv[])
954 GString *comp_info_str;
955 GString *runtime_info_str;
956 char *init_progfile_dir_error;
959 static const struct option long_options[] = {
960 {(char *)"help", no_argument, NULL, 'h'},
961 {(char *)"version", no_argument, NULL, 'v'},
962 LONGOPT_CAPTURE_COMMON
966 gboolean arg_error = FALSE;
972 char *gpf_path, *pf_path;
973 char *gdp_path, *dp_path;
974 int gpf_open_errno, gpf_read_errno;
975 int pf_open_errno, pf_read_errno;
976 int gdp_open_errno, gdp_read_errno;
977 int dp_open_errno, dp_read_errno;
979 volatile int exit_status = 0;
981 gboolean list_link_layer_types = FALSE;
982 gboolean start_capture = FALSE;
987 gboolean capture_option_specified = FALSE;
989 gboolean quiet = FALSE;
990 #ifdef PCAP_NG_DEFAULT
991 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
993 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
995 volatile gboolean out_file_name_res = FALSE;
996 volatile int in_file_type = WTAP_TYPE_AUTO;
997 gchar *volatile cf_name = NULL;
998 gchar *rfilter = NULL;
999 gchar *dfilter = NULL;
1000 #ifdef HAVE_PCAP_OPEN_DEAD
1001 struct bpf_program fcode;
1003 dfilter_t *rfcode = NULL;
1004 dfilter_t *dfcode = NULL;
1009 gchar *output_only = NULL;
1010 GSList *disable_protocol_slist = NULL;
1011 GSList *enable_heur_slist = NULL;
1012 GSList *disable_heur_slist = NULL;
1015 * The leading + ensures that getopt_long() does not permute the argv[]
1018 * We have to make sure that the first getopt_long() preserves the content
1019 * of argv[] for the subsequent getopt_long() call.
1021 * We use getopt_long() in both cases to ensure that we're using a routine
1022 * whose permutation behavior we can control in the same fashion on all
1023 * platforms, and so that, if we ever need to process a long argument before
1024 * doing further initialization, we can do so.
1026 * Glibc and Solaris libc document that a leading + disables permutation
1027 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1028 * and OS X don't document it, but do so anyway.
1030 * We do *not* use a leading - because the behavior of a leading - is
1031 * platform-dependent.
1033 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1035 static const char optstring[] = OPTSTRING;
1037 tshark_debug("tshark started with %d args", argc);
1039 /* Set the C-language locale to the native environment. */
1040 setlocale(LC_ALL, "");
1042 cmdarg_err_init(failure_message, failure_message_cont);
1045 arg_list_utf_16to8(argc, argv);
1046 create_app_running_mutex();
1047 #if !GLIB_CHECK_VERSION(2,31,0)
1048 g_thread_init(NULL);
1053 * Get credential information for later use, and drop privileges
1054 * before doing anything else.
1055 * Let the user know if anything happened.
1057 init_process_policies();
1058 relinquish_special_privs_perm();
1059 print_current_user();
1062 * Attempt to get the pathname of the executable file.
1064 init_progfile_dir_error = init_progfile_dir(argv[0], (void *)main);
1065 if (init_progfile_dir_error != NULL) {
1066 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1067 init_progfile_dir_error);
1070 initialize_funnel_ops();
1073 /* Load wpcap if possible. Do this before collecting the run-time version information */
1076 /* Warn the user if npf.sys isn't loaded. */
1077 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1078 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1079 "capturing or\nlisting interfaces.\n");
1083 /* Get the compile-time version information string */
1084 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1085 epan_get_compiled_version_info);
1087 /* Get the run-time version information string */
1088 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1090 /* Add it to the information to be reported on a crash. */
1091 ws_add_crash_info("TShark (Wireshark) %s\n"
1096 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1097 g_string_free(comp_info_str, TRUE);
1098 g_string_free(runtime_info_str, TRUE);
1101 * In order to have the -X opts assigned before the wslua machine starts
1102 * we need to call getopt_long before epan_init() gets called.
1104 * In order to handle, for example, -o options, we also need to call it
1105 * *after* epan_init() gets called, so that the dissectors have had a
1106 * chance to register their preferences.
1108 * XXX - can we do this all with one getopt_long() call, saving the
1109 * arguments we can't handle until after initializing libwireshark,
1110 * and then process them after initializing libwireshark?
1114 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1116 case 'C': /* Configuration Profile */
1117 if (profile_exists (optarg, FALSE)) {
1118 set_profile_name (optarg);
1120 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1124 case 'P': /* Print packet summary info even when writing to a file */
1125 print_packet_info = TRUE;
1126 print_summary = TRUE;
1128 case 'O': /* Only output these protocols */
1129 output_only = g_strdup(optarg);
1131 case 'V': /* Verbose */
1132 print_details = TRUE;
1133 print_packet_info = TRUE;
1135 case 'x': /* Print packet data in hex (and ASCII) */
1137 /* The user asked for hex output, so let's ensure they get it,
1138 * even if they're writing to a file.
1140 print_packet_info = TRUE;
1151 * Print packet summary information is the default, unless either -V or -x
1152 * were specified and -P was not. Note that this is new behavior, which
1153 * allows for the possibility of printing only hex/ascii output without
1154 * necessarily requiring that either the summary or details be printed too.
1156 if (print_summary == -1)
1157 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1159 /** Send All g_log messages to our own handler **/
1163 G_LOG_LEVEL_CRITICAL|
1164 G_LOG_LEVEL_WARNING|
1165 G_LOG_LEVEL_MESSAGE|
1168 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1170 g_log_set_handler(NULL,
1171 (GLogLevelFlags)log_flags,
1172 tshark_log_handler, NULL /* user_data */);
1173 g_log_set_handler(LOG_DOMAIN_MAIN,
1174 (GLogLevelFlags)log_flags,
1175 tshark_log_handler, NULL /* user_data */);
1178 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1179 (GLogLevelFlags)log_flags,
1180 tshark_log_handler, NULL /* user_data */);
1181 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1182 (GLogLevelFlags)log_flags,
1183 tshark_log_handler, NULL /* user_data */);
1186 init_report_err(failure_message, open_failure_message, read_failure_message,
1187 write_failure_message);
1190 capture_opts_init(&global_capture_opts);
1191 capture_session_init(&global_capture_session, &cfile);
1194 timestamp_set_type(TS_RELATIVE);
1195 timestamp_set_precision(TS_PREC_AUTO);
1196 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1198 init_open_routines();
1201 /* Register all the plugin types we have. */
1202 epan_register_plugin_types(); /* Types known to libwireshark */
1203 wtap_register_plugin_types(); /* Types known to libwiretap */
1205 /* Scan for plugins. This does *not* call their registration routines;
1206 that's done later. */
1209 /* Register all libwiretap plugin modules. */
1210 register_all_wiretap_modules();
1213 /* Register all dissectors; we must do this before checking for the
1214 "-G" flag, as the "-G" flag dumps information registered by the
1215 dissectors, and we must do it before we read the preferences, in
1216 case any dissectors register preferences. */
1217 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
1221 /* Register all tap listeners; we do this before we parse the arguments,
1222 as the "-z" argument can specify a registered tap. */
1224 /* we register the plugin taps before the other taps because
1225 stats_tree taps plugins will be registered as tap listeners
1226 by stats_tree_stat.c and need to registered before that */
1228 register_all_plugin_tap_listeners();
1230 register_all_tap_listeners();
1231 conversation_table_set_gui_info(init_iousers);
1232 hostlist_table_set_gui_info(init_hostlists);
1233 srt_table_iterate_tables(register_srt_tables, NULL);
1234 rtd_table_iterate_tables(register_rtd_tables, NULL);
1235 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1237 /* If invoked with the "-G" flag, we dump out information based on
1238 the argument to the "-G" flag; if no argument is specified,
1239 for backwards compatibility we dump out a glossary of display
1242 XXX - we do this here, for now, to support "-G" with no arguments.
1243 If none of our build or other processes uses "-G" with no arguments,
1244 we can just process it with the other arguments. */
1245 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1246 proto_initialize_all_prefixes();
1249 proto_registrar_dump_fields();
1251 if (strcmp(argv[2], "column-formats") == 0)
1252 column_dump_column_formats();
1253 else if (strcmp(argv[2], "currentprefs") == 0) {
1254 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1255 &pf_open_errno, &pf_read_errno, &pf_path);
1258 else if (strcmp(argv[2], "decodes") == 0)
1259 dissector_dump_decodes();
1260 else if (strcmp(argv[2], "defaultprefs") == 0)
1262 else if (strcmp(argv[2], "dissector-tables") == 0)
1263 dissector_dump_dissector_tables();
1264 else if (strcmp(argv[2], "fieldcount") == 0) {
1265 /* return value for the test suite */
1266 return proto_registrar_dump_fieldcount();
1267 } else if (strcmp(argv[2], "fields") == 0)
1268 proto_registrar_dump_fields();
1269 else if (strcmp(argv[2], "ftypes") == 0)
1270 proto_registrar_dump_ftypes();
1271 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1272 dissector_dump_heur_decodes();
1273 else if (strcmp(argv[2], "plugins") == 0) {
1278 wslua_plugins_dump_all();
1281 else if (strcmp(argv[2], "protocols") == 0)
1282 proto_registrar_dump_protocols();
1283 else if (strcmp(argv[2], "values") == 0)
1284 proto_registrar_dump_values();
1285 else if (strcmp(argv[2], "?") == 0)
1286 glossary_option_help();
1287 else if (strcmp(argv[2], "-?") == 0)
1288 glossary_option_help();
1290 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1297 tshark_debug("tshark reading preferences");
1299 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1300 &pf_open_errno, &pf_read_errno, &pf_path);
1301 if (gpf_path != NULL) {
1302 if (gpf_open_errno != 0) {
1303 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1304 pf_path, g_strerror(gpf_open_errno));
1306 if (gpf_read_errno != 0) {
1307 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1308 pf_path, g_strerror(gpf_read_errno));
1311 if (pf_path != NULL) {
1312 if (pf_open_errno != 0) {
1313 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1314 g_strerror(pf_open_errno));
1316 if (pf_read_errno != 0) {
1317 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1318 pf_path, g_strerror(pf_read_errno));
1324 /* Read the disabled protocols file. */
1325 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1326 &dp_path, &dp_open_errno, &dp_read_errno);
1327 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1328 &dp_path, &dp_open_errno, &dp_read_errno);
1329 if (gdp_path != NULL) {
1330 if (gdp_open_errno != 0) {
1331 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1332 gdp_path, g_strerror(gdp_open_errno));
1334 if (gdp_read_errno != 0) {
1335 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1336 gdp_path, g_strerror(gdp_read_errno));
1340 if (dp_path != NULL) {
1341 if (dp_open_errno != 0) {
1343 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1344 g_strerror(dp_open_errno));
1346 if (dp_read_errno != 0) {
1348 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1349 g_strerror(dp_read_errno));
1354 cap_file_init(&cfile);
1356 /* Print format defaults to this. */
1357 print_format = PR_FMT_TEXT;
1359 output_fields = output_fields_new();
1362 * To reset the options parser, set optreset to 1 on platforms that
1363 * have optreset (documented in *BSD and OS X, apparently present but
1364 * not documented in Solaris - the Illumos repository seems to
1365 * suggest that the first Solaris getopt_long(), at least as of 2004,
1366 * was based on the NetBSD one, it had optreset) and set optind to 1,
1367 * and set optind to 0 otherwise (documented as working in the GNU
1368 * getopt_long(). Setting optind to 0 didn't originally work in the
1369 * NetBSD one, but that was added later - we don't want to depend on
1370 * it if we have optreset).
1372 * Also reset opterr to 1, so that error messages are printed by
1375 #ifdef HAVE_OPTRESET
1383 /* Now get our args */
1384 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1386 case '2': /* Perform two pass analysis */
1387 perform_two_pass_analysis = TRUE;
1389 case 'a': /* autostop criteria */
1390 case 'b': /* Ringbuffer option */
1391 case 'c': /* Capture x packets */
1392 case 'f': /* capture filter */
1393 case 'g': /* enable group read access on file(s) */
1394 case 'i': /* Use interface x */
1395 case 'p': /* Don't capture in promiscuous mode */
1396 #ifdef HAVE_PCAP_REMOTE
1397 case 'A': /* Authentication */
1399 #ifdef HAVE_PCAP_CREATE
1400 case 'I': /* Capture in monitor mode, if available */
1402 case 's': /* Set the snapshot (capture) length */
1403 case 'w': /* Write to capture file x */
1404 case 'y': /* Set the pcap data link type */
1405 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1406 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1407 case 'B': /* Buffer size */
1410 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1417 * Output file name, if we're reading a file and writing to another
1420 output_file_name = optarg;
1422 capture_option_specified = TRUE;
1428 /* already processed; just ignore it now */
1430 case 'd': /* Decode as rule */
1431 if (!add_decode_as(optarg))
1434 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1435 case 'K': /* Kerberos keytab file */
1436 read_keytab_file(optarg);
1439 case 'D': /* Print a list of capture devices and exit */
1441 if_list = capture_interface_list(&err, &err_str,NULL);
1442 if (if_list == NULL) {
1444 cmdarg_err("There are no interfaces on which a capture can be done");
1446 cmdarg_err("%s", err_str);
1451 capture_opts_print_interfaces(if_list);
1452 free_interface_list(if_list);
1455 capture_option_specified = TRUE;
1461 output_fields_add(output_fields, optarg);
1465 if (!output_fields_set_option(output_fields, optarg)) {
1466 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1467 output_fields_list_options(stderr);
1472 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1473 if (out_file_type < 0) {
1474 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1475 list_capture_types();
1479 case 'W': /* Select extra information to save in our capture file */
1480 /* This is patterned after the -N flag which may not be the best idea. */
1481 if (strchr(optarg, 'n')) {
1482 out_file_name_res = TRUE;
1484 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1485 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1489 case 'H': /* Read address to name mappings from a hosts file */
1490 if (! add_hosts_file(optarg))
1492 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1495 out_file_name_res = TRUE;
1498 case 'h': /* Print help and exit */
1499 printf("TShark (Wireshark) %s\n"
1500 "Dump and analyze network traffic.\n"
1501 "See https://www.wireshark.org for more information.\n",
1502 get_ws_vcs_version_info());
1503 print_usage(stdout);
1506 case 'l': /* "Line-buffer" standard output */
1507 /* This isn't line-buffering, strictly speaking, it's just
1508 flushing the standard output after the information for
1509 each packet is printed; however, that should be good
1510 enough for all the purposes to which "-l" is put (and
1511 is probably actually better for "-V", as it does fewer
1514 See the comment in "process_packet()" for an explanation of
1515 why we do that, and why we don't just use "setvbuf()" to
1516 make the standard output line-buffered (short version: in
1517 Windows, "line-buffered" is the same as "fully-buffered",
1518 and the output buffer is only flushed when it fills up). */
1519 line_buffered = TRUE;
1521 case 'L': /* Print list of link-layer types and exit */
1523 list_link_layer_types = TRUE;
1525 capture_option_specified = TRUE;
1529 case 'n': /* No name resolution */
1530 disable_name_resolution();
1532 case 'N': /* Select what types of addresses/port #s to resolve */
1533 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1534 if (badopt != '\0') {
1535 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1537 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1538 "\t'd' to enable address resolution from captured DNS packets\n"
1539 "\t'm' to enable MAC address resolution\n"
1540 "\t'n' to enable network address resolution\n"
1541 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1542 "\t for network address resolution\n"
1543 "\t't' to enable transport-layer port number resolution");
1547 case 'o': /* Override preference from command line */
1548 switch (prefs_set_pref(optarg)) {
1553 case PREFS_SET_SYNTAX_ERR:
1554 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1558 case PREFS_SET_NO_SUCH_PREF:
1559 case PREFS_SET_OBSOLETE:
1560 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1565 case 'q': /* Quiet */
1568 case 'Q': /* Really quiet */
1570 really_quiet = TRUE;
1572 case 'r': /* Read capture file x */
1573 cf_name = g_strdup(optarg);
1575 case 'R': /* Read file filter */
1579 /* already processed; just ignore it now */
1581 case 'S': /* Set the line Separator to be printed between packets */
1584 case 't': /* Time stamp type */
1585 if (strcmp(optarg, "r") == 0)
1586 timestamp_set_type(TS_RELATIVE);
1587 else if (strcmp(optarg, "a") == 0)
1588 timestamp_set_type(TS_ABSOLUTE);
1589 else if (strcmp(optarg, "ad") == 0)
1590 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1591 else if (strcmp(optarg, "adoy") == 0)
1592 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1593 else if (strcmp(optarg, "d") == 0)
1594 timestamp_set_type(TS_DELTA);
1595 else if (strcmp(optarg, "dd") == 0)
1596 timestamp_set_type(TS_DELTA_DIS);
1597 else if (strcmp(optarg, "e") == 0)
1598 timestamp_set_type(TS_EPOCH);
1599 else if (strcmp(optarg, "u") == 0)
1600 timestamp_set_type(TS_UTC);
1601 else if (strcmp(optarg, "ud") == 0)
1602 timestamp_set_type(TS_UTC_WITH_YMD);
1603 else if (strcmp(optarg, "udoy") == 0)
1604 timestamp_set_type(TS_UTC_WITH_YDOY);
1606 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1607 cmdarg_err_cont("\t\"a\" for absolute\n"
1608 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1609 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1610 "\t\"d\" for delta\n"
1611 "\t\"dd\" for delta displayed\n"
1612 "\t\"e\" for epoch\n"
1613 "\t\"r\" for relative\n"
1614 "\t\"u\" for absolute UTC\n"
1615 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1616 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1620 case 'T': /* printing Type */
1621 print_packet_info = TRUE;
1622 if (strcmp(optarg, "text") == 0) {
1623 output_action = WRITE_TEXT;
1624 print_format = PR_FMT_TEXT;
1625 } else if (strcmp(optarg, "ps") == 0) {
1626 output_action = WRITE_TEXT;
1627 print_format = PR_FMT_PS;
1628 } else if (strcmp(optarg, "pdml") == 0) {
1629 output_action = WRITE_XML;
1630 print_details = TRUE; /* Need details */
1631 print_summary = FALSE; /* Don't allow summary */
1632 } else if (strcmp(optarg, "psml") == 0) {
1633 output_action = WRITE_XML;
1634 print_details = FALSE; /* Don't allow details */
1635 print_summary = TRUE; /* Need summary */
1636 } else if (strcmp(optarg, "fields") == 0) {
1637 output_action = WRITE_FIELDS;
1638 print_details = TRUE; /* Need full tree info */
1639 print_summary = FALSE; /* Don't allow summary */
1641 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1642 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1643 "\t specified by the -E option.\n"
1644 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1645 "\t details of a decoded packet. This information is equivalent to\n"
1646 "\t the packet details printed with the -V flag.\n"
1647 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1648 "\t the packets, or a multi-line view of the details of each of\n"
1649 "\t the packets, depending on whether the -V flag was specified.\n"
1650 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1651 "\t summary information of a decoded packet. This information is\n"
1652 "\t equivalent to the information shown in the one-line summary\n"
1653 "\t printed by default.\n"
1654 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1655 "\t packets, or a multi-line view of the details of each of the\n"
1656 "\t packets, depending on whether the -V flag was specified.\n"
1657 "\t This is the default.");
1661 case 'u': /* Seconds type */
1662 if (strcmp(optarg, "s") == 0)
1663 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1664 else if (strcmp(optarg, "hms") == 0)
1665 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1667 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1668 cmdarg_err_cont("\t\"s\" for seconds\n"
1669 "\t\"hms\" for hours, minutes and seconds");
1673 case 'v': /* Show version and exit */
1674 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1675 epan_get_compiled_version_info);
1676 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1677 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1678 g_string_free(comp_info_str, TRUE);
1679 g_string_free(runtime_info_str, TRUE);
1680 /* We don't really have to cleanup here, but it's a convenient way to test
1681 * start-up and shut-down of the epan library without any UI-specific
1682 * cruft getting in the way. Makes the results of running
1683 * $ ./tools/valgrind-wireshark -n
1684 * much more useful. */
1687 case 'O': /* Only output these protocols */
1688 /* already processed; just ignore it now */
1690 case 'V': /* Verbose */
1691 /* already processed; just ignore it now */
1693 case 'x': /* Print packet data in hex (and ASCII) */
1694 /* already processed; just ignore it now */
1697 /* already processed; just ignore it now */
1703 /* We won't call the init function for the stat this soon
1704 as it would disallow MATE's fields (which are registered
1705 by the preferences set callback) from being used as
1706 part of a tap filter. Instead, we just add the argument
1707 to a list of stat arguments. */
1708 if (strcmp("help", optarg) == 0) {
1709 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1710 list_stat_cmd_args();
1713 if (!process_stat_cmd_arg(optarg)) {
1714 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1715 list_stat_cmd_args();
1719 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1720 disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg);
1722 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1723 enable_heur_slist = g_slist_append(enable_heur_slist, optarg);
1725 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1726 disable_heur_slist = g_slist_append(disable_heur_slist, optarg);
1730 case '?': /* Bad flag - print usage message */
1733 list_capture_types();
1736 print_usage(stderr);
1743 /* If we specified output fields, but not the output field type... */
1744 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1745 cmdarg_err("Output fields were specified with \"-e\", "
1746 "but \"-Tfields\" was not specified.");
1748 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1749 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1750 "specified with \"-e\".");
1755 /* If no capture filter or display filter has been specified, and there are
1756 still command-line arguments, treat them as the tokens of a capture
1757 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1758 flag was specified. */
1759 if (optind < argc) {
1760 if (cf_name != NULL) {
1761 if (dfilter != NULL) {
1762 cmdarg_err("Display filters were specified both with \"-d\" "
1763 "and with additional command-line arguments.");
1766 dfilter = get_args_as_string(argc, argv, optind);
1771 if (global_capture_opts.default_options.cfilter) {
1772 cmdarg_err("A default capture filter was specified both with \"-f\""
1773 " and with additional command-line arguments.");
1776 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1777 interface_options interface_opts;
1778 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1779 if (interface_opts.cfilter == NULL) {
1780 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1781 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1782 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1784 cmdarg_err("A capture filter was specified both with \"-f\""
1785 " and with additional command-line arguments.");
1789 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1791 capture_option_specified = TRUE;
1797 if (!global_capture_opts.saving_to_file) {
1798 /* We're not saving the capture to a file; if "-q" wasn't specified,
1799 we should print packet information */
1801 print_packet_info = TRUE;
1803 /* We're saving to a file; if we're writing to the standard output.
1804 and we'll also be writing dissected packets to the standard
1805 output, reject the request. At best, we could redirect that
1806 to the standard error; we *can't* write both to the standard
1807 output and have either of them be useful. */
1808 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1809 cmdarg_err("You can't write both raw packet data and dissected packets"
1810 " to the standard output.");
1815 /* We're not saving the capture to a file; if "-q" wasn't specified,
1816 we should print packet information */
1818 print_packet_info = TRUE;
1821 #ifndef HAVE_LIBPCAP
1822 if (capture_option_specified)
1823 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1826 print_usage(stderr);
1831 if (output_action != WRITE_TEXT) {
1832 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1837 if (output_only != NULL) {
1840 if (!print_details) {
1841 cmdarg_err("-O requires -V");
1845 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1846 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1847 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1851 if (rfilter != NULL && !perform_two_pass_analysis) {
1852 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1857 if (list_link_layer_types) {
1858 /* We're supposed to list the link-layer types for an interface;
1859 did the user also specify a capture file to be read? */
1861 /* Yes - that's bogus. */
1862 cmdarg_err("You can't specify -L and a capture file to be read.");
1865 /* No - did they specify a ring buffer option? */
1866 if (global_capture_opts.multi_files_on) {
1867 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1873 * "-r" was specified, so we're reading a capture file.
1874 * Capture options don't apply here.
1877 /* We don't support capture filters when reading from a capture file
1878 (the BPF compiler doesn't support all link-layer types that we
1879 support in capture files we read). */
1880 if (global_capture_opts.default_options.cfilter) {
1881 cmdarg_err("Only read filters, not capture filters, "
1882 "can be specified when reading a capture file.");
1885 if (global_capture_opts.multi_files_on) {
1886 cmdarg_err("Multiple capture files requested, but "
1887 "a capture isn't being done.");
1890 if (global_capture_opts.has_file_duration) {
1891 cmdarg_err("Switching capture files after a time interval was specified, but "
1892 "a capture isn't being done.");
1895 if (global_capture_opts.has_ring_num_files) {
1896 cmdarg_err("A ring buffer of capture files was specified, but "
1897 "a capture isn't being done.");
1900 if (global_capture_opts.has_autostop_files) {
1901 cmdarg_err("A maximum number of capture files was specified, but "
1902 "a capture isn't being done.");
1905 if (global_capture_opts.capture_comment) {
1906 cmdarg_err("A capture comment was specified, but "
1907 "a capture isn't being done.\nThere's no support for adding "
1908 "a capture comment to an existing capture file.");
1912 /* Note: TShark now allows the restriction of a _read_ file by packet count
1913 * and byte count as well as a write file. Other autostop options remain valid
1914 * only for a write file.
1916 if (global_capture_opts.has_autostop_duration) {
1917 cmdarg_err("A maximum capture time was specified, but "
1918 "a capture isn't being done.");
1923 * "-r" wasn't specified, so we're doing a live capture.
1925 if (perform_two_pass_analysis) {
1926 /* Two-pass analysis doesn't work with live capture since it requires us
1927 * to buffer packets until we've read all of them, but a live capture
1928 * has no useful/meaningful definition of "all" */
1929 cmdarg_err("Live captures do not support two-pass analysis.");
1933 if (global_capture_opts.saving_to_file) {
1934 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1936 /* When capturing, we only support writing pcap or pcap-ng format. */
1937 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1938 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1939 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1942 if (global_capture_opts.capture_comment &&
1943 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1944 cmdarg_err("A capture comment can only be written to a pcapng file.");
1947 if (global_capture_opts.multi_files_on) {
1948 /* Multiple-file mode doesn't work under certain conditions:
1949 a) it doesn't work if you're writing to the standard output;
1950 b) it doesn't work if you're writing to a pipe;
1952 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1953 cmdarg_err("Multiple capture files requested, but "
1954 "the capture is being written to the standard output.");
1957 if (global_capture_opts.output_to_pipe) {
1958 cmdarg_err("Multiple capture files requested, but "
1959 "the capture file is a pipe.");
1962 if (!global_capture_opts.has_autostop_filesize &&
1963 !global_capture_opts.has_file_duration) {
1964 cmdarg_err("Multiple capture files requested, but "
1965 "no maximum capture file size or duration was specified.");
1969 /* Currently, we don't support read or display filters when capturing
1970 and saving the packets. */
1971 if (rfilter != NULL) {
1972 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1975 if (dfilter != NULL) {
1976 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1979 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1981 /* They didn't specify a "-w" flag, so we won't be saving to a
1982 capture file. Check for options that only make sense if
1983 we're saving to a file. */
1984 if (global_capture_opts.has_autostop_filesize) {
1985 cmdarg_err("Maximum capture file size specified, but "
1986 "capture isn't being saved to a file.");
1989 if (global_capture_opts.multi_files_on) {
1990 cmdarg_err("Multiple capture files requested, but "
1991 "the capture isn't being saved to a file.");
1994 if (global_capture_opts.capture_comment) {
1995 cmdarg_err("A capture comment was specified, but "
1996 "the capture isn't being saved to a file.");
2005 /* Start windows sockets */
2006 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2009 /* Notify all registered modules that have had any of their preferences
2010 changed either from one of the preferences file or from the command
2011 line that their preferences have changed. */
2014 /* At this point MATE will have registered its field array so we can
2015 have a tap filter with one of MATE's late-registered fields as part
2016 of the filter. We can now process all the "-z" arguments. */
2017 start_requested_stats();
2019 /* At this point MATE will have registered its field array so we can
2020 check if the fields specified by the user are all good.
2024 GSList *invalid_fields = output_fields_valid(output_fields);
2025 if (invalid_fields != NULL) {
2027 cmdarg_err("Some fields aren't valid:");
2028 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2029 cmdarg_err_cont("\t%s", (gchar *)it->data);
2031 g_slist_free(invalid_fields);
2036 /* We currently don't support taps, or printing dissected packets,
2037 if we're writing to a pipe. */
2038 if (global_capture_opts.saving_to_file &&
2039 global_capture_opts.output_to_pipe) {
2040 if (tap_listeners_require_dissection()) {
2041 cmdarg_err("Taps aren't supported when saving to a pipe.");
2044 if (print_packet_info) {
2045 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2051 if (ex_opt_count("read_format") > 0) {
2052 const gchar* name = ex_opt_get_next("read_format");
2053 in_file_type = open_info_name_to_type(name);
2054 if (in_file_type == WTAP_TYPE_AUTO) {
2055 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2056 list_read_capture_types();
2061 /* disabled protocols as per configuration file */
2062 if (gdp_path == NULL && dp_path == NULL) {
2063 set_disabled_protos_list();
2064 set_disabled_heur_dissector_list();
2067 if(disable_protocol_slist) {
2068 GSList *proto_disable;
2069 for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
2071 proto_disable_proto_by_name((char*)proto_disable->data);
2075 if(enable_heur_slist) {
2076 GSList *heur_enable;
2077 for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
2079 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
2083 if(disable_heur_slist) {
2084 GSList *heur_disable;
2085 for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
2087 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
2091 /* Build the column format array */
2092 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2095 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2096 capture_opts_trim_ring_num_files(&global_capture_opts);
2099 if (rfilter != NULL) {
2100 tshark_debug("Compiling read filter: '%s'", rfilter);
2101 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2102 cmdarg_err("%s", err_msg);
2105 #ifdef HAVE_PCAP_OPEN_DEAD
2109 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2111 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2113 " Note: That read filter code looks like a valid capture filter;\n"
2114 " maybe you mixed them up?");
2123 cfile.rfcode = rfcode;
2125 if (dfilter != NULL) {
2126 tshark_debug("Compiling display filter: '%s'", dfilter);
2127 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2128 cmdarg_err("%s", err_msg);
2131 #ifdef HAVE_PCAP_OPEN_DEAD
2135 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2137 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2139 " Note: That display filter code looks like a valid capture filter;\n"
2140 " maybe you mixed them up?");
2149 cfile.dfcode = dfcode;
2151 if (print_packet_info) {
2152 /* If we're printing as text or PostScript, we have
2153 to create a print stream. */
2154 if (output_action == WRITE_TEXT) {
2155 switch (print_format) {
2158 print_stream = print_stream_text_stdio_new(stdout);
2162 print_stream = print_stream_ps_stdio_new(stdout);
2166 g_assert_not_reached();
2171 /* We have to dissect each packet if:
2173 we're printing information about each packet;
2175 we're using a read filter on the packets;
2177 we're using a display filter on the packets;
2179 we're using any taps that need dissection. */
2180 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2181 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2184 tshark_debug("tshark: Opening capture file: %s", cf_name);
2186 * We're reading a capture file.
2188 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2193 /* Process the packets in the file */
2194 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2197 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2198 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2199 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2201 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2204 CATCH(OutOfMemoryError) {
2208 "Sorry, but TShark has to terminate now.\n"
2210 "More information and workarounds can be found at\n"
2211 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2216 /* We still dump out the results of taps, etc., as we might have
2217 read some packets; however, we exit with an error status. */
2221 tshark_debug("tshark: no capture file specified");
2222 /* No capture file specified, so we're supposed to do a live capture
2223 or get a list of link-layer types for a live capture device;
2224 do we have support for live captures? */
2226 /* if no interface was specified, pick a default */
2227 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2228 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2229 if (exit_status != 0)
2232 /* if requested, list the link layer types and exit */
2233 if (list_link_layer_types) {
2236 /* Get the list of link-layer types for the capture devices. */
2237 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2238 interface_options interface_opts;
2239 if_capabilities_t *caps;
2240 char *auth_str = NULL;
2242 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2243 #ifdef HAVE_PCAP_REMOTE
2244 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2245 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2248 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2251 cmdarg_err("%s", err_str);
2255 if (caps->data_link_types == NULL) {
2256 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2259 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2260 free_if_capabilities(caps);
2266 * If the standard error isn't a terminal, don't print packet counts,
2267 * as they won't show up on the user's terminal and they'll get in
2268 * the way of error messages in the file (to which we assume the
2269 * standard error was redirected; if it's redirected to the null
2270 * device, there's no point in printing packet counts anyway).
2272 * Otherwise, if we're printing packet information and the standard
2273 * output is a terminal (which we assume means the standard output and
2274 * error are going to the same terminal), don't print packet counts,
2275 * as they'll get in the way of the packet information.
2277 * Otherwise, if the user specified -q, don't print packet counts.
2279 * Otherwise, print packet counts.
2281 * XXX - what if the user wants to do a live capture, doesn't want
2282 * to save it to a file, doesn't want information printed for each
2283 * packet, does want some "-z" statistic, and wants packet counts
2284 * so they know whether they're seeing any packets? -q will
2285 * suppress the information printed for each packet, but it'll
2286 * also suppress the packet counts.
2288 if (!isatty(fileno(stderr)))
2289 print_packet_counts = FALSE;
2290 else if (print_packet_info && isatty(fileno(stdout)))
2291 print_packet_counts = FALSE;
2293 print_packet_counts = FALSE;
2295 print_packet_counts = TRUE;
2297 if (print_packet_info) {
2298 if (!write_preamble(&cfile)) {
2299 show_print_file_io_error(errno);
2304 tshark_debug("tshark: performing live capture");
2306 * XXX - this returns FALSE if an error occurred, but it also
2307 * returns FALSE if the capture stops because a time limit
2308 * was reached (and possibly other limits), so we can't assume
2309 * it means an error.
2311 * The capture code is a bit twisty, so it doesn't appear to
2312 * be an easy fix. We just ignore the return value for now.
2313 * Instead, pass on the exit status from the capture child.
2316 exit_status = global_capture_session.fork_child_status;
2318 if (print_packet_info) {
2319 if (!write_finale()) {
2321 show_print_file_io_error(err);
2325 /* No - complain. */
2326 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2333 if (cfile.frames != NULL) {
2334 free_frame_data_sequence(cfile.frames);
2335 cfile.frames = NULL;
2338 draw_tap_listeners(TRUE);
2339 funnel_dump_all_text_windows();
2340 epan_free(cfile.epan);
2343 output_fields_free(output_fields);
2344 output_fields = NULL;
2349 /*#define USE_BROKEN_G_MAIN_LOOP*/
2351 #ifdef USE_BROKEN_G_MAIN_LOOP
2354 gboolean loop_running = FALSE;
2356 guint32 packet_count = 0;
2359 typedef struct pipe_input_tag {
2362 ws_process_id *child_process;
2363 pipe_input_cb_t input_cb;
2364 guint pipe_input_id;
2366 GMutex *callback_running;
2370 static pipe_input_t pipe_input;
2373 /* The timer has expired, see if there's stuff to read from the pipe,
2374 if so, do the callback */
2376 pipe_timer_cb(gpointer data)
2382 pipe_input_t *pipe_input_p = data;
2383 gint iterations = 0;
2385 g_mutex_lock (pipe_input_p->callback_running);
2387 /* try to read data from the pipe only 5 times, to avoid blocking */
2388 while(iterations < 5) {
2389 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2391 /* Oddly enough although Named pipes don't work on win9x,
2392 PeekNamedPipe does !!! */
2393 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2394 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2396 /* Get the child process exit status */
2397 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2400 /* If the Peek returned an error, or there are bytes to be read
2401 or the childwatcher thread has terminated then call the normal
2403 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2405 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2407 /* And call the real handler */
2408 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2409 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2410 /* pipe closed, return false so that the timer is stopped */
2411 g_mutex_unlock (pipe_input_p->callback_running);
2416 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2417 /* No data, stop now */
2424 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2426 g_mutex_unlock (pipe_input_p->callback_running);
2428 /* we didn't stopped the timer, so let it run */
2435 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2438 pipe_input.source = source;
2439 pipe_input.child_process = child_process;
2440 pipe_input.user_data = user_data;
2441 pipe_input.input_cb = input_cb;
2444 #if GLIB_CHECK_VERSION(2,31,0)
2445 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2446 g_mutex_init(pipe_input.callback_running);
2448 pipe_input.callback_running = g_mutex_new();
2450 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2451 do this but that doesn't cover all win32 platforms. GTK can do
2452 this but doesn't seem to work over processes. Attempt to do
2453 something similar here, start a timer and check for data on every
2455 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2456 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2460 static const nstime_t *
2461 tshark_get_frame_ts(void *data, guint32 frame_num)
2463 capture_file *cf = (capture_file *) data;
2465 if (ref && ref->num == frame_num)
2466 return &ref->abs_ts;
2468 if (prev_dis && prev_dis->num == frame_num)
2469 return &prev_dis->abs_ts;
2471 if (prev_cap && prev_cap->num == frame_num)
2472 return &prev_cap->abs_ts;
2475 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2477 return (fd) ? &fd->abs_ts : NULL;
2484 tshark_epan_new(capture_file *cf)
2486 epan_t *epan = epan_new();
2489 epan->get_frame_ts = tshark_get_frame_ts;
2490 epan->get_interface_name = cap_file_get_interface_name;
2491 epan->get_user_comment = NULL;
2503 #ifdef USE_TSHARK_SELECT
2507 struct sigaction action, oldaction;
2510 /* Create new dissection section. */
2511 epan_free(cfile.epan);
2512 cfile.epan = tshark_epan_new(&cfile);
2515 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2516 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2518 /* Catch SIGINT and SIGTERM and, if we get either of them,
2519 clean up and exit. If SIGHUP isn't being ignored, catch
2520 it too and, if we get it, clean up and exit.
2522 We restart any read that was in progress, so that it doesn't
2523 disrupt reading from the sync pipe. The signal handler tells
2524 the capture child to finish; it will report that it finished,
2525 or will exit abnormally, so we'll stop reading from the sync
2526 pipe, pick up the exit status, and quit. */
2527 memset(&action, 0, sizeof(action));
2528 action.sa_handler = capture_cleanup;
2529 action.sa_flags = SA_RESTART;
2530 sigemptyset(&action.sa_mask);
2531 sigaction(SIGTERM, &action, NULL);
2532 sigaction(SIGINT, &action, NULL);
2533 sigaction(SIGHUP, NULL, &oldaction);
2534 if (oldaction.sa_handler == SIG_DFL)
2535 sigaction(SIGHUP, &action, NULL);
2538 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2539 quiet mode, report the number of packets we've captured.
2541 Again, restart any read that was in progress, so that it doesn't
2542 disrupt reading from the sync pipe. */
2543 action.sa_handler = report_counts_siginfo;
2544 action.sa_flags = SA_RESTART;
2545 sigemptyset(&action.sa_mask);
2546 sigaction(SIGINFO, &action, NULL);
2547 #endif /* SIGINFO */
2550 global_capture_session.state = CAPTURE_PREPARING;
2552 /* Let the user know which interfaces were chosen. */
2553 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2554 interface_options interface_opts;
2556 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2557 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2558 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2559 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2561 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2562 if (really_quiet == FALSE)
2563 fprintf(stderr, "Capturing on %s\n", str->str);
2565 g_string_free(str, TRUE);
2567 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2572 /* the actual capture loop
2574 * XXX - glib doesn't seem to provide any event based loop handling.
2576 * XXX - for whatever reason,
2577 * calling g_main_loop_new() ends up in 100% cpu load.
2579 * But that doesn't matter: in UNIX we can use select() to find an input
2580 * source with something to do.
2582 * But that doesn't matter because we're in a CLI (that doesn't need to
2583 * update a GUI or something at the same time) so it's OK if we block
2584 * trying to read from the pipe.
2586 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2587 * wrong (but I leave it there in case I am...).
2590 #ifdef USE_TSHARK_SELECT
2592 FD_SET(pipe_input.source, &readfds);
2595 loop_running = TRUE;
2599 while (loop_running)
2601 #ifdef USE_TSHARK_SELECT
2602 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2606 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2608 } else if (ret == 1) {
2610 /* Call the real handler */
2611 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2612 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2615 #ifdef USE_TSHARK_SELECT
2620 CATCH(OutOfMemoryError) {
2624 "Sorry, but TShark has to terminate now.\n"
2626 "More information and workarounds can be found at\n"
2627 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2634 /* capture child detected an error */
2636 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2638 cmdarg_err("%s", error_msg);
2639 cmdarg_err_cont("%s", secondary_error_msg);
2643 /* capture child detected an capture filter related error */
2645 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2647 capture_options *capture_opts = cap_session->capture_opts;
2648 dfilter_t *rfcode = NULL;
2649 interface_options interface_opts;
2651 g_assert(i < capture_opts->ifaces->len);
2652 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2654 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2656 "Invalid capture filter \"%s\" for interface '%s'.\n"
2658 "That string looks like a valid display filter; however, it isn't a valid\n"
2659 "capture filter (%s).\n"
2661 "Note that display filters and capture filters don't have the same syntax,\n"
2662 "so you can't use most display filter expressions as capture filters.\n"
2664 "See the User's Guide for a description of the capture filter syntax.",
2665 interface_opts.cfilter, interface_opts.descr, error_message);
2666 dfilter_free(rfcode);
2669 "Invalid capture filter \"%s\" for interface '%s'.\n"
2671 "That string isn't a valid capture filter (%s).\n"
2672 "See the User's Guide for a description of the capture filter syntax.",
2673 interface_opts.cfilter, interface_opts.descr, error_message);
2678 /* capture child tells us we have a new (or the first) capture file */
2680 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2682 capture_options *capture_opts = cap_session->capture_opts;
2683 capture_file *cf = (capture_file *) cap_session->cf;
2684 gboolean is_tempfile;
2687 if (cap_session->state == CAPTURE_PREPARING) {
2688 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2690 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2692 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2694 /* free the old filename */
2695 if (capture_opts->save_file != NULL) {
2697 /* we start a new capture file, close the old one (if we had one before) */
2698 if (cf->state != FILE_CLOSED) {
2699 if (cf->wth != NULL) {
2700 wtap_close(cf->wth);
2703 cf->state = FILE_CLOSED;
2706 g_free(capture_opts->save_file);
2707 is_tempfile = FALSE;
2709 epan_free(cf->epan);
2710 cf->epan = tshark_epan_new(cf);
2712 /* we didn't had a save_file before, must be a tempfile */
2716 /* save the new filename */
2717 capture_opts->save_file = g_strdup(new_file);
2719 /* if we are in real-time mode, open the new file now */
2720 if (do_dissection) {
2721 /* this is probably unecessary, but better safe than sorry */
2722 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2723 /* Attempt to open the capture file and set up to read from it. */
2724 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2728 /* Don't unlink (delete) the save file - leave it around,
2729 for debugging purposes. */
2730 g_free(capture_opts->save_file);
2731 capture_opts->save_file = NULL;
2736 cap_session->state = CAPTURE_RUNNING;
2742 /* capture child tells us we have new packets to read */
2744 capture_input_new_packets(capture_session *cap_session, int to_read)
2750 capture_file *cf = (capture_file *)cap_session->cf;
2751 gboolean filtering_tap_listeners;
2756 * Prevent a SIGINFO handler from writing to the standard error while
2757 * we're doing so or writing to the standard output; instead, have it
2758 * just set a flag telling us to print that information when we're done.
2761 #endif /* SIGINFO */
2763 /* Do we have any tap listeners with filters? */
2764 filtering_tap_listeners = have_filtering_tap_listeners();
2766 /* Get the union of the flags for all tap listeners. */
2767 tap_flags = union_of_tap_listener_flags();
2769 if (do_dissection) {
2770 gboolean create_proto_tree;
2771 epan_dissect_t *edt;
2773 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2774 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2775 create_proto_tree = TRUE;
2777 create_proto_tree = FALSE;
2779 /* The protocol tree will be "visible", i.e., printed, only if we're
2780 printing packet details, which is true if we're printing stuff
2781 ("print_packet_info" is true) and we're in verbose mode
2782 ("packet_details" is true). */
2783 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2785 while (to_read-- && cf->wth) {
2786 wtap_cleareof(cf->wth);
2787 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2789 /* read from file failed, tell the capture child to stop */
2790 sync_pipe_stop(cap_session);
2791 wtap_close(cf->wth);
2794 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2795 wtap_buf_ptr(cf->wth),
2799 /* packet successfully read and gone through the "Read Filter" */
2804 epan_dissect_free(edt);
2808 * Dumpcap's doing all the work; we're not doing any dissection.
2809 * Count all the packets it wrote.
2811 packet_count += to_read;
2814 if (print_packet_counts) {
2815 /* We're printing packet counts. */
2816 if (packet_count != 0) {
2817 fprintf(stderr, "\r%u ", packet_count);
2818 /* stderr could be line buffered */
2825 * Allow SIGINFO handlers to write.
2830 * If a SIGINFO handler asked us to write out capture counts, do so.
2834 #endif /* SIGINFO */
2840 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2841 /* Report the count only if we aren't printing a packet count
2842 as packets arrive. */
2843 fprintf(stderr, "%u packet%s captured\n", packet_count,
2844 plurality(packet_count, "", "s"));
2847 infoprint = FALSE; /* we just reported it */
2848 #endif /* SIGINFO */
2853 report_counts_siginfo(int signum _U_)
2855 int sav_errno = errno;
2856 /* If we've been told to delay printing, just set a flag asking
2857 that we print counts (if we're supposed to), otherwise print
2858 the count of packets captured (if we're supposed to). */
2865 #endif /* SIGINFO */
2868 /* capture child detected any packet drops? */
2870 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2872 if (print_packet_counts) {
2873 /* We're printing packet counts to stderr.
2874 Send a newline so that we move to the line after the packet count. */
2875 fprintf(stderr, "\n");
2879 /* We're printing packet counts to stderr.
2880 Send a newline so that we move to the line after the packet count. */
2881 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2887 * Capture child closed its side of the pipe, report any error and
2888 * do the required cleanup.
2891 capture_input_closed(capture_session *cap_session, gchar *msg)
2893 capture_file *cf = (capture_file *) cap_session->cf;
2896 fprintf(stderr, "tshark: %s\n", msg);
2900 if (cf != NULL && cf->wth != NULL) {
2901 wtap_close(cf->wth);
2902 if (cf->is_tempfile) {
2903 ws_unlink(cf->filename);
2906 #ifdef USE_BROKEN_G_MAIN_LOOP
2907 /*g_main_loop_quit(loop);*/
2908 g_main_loop_quit(loop);
2910 loop_running = FALSE;
2919 capture_cleanup(DWORD ctrltype _U_)
2921 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2922 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2923 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2924 like SIGTERM at least when the machine's shutting down.
2926 For now, we handle them all as indications that we should clean up
2927 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2930 We must return TRUE so that no other handler - such as one that would
2931 terminate the process - gets called.
2933 XXX - for some reason, typing ^C to TShark, if you run this in
2934 a Cygwin console window in at least some versions of Cygwin,
2935 causes TShark to terminate immediately; this routine gets
2936 called, but the main loop doesn't get a chance to run and
2937 exit cleanly, at least if this is compiled with Microsoft Visual
2938 C++ (i.e., it's a property of the Cygwin console window or Bash;
2939 it happens if TShark is not built with Cygwin - for all I know,
2940 building it with Cygwin may make the problem go away). */
2942 /* tell the capture child to stop */
2943 sync_pipe_stop(&global_capture_session);
2945 /* don't stop our own loop already here, otherwise status messages and
2946 * cleanup wouldn't be done properly. The child will indicate the stop of
2947 * everything by calling capture_input_closed() later */
2953 capture_cleanup(int signum _U_)
2955 /* tell the capture child to stop */
2956 sync_pipe_stop(&global_capture_session);
2958 /* don't stop our own loop already here, otherwise status messages and
2959 * cleanup wouldn't be done properly. The child will indicate the stop of
2960 * everything by calling capture_input_closed() later */
2963 #endif /* HAVE_LIBPCAP */
2966 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2967 gint64 offset, struct wtap_pkthdr *whdr,
2974 /* The frame number of this packet is one more than the count of
2975 frames in this packet. */
2976 framenum = cf->count + 1;
2978 /* If we're not running a display filter and we're not printing any
2979 packet information, we don't need to do a dissection. This means
2980 that all packets can be marked as 'passed'. */
2983 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2985 /* If we're going to print packet information, or we're going to
2986 run a read filter, or display filter, or we're going to process taps, set up to
2987 do a dissection and do so. */
2989 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2990 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2991 /* Grab any resolved addresses */
2992 host_name_lookup_process();
2994 /* If we're running a read filter, prime the epan_dissect_t with that
2997 epan_dissect_prime_dfilter(edt, cf->rfcode);
3000 epan_dissect_prime_dfilter(edt, cf->dfcode);
3002 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3004 if (ref == &fdlocal) {
3005 ref_frame = fdlocal;
3009 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
3011 /* Run the read filter if we have one. */
3013 passed = dfilter_apply_edt(cf->rfcode, edt);
3017 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3018 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
3020 /* If we're not doing dissection then there won't be any dependent frames.
3021 * More importantly, edt.pi.dependent_frames won't be initialized because
3022 * epan hasn't been initialized.
3023 * if we *are* doing dissection, then mark the dependent frames, but only
3024 * if a display filter was given and it matches this packet.
3026 if (edt && cf->dfcode) {
3027 if (dfilter_apply_edt(cf->dfcode, edt)) {
3028 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
3034 /* if we don't add it to the frame_data_sequence, clean it up right now
3036 frame_data_destroy(&fdlocal);
3040 epan_dissect_reset(edt);
3046 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
3047 struct wtap_pkthdr *phdr, Buffer *buf,
3053 /* If we're not running a display filter and we're not printing any
3054 packet information, we don't need to do a dissection. This means
3055 that all packets can be marked as 'passed'. */
3058 /* If we're going to print packet information, or we're going to
3059 run a read filter, or we're going to process taps, set up to
3060 do a dissection and do so. */
3062 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3063 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3064 /* Grab any resolved addresses */
3065 host_name_lookup_process();
3067 /* If we're running a display filter, prime the epan_dissect_t with that
3070 epan_dissect_prime_dfilter(edt, cf->dfcode);
3072 col_custom_prime_edt(edt, &cf->cinfo);
3074 /* We only need the columns if either
3075 1) some tap needs the columns
3077 2) we're printing packet info but we're *not* verbose; in verbose
3078 mode, we print the protocol tree, not the protocol summary.
3080 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3085 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3092 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3094 /* Run the read/display filter if we have one. */
3096 passed = dfilter_apply_edt(cf->dfcode, edt);
3100 frame_data_set_after_dissect(fdata, &cum_bytes);
3101 /* Process this packet. */
3102 if (print_packet_info) {
3103 /* We're printing packet information; print the information for
3105 print_packet(cf, edt);
3107 /* The ANSI C standard does not appear to *require* that a line-buffered
3108 stream be flushed to the host environment whenever a newline is
3109 written, it just says that, on such a stream, characters "are
3110 intended to be transmitted to or from the host environment as a
3111 block when a new-line character is encountered".
3113 The Visual C++ 6.0 C implementation doesn't do what is intended;
3114 even if you set a stream to be line-buffered, it still doesn't
3115 flush the buffer at the end of every line.
3117 So, if the "-l" flag was specified, we flush the standard output
3118 at the end of a packet. This will do the right thing if we're
3119 printing packet summary lines, and, as we print the entire protocol
3120 tree for a single packet without waiting for anything to happen,
3121 it should be as good as line-buffered mode if we're printing
3122 protocol trees. (The whole reason for the "-l" flag in either
3123 tcpdump or TShark is to allow the output of a live capture to
3124 be piped to a program or script and to have that script see the
3125 information for the packet as soon as it's printed, rather than
3126 having to wait until a standard I/O buffer fills up. */
3130 if (ferror(stdout)) {
3131 show_print_file_io_error(errno);
3140 epan_dissect_reset(edt);
3142 return passed || fdata->flags.dependent_of_displayed;
3146 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3147 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3150 int snapshot_length;
3154 gchar *err_info = NULL;
3156 char *save_file_string = NULL;
3157 gboolean filtering_tap_listeners;
3159 wtapng_section_t *shb_hdr = NULL;
3160 wtapng_iface_descriptions_t *idb_inf = NULL;
3161 wtapng_name_res_t *nrb_hdr = NULL;
3162 struct wtap_pkthdr phdr;
3164 epan_dissect_t *edt = NULL;
3166 wtap_phdr_init(&phdr);
3168 idb_inf = wtap_file_get_idb_info(cf->wth);
3169 #ifdef PCAP_NG_DEFAULT
3170 if (idb_inf->interface_data->len > 1) {
3171 linktype = WTAP_ENCAP_PER_PACKET;
3173 linktype = wtap_file_encap(cf->wth);
3176 linktype = wtap_file_encap(cf->wth);
3178 if (save_file != NULL) {
3179 /* Get a string that describes what we're writing to */
3180 save_file_string = output_file_description(save_file);
3182 /* Set up to write to the capture file. */
3183 snapshot_length = wtap_snapshot_length(cf->wth);
3184 if (snapshot_length == 0) {
3185 /* Snapshot length of input file not known. */
3186 snapshot_length = WTAP_MAX_PACKET_SIZE;
3188 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3190 shb_hdr = wtap_file_get_shb_for_new_file(cf->wth);
3191 nrb_hdr = wtap_file_get_nrb_for_new_file(cf->wth);
3193 /* If we don't have an application name add Tshark */
3194 if (shb_hdr->shb_user_appl == NULL) {
3195 /* this is free'd by wtap_free_shb() later */
3196 shb_hdr->shb_user_appl = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3199 if (linktype != WTAP_ENCAP_PER_PACKET &&
3200 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3201 tshark_debug("tshark: writing PCAP format to %s", save_file);
3202 if (strcmp(save_file, "-") == 0) {
3203 /* Write to the standard output. */
3204 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3205 snapshot_length, FALSE /* compressed */, &err);
3207 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3208 snapshot_length, FALSE /* compressed */, &err);
3212 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3213 if (strcmp(save_file, "-") == 0) {
3214 /* Write to the standard output. */
3215 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3216 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3218 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3219 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3227 /* We couldn't set up to write to the capture file. */
3230 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3231 cmdarg_err("Capture files can't be written in that format.");
3234 case WTAP_ERR_UNWRITABLE_ENCAP:
3235 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3236 cmdarg_err("The capture file being read can't be written as a "
3237 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3240 case WTAP_ERR_CANT_OPEN:
3241 cmdarg_err("The %s couldn't be created for some "
3242 "unknown reason.", save_file_string);
3245 case WTAP_ERR_SHORT_WRITE:
3246 cmdarg_err("A full header couldn't be written to the %s.",
3251 cmdarg_err("The %s could not be created: %s.", save_file_string,
3252 wtap_strerror(err));
3258 if (print_packet_info) {
3259 if (!write_preamble(cf)) {
3261 show_print_file_io_error(err);
3270 /* Do we have any tap listeners with filters? */
3271 filtering_tap_listeners = have_filtering_tap_listeners();
3273 /* Get the union of the flags for all tap listeners. */
3274 tap_flags = union_of_tap_listener_flags();
3276 if (perform_two_pass_analysis) {
3279 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3281 /* Allocate a frame_data_sequence for all the frames. */
3282 cf->frames = new_frame_data_sequence();
3284 if (do_dissection) {
3285 gboolean create_proto_tree = FALSE;
3287 /* If we're going to be applying a filter, we'll need to
3288 create a protocol tree against which to apply the filter. */
3289 if (cf->rfcode || cf->dfcode)
3290 create_proto_tree = TRUE;
3292 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3294 /* We're not going to display the protocol tree on this pass,
3295 so it's not going to be "visible". */
3296 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3299 tshark_debug("tshark: reading records for first pass");
3300 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3301 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3302 wtap_buf_ptr(cf->wth))) {
3303 /* Stop reading if we have the maximum number of packets;
3304 * When the -c option has not been used, max_packet_count
3305 * starts at 0, which practically means, never stop reading.
3306 * (unless we roll over max_packet_count ?)
3308 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3309 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3310 max_packet_count, data_offset, max_byte_count);
3311 err = 0; /* This is not an error */
3318 epan_dissect_free(edt);
3322 /* Close the sequential I/O side, to free up memory it requires. */
3323 wtap_sequential_close(cf->wth);
3325 /* Allow the protocol dissectors to free up memory that they
3326 * don't need after the sequential run-through of the packets. */
3327 postseq_cleanup_all_protocols();
3331 ws_buffer_init(&buf, 1500);
3333 tshark_debug("tshark: done with first pass");
3335 if (do_dissection) {
3336 gboolean create_proto_tree;
3338 if (cf->dfcode || print_details || filtering_tap_listeners ||
3339 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3340 create_proto_tree = TRUE;
3342 create_proto_tree = FALSE;
3344 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3346 /* The protocol tree will be "visible", i.e., printed, only if we're
3347 printing packet details, which is true if we're printing stuff
3348 ("print_packet_info" is true) and we're in verbose mode
3349 ("packet_details" is true). */
3350 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3353 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3354 fdata = frame_data_sequence_find(cf->frames, framenum);
3355 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3357 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3358 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3360 /* Either there's no read filtering or this packet passed the
3361 filter, so, if we're writing to a capture file, write
3364 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3365 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3366 /* Error writing to a capture file */
3367 tshark_debug("tshark: error writing to a capture file (%d)", err);
3370 case WTAP_ERR_UNWRITABLE_ENCAP:
3372 * This is a problem with the particular frame we're writing
3373 * and the file type and subtype we're writing; note that,
3374 * and report the frame number and file type/subtype.
3376 * XXX - framenum is not necessarily the frame number in
3377 * the input file if there was a read filter.
3380 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3381 framenum, cf->filename,
3382 wtap_file_type_subtype_short_string(out_file_type));
3385 case WTAP_ERR_PACKET_TOO_LARGE:
3387 * This is a problem with the particular frame we're writing
3388 * and the file type and subtype we're writing; note that,
3389 * and report the frame number and file type/subtype.
3391 * XXX - framenum is not necessarily the frame number in
3392 * the input file if there was a read filter.
3395 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3396 framenum, cf->filename,
3397 wtap_file_type_subtype_short_string(out_file_type));
3400 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3402 * This is a problem with the particular record we're writing
3403 * and the file type and subtype we're writing; note that,
3404 * and report the record number and file type/subtype.
3406 * XXX - framenum is not necessarily the record number in
3407 * the input file if there was a read filter.
3410 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3411 framenum, cf->filename,
3412 wtap_file_type_subtype_short_string(out_file_type));
3415 case WTAP_ERR_UNWRITABLE_REC_DATA:
3417 * This is a problem with the particular record we're writing
3418 * and the file type and subtype we're writing; note that,
3419 * and report the record number and file type/subtype.
3421 * XXX - framenum is not necessarily the record number in
3422 * the input file if there was a read filter.
3425 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3426 framenum, cf->filename,
3427 wtap_file_type_subtype_short_string(out_file_type),
3428 err_info != NULL ? err_info : "no information supplied");
3433 show_capture_file_io_error(save_file, err, FALSE);
3436 wtap_dump_close(pdh, &err);
3437 wtap_free_shb(shb_hdr);
3438 wtap_free_nrb(nrb_hdr);
3447 epan_dissect_free(edt);
3451 ws_buffer_free(&buf);
3453 tshark_debug("tshark: done with second pass");
3456 /* !perform_two_pass_analysis */
3459 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3461 if (do_dissection) {
3462 gboolean create_proto_tree;
3464 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3465 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3466 create_proto_tree = TRUE;
3468 create_proto_tree = FALSE;
3470 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3472 /* The protocol tree will be "visible", i.e., printed, only if we're
3473 printing packet details, which is true if we're printing stuff
3474 ("print_packet_info" is true) and we're in verbose mode
3475 ("packet_details" is true). */
3476 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3479 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3482 tshark_debug("tshark: processing packet #%d", framenum);
3484 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3485 wtap_buf_ptr(cf->wth),
3487 /* Either there's no read filtering or this packet passed the
3488 filter, so, if we're writing to a capture file, write
3491 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3492 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3493 /* Error writing to a capture file */
3494 tshark_debug("tshark: error writing to a capture file (%d)", err);
3497 case WTAP_ERR_UNWRITABLE_ENCAP:
3499 * This is a problem with the particular frame we're writing
3500 * and the file type and subtype we're writing; note that,
3501 * and report the frame number and file type/subtype.
3504 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3505 framenum, cf->filename,
3506 wtap_file_type_subtype_short_string(out_file_type));
3509 case WTAP_ERR_PACKET_TOO_LARGE:
3511 * This is a problem with the particular frame we're writing
3512 * and the file type and subtype we're writing; note that,
3513 * and report the frame number and file type/subtype.
3516 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3517 framenum, cf->filename,
3518 wtap_file_type_subtype_short_string(out_file_type));
3521 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3523 * This is a problem with the particular record we're writing
3524 * and the file type and subtype we're writing; note that,
3525 * and report the record number and file type/subtype.
3528 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3529 framenum, cf->filename,
3530 wtap_file_type_subtype_short_string(out_file_type));
3533 case WTAP_ERR_UNWRITABLE_REC_DATA:
3535 * This is a problem with the particular record we're writing
3536 * and the file type and subtype we're writing; note that,
3537 * and report the record number and file type/subtype.
3540 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3541 framenum, cf->filename,
3542 wtap_file_type_subtype_short_string(out_file_type),
3543 err_info != NULL ? err_info : "no information supplied");
3548 show_capture_file_io_error(save_file, err, FALSE);
3551 wtap_dump_close(pdh, &err);
3552 wtap_free_shb(shb_hdr);
3553 wtap_free_nrb(nrb_hdr);
3558 /* Stop reading if we have the maximum number of packets;
3559 * When the -c option has not been used, max_packet_count
3560 * starts at 0, which practically means, never stop reading.
3561 * (unless we roll over max_packet_count ?)
3563 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3564 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3565 max_packet_count, data_offset, max_byte_count);
3566 err = 0; /* This is not an error */
3572 epan_dissect_free(edt);
3577 wtap_phdr_cleanup(&phdr);
3580 tshark_debug("tshark: something failed along the line (%d)", err);
3582 * Print a message noting that the read failed somewhere along the line.
3584 * If we're printing packet data, and the standard output and error are
3585 * going to the same place, flush the standard output, so everything
3586 * buffered up is written, and then print a newline to the standard error
3587 * before printing the error message, to separate it from the packet
3588 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3589 * the _fstat() documentation at Microsoft doesn't indicate whether
3590 * st_ino is even supported.)
3593 if (print_packet_info) {
3594 ws_statb64 stat_stdout, stat_stderr;
3596 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3597 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3598 stat_stdout.st_ino == stat_stderr.st_ino) {
3600 fprintf(stderr, "\n");
3607 case WTAP_ERR_UNSUPPORTED:
3608 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3610 err_info != NULL ? err_info : "no information supplied");
3614 case WTAP_ERR_SHORT_READ:
3615 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3619 case WTAP_ERR_BAD_FILE:
3620 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3622 err_info != NULL ? err_info : "no information supplied");
3626 case WTAP_ERR_DECOMPRESS:
3627 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3628 "(%s)", cf->filename,
3629 err_info != NULL ? err_info : "no information supplied");
3634 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3635 cf->filename, wtap_strerror(err));
3638 if (save_file != NULL) {
3639 /* Now close the capture file. */
3640 if (!wtap_dump_close(pdh, &err))
3641 show_capture_file_io_error(save_file, err, TRUE);
3644 if (save_file != NULL) {
3645 if (pdh && out_file_name_res) {
3646 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3647 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3648 wtap_file_type_subtype_short_string(out_file_type));
3651 /* Now close the capture file. */
3652 if (!wtap_dump_close(pdh, &err))
3653 show_capture_file_io_error(save_file, err, TRUE);
3655 if (print_packet_info) {
3656 if (!write_finale()) {
3658 show_print_file_io_error(err);
3665 wtap_close(cf->wth);
3668 g_free(save_file_string);
3669 wtap_free_shb(shb_hdr);
3670 wtap_free_nrb(nrb_hdr);
3676 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3677 const guchar *pd, guint tap_flags)
3683 /* Count this packet. */
3686 /* If we're not running a display filter and we're not printing any
3687 packet information, we don't need to do a dissection. This means
3688 that all packets can be marked as 'passed'. */
3691 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3693 /* If we're going to print packet information, or we're going to
3694 run a read filter, or we're going to process taps, set up to
3695 do a dissection and do so. */
3697 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3698 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3699 /* Grab any resolved addresses */
3700 host_name_lookup_process();
3702 /* If we're running a filter, prime the epan_dissect_t with that
3705 epan_dissect_prime_dfilter(edt, cf->dfcode);
3707 col_custom_prime_edt(edt, &cf->cinfo);
3709 /* We only need the columns if either
3710 1) some tap needs the columns
3712 2) we're printing packet info but we're *not* verbose; in verbose
3713 mode, we print the protocol tree, not the protocol summary.
3715 3) there is a column mapped as an individual field */
3716 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3721 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3723 if (ref == &fdata) {
3728 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3730 /* Run the filter if we have it. */
3732 passed = dfilter_apply_edt(cf->dfcode, edt);
3736 frame_data_set_after_dissect(&fdata, &cum_bytes);
3738 /* Process this packet. */
3739 if (print_packet_info) {
3740 /* We're printing packet information; print the information for
3742 print_packet(cf, edt);
3744 /* The ANSI C standard does not appear to *require* that a line-buffered
3745 stream be flushed to the host environment whenever a newline is
3746 written, it just says that, on such a stream, characters "are
3747 intended to be transmitted to or from the host environment as a
3748 block when a new-line character is encountered".
3750 The Visual C++ 6.0 C implementation doesn't do what is intended;
3751 even if you set a stream to be line-buffered, it still doesn't
3752 flush the buffer at the end of every line.
3754 So, if the "-l" flag was specified, we flush the standard output
3755 at the end of a packet. This will do the right thing if we're
3756 printing packet summary lines, and, as we print the entire protocol
3757 tree for a single packet without waiting for anything to happen,
3758 it should be as good as line-buffered mode if we're printing
3759 protocol trees. (The whole reason for the "-l" flag in either
3760 tcpdump or TShark is to allow the output of a live capture to
3761 be piped to a program or script and to have that script see the
3762 information for the packet as soon as it's printed, rather than
3763 having to wait until a standard I/O buffer fills up. */
3767 if (ferror(stdout)) {
3768 show_print_file_io_error(errno);
3773 /* this must be set after print_packet() [bug #8160] */
3774 prev_dis_frame = fdata;
3775 prev_dis = &prev_dis_frame;
3778 prev_cap_frame = fdata;
3779 prev_cap = &prev_cap_frame;
3782 epan_dissect_reset(edt);
3783 frame_data_destroy(&fdata);
3789 write_preamble(capture_file *cf)
3791 switch (output_action) {
3794 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3798 write_pdml_preamble(stdout, cf->filename);
3800 write_psml_preamble(&cf->cinfo, stdout);
3801 return !ferror(stdout);
3804 write_fields_preamble(output_fields, stdout);
3805 return !ferror(stdout);
3808 g_assert_not_reached();
3814 get_line_buf(size_t len)
3816 static char *line_bufp = NULL;
3817 static size_t line_buf_len = 256;
3818 size_t new_line_buf_len;
3820 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3821 new_line_buf_len *= 2)
3823 if (line_bufp == NULL) {
3824 line_buf_len = new_line_buf_len;
3825 line_bufp = (char *)g_malloc(line_buf_len + 1);
3827 if (new_line_buf_len > line_buf_len) {
3828 line_buf_len = new_line_buf_len;
3829 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3836 put_string(char *dest, const char *str, size_t str_len)
3838 memcpy(dest, str, str_len);
3839 dest[str_len] = '\0';
3843 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3847 for (i = str_len; i < str_with_spaces; i++)
3850 put_string(dest, str, str_len);
3854 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3858 memcpy(dest, str, str_len);
3859 for (i = str_len; i < str_with_spaces; i++)
3862 dest[str_with_spaces] = '\0';
3866 print_columns(capture_file *cf)
3873 col_item_t* col_item;
3875 line_bufp = get_line_buf(256);
3878 for (i = 0; i < cf->cinfo.num_cols; i++) {
3879 col_item = &cf->cinfo.columns[i];
3880 /* Skip columns not marked as visible. */
3881 if (!get_column_visible(i))
3883 switch (col_item->col_fmt) {
3885 column_len = col_len = strlen(col_item->col_data);
3888 line_bufp = get_line_buf(buf_offset + column_len);
3889 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3895 case COL_ABS_YMD_TIME: /* XXX - wider */
3896 case COL_ABS_YDOY_TIME: /* XXX - wider */
3898 case COL_UTC_YMD_TIME: /* XXX - wider */
3899 case COL_UTC_YDOY_TIME: /* XXX - wider */
3900 column_len = col_len = strlen(col_item->col_data);
3901 if (column_len < 10)
3903 line_bufp = get_line_buf(buf_offset + column_len);
3904 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3910 case COL_DEF_DL_SRC:
3911 case COL_RES_DL_SRC:
3912 case COL_UNRES_DL_SRC:
3913 case COL_DEF_NET_SRC:
3914 case COL_RES_NET_SRC:
3915 case COL_UNRES_NET_SRC:
3916 column_len = col_len = strlen(col_item->col_data);
3917 if (column_len < 12)
3919 line_bufp = get_line_buf(buf_offset + column_len);
3920 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3926 case COL_DEF_DL_DST:
3927 case COL_RES_DL_DST:
3928 case COL_UNRES_DL_DST:
3929 case COL_DEF_NET_DST:
3930 case COL_RES_NET_DST:
3931 case COL_UNRES_NET_DST:
3932 column_len = col_len = strlen(col_item->col_data);
3933 if (column_len < 12)
3935 line_bufp = get_line_buf(buf_offset + column_len);
3936 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3940 column_len = strlen(col_item->col_data);
3941 line_bufp = get_line_buf(buf_offset + column_len);
3942 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3945 buf_offset += column_len;
3946 if (i != cf->cinfo.num_cols - 1) {
3948 * This isn't the last column, so we need to print a
3949 * separator between this column and the next.
3951 * If we printed a network source and are printing a
3952 * network destination of the same type next, separate
3953 * them with " -> "; if we printed a network destination
3954 * and are printing a network source of the same type
3955 * next, separate them with " <- "; otherwise separate them
3958 * We add enough space to the buffer for " <- " or " -> ",
3959 * even if we're only adding " ".
3961 line_bufp = get_line_buf(buf_offset + 4);
3962 switch (col_item->col_fmt) {
3967 switch (cf->cinfo.columns[i+1].col_fmt) {
3972 put_string(line_bufp + buf_offset, " -> ", 4);
3977 put_string(line_bufp + buf_offset, " ", 1);
3983 case COL_DEF_DL_SRC:
3984 case COL_RES_DL_SRC:
3985 case COL_UNRES_DL_SRC:
3986 switch (cf->cinfo.columns[i+1].col_fmt) {
3988 case COL_DEF_DL_DST:
3989 case COL_RES_DL_DST:
3990 case COL_UNRES_DL_DST:
3991 put_string(line_bufp + buf_offset, " -> ", 4);
3996 put_string(line_bufp + buf_offset, " ", 1);
4002 case COL_DEF_NET_SRC:
4003 case COL_RES_NET_SRC:
4004 case COL_UNRES_NET_SRC:
4005 switch (cf->cinfo.columns[i+1].col_fmt) {
4007 case COL_DEF_NET_DST:
4008 case COL_RES_NET_DST:
4009 case COL_UNRES_NET_DST:
4010 put_string(line_bufp + buf_offset, " -> ", 4);
4015 put_string(line_bufp + buf_offset, " ", 1);
4024 switch (cf->cinfo.columns[i+1].col_fmt) {
4029 put_string(line_bufp + buf_offset, " <- ", 4);
4034 put_string(line_bufp + buf_offset, " ", 1);
4040 case COL_DEF_DL_DST:
4041 case COL_RES_DL_DST:
4042 case COL_UNRES_DL_DST:
4043 switch (cf->cinfo.columns[i+1].col_fmt) {
4045 case COL_DEF_DL_SRC:
4046 case COL_RES_DL_SRC:
4047 case COL_UNRES_DL_SRC:
4048 put_string(line_bufp + buf_offset, " <- ", 4);
4053 put_string(line_bufp + buf_offset, " ", 1);
4059 case COL_DEF_NET_DST:
4060 case COL_RES_NET_DST:
4061 case COL_UNRES_NET_DST:
4062 switch (cf->cinfo.columns[i+1].col_fmt) {
4064 case COL_DEF_NET_SRC:
4065 case COL_RES_NET_SRC:
4066 case COL_UNRES_NET_SRC:
4067 put_string(line_bufp + buf_offset, " <- ", 4);
4072 put_string(line_bufp + buf_offset, " ", 1);
4079 put_string(line_bufp + buf_offset, " ", 1);
4085 return print_line(print_stream, 0, line_bufp);
4089 print_packet(capture_file *cf, epan_dissect_t *edt)
4091 print_args_t print_args;
4093 if (print_summary || output_fields_has_cols(output_fields)) {
4094 /* Just fill in the columns. */
4095 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4097 if (print_summary) {
4098 /* Now print them. */
4099 switch (output_action) {
4102 if (!print_columns(cf))
4107 write_psml_columns(edt, stdout);
4108 return !ferror(stdout);
4109 case WRITE_FIELDS: /*No non-verbose "fields" format */
4110 g_assert_not_reached();
4115 if (print_details) {
4116 /* Print the information in the protocol tree. */
4117 switch (output_action) {
4120 /* Only initialize the fields that are actually used in proto_tree_print.
4121 * This is particularly important for .range, as that's heap memory which
4122 * we would otherwise have to g_free().
4123 print_args.to_file = TRUE;
4124 print_args.format = print_format;
4125 print_args.print_summary = print_summary;
4126 print_args.print_formfeed = FALSE;
4127 packet_range_init(&print_args.range, &cfile);
4129 print_args.print_hex = print_hex;
4130 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4132 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4135 if (!print_line(print_stream, 0, separator))
4141 write_pdml_proto_tree(edt, stdout);
4143 return !ferror(stdout);
4145 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4147 return !ferror(stdout);
4151 if (print_summary || print_details) {
4152 if (!print_line(print_stream, 0, ""))
4155 if (!print_hex_data(print_stream, edt))
4157 if (!print_line(print_stream, 0, separator))
4166 switch (output_action) {
4169 return print_finale(print_stream);
4173 write_pdml_finale(stdout);
4175 write_psml_finale(stdout);
4176 return !ferror(stdout);
4179 write_fields_finale(output_fields, stdout);
4180 return !ferror(stdout);
4183 g_assert_not_reached();
4189 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4193 char err_msg[2048+1];
4195 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4199 /* The open succeeded. Fill in the information for this file. */
4201 /* Create new epan session for dissection. */
4202 epan_free(cf->epan);
4203 cf->epan = tshark_epan_new(cf);
4206 cf->f_datalen = 0; /* not used, but set it anyway */
4208 /* Set the file name because we need it to set the follow stream filter.
4209 XXX - is that still true? We need it for other reasons, though,
4211 cf->filename = g_strdup(fname);
4213 /* Indicate whether it's a permanent or temporary file. */
4214 cf->is_tempfile = is_tempfile;
4216 /* No user changes yet. */
4217 cf->unsaved_changes = FALSE;
4219 cf->cd_t = wtap_file_type_subtype(cf->wth);
4220 cf->open_type = type;
4222 cf->drops_known = FALSE;
4224 cf->snap = wtap_snapshot_length(cf->wth);
4225 if (cf->snap == 0) {
4226 /* Snapshot length not known. */
4227 cf->has_snap = FALSE;
4228 cf->snap = WTAP_MAX_PACKET_SIZE;
4230 cf->has_snap = TRUE;
4231 nstime_set_zero(&cf->elapsed_time);
4236 cf->state = FILE_READ_IN_PROGRESS;
4238 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4239 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4244 g_snprintf(err_msg, sizeof err_msg,
4245 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4246 cmdarg_err("%s", err_msg);
4251 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4253 char *save_file_string;
4255 save_file_string = output_file_description(fname);
4260 cmdarg_err("Not all the packets could be written to the %s because there is "
4261 "no space left on the file system.",
4267 cmdarg_err("Not all the packets could be written to the %s because you are "
4268 "too close to, or over your disk quota.",
4273 case WTAP_ERR_CANT_CLOSE:
4274 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4278 case WTAP_ERR_SHORT_WRITE:
4279 cmdarg_err("Not all the packets could be written to the %s.",
4285 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4286 wtap_strerror(err));
4288 cmdarg_err("An error occurred while writing to the %s: %s.",
4289 save_file_string, wtap_strerror(err));
4293 g_free(save_file_string);
4297 show_print_file_io_error(int err)
4302 cmdarg_err("Not all the packets could be printed because there is "
4303 "no space left on the file system.");
4308 cmdarg_err("Not all the packets could be printed because you are "
4309 "too close to, or over your disk quota.");
4314 cmdarg_err("An error occurred while printing packets: %s.",
4321 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4325 static char errmsg_errno[1024+1];
4328 /* Wiretap error. */
4331 case WTAP_ERR_NOT_REGULAR_FILE:
4332 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4335 case WTAP_ERR_RANDOM_OPEN_PIPE:
4336 /* Seen only when opening a capture file for reading. */
4337 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4340 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4341 /* Seen only when opening a capture file for reading. */
4342 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4345 case WTAP_ERR_UNSUPPORTED:
4346 /* Seen only when opening a capture file for reading. */
4347 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4348 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4350 err_info != NULL ? err_info : "no information supplied");
4352 errmsg = errmsg_errno;
4355 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4356 /* Seen only when opening a capture file for writing. */
4357 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4358 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4359 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4360 errmsg = errmsg_errno;
4363 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4364 /* Seen only when opening a capture file for writing. */
4365 errmsg = "TShark doesn't support writing capture files in that format.";
4368 case WTAP_ERR_UNWRITABLE_ENCAP:
4369 /* Seen only when opening a capture file for writing. */
4370 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4371 "TShark can't save this capture as a \"%s\" file.",
4372 wtap_file_type_subtype_short_string(file_type));
4373 errmsg = errmsg_errno;
4376 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4378 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4379 "TShark can't save this capture as a \"%s\" file.",
4380 wtap_file_type_subtype_short_string(file_type));
4381 errmsg = errmsg_errno;
4383 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4386 case WTAP_ERR_BAD_FILE:
4387 /* Seen only when opening a capture file for reading. */
4388 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4389 "The file \"%%s\" appears to be damaged or corrupt.\n"
4391 err_info != NULL ? err_info : "no information supplied");
4393 errmsg = errmsg_errno;
4396 case WTAP_ERR_CANT_OPEN:
4398 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4400 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4403 case WTAP_ERR_SHORT_READ:
4404 errmsg = "The file \"%s\" appears to have been cut short"
4405 " in the middle of a packet or other data.";
4408 case WTAP_ERR_SHORT_WRITE:
4409 errmsg = "A full header couldn't be written to the file \"%s\".";
4412 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4413 errmsg = "This file type cannot be written as a compressed file.";
4416 case WTAP_ERR_DECOMPRESS:
4417 /* Seen only when opening a capture file for reading. */
4418 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4419 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4421 err_info != NULL ? err_info : "no information supplied");
4423 errmsg = errmsg_errno;
4427 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4428 "The file \"%%s\" could not be %s: %s.",
4429 for_writing ? "created" : "opened",
4430 wtap_strerror(err));
4431 errmsg = errmsg_errno;
4435 errmsg = file_open_error_message(err, for_writing);
4440 * Open/create errors are reported with an console message in TShark.
4443 open_failure_message(const char *filename, int err, gboolean for_writing)
4445 fprintf(stderr, "tshark: ");
4446 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4447 fprintf(stderr, "\n");
4451 * General errors are reported with an console message in TShark.
4454 failure_message(const char *msg_format, va_list ap)
4456 fprintf(stderr, "tshark: ");
4457 vfprintf(stderr, msg_format, ap);
4458 fprintf(stderr, "\n");
4462 * Read errors are reported with an console message in TShark.
4465 read_failure_message(const char *filename, int err)
4467 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4468 filename, g_strerror(err));
4472 * Write errors are reported with an console message in TShark.
4475 write_failure_message(const char *filename, int err)
4477 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4478 filename, g_strerror(err));
4482 * Report additional information for an error in command-line arguments.
4485 failure_message_cont(const char *msg_format, va_list ap)
4487 vfprintf(stderr, msg_format, ap);
4488 fprintf(stderr, "\n");
4492 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4497 * indent-tabs-mode: nil
4500 * vi: set shiftwidth=2 tabstop=8 expandtab:
4501 * :indentSize=2:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob