3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
50 #ifdef HAVE_SYS_STAT_H
51 # include <sys/stat.h>
55 #include <zlib.h> /* to get the libz version number */
59 #include "wsutil/wsgetopt.h"
64 #include <epan/exceptions.h>
65 #include <epan/epan-int.h>
66 #include <epan/epan.h>
67 #include <wsutil/crash_info.h>
68 #include <wsutil/privileges.h>
69 #include <wsutil/file_util.h>
70 #include <wsutil/filesystem.h>
71 #include <wsutil/report_err.h>
72 #include <wsutil/copyright_info.h>
73 #include <wsutil/os_version_info.h>
74 #include <wsutil/ws_version_info.h>
77 #include <epan/timestamp.h>
78 #include <epan/packet.h>
80 #include <epan/wslua/init_wslua.h>
83 #include "frame_tvbuff.h"
84 #include <epan/disabled_protos.h>
85 #include <epan/prefs.h>
86 #include <epan/column.h>
87 #include <epan/print.h>
88 #include <epan/addr_resolv.h>
90 #include "ui/ui_util.h"
91 #include "clopts_common.h"
92 #include "cmdarg_err.h"
93 #include "version_info.h"
95 #include <epan/epan_dissect.h>
97 #include <epan/stat_cmd_args.h>
98 #include <epan/timestamp.h>
99 #include <epan/ex-opt.h>
101 #include "capture_opts.h"
104 #include "capture_ui_utils.h"
105 #include <capchild/capture_ifinfo.h>
106 #include "capture-pcap-util.h"
108 #include "capture-wpcap.h"
109 #include <wsutil/unicode-utils.h>
111 #include "capture_session.h"
112 #include <capchild/capture_sync.h>
113 #include "capture_opts.h"
114 #endif /* HAVE_LIBPCAP */
116 #include <epan/funnel.h>
119 #include <wsutil/plugins.h>
123 * This is the template for the decode as option; it is shared between the
124 * various functions that output the usage for this parameter.
126 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
128 static guint32 cum_bytes;
129 static const frame_data *ref;
130 static frame_data ref_frame;
131 static frame_data *prev_dis;
132 static frame_data prev_dis_frame;
133 static frame_data *prev_cap;
134 static frame_data prev_cap_frame;
136 static const char* prev_display_dissector_name = NULL;
138 static gboolean perform_two_pass_analysis;
141 * The way the packet decode is to be written.
144 WRITE_TEXT, /* summary or detail text */
145 WRITE_XML, /* PDML or PSML */
146 WRITE_FIELDS /* User defined list of fields */
147 /* Add CSV and the like here */
150 static output_action_e output_action;
151 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
152 static gboolean print_packet_info; /* TRUE if we're to print packet information */
153 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
154 static gboolean print_details; /* TRUE if we're to print packet details information */
155 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
156 static gboolean line_buffered;
157 static gboolean really_quiet = FALSE;
159 static print_format_e print_format = PR_FMT_TEXT;
160 static print_stream_t *print_stream;
162 static output_fields_t* output_fields = NULL;
164 /* The line separator used between packets, changeable via the -S option */
165 static const char *separator = "";
169 * TRUE if we're to print packet counts to keep track of captured packets.
171 static gboolean print_packet_counts;
173 static capture_options global_capture_opts;
174 static capture_session global_capture_session;
177 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
178 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
181 static gboolean capture(void);
182 static void report_counts(void);
184 static BOOL WINAPI capture_cleanup(DWORD);
186 static void capture_cleanup(int);
188 static void report_counts_siginfo(int);
192 #else /* HAVE_LIBPCAP */
194 static char *output_file_name;
196 #endif /* HAVE_LIBPCAP */
198 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
199 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
200 struct wtap_pkthdr *whdr, const guchar *pd,
202 static void show_capture_file_io_error(const char *, int, gboolean);
203 static void show_print_file_io_error(int err);
204 static gboolean write_preamble(capture_file *cf);
205 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
206 static gboolean write_finale(void);
207 static const char *cf_open_error_message(int err, gchar *err_info,
208 gboolean for_writing, int file_type);
210 static void open_failure_message(const char *filename, int err,
211 gboolean for_writing);
212 static void failure_message(const char *msg_format, va_list ap);
213 static void read_failure_message(const char *filename, int err);
214 static void write_failure_message(const char *filename, int err);
219 const char *sstr; /* The short string */
220 const char *lstr; /* The long string */
224 string_compare(gconstpointer a, gconstpointer b)
226 return strcmp(((const struct string_elem *)a)->sstr,
227 ((const struct string_elem *)b)->sstr);
231 string_elem_print(gpointer data, gpointer not_used _U_)
233 fprintf(stderr, " %s - %s\n",
234 ((struct string_elem *)data)->sstr,
235 ((struct string_elem *)data)->lstr);
239 list_capture_types(void) {
241 struct string_elem *captypes;
244 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
246 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
247 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
248 if (wtap_dump_can_open(i)) {
249 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
250 captypes[i].lstr = wtap_file_type_subtype_string(i);
251 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
254 g_slist_foreach(list, string_elem_print, NULL);
260 list_read_capture_types(void) {
262 struct string_elem *captypes;
264 const char *magic = "Magic-value-based";
265 const char *heuristic = "Heuristics-based";
267 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
268 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
270 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
271 for (i = 0; open_routines[i].name != NULL; i++) {
272 captypes[i].sstr = open_routines[i].name;
273 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
274 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
276 g_slist_foreach(list, string_elem_print, NULL);
282 print_usage(gboolean print_ver)
290 "Dump and analyze network traffic.\n"
291 "See http://www.wireshark.org for more information.\n"
294 get_ws_vcs_version_info(), get_copyright_info());
298 fprintf(output, "\n");
299 fprintf(output, "Usage: tshark [options] ...\n");
300 fprintf(output, "\n");
303 fprintf(output, "Capture interface:\n");
304 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
305 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
306 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
307 fprintf(output, " -p don't capture in promiscuous mode\n");
308 #ifdef HAVE_PCAP_CREATE
309 fprintf(output, " -I capture in monitor mode, if available\n");
311 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
312 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
314 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
315 fprintf(output, " -D print list of interfaces and exit\n");
316 fprintf(output, " -L print list of link-layer types of iface and exit\n");
317 fprintf(output, "\n");
318 fprintf(output, "Capture stop conditions:\n");
319 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
320 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
321 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
322 fprintf(output, " files:NUM - stop after NUM files\n");
323 /*fprintf(output, "\n");*/
324 fprintf(output, "Capture output:\n");
325 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
326 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
327 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
328 #endif /* HAVE_LIBPCAP */
329 #ifdef HAVE_PCAP_REMOTE
330 fprintf(output, "RPCAP options:\n");
331 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
333 /*fprintf(output, "\n");*/
334 fprintf(output, "Input file:\n");
335 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
337 fprintf(output, "\n");
338 fprintf(output, "Processing:\n");
339 fprintf(output, " -2 perform a two-pass analysis\n");
340 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
341 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
342 fprintf(output, " syntax\n");
343 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
344 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
345 fprintf(output, " -d %s ...\n", decode_as_arg_template);
346 fprintf(output, " \"Decode As\", see the man page for details\n");
347 fprintf(output, " Example: tcp.port==8888,http\n");
348 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
349 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
351 /*fprintf(output, "\n");*/
352 fprintf(output, "Output:\n");
353 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
354 fprintf(output, " (or to the standard output for \"-\")\n");
355 fprintf(output, " -C <config profile> start with specified configuration profile\n");
356 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
357 fprintf(output, " an empty \"-F\" option will list the file types\n");
358 fprintf(output, " -V add output of packet tree (Packet Details)\n");
359 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
360 fprintf(output, " separated\n");
361 fprintf(output, " -P print packet summary even when writing to a file\n");
362 fprintf(output, " -S <separator> the line separator to print between packets\n");
363 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
364 fprintf(output, " -T pdml|ps|psml|text|fields\n");
365 fprintf(output, " format of text output (def: text)\n");
366 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
367 fprintf(output, " _ws.col.Info)\n");
368 fprintf(output, " this option can be repeated to print multiple fields\n");
369 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
370 fprintf(output, " header=y|n switch headers on and off\n");
371 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
372 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
373 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
374 fprintf(output, " aggregator\n");
375 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
376 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
377 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
378 fprintf(output, " -l flush standard output after each packet\n");
379 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
380 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
381 fprintf(output, " -g enable group read access on the output file(s)\n");
382 fprintf(output, " -W n Save extra information in the file, if supported.\n");
383 fprintf(output, " n = write network address resolution information\n");
384 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
385 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
386 fprintf(output, " --capture-comment <comment>\n");
387 fprintf(output, " add a capture comment to the newly created\n");
388 fprintf(output, " output file (only for pcapng)\n");
390 fprintf(output, "\n");
391 fprintf(output, "Miscellaneous:\n");
392 fprintf(output, " -h display this help and exit\n");
393 fprintf(output, " -v display version info and exit\n");
394 fprintf(output, " -o <name>:<value> ... override preference setting\n");
395 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
396 fprintf(output, " -G [report] dump one of several available reports and exit\n");
397 fprintf(output, " default report=\"fields\"\n");
398 fprintf(output, " use \"-G ?\" for more help\n");
400 fprintf(output, "\n");
401 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
402 fprintf(output, "You might want to reset it\n");
403 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
404 fprintf(output, "\n");
410 glossary_option_help(void)
416 fprintf(output, "TShark %s\n", get_ws_vcs_version_info());
418 fprintf(output, "\n");
419 fprintf(output, "Usage: tshark -G [report]\n");
420 fprintf(output, "\n");
421 fprintf(output, "Glossary table reports:\n");
422 fprintf(output, " -G column-formats dump column format codes and exit\n");
423 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
424 fprintf(output, " -G fields dump fields glossary and exit\n");
425 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
426 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
427 fprintf(output, " -G plugins dump installed plugins and exit\n");
428 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
429 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
430 fprintf(output, "\n");
431 fprintf(output, "Preference reports:\n");
432 fprintf(output, " -G currentprefs dump current preferences and exit\n");
433 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
434 fprintf(output, "\n");
438 * For a dissector table, print on the stream described by output,
439 * its short name (which is what's used in the "-d" option) and its
443 display_dissector_table_names(const char *table_name, const char *ui_name,
446 if ((prev_display_dissector_name == NULL) ||
447 (strcmp(prev_display_dissector_name, table_name) != 0)) {
448 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
449 prev_display_dissector_name = table_name;
454 * For a dissector handle, print on the stream described by output,
455 * the filter name (which is what's used in the "-d" option) and the full
456 * name for the protocol that corresponds to this handle.
459 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
462 const gchar *proto_filter_name;
463 const gchar *proto_ui_name;
465 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
467 if (proto_id != -1) {
468 proto_filter_name = proto_get_protocol_filter_name(proto_id);
469 proto_ui_name = proto_get_protocol_name(proto_id);
470 g_assert(proto_filter_name != NULL);
471 g_assert(proto_ui_name != NULL);
473 if ((prev_display_dissector_name == NULL) ||
474 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
475 fprintf((FILE *)output, "\t%s (%s)\n",
478 prev_display_dissector_name = proto_filter_name;
484 * The protocol_name_search structure is used by find_protocol_name_func()
485 * to pass parameters and store results
487 struct protocol_name_search{
488 gchar *searched_name; /* Protocol filter name we are looking for */
489 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
490 guint nb_match; /* How many dissectors matched searched_name */
492 typedef struct protocol_name_search *protocol_name_search_t;
495 * This function parses all dissectors associated with a table to find the
496 * one whose protocol has the specified filter name. It is called
497 * as a reference function in a call to dissector_table_foreach_handle.
498 * The name we are looking for, as well as the results, are stored in the
499 * protocol_name_search struct pointed to by user_data.
500 * If called using dissector_table_foreach_handle, we actually parse the
501 * whole list of dissectors.
504 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
508 const gchar *protocol_filter_name;
509 protocol_name_search_t search_info;
513 search_info = (protocol_name_search_t)user_data;
515 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
516 if (proto_id != -1) {
517 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
518 g_assert(protocol_filter_name != NULL);
519 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
521 if (search_info->nb_match == 0) {
522 /* Record this handle only if this is the first match */
523 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
525 search_info->nb_match++;
531 * Allow dissector key names to be sorted alphabetically
535 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
537 return strcmp((const char*)dissector_a, (const char*)dissector_b);
541 * Print all layer type names supported.
542 * We send the output to the stream described by the handle output.
546 fprint_all_layer_types(FILE *output)
549 prev_display_dissector_name = NULL;
550 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
554 * Print all protocol names supported for a specific layer type.
555 * table_name contains the layer type name in which the search is performed.
556 * We send the output to the stream described by the handle output.
560 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
563 prev_display_dissector_name = NULL;
564 dissector_table_foreach_handle(table_name,
565 display_dissector_names,
570 * The function below parses the command-line parameters for the decode as
571 * feature (a string pointer by cl_param).
572 * It checks the format of the command-line, searches for a matching table
573 * and dissector. If a table/dissector match is not found, we display a
574 * summary of the available tables/dissectors (on stderr) and return FALSE.
575 * If everything is fine, we get the "Decode as" preference activated,
576 * then we return TRUE.
579 add_decode_as(const gchar *cl_param)
582 guint32 selector, selector2;
583 gchar *decoded_param;
584 gchar *remaining_param;
586 gchar *dissector_str;
587 dissector_handle_t dissector_matching;
588 dissector_table_t table_matching;
589 ftenum_t dissector_table_selector_type;
590 struct protocol_name_search user_protocol_name;
594 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
597 decoded_param = g_strdup(cl_param);
598 g_assert(decoded_param);
601 /* The lines below will parse this string (modifying it) to extract all
602 necessary information. Note that decoded_param is still needed since
603 strings are not copied - we just save pointers. */
605 /* This section extracts a layer type (table_name) from decoded_param */
606 table_name = decoded_param; /* Layer type string starts from beginning */
608 remaining_param = strchr(table_name, '=');
609 if (remaining_param == NULL) {
610 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
611 /* If the argument does not follow the template, carry on anyway to check
612 if the table name is at least correct. If remaining_param is NULL,
613 we'll exit anyway further down */
616 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
619 /* Remove leading and trailing spaces from the table name */
620 while ( table_name[0] == ' ' )
622 while ( table_name[strlen(table_name) - 1] == ' ' )
623 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
625 /* The following part searches a table matching with the layer type specified */
626 table_matching = NULL;
628 /* Look for the requested table */
629 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
630 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
633 table_matching = find_dissector_table(table_name);
634 if (!table_matching) {
635 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
639 if (!table_matching) {
640 /* Display a list of supported layer types to help the user, if the
641 specified layer type was not found */
642 cmdarg_err("Valid layer types are:");
643 fprint_all_layer_types(stderr);
645 if (remaining_param == NULL || !table_matching) {
646 /* Exit if the layer type was not found, or if no '=' separator was found
648 g_free(decoded_param);
652 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
653 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
656 remaining_param++; /* Move to the second '=' */
657 *remaining_param = '\0'; /* Remove the second '=' */
659 remaining_param++; /* Position after the layer type string */
661 /* This section extracts a selector value (selector_str) from decoded_param */
663 selector_str = remaining_param; /* Next part starts with the selector number */
665 remaining_param = strchr(selector_str, ',');
666 if (remaining_param == NULL) {
667 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
668 /* If the argument does not follow the template, carry on anyway to check
669 if the selector value is at least correct. If remaining_param is NULL,
670 we'll exit anyway further down */
673 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
676 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
678 switch (dissector_table_selector_type) {
684 /* The selector for this table is an unsigned number. Parse it as such.
685 There's no need to remove leading and trailing spaces from the
686 selector number string, because sscanf will do that for us. */
687 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
692 if (op != ':' && op != '-') {
693 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
694 g_free(decoded_param);
698 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
699 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
700 g_free(decoded_param);
704 else if (selector2 < selector) {
705 /* We could swap them for the user, but maybe it's better to call
706 * this out as an error in case it's not what was intended? */
707 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
708 g_free(decoded_param);
713 cmdarg_err("Invalid selector number \"%s\"", selector_str);
714 g_free(decoded_param);
723 /* The selector for this table is a string. */
727 /* There are currently no dissector tables with any types other
728 than the ones listed above. */
729 g_assert_not_reached();
732 if (remaining_param == NULL) {
733 /* Exit if no ',' separator was found (see above) */
734 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
735 fprint_all_protocols_for_layer_types(stderr, table_name);
736 g_free(decoded_param);
740 remaining_param++; /* Position after the selector number string */
742 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
744 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
746 /* Remove leading and trailing spaces from the dissector name */
747 while ( dissector_str[0] == ' ' )
749 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
750 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
752 dissector_matching = NULL;
754 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
755 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
756 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
759 user_protocol_name.nb_match = 0;
760 user_protocol_name.searched_name = dissector_str;
761 user_protocol_name.matched_handle = NULL;
763 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
765 if (user_protocol_name.nb_match != 0) {
766 dissector_matching = user_protocol_name.matched_handle;
767 if (user_protocol_name.nb_match > 1) {
768 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
772 /* OK, check whether the problem is that there isn't any such
773 protocol, or that there is but it's not specified as a protocol
774 that's valid for that dissector table.
775 Note, we don't exit here, but dissector_matching will remain NULL,
777 if (proto_get_id_by_filter_name(dissector_str) == -1) {
778 /* No such protocol */
779 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
781 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
782 dissector_str, table_name);
787 if (!dissector_matching) {
788 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
789 fprint_all_protocols_for_layer_types(stderr, table_name);
790 g_free(decoded_param);
794 /* This is the end of the code that parses the command-line options.
795 All information is now stored in the variables:
799 The above variables that are strings are still pointing to areas within
800 decoded_parm. decoded_parm thus still needs to be kept allocated in
801 until we stop needing these variables
802 decoded_param will be deallocated at each exit point of this function */
805 /* We now have a pointer to the handle for the requested dissector
806 (requested protocol) inside the variable dissector_matching */
807 switch (dissector_table_selector_type) {
813 /* The selector for this table is an unsigned number. */
815 dissector_change_uint(table_name, selector, dissector_matching);
816 } else if (op == ':') {
817 for (i = selector; i < (guint64)selector + selector2; i++) {
818 dissector_change_uint(table_name, (guint32)i, dissector_matching);
820 } else { /* op == '-' */
821 for (i = selector; i <= selector2; i++) {
822 dissector_change_uint(table_name, (guint32)i, dissector_matching);
831 /* The selector for this table is a string. */
832 dissector_change_string(table_name, selector_str, dissector_matching);
836 /* There are currently no dissector tables with any types other
837 than the ones listed above. */
838 g_assert_not_reached();
840 g_free(decoded_param); /* "Decode As" rule has been successfully added */
845 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
846 const gchar *message, gpointer user_data)
848 /* ignore log message, if log_level isn't interesting based
849 upon the console log preferences.
850 If the preferences haven't been loaded loaded yet, display the
853 The default console_log_level preference value is such that only
854 ERROR, CRITICAL and WARNING level messages are processed;
855 MESSAGE, INFO and DEBUG level messages are ignored.
857 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
858 ERROR and CRITICAL level messages so the current code is a behavioral
859 change. The current behavior is the same as in Wireshark.
861 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
862 prefs.console_log_level != 0) {
866 g_log_default_handler(log_domain, log_level, message, user_data);
871 output_file_description(const char *fname)
873 char *save_file_string;
875 /* Get a string that describes what we're writing to */
876 if (strcmp(fname, "-") == 0) {
877 /* We're writing to the standard output */
878 save_file_string = g_strdup("standard output");
880 /* We're writing to a file with the name in save_file */
881 save_file_string = g_strdup_printf("file \"%s\"", fname);
883 return save_file_string;
887 print_current_user(void) {
888 gchar *cur_user, *cur_group;
890 if (started_with_special_privs()) {
891 cur_user = get_cur_username();
892 cur_group = get_cur_groupname();
893 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
894 cur_user, cur_group);
897 if (running_with_special_privs()) {
898 fprintf(stderr, " This could be dangerous.");
900 fprintf(stderr, "\n");
905 show_version(GString *comp_info_str, GString *runtime_info_str)
914 get_ws_vcs_version_info(), get_copyright_info(), comp_info_str->str,
915 runtime_info_str->str);
919 get_tshark_runtime_info(GString *str)
923 g_string_append(str, ", ");
924 get_runtime_pcap_version(str);
928 #if defined(HAVE_LIBZ) && !defined(_WIN32)
929 g_string_append_printf(str, ", with libz %s", zlibVersion());
932 /* stuff used by libwireshark */
933 epan_get_runtime_version_info(str);
937 main(int argc, char *argv[])
939 GString *comp_info_str;
940 GString *runtime_info_str;
941 char *init_progfile_dir_error;
943 static const struct option long_options[] = {
944 {(char *)"help", no_argument, NULL, 'h'},
945 {(char *)"version", no_argument, NULL, 'v'},
946 LONGOPT_CAPTURE_COMMON
949 gboolean arg_error = FALSE;
955 char *gpf_path, *pf_path;
956 char *gdp_path, *dp_path;
957 int gpf_open_errno, gpf_read_errno;
958 int pf_open_errno, pf_read_errno;
959 int gdp_open_errno, gdp_read_errno;
960 int dp_open_errno, dp_read_errno;
962 volatile int exit_status = 0;
964 gboolean list_link_layer_types = FALSE;
965 gboolean start_capture = FALSE;
970 gboolean capture_option_specified = FALSE;
972 gboolean quiet = FALSE;
973 #ifdef PCAP_NG_DEFAULT
974 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
976 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
978 volatile gboolean out_file_name_res = FALSE;
979 volatile int in_file_type = WTAP_TYPE_AUTO;
980 gchar *volatile cf_name = NULL;
981 gchar *rfilter = NULL;
982 gchar *dfilter = NULL;
983 #ifdef HAVE_PCAP_OPEN_DEAD
984 struct bpf_program fcode;
986 dfilter_t *rfcode = NULL;
987 dfilter_t *dfcode = NULL;
992 gchar *output_only = NULL;
994 /* the leading - ensures that getopt() does not permute the argv[] entries
995 we have to make sure that the first getopt() preserves the content of argv[]
996 for the subsequent getopt_long() call */
997 #define OPTSTRING "-2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
999 static const char optstring[] = OPTSTRING;
1002 /* Load wpcap if possible. Do this before collecting the run-time version information */
1005 /* Warn the user if npf.sys isn't loaded. */
1006 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1007 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1008 "capturing or\nlisting interfaces.\n");
1012 /* Assemble the compile-time version information string */
1013 comp_info_str = g_string_new("Compiled ");
1014 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1016 /* Assemble the run-time version information string */
1017 runtime_info_str = g_string_new("Running ");
1018 get_runtime_version_info(runtime_info_str, get_tshark_runtime_info);
1020 /* Add it to the information to be reported on a crash. */
1021 ws_add_crash_info("TShark %s\n"
1026 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1029 arg_list_utf_16to8(argc, argv);
1030 create_app_running_mutex();
1031 #if !GLIB_CHECK_VERSION(2,31,0)
1032 g_thread_init(NULL);
1037 * Get credential information for later use.
1039 init_process_policies();
1042 * Attempt to get the pathname of the executable file.
1044 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1045 if (init_progfile_dir_error != NULL) {
1046 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1047 init_progfile_dir_error);
1051 * In order to have the -X opts assigned before the wslua machine starts
1052 * we need to call getopts before epan_init() gets called.
1055 optind_initial = optind;
1057 while ((opt = getopt(argc, argv, optstring)) != -1) {
1059 case 'C': /* Configuration Profile */
1060 if (profile_exists (optarg, FALSE)) {
1061 set_profile_name (optarg);
1063 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1067 case 'P': /* Print packet summary info even when writing to a file */
1068 print_packet_info = TRUE;
1069 print_summary = TRUE;
1071 case 'O': /* Only output these protocols */
1072 output_only = g_strdup(optarg);
1074 case 'V': /* Verbose */
1075 print_details = TRUE;
1076 print_packet_info = TRUE;
1078 case 'x': /* Print packet data in hex (and ASCII) */
1080 /* The user asked for hex output, so let's ensure they get it,
1081 * even if they're writing to a file.
1083 print_packet_info = TRUE;
1094 * Print packet summary information is the default, unless either -V or -x
1095 * were specified and -P was not. Note that this is new behavior, which
1096 * allows for the possibility of printing only hex/ascii output without
1097 * necessarily requiring that either the summary or details be printed too.
1099 if (print_summary == -1)
1100 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1102 optind = optind_initial;
1107 /** Send All g_log messages to our own handler **/
1111 G_LOG_LEVEL_CRITICAL|
1112 G_LOG_LEVEL_WARNING|
1113 G_LOG_LEVEL_MESSAGE|
1116 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1118 g_log_set_handler(NULL,
1119 (GLogLevelFlags)log_flags,
1120 tshark_log_handler, NULL /* user_data */);
1121 g_log_set_handler(LOG_DOMAIN_MAIN,
1122 (GLogLevelFlags)log_flags,
1123 tshark_log_handler, NULL /* user_data */);
1126 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1127 (GLogLevelFlags)log_flags,
1128 tshark_log_handler, NULL /* user_data */);
1129 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1130 (GLogLevelFlags)log_flags,
1131 tshark_log_handler, NULL /* user_data */);
1134 initialize_funnel_ops();
1136 init_report_err(failure_message, open_failure_message, read_failure_message,
1137 write_failure_message);
1140 capture_opts_init(&global_capture_opts);
1141 capture_session_init(&global_capture_session, (void *)&cfile);
1144 timestamp_set_type(TS_RELATIVE);
1145 timestamp_set_precision(TS_PREC_AUTO);
1146 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1148 init_open_routines();
1151 /* Register all the plugin types we have. */
1152 epan_register_plugin_types(); /* Types known to libwireshark */
1153 wtap_register_plugin_types(); /* Types known to libwiretap */
1155 /* Scan for plugins. This does *not* call their registration routines;
1156 that's done later. */
1159 /* Register all libwiretap plugin modules. */
1160 register_all_wiretap_modules();
1163 /* Register all dissectors; we must do this before checking for the
1164 "-G" flag, as the "-G" flag dumps information registered by the
1165 dissectors, and we must do it before we read the preferences, in
1166 case any dissectors register preferences. */
1167 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1169 /* Register all tap listeners; we do this before we parse the arguments,
1170 as the "-z" argument can specify a registered tap. */
1172 /* we register the plugin taps before the other taps because
1173 stats_tree taps plugins will be registered as tap listeners
1174 by stats_tree_stat.c and need to registered before that */
1176 register_all_plugin_tap_listeners();
1178 register_all_tap_listeners();
1180 /* If invoked with the "-G" flag, we dump out information based on
1181 the argument to the "-G" flag; if no argument is specified,
1182 for backwards compatibility we dump out a glossary of display
1185 XXX - we do this here, for now, to support "-G" with no arguments.
1186 If none of our build or other processes uses "-G" with no arguments,
1187 we can just process it with the other arguments. */
1188 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1189 proto_initialize_all_prefixes();
1192 proto_registrar_dump_fields();
1194 if (strcmp(argv[2], "column-formats") == 0)
1195 column_dump_column_formats();
1196 else if (strcmp(argv[2], "currentprefs") == 0) {
1197 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1198 &pf_open_errno, &pf_read_errno, &pf_path);
1201 else if (strcmp(argv[2], "decodes") == 0)
1202 dissector_dump_decodes();
1203 else if (strcmp(argv[2], "defaultprefs") == 0)
1205 else if (strcmp(argv[2], "fields") == 0)
1206 proto_registrar_dump_fields();
1207 else if (strcmp(argv[2], "ftypes") == 0)
1208 proto_registrar_dump_ftypes();
1209 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1210 dissector_dump_heur_decodes();
1211 else if (strcmp(argv[2], "plugins") == 0) {
1216 wslua_plugins_dump_all();
1219 else if (strcmp(argv[2], "protocols") == 0)
1220 proto_registrar_dump_protocols();
1221 else if (strcmp(argv[2], "values") == 0)
1222 proto_registrar_dump_values();
1223 else if (strcmp(argv[2], "?") == 0)
1224 glossary_option_help();
1225 else if (strcmp(argv[2], "-?") == 0)
1226 glossary_option_help();
1228 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1235 /* Set the C-language locale to the native environment. */
1236 setlocale(LC_ALL, "");
1238 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1239 &pf_open_errno, &pf_read_errno, &pf_path);
1240 if (gpf_path != NULL) {
1241 if (gpf_open_errno != 0) {
1242 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1243 pf_path, g_strerror(gpf_open_errno));
1245 if (gpf_read_errno != 0) {
1246 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1247 pf_path, g_strerror(gpf_read_errno));
1250 if (pf_path != NULL) {
1251 if (pf_open_errno != 0) {
1252 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1253 g_strerror(pf_open_errno));
1255 if (pf_read_errno != 0) {
1256 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1257 pf_path, g_strerror(pf_read_errno));
1263 /* Read the disabled protocols file. */
1264 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1265 &dp_path, &dp_open_errno, &dp_read_errno);
1266 if (gdp_path != NULL) {
1267 if (gdp_open_errno != 0) {
1268 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1269 gdp_path, g_strerror(gdp_open_errno));
1271 if (gdp_read_errno != 0) {
1272 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1273 gdp_path, g_strerror(gdp_read_errno));
1277 if (dp_path != NULL) {
1278 if (dp_open_errno != 0) {
1280 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1281 g_strerror(dp_open_errno));
1283 if (dp_read_errno != 0) {
1285 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1286 g_strerror(dp_read_errno));
1291 cap_file_init(&cfile);
1293 /* Print format defaults to this. */
1294 print_format = PR_FMT_TEXT;
1296 output_fields = output_fields_new();
1298 /* Now get our args */
1299 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1301 case '2': /* Perform two pass analysis */
1302 perform_two_pass_analysis = TRUE;
1304 case 'a': /* autostop criteria */
1305 case 'b': /* Ringbuffer option */
1306 case 'c': /* Capture x packets */
1307 case 'f': /* capture filter */
1308 case 'g': /* enable group read access on file(s) */
1309 case 'i': /* Use interface x */
1310 case 'p': /* Don't capture in promiscuous mode */
1311 #ifdef HAVE_PCAP_REMOTE
1312 case 'A': /* Authentication */
1314 #ifdef HAVE_PCAP_CREATE
1315 case 'I': /* Capture in monitor mode, if available */
1317 case 's': /* Set the snapshot (capture) length */
1318 case 'w': /* Write to capture file x */
1319 case 'y': /* Set the pcap data link type */
1320 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1321 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1322 case 'B': /* Buffer size */
1323 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1325 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1332 * Output file name, if we're reading a file and writing to another
1335 output_file_name = optarg;
1337 capture_option_specified = TRUE;
1343 /* Configuration profile settings were already processed just ignore them this time*/
1345 case 'd': /* Decode as rule */
1346 if (!add_decode_as(optarg))
1349 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1350 case 'K': /* Kerberos keytab file */
1351 read_keytab_file(optarg);
1354 case 'D': /* Print a list of capture devices and exit */
1356 if_list = capture_interface_list(&err, &err_str,NULL);
1357 if (if_list == NULL) {
1359 case CANT_GET_INTERFACE_LIST:
1360 case DONT_HAVE_PCAP:
1361 cmdarg_err("%s", err_str);
1365 case NO_INTERFACES_FOUND:
1366 cmdarg_err("There are no interfaces on which a capture can be done");
1371 capture_opts_print_interfaces(if_list);
1372 free_interface_list(if_list);
1375 capture_option_specified = TRUE;
1381 output_fields_add(output_fields, optarg);
1385 if (!output_fields_set_option(output_fields, optarg)) {
1386 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1387 output_fields_list_options(stderr);
1392 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1393 if (out_file_type < 0) {
1394 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1395 list_capture_types();
1399 case 'W': /* Select extra information to save in our capture file */
1400 /* This is patterned after the -N flag which may not be the best idea. */
1401 if (strchr(optarg, 'n')) {
1402 out_file_name_res = TRUE;
1404 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1405 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1409 case 'H': /* Read address to name mappings from a hosts file */
1410 if (! add_hosts_file(optarg))
1412 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1415 out_file_name_res = TRUE;
1418 case 'h': /* Print help and exit */
1422 case 'l': /* "Line-buffer" standard output */
1423 /* This isn't line-buffering, strictly speaking, it's just
1424 flushing the standard output after the information for
1425 each packet is printed; however, that should be good
1426 enough for all the purposes to which "-l" is put (and
1427 is probably actually better for "-V", as it does fewer
1430 See the comment in "process_packet()" for an explanation of
1431 why we do that, and why we don't just use "setvbuf()" to
1432 make the standard output line-buffered (short version: in
1433 Windows, "line-buffered" is the same as "fully-buffered",
1434 and the output buffer is only flushed when it fills up). */
1435 line_buffered = TRUE;
1437 case 'L': /* Print list of link-layer types and exit */
1439 list_link_layer_types = TRUE;
1441 capture_option_specified = TRUE;
1445 case 'n': /* No name resolution */
1446 gbl_resolv_flags.mac_name = FALSE;
1447 gbl_resolv_flags.network_name = FALSE;
1448 gbl_resolv_flags.transport_name = FALSE;
1449 gbl_resolv_flags.concurrent_dns = FALSE;
1451 case 'N': /* Select what types of addresses/port #s to resolve */
1452 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1453 if (badopt != '\0') {
1454 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1456 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1457 "\t'm' to enable MAC address resolution\n"
1458 "\t'n' to enable network address resolution\n"
1459 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1460 "\t for network address resolution\n"
1461 "\t't' to enable transport-layer port number resolution");
1465 case 'o': /* Override preference from command line */
1466 switch (prefs_set_pref(optarg)) {
1471 case PREFS_SET_SYNTAX_ERR:
1472 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1476 case PREFS_SET_NO_SUCH_PREF:
1477 case PREFS_SET_OBSOLETE:
1478 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1483 case 'q': /* Quiet */
1486 case 'Q': /* Really quiet */
1488 really_quiet = TRUE;
1490 case 'r': /* Read capture file x */
1491 cf_name = g_strdup(optarg);
1493 case 'R': /* Read file filter */
1497 /* already processed; just ignore it now */
1499 case 'S': /* Set the line Separator to be printed between packets */
1502 case 't': /* Time stamp type */
1503 if (strcmp(optarg, "r") == 0)
1504 timestamp_set_type(TS_RELATIVE);
1505 else if (strcmp(optarg, "a") == 0)
1506 timestamp_set_type(TS_ABSOLUTE);
1507 else if (strcmp(optarg, "ad") == 0)
1508 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1509 else if (strcmp(optarg, "adoy") == 0)
1510 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1511 else if (strcmp(optarg, "d") == 0)
1512 timestamp_set_type(TS_DELTA);
1513 else if (strcmp(optarg, "dd") == 0)
1514 timestamp_set_type(TS_DELTA_DIS);
1515 else if (strcmp(optarg, "e") == 0)
1516 timestamp_set_type(TS_EPOCH);
1517 else if (strcmp(optarg, "u") == 0)
1518 timestamp_set_type(TS_UTC);
1519 else if (strcmp(optarg, "ud") == 0)
1520 timestamp_set_type(TS_UTC_WITH_YMD);
1521 else if (strcmp(optarg, "udoy") == 0)
1522 timestamp_set_type(TS_UTC_WITH_YDOY);
1524 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1525 cmdarg_err_cont("\t\"a\" for absolute\n"
1526 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1527 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1528 "\t\"d\" for delta\n"
1529 "\t\"dd\" for delta displayed\n"
1530 "\t\"e\" for epoch\n"
1531 "\t\"r\" for relative\n"
1532 "\t\"u\" for absolute UTC\n"
1533 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1534 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1538 case 'T': /* printing Type */
1539 print_packet_info = TRUE;
1540 if (strcmp(optarg, "text") == 0) {
1541 output_action = WRITE_TEXT;
1542 print_format = PR_FMT_TEXT;
1543 } else if (strcmp(optarg, "ps") == 0) {
1544 output_action = WRITE_TEXT;
1545 print_format = PR_FMT_PS;
1546 } else if (strcmp(optarg, "pdml") == 0) {
1547 output_action = WRITE_XML;
1548 print_details = TRUE; /* Need details */
1549 print_summary = FALSE; /* Don't allow summary */
1550 } else if (strcmp(optarg, "psml") == 0) {
1551 output_action = WRITE_XML;
1552 print_details = FALSE; /* Don't allow details */
1553 print_summary = TRUE; /* Need summary */
1554 } else if (strcmp(optarg, "fields") == 0) {
1555 output_action = WRITE_FIELDS;
1556 print_details = TRUE; /* Need full tree info */
1557 print_summary = FALSE; /* Don't allow summary */
1559 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1560 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1561 "\t specified by the -E option.\n"
1562 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1563 "\t details of a decoded packet. This information is equivalent to\n"
1564 "\t the packet details printed with the -V flag.\n"
1565 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1566 "\t the packets, or a multi-line view of the details of each of\n"
1567 "\t the packets, depending on whether the -V flag was specified.\n"
1568 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1569 "\t summary information of a decoded packet. This information is\n"
1570 "\t equivalent to the information shown in the one-line summary\n"
1571 "\t printed by default.\n"
1572 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1573 "\t packets, or a multi-line view of the details of each of the\n"
1574 "\t packets, depending on whether the -V flag was specified.\n"
1575 "\t This is the default.");
1579 case 'u': /* Seconds type */
1580 if (strcmp(optarg, "s") == 0)
1581 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1582 else if (strcmp(optarg, "hms") == 0)
1583 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1585 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1586 cmdarg_err_cont("\t\"s\" for seconds\n"
1587 "\t\"hms\" for hours, minutes and seconds");
1591 case 'v': /* Show version and exit */
1593 show_version(comp_info_str, runtime_info_str);
1594 g_string_free(comp_info_str, TRUE);
1595 g_string_free(runtime_info_str, TRUE);
1596 /* We don't really have to cleanup here, but it's a convenient way to test
1597 * start-up and shut-down of the epan library without any UI-specific
1598 * cruft getting in the way. Makes the results of running
1599 * $ ./tools/valgrind-wireshark -n
1600 * much more useful. */
1604 case 'O': /* Only output these protocols */
1605 /* already processed; just ignore it now */
1607 case 'V': /* Verbose */
1608 /* already processed; just ignore it now */
1610 case 'x': /* Print packet data in hex (and ASCII) */
1611 /* already processed; just ignore it now */
1619 /* We won't call the init function for the stat this soon
1620 as it would disallow MATE's fields (which are registered
1621 by the preferences set callback) from being used as
1622 part of a tap filter. Instead, we just add the argument
1623 to a list of stat arguments. */
1624 if (!process_stat_cmd_arg(optarg)) {
1625 if (strcmp("help", optarg)==0) {
1626 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1627 list_stat_cmd_args();
1630 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1631 list_stat_cmd_args();
1636 case '?': /* Bad flag - print usage message */
1639 list_capture_types();
1649 /* If we specified output fields, but not the output field type... */
1650 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1651 cmdarg_err("Output fields were specified with \"-e\", "
1652 "but \"-Tfields\" was not specified.");
1654 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1655 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1656 "specified with \"-e\".");
1661 /* If no capture filter or display filter has been specified, and there are
1662 still command-line arguments, treat them as the tokens of a capture
1663 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1664 flag was specified. */
1665 if (optind < argc) {
1666 if (cf_name != NULL) {
1667 if (dfilter != NULL) {
1668 cmdarg_err("Display filters were specified both with \"-d\" "
1669 "and with additional command-line arguments.");
1672 dfilter = get_args_as_string(argc, argv, optind);
1677 if (global_capture_opts.default_options.cfilter) {
1678 cmdarg_err("A default capture filter was specified both with \"-f\""
1679 " and with additional command-line arguments.");
1682 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1683 interface_options interface_opts;
1684 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1685 if (interface_opts.cfilter == NULL) {
1686 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1687 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1688 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1690 cmdarg_err("A capture filter was specified both with \"-f\""
1691 " and with additional command-line arguments.");
1695 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1697 capture_option_specified = TRUE;
1703 if (!global_capture_opts.saving_to_file) {
1704 /* We're not saving the capture to a file; if "-q" wasn't specified,
1705 we should print packet information */
1707 print_packet_info = TRUE;
1709 /* We're saving to a file; if we're writing to the standard output.
1710 and we'll also be writing dissected packets to the standard
1711 output, reject the request. At best, we could redirect that
1712 to the standard error; we *can't* write both to the standard
1713 output and have either of them be useful. */
1714 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1715 cmdarg_err("You can't write both raw packet data and dissected packets"
1716 " to the standard output.");
1721 /* We're not saving the capture to a file; if "-q" wasn't specified,
1722 we should print packet information */
1724 print_packet_info = TRUE;
1727 #ifndef HAVE_LIBPCAP
1728 if (capture_option_specified)
1729 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1737 if (output_action != WRITE_TEXT) {
1738 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1743 if (output_only != NULL) {
1746 if (!print_details) {
1747 cmdarg_err("-O requires -V");
1751 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1752 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1753 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1757 if (rfilter != NULL && !perform_two_pass_analysis) {
1758 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1763 if (list_link_layer_types) {
1764 /* We're supposed to list the link-layer types for an interface;
1765 did the user also specify a capture file to be read? */
1767 /* Yes - that's bogus. */
1768 cmdarg_err("You can't specify -L and a capture file to be read.");
1771 /* No - did they specify a ring buffer option? */
1772 if (global_capture_opts.multi_files_on) {
1773 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1779 * "-r" was specified, so we're reading a capture file.
1780 * Capture options don't apply here.
1783 /* We don't support capture filters when reading from a capture file
1784 (the BPF compiler doesn't support all link-layer types that we
1785 support in capture files we read). */
1786 if (global_capture_opts.default_options.cfilter) {
1787 cmdarg_err("Only read filters, not capture filters, "
1788 "can be specified when reading a capture file.");
1791 if (global_capture_opts.multi_files_on) {
1792 cmdarg_err("Multiple capture files requested, but "
1793 "a capture isn't being done.");
1796 if (global_capture_opts.has_file_duration) {
1797 cmdarg_err("Switching capture files after a time interval was specified, but "
1798 "a capture isn't being done.");
1801 if (global_capture_opts.has_ring_num_files) {
1802 cmdarg_err("A ring buffer of capture files was specified, but "
1803 "a capture isn't being done.");
1806 if (global_capture_opts.has_autostop_files) {
1807 cmdarg_err("A maximum number of capture files was specified, but "
1808 "a capture isn't being done.");
1811 if (global_capture_opts.capture_comment) {
1812 cmdarg_err("A capture comment was specified, but "
1813 "a capture isn't being done.\nThere's no support for adding "
1814 "a capture comment to an existing capture file.");
1818 /* Note: TShark now allows the restriction of a _read_ file by packet count
1819 * and byte count as well as a write file. Other autostop options remain valid
1820 * only for a write file.
1822 if (global_capture_opts.has_autostop_duration) {
1823 cmdarg_err("A maximum capture time was specified, but "
1824 "a capture isn't being done.");
1829 * "-r" wasn't specified, so we're doing a live capture.
1831 if (perform_two_pass_analysis) {
1832 /* Two-pass analysis doesn't work with live capture since it requires us
1833 * to buffer packets until we've read all of them, but a live capture
1834 * has no useful/meaningful definition of "all" */
1835 cmdarg_err("Live captures do not support two-pass analysis.");
1839 if (global_capture_opts.saving_to_file) {
1840 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1842 /* When capturing, we only support writing pcap or pcap-ng format. */
1843 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1844 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1845 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1848 if (global_capture_opts.capture_comment &&
1849 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1850 cmdarg_err("A capture comment can only be written to a pcapng file.");
1853 if (global_capture_opts.multi_files_on) {
1854 /* Multiple-file mode doesn't work under certain conditions:
1855 a) it doesn't work if you're writing to the standard output;
1856 b) it doesn't work if you're writing to a pipe;
1858 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1859 cmdarg_err("Multiple capture files requested, but "
1860 "the capture is being written to the standard output.");
1863 if (global_capture_opts.output_to_pipe) {
1864 cmdarg_err("Multiple capture files requested, but "
1865 "the capture file is a pipe.");
1868 if (!global_capture_opts.has_autostop_filesize &&
1869 !global_capture_opts.has_file_duration) {
1870 cmdarg_err("Multiple capture files requested, but "
1871 "no maximum capture file size or duration was specified.");
1875 /* Currently, we don't support read or display filters when capturing
1876 and saving the packets. */
1877 if (rfilter != NULL) {
1878 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1881 if (dfilter != NULL) {
1882 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1885 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1887 /* They didn't specify a "-w" flag, so we won't be saving to a
1888 capture file. Check for options that only make sense if
1889 we're saving to a file. */
1890 if (global_capture_opts.has_autostop_filesize) {
1891 cmdarg_err("Maximum capture file size specified, but "
1892 "capture isn't being saved to a file.");
1895 if (global_capture_opts.multi_files_on) {
1896 cmdarg_err("Multiple capture files requested, but "
1897 "the capture isn't being saved to a file.");
1900 if (global_capture_opts.capture_comment) {
1901 cmdarg_err("A capture comment was specified, but "
1902 "the capture isn't being saved to a file.");
1911 /* Start windows sockets */
1912 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1915 /* Notify all registered modules that have had any of their preferences
1916 changed either from one of the preferences file or from the command
1917 line that their preferences have changed. */
1920 /* At this point MATE will have registered its field array so we can
1921 have a tap filter with one of MATE's late-registered fields as part
1922 of the filter. We can now process all the "-z" arguments. */
1923 start_requested_stats();
1925 /* At this point MATE will have registered its field array so we can
1926 check if the fields specified by the user are all good.
1928 if (!output_fields_valid(output_fields)) {
1929 cmdarg_err("Some fields aren't valid");
1934 /* We currently don't support taps, or printing dissected packets,
1935 if we're writing to a pipe. */
1936 if (global_capture_opts.saving_to_file &&
1937 global_capture_opts.output_to_pipe) {
1938 if (tap_listeners_require_dissection()) {
1939 cmdarg_err("Taps aren't supported when saving to a pipe.");
1942 if (print_packet_info) {
1943 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1949 if (ex_opt_count("read_format") > 0) {
1950 const gchar* name = ex_opt_get_next("read_format");
1951 in_file_type = open_info_name_to_type(name);
1952 if (in_file_type == WTAP_TYPE_AUTO) {
1953 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1954 list_read_capture_types();
1959 /* disabled protocols as per configuration file */
1960 if (gdp_path == NULL && dp_path == NULL) {
1961 set_disabled_protos_list();
1964 /* Build the column format array */
1965 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1968 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1969 capture_opts_trim_ring_num_files(&global_capture_opts);
1972 if (rfilter != NULL) {
1973 if (!dfilter_compile(rfilter, &rfcode)) {
1974 cmdarg_err("%s", dfilter_error_msg);
1976 #ifdef HAVE_PCAP_OPEN_DEAD
1980 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1982 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1984 " Note: That read filter code looks like a valid capture filter;\n"
1985 " maybe you mixed them up?");
1994 cfile.rfcode = rfcode;
1996 if (dfilter != NULL) {
1997 if (!dfilter_compile(dfilter, &dfcode)) {
1998 cmdarg_err("%s", dfilter_error_msg);
2000 #ifdef HAVE_PCAP_OPEN_DEAD
2004 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2006 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2008 " Note: That display filter code looks like a valid capture filter;\n"
2009 " maybe you mixed them up?");
2018 cfile.dfcode = dfcode;
2020 if (print_packet_info) {
2021 /* If we're printing as text or PostScript, we have
2022 to create a print stream. */
2023 if (output_action == WRITE_TEXT) {
2024 switch (print_format) {
2027 print_stream = print_stream_text_stdio_new(stdout);
2031 print_stream = print_stream_ps_stdio_new(stdout);
2035 g_assert_not_reached();
2040 /* We have to dissect each packet if:
2042 we're printing information about each packet;
2044 we're using a read filter on the packets;
2046 we're using a display filter on the packets;
2048 we're using any taps that need dissection. */
2049 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2053 * We're reading a capture file.
2057 * Immediately relinquish any special privileges we have; we must not
2058 * be allowed to read any capture files the user running TShark
2061 relinquish_special_privs_perm();
2062 print_current_user();
2064 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2069 /* Set timestamp precision; there should arguably be a command-line
2070 option to let the user set this. */
2071 switch(wtap_file_tsprecision(cfile.wth)) {
2072 case(WTAP_FILE_TSPREC_SEC):
2073 timestamp_set_precision(TS_PREC_AUTO_SEC);
2075 case(WTAP_FILE_TSPREC_DSEC):
2076 timestamp_set_precision(TS_PREC_AUTO_DSEC);
2078 case(WTAP_FILE_TSPREC_CSEC):
2079 timestamp_set_precision(TS_PREC_AUTO_CSEC);
2081 case(WTAP_FILE_TSPREC_MSEC):
2082 timestamp_set_precision(TS_PREC_AUTO_MSEC);
2084 case(WTAP_FILE_TSPREC_USEC):
2085 timestamp_set_precision(TS_PREC_AUTO_USEC);
2087 case(WTAP_FILE_TSPREC_NSEC):
2088 timestamp_set_precision(TS_PREC_AUTO_NSEC);
2091 g_assert_not_reached();
2094 /* Process the packets in the file */
2097 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2098 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2099 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2101 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2104 CATCH(OutOfMemoryError) {
2108 "Sorry, but TShark has to terminate now!\n"
2110 "Some infos / workarounds can be found at:\n"
2111 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2116 /* We still dump out the results of taps, etc., as we might have
2117 read some packets; however, we exit with an error status. */
2121 /* No capture file specified, so we're supposed to do a live capture
2122 or get a list of link-layer types for a live capture device;
2123 do we have support for live captures? */
2125 /* if no interface was specified, pick a default */
2126 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2127 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2128 if (exit_status != 0)
2131 /* if requested, list the link layer types and exit */
2132 if (list_link_layer_types) {
2135 /* Get the list of link-layer types for the capture devices. */
2136 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2137 interface_options interface_opts;
2138 if_capabilities_t *caps;
2140 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2141 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2143 cmdarg_err("%s", err_str);
2147 if (caps->data_link_types == NULL) {
2148 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2151 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2152 free_if_capabilities(caps);
2158 * If the standard error isn't a terminal, don't print packet counts,
2159 * as they won't show up on the user's terminal and they'll get in
2160 * the way of error messages in the file (to which we assume the
2161 * standard error was redirected; if it's redirected to the null
2162 * device, there's no point in printing packet counts anyway).
2164 * Otherwise, if we're printing packet information and the standard
2165 * output is a terminal (which we assume means the standard output and
2166 * error are going to the same terminal), don't print packet counts,
2167 * as they'll get in the way of the packet information.
2169 * Otherwise, if the user specified -q, don't print packet counts.
2171 * Otherwise, print packet counts.
2173 * XXX - what if the user wants to do a live capture, doesn't want
2174 * to save it to a file, doesn't want information printed for each
2175 * packet, does want some "-z" statistic, and wants packet counts
2176 * so they know whether they're seeing any packets? -q will
2177 * suppress the information printed for each packet, but it'll
2178 * also suppress the packet counts.
2180 if (!isatty(fileno(stderr)))
2181 print_packet_counts = FALSE;
2182 else if (print_packet_info && isatty(fileno(stdout)))
2183 print_packet_counts = FALSE;
2185 print_packet_counts = FALSE;
2187 print_packet_counts = TRUE;
2189 if (print_packet_info) {
2190 if (!write_preamble(NULL)) {
2191 show_print_file_io_error(errno);
2196 /* For now, assume libpcap gives microsecond precision. */
2197 timestamp_set_precision(TS_PREC_AUTO_USEC);
2200 * XXX - this returns FALSE if an error occurred, but it also
2201 * returns FALSE if the capture stops because a time limit
2202 * was reached (and possibly other limits), so we can't assume
2203 * it means an error.
2205 * The capture code is a bit twisty, so it doesn't appear to
2206 * be an easy fix. We just ignore the return value for now.
2207 * Instead, pass on the exit status from the capture child.
2210 exit_status = global_capture_session.fork_child_status;
2212 if (print_packet_info) {
2213 if (!write_finale()) {
2215 show_print_file_io_error(err);
2219 /* No - complain. */
2220 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2227 if (cfile.frames != NULL) {
2228 free_frame_data_sequence(cfile.frames);
2229 cfile.frames = NULL;
2232 draw_tap_listeners(TRUE);
2233 funnel_dump_all_text_windows();
2234 epan_free(cfile.epan);
2237 output_fields_free(output_fields);
2238 output_fields = NULL;
2243 /*#define USE_BROKEN_G_MAIN_LOOP*/
2245 #ifdef USE_BROKEN_G_MAIN_LOOP
2248 gboolean loop_running = FALSE;
2250 guint32 packet_count = 0;
2253 typedef struct pipe_input_tag {
2257 pipe_input_cb_t input_cb;
2258 guint pipe_input_id;
2260 GMutex *callback_running;
2264 static pipe_input_t pipe_input;
2267 /* The timer has expired, see if there's stuff to read from the pipe,
2268 if so, do the callback */
2270 pipe_timer_cb(gpointer data)
2276 pipe_input_t *pipe_input_p = data;
2277 gint iterations = 0;
2279 g_mutex_lock (pipe_input_p->callback_running);
2281 /* try to read data from the pipe only 5 times, to avoid blocking */
2282 while(iterations < 5) {
2283 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2285 /* Oddly enough although Named pipes don't work on win9x,
2286 PeekNamedPipe does !!! */
2287 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2288 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2290 /* Get the child process exit status */
2291 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2294 /* If the Peek returned an error, or there are bytes to be read
2295 or the childwatcher thread has terminated then call the normal
2297 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2299 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2301 /* And call the real handler */
2302 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2303 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2304 /* pipe closed, return false so that the timer is stopped */
2305 g_mutex_unlock (pipe_input_p->callback_running);
2310 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2311 /* No data, stop now */
2318 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2320 g_mutex_unlock (pipe_input_p->callback_running);
2322 /* we didn't stopped the timer, so let it run */
2329 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2332 pipe_input.source = source;
2333 pipe_input.child_process = child_process;
2334 pipe_input.user_data = user_data;
2335 pipe_input.input_cb = input_cb;
2338 #if GLIB_CHECK_VERSION(2,31,0)
2339 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2340 g_mutex_init(pipe_input.callback_running);
2342 pipe_input.callback_running = g_mutex_new();
2344 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2345 do this but that doesn't cover all win32 platforms. GTK can do
2346 this but doesn't seem to work over processes. Attempt to do
2347 something similar here, start a timer and check for data on every
2349 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2350 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2354 static const nstime_t *
2355 tshark_get_frame_ts(void *data, guint32 frame_num)
2357 capture_file *cf = (capture_file *) data;
2359 if (ref && ref->num == frame_num)
2360 return &ref->abs_ts;
2362 if (prev_dis && prev_dis->num == frame_num)
2363 return &prev_dis->abs_ts;
2365 if (prev_cap && prev_cap->num == frame_num)
2366 return &prev_cap->abs_ts;
2369 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2371 return (fd) ? &fd->abs_ts : NULL;
2378 tshark_epan_new(capture_file *cf)
2380 epan_t *epan = epan_new();
2383 epan->get_frame_ts = tshark_get_frame_ts;
2384 epan->get_interface_name = cap_file_get_interface_name;
2385 epan->get_user_comment = NULL;
2396 GString *str = g_string_new("");
2397 #ifdef USE_TSHARK_SELECT
2401 struct sigaction action, oldaction;
2405 * XXX - dropping privileges is still required, until code cleanup is done
2407 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2408 * when it's done, we don't need special privileges to run tshark at all,
2409 * therefore we don't need to drop these privileges
2410 * The only thing we might want to keep is a warning if tshark is run as root,
2411 * as it's no longer necessary and potentially dangerous.
2413 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2414 * We've opened the capture device, so we shouldn't need any special
2415 * privileges any more; relinquish those privileges.
2417 * XXX - if we have saved set-user-ID support, we should give up those
2418 * privileges immediately, and then reclaim them long enough to get
2419 * a list of network interfaces and to open one, and then give them
2420 * up again, so that stuff we do while processing the argument list,
2421 * reading the user's preferences, loading and starting plugins
2422 * (especially *user* plugins), etc. is done with the user's privileges,
2423 * not special privileges.
2425 relinquish_special_privs_perm();
2426 print_current_user();
2428 /* Create new dissection section. */
2429 epan_free(cfile.epan);
2430 cfile.epan = tshark_epan_new(&cfile);
2433 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2434 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2436 /* Catch SIGINT and SIGTERM and, if we get either of them,
2437 clean up and exit. If SIGHUP isn't being ignored, catch
2438 it too and, if we get it, clean up and exit.
2440 We restart any read that was in progress, so that it doesn't
2441 disrupt reading from the sync pipe. The signal handler tells
2442 the capture child to finish; it will report that it finished,
2443 or will exit abnormally, so we'll stop reading from the sync
2444 pipe, pick up the exit status, and quit. */
2445 memset(&action, 0, sizeof(action));
2446 action.sa_handler = capture_cleanup;
2447 action.sa_flags = SA_RESTART;
2448 sigemptyset(&action.sa_mask);
2449 sigaction(SIGTERM, &action, NULL);
2450 sigaction(SIGINT, &action, NULL);
2451 sigaction(SIGHUP, NULL, &oldaction);
2452 if (oldaction.sa_handler == SIG_DFL)
2453 sigaction(SIGHUP, &action, NULL);
2456 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2457 quiet mode, report the number of packets we've captured.
2459 Again, restart any read that was in progress, so that it doesn't
2460 disrupt reading from the sync pipe. */
2461 action.sa_handler = report_counts_siginfo;
2462 action.sa_flags = SA_RESTART;
2463 sigemptyset(&action.sa_mask);
2464 sigaction(SIGINFO, &action, NULL);
2465 #endif /* SIGINFO */
2468 global_capture_session.state = CAPTURE_PREPARING;
2470 /* Let the user know which interfaces were chosen. */
2471 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2472 interface_options interface_opts;
2474 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2475 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2476 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2477 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2480 if (global_capture_opts.ifaces->len < 2)
2482 if (global_capture_opts.ifaces->len < 4)
2485 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2486 interface_options interface_opts;
2488 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2490 if (global_capture_opts.ifaces->len > 2) {
2491 g_string_append_printf(str, ",");
2493 g_string_append_printf(str, " ");
2494 if (i == global_capture_opts.ifaces->len - 1) {
2495 g_string_append_printf(str, "and ");
2498 g_string_append_printf(str, "'%s'", interface_opts.descr);
2501 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2503 if (really_quiet == FALSE)
2504 fprintf(stderr, "Capturing on %s\n", str->str);
2506 g_string_free(str, TRUE);
2508 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2513 /* the actual capture loop
2515 * XXX - glib doesn't seem to provide any event based loop handling.
2517 * XXX - for whatever reason,
2518 * calling g_main_loop_new() ends up in 100% cpu load.
2520 * But that doesn't matter: in UNIX we can use select() to find an input
2521 * source with something to do.
2523 * But that doesn't matter because we're in a CLI (that doesn't need to
2524 * update a GUI or something at the same time) so it's OK if we block
2525 * trying to read from the pipe.
2527 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2528 * wrong (but I leave it there in case I am...).
2531 #ifdef USE_TSHARK_SELECT
2533 FD_SET(pipe_input.source, &readfds);
2536 loop_running = TRUE;
2540 while (loop_running)
2542 #ifdef USE_TSHARK_SELECT
2543 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2547 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2549 } else if (ret == 1) {
2551 /* Call the real handler */
2552 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2553 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2556 #ifdef USE_TSHARK_SELECT
2561 CATCH(OutOfMemoryError) {
2565 "Sorry, but TShark has to terminate now!\n"
2567 "Some infos / workarounds can be found at:\n"
2568 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2575 /* capture child detected an error */
2577 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2579 cmdarg_err("%s", error_msg);
2580 cmdarg_err_cont("%s", secondary_error_msg);
2584 /* capture child detected an capture filter related error */
2586 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2588 capture_options *capture_opts = cap_session->capture_opts;
2589 dfilter_t *rfcode = NULL;
2590 interface_options interface_opts;
2592 g_assert(i < capture_opts->ifaces->len);
2593 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2595 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2597 "Invalid capture filter \"%s\" for interface '%s'!\n"
2599 "That string looks like a valid display filter; however, it isn't a valid\n"
2600 "capture filter (%s).\n"
2602 "Note that display filters and capture filters don't have the same syntax,\n"
2603 "so you can't use most display filter expressions as capture filters.\n"
2605 "See the User's Guide for a description of the capture filter syntax.",
2606 interface_opts.cfilter, interface_opts.descr, error_message);
2607 dfilter_free(rfcode);
2610 "Invalid capture filter \"%s\" for interface '%s'!\n"
2612 "That string isn't a valid capture filter (%s).\n"
2613 "See the User's Guide for a description of the capture filter syntax.",
2614 interface_opts.cfilter, interface_opts.descr, error_message);
2619 /* capture child tells us we have a new (or the first) capture file */
2621 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2623 capture_options *capture_opts = cap_session->capture_opts;
2624 gboolean is_tempfile;
2627 if (cap_session->state == CAPTURE_PREPARING) {
2628 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2630 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2632 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2634 /* free the old filename */
2635 if (capture_opts->save_file != NULL) {
2637 /* we start a new capture file, close the old one (if we had one before) */
2638 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2639 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2640 wtap_close(((capture_file *) cap_session->cf)->wth);
2641 ((capture_file *) cap_session->cf)->wth = NULL;
2643 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2646 g_free(capture_opts->save_file);
2647 is_tempfile = FALSE;
2649 /* we didn't had a save_file before, must be a tempfile */
2653 /* save the new filename */
2654 capture_opts->save_file = g_strdup(new_file);
2656 /* if we are in real-time mode, open the new file now */
2657 if (do_dissection) {
2658 /* this is probably unecessary, but better safe than sorry */
2659 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2660 /* Attempt to open the capture file and set up to read from it. */
2661 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2665 /* Don't unlink (delete) the save file - leave it around,
2666 for debugging purposes. */
2667 g_free(capture_opts->save_file);
2668 capture_opts->save_file = NULL;
2673 cap_session->state = CAPTURE_RUNNING;
2679 /* capture child tells us we have new packets to read */
2681 capture_input_new_packets(capture_session *cap_session, int to_read)
2687 capture_file *cf = (capture_file *)cap_session->cf;
2688 gboolean filtering_tap_listeners;
2693 * Prevent a SIGINFO handler from writing to the standard error while
2694 * we're doing so or writing to the standard output; instead, have it
2695 * just set a flag telling us to print that information when we're done.
2698 #endif /* SIGINFO */
2700 /* Do we have any tap listeners with filters? */
2701 filtering_tap_listeners = have_filtering_tap_listeners();
2703 /* Get the union of the flags for all tap listeners. */
2704 tap_flags = union_of_tap_listener_flags();
2706 if (do_dissection) {
2707 gboolean create_proto_tree;
2708 epan_dissect_t *edt;
2710 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2711 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2712 create_proto_tree = TRUE;
2714 create_proto_tree = FALSE;
2716 /* The protocol tree will be "visible", i.e., printed, only if we're
2717 printing packet details, which is true if we're printing stuff
2718 ("print_packet_info" is true) and we're in verbose mode
2719 ("packet_details" is true). */
2720 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2722 while (to_read-- && cf->wth) {
2723 wtap_cleareof(cf->wth);
2724 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2726 /* read from file failed, tell the capture child to stop */
2727 sync_pipe_stop(cap_session);
2728 wtap_close(cf->wth);
2731 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2732 wtap_buf_ptr(cf->wth),
2736 /* packet successfully read and gone through the "Read Filter" */
2741 epan_dissect_free(edt);
2745 * Dumpcap's doing all the work; we're not doing any dissection.
2746 * Count all the packets it wrote.
2748 packet_count += to_read;
2751 if (print_packet_counts) {
2752 /* We're printing packet counts. */
2753 if (packet_count != 0) {
2754 fprintf(stderr, "\r%u ", packet_count);
2755 /* stderr could be line buffered */
2762 * Allow SIGINFO handlers to write.
2767 * If a SIGINFO handler asked us to write out capture counts, do so.
2771 #endif /* SIGINFO */
2777 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2778 /* Report the count only if we aren't printing a packet count
2779 as packets arrive. */
2780 fprintf(stderr, "%u packet%s captured\n", packet_count,
2781 plurality(packet_count, "", "s"));
2784 infoprint = FALSE; /* we just reported it */
2785 #endif /* SIGINFO */
2790 report_counts_siginfo(int signum _U_)
2792 int sav_errno = errno;
2793 /* If we've been told to delay printing, just set a flag asking
2794 that we print counts (if we're supposed to), otherwise print
2795 the count of packets captured (if we're supposed to). */
2802 #endif /* SIGINFO */
2805 /* capture child detected any packet drops? */
2807 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2809 if (print_packet_counts) {
2810 /* We're printing packet counts to stderr.
2811 Send a newline so that we move to the line after the packet count. */
2812 fprintf(stderr, "\n");
2816 /* We're printing packet counts to stderr.
2817 Send a newline so that we move to the line after the packet count. */
2818 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2824 * Capture child closed its side of the pipe, report any error and
2825 * do the required cleanup.
2828 capture_input_closed(capture_session *cap_session, gchar *msg)
2830 capture_file *cf = (capture_file *) cap_session->cf;
2833 fprintf(stderr, "tshark: %s\n", msg);
2837 if (cf != NULL && cf->wth != NULL) {
2838 wtap_close(cf->wth);
2839 if (cf->is_tempfile) {
2840 ws_unlink(cf->filename);
2843 #ifdef USE_BROKEN_G_MAIN_LOOP
2844 /*g_main_loop_quit(loop);*/
2845 g_main_loop_quit(loop);
2847 loop_running = FALSE;
2856 capture_cleanup(DWORD ctrltype _U_)
2858 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2859 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2860 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2861 like SIGTERM at least when the machine's shutting down.
2863 For now, we handle them all as indications that we should clean up
2864 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2867 We must return TRUE so that no other handler - such as one that would
2868 terminate the process - gets called.
2870 XXX - for some reason, typing ^C to TShark, if you run this in
2871 a Cygwin console window in at least some versions of Cygwin,
2872 causes TShark to terminate immediately; this routine gets
2873 called, but the main loop doesn't get a chance to run and
2874 exit cleanly, at least if this is compiled with Microsoft Visual
2875 C++ (i.e., it's a property of the Cygwin console window or Bash;
2876 it happens if TShark is not built with Cygwin - for all I know,
2877 building it with Cygwin may make the problem go away). */
2879 /* tell the capture child to stop */
2880 sync_pipe_stop(&global_capture_session);
2882 /* don't stop our own loop already here, otherwise status messages and
2883 * cleanup wouldn't be done properly. The child will indicate the stop of
2884 * everything by calling capture_input_closed() later */
2890 capture_cleanup(int signum _U_)
2892 /* tell the capture child to stop */
2893 sync_pipe_stop(&global_capture_session);
2895 /* don't stop our own loop already here, otherwise status messages and
2896 * cleanup wouldn't be done properly. The child will indicate the stop of
2897 * everything by calling capture_input_closed() later */
2900 #endif /* HAVE_LIBPCAP */
2903 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2904 gint64 offset, struct wtap_pkthdr *whdr,
2911 /* The frame number of this packet is one more than the count of
2912 frames in this packet. */
2913 framenum = cf->count + 1;
2915 /* If we're not running a display filter and we're not printing any
2916 packet information, we don't need to do a dissection. This means
2917 that all packets can be marked as 'passed'. */
2920 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2922 /* If we're going to print packet information, or we're going to
2923 run a read filter, or display filter, or we're going to process taps, set up to
2924 do a dissection and do so. */
2926 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2927 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2928 /* Grab any resolved addresses */
2929 host_name_lookup_process();
2931 /* If we're running a read filter, prime the epan_dissect_t with that
2934 epan_dissect_prime_dfilter(edt, cf->rfcode);
2937 epan_dissect_prime_dfilter(edt, cf->dfcode);
2939 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2941 if (ref == &fdlocal) {
2942 ref_frame = fdlocal;
2946 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2948 /* Run the read filter if we have one. */
2950 passed = dfilter_apply_edt(cf->rfcode, edt);
2954 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2955 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2957 /* If we're not doing dissection then there won't be any dependent frames.
2958 * More importantly, edt.pi.dependent_frames won't be initialized because
2959 * epan hasn't been initialized.
2960 * if we *are* doing dissection, then mark the dependent frames, but only
2961 * if a display filter was given and it matches this packet.
2963 if (edt && cf->dfcode) {
2964 if (dfilter_apply_edt(cf->dfcode, edt)) {
2965 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2971 /* if we don't add it to the frame_data_sequence, clean it up right now
2973 frame_data_destroy(&fdlocal);
2977 epan_dissect_reset(edt);
2983 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2984 struct wtap_pkthdr *phdr, Buffer *buf,
2990 /* If we're not running a display filter and we're not printing any
2991 packet information, we don't need to do a dissection. This means
2992 that all packets can be marked as 'passed'. */
2995 /* If we're going to print packet information, or we're going to
2996 run a read filter, or we're going to process taps, set up to
2997 do a dissection and do so. */
2999 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3000 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3001 /* Grab any resolved addresses */
3002 host_name_lookup_process();
3004 /* If we're running a display filter, prime the epan_dissect_t with that
3007 epan_dissect_prime_dfilter(edt, cf->dfcode);
3009 col_custom_prime_edt(edt, &cf->cinfo);
3011 /* We only need the columns if either
3012 1) some tap needs the columns
3014 2) we're printing packet info but we're *not* verbose; in verbose
3015 mode, we print the protocol tree, not the protocol summary.
3017 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3022 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3029 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3031 /* Run the read/display filter if we have one. */
3033 passed = dfilter_apply_edt(cf->dfcode, edt);
3037 frame_data_set_after_dissect(fdata, &cum_bytes);
3038 /* Process this packet. */
3039 if (print_packet_info) {
3040 /* We're printing packet information; print the information for
3042 print_packet(cf, edt);
3044 /* The ANSI C standard does not appear to *require* that a line-buffered
3045 stream be flushed to the host environment whenever a newline is
3046 written, it just says that, on such a stream, characters "are
3047 intended to be transmitted to or from the host environment as a
3048 block when a new-line character is encountered".
3050 The Visual C++ 6.0 C implementation doesn't do what is intended;
3051 even if you set a stream to be line-buffered, it still doesn't
3052 flush the buffer at the end of every line.
3054 So, if the "-l" flag was specified, we flush the standard output
3055 at the end of a packet. This will do the right thing if we're
3056 printing packet summary lines, and, as we print the entire protocol
3057 tree for a single packet without waiting for anything to happen,
3058 it should be as good as line-buffered mode if we're printing
3059 protocol trees. (The whole reason for the "-l" flag in either
3060 tcpdump or TShark is to allow the output of a live capture to
3061 be piped to a program or script and to have that script see the
3062 information for the packet as soon as it's printed, rather than
3063 having to wait until a standard I/O buffer fills up. */
3067 if (ferror(stdout)) {
3068 show_print_file_io_error(errno);
3077 epan_dissect_reset(edt);
3079 return passed || fdata->flags.dependent_of_displayed;
3083 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3084 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3087 int snapshot_length;
3091 gchar *err_info = NULL;
3093 char *save_file_string = NULL;
3094 gboolean filtering_tap_listeners;
3096 wtapng_section_t *shb_hdr;
3097 wtapng_iface_descriptions_t *idb_inf;
3099 struct wtap_pkthdr phdr;
3101 epan_dissect_t *edt = NULL;
3103 memset(&phdr, 0, sizeof(struct wtap_pkthdr));
3105 shb_hdr = wtap_file_get_shb_info(cf->wth);
3106 idb_inf = wtap_file_get_idb_info(cf->wth);
3107 #ifdef PCAP_NG_DEFAULT
3108 if (idb_inf->interface_data->len > 1) {
3109 linktype = WTAP_ENCAP_PER_PACKET;
3111 linktype = wtap_file_encap(cf->wth);
3114 linktype = wtap_file_encap(cf->wth);
3116 if (save_file != NULL) {
3117 /* Get a string that describes what we're writing to */
3118 save_file_string = output_file_description(save_file);
3120 /* Set up to write to the capture file. */
3121 snapshot_length = wtap_snapshot_length(cf->wth);
3122 if (snapshot_length == 0) {
3123 /* Snapshot length of input file not known. */
3124 snapshot_length = WTAP_MAX_PACKET_SIZE;
3126 /* If we don't have an application name add Tshark */
3127 if (shb_hdr->shb_user_appl == NULL) {
3128 g_snprintf(appname, sizeof(appname), "TShark %s", get_ws_vcs_version_info());
3129 shb_hdr->shb_user_appl = appname;
3132 if (linktype != WTAP_ENCAP_PER_PACKET &&
3133 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3134 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3135 snapshot_length, FALSE /* compressed */, &err);
3137 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3138 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3144 /* We couldn't set up to write to the capture file. */
3147 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3148 cmdarg_err("Capture files can't be written in that format.");
3151 case WTAP_ERR_UNSUPPORTED_ENCAP:
3152 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3153 cmdarg_err("The capture file being read can't be written as a "
3154 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3157 case WTAP_ERR_CANT_OPEN:
3158 cmdarg_err("The %s couldn't be created for some "
3159 "unknown reason.", save_file_string);
3162 case WTAP_ERR_SHORT_WRITE:
3163 cmdarg_err("A full header couldn't be written to the %s.",
3168 cmdarg_err("The %s could not be created: %s.", save_file_string,
3169 wtap_strerror(err));
3175 if (print_packet_info) {
3176 if (!write_preamble(cf)) {
3178 show_print_file_io_error(err);
3187 if (pdh && out_file_name_res) {
3188 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3189 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3190 wtap_file_type_subtype_short_string(out_file_type));
3194 /* Do we have any tap listeners with filters? */
3195 filtering_tap_listeners = have_filtering_tap_listeners();
3197 /* Get the union of the flags for all tap listeners. */
3198 tap_flags = union_of_tap_listener_flags();
3200 if (perform_two_pass_analysis) {
3203 /* Allocate a frame_data_sequence for all the frames. */
3204 cf->frames = new_frame_data_sequence();
3206 if (do_dissection) {
3207 gboolean create_proto_tree = FALSE;
3209 /* If we're going to be applying a filter, we'll need to
3210 create a protocol tree against which to apply the filter. */
3211 if (cf->rfcode || cf->dfcode)
3212 create_proto_tree = TRUE;
3214 /* We're not going to display the protocol tree on this pass,
3215 so it's not going to be "visible". */
3216 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3219 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3220 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3221 wtap_buf_ptr(cf->wth))) {
3222 /* Stop reading if we have the maximum number of packets;
3223 * When the -c option has not been used, max_packet_count
3224 * starts at 0, which practically means, never stop reading.
3225 * (unless we roll over max_packet_count ?)
3227 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3228 err = 0; /* This is not an error */
3235 epan_dissect_free(edt);
3239 /* Close the sequential I/O side, to free up memory it requires. */
3240 wtap_sequential_close(cf->wth);
3242 /* Allow the protocol dissectors to free up memory that they
3243 * don't need after the sequential run-through of the packets. */
3244 postseq_cleanup_all_protocols();
3248 buffer_init(&buf, 1500);
3250 if (do_dissection) {
3251 gboolean create_proto_tree;
3253 if (cf->dfcode || print_details || filtering_tap_listeners ||
3254 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3255 create_proto_tree = TRUE;
3257 create_proto_tree = FALSE;
3259 /* The protocol tree will be "visible", i.e., printed, only if we're
3260 printing packet details, which is true if we're printing stuff
3261 ("print_packet_info" is true) and we're in verbose mode
3262 ("packet_details" is true). */
3263 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3266 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3267 fdata = frame_data_sequence_find(cf->frames, framenum);
3268 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3270 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3272 /* Either there's no read filtering or this packet passed the
3273 filter, so, if we're writing to a capture file, write
3276 if (!wtap_dump(pdh, &phdr, buffer_start_ptr(&buf), &err)) {
3277 /* Error writing to a capture file */
3280 case WTAP_ERR_UNSUPPORTED_ENCAP:
3282 * This is a problem with the particular frame we're writing
3283 * and the file type and subtype we're writing; note that,
3284 * and report the frame number and file type/subtype.
3286 * XXX - framenum is not necessarily the frame number in
3287 * the input file if there was a read filter.
3290 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3291 framenum, cf->filename,
3292 wtap_file_type_subtype_short_string(out_file_type));
3295 case WTAP_ERR_PACKET_TOO_LARGE:
3297 * This is a problem with the particular frame we're writing
3298 * and the file type and subtype we're writing; note that,
3299 * and report the frame number and file type/subtype.
3301 * XXX - framenum is not necessarily the frame number in
3302 * the input file if there was a read filter.
3305 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3306 framenum, cf->filename,
3307 wtap_file_type_subtype_short_string(out_file_type));
3311 show_capture_file_io_error(save_file, err, FALSE);
3314 wtap_dump_close(pdh, &err);
3324 epan_dissect_free(edt);
3333 if (do_dissection) {
3334 gboolean create_proto_tree;
3336 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3337 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3338 create_proto_tree = TRUE;
3340 create_proto_tree = FALSE;
3342 /* The protocol tree will be "visible", i.e., printed, only if we're
3343 printing packet details, which is true if we're printing stuff
3344 ("print_packet_info" is true) and we're in verbose mode
3345 ("packet_details" is true). */
3346 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3349 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3352 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3353 wtap_buf_ptr(cf->wth),
3355 /* Either there's no read filtering or this packet passed the
3356 filter, so, if we're writing to a capture file, write
3359 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3360 /* Error writing to a capture file */
3363 case WTAP_ERR_UNSUPPORTED_ENCAP:
3365 * This is a problem with the particular frame we're writing
3366 * and the file type and subtype we're writing; note that,
3367 * and report the frame number and file type/subtype.
3370 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3371 framenum, cf->filename,
3372 wtap_file_type_subtype_short_string(out_file_type));
3375 case WTAP_ERR_PACKET_TOO_LARGE:
3377 * This is a problem with the particular frame we're writing
3378 * and the file type and subtype we're writing; note that,
3379 * and report the frame number and file type/subtype.
3382 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3383 framenum, cf->filename,
3384 wtap_file_type_subtype_short_string(out_file_type));
3388 show_capture_file_io_error(save_file, err, FALSE);
3391 wtap_dump_close(pdh, &err);
3397 /* Stop reading if we have the maximum number of packets;
3398 * When the -c option has not been used, max_packet_count
3399 * starts at 0, which practically means, never stop reading.
3400 * (unless we roll over max_packet_count ?)
3402 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3403 err = 0; /* This is not an error */
3409 epan_dissect_free(edt);
3416 * Print a message noting that the read failed somewhere along the line.
3418 * If we're printing packet data, and the standard output and error are
3419 * going to the same place, flush the standard output, so everything
3420 * buffered up is written, and then print a newline to the standard error
3421 * before printing the error message, to separate it from the packet
3422 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3423 * the _fstat() documentation at Microsoft doesn't indicate whether
3424 * st_ino is even supported.)
3427 if (print_packet_info) {
3428 struct stat stat_stdout, stat_stderr;
3430 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3431 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3432 stat_stdout.st_ino == stat_stderr.st_ino) {
3434 fprintf(stderr, "\n");
3441 case WTAP_ERR_UNSUPPORTED:
3442 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3443 cf->filename, err_info);
3447 case WTAP_ERR_UNSUPPORTED_ENCAP:
3448 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3449 cf->filename, err_info);
3453 case WTAP_ERR_CANT_READ:
3454 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3458 case WTAP_ERR_SHORT_READ:
3459 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3463 case WTAP_ERR_BAD_FILE:
3464 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3465 cf->filename, err_info);
3469 case WTAP_ERR_DECOMPRESS:
3470 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3471 "(%s)", cf->filename, err_info);
3475 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3476 cf->filename, wtap_strerror(err));
3479 if (save_file != NULL) {
3480 /* Now close the capture file. */
3481 if (!wtap_dump_close(pdh, &err))
3482 show_capture_file_io_error(save_file, err, TRUE);
3485 if (save_file != NULL) {
3486 /* Now close the capture file. */
3487 if (!wtap_dump_close(pdh, &err))
3488 show_capture_file_io_error(save_file, err, TRUE);
3490 if (print_packet_info) {
3491 if (!write_finale()) {
3493 show_print_file_io_error(err);
3500 wtap_close(cf->wth);
3503 g_free(save_file_string);
3510 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3511 const guchar *pd, guint tap_flags)
3517 /* Count this packet. */
3520 /* If we're not running a display filter and we're not printing any
3521 packet information, we don't need to do a dissection. This means
3522 that all packets can be marked as 'passed'. */
3525 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3527 /* If we're going to print packet information, or we're going to
3528 run a read filter, or we're going to process taps, set up to
3529 do a dissection and do so. */
3531 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3532 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3533 /* Grab any resolved addresses */
3534 host_name_lookup_process();
3536 /* If we're running a filter, prime the epan_dissect_t with that
3539 epan_dissect_prime_dfilter(edt, cf->dfcode);
3541 col_custom_prime_edt(edt, &cf->cinfo);
3543 /* We only need the columns if either
3544 1) some tap needs the columns
3546 2) we're printing packet info but we're *not* verbose; in verbose
3547 mode, we print the protocol tree, not the protocol summary.
3549 3) there is a column mapped as an individual field */
3550 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3555 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3557 if (ref == &fdata) {
3562 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3564 /* Run the filter if we have it. */
3566 passed = dfilter_apply_edt(cf->dfcode, edt);
3570 frame_data_set_after_dissect(&fdata, &cum_bytes);
3572 /* Process this packet. */
3573 if (print_packet_info) {
3574 /* We're printing packet information; print the information for
3576 print_packet(cf, edt);
3578 /* The ANSI C standard does not appear to *require* that a line-buffered
3579 stream be flushed to the host environment whenever a newline is
3580 written, it just says that, on such a stream, characters "are
3581 intended to be transmitted to or from the host environment as a
3582 block when a new-line character is encountered".
3584 The Visual C++ 6.0 C implementation doesn't do what is intended;
3585 even if you set a stream to be line-buffered, it still doesn't
3586 flush the buffer at the end of every line.
3588 So, if the "-l" flag was specified, we flush the standard output
3589 at the end of a packet. This will do the right thing if we're
3590 printing packet summary lines, and, as we print the entire protocol
3591 tree for a single packet without waiting for anything to happen,
3592 it should be as good as line-buffered mode if we're printing
3593 protocol trees. (The whole reason for the "-l" flag in either
3594 tcpdump or TShark is to allow the output of a live capture to
3595 be piped to a program or script and to have that script see the
3596 information for the packet as soon as it's printed, rather than
3597 having to wait until a standard I/O buffer fills up. */
3601 if (ferror(stdout)) {
3602 show_print_file_io_error(errno);
3607 /* this must be set after print_packet() [bug #8160] */
3608 prev_dis_frame = fdata;
3609 prev_dis = &prev_dis_frame;
3612 prev_cap_frame = fdata;
3613 prev_cap = &prev_cap_frame;
3616 epan_dissect_reset(edt);
3617 frame_data_destroy(&fdata);
3623 write_preamble(capture_file *cf)
3625 switch (output_action) {
3628 return print_preamble(print_stream, cf ? cf->filename : NULL, get_ws_vcs_version_info());
3632 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3634 write_psml_preamble(stdout);
3635 return !ferror(stdout);
3638 write_fields_preamble(output_fields, stdout);
3639 return !ferror(stdout);
3642 g_assert_not_reached();
3648 get_line_buf(size_t len)
3650 static char *line_bufp = NULL;
3651 static size_t line_buf_len = 256;
3652 size_t new_line_buf_len;
3654 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3655 new_line_buf_len *= 2)
3657 if (line_bufp == NULL) {
3658 line_buf_len = new_line_buf_len;
3659 line_bufp = (char *)g_malloc(line_buf_len + 1);
3661 if (new_line_buf_len > line_buf_len) {
3662 line_buf_len = new_line_buf_len;
3663 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3670 put_string(char *dest, const char *str, size_t str_len)
3672 memcpy(dest, str, str_len);
3673 dest[str_len] = '\0';
3677 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3681 for (i = str_len; i < str_with_spaces; i++)
3684 put_string(dest, str, str_len);
3688 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3692 memcpy(dest, str, str_len);
3693 for (i = str_len; i < str_with_spaces; i++)
3696 dest[str_with_spaces] = '\0';
3700 print_columns(capture_file *cf)
3708 line_bufp = get_line_buf(256);
3711 for (i = 0; i < cf->cinfo.num_cols; i++) {
3712 /* Skip columns not marked as visible. */
3713 if (!get_column_visible(i))
3715 switch (cf->cinfo.col_fmt[i]) {
3717 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3720 line_bufp = get_line_buf(buf_offset + column_len);
3721 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3727 case COL_ABS_YMD_TIME: /* XXX - wider */
3728 case COL_ABS_YDOY_TIME: /* XXX - wider */
3730 case COL_UTC_YMD_TIME: /* XXX - wider */
3731 case COL_UTC_YDOY_TIME: /* XXX - wider */
3732 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3733 if (column_len < 10)
3735 line_bufp = get_line_buf(buf_offset + column_len);
3736 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3742 case COL_DEF_DL_SRC:
3743 case COL_RES_DL_SRC:
3744 case COL_UNRES_DL_SRC:
3745 case COL_DEF_NET_SRC:
3746 case COL_RES_NET_SRC:
3747 case COL_UNRES_NET_SRC:
3748 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3749 if (column_len < 12)
3751 line_bufp = get_line_buf(buf_offset + column_len);
3752 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3758 case COL_DEF_DL_DST:
3759 case COL_RES_DL_DST:
3760 case COL_UNRES_DL_DST:
3761 case COL_DEF_NET_DST:
3762 case COL_RES_NET_DST:
3763 case COL_UNRES_NET_DST:
3764 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3765 if (column_len < 12)
3767 line_bufp = get_line_buf(buf_offset + column_len);
3768 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3772 column_len = strlen(cf->cinfo.col_data[i]);
3773 line_bufp = get_line_buf(buf_offset + column_len);
3774 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3777 buf_offset += column_len;
3778 if (i != cf->cinfo.num_cols - 1) {
3780 * This isn't the last column, so we need to print a
3781 * separator between this column and the next.
3783 * If we printed a network source and are printing a
3784 * network destination of the same type next, separate
3785 * them with " -> "; if we printed a network destination
3786 * and are printing a network source of the same type
3787 * next, separate them with " <- "; otherwise separate them
3790 * We add enough space to the buffer for " <- " or " -> ",
3791 * even if we're only adding " ".
3793 line_bufp = get_line_buf(buf_offset + 4);
3794 switch (cf->cinfo.col_fmt[i]) {
3799 switch (cf->cinfo.col_fmt[i + 1]) {
3804 put_string(line_bufp + buf_offset, " -> ", 4);
3809 put_string(line_bufp + buf_offset, " ", 1);
3815 case COL_DEF_DL_SRC:
3816 case COL_RES_DL_SRC:
3817 case COL_UNRES_DL_SRC:
3818 switch (cf->cinfo.col_fmt[i + 1]) {
3820 case COL_DEF_DL_DST:
3821 case COL_RES_DL_DST:
3822 case COL_UNRES_DL_DST:
3823 put_string(line_bufp + buf_offset, " -> ", 4);
3828 put_string(line_bufp + buf_offset, " ", 1);
3834 case COL_DEF_NET_SRC:
3835 case COL_RES_NET_SRC:
3836 case COL_UNRES_NET_SRC:
3837 switch (cf->cinfo.col_fmt[i + 1]) {
3839 case COL_DEF_NET_DST:
3840 case COL_RES_NET_DST:
3841 case COL_UNRES_NET_DST:
3842 put_string(line_bufp + buf_offset, " -> ", 4);
3847 put_string(line_bufp + buf_offset, " ", 1);
3856 switch (cf->cinfo.col_fmt[i + 1]) {
3861 put_string(line_bufp + buf_offset, " <- ", 4);
3866 put_string(line_bufp + buf_offset, " ", 1);
3872 case COL_DEF_DL_DST:
3873 case COL_RES_DL_DST:
3874 case COL_UNRES_DL_DST:
3875 switch (cf->cinfo.col_fmt[i + 1]) {
3877 case COL_DEF_DL_SRC:
3878 case COL_RES_DL_SRC:
3879 case COL_UNRES_DL_SRC:
3880 put_string(line_bufp + buf_offset, " <- ", 4);
3885 put_string(line_bufp + buf_offset, " ", 1);
3891 case COL_DEF_NET_DST:
3892 case COL_RES_NET_DST:
3893 case COL_UNRES_NET_DST:
3894 switch (cf->cinfo.col_fmt[i + 1]) {
3896 case COL_DEF_NET_SRC:
3897 case COL_RES_NET_SRC:
3898 case COL_UNRES_NET_SRC:
3899 put_string(line_bufp + buf_offset, " <- ", 4);
3904 put_string(line_bufp + buf_offset, " ", 1);
3911 put_string(line_bufp + buf_offset, " ", 1);
3917 return print_line(print_stream, 0, line_bufp);
3921 print_packet(capture_file *cf, epan_dissect_t *edt)
3923 print_args_t print_args;
3925 if (print_summary || output_fields_has_cols(output_fields)) {
3926 /* Just fill in the columns. */
3927 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3929 if (print_summary) {
3930 /* Now print them. */
3931 switch (output_action) {
3934 if (!print_columns(cf))
3939 proto_tree_write_psml(edt, stdout);
3940 return !ferror(stdout);
3941 case WRITE_FIELDS: /*No non-verbose "fields" format */
3942 g_assert_not_reached();
3947 if (print_details) {
3948 /* Print the information in the protocol tree. */
3949 switch (output_action) {
3952 /* Only initialize the fields that are actually used in proto_tree_print.
3953 * This is particularly important for .range, as that's heap memory which
3954 * we would otherwise have to g_free().
3955 print_args.to_file = TRUE;
3956 print_args.format = print_format;
3957 print_args.print_summary = print_summary;
3958 print_args.print_formfeed = FALSE;
3959 packet_range_init(&print_args.range, &cfile);
3961 print_args.print_hex = print_hex;
3962 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3964 if (!proto_tree_print(&print_args, edt, print_stream))
3967 if (!print_line(print_stream, 0, separator))
3973 proto_tree_write_pdml(edt, stdout);
3975 return !ferror(stdout);
3977 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3979 return !ferror(stdout);
3983 if (print_summary || print_details) {
3984 if (!print_line(print_stream, 0, ""))
3987 if (!print_hex_data(print_stream, edt))
3989 if (!print_line(print_stream, 0, separator))
3998 switch (output_action) {
4001 return print_finale(print_stream);
4005 write_pdml_finale(stdout);
4007 write_psml_finale(stdout);
4008 return !ferror(stdout);
4011 write_fields_finale(output_fields, stdout);
4012 return !ferror(stdout);
4015 g_assert_not_reached();
4021 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4025 char err_msg[2048+1];
4027 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4031 /* The open succeeded. Fill in the information for this file. */
4033 /* Create new epan session for dissection. */
4034 epan_free(cf->epan);
4035 cf->epan = tshark_epan_new(cf);
4038 cf->f_datalen = 0; /* not used, but set it anyway */
4040 /* Set the file name because we need it to set the follow stream filter.
4041 XXX - is that still true? We need it for other reasons, though,
4043 cf->filename = g_strdup(fname);
4045 /* Indicate whether it's a permanent or temporary file. */
4046 cf->is_tempfile = is_tempfile;
4048 /* No user changes yet. */
4049 cf->unsaved_changes = FALSE;
4051 cf->cd_t = wtap_file_type_subtype(cf->wth);
4052 cf->open_type = type;
4054 cf->drops_known = FALSE;
4056 cf->snap = wtap_snapshot_length(cf->wth);
4057 if (cf->snap == 0) {
4058 /* Snapshot length not known. */
4059 cf->has_snap = FALSE;
4060 cf->snap = WTAP_MAX_PACKET_SIZE;
4062 cf->has_snap = TRUE;
4063 nstime_set_zero(&cf->elapsed_time);
4068 cf->state = FILE_READ_IN_PROGRESS;
4070 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4071 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4076 g_snprintf(err_msg, sizeof err_msg,
4077 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4078 cmdarg_err("%s", err_msg);
4083 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4085 char *save_file_string;
4087 save_file_string = output_file_description(fname);
4092 cmdarg_err("Not all the packets could be written to the %s because there is "
4093 "no space left on the file system.",
4099 cmdarg_err("Not all the packets could be written to the %s because you are "
4100 "too close to, or over your disk quota.",
4105 case WTAP_ERR_CANT_CLOSE:
4106 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4110 case WTAP_ERR_SHORT_WRITE:
4111 cmdarg_err("Not all the packets could be written to the %s.",
4117 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4118 wtap_strerror(err));
4120 cmdarg_err("An error occurred while writing to the %s: %s.",
4121 save_file_string, wtap_strerror(err));
4125 g_free(save_file_string);
4129 show_print_file_io_error(int err)
4134 cmdarg_err("Not all the packets could be printed because there is "
4135 "no space left on the file system.");
4140 cmdarg_err("Not all the packets could be printed because you are "
4141 "too close to, or over your disk quota.");
4146 cmdarg_err("An error occurred while printing packets: %s.",
4153 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4157 static char errmsg_errno[1024+1];
4160 /* Wiretap error. */
4163 case WTAP_ERR_NOT_REGULAR_FILE:
4164 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4167 case WTAP_ERR_RANDOM_OPEN_PIPE:
4168 /* Seen only when opening a capture file for reading. */
4169 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4172 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4173 /* Seen only when opening a capture file for reading. */
4174 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4177 case WTAP_ERR_UNSUPPORTED:
4178 /* Seen only when opening a capture file for reading. */
4179 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4180 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4183 errmsg = errmsg_errno;
4186 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4187 /* Seen only when opening a capture file for writing. */
4188 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4189 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4190 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4191 errmsg = errmsg_errno;
4194 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4195 /* Seen only when opening a capture file for writing. */
4196 errmsg = "TShark doesn't support writing capture files in that format.";
4199 case WTAP_ERR_UNSUPPORTED_ENCAP:
4201 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4202 "TShark can't save this capture as a \"%s\" file.",
4203 wtap_file_type_subtype_short_string(file_type));
4205 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4206 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4210 errmsg = errmsg_errno;
4213 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4215 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4216 "TShark can't save this capture as a \"%s\" file.",
4217 wtap_file_type_subtype_short_string(file_type));
4218 errmsg = errmsg_errno;
4220 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4223 case WTAP_ERR_BAD_FILE:
4224 /* Seen only when opening a capture file for reading. */
4225 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4226 "The file \"%%s\" appears to be damaged or corrupt.\n"
4229 errmsg = errmsg_errno;
4232 case WTAP_ERR_CANT_OPEN:
4234 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4236 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4239 case WTAP_ERR_SHORT_READ:
4240 errmsg = "The file \"%s\" appears to have been cut short"
4241 " in the middle of a packet or other data.";
4244 case WTAP_ERR_SHORT_WRITE:
4245 errmsg = "A full header couldn't be written to the file \"%s\".";
4248 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4249 errmsg = "This file type cannot be written as a compressed file.";
4252 case WTAP_ERR_DECOMPRESS:
4253 /* Seen only when opening a capture file for reading. */
4254 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4255 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4258 errmsg = errmsg_errno;
4262 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4263 "The file \"%%s\" could not be %s: %s.",
4264 for_writing ? "created" : "opened",
4265 wtap_strerror(err));
4266 errmsg = errmsg_errno;
4270 errmsg = file_open_error_message(err, for_writing);
4275 * Open/create errors are reported with an console message in TShark.
4278 open_failure_message(const char *filename, int err, gboolean for_writing)
4280 fprintf(stderr, "tshark: ");
4281 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4282 fprintf(stderr, "\n");
4287 * General errors are reported with an console message in TShark.
4290 failure_message(const char *msg_format, va_list ap)
4292 fprintf(stderr, "tshark: ");
4293 vfprintf(stderr, msg_format, ap);
4294 fprintf(stderr, "\n");
4298 * Read errors are reported with an console message in TShark.
4301 read_failure_message(const char *filename, int err)
4303 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4304 filename, g_strerror(err));
4308 * Write errors are reported with an console message in TShark.
4311 write_failure_message(const char *filename, int err)
4313 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4314 filename, g_strerror(err));
4318 * Report an error in command-line arguments.
4321 cmdarg_err(const char *fmt, ...)
4326 failure_message(fmt, ap);
4331 * Report additional information for an error in command-line arguments.
4334 cmdarg_err_cont(const char *fmt, ...)
4339 vfprintf(stderr, fmt, ap);
4340 fprintf(stderr, "\n");
4346 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4351 * indent-tabs-mode: nil
4354 * vi: set shiftwidth=2 tabstop=8 expandtab:
4355 * :indentSize=2:tabSize=8:noTabs=true: