3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
50 #ifdef HAVE_SYS_STAT_H
51 # include <sys/stat.h>
55 #include <zlib.h> /* to get the libz version number */
59 #include "wsutil/wsgetopt.h"
64 #include <epan/exceptions.h>
65 #include <epan/epan-int.h>
66 #include <epan/epan.h>
68 #include <wsutil/clopts_common.h>
69 #include <wsutil/cmdarg_err.h>
70 #include <wsutil/crash_info.h>
71 #include <wsutil/privileges.h>
72 #include <wsutil/file_util.h>
73 #include <wsutil/filesystem.h>
74 #include <wsutil/report_err.h>
75 #include <wsutil/copyright_info.h>
76 #include <wsutil/os_version_info.h>
77 #include <wsutil/ws_version_info.h>
80 #include <epan/timestamp.h>
81 #include <epan/packet.h>
83 #include <epan/wslua/init_wslua.h>
86 #include "frame_tvbuff.h"
87 #include <epan/disabled_protos.h>
88 #include <epan/prefs.h>
89 #include <epan/column.h>
90 #include <epan/print.h>
91 #include <epan/addr_resolv.h>
93 #include "ui/capture_ui_utils.h"
96 #include "ui/ui_util.h"
97 #include "version_info.h"
99 #include <epan/epan_dissect.h>
100 #include <epan/tap.h>
101 #include <epan/stat_cmd_args.h>
102 #include <epan/timestamp.h>
103 #include <epan/ex-opt.h>
105 #include "capture_opts.h"
108 #include <capchild/capture_ifinfo.h>
109 #include "capture-pcap-util.h"
111 #include "capture-wpcap.h"
112 #include <wsutil/unicode-utils.h>
114 #include <capchild/capture_session.h>
115 #include <capchild/capture_sync.h>
116 #include "capture_opts.h"
117 #endif /* HAVE_LIBPCAP */
119 #include <epan/funnel.h>
122 #include <wsutil/plugins.h>
126 * This is the template for the decode as option; it is shared between the
127 * various functions that output the usage for this parameter.
129 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
131 static guint32 cum_bytes;
132 static const frame_data *ref;
133 static frame_data ref_frame;
134 static frame_data *prev_dis;
135 static frame_data prev_dis_frame;
136 static frame_data *prev_cap;
137 static frame_data prev_cap_frame;
139 static const char* prev_display_dissector_name = NULL;
141 static gboolean perform_two_pass_analysis;
144 * The way the packet decode is to be written.
147 WRITE_TEXT, /* summary or detail text */
148 WRITE_XML, /* PDML or PSML */
149 WRITE_FIELDS /* User defined list of fields */
150 /* Add CSV and the like here */
153 static output_action_e output_action;
154 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
155 static gboolean print_packet_info; /* TRUE if we're to print packet information */
156 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
157 static gboolean print_details; /* TRUE if we're to print packet details information */
158 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
159 static gboolean line_buffered;
160 static gboolean really_quiet = FALSE;
162 static print_format_e print_format = PR_FMT_TEXT;
163 static print_stream_t *print_stream;
165 static output_fields_t* output_fields = NULL;
167 /* The line separator used between packets, changeable via the -S option */
168 static const char *separator = "";
172 * TRUE if we're to print packet counts to keep track of captured packets.
174 static gboolean print_packet_counts;
176 static capture_options global_capture_opts;
177 static capture_session global_capture_session;
180 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
181 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
184 static gboolean capture(void);
185 static void report_counts(void);
187 static BOOL WINAPI capture_cleanup(DWORD);
189 static void capture_cleanup(int);
191 static void report_counts_siginfo(int);
195 #else /* HAVE_LIBPCAP */
197 static char *output_file_name;
199 #endif /* HAVE_LIBPCAP */
201 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
202 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
203 struct wtap_pkthdr *whdr, const guchar *pd,
205 static void show_capture_file_io_error(const char *, int, gboolean);
206 static void show_print_file_io_error(int err);
207 static gboolean write_preamble(capture_file *cf);
208 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
209 static gboolean write_finale(void);
210 static const char *cf_open_error_message(int err, gchar *err_info,
211 gboolean for_writing, int file_type);
213 static void open_failure_message(const char *filename, int err,
214 gboolean for_writing);
215 static void failure_message(const char *msg_format, va_list ap);
216 static void read_failure_message(const char *filename, int err);
217 static void write_failure_message(const char *filename, int err);
218 static void failure_message_cont(const char *msg_format, va_list ap);
223 const char *sstr; /* The short string */
224 const char *lstr; /* The long string */
228 string_compare(gconstpointer a, gconstpointer b)
230 return strcmp(((const struct string_elem *)a)->sstr,
231 ((const struct string_elem *)b)->sstr);
235 string_elem_print(gpointer data, gpointer not_used _U_)
237 fprintf(stderr, " %s - %s\n",
238 ((struct string_elem *)data)->sstr,
239 ((struct string_elem *)data)->lstr);
243 list_capture_types(void) {
245 struct string_elem *captypes;
248 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
250 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
251 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
252 if (wtap_dump_can_open(i)) {
253 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
254 captypes[i].lstr = wtap_file_type_subtype_string(i);
255 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
258 g_slist_foreach(list, string_elem_print, NULL);
264 list_read_capture_types(void) {
266 struct string_elem *captypes;
268 const char *magic = "Magic-value-based";
269 const char *heuristic = "Heuristics-based";
271 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
272 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
274 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
275 for (i = 0; open_routines[i].name != NULL; i++) {
276 captypes[i].sstr = open_routines[i].name;
277 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
278 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
280 g_slist_foreach(list, string_elem_print, NULL);
286 print_usage(FILE *output)
288 fprintf(output, "\n");
289 fprintf(output, "Usage: tshark [options] ...\n");
290 fprintf(output, "\n");
293 fprintf(output, "Capture interface:\n");
294 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
295 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
296 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
297 fprintf(output, " -p don't capture in promiscuous mode\n");
298 #ifdef HAVE_PCAP_CREATE
299 fprintf(output, " -I capture in monitor mode, if available\n");
301 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
302 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
304 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
305 fprintf(output, " -D print list of interfaces and exit\n");
306 fprintf(output, " -L print list of link-layer types of iface and exit\n");
307 fprintf(output, "\n");
308 fprintf(output, "Capture stop conditions:\n");
309 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
310 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
311 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
312 fprintf(output, " files:NUM - stop after NUM files\n");
313 /*fprintf(output, "\n");*/
314 fprintf(output, "Capture output:\n");
315 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
316 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
317 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
318 #endif /* HAVE_LIBPCAP */
319 #ifdef HAVE_PCAP_REMOTE
320 fprintf(output, "RPCAP options:\n");
321 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
323 /*fprintf(output, "\n");*/
324 fprintf(output, "Input file:\n");
325 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
327 fprintf(output, "\n");
328 fprintf(output, "Processing:\n");
329 fprintf(output, " -2 perform a two-pass analysis\n");
330 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
331 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
332 fprintf(output, " syntax\n");
333 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
334 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
335 fprintf(output, " -d %s ...\n", decode_as_arg_template);
336 fprintf(output, " \"Decode As\", see the man page for details\n");
337 fprintf(output, " Example: tcp.port==8888,http\n");
338 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
339 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
341 /*fprintf(output, "\n");*/
342 fprintf(output, "Output:\n");
343 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
344 fprintf(output, " (or to the standard output for \"-\")\n");
345 fprintf(output, " -C <config profile> start with specified configuration profile\n");
346 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
347 fprintf(output, " an empty \"-F\" option will list the file types\n");
348 fprintf(output, " -V add output of packet tree (Packet Details)\n");
349 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
350 fprintf(output, " separated\n");
351 fprintf(output, " -P print packet summary even when writing to a file\n");
352 fprintf(output, " -S <separator> the line separator to print between packets\n");
353 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
354 fprintf(output, " -T pdml|ps|psml|text|fields\n");
355 fprintf(output, " format of text output (def: text)\n");
356 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
357 fprintf(output, " _ws.col.Info)\n");
358 fprintf(output, " this option can be repeated to print multiple fields\n");
359 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
360 fprintf(output, " header=y|n switch headers on and off\n");
361 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
362 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
363 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
364 fprintf(output, " aggregator\n");
365 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
366 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
367 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
368 fprintf(output, " -l flush standard output after each packet\n");
369 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
370 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
371 fprintf(output, " -g enable group read access on the output file(s)\n");
372 fprintf(output, " -W n Save extra information in the file, if supported.\n");
373 fprintf(output, " n = write network address resolution information\n");
374 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
375 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
376 fprintf(output, " --capture-comment <comment>\n");
377 fprintf(output, " add a capture comment to the newly created\n");
378 fprintf(output, " output file (only for pcapng)\n");
380 fprintf(output, "\n");
381 fprintf(output, "Miscellaneous:\n");
382 fprintf(output, " -h display this help and exit\n");
383 fprintf(output, " -v display version info and exit\n");
384 fprintf(output, " -o <name>:<value> ... override preference setting\n");
385 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
386 fprintf(output, " -G [report] dump one of several available reports and exit\n");
387 fprintf(output, " default report=\"fields\"\n");
388 fprintf(output, " use \"-G ?\" for more help\n");
390 fprintf(output, "\n");
391 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
392 fprintf(output, "You might want to reset it\n");
393 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
394 fprintf(output, "\n");
400 glossary_option_help(void)
406 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
408 fprintf(output, "\n");
409 fprintf(output, "Usage: tshark -G [report]\n");
410 fprintf(output, "\n");
411 fprintf(output, "Glossary table reports:\n");
412 fprintf(output, " -G column-formats dump column format codes and exit\n");
413 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
414 fprintf(output, " -G fields dump fields glossary and exit\n");
415 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
416 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
417 fprintf(output, " -G plugins dump installed plugins and exit\n");
418 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
419 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
420 fprintf(output, "\n");
421 fprintf(output, "Preference reports:\n");
422 fprintf(output, " -G currentprefs dump current preferences and exit\n");
423 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
424 fprintf(output, "\n");
428 * For a dissector table, print on the stream described by output,
429 * its short name (which is what's used in the "-d" option) and its
433 display_dissector_table_names(const char *table_name, const char *ui_name,
436 if ((prev_display_dissector_name == NULL) ||
437 (strcmp(prev_display_dissector_name, table_name) != 0)) {
438 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
439 prev_display_dissector_name = table_name;
444 * For a dissector handle, print on the stream described by output,
445 * the filter name (which is what's used in the "-d" option) and the full
446 * name for the protocol that corresponds to this handle.
449 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
452 const gchar *proto_filter_name;
453 const gchar *proto_ui_name;
455 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
457 if (proto_id != -1) {
458 proto_filter_name = proto_get_protocol_filter_name(proto_id);
459 proto_ui_name = proto_get_protocol_name(proto_id);
460 g_assert(proto_filter_name != NULL);
461 g_assert(proto_ui_name != NULL);
463 if ((prev_display_dissector_name == NULL) ||
464 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
465 fprintf((FILE *)output, "\t%s (%s)\n",
468 prev_display_dissector_name = proto_filter_name;
474 * The protocol_name_search structure is used by find_protocol_name_func()
475 * to pass parameters and store results
477 struct protocol_name_search{
478 gchar *searched_name; /* Protocol filter name we are looking for */
479 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
480 guint nb_match; /* How many dissectors matched searched_name */
482 typedef struct protocol_name_search *protocol_name_search_t;
485 * This function parses all dissectors associated with a table to find the
486 * one whose protocol has the specified filter name. It is called
487 * as a reference function in a call to dissector_table_foreach_handle.
488 * The name we are looking for, as well as the results, are stored in the
489 * protocol_name_search struct pointed to by user_data.
490 * If called using dissector_table_foreach_handle, we actually parse the
491 * whole list of dissectors.
494 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
498 const gchar *protocol_filter_name;
499 protocol_name_search_t search_info;
503 search_info = (protocol_name_search_t)user_data;
505 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
506 if (proto_id != -1) {
507 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
508 g_assert(protocol_filter_name != NULL);
509 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
511 if (search_info->nb_match == 0) {
512 /* Record this handle only if this is the first match */
513 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
515 search_info->nb_match++;
521 * Allow dissector key names to be sorted alphabetically
525 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
527 return strcmp((const char*)dissector_a, (const char*)dissector_b);
531 * Print all layer type names supported.
532 * We send the output to the stream described by the handle output.
536 fprint_all_layer_types(FILE *output)
539 prev_display_dissector_name = NULL;
540 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
544 * Print all protocol names supported for a specific layer type.
545 * table_name contains the layer type name in which the search is performed.
546 * We send the output to the stream described by the handle output.
550 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
553 prev_display_dissector_name = NULL;
554 dissector_table_foreach_handle(table_name,
555 display_dissector_names,
560 * The function below parses the command-line parameters for the decode as
561 * feature (a string pointer by cl_param).
562 * It checks the format of the command-line, searches for a matching table
563 * and dissector. If a table/dissector match is not found, we display a
564 * summary of the available tables/dissectors (on stderr) and return FALSE.
565 * If everything is fine, we get the "Decode as" preference activated,
566 * then we return TRUE.
569 add_decode_as(const gchar *cl_param)
572 guint32 selector, selector2;
573 gchar *decoded_param;
574 gchar *remaining_param;
576 gchar *dissector_str;
577 dissector_handle_t dissector_matching;
578 dissector_table_t table_matching;
579 ftenum_t dissector_table_selector_type;
580 struct protocol_name_search user_protocol_name;
584 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
587 decoded_param = g_strdup(cl_param);
588 g_assert(decoded_param);
591 /* The lines below will parse this string (modifying it) to extract all
592 necessary information. Note that decoded_param is still needed since
593 strings are not copied - we just save pointers. */
595 /* This section extracts a layer type (table_name) from decoded_param */
596 table_name = decoded_param; /* Layer type string starts from beginning */
598 remaining_param = strchr(table_name, '=');
599 if (remaining_param == NULL) {
600 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
601 /* If the argument does not follow the template, carry on anyway to check
602 if the table name is at least correct. If remaining_param is NULL,
603 we'll exit anyway further down */
606 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
609 /* Remove leading and trailing spaces from the table name */
610 while ( table_name[0] == ' ' )
612 while ( table_name[strlen(table_name) - 1] == ' ' )
613 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
615 /* The following part searches a table matching with the layer type specified */
616 table_matching = NULL;
618 /* Look for the requested table */
619 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
620 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
623 table_matching = find_dissector_table(table_name);
624 if (!table_matching) {
625 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
629 if (!table_matching) {
630 /* Display a list of supported layer types to help the user, if the
631 specified layer type was not found */
632 cmdarg_err("Valid layer types are:");
633 fprint_all_layer_types(stderr);
635 if (remaining_param == NULL || !table_matching) {
636 /* Exit if the layer type was not found, or if no '=' separator was found
638 g_free(decoded_param);
642 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
643 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
646 remaining_param++; /* Move to the second '=' */
647 *remaining_param = '\0'; /* Remove the second '=' */
649 remaining_param++; /* Position after the layer type string */
651 /* This section extracts a selector value (selector_str) from decoded_param */
653 selector_str = remaining_param; /* Next part starts with the selector number */
655 remaining_param = strchr(selector_str, ',');
656 if (remaining_param == NULL) {
657 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
658 /* If the argument does not follow the template, carry on anyway to check
659 if the selector value is at least correct. If remaining_param is NULL,
660 we'll exit anyway further down */
663 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
666 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
668 switch (dissector_table_selector_type) {
674 /* The selector for this table is an unsigned number. Parse it as such.
675 There's no need to remove leading and trailing spaces from the
676 selector number string, because sscanf will do that for us. */
677 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
682 if (op != ':' && op != '-') {
683 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
684 g_free(decoded_param);
688 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
689 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
690 g_free(decoded_param);
694 else if (selector2 < selector) {
695 /* We could swap them for the user, but maybe it's better to call
696 * this out as an error in case it's not what was intended? */
697 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
698 g_free(decoded_param);
703 cmdarg_err("Invalid selector number \"%s\"", selector_str);
704 g_free(decoded_param);
713 /* The selector for this table is a string. */
717 /* There are currently no dissector tables with any types other
718 than the ones listed above. */
719 g_assert_not_reached();
722 if (remaining_param == NULL) {
723 /* Exit if no ',' separator was found (see above) */
724 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
725 fprint_all_protocols_for_layer_types(stderr, table_name);
726 g_free(decoded_param);
730 remaining_param++; /* Position after the selector number string */
732 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
734 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
736 /* Remove leading and trailing spaces from the dissector name */
737 while ( dissector_str[0] == ' ' )
739 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
740 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
742 dissector_matching = NULL;
744 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
745 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
746 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
749 user_protocol_name.nb_match = 0;
750 user_protocol_name.searched_name = dissector_str;
751 user_protocol_name.matched_handle = NULL;
753 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
755 if (user_protocol_name.nb_match != 0) {
756 dissector_matching = user_protocol_name.matched_handle;
757 if (user_protocol_name.nb_match > 1) {
758 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
762 /* OK, check whether the problem is that there isn't any such
763 protocol, or that there is but it's not specified as a protocol
764 that's valid for that dissector table.
765 Note, we don't exit here, but dissector_matching will remain NULL,
767 if (proto_get_id_by_filter_name(dissector_str) == -1) {
768 /* No such protocol */
769 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
771 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
772 dissector_str, table_name);
777 if (!dissector_matching) {
778 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
779 fprint_all_protocols_for_layer_types(stderr, table_name);
780 g_free(decoded_param);
784 /* This is the end of the code that parses the command-line options.
785 All information is now stored in the variables:
789 The above variables that are strings are still pointing to areas within
790 decoded_parm. decoded_parm thus still needs to be kept allocated in
791 until we stop needing these variables
792 decoded_param will be deallocated at each exit point of this function */
795 /* We now have a pointer to the handle for the requested dissector
796 (requested protocol) inside the variable dissector_matching */
797 switch (dissector_table_selector_type) {
803 /* The selector for this table is an unsigned number. */
805 dissector_change_uint(table_name, selector, dissector_matching);
806 } else if (op == ':') {
807 for (i = selector; i < (guint64)selector + selector2; i++) {
808 dissector_change_uint(table_name, (guint32)i, dissector_matching);
810 } else { /* op == '-' */
811 for (i = selector; i <= selector2; i++) {
812 dissector_change_uint(table_name, (guint32)i, dissector_matching);
821 /* The selector for this table is a string. */
822 dissector_change_string(table_name, selector_str, dissector_matching);
826 /* There are currently no dissector tables with any types other
827 than the ones listed above. */
828 g_assert_not_reached();
830 g_free(decoded_param); /* "Decode As" rule has been successfully added */
835 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
836 const gchar *message, gpointer user_data)
838 /* ignore log message, if log_level isn't interesting based
839 upon the console log preferences.
840 If the preferences haven't been loaded loaded yet, display the
843 The default console_log_level preference value is such that only
844 ERROR, CRITICAL and WARNING level messages are processed;
845 MESSAGE, INFO and DEBUG level messages are ignored.
847 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
848 ERROR and CRITICAL level messages so the current code is a behavioral
849 change. The current behavior is the same as in Wireshark.
851 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
852 prefs.console_log_level != 0) {
856 g_log_default_handler(log_domain, log_level, message, user_data);
861 output_file_description(const char *fname)
863 char *save_file_string;
865 /* Get a string that describes what we're writing to */
866 if (strcmp(fname, "-") == 0) {
867 /* We're writing to the standard output */
868 save_file_string = g_strdup("standard output");
870 /* We're writing to a file with the name in save_file */
871 save_file_string = g_strdup_printf("file \"%s\"", fname);
873 return save_file_string;
877 print_current_user(void) {
878 gchar *cur_user, *cur_group;
880 if (started_with_special_privs()) {
881 cur_user = get_cur_username();
882 cur_group = get_cur_groupname();
883 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
884 cur_user, cur_group);
887 if (running_with_special_privs()) {
888 fprintf(stderr, " This could be dangerous.");
890 fprintf(stderr, "\n");
895 show_version(GString *comp_info_str, GString *runtime_info_str)
897 printf("TShark (Wireshark) %s\n"
904 get_ws_vcs_version_info(), get_copyright_info(), comp_info_str->str,
905 runtime_info_str->str);
909 get_tshark_runtime_info(GString *str)
913 g_string_append(str, ", ");
914 get_runtime_pcap_version(str);
918 #if defined(HAVE_LIBZ) && !defined(_WIN32)
919 g_string_append_printf(str, ", with libz %s", zlibVersion());
922 /* stuff used by libwireshark */
923 epan_get_runtime_version_info(str);
927 main(int argc, char *argv[])
929 GString *comp_info_str;
930 GString *runtime_info_str;
931 char *init_progfile_dir_error;
933 static const struct option long_options[] = {
934 {(char *)"help", no_argument, NULL, 'h'},
935 {(char *)"version", no_argument, NULL, 'v'},
936 LONGOPT_CAPTURE_COMMON
939 gboolean arg_error = FALSE;
945 char *gpf_path, *pf_path;
946 char *gdp_path, *dp_path;
947 int gpf_open_errno, gpf_read_errno;
948 int pf_open_errno, pf_read_errno;
949 int gdp_open_errno, gdp_read_errno;
950 int dp_open_errno, dp_read_errno;
952 volatile int exit_status = 0;
954 gboolean list_link_layer_types = FALSE;
955 gboolean start_capture = FALSE;
960 gboolean capture_option_specified = FALSE;
962 gboolean quiet = FALSE;
963 #ifdef PCAP_NG_DEFAULT
964 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
966 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
968 volatile gboolean out_file_name_res = FALSE;
969 volatile int in_file_type = WTAP_TYPE_AUTO;
970 gchar *volatile cf_name = NULL;
971 gchar *rfilter = NULL;
972 gchar *dfilter = NULL;
973 #ifdef HAVE_PCAP_OPEN_DEAD
974 struct bpf_program fcode;
976 dfilter_t *rfcode = NULL;
977 dfilter_t *dfcode = NULL;
982 gchar *output_only = NULL;
984 /* the leading - ensures that getopt() does not permute the argv[] entries
985 we have to make sure that the first getopt() preserves the content of argv[]
986 for the subsequent getopt_long() call */
987 #define OPTSTRING "-2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
989 static const char optstring[] = OPTSTRING;
991 cmdarg_err_init(failure_message, failure_message_cont);
994 arg_list_utf_16to8(argc, argv);
995 create_app_running_mutex();
996 #if !GLIB_CHECK_VERSION(2,31,0)
1002 * Get credential information for later use, and drop privileges
1003 * before doing anything else.
1004 * Let the user know if anything happened.
1006 init_process_policies();
1007 relinquish_special_privs_perm();
1008 print_current_user();
1011 * Attempt to get the pathname of the executable file.
1013 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1014 if (init_progfile_dir_error != NULL) {
1015 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1016 init_progfile_dir_error);
1019 initialize_funnel_ops();
1022 /* Load wpcap if possible. Do this before collecting the run-time version information */
1025 /* Warn the user if npf.sys isn't loaded. */
1026 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1027 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1028 "capturing or\nlisting interfaces.\n");
1032 /* Assemble the compile-time version information string */
1033 comp_info_str = g_string_new("Compiled ");
1034 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1036 /* Assemble the run-time version information string */
1037 runtime_info_str = g_string_new("Running ");
1038 get_runtime_version_info(runtime_info_str, get_tshark_runtime_info);
1040 /* Add it to the information to be reported on a crash. */
1041 ws_add_crash_info("TShark (Wireshark) %s\n"
1046 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1049 * In order to have the -X opts assigned before the wslua machine starts
1050 * we need to call getopts before epan_init() gets called.
1053 optind_initial = optind;
1055 while ((opt = getopt(argc, argv, optstring)) != -1) {
1057 case 'C': /* Configuration Profile */
1058 if (profile_exists (optarg, FALSE)) {
1059 set_profile_name (optarg);
1061 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1065 case 'P': /* Print packet summary info even when writing to a file */
1066 print_packet_info = TRUE;
1067 print_summary = TRUE;
1069 case 'O': /* Only output these protocols */
1070 output_only = g_strdup(optarg);
1072 case 'V': /* Verbose */
1073 print_details = TRUE;
1074 print_packet_info = TRUE;
1076 case 'x': /* Print packet data in hex (and ASCII) */
1078 /* The user asked for hex output, so let's ensure they get it,
1079 * even if they're writing to a file.
1081 print_packet_info = TRUE;
1092 * Print packet summary information is the default, unless either -V or -x
1093 * were specified and -P was not. Note that this is new behavior, which
1094 * allows for the possibility of printing only hex/ascii output without
1095 * necessarily requiring that either the summary or details be printed too.
1097 if (print_summary == -1)
1098 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1100 optind = optind_initial;
1105 /** Send All g_log messages to our own handler **/
1109 G_LOG_LEVEL_CRITICAL|
1110 G_LOG_LEVEL_WARNING|
1111 G_LOG_LEVEL_MESSAGE|
1114 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1116 g_log_set_handler(NULL,
1117 (GLogLevelFlags)log_flags,
1118 tshark_log_handler, NULL /* user_data */);
1119 g_log_set_handler(LOG_DOMAIN_MAIN,
1120 (GLogLevelFlags)log_flags,
1121 tshark_log_handler, NULL /* user_data */);
1124 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1125 (GLogLevelFlags)log_flags,
1126 tshark_log_handler, NULL /* user_data */);
1127 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1128 (GLogLevelFlags)log_flags,
1129 tshark_log_handler, NULL /* user_data */);
1132 init_report_err(failure_message, open_failure_message, read_failure_message,
1133 write_failure_message);
1136 capture_opts_init(&global_capture_opts);
1137 capture_session_init(&global_capture_session, (void *)&cfile);
1140 timestamp_set_type(TS_RELATIVE);
1141 timestamp_set_precision(TS_PREC_AUTO);
1142 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1144 init_open_routines();
1147 /* Register all the plugin types we have. */
1148 epan_register_plugin_types(); /* Types known to libwireshark */
1149 wtap_register_plugin_types(); /* Types known to libwiretap */
1151 /* Scan for plugins. This does *not* call their registration routines;
1152 that's done later. */
1155 /* Register all libwiretap plugin modules. */
1156 register_all_wiretap_modules();
1159 /* Register all dissectors; we must do this before checking for the
1160 "-G" flag, as the "-G" flag dumps information registered by the
1161 dissectors, and we must do it before we read the preferences, in
1162 case any dissectors register preferences. */
1163 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1165 /* Register all tap listeners; we do this before we parse the arguments,
1166 as the "-z" argument can specify a registered tap. */
1168 /* we register the plugin taps before the other taps because
1169 stats_tree taps plugins will be registered as tap listeners
1170 by stats_tree_stat.c and need to registered before that */
1172 register_all_plugin_tap_listeners();
1174 register_all_tap_listeners();
1176 /* If invoked with the "-G" flag, we dump out information based on
1177 the argument to the "-G" flag; if no argument is specified,
1178 for backwards compatibility we dump out a glossary of display
1181 XXX - we do this here, for now, to support "-G" with no arguments.
1182 If none of our build or other processes uses "-G" with no arguments,
1183 we can just process it with the other arguments. */
1184 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1185 proto_initialize_all_prefixes();
1188 proto_registrar_dump_fields();
1190 if (strcmp(argv[2], "column-formats") == 0)
1191 column_dump_column_formats();
1192 else if (strcmp(argv[2], "currentprefs") == 0) {
1193 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1194 &pf_open_errno, &pf_read_errno, &pf_path);
1197 else if (strcmp(argv[2], "decodes") == 0)
1198 dissector_dump_decodes();
1199 else if (strcmp(argv[2], "defaultprefs") == 0)
1201 else if (strcmp(argv[2], "fields") == 0)
1202 proto_registrar_dump_fields();
1203 else if (strcmp(argv[2], "ftypes") == 0)
1204 proto_registrar_dump_ftypes();
1205 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1206 dissector_dump_heur_decodes();
1207 else if (strcmp(argv[2], "plugins") == 0) {
1212 wslua_plugins_dump_all();
1215 else if (strcmp(argv[2], "protocols") == 0)
1216 proto_registrar_dump_protocols();
1217 else if (strcmp(argv[2], "values") == 0)
1218 proto_registrar_dump_values();
1219 else if (strcmp(argv[2], "?") == 0)
1220 glossary_option_help();
1221 else if (strcmp(argv[2], "-?") == 0)
1222 glossary_option_help();
1224 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1231 /* Set the C-language locale to the native environment. */
1232 setlocale(LC_ALL, "");
1234 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1235 &pf_open_errno, &pf_read_errno, &pf_path);
1236 if (gpf_path != NULL) {
1237 if (gpf_open_errno != 0) {
1238 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1239 pf_path, g_strerror(gpf_open_errno));
1241 if (gpf_read_errno != 0) {
1242 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1243 pf_path, g_strerror(gpf_read_errno));
1246 if (pf_path != NULL) {
1247 if (pf_open_errno != 0) {
1248 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1249 g_strerror(pf_open_errno));
1251 if (pf_read_errno != 0) {
1252 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1253 pf_path, g_strerror(pf_read_errno));
1259 /* Read the disabled protocols file. */
1260 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1261 &dp_path, &dp_open_errno, &dp_read_errno);
1262 if (gdp_path != NULL) {
1263 if (gdp_open_errno != 0) {
1264 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1265 gdp_path, g_strerror(gdp_open_errno));
1267 if (gdp_read_errno != 0) {
1268 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1269 gdp_path, g_strerror(gdp_read_errno));
1273 if (dp_path != NULL) {
1274 if (dp_open_errno != 0) {
1276 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1277 g_strerror(dp_open_errno));
1279 if (dp_read_errno != 0) {
1281 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1282 g_strerror(dp_read_errno));
1287 cap_file_init(&cfile);
1289 /* Print format defaults to this. */
1290 print_format = PR_FMT_TEXT;
1292 output_fields = output_fields_new();
1294 /* Now get our args */
1295 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1297 case '2': /* Perform two pass analysis */
1298 perform_two_pass_analysis = TRUE;
1300 case 'a': /* autostop criteria */
1301 case 'b': /* Ringbuffer option */
1302 case 'c': /* Capture x packets */
1303 case 'f': /* capture filter */
1304 case 'g': /* enable group read access on file(s) */
1305 case 'i': /* Use interface x */
1306 case 'p': /* Don't capture in promiscuous mode */
1307 #ifdef HAVE_PCAP_REMOTE
1308 case 'A': /* Authentication */
1310 #ifdef HAVE_PCAP_CREATE
1311 case 'I': /* Capture in monitor mode, if available */
1313 case 's': /* Set the snapshot (capture) length */
1314 case 'w': /* Write to capture file x */
1315 case 'y': /* Set the pcap data link type */
1316 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1317 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1318 case 'B': /* Buffer size */
1319 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1321 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1328 * Output file name, if we're reading a file and writing to another
1331 output_file_name = optarg;
1333 capture_option_specified = TRUE;
1339 /* Configuration profile settings were already processed just ignore them this time*/
1341 case 'd': /* Decode as rule */
1342 if (!add_decode_as(optarg))
1345 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1346 case 'K': /* Kerberos keytab file */
1347 read_keytab_file(optarg);
1350 case 'D': /* Print a list of capture devices and exit */
1352 if_list = capture_interface_list(&err, &err_str,NULL);
1353 if (if_list == NULL) {
1355 case CANT_GET_INTERFACE_LIST:
1356 case DONT_HAVE_PCAP:
1357 cmdarg_err("%s", err_str);
1361 case NO_INTERFACES_FOUND:
1362 cmdarg_err("There are no interfaces on which a capture can be done");
1367 capture_opts_print_interfaces(if_list);
1368 free_interface_list(if_list);
1371 capture_option_specified = TRUE;
1377 output_fields_add(output_fields, optarg);
1381 if (!output_fields_set_option(output_fields, optarg)) {
1382 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1383 output_fields_list_options(stderr);
1388 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1389 if (out_file_type < 0) {
1390 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1391 list_capture_types();
1395 case 'W': /* Select extra information to save in our capture file */
1396 /* This is patterned after the -N flag which may not be the best idea. */
1397 if (strchr(optarg, 'n')) {
1398 out_file_name_res = TRUE;
1400 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1401 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1405 case 'H': /* Read address to name mappings from a hosts file */
1406 if (! add_hosts_file(optarg))
1408 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1411 out_file_name_res = TRUE;
1414 case 'h': /* Print help and exit */
1415 printf("TShark (Wireshark) %s\n"
1416 "Dump and analyze network traffic.\n"
1417 "See http://www.wireshark.org for more information.\n",
1418 get_ws_vcs_version_info());
1419 print_usage(stdout);
1422 case 'l': /* "Line-buffer" standard output */
1423 /* This isn't line-buffering, strictly speaking, it's just
1424 flushing the standard output after the information for
1425 each packet is printed; however, that should be good
1426 enough for all the purposes to which "-l" is put (and
1427 is probably actually better for "-V", as it does fewer
1430 See the comment in "process_packet()" for an explanation of
1431 why we do that, and why we don't just use "setvbuf()" to
1432 make the standard output line-buffered (short version: in
1433 Windows, "line-buffered" is the same as "fully-buffered",
1434 and the output buffer is only flushed when it fills up). */
1435 line_buffered = TRUE;
1437 case 'L': /* Print list of link-layer types and exit */
1439 list_link_layer_types = TRUE;
1441 capture_option_specified = TRUE;
1445 case 'n': /* No name resolution */
1446 gbl_resolv_flags.mac_name = FALSE;
1447 gbl_resolv_flags.network_name = FALSE;
1448 gbl_resolv_flags.transport_name = FALSE;
1449 gbl_resolv_flags.concurrent_dns = FALSE;
1451 case 'N': /* Select what types of addresses/port #s to resolve */
1452 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1453 if (badopt != '\0') {
1454 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1456 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1457 "\t'm' to enable MAC address resolution\n"
1458 "\t'n' to enable network address resolution\n"
1459 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1460 "\t for network address resolution\n"
1461 "\t't' to enable transport-layer port number resolution");
1465 case 'o': /* Override preference from command line */
1466 switch (prefs_set_pref(optarg)) {
1471 case PREFS_SET_SYNTAX_ERR:
1472 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1476 case PREFS_SET_NO_SUCH_PREF:
1477 case PREFS_SET_OBSOLETE:
1478 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1483 case 'q': /* Quiet */
1486 case 'Q': /* Really quiet */
1488 really_quiet = TRUE;
1490 case 'r': /* Read capture file x */
1491 cf_name = g_strdup(optarg);
1493 case 'R': /* Read file filter */
1497 /* already processed; just ignore it now */
1499 case 'S': /* Set the line Separator to be printed between packets */
1502 case 't': /* Time stamp type */
1503 if (strcmp(optarg, "r") == 0)
1504 timestamp_set_type(TS_RELATIVE);
1505 else if (strcmp(optarg, "a") == 0)
1506 timestamp_set_type(TS_ABSOLUTE);
1507 else if (strcmp(optarg, "ad") == 0)
1508 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1509 else if (strcmp(optarg, "adoy") == 0)
1510 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1511 else if (strcmp(optarg, "d") == 0)
1512 timestamp_set_type(TS_DELTA);
1513 else if (strcmp(optarg, "dd") == 0)
1514 timestamp_set_type(TS_DELTA_DIS);
1515 else if (strcmp(optarg, "e") == 0)
1516 timestamp_set_type(TS_EPOCH);
1517 else if (strcmp(optarg, "u") == 0)
1518 timestamp_set_type(TS_UTC);
1519 else if (strcmp(optarg, "ud") == 0)
1520 timestamp_set_type(TS_UTC_WITH_YMD);
1521 else if (strcmp(optarg, "udoy") == 0)
1522 timestamp_set_type(TS_UTC_WITH_YDOY);
1524 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1525 cmdarg_err_cont("\t\"a\" for absolute\n"
1526 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1527 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1528 "\t\"d\" for delta\n"
1529 "\t\"dd\" for delta displayed\n"
1530 "\t\"e\" for epoch\n"
1531 "\t\"r\" for relative\n"
1532 "\t\"u\" for absolute UTC\n"
1533 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1534 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1538 case 'T': /* printing Type */
1539 print_packet_info = TRUE;
1540 if (strcmp(optarg, "text") == 0) {
1541 output_action = WRITE_TEXT;
1542 print_format = PR_FMT_TEXT;
1543 } else if (strcmp(optarg, "ps") == 0) {
1544 output_action = WRITE_TEXT;
1545 print_format = PR_FMT_PS;
1546 } else if (strcmp(optarg, "pdml") == 0) {
1547 output_action = WRITE_XML;
1548 print_details = TRUE; /* Need details */
1549 print_summary = FALSE; /* Don't allow summary */
1550 } else if (strcmp(optarg, "psml") == 0) {
1551 output_action = WRITE_XML;
1552 print_details = FALSE; /* Don't allow details */
1553 print_summary = TRUE; /* Need summary */
1554 } else if (strcmp(optarg, "fields") == 0) {
1555 output_action = WRITE_FIELDS;
1556 print_details = TRUE; /* Need full tree info */
1557 print_summary = FALSE; /* Don't allow summary */
1559 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1560 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1561 "\t specified by the -E option.\n"
1562 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1563 "\t details of a decoded packet. This information is equivalent to\n"
1564 "\t the packet details printed with the -V flag.\n"
1565 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1566 "\t the packets, or a multi-line view of the details of each of\n"
1567 "\t the packets, depending on whether the -V flag was specified.\n"
1568 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1569 "\t summary information of a decoded packet. This information is\n"
1570 "\t equivalent to the information shown in the one-line summary\n"
1571 "\t printed by default.\n"
1572 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1573 "\t packets, or a multi-line view of the details of each of the\n"
1574 "\t packets, depending on whether the -V flag was specified.\n"
1575 "\t This is the default.");
1579 case 'u': /* Seconds type */
1580 if (strcmp(optarg, "s") == 0)
1581 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1582 else if (strcmp(optarg, "hms") == 0)
1583 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1585 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1586 cmdarg_err_cont("\t\"s\" for seconds\n"
1587 "\t\"hms\" for hours, minutes and seconds");
1591 case 'v': /* Show version and exit */
1593 show_version(comp_info_str, runtime_info_str);
1594 g_string_free(comp_info_str, TRUE);
1595 g_string_free(runtime_info_str, TRUE);
1596 /* We don't really have to cleanup here, but it's a convenient way to test
1597 * start-up and shut-down of the epan library without any UI-specific
1598 * cruft getting in the way. Makes the results of running
1599 * $ ./tools/valgrind-wireshark -n
1600 * much more useful. */
1604 case 'O': /* Only output these protocols */
1605 /* already processed; just ignore it now */
1607 case 'V': /* Verbose */
1608 /* already processed; just ignore it now */
1610 case 'x': /* Print packet data in hex (and ASCII) */
1611 /* already processed; just ignore it now */
1619 /* We won't call the init function for the stat this soon
1620 as it would disallow MATE's fields (which are registered
1621 by the preferences set callback) from being used as
1622 part of a tap filter. Instead, we just add the argument
1623 to a list of stat arguments. */
1624 if (!process_stat_cmd_arg(optarg)) {
1625 if (strcmp("help", optarg)==0) {
1626 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1627 list_stat_cmd_args();
1630 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1631 list_stat_cmd_args();
1636 case '?': /* Bad flag - print usage message */
1639 list_capture_types();
1642 print_usage(stderr);
1649 /* If we specified output fields, but not the output field type... */
1650 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1651 cmdarg_err("Output fields were specified with \"-e\", "
1652 "but \"-Tfields\" was not specified.");
1654 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1655 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1656 "specified with \"-e\".");
1661 /* If no capture filter or display filter has been specified, and there are
1662 still command-line arguments, treat them as the tokens of a capture
1663 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1664 flag was specified. */
1665 if (optind < argc) {
1666 if (cf_name != NULL) {
1667 if (dfilter != NULL) {
1668 cmdarg_err("Display filters were specified both with \"-d\" "
1669 "and with additional command-line arguments.");
1672 dfilter = get_args_as_string(argc, argv, optind);
1677 if (global_capture_opts.default_options.cfilter) {
1678 cmdarg_err("A default capture filter was specified both with \"-f\""
1679 " and with additional command-line arguments.");
1682 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1683 interface_options interface_opts;
1684 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1685 if (interface_opts.cfilter == NULL) {
1686 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1687 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1688 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1690 cmdarg_err("A capture filter was specified both with \"-f\""
1691 " and with additional command-line arguments.");
1695 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1697 capture_option_specified = TRUE;
1703 if (!global_capture_opts.saving_to_file) {
1704 /* We're not saving the capture to a file; if "-q" wasn't specified,
1705 we should print packet information */
1707 print_packet_info = TRUE;
1709 /* We're saving to a file; if we're writing to the standard output.
1710 and we'll also be writing dissected packets to the standard
1711 output, reject the request. At best, we could redirect that
1712 to the standard error; we *can't* write both to the standard
1713 output and have either of them be useful. */
1714 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1715 cmdarg_err("You can't write both raw packet data and dissected packets"
1716 " to the standard output.");
1721 /* We're not saving the capture to a file; if "-q" wasn't specified,
1722 we should print packet information */
1724 print_packet_info = TRUE;
1727 #ifndef HAVE_LIBPCAP
1728 if (capture_option_specified)
1729 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1732 print_usage(stderr);
1737 if (output_action != WRITE_TEXT) {
1738 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1743 if (output_only != NULL) {
1746 if (!print_details) {
1747 cmdarg_err("-O requires -V");
1751 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1752 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1753 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1757 if (rfilter != NULL && !perform_two_pass_analysis) {
1758 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1763 if (list_link_layer_types) {
1764 /* We're supposed to list the link-layer types for an interface;
1765 did the user also specify a capture file to be read? */
1767 /* Yes - that's bogus. */
1768 cmdarg_err("You can't specify -L and a capture file to be read.");
1771 /* No - did they specify a ring buffer option? */
1772 if (global_capture_opts.multi_files_on) {
1773 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1779 * "-r" was specified, so we're reading a capture file.
1780 * Capture options don't apply here.
1783 /* We don't support capture filters when reading from a capture file
1784 (the BPF compiler doesn't support all link-layer types that we
1785 support in capture files we read). */
1786 if (global_capture_opts.default_options.cfilter) {
1787 cmdarg_err("Only read filters, not capture filters, "
1788 "can be specified when reading a capture file.");
1791 if (global_capture_opts.multi_files_on) {
1792 cmdarg_err("Multiple capture files requested, but "
1793 "a capture isn't being done.");
1796 if (global_capture_opts.has_file_duration) {
1797 cmdarg_err("Switching capture files after a time interval was specified, but "
1798 "a capture isn't being done.");
1801 if (global_capture_opts.has_ring_num_files) {
1802 cmdarg_err("A ring buffer of capture files was specified, but "
1803 "a capture isn't being done.");
1806 if (global_capture_opts.has_autostop_files) {
1807 cmdarg_err("A maximum number of capture files was specified, but "
1808 "a capture isn't being done.");
1811 if (global_capture_opts.capture_comment) {
1812 cmdarg_err("A capture comment was specified, but "
1813 "a capture isn't being done.\nThere's no support for adding "
1814 "a capture comment to an existing capture file.");
1818 /* Note: TShark now allows the restriction of a _read_ file by packet count
1819 * and byte count as well as a write file. Other autostop options remain valid
1820 * only for a write file.
1822 if (global_capture_opts.has_autostop_duration) {
1823 cmdarg_err("A maximum capture time was specified, but "
1824 "a capture isn't being done.");
1829 * "-r" wasn't specified, so we're doing a live capture.
1831 if (perform_two_pass_analysis) {
1832 /* Two-pass analysis doesn't work with live capture since it requires us
1833 * to buffer packets until we've read all of them, but a live capture
1834 * has no useful/meaningful definition of "all" */
1835 cmdarg_err("Live captures do not support two-pass analysis.");
1839 if (global_capture_opts.saving_to_file) {
1840 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1842 /* When capturing, we only support writing pcap or pcap-ng format. */
1843 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1844 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1845 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1848 if (global_capture_opts.capture_comment &&
1849 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1850 cmdarg_err("A capture comment can only be written to a pcapng file.");
1853 if (global_capture_opts.multi_files_on) {
1854 /* Multiple-file mode doesn't work under certain conditions:
1855 a) it doesn't work if you're writing to the standard output;
1856 b) it doesn't work if you're writing to a pipe;
1858 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1859 cmdarg_err("Multiple capture files requested, but "
1860 "the capture is being written to the standard output.");
1863 if (global_capture_opts.output_to_pipe) {
1864 cmdarg_err("Multiple capture files requested, but "
1865 "the capture file is a pipe.");
1868 if (!global_capture_opts.has_autostop_filesize &&
1869 !global_capture_opts.has_file_duration) {
1870 cmdarg_err("Multiple capture files requested, but "
1871 "no maximum capture file size or duration was specified.");
1875 /* Currently, we don't support read or display filters when capturing
1876 and saving the packets. */
1877 if (rfilter != NULL) {
1878 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1881 if (dfilter != NULL) {
1882 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1885 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1887 /* They didn't specify a "-w" flag, so we won't be saving to a
1888 capture file. Check for options that only make sense if
1889 we're saving to a file. */
1890 if (global_capture_opts.has_autostop_filesize) {
1891 cmdarg_err("Maximum capture file size specified, but "
1892 "capture isn't being saved to a file.");
1895 if (global_capture_opts.multi_files_on) {
1896 cmdarg_err("Multiple capture files requested, but "
1897 "the capture isn't being saved to a file.");
1900 if (global_capture_opts.capture_comment) {
1901 cmdarg_err("A capture comment was specified, but "
1902 "the capture isn't being saved to a file.");
1911 /* Start windows sockets */
1912 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1915 /* Notify all registered modules that have had any of their preferences
1916 changed either from one of the preferences file or from the command
1917 line that their preferences have changed. */
1920 /* At this point MATE will have registered its field array so we can
1921 have a tap filter with one of MATE's late-registered fields as part
1922 of the filter. We can now process all the "-z" arguments. */
1923 start_requested_stats();
1925 /* At this point MATE will have registered its field array so we can
1926 check if the fields specified by the user are all good.
1928 if (!output_fields_valid(output_fields)) {
1929 cmdarg_err("Some fields aren't valid");
1934 /* We currently don't support taps, or printing dissected packets,
1935 if we're writing to a pipe. */
1936 if (global_capture_opts.saving_to_file &&
1937 global_capture_opts.output_to_pipe) {
1938 if (tap_listeners_require_dissection()) {
1939 cmdarg_err("Taps aren't supported when saving to a pipe.");
1942 if (print_packet_info) {
1943 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1949 if (ex_opt_count("read_format") > 0) {
1950 const gchar* name = ex_opt_get_next("read_format");
1951 in_file_type = open_info_name_to_type(name);
1952 if (in_file_type == WTAP_TYPE_AUTO) {
1953 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1954 list_read_capture_types();
1959 /* disabled protocols as per configuration file */
1960 if (gdp_path == NULL && dp_path == NULL) {
1961 set_disabled_protos_list();
1964 /* Build the column format array */
1965 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1968 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1969 capture_opts_trim_ring_num_files(&global_capture_opts);
1972 if (rfilter != NULL) {
1973 if (!dfilter_compile(rfilter, &rfcode)) {
1974 cmdarg_err("%s", dfilter_error_msg);
1976 #ifdef HAVE_PCAP_OPEN_DEAD
1980 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1982 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1984 " Note: That read filter code looks like a valid capture filter;\n"
1985 " maybe you mixed them up?");
1994 cfile.rfcode = rfcode;
1996 if (dfilter != NULL) {
1997 if (!dfilter_compile(dfilter, &dfcode)) {
1998 cmdarg_err("%s", dfilter_error_msg);
2000 #ifdef HAVE_PCAP_OPEN_DEAD
2004 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2006 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2008 " Note: That display filter code looks like a valid capture filter;\n"
2009 " maybe you mixed them up?");
2018 cfile.dfcode = dfcode;
2020 if (print_packet_info) {
2021 /* If we're printing as text or PostScript, we have
2022 to create a print stream. */
2023 if (output_action == WRITE_TEXT) {
2024 switch (print_format) {
2027 print_stream = print_stream_text_stdio_new(stdout);
2031 print_stream = print_stream_ps_stdio_new(stdout);
2035 g_assert_not_reached();
2040 /* We have to dissect each packet if:
2042 we're printing information about each packet;
2044 we're using a read filter on the packets;
2046 we're using a display filter on the packets;
2048 we're using any taps that need dissection. */
2049 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2053 * We're reading a capture file.
2055 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2060 /* Set timestamp precision; there should arguably be a command-line
2061 option to let the user set this. */
2062 switch(wtap_file_tsprecision(cfile.wth)) {
2063 case(WTAP_FILE_TSPREC_SEC):
2064 timestamp_set_precision(TS_PREC_AUTO_SEC);
2066 case(WTAP_FILE_TSPREC_DSEC):
2067 timestamp_set_precision(TS_PREC_AUTO_DSEC);
2069 case(WTAP_FILE_TSPREC_CSEC):
2070 timestamp_set_precision(TS_PREC_AUTO_CSEC);
2072 case(WTAP_FILE_TSPREC_MSEC):
2073 timestamp_set_precision(TS_PREC_AUTO_MSEC);
2075 case(WTAP_FILE_TSPREC_USEC):
2076 timestamp_set_precision(TS_PREC_AUTO_USEC);
2078 case(WTAP_FILE_TSPREC_NSEC):
2079 timestamp_set_precision(TS_PREC_AUTO_NSEC);
2082 g_assert_not_reached();
2085 /* Process the packets in the file */
2088 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2089 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2090 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2092 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2095 CATCH(OutOfMemoryError) {
2099 "Sorry, but TShark has to terminate now!\n"
2101 "Some infos / workarounds can be found at:\n"
2102 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2107 /* We still dump out the results of taps, etc., as we might have
2108 read some packets; however, we exit with an error status. */
2112 /* No capture file specified, so we're supposed to do a live capture
2113 or get a list of link-layer types for a live capture device;
2114 do we have support for live captures? */
2116 /* if no interface was specified, pick a default */
2117 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2118 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2119 if (exit_status != 0)
2122 /* if requested, list the link layer types and exit */
2123 if (list_link_layer_types) {
2126 /* Get the list of link-layer types for the capture devices. */
2127 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2128 interface_options interface_opts;
2129 if_capabilities_t *caps;
2131 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2132 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2134 cmdarg_err("%s", err_str);
2138 if (caps->data_link_types == NULL) {
2139 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2142 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2143 free_if_capabilities(caps);
2149 * If the standard error isn't a terminal, don't print packet counts,
2150 * as they won't show up on the user's terminal and they'll get in
2151 * the way of error messages in the file (to which we assume the
2152 * standard error was redirected; if it's redirected to the null
2153 * device, there's no point in printing packet counts anyway).
2155 * Otherwise, if we're printing packet information and the standard
2156 * output is a terminal (which we assume means the standard output and
2157 * error are going to the same terminal), don't print packet counts,
2158 * as they'll get in the way of the packet information.
2160 * Otherwise, if the user specified -q, don't print packet counts.
2162 * Otherwise, print packet counts.
2164 * XXX - what if the user wants to do a live capture, doesn't want
2165 * to save it to a file, doesn't want information printed for each
2166 * packet, does want some "-z" statistic, and wants packet counts
2167 * so they know whether they're seeing any packets? -q will
2168 * suppress the information printed for each packet, but it'll
2169 * also suppress the packet counts.
2171 if (!isatty(fileno(stderr)))
2172 print_packet_counts = FALSE;
2173 else if (print_packet_info && isatty(fileno(stdout)))
2174 print_packet_counts = FALSE;
2176 print_packet_counts = FALSE;
2178 print_packet_counts = TRUE;
2180 if (print_packet_info) {
2181 if (!write_preamble(NULL)) {
2182 show_print_file_io_error(errno);
2187 /* For now, assume libpcap gives microsecond precision. */
2188 timestamp_set_precision(TS_PREC_AUTO_USEC);
2191 * XXX - this returns FALSE if an error occurred, but it also
2192 * returns FALSE if the capture stops because a time limit
2193 * was reached (and possibly other limits), so we can't assume
2194 * it means an error.
2196 * The capture code is a bit twisty, so it doesn't appear to
2197 * be an easy fix. We just ignore the return value for now.
2198 * Instead, pass on the exit status from the capture child.
2201 exit_status = global_capture_session.fork_child_status;
2203 if (print_packet_info) {
2204 if (!write_finale()) {
2206 show_print_file_io_error(err);
2210 /* No - complain. */
2211 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2218 if (cfile.frames != NULL) {
2219 free_frame_data_sequence(cfile.frames);
2220 cfile.frames = NULL;
2223 draw_tap_listeners(TRUE);
2224 funnel_dump_all_text_windows();
2225 epan_free(cfile.epan);
2228 output_fields_free(output_fields);
2229 output_fields = NULL;
2234 /*#define USE_BROKEN_G_MAIN_LOOP*/
2236 #ifdef USE_BROKEN_G_MAIN_LOOP
2239 gboolean loop_running = FALSE;
2241 guint32 packet_count = 0;
2244 typedef struct pipe_input_tag {
2248 pipe_input_cb_t input_cb;
2249 guint pipe_input_id;
2251 GMutex *callback_running;
2255 static pipe_input_t pipe_input;
2258 /* The timer has expired, see if there's stuff to read from the pipe,
2259 if so, do the callback */
2261 pipe_timer_cb(gpointer data)
2267 pipe_input_t *pipe_input_p = data;
2268 gint iterations = 0;
2270 g_mutex_lock (pipe_input_p->callback_running);
2272 /* try to read data from the pipe only 5 times, to avoid blocking */
2273 while(iterations < 5) {
2274 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2276 /* Oddly enough although Named pipes don't work on win9x,
2277 PeekNamedPipe does !!! */
2278 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2279 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2281 /* Get the child process exit status */
2282 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2285 /* If the Peek returned an error, or there are bytes to be read
2286 or the childwatcher thread has terminated then call the normal
2288 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2290 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2292 /* And call the real handler */
2293 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2294 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2295 /* pipe closed, return false so that the timer is stopped */
2296 g_mutex_unlock (pipe_input_p->callback_running);
2301 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2302 /* No data, stop now */
2309 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2311 g_mutex_unlock (pipe_input_p->callback_running);
2313 /* we didn't stopped the timer, so let it run */
2320 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2323 pipe_input.source = source;
2324 pipe_input.child_process = child_process;
2325 pipe_input.user_data = user_data;
2326 pipe_input.input_cb = input_cb;
2329 #if GLIB_CHECK_VERSION(2,31,0)
2330 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2331 g_mutex_init(pipe_input.callback_running);
2333 pipe_input.callback_running = g_mutex_new();
2335 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2336 do this but that doesn't cover all win32 platforms. GTK can do
2337 this but doesn't seem to work over processes. Attempt to do
2338 something similar here, start a timer and check for data on every
2340 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2341 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2345 static const nstime_t *
2346 tshark_get_frame_ts(void *data, guint32 frame_num)
2348 capture_file *cf = (capture_file *) data;
2350 if (ref && ref->num == frame_num)
2351 return &ref->abs_ts;
2353 if (prev_dis && prev_dis->num == frame_num)
2354 return &prev_dis->abs_ts;
2356 if (prev_cap && prev_cap->num == frame_num)
2357 return &prev_cap->abs_ts;
2360 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2362 return (fd) ? &fd->abs_ts : NULL;
2369 tshark_epan_new(capture_file *cf)
2371 epan_t *epan = epan_new();
2374 epan->get_frame_ts = tshark_get_frame_ts;
2375 epan->get_interface_name = cap_file_get_interface_name;
2376 epan->get_user_comment = NULL;
2387 GString *str = g_string_new("");
2388 #ifdef USE_TSHARK_SELECT
2392 struct sigaction action, oldaction;
2395 /* Create new dissection section. */
2396 epan_free(cfile.epan);
2397 cfile.epan = tshark_epan_new(&cfile);
2400 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2401 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2403 /* Catch SIGINT and SIGTERM and, if we get either of them,
2404 clean up and exit. If SIGHUP isn't being ignored, catch
2405 it too and, if we get it, clean up and exit.
2407 We restart any read that was in progress, so that it doesn't
2408 disrupt reading from the sync pipe. The signal handler tells
2409 the capture child to finish; it will report that it finished,
2410 or will exit abnormally, so we'll stop reading from the sync
2411 pipe, pick up the exit status, and quit. */
2412 memset(&action, 0, sizeof(action));
2413 action.sa_handler = capture_cleanup;
2414 action.sa_flags = SA_RESTART;
2415 sigemptyset(&action.sa_mask);
2416 sigaction(SIGTERM, &action, NULL);
2417 sigaction(SIGINT, &action, NULL);
2418 sigaction(SIGHUP, NULL, &oldaction);
2419 if (oldaction.sa_handler == SIG_DFL)
2420 sigaction(SIGHUP, &action, NULL);
2423 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2424 quiet mode, report the number of packets we've captured.
2426 Again, restart any read that was in progress, so that it doesn't
2427 disrupt reading from the sync pipe. */
2428 action.sa_handler = report_counts_siginfo;
2429 action.sa_flags = SA_RESTART;
2430 sigemptyset(&action.sa_mask);
2431 sigaction(SIGINFO, &action, NULL);
2432 #endif /* SIGINFO */
2435 global_capture_session.state = CAPTURE_PREPARING;
2437 /* Let the user know which interfaces were chosen. */
2438 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2439 interface_options interface_opts;
2441 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2442 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2443 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2444 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2447 if (global_capture_opts.ifaces->len < 2)
2449 if (global_capture_opts.ifaces->len < 4)
2452 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2453 interface_options interface_opts;
2455 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2457 if (global_capture_opts.ifaces->len > 2) {
2458 g_string_append_printf(str, ",");
2460 g_string_append_printf(str, " ");
2461 if (i == global_capture_opts.ifaces->len - 1) {
2462 g_string_append_printf(str, "and ");
2465 g_string_append_printf(str, "'%s'", interface_opts.descr);
2468 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2470 if (really_quiet == FALSE)
2471 fprintf(stderr, "Capturing on %s\n", str->str);
2473 g_string_free(str, TRUE);
2475 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2480 /* the actual capture loop
2482 * XXX - glib doesn't seem to provide any event based loop handling.
2484 * XXX - for whatever reason,
2485 * calling g_main_loop_new() ends up in 100% cpu load.
2487 * But that doesn't matter: in UNIX we can use select() to find an input
2488 * source with something to do.
2490 * But that doesn't matter because we're in a CLI (that doesn't need to
2491 * update a GUI or something at the same time) so it's OK if we block
2492 * trying to read from the pipe.
2494 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2495 * wrong (but I leave it there in case I am...).
2498 #ifdef USE_TSHARK_SELECT
2500 FD_SET(pipe_input.source, &readfds);
2503 loop_running = TRUE;
2507 while (loop_running)
2509 #ifdef USE_TSHARK_SELECT
2510 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2514 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2516 } else if (ret == 1) {
2518 /* Call the real handler */
2519 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2520 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2523 #ifdef USE_TSHARK_SELECT
2528 CATCH(OutOfMemoryError) {
2532 "Sorry, but TShark has to terminate now!\n"
2534 "Some infos / workarounds can be found at:\n"
2535 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2542 /* capture child detected an error */
2544 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2546 cmdarg_err("%s", error_msg);
2547 cmdarg_err_cont("%s", secondary_error_msg);
2551 /* capture child detected an capture filter related error */
2553 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2555 capture_options *capture_opts = cap_session->capture_opts;
2556 dfilter_t *rfcode = NULL;
2557 interface_options interface_opts;
2559 g_assert(i < capture_opts->ifaces->len);
2560 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2562 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2564 "Invalid capture filter \"%s\" for interface '%s'!\n"
2566 "That string looks like a valid display filter; however, it isn't a valid\n"
2567 "capture filter (%s).\n"
2569 "Note that display filters and capture filters don't have the same syntax,\n"
2570 "so you can't use most display filter expressions as capture filters.\n"
2572 "See the User's Guide for a description of the capture filter syntax.",
2573 interface_opts.cfilter, interface_opts.descr, error_message);
2574 dfilter_free(rfcode);
2577 "Invalid capture filter \"%s\" for interface '%s'!\n"
2579 "That string isn't a valid capture filter (%s).\n"
2580 "See the User's Guide for a description of the capture filter syntax.",
2581 interface_opts.cfilter, interface_opts.descr, error_message);
2586 /* capture child tells us we have a new (or the first) capture file */
2588 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2590 capture_options *capture_opts = cap_session->capture_opts;
2591 gboolean is_tempfile;
2594 if (cap_session->state == CAPTURE_PREPARING) {
2595 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2597 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2599 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2601 /* free the old filename */
2602 if (capture_opts->save_file != NULL) {
2604 /* we start a new capture file, close the old one (if we had one before) */
2605 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2606 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2607 wtap_close(((capture_file *) cap_session->cf)->wth);
2608 ((capture_file *) cap_session->cf)->wth = NULL;
2610 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2613 g_free(capture_opts->save_file);
2614 is_tempfile = FALSE;
2616 /* we didn't had a save_file before, must be a tempfile */
2620 /* save the new filename */
2621 capture_opts->save_file = g_strdup(new_file);
2623 /* if we are in real-time mode, open the new file now */
2624 if (do_dissection) {
2625 /* this is probably unecessary, but better safe than sorry */
2626 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2627 /* Attempt to open the capture file and set up to read from it. */
2628 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2632 /* Don't unlink (delete) the save file - leave it around,
2633 for debugging purposes. */
2634 g_free(capture_opts->save_file);
2635 capture_opts->save_file = NULL;
2640 cap_session->state = CAPTURE_RUNNING;
2646 /* capture child tells us we have new packets to read */
2648 capture_input_new_packets(capture_session *cap_session, int to_read)
2654 capture_file *cf = (capture_file *)cap_session->cf;
2655 gboolean filtering_tap_listeners;
2660 * Prevent a SIGINFO handler from writing to the standard error while
2661 * we're doing so or writing to the standard output; instead, have it
2662 * just set a flag telling us to print that information when we're done.
2665 #endif /* SIGINFO */
2667 /* Do we have any tap listeners with filters? */
2668 filtering_tap_listeners = have_filtering_tap_listeners();
2670 /* Get the union of the flags for all tap listeners. */
2671 tap_flags = union_of_tap_listener_flags();
2673 if (do_dissection) {
2674 gboolean create_proto_tree;
2675 epan_dissect_t *edt;
2677 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2678 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2679 create_proto_tree = TRUE;
2681 create_proto_tree = FALSE;
2683 /* The protocol tree will be "visible", i.e., printed, only if we're
2684 printing packet details, which is true if we're printing stuff
2685 ("print_packet_info" is true) and we're in verbose mode
2686 ("packet_details" is true). */
2687 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2689 while (to_read-- && cf->wth) {
2690 wtap_cleareof(cf->wth);
2691 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2693 /* read from file failed, tell the capture child to stop */
2694 sync_pipe_stop(cap_session);
2695 wtap_close(cf->wth);
2698 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2699 wtap_buf_ptr(cf->wth),
2703 /* packet successfully read and gone through the "Read Filter" */
2708 epan_dissect_free(edt);
2712 * Dumpcap's doing all the work; we're not doing any dissection.
2713 * Count all the packets it wrote.
2715 packet_count += to_read;
2718 if (print_packet_counts) {
2719 /* We're printing packet counts. */
2720 if (packet_count != 0) {
2721 fprintf(stderr, "\r%u ", packet_count);
2722 /* stderr could be line buffered */
2729 * Allow SIGINFO handlers to write.
2734 * If a SIGINFO handler asked us to write out capture counts, do so.
2738 #endif /* SIGINFO */
2744 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2745 /* Report the count only if we aren't printing a packet count
2746 as packets arrive. */
2747 fprintf(stderr, "%u packet%s captured\n", packet_count,
2748 plurality(packet_count, "", "s"));
2751 infoprint = FALSE; /* we just reported it */
2752 #endif /* SIGINFO */
2757 report_counts_siginfo(int signum _U_)
2759 int sav_errno = errno;
2760 /* If we've been told to delay printing, just set a flag asking
2761 that we print counts (if we're supposed to), otherwise print
2762 the count of packets captured (if we're supposed to). */
2769 #endif /* SIGINFO */
2772 /* capture child detected any packet drops? */
2774 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2776 if (print_packet_counts) {
2777 /* We're printing packet counts to stderr.
2778 Send a newline so that we move to the line after the packet count. */
2779 fprintf(stderr, "\n");
2783 /* We're printing packet counts to stderr.
2784 Send a newline so that we move to the line after the packet count. */
2785 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2791 * Capture child closed its side of the pipe, report any error and
2792 * do the required cleanup.
2795 capture_input_closed(capture_session *cap_session, gchar *msg)
2797 capture_file *cf = (capture_file *) cap_session->cf;
2800 fprintf(stderr, "tshark: %s\n", msg);
2804 if (cf != NULL && cf->wth != NULL) {
2805 wtap_close(cf->wth);
2806 if (cf->is_tempfile) {
2807 ws_unlink(cf->filename);
2810 #ifdef USE_BROKEN_G_MAIN_LOOP
2811 /*g_main_loop_quit(loop);*/
2812 g_main_loop_quit(loop);
2814 loop_running = FALSE;
2823 capture_cleanup(DWORD ctrltype _U_)
2825 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2826 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2827 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2828 like SIGTERM at least when the machine's shutting down.
2830 For now, we handle them all as indications that we should clean up
2831 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2834 We must return TRUE so that no other handler - such as one that would
2835 terminate the process - gets called.
2837 XXX - for some reason, typing ^C to TShark, if you run this in
2838 a Cygwin console window in at least some versions of Cygwin,
2839 causes TShark to terminate immediately; this routine gets
2840 called, but the main loop doesn't get a chance to run and
2841 exit cleanly, at least if this is compiled with Microsoft Visual
2842 C++ (i.e., it's a property of the Cygwin console window or Bash;
2843 it happens if TShark is not built with Cygwin - for all I know,
2844 building it with Cygwin may make the problem go away). */
2846 /* tell the capture child to stop */
2847 sync_pipe_stop(&global_capture_session);
2849 /* don't stop our own loop already here, otherwise status messages and
2850 * cleanup wouldn't be done properly. The child will indicate the stop of
2851 * everything by calling capture_input_closed() later */
2857 capture_cleanup(int signum _U_)
2859 /* tell the capture child to stop */
2860 sync_pipe_stop(&global_capture_session);
2862 /* don't stop our own loop already here, otherwise status messages and
2863 * cleanup wouldn't be done properly. The child will indicate the stop of
2864 * everything by calling capture_input_closed() later */
2867 #endif /* HAVE_LIBPCAP */
2870 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2871 gint64 offset, struct wtap_pkthdr *whdr,
2878 /* The frame number of this packet is one more than the count of
2879 frames in this packet. */
2880 framenum = cf->count + 1;
2882 /* If we're not running a display filter and we're not printing any
2883 packet information, we don't need to do a dissection. This means
2884 that all packets can be marked as 'passed'. */
2887 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2889 /* If we're going to print packet information, or we're going to
2890 run a read filter, or display filter, or we're going to process taps, set up to
2891 do a dissection and do so. */
2893 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2894 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2895 /* Grab any resolved addresses */
2896 host_name_lookup_process();
2898 /* If we're running a read filter, prime the epan_dissect_t with that
2901 epan_dissect_prime_dfilter(edt, cf->rfcode);
2904 epan_dissect_prime_dfilter(edt, cf->dfcode);
2906 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2908 if (ref == &fdlocal) {
2909 ref_frame = fdlocal;
2913 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2915 /* Run the read filter if we have one. */
2917 passed = dfilter_apply_edt(cf->rfcode, edt);
2921 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2922 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2924 /* If we're not doing dissection then there won't be any dependent frames.
2925 * More importantly, edt.pi.dependent_frames won't be initialized because
2926 * epan hasn't been initialized.
2927 * if we *are* doing dissection, then mark the dependent frames, but only
2928 * if a display filter was given and it matches this packet.
2930 if (edt && cf->dfcode) {
2931 if (dfilter_apply_edt(cf->dfcode, edt)) {
2932 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2938 /* if we don't add it to the frame_data_sequence, clean it up right now
2940 frame_data_destroy(&fdlocal);
2944 epan_dissect_reset(edt);
2950 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2951 struct wtap_pkthdr *phdr, Buffer *buf,
2957 /* If we're not running a display filter and we're not printing any
2958 packet information, we don't need to do a dissection. This means
2959 that all packets can be marked as 'passed'. */
2962 /* If we're going to print packet information, or we're going to
2963 run a read filter, or we're going to process taps, set up to
2964 do a dissection and do so. */
2966 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2967 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2968 /* Grab any resolved addresses */
2969 host_name_lookup_process();
2971 /* If we're running a display filter, prime the epan_dissect_t with that
2974 epan_dissect_prime_dfilter(edt, cf->dfcode);
2976 col_custom_prime_edt(edt, &cf->cinfo);
2978 /* We only need the columns if either
2979 1) some tap needs the columns
2981 2) we're printing packet info but we're *not* verbose; in verbose
2982 mode, we print the protocol tree, not the protocol summary.
2984 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
2989 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2996 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2998 /* Run the read/display filter if we have one. */
3000 passed = dfilter_apply_edt(cf->dfcode, edt);
3004 frame_data_set_after_dissect(fdata, &cum_bytes);
3005 /* Process this packet. */
3006 if (print_packet_info) {
3007 /* We're printing packet information; print the information for
3009 print_packet(cf, edt);
3011 /* The ANSI C standard does not appear to *require* that a line-buffered
3012 stream be flushed to the host environment whenever a newline is
3013 written, it just says that, on such a stream, characters "are
3014 intended to be transmitted to or from the host environment as a
3015 block when a new-line character is encountered".
3017 The Visual C++ 6.0 C implementation doesn't do what is intended;
3018 even if you set a stream to be line-buffered, it still doesn't
3019 flush the buffer at the end of every line.
3021 So, if the "-l" flag was specified, we flush the standard output
3022 at the end of a packet. This will do the right thing if we're
3023 printing packet summary lines, and, as we print the entire protocol
3024 tree for a single packet without waiting for anything to happen,
3025 it should be as good as line-buffered mode if we're printing
3026 protocol trees. (The whole reason for the "-l" flag in either
3027 tcpdump or TShark is to allow the output of a live capture to
3028 be piped to a program or script and to have that script see the
3029 information for the packet as soon as it's printed, rather than
3030 having to wait until a standard I/O buffer fills up. */
3034 if (ferror(stdout)) {
3035 show_print_file_io_error(errno);
3044 epan_dissect_reset(edt);
3046 return passed || fdata->flags.dependent_of_displayed;
3050 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3051 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3054 int snapshot_length;
3058 gchar *err_info = NULL;
3060 char *save_file_string = NULL;
3061 gboolean filtering_tap_listeners;
3063 wtapng_section_t *shb_hdr;
3064 wtapng_iface_descriptions_t *idb_inf;
3066 struct wtap_pkthdr phdr;
3068 epan_dissect_t *edt = NULL;
3070 memset(&phdr, 0, sizeof(struct wtap_pkthdr));
3072 shb_hdr = wtap_file_get_shb_info(cf->wth);
3073 idb_inf = wtap_file_get_idb_info(cf->wth);
3074 #ifdef PCAP_NG_DEFAULT
3075 if (idb_inf->interface_data->len > 1) {
3076 linktype = WTAP_ENCAP_PER_PACKET;
3078 linktype = wtap_file_encap(cf->wth);
3081 linktype = wtap_file_encap(cf->wth);
3083 if (save_file != NULL) {
3084 /* Get a string that describes what we're writing to */
3085 save_file_string = output_file_description(save_file);
3087 /* Set up to write to the capture file. */
3088 snapshot_length = wtap_snapshot_length(cf->wth);
3089 if (snapshot_length == 0) {
3090 /* Snapshot length of input file not known. */
3091 snapshot_length = WTAP_MAX_PACKET_SIZE;
3093 /* If we don't have an application name add Tshark */
3094 if (shb_hdr->shb_user_appl == NULL) {
3095 g_snprintf(appname, sizeof(appname), "TShark (Wireshark) %s", get_ws_vcs_version_info());
3096 shb_hdr->shb_user_appl = appname;
3099 if (linktype != WTAP_ENCAP_PER_PACKET &&
3100 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3101 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3102 snapshot_length, FALSE /* compressed */, &err);
3104 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3105 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3111 /* We couldn't set up to write to the capture file. */
3114 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3115 cmdarg_err("Capture files can't be written in that format.");
3118 case WTAP_ERR_UNSUPPORTED_ENCAP:
3119 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3120 cmdarg_err("The capture file being read can't be written as a "
3121 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3124 case WTAP_ERR_CANT_OPEN:
3125 cmdarg_err("The %s couldn't be created for some "
3126 "unknown reason.", save_file_string);
3129 case WTAP_ERR_SHORT_WRITE:
3130 cmdarg_err("A full header couldn't be written to the %s.",
3135 cmdarg_err("The %s could not be created: %s.", save_file_string,
3136 wtap_strerror(err));
3142 if (print_packet_info) {
3143 if (!write_preamble(cf)) {
3145 show_print_file_io_error(err);
3154 if (pdh && out_file_name_res) {
3155 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3156 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3157 wtap_file_type_subtype_short_string(out_file_type));
3161 /* Do we have any tap listeners with filters? */
3162 filtering_tap_listeners = have_filtering_tap_listeners();
3164 /* Get the union of the flags for all tap listeners. */
3165 tap_flags = union_of_tap_listener_flags();
3167 if (perform_two_pass_analysis) {
3170 /* Allocate a frame_data_sequence for all the frames. */
3171 cf->frames = new_frame_data_sequence();
3173 if (do_dissection) {
3174 gboolean create_proto_tree = FALSE;
3176 /* If we're going to be applying a filter, we'll need to
3177 create a protocol tree against which to apply the filter. */
3178 if (cf->rfcode || cf->dfcode)
3179 create_proto_tree = TRUE;
3181 /* We're not going to display the protocol tree on this pass,
3182 so it's not going to be "visible". */
3183 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3186 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3187 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3188 wtap_buf_ptr(cf->wth))) {
3189 /* Stop reading if we have the maximum number of packets;
3190 * When the -c option has not been used, max_packet_count
3191 * starts at 0, which practically means, never stop reading.
3192 * (unless we roll over max_packet_count ?)
3194 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3195 err = 0; /* This is not an error */
3202 epan_dissect_free(edt);
3206 /* Close the sequential I/O side, to free up memory it requires. */
3207 wtap_sequential_close(cf->wth);
3209 /* Allow the protocol dissectors to free up memory that they
3210 * don't need after the sequential run-through of the packets. */
3211 postseq_cleanup_all_protocols();
3215 buffer_init(&buf, 1500);
3217 if (do_dissection) {
3218 gboolean create_proto_tree;
3220 if (cf->dfcode || print_details || filtering_tap_listeners ||
3221 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3222 create_proto_tree = TRUE;
3224 create_proto_tree = FALSE;
3226 /* The protocol tree will be "visible", i.e., printed, only if we're
3227 printing packet details, which is true if we're printing stuff
3228 ("print_packet_info" is true) and we're in verbose mode
3229 ("packet_details" is true). */
3230 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3233 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3234 fdata = frame_data_sequence_find(cf->frames, framenum);
3235 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3237 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3239 /* Either there's no read filtering or this packet passed the
3240 filter, so, if we're writing to a capture file, write
3243 if (!wtap_dump(pdh, &phdr, buffer_start_ptr(&buf), &err)) {
3244 /* Error writing to a capture file */
3247 case WTAP_ERR_UNSUPPORTED_ENCAP:
3249 * This is a problem with the particular frame we're writing
3250 * and the file type and subtype we're writing; note that,
3251 * and report the frame number and file type/subtype.
3253 * XXX - framenum is not necessarily the frame number in
3254 * the input file if there was a read filter.
3257 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3258 framenum, cf->filename,
3259 wtap_file_type_subtype_short_string(out_file_type));
3262 case WTAP_ERR_PACKET_TOO_LARGE:
3264 * This is a problem with the particular frame we're writing
3265 * and the file type and subtype we're writing; note that,
3266 * and report the frame number and file type/subtype.
3268 * XXX - framenum is not necessarily the frame number in
3269 * the input file if there was a read filter.
3272 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3273 framenum, cf->filename,
3274 wtap_file_type_subtype_short_string(out_file_type));
3278 show_capture_file_io_error(save_file, err, FALSE);
3281 wtap_dump_close(pdh, &err);
3291 epan_dissect_free(edt);
3300 if (do_dissection) {
3301 gboolean create_proto_tree;
3303 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3304 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3305 create_proto_tree = TRUE;
3307 create_proto_tree = FALSE;
3309 /* The protocol tree will be "visible", i.e., printed, only if we're
3310 printing packet details, which is true if we're printing stuff
3311 ("print_packet_info" is true) and we're in verbose mode
3312 ("packet_details" is true). */
3313 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3316 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3319 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3320 wtap_buf_ptr(cf->wth),
3322 /* Either there's no read filtering or this packet passed the
3323 filter, so, if we're writing to a capture file, write
3326 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3327 /* Error writing to a capture file */
3330 case WTAP_ERR_UNSUPPORTED_ENCAP:
3332 * This is a problem with the particular frame we're writing
3333 * and the file type and subtype we're writing; note that,
3334 * and report the frame number and file type/subtype.
3337 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3338 framenum, cf->filename,
3339 wtap_file_type_subtype_short_string(out_file_type));
3342 case WTAP_ERR_PACKET_TOO_LARGE:
3344 * This is a problem with the particular frame we're writing
3345 * and the file type and subtype we're writing; note that,
3346 * and report the frame number and file type/subtype.
3349 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3350 framenum, cf->filename,
3351 wtap_file_type_subtype_short_string(out_file_type));
3355 show_capture_file_io_error(save_file, err, FALSE);
3358 wtap_dump_close(pdh, &err);
3364 /* Stop reading if we have the maximum number of packets;
3365 * When the -c option has not been used, max_packet_count
3366 * starts at 0, which practically means, never stop reading.
3367 * (unless we roll over max_packet_count ?)
3369 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3370 err = 0; /* This is not an error */
3376 epan_dissect_free(edt);
3383 * Print a message noting that the read failed somewhere along the line.
3385 * If we're printing packet data, and the standard output and error are
3386 * going to the same place, flush the standard output, so everything
3387 * buffered up is written, and then print a newline to the standard error
3388 * before printing the error message, to separate it from the packet
3389 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3390 * the _fstat() documentation at Microsoft doesn't indicate whether
3391 * st_ino is even supported.)
3394 if (print_packet_info) {
3395 struct stat stat_stdout, stat_stderr;
3397 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3398 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3399 stat_stdout.st_ino == stat_stderr.st_ino) {
3401 fprintf(stderr, "\n");
3408 case WTAP_ERR_UNSUPPORTED:
3409 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3410 cf->filename, err_info);
3414 case WTAP_ERR_UNSUPPORTED_ENCAP:
3415 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3416 cf->filename, err_info);
3420 case WTAP_ERR_CANT_READ:
3421 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3425 case WTAP_ERR_SHORT_READ:
3426 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3430 case WTAP_ERR_BAD_FILE:
3431 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3432 cf->filename, err_info);
3436 case WTAP_ERR_DECOMPRESS:
3437 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3438 "(%s)", cf->filename, err_info);
3442 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3443 cf->filename, wtap_strerror(err));
3446 if (save_file != NULL) {
3447 /* Now close the capture file. */
3448 if (!wtap_dump_close(pdh, &err))
3449 show_capture_file_io_error(save_file, err, TRUE);
3452 if (save_file != NULL) {
3453 /* Now close the capture file. */
3454 if (!wtap_dump_close(pdh, &err))
3455 show_capture_file_io_error(save_file, err, TRUE);
3457 if (print_packet_info) {
3458 if (!write_finale()) {
3460 show_print_file_io_error(err);
3467 wtap_close(cf->wth);
3470 g_free(save_file_string);
3477 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3478 const guchar *pd, guint tap_flags)
3484 /* Count this packet. */
3487 /* If we're not running a display filter and we're not printing any
3488 packet information, we don't need to do a dissection. This means
3489 that all packets can be marked as 'passed'. */
3492 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3494 /* If we're going to print packet information, or we're going to
3495 run a read filter, or we're going to process taps, set up to
3496 do a dissection and do so. */
3498 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3499 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3500 /* Grab any resolved addresses */
3501 host_name_lookup_process();
3503 /* If we're running a filter, prime the epan_dissect_t with that
3506 epan_dissect_prime_dfilter(edt, cf->dfcode);
3508 col_custom_prime_edt(edt, &cf->cinfo);
3510 /* We only need the columns if either
3511 1) some tap needs the columns
3513 2) we're printing packet info but we're *not* verbose; in verbose
3514 mode, we print the protocol tree, not the protocol summary.
3516 3) there is a column mapped as an individual field */
3517 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3522 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3524 if (ref == &fdata) {
3529 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3531 /* Run the filter if we have it. */
3533 passed = dfilter_apply_edt(cf->dfcode, edt);
3537 frame_data_set_after_dissect(&fdata, &cum_bytes);
3539 /* Process this packet. */
3540 if (print_packet_info) {
3541 /* We're printing packet information; print the information for
3543 print_packet(cf, edt);
3545 /* The ANSI C standard does not appear to *require* that a line-buffered
3546 stream be flushed to the host environment whenever a newline is
3547 written, it just says that, on such a stream, characters "are
3548 intended to be transmitted to or from the host environment as a
3549 block when a new-line character is encountered".
3551 The Visual C++ 6.0 C implementation doesn't do what is intended;
3552 even if you set a stream to be line-buffered, it still doesn't
3553 flush the buffer at the end of every line.
3555 So, if the "-l" flag was specified, we flush the standard output
3556 at the end of a packet. This will do the right thing if we're
3557 printing packet summary lines, and, as we print the entire protocol
3558 tree for a single packet without waiting for anything to happen,
3559 it should be as good as line-buffered mode if we're printing
3560 protocol trees. (The whole reason for the "-l" flag in either
3561 tcpdump or TShark is to allow the output of a live capture to
3562 be piped to a program or script and to have that script see the
3563 information for the packet as soon as it's printed, rather than
3564 having to wait until a standard I/O buffer fills up. */
3568 if (ferror(stdout)) {
3569 show_print_file_io_error(errno);
3574 /* this must be set after print_packet() [bug #8160] */
3575 prev_dis_frame = fdata;
3576 prev_dis = &prev_dis_frame;
3579 prev_cap_frame = fdata;
3580 prev_cap = &prev_cap_frame;
3583 epan_dissect_reset(edt);
3584 frame_data_destroy(&fdata);
3590 write_preamble(capture_file *cf)
3592 switch (output_action) {
3595 return print_preamble(print_stream, cf ? cf->filename : NULL, get_ws_vcs_version_info());
3599 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3601 write_psml_preamble(stdout);
3602 return !ferror(stdout);
3605 write_fields_preamble(output_fields, stdout);
3606 return !ferror(stdout);
3609 g_assert_not_reached();
3615 get_line_buf(size_t len)
3617 static char *line_bufp = NULL;
3618 static size_t line_buf_len = 256;
3619 size_t new_line_buf_len;
3621 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3622 new_line_buf_len *= 2)
3624 if (line_bufp == NULL) {
3625 line_buf_len = new_line_buf_len;
3626 line_bufp = (char *)g_malloc(line_buf_len + 1);
3628 if (new_line_buf_len > line_buf_len) {
3629 line_buf_len = new_line_buf_len;
3630 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3637 put_string(char *dest, const char *str, size_t str_len)
3639 memcpy(dest, str, str_len);
3640 dest[str_len] = '\0';
3644 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3648 for (i = str_len; i < str_with_spaces; i++)
3651 put_string(dest, str, str_len);
3655 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3659 memcpy(dest, str, str_len);
3660 for (i = str_len; i < str_with_spaces; i++)
3663 dest[str_with_spaces] = '\0';
3667 print_columns(capture_file *cf)
3675 line_bufp = get_line_buf(256);
3678 for (i = 0; i < cf->cinfo.num_cols; i++) {
3679 /* Skip columns not marked as visible. */
3680 if (!get_column_visible(i))
3682 switch (cf->cinfo.col_fmt[i]) {
3684 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3687 line_bufp = get_line_buf(buf_offset + column_len);
3688 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3694 case COL_ABS_YMD_TIME: /* XXX - wider */
3695 case COL_ABS_YDOY_TIME: /* XXX - wider */
3697 case COL_UTC_YMD_TIME: /* XXX - wider */
3698 case COL_UTC_YDOY_TIME: /* XXX - wider */
3699 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3700 if (column_len < 10)
3702 line_bufp = get_line_buf(buf_offset + column_len);
3703 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3709 case COL_DEF_DL_SRC:
3710 case COL_RES_DL_SRC:
3711 case COL_UNRES_DL_SRC:
3712 case COL_DEF_NET_SRC:
3713 case COL_RES_NET_SRC:
3714 case COL_UNRES_NET_SRC:
3715 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3716 if (column_len < 12)
3718 line_bufp = get_line_buf(buf_offset + column_len);
3719 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3725 case COL_DEF_DL_DST:
3726 case COL_RES_DL_DST:
3727 case COL_UNRES_DL_DST:
3728 case COL_DEF_NET_DST:
3729 case COL_RES_NET_DST:
3730 case COL_UNRES_NET_DST:
3731 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3732 if (column_len < 12)
3734 line_bufp = get_line_buf(buf_offset + column_len);
3735 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3739 column_len = strlen(cf->cinfo.col_data[i]);
3740 line_bufp = get_line_buf(buf_offset + column_len);
3741 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3744 buf_offset += column_len;
3745 if (i != cf->cinfo.num_cols - 1) {
3747 * This isn't the last column, so we need to print a
3748 * separator between this column and the next.
3750 * If we printed a network source and are printing a
3751 * network destination of the same type next, separate
3752 * them with " -> "; if we printed a network destination
3753 * and are printing a network source of the same type
3754 * next, separate them with " <- "; otherwise separate them
3757 * We add enough space to the buffer for " <- " or " -> ",
3758 * even if we're only adding " ".
3760 line_bufp = get_line_buf(buf_offset + 4);
3761 switch (cf->cinfo.col_fmt[i]) {
3766 switch (cf->cinfo.col_fmt[i + 1]) {
3771 put_string(line_bufp + buf_offset, " -> ", 4);
3776 put_string(line_bufp + buf_offset, " ", 1);
3782 case COL_DEF_DL_SRC:
3783 case COL_RES_DL_SRC:
3784 case COL_UNRES_DL_SRC:
3785 switch (cf->cinfo.col_fmt[i + 1]) {
3787 case COL_DEF_DL_DST:
3788 case COL_RES_DL_DST:
3789 case COL_UNRES_DL_DST:
3790 put_string(line_bufp + buf_offset, " -> ", 4);
3795 put_string(line_bufp + buf_offset, " ", 1);
3801 case COL_DEF_NET_SRC:
3802 case COL_RES_NET_SRC:
3803 case COL_UNRES_NET_SRC:
3804 switch (cf->cinfo.col_fmt[i + 1]) {
3806 case COL_DEF_NET_DST:
3807 case COL_RES_NET_DST:
3808 case COL_UNRES_NET_DST:
3809 put_string(line_bufp + buf_offset, " -> ", 4);
3814 put_string(line_bufp + buf_offset, " ", 1);
3823 switch (cf->cinfo.col_fmt[i + 1]) {
3828 put_string(line_bufp + buf_offset, " <- ", 4);
3833 put_string(line_bufp + buf_offset, " ", 1);
3839 case COL_DEF_DL_DST:
3840 case COL_RES_DL_DST:
3841 case COL_UNRES_DL_DST:
3842 switch (cf->cinfo.col_fmt[i + 1]) {
3844 case COL_DEF_DL_SRC:
3845 case COL_RES_DL_SRC:
3846 case COL_UNRES_DL_SRC:
3847 put_string(line_bufp + buf_offset, " <- ", 4);
3852 put_string(line_bufp + buf_offset, " ", 1);
3858 case COL_DEF_NET_DST:
3859 case COL_RES_NET_DST:
3860 case COL_UNRES_NET_DST:
3861 switch (cf->cinfo.col_fmt[i + 1]) {
3863 case COL_DEF_NET_SRC:
3864 case COL_RES_NET_SRC:
3865 case COL_UNRES_NET_SRC:
3866 put_string(line_bufp + buf_offset, " <- ", 4);
3871 put_string(line_bufp + buf_offset, " ", 1);
3878 put_string(line_bufp + buf_offset, " ", 1);
3884 return print_line(print_stream, 0, line_bufp);
3888 print_packet(capture_file *cf, epan_dissect_t *edt)
3890 print_args_t print_args;
3892 if (print_summary || output_fields_has_cols(output_fields)) {
3893 /* Just fill in the columns. */
3894 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3896 if (print_summary) {
3897 /* Now print them. */
3898 switch (output_action) {
3901 if (!print_columns(cf))
3906 proto_tree_write_psml(edt, stdout);
3907 return !ferror(stdout);
3908 case WRITE_FIELDS: /*No non-verbose "fields" format */
3909 g_assert_not_reached();
3914 if (print_details) {
3915 /* Print the information in the protocol tree. */
3916 switch (output_action) {
3919 /* Only initialize the fields that are actually used in proto_tree_print.
3920 * This is particularly important for .range, as that's heap memory which
3921 * we would otherwise have to g_free().
3922 print_args.to_file = TRUE;
3923 print_args.format = print_format;
3924 print_args.print_summary = print_summary;
3925 print_args.print_formfeed = FALSE;
3926 packet_range_init(&print_args.range, &cfile);
3928 print_args.print_hex = print_hex;
3929 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3931 if (!proto_tree_print(&print_args, edt, print_stream))
3934 if (!print_line(print_stream, 0, separator))
3940 proto_tree_write_pdml(edt, stdout);
3942 return !ferror(stdout);
3944 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3946 return !ferror(stdout);
3950 if (print_summary || print_details) {
3951 if (!print_line(print_stream, 0, ""))
3954 if (!print_hex_data(print_stream, edt))
3956 if (!print_line(print_stream, 0, separator))
3965 switch (output_action) {
3968 return print_finale(print_stream);
3972 write_pdml_finale(stdout);
3974 write_psml_finale(stdout);
3975 return !ferror(stdout);
3978 write_fields_finale(output_fields, stdout);
3979 return !ferror(stdout);
3982 g_assert_not_reached();
3988 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
3992 char err_msg[2048+1];
3994 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
3998 /* The open succeeded. Fill in the information for this file. */
4000 /* Create new epan session for dissection. */
4001 epan_free(cf->epan);
4002 cf->epan = tshark_epan_new(cf);
4005 cf->f_datalen = 0; /* not used, but set it anyway */
4007 /* Set the file name because we need it to set the follow stream filter.
4008 XXX - is that still true? We need it for other reasons, though,
4010 cf->filename = g_strdup(fname);
4012 /* Indicate whether it's a permanent or temporary file. */
4013 cf->is_tempfile = is_tempfile;
4015 /* No user changes yet. */
4016 cf->unsaved_changes = FALSE;
4018 cf->cd_t = wtap_file_type_subtype(cf->wth);
4019 cf->open_type = type;
4021 cf->drops_known = FALSE;
4023 cf->snap = wtap_snapshot_length(cf->wth);
4024 if (cf->snap == 0) {
4025 /* Snapshot length not known. */
4026 cf->has_snap = FALSE;
4027 cf->snap = WTAP_MAX_PACKET_SIZE;
4029 cf->has_snap = TRUE;
4030 nstime_set_zero(&cf->elapsed_time);
4035 cf->state = FILE_READ_IN_PROGRESS;
4037 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4038 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4043 g_snprintf(err_msg, sizeof err_msg,
4044 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4045 cmdarg_err("%s", err_msg);
4050 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4052 char *save_file_string;
4054 save_file_string = output_file_description(fname);
4059 cmdarg_err("Not all the packets could be written to the %s because there is "
4060 "no space left on the file system.",
4066 cmdarg_err("Not all the packets could be written to the %s because you are "
4067 "too close to, or over your disk quota.",
4072 case WTAP_ERR_CANT_CLOSE:
4073 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4077 case WTAP_ERR_SHORT_WRITE:
4078 cmdarg_err("Not all the packets could be written to the %s.",
4084 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4085 wtap_strerror(err));
4087 cmdarg_err("An error occurred while writing to the %s: %s.",
4088 save_file_string, wtap_strerror(err));
4092 g_free(save_file_string);
4096 show_print_file_io_error(int err)
4101 cmdarg_err("Not all the packets could be printed because there is "
4102 "no space left on the file system.");
4107 cmdarg_err("Not all the packets could be printed because you are "
4108 "too close to, or over your disk quota.");
4113 cmdarg_err("An error occurred while printing packets: %s.",
4120 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4124 static char errmsg_errno[1024+1];
4127 /* Wiretap error. */
4130 case WTAP_ERR_NOT_REGULAR_FILE:
4131 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4134 case WTAP_ERR_RANDOM_OPEN_PIPE:
4135 /* Seen only when opening a capture file for reading. */
4136 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4139 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4140 /* Seen only when opening a capture file for reading. */
4141 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4144 case WTAP_ERR_UNSUPPORTED:
4145 /* Seen only when opening a capture file for reading. */
4146 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4147 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4150 errmsg = errmsg_errno;
4153 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4154 /* Seen only when opening a capture file for writing. */
4155 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4156 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4157 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4158 errmsg = errmsg_errno;
4161 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4162 /* Seen only when opening a capture file for writing. */
4163 errmsg = "TShark doesn't support writing capture files in that format.";
4166 case WTAP_ERR_UNSUPPORTED_ENCAP:
4168 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4169 "TShark can't save this capture as a \"%s\" file.",
4170 wtap_file_type_subtype_short_string(file_type));
4172 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4173 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4177 errmsg = errmsg_errno;
4180 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4182 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4183 "TShark can't save this capture as a \"%s\" file.",
4184 wtap_file_type_subtype_short_string(file_type));
4185 errmsg = errmsg_errno;
4187 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4190 case WTAP_ERR_BAD_FILE:
4191 /* Seen only when opening a capture file for reading. */
4192 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4193 "The file \"%%s\" appears to be damaged or corrupt.\n"
4196 errmsg = errmsg_errno;
4199 case WTAP_ERR_CANT_OPEN:
4201 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4203 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4206 case WTAP_ERR_SHORT_READ:
4207 errmsg = "The file \"%s\" appears to have been cut short"
4208 " in the middle of a packet or other data.";
4211 case WTAP_ERR_SHORT_WRITE:
4212 errmsg = "A full header couldn't be written to the file \"%s\".";
4215 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4216 errmsg = "This file type cannot be written as a compressed file.";
4219 case WTAP_ERR_DECOMPRESS:
4220 /* Seen only when opening a capture file for reading. */
4221 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4222 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4225 errmsg = errmsg_errno;
4229 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4230 "The file \"%%s\" could not be %s: %s.",
4231 for_writing ? "created" : "opened",
4232 wtap_strerror(err));
4233 errmsg = errmsg_errno;
4237 errmsg = file_open_error_message(err, for_writing);
4242 * Open/create errors are reported with an console message in TShark.
4245 open_failure_message(const char *filename, int err, gboolean for_writing)
4247 fprintf(stderr, "tshark: ");
4248 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4249 fprintf(stderr, "\n");
4254 * General errors are reported with an console message in TShark.
4257 failure_message(const char *msg_format, va_list ap)
4259 fprintf(stderr, "tshark: ");
4260 vfprintf(stderr, msg_format, ap);
4261 fprintf(stderr, "\n");
4265 * Read errors are reported with an console message in TShark.
4268 read_failure_message(const char *filename, int err)
4270 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4271 filename, g_strerror(err));
4275 * Write errors are reported with an console message in TShark.
4278 write_failure_message(const char *filename, int err)
4280 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4281 filename, g_strerror(err));
4285 * Report additional information for an error in command-line arguments.
4288 failure_message_cont(const char *msg_format, va_list ap)
4290 vfprintf(stderr, msg_format, ap);
4291 fprintf(stderr, "\n");
4295 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4300 * indent-tabs-mode: nil
4303 * vi: set shiftwidth=2 tabstop=8 expandtab:
4304 * :indentSize=2:tabSize=8:noTabs=true: