3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
50 #ifdef HAVE_SYS_STAT_H
51 # include <sys/stat.h>
55 #include <zlib.h> /* to get the libz version number */
59 # include <sys/capability.h>
63 #include "wsutil/wsgetopt.h"
68 #include <epan/exceptions.h>
69 #include <epan/epan-int.h>
70 #include <epan/epan.h>
72 #include <wsutil/clopts_common.h>
73 #include <wsutil/cmdarg_err.h>
74 #include <wsutil/crash_info.h>
75 #include <wsutil/privileges.h>
76 #include <wsutil/file_util.h>
77 #include <wsutil/filesystem.h>
78 #include <wsutil/report_err.h>
79 #include <wsutil/copyright_info.h>
80 #include <wsutil/os_version_info.h>
81 #include <wsutil/ws_version_info.h>
84 #include <epan/timestamp.h>
85 #include <epan/packet.h>
87 #include <epan/wslua/init_wslua.h>
90 #include "frame_tvbuff.h"
91 #include <epan/disabled_protos.h>
92 #include <epan/prefs.h>
93 #include <epan/column.h>
94 #include <epan/print.h>
95 #include <epan/addr_resolv.h>
97 #include "ui/capture_ui_utils.h"
100 #include "ui/ui_util.h"
101 #include "version_info.h"
102 #include "register.h"
103 #include <epan/epan_dissect.h>
104 #include <epan/tap.h>
105 #include <epan/stat_cmd_args.h>
106 #include <epan/timestamp.h>
107 #include <epan/ex-opt.h>
109 #include "capture_opts.h"
111 #include "caputils/capture-pcap-util.h"
114 #include "caputils/capture_ifinfo.h"
116 #include "caputils/capture-wpcap.h"
117 #include <wsutil/unicode-utils.h>
119 #include <capchild/capture_session.h>
120 #include <capchild/capture_sync.h>
121 #include "capture_opts.h"
122 #endif /* HAVE_LIBPCAP */
124 #include <epan/funnel.h>
127 #include <wsutil/plugins.h>
131 * This is the template for the decode as option; it is shared between the
132 * various functions that output the usage for this parameter.
134 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
136 static guint32 cum_bytes;
137 static const frame_data *ref;
138 static frame_data ref_frame;
139 static frame_data *prev_dis;
140 static frame_data prev_dis_frame;
141 static frame_data *prev_cap;
142 static frame_data prev_cap_frame;
144 static const char* prev_display_dissector_name = NULL;
146 static gboolean perform_two_pass_analysis;
149 * The way the packet decode is to be written.
152 WRITE_TEXT, /* summary or detail text */
153 WRITE_XML, /* PDML or PSML */
154 WRITE_FIELDS /* User defined list of fields */
155 /* Add CSV and the like here */
158 static output_action_e output_action;
159 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
160 static gboolean print_packet_info; /* TRUE if we're to print packet information */
161 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
162 static gboolean print_details; /* TRUE if we're to print packet details information */
163 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
164 static gboolean line_buffered;
165 static gboolean really_quiet = FALSE;
167 static print_format_e print_format = PR_FMT_TEXT;
168 static print_stream_t *print_stream;
170 static output_fields_t* output_fields = NULL;
172 /* The line separator used between packets, changeable via the -S option */
173 static const char *separator = "";
177 * TRUE if we're to print packet counts to keep track of captured packets.
179 static gboolean print_packet_counts;
181 static capture_options global_capture_opts;
182 static capture_session global_capture_session;
185 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
186 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
189 static gboolean capture(void);
190 static void report_counts(void);
192 static BOOL WINAPI capture_cleanup(DWORD);
194 static void capture_cleanup(int);
196 static void report_counts_siginfo(int);
200 #else /* HAVE_LIBPCAP */
202 static char *output_file_name;
204 #endif /* HAVE_LIBPCAP */
206 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
207 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
208 struct wtap_pkthdr *whdr, const guchar *pd,
210 static void show_capture_file_io_error(const char *, int, gboolean);
211 static void show_print_file_io_error(int err);
212 static gboolean write_preamble(capture_file *cf);
213 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
214 static gboolean write_finale(void);
215 static const char *cf_open_error_message(int err, gchar *err_info,
216 gboolean for_writing, int file_type);
218 static void open_failure_message(const char *filename, int err,
219 gboolean for_writing);
220 static void failure_message(const char *msg_format, va_list ap);
221 static void read_failure_message(const char *filename, int err);
222 static void write_failure_message(const char *filename, int err);
223 static void failure_message_cont(const char *msg_format, va_list ap);
228 const char *sstr; /* The short string */
229 const char *lstr; /* The long string */
233 string_compare(gconstpointer a, gconstpointer b)
235 return strcmp(((const struct string_elem *)a)->sstr,
236 ((const struct string_elem *)b)->sstr);
240 string_elem_print(gpointer data, gpointer not_used _U_)
242 fprintf(stderr, " %s - %s\n",
243 ((struct string_elem *)data)->sstr,
244 ((struct string_elem *)data)->lstr);
248 list_capture_types(void) {
250 struct string_elem *captypes;
253 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
255 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
256 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
257 if (wtap_dump_can_open(i)) {
258 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
259 captypes[i].lstr = wtap_file_type_subtype_string(i);
260 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
263 g_slist_foreach(list, string_elem_print, NULL);
269 list_read_capture_types(void) {
271 struct string_elem *captypes;
273 const char *magic = "Magic-value-based";
274 const char *heuristic = "Heuristics-based";
276 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
277 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
279 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
280 for (i = 0; open_routines[i].name != NULL; i++) {
281 captypes[i].sstr = open_routines[i].name;
282 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
283 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
285 g_slist_foreach(list, string_elem_print, NULL);
291 print_usage(FILE *output)
293 fprintf(output, "\n");
294 fprintf(output, "Usage: tshark [options] ...\n");
295 fprintf(output, "\n");
298 fprintf(output, "Capture interface:\n");
299 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
300 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
301 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
302 fprintf(output, " -p don't capture in promiscuous mode\n");
303 #ifdef HAVE_PCAP_CREATE
304 fprintf(output, " -I capture in monitor mode, if available\n");
306 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
307 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
309 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
310 fprintf(output, " -D print list of interfaces and exit\n");
311 fprintf(output, " -L print list of link-layer types of iface and exit\n");
312 fprintf(output, "\n");
313 fprintf(output, "Capture stop conditions:\n");
314 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
315 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
316 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
317 fprintf(output, " files:NUM - stop after NUM files\n");
318 /*fprintf(output, "\n");*/
319 fprintf(output, "Capture output:\n");
320 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
321 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
322 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
323 #endif /* HAVE_LIBPCAP */
324 #ifdef HAVE_PCAP_REMOTE
325 fprintf(output, "RPCAP options:\n");
326 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
328 /*fprintf(output, "\n");*/
329 fprintf(output, "Input file:\n");
330 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
332 fprintf(output, "\n");
333 fprintf(output, "Processing:\n");
334 fprintf(output, " -2 perform a two-pass analysis\n");
335 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
336 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
337 fprintf(output, " syntax\n");
338 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
339 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
340 fprintf(output, " -d %s ...\n", decode_as_arg_template);
341 fprintf(output, " \"Decode As\", see the man page for details\n");
342 fprintf(output, " Example: tcp.port==8888,http\n");
343 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
344 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
346 /*fprintf(output, "\n");*/
347 fprintf(output, "Output:\n");
348 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
349 fprintf(output, " (or to the standard output for \"-\")\n");
350 fprintf(output, " -C <config profile> start with specified configuration profile\n");
351 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
352 fprintf(output, " an empty \"-F\" option will list the file types\n");
353 fprintf(output, " -V add output of packet tree (Packet Details)\n");
354 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
355 fprintf(output, " separated\n");
356 fprintf(output, " -P print packet summary even when writing to a file\n");
357 fprintf(output, " -S <separator> the line separator to print between packets\n");
358 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
359 fprintf(output, " -T pdml|ps|psml|text|fields\n");
360 fprintf(output, " format of text output (def: text)\n");
361 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
362 fprintf(output, " _ws.col.Info)\n");
363 fprintf(output, " this option can be repeated to print multiple fields\n");
364 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
365 fprintf(output, " header=y|n switch headers on and off\n");
366 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
367 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
368 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
369 fprintf(output, " aggregator\n");
370 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
371 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
372 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
373 fprintf(output, " -l flush standard output after each packet\n");
374 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
375 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
376 fprintf(output, " -g enable group read access on the output file(s)\n");
377 fprintf(output, " -W n Save extra information in the file, if supported.\n");
378 fprintf(output, " n = write network address resolution information\n");
379 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
380 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
381 fprintf(output, " --capture-comment <comment>\n");
382 fprintf(output, " add a capture comment to the newly created\n");
383 fprintf(output, " output file (only for pcapng)\n");
385 fprintf(output, "\n");
386 fprintf(output, "Miscellaneous:\n");
387 fprintf(output, " -h display this help and exit\n");
388 fprintf(output, " -v display version info and exit\n");
389 fprintf(output, " -o <name>:<value> ... override preference setting\n");
390 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
391 fprintf(output, " -G [report] dump one of several available reports and exit\n");
392 fprintf(output, " default report=\"fields\"\n");
393 fprintf(output, " use \"-G ?\" for more help\n");
395 fprintf(output, "\n");
396 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
397 fprintf(output, "You might want to reset it\n");
398 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
399 fprintf(output, "\n");
405 glossary_option_help(void)
411 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
413 fprintf(output, "\n");
414 fprintf(output, "Usage: tshark -G [report]\n");
415 fprintf(output, "\n");
416 fprintf(output, "Glossary table reports:\n");
417 fprintf(output, " -G column-formats dump column format codes and exit\n");
418 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
419 fprintf(output, " -G fields dump fields glossary and exit\n");
420 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
421 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
422 fprintf(output, " -G plugins dump installed plugins and exit\n");
423 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
424 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
425 fprintf(output, "\n");
426 fprintf(output, "Preference reports:\n");
427 fprintf(output, " -G currentprefs dump current preferences and exit\n");
428 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
429 fprintf(output, "\n");
433 * For a dissector table, print on the stream described by output,
434 * its short name (which is what's used in the "-d" option) and its
438 display_dissector_table_names(const char *table_name, const char *ui_name,
441 if ((prev_display_dissector_name == NULL) ||
442 (strcmp(prev_display_dissector_name, table_name) != 0)) {
443 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
444 prev_display_dissector_name = table_name;
449 * For a dissector handle, print on the stream described by output,
450 * the filter name (which is what's used in the "-d" option) and the full
451 * name for the protocol that corresponds to this handle.
454 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
457 const gchar *proto_filter_name;
458 const gchar *proto_ui_name;
460 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
462 if (proto_id != -1) {
463 proto_filter_name = proto_get_protocol_filter_name(proto_id);
464 proto_ui_name = proto_get_protocol_name(proto_id);
465 g_assert(proto_filter_name != NULL);
466 g_assert(proto_ui_name != NULL);
468 if ((prev_display_dissector_name == NULL) ||
469 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
470 fprintf((FILE *)output, "\t%s (%s)\n",
473 prev_display_dissector_name = proto_filter_name;
479 * The protocol_name_search structure is used by find_protocol_name_func()
480 * to pass parameters and store results
482 struct protocol_name_search{
483 gchar *searched_name; /* Protocol filter name we are looking for */
484 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
485 guint nb_match; /* How many dissectors matched searched_name */
487 typedef struct protocol_name_search *protocol_name_search_t;
490 * This function parses all dissectors associated with a table to find the
491 * one whose protocol has the specified filter name. It is called
492 * as a reference function in a call to dissector_table_foreach_handle.
493 * The name we are looking for, as well as the results, are stored in the
494 * protocol_name_search struct pointed to by user_data.
495 * If called using dissector_table_foreach_handle, we actually parse the
496 * whole list of dissectors.
499 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
503 const gchar *protocol_filter_name;
504 protocol_name_search_t search_info;
508 search_info = (protocol_name_search_t)user_data;
510 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
511 if (proto_id != -1) {
512 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
513 g_assert(protocol_filter_name != NULL);
514 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
516 if (search_info->nb_match == 0) {
517 /* Record this handle only if this is the first match */
518 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
520 search_info->nb_match++;
526 * Allow dissector key names to be sorted alphabetically
530 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
532 return strcmp((const char*)dissector_a, (const char*)dissector_b);
536 * Print all layer type names supported.
537 * We send the output to the stream described by the handle output.
541 fprint_all_layer_types(FILE *output)
544 prev_display_dissector_name = NULL;
545 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
549 * Print all protocol names supported for a specific layer type.
550 * table_name contains the layer type name in which the search is performed.
551 * We send the output to the stream described by the handle output.
555 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
558 prev_display_dissector_name = NULL;
559 dissector_table_foreach_handle(table_name,
560 display_dissector_names,
565 * The function below parses the command-line parameters for the decode as
566 * feature (a string pointer by cl_param).
567 * It checks the format of the command-line, searches for a matching table
568 * and dissector. If a table/dissector match is not found, we display a
569 * summary of the available tables/dissectors (on stderr) and return FALSE.
570 * If everything is fine, we get the "Decode as" preference activated,
571 * then we return TRUE.
574 add_decode_as(const gchar *cl_param)
577 guint32 selector, selector2;
578 gchar *decoded_param;
579 gchar *remaining_param;
581 gchar *dissector_str;
582 dissector_handle_t dissector_matching;
583 dissector_table_t table_matching;
584 ftenum_t dissector_table_selector_type;
585 struct protocol_name_search user_protocol_name;
589 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
592 decoded_param = g_strdup(cl_param);
593 g_assert(decoded_param);
596 /* The lines below will parse this string (modifying it) to extract all
597 necessary information. Note that decoded_param is still needed since
598 strings are not copied - we just save pointers. */
600 /* This section extracts a layer type (table_name) from decoded_param */
601 table_name = decoded_param; /* Layer type string starts from beginning */
603 remaining_param = strchr(table_name, '=');
604 if (remaining_param == NULL) {
605 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
606 /* If the argument does not follow the template, carry on anyway to check
607 if the table name is at least correct. If remaining_param is NULL,
608 we'll exit anyway further down */
611 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
614 /* Remove leading and trailing spaces from the table name */
615 while ( table_name[0] == ' ' )
617 while ( table_name[strlen(table_name) - 1] == ' ' )
618 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
620 /* The following part searches a table matching with the layer type specified */
621 table_matching = NULL;
623 /* Look for the requested table */
624 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
625 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
628 table_matching = find_dissector_table(table_name);
629 if (!table_matching) {
630 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
634 if (!table_matching) {
635 /* Display a list of supported layer types to help the user, if the
636 specified layer type was not found */
637 cmdarg_err("Valid layer types are:");
638 fprint_all_layer_types(stderr);
640 if (remaining_param == NULL || !table_matching) {
641 /* Exit if the layer type was not found, or if no '=' separator was found
643 g_free(decoded_param);
647 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
648 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
651 remaining_param++; /* Move to the second '=' */
652 *remaining_param = '\0'; /* Remove the second '=' */
654 remaining_param++; /* Position after the layer type string */
656 /* This section extracts a selector value (selector_str) from decoded_param */
658 selector_str = remaining_param; /* Next part starts with the selector number */
660 remaining_param = strchr(selector_str, ',');
661 if (remaining_param == NULL) {
662 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
663 /* If the argument does not follow the template, carry on anyway to check
664 if the selector value is at least correct. If remaining_param is NULL,
665 we'll exit anyway further down */
668 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
671 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
673 switch (dissector_table_selector_type) {
679 /* The selector for this table is an unsigned number. Parse it as such.
680 There's no need to remove leading and trailing spaces from the
681 selector number string, because sscanf will do that for us. */
682 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
687 if (op != ':' && op != '-') {
688 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
689 g_free(decoded_param);
693 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
694 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
695 g_free(decoded_param);
699 else if (selector2 < selector) {
700 /* We could swap them for the user, but maybe it's better to call
701 * this out as an error in case it's not what was intended? */
702 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
703 g_free(decoded_param);
708 cmdarg_err("Invalid selector number \"%s\"", selector_str);
709 g_free(decoded_param);
718 /* The selector for this table is a string. */
722 /* There are currently no dissector tables with any types other
723 than the ones listed above. */
724 g_assert_not_reached();
727 if (remaining_param == NULL) {
728 /* Exit if no ',' separator was found (see above) */
729 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
730 fprint_all_protocols_for_layer_types(stderr, table_name);
731 g_free(decoded_param);
735 remaining_param++; /* Position after the selector number string */
737 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
739 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
741 /* Remove leading and trailing spaces from the dissector name */
742 while ( dissector_str[0] == ' ' )
744 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
745 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
747 dissector_matching = NULL;
749 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
750 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
751 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
754 user_protocol_name.nb_match = 0;
755 user_protocol_name.searched_name = dissector_str;
756 user_protocol_name.matched_handle = NULL;
758 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
760 if (user_protocol_name.nb_match != 0) {
761 dissector_matching = user_protocol_name.matched_handle;
762 if (user_protocol_name.nb_match > 1) {
763 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
767 /* OK, check whether the problem is that there isn't any such
768 protocol, or that there is but it's not specified as a protocol
769 that's valid for that dissector table.
770 Note, we don't exit here, but dissector_matching will remain NULL,
772 if (proto_get_id_by_filter_name(dissector_str) == -1) {
773 /* No such protocol */
774 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
776 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
777 dissector_str, table_name);
782 if (!dissector_matching) {
783 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
784 fprint_all_protocols_for_layer_types(stderr, table_name);
785 g_free(decoded_param);
789 /* This is the end of the code that parses the command-line options.
790 All information is now stored in the variables:
794 The above variables that are strings are still pointing to areas within
795 decoded_parm. decoded_parm thus still needs to be kept allocated in
796 until we stop needing these variables
797 decoded_param will be deallocated at each exit point of this function */
800 /* We now have a pointer to the handle for the requested dissector
801 (requested protocol) inside the variable dissector_matching */
802 switch (dissector_table_selector_type) {
808 /* The selector for this table is an unsigned number. */
810 dissector_change_uint(table_name, selector, dissector_matching);
811 } else if (op == ':') {
812 for (i = selector; i < (guint64)selector + selector2; i++) {
813 dissector_change_uint(table_name, (guint32)i, dissector_matching);
815 } else { /* op == '-' */
816 for (i = selector; i <= selector2; i++) {
817 dissector_change_uint(table_name, (guint32)i, dissector_matching);
826 /* The selector for this table is a string. */
827 dissector_change_string(table_name, selector_str, dissector_matching);
831 /* There are currently no dissector tables with any types other
832 than the ones listed above. */
833 g_assert_not_reached();
835 g_free(decoded_param); /* "Decode As" rule has been successfully added */
840 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
841 const gchar *message, gpointer user_data)
843 /* ignore log message, if log_level isn't interesting based
844 upon the console log preferences.
845 If the preferences haven't been loaded loaded yet, display the
848 The default console_log_level preference value is such that only
849 ERROR, CRITICAL and WARNING level messages are processed;
850 MESSAGE, INFO and DEBUG level messages are ignored.
852 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
853 ERROR and CRITICAL level messages so the current code is a behavioral
854 change. The current behavior is the same as in Wireshark.
856 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
857 prefs.console_log_level != 0) {
861 g_log_default_handler(log_domain, log_level, message, user_data);
866 output_file_description(const char *fname)
868 char *save_file_string;
870 /* Get a string that describes what we're writing to */
871 if (strcmp(fname, "-") == 0) {
872 /* We're writing to the standard output */
873 save_file_string = g_strdup("standard output");
875 /* We're writing to a file with the name in save_file */
876 save_file_string = g_strdup_printf("file \"%s\"", fname);
878 return save_file_string;
882 print_current_user(void) {
883 gchar *cur_user, *cur_group;
885 if (started_with_special_privs()) {
886 cur_user = get_cur_username();
887 cur_group = get_cur_groupname();
888 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
889 cur_user, cur_group);
892 if (running_with_special_privs()) {
893 fprintf(stderr, " This could be dangerous.");
895 fprintf(stderr, "\n");
900 show_version(GString *comp_info_str, GString *runtime_info_str)
902 printf("TShark (Wireshark) %s\n"
909 get_ws_vcs_version_info(), get_copyright_info(),
910 comp_info_str->str, runtime_info_str->str);
914 get_tshark_compiled_version_info(GString *str)
916 /* Capture libraries */
917 get_compiled_caplibs_version(str);
920 g_string_append(str, ", ");
922 g_string_append(str, "with libz ");
924 g_string_append(str, ZLIB_VERSION);
925 #else /* ZLIB_VERSION */
926 g_string_append(str, "(version unknown)");
927 #endif /* ZLIB_VERSION */
928 #else /* HAVE_LIBZ */
929 g_string_append(str, "without libz");
930 #endif /* HAVE_LIBZ */
934 get_tshark_runtime_version_info(GString *str)
937 /* Capture libraries */
938 g_string_append(str, ", ");
939 get_runtime_caplibs_version(str);
943 #if defined(HAVE_LIBZ) && !defined(_WIN32)
944 g_string_append_printf(str, ", with libz %s", zlibVersion());
947 /* stuff used by libwireshark */
948 epan_get_runtime_version_info(str);
952 main(int argc, char *argv[])
954 GString *comp_info_str;
955 GString *runtime_info_str;
956 char *init_progfile_dir_error;
958 static const struct option long_options[] = {
959 {(char *)"help", no_argument, NULL, 'h'},
960 {(char *)"version", no_argument, NULL, 'v'},
961 LONGOPT_CAPTURE_COMMON
964 gboolean arg_error = FALSE;
970 char *gpf_path, *pf_path;
971 char *gdp_path, *dp_path;
972 int gpf_open_errno, gpf_read_errno;
973 int pf_open_errno, pf_read_errno;
974 int gdp_open_errno, gdp_read_errno;
975 int dp_open_errno, dp_read_errno;
977 volatile int exit_status = 0;
979 gboolean list_link_layer_types = FALSE;
980 gboolean start_capture = FALSE;
985 gboolean capture_option_specified = FALSE;
987 gboolean quiet = FALSE;
988 #ifdef PCAP_NG_DEFAULT
989 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
991 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
993 volatile gboolean out_file_name_res = FALSE;
994 volatile int in_file_type = WTAP_TYPE_AUTO;
995 gchar *volatile cf_name = NULL;
996 gchar *rfilter = NULL;
997 gchar *dfilter = NULL;
998 #ifdef HAVE_PCAP_OPEN_DEAD
999 struct bpf_program fcode;
1001 dfilter_t *rfcode = NULL;
1002 dfilter_t *dfcode = NULL;
1007 gchar *output_only = NULL;
1009 /* the leading - ensures that getopt() does not permute the argv[] entries
1010 we have to make sure that the first getopt() preserves the content of argv[]
1011 for the subsequent getopt_long() call */
1012 #define OPTSTRING "-2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1014 static const char optstring[] = OPTSTRING;
1016 cmdarg_err_init(failure_message, failure_message_cont);
1019 arg_list_utf_16to8(argc, argv);
1020 create_app_running_mutex();
1021 #if !GLIB_CHECK_VERSION(2,31,0)
1022 g_thread_init(NULL);
1027 * Get credential information for later use, and drop privileges
1028 * before doing anything else.
1029 * Let the user know if anything happened.
1031 init_process_policies();
1032 relinquish_special_privs_perm();
1033 print_current_user();
1036 * Attempt to get the pathname of the executable file.
1038 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1039 if (init_progfile_dir_error != NULL) {
1040 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1041 init_progfile_dir_error);
1044 initialize_funnel_ops();
1047 /* Load wpcap if possible. Do this before collecting the run-time version information */
1050 /* Warn the user if npf.sys isn't loaded. */
1051 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1052 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1053 "capturing or\nlisting interfaces.\n");
1057 /* Assemble the compile-time version information string */
1058 comp_info_str = g_string_new("Compiled ");
1059 get_compiled_version_info(comp_info_str, get_tshark_compiled_version_info,
1060 epan_get_compiled_version_info);
1062 /* Assemble the run-time version information string */
1063 runtime_info_str = g_string_new("Running ");
1064 get_runtime_version_info(runtime_info_str, get_tshark_runtime_version_info);
1066 /* Add it to the information to be reported on a crash. */
1067 ws_add_crash_info("TShark (Wireshark) %s\n"
1072 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1075 * In order to have the -X opts assigned before the wslua machine starts
1076 * we need to call getopts before epan_init() gets called.
1079 optind_initial = optind;
1081 while ((opt = getopt(argc, argv, optstring)) != -1) {
1083 case 'C': /* Configuration Profile */
1084 if (profile_exists (optarg, FALSE)) {
1085 set_profile_name (optarg);
1087 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1091 case 'P': /* Print packet summary info even when writing to a file */
1092 print_packet_info = TRUE;
1093 print_summary = TRUE;
1095 case 'O': /* Only output these protocols */
1096 output_only = g_strdup(optarg);
1098 case 'V': /* Verbose */
1099 print_details = TRUE;
1100 print_packet_info = TRUE;
1102 case 'x': /* Print packet data in hex (and ASCII) */
1104 /* The user asked for hex output, so let's ensure they get it,
1105 * even if they're writing to a file.
1107 print_packet_info = TRUE;
1118 * Print packet summary information is the default, unless either -V or -x
1119 * were specified and -P was not. Note that this is new behavior, which
1120 * allows for the possibility of printing only hex/ascii output without
1121 * necessarily requiring that either the summary or details be printed too.
1123 if (print_summary == -1)
1124 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1126 optind = optind_initial;
1131 /** Send All g_log messages to our own handler **/
1135 G_LOG_LEVEL_CRITICAL|
1136 G_LOG_LEVEL_WARNING|
1137 G_LOG_LEVEL_MESSAGE|
1140 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1142 g_log_set_handler(NULL,
1143 (GLogLevelFlags)log_flags,
1144 tshark_log_handler, NULL /* user_data */);
1145 g_log_set_handler(LOG_DOMAIN_MAIN,
1146 (GLogLevelFlags)log_flags,
1147 tshark_log_handler, NULL /* user_data */);
1150 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1151 (GLogLevelFlags)log_flags,
1152 tshark_log_handler, NULL /* user_data */);
1153 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1154 (GLogLevelFlags)log_flags,
1155 tshark_log_handler, NULL /* user_data */);
1158 init_report_err(failure_message, open_failure_message, read_failure_message,
1159 write_failure_message);
1162 capture_opts_init(&global_capture_opts);
1163 capture_session_init(&global_capture_session, (void *)&cfile);
1166 timestamp_set_type(TS_RELATIVE);
1167 timestamp_set_precision(TS_PREC_AUTO);
1168 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1170 init_open_routines();
1173 /* Register all the plugin types we have. */
1174 epan_register_plugin_types(); /* Types known to libwireshark */
1175 wtap_register_plugin_types(); /* Types known to libwiretap */
1177 /* Scan for plugins. This does *not* call their registration routines;
1178 that's done later. */
1181 /* Register all libwiretap plugin modules. */
1182 register_all_wiretap_modules();
1185 /* Register all dissectors; we must do this before checking for the
1186 "-G" flag, as the "-G" flag dumps information registered by the
1187 dissectors, and we must do it before we read the preferences, in
1188 case any dissectors register preferences. */
1189 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1191 /* Register all tap listeners; we do this before we parse the arguments,
1192 as the "-z" argument can specify a registered tap. */
1194 /* we register the plugin taps before the other taps because
1195 stats_tree taps plugins will be registered as tap listeners
1196 by stats_tree_stat.c and need to registered before that */
1198 register_all_plugin_tap_listeners();
1200 register_all_tap_listeners();
1202 /* If invoked with the "-G" flag, we dump out information based on
1203 the argument to the "-G" flag; if no argument is specified,
1204 for backwards compatibility we dump out a glossary of display
1207 XXX - we do this here, for now, to support "-G" with no arguments.
1208 If none of our build or other processes uses "-G" with no arguments,
1209 we can just process it with the other arguments. */
1210 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1211 proto_initialize_all_prefixes();
1214 proto_registrar_dump_fields();
1216 if (strcmp(argv[2], "column-formats") == 0)
1217 column_dump_column_formats();
1218 else if (strcmp(argv[2], "currentprefs") == 0) {
1219 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1220 &pf_open_errno, &pf_read_errno, &pf_path);
1223 else if (strcmp(argv[2], "decodes") == 0)
1224 dissector_dump_decodes();
1225 else if (strcmp(argv[2], "defaultprefs") == 0)
1227 else if (strcmp(argv[2], "fields") == 0)
1228 proto_registrar_dump_fields();
1229 else if (strcmp(argv[2], "ftypes") == 0)
1230 proto_registrar_dump_ftypes();
1231 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1232 dissector_dump_heur_decodes();
1233 else if (strcmp(argv[2], "plugins") == 0) {
1238 wslua_plugins_dump_all();
1241 else if (strcmp(argv[2], "protocols") == 0)
1242 proto_registrar_dump_protocols();
1243 else if (strcmp(argv[2], "values") == 0)
1244 proto_registrar_dump_values();
1245 else if (strcmp(argv[2], "?") == 0)
1246 glossary_option_help();
1247 else if (strcmp(argv[2], "-?") == 0)
1248 glossary_option_help();
1250 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1257 /* Set the C-language locale to the native environment. */
1258 setlocale(LC_ALL, "");
1260 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1261 &pf_open_errno, &pf_read_errno, &pf_path);
1262 if (gpf_path != NULL) {
1263 if (gpf_open_errno != 0) {
1264 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1265 pf_path, g_strerror(gpf_open_errno));
1267 if (gpf_read_errno != 0) {
1268 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1269 pf_path, g_strerror(gpf_read_errno));
1272 if (pf_path != NULL) {
1273 if (pf_open_errno != 0) {
1274 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1275 g_strerror(pf_open_errno));
1277 if (pf_read_errno != 0) {
1278 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1279 pf_path, g_strerror(pf_read_errno));
1285 /* Read the disabled protocols file. */
1286 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1287 &dp_path, &dp_open_errno, &dp_read_errno);
1288 if (gdp_path != NULL) {
1289 if (gdp_open_errno != 0) {
1290 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1291 gdp_path, g_strerror(gdp_open_errno));
1293 if (gdp_read_errno != 0) {
1294 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1295 gdp_path, g_strerror(gdp_read_errno));
1299 if (dp_path != NULL) {
1300 if (dp_open_errno != 0) {
1302 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1303 g_strerror(dp_open_errno));
1305 if (dp_read_errno != 0) {
1307 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1308 g_strerror(dp_read_errno));
1313 cap_file_init(&cfile);
1315 /* Print format defaults to this. */
1316 print_format = PR_FMT_TEXT;
1318 output_fields = output_fields_new();
1320 /* Now get our args */
1321 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1323 case '2': /* Perform two pass analysis */
1324 perform_two_pass_analysis = TRUE;
1326 case 'a': /* autostop criteria */
1327 case 'b': /* Ringbuffer option */
1328 case 'c': /* Capture x packets */
1329 case 'f': /* capture filter */
1330 case 'g': /* enable group read access on file(s) */
1331 case 'i': /* Use interface x */
1332 case 'p': /* Don't capture in promiscuous mode */
1333 #ifdef HAVE_PCAP_REMOTE
1334 case 'A': /* Authentication */
1336 #ifdef HAVE_PCAP_CREATE
1337 case 'I': /* Capture in monitor mode, if available */
1339 case 's': /* Set the snapshot (capture) length */
1340 case 'w': /* Write to capture file x */
1341 case 'y': /* Set the pcap data link type */
1342 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1343 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1344 case 'B': /* Buffer size */
1345 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1347 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1354 * Output file name, if we're reading a file and writing to another
1357 output_file_name = optarg;
1359 capture_option_specified = TRUE;
1365 /* Configuration profile settings were already processed just ignore them this time*/
1367 case 'd': /* Decode as rule */
1368 if (!add_decode_as(optarg))
1371 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1372 case 'K': /* Kerberos keytab file */
1373 read_keytab_file(optarg);
1376 case 'D': /* Print a list of capture devices and exit */
1378 if_list = capture_interface_list(&err, &err_str,NULL);
1379 if (if_list == NULL) {
1381 case CANT_GET_INTERFACE_LIST:
1382 case DONT_HAVE_PCAP:
1383 cmdarg_err("%s", err_str);
1387 case NO_INTERFACES_FOUND:
1388 cmdarg_err("There are no interfaces on which a capture can be done");
1393 capture_opts_print_interfaces(if_list);
1394 free_interface_list(if_list);
1397 capture_option_specified = TRUE;
1403 output_fields_add(output_fields, optarg);
1407 if (!output_fields_set_option(output_fields, optarg)) {
1408 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1409 output_fields_list_options(stderr);
1414 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1415 if (out_file_type < 0) {
1416 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1417 list_capture_types();
1421 case 'W': /* Select extra information to save in our capture file */
1422 /* This is patterned after the -N flag which may not be the best idea. */
1423 if (strchr(optarg, 'n')) {
1424 out_file_name_res = TRUE;
1426 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1427 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1431 case 'H': /* Read address to name mappings from a hosts file */
1432 if (! add_hosts_file(optarg))
1434 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1437 out_file_name_res = TRUE;
1440 case 'h': /* Print help and exit */
1441 printf("TShark (Wireshark) %s\n"
1442 "Dump and analyze network traffic.\n"
1443 "See http://www.wireshark.org for more information.\n",
1444 get_ws_vcs_version_info());
1445 print_usage(stdout);
1448 case 'l': /* "Line-buffer" standard output */
1449 /* This isn't line-buffering, strictly speaking, it's just
1450 flushing the standard output after the information for
1451 each packet is printed; however, that should be good
1452 enough for all the purposes to which "-l" is put (and
1453 is probably actually better for "-V", as it does fewer
1456 See the comment in "process_packet()" for an explanation of
1457 why we do that, and why we don't just use "setvbuf()" to
1458 make the standard output line-buffered (short version: in
1459 Windows, "line-buffered" is the same as "fully-buffered",
1460 and the output buffer is only flushed when it fills up). */
1461 line_buffered = TRUE;
1463 case 'L': /* Print list of link-layer types and exit */
1465 list_link_layer_types = TRUE;
1467 capture_option_specified = TRUE;
1471 case 'n': /* No name resolution */
1472 gbl_resolv_flags.mac_name = FALSE;
1473 gbl_resolv_flags.network_name = FALSE;
1474 gbl_resolv_flags.transport_name = FALSE;
1475 gbl_resolv_flags.concurrent_dns = FALSE;
1477 case 'N': /* Select what types of addresses/port #s to resolve */
1478 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1479 if (badopt != '\0') {
1480 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1482 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1483 "\t'm' to enable MAC address resolution\n"
1484 "\t'n' to enable network address resolution\n"
1485 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1486 "\t for network address resolution\n"
1487 "\t't' to enable transport-layer port number resolution");
1491 case 'o': /* Override preference from command line */
1492 switch (prefs_set_pref(optarg)) {
1497 case PREFS_SET_SYNTAX_ERR:
1498 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1502 case PREFS_SET_NO_SUCH_PREF:
1503 case PREFS_SET_OBSOLETE:
1504 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1509 case 'q': /* Quiet */
1512 case 'Q': /* Really quiet */
1514 really_quiet = TRUE;
1516 case 'r': /* Read capture file x */
1517 cf_name = g_strdup(optarg);
1519 case 'R': /* Read file filter */
1523 /* already processed; just ignore it now */
1525 case 'S': /* Set the line Separator to be printed between packets */
1528 case 't': /* Time stamp type */
1529 if (strcmp(optarg, "r") == 0)
1530 timestamp_set_type(TS_RELATIVE);
1531 else if (strcmp(optarg, "a") == 0)
1532 timestamp_set_type(TS_ABSOLUTE);
1533 else if (strcmp(optarg, "ad") == 0)
1534 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1535 else if (strcmp(optarg, "adoy") == 0)
1536 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1537 else if (strcmp(optarg, "d") == 0)
1538 timestamp_set_type(TS_DELTA);
1539 else if (strcmp(optarg, "dd") == 0)
1540 timestamp_set_type(TS_DELTA_DIS);
1541 else if (strcmp(optarg, "e") == 0)
1542 timestamp_set_type(TS_EPOCH);
1543 else if (strcmp(optarg, "u") == 0)
1544 timestamp_set_type(TS_UTC);
1545 else if (strcmp(optarg, "ud") == 0)
1546 timestamp_set_type(TS_UTC_WITH_YMD);
1547 else if (strcmp(optarg, "udoy") == 0)
1548 timestamp_set_type(TS_UTC_WITH_YDOY);
1550 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1551 cmdarg_err_cont("\t\"a\" for absolute\n"
1552 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1553 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1554 "\t\"d\" for delta\n"
1555 "\t\"dd\" for delta displayed\n"
1556 "\t\"e\" for epoch\n"
1557 "\t\"r\" for relative\n"
1558 "\t\"u\" for absolute UTC\n"
1559 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1560 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1564 case 'T': /* printing Type */
1565 print_packet_info = TRUE;
1566 if (strcmp(optarg, "text") == 0) {
1567 output_action = WRITE_TEXT;
1568 print_format = PR_FMT_TEXT;
1569 } else if (strcmp(optarg, "ps") == 0) {
1570 output_action = WRITE_TEXT;
1571 print_format = PR_FMT_PS;
1572 } else if (strcmp(optarg, "pdml") == 0) {
1573 output_action = WRITE_XML;
1574 print_details = TRUE; /* Need details */
1575 print_summary = FALSE; /* Don't allow summary */
1576 } else if (strcmp(optarg, "psml") == 0) {
1577 output_action = WRITE_XML;
1578 print_details = FALSE; /* Don't allow details */
1579 print_summary = TRUE; /* Need summary */
1580 } else if (strcmp(optarg, "fields") == 0) {
1581 output_action = WRITE_FIELDS;
1582 print_details = TRUE; /* Need full tree info */
1583 print_summary = FALSE; /* Don't allow summary */
1585 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1586 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1587 "\t specified by the -E option.\n"
1588 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1589 "\t details of a decoded packet. This information is equivalent to\n"
1590 "\t the packet details printed with the -V flag.\n"
1591 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1592 "\t the packets, or a multi-line view of the details of each of\n"
1593 "\t the packets, depending on whether the -V flag was specified.\n"
1594 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1595 "\t summary information of a decoded packet. This information is\n"
1596 "\t equivalent to the information shown in the one-line summary\n"
1597 "\t printed by default.\n"
1598 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1599 "\t packets, or a multi-line view of the details of each of the\n"
1600 "\t packets, depending on whether the -V flag was specified.\n"
1601 "\t This is the default.");
1605 case 'u': /* Seconds type */
1606 if (strcmp(optarg, "s") == 0)
1607 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1608 else if (strcmp(optarg, "hms") == 0)
1609 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1611 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1612 cmdarg_err_cont("\t\"s\" for seconds\n"
1613 "\t\"hms\" for hours, minutes and seconds");
1617 case 'v': /* Show version and exit */
1619 show_version(comp_info_str, runtime_info_str);
1620 g_string_free(comp_info_str, TRUE);
1621 g_string_free(runtime_info_str, TRUE);
1622 /* We don't really have to cleanup here, but it's a convenient way to test
1623 * start-up and shut-down of the epan library without any UI-specific
1624 * cruft getting in the way. Makes the results of running
1625 * $ ./tools/valgrind-wireshark -n
1626 * much more useful. */
1630 case 'O': /* Only output these protocols */
1631 /* already processed; just ignore it now */
1633 case 'V': /* Verbose */
1634 /* already processed; just ignore it now */
1636 case 'x': /* Print packet data in hex (and ASCII) */
1637 /* already processed; just ignore it now */
1645 /* We won't call the init function for the stat this soon
1646 as it would disallow MATE's fields (which are registered
1647 by the preferences set callback) from being used as
1648 part of a tap filter. Instead, we just add the argument
1649 to a list of stat arguments. */
1650 if (!process_stat_cmd_arg(optarg)) {
1651 if (strcmp("help", optarg)==0) {
1652 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1653 list_stat_cmd_args();
1656 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1657 list_stat_cmd_args();
1662 case '?': /* Bad flag - print usage message */
1665 list_capture_types();
1668 print_usage(stderr);
1675 /* If we specified output fields, but not the output field type... */
1676 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1677 cmdarg_err("Output fields were specified with \"-e\", "
1678 "but \"-Tfields\" was not specified.");
1680 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1681 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1682 "specified with \"-e\".");
1687 /* If no capture filter or display filter has been specified, and there are
1688 still command-line arguments, treat them as the tokens of a capture
1689 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1690 flag was specified. */
1691 if (optind < argc) {
1692 if (cf_name != NULL) {
1693 if (dfilter != NULL) {
1694 cmdarg_err("Display filters were specified both with \"-d\" "
1695 "and with additional command-line arguments.");
1698 dfilter = get_args_as_string(argc, argv, optind);
1703 if (global_capture_opts.default_options.cfilter) {
1704 cmdarg_err("A default capture filter was specified both with \"-f\""
1705 " and with additional command-line arguments.");
1708 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1709 interface_options interface_opts;
1710 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1711 if (interface_opts.cfilter == NULL) {
1712 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1713 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1714 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1716 cmdarg_err("A capture filter was specified both with \"-f\""
1717 " and with additional command-line arguments.");
1721 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1723 capture_option_specified = TRUE;
1729 if (!global_capture_opts.saving_to_file) {
1730 /* We're not saving the capture to a file; if "-q" wasn't specified,
1731 we should print packet information */
1733 print_packet_info = TRUE;
1735 /* We're saving to a file; if we're writing to the standard output.
1736 and we'll also be writing dissected packets to the standard
1737 output, reject the request. At best, we could redirect that
1738 to the standard error; we *can't* write both to the standard
1739 output and have either of them be useful. */
1740 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1741 cmdarg_err("You can't write both raw packet data and dissected packets"
1742 " to the standard output.");
1747 /* We're not saving the capture to a file; if "-q" wasn't specified,
1748 we should print packet information */
1750 print_packet_info = TRUE;
1753 #ifndef HAVE_LIBPCAP
1754 if (capture_option_specified)
1755 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1758 print_usage(stderr);
1763 if (output_action != WRITE_TEXT) {
1764 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1769 if (output_only != NULL) {
1772 if (!print_details) {
1773 cmdarg_err("-O requires -V");
1777 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1778 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1779 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1783 if (rfilter != NULL && !perform_two_pass_analysis) {
1784 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1789 if (list_link_layer_types) {
1790 /* We're supposed to list the link-layer types for an interface;
1791 did the user also specify a capture file to be read? */
1793 /* Yes - that's bogus. */
1794 cmdarg_err("You can't specify -L and a capture file to be read.");
1797 /* No - did they specify a ring buffer option? */
1798 if (global_capture_opts.multi_files_on) {
1799 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1805 * "-r" was specified, so we're reading a capture file.
1806 * Capture options don't apply here.
1809 /* We don't support capture filters when reading from a capture file
1810 (the BPF compiler doesn't support all link-layer types that we
1811 support in capture files we read). */
1812 if (global_capture_opts.default_options.cfilter) {
1813 cmdarg_err("Only read filters, not capture filters, "
1814 "can be specified when reading a capture file.");
1817 if (global_capture_opts.multi_files_on) {
1818 cmdarg_err("Multiple capture files requested, but "
1819 "a capture isn't being done.");
1822 if (global_capture_opts.has_file_duration) {
1823 cmdarg_err("Switching capture files after a time interval was specified, but "
1824 "a capture isn't being done.");
1827 if (global_capture_opts.has_ring_num_files) {
1828 cmdarg_err("A ring buffer of capture files was specified, but "
1829 "a capture isn't being done.");
1832 if (global_capture_opts.has_autostop_files) {
1833 cmdarg_err("A maximum number of capture files was specified, but "
1834 "a capture isn't being done.");
1837 if (global_capture_opts.capture_comment) {
1838 cmdarg_err("A capture comment was specified, but "
1839 "a capture isn't being done.\nThere's no support for adding "
1840 "a capture comment to an existing capture file.");
1844 /* Note: TShark now allows the restriction of a _read_ file by packet count
1845 * and byte count as well as a write file. Other autostop options remain valid
1846 * only for a write file.
1848 if (global_capture_opts.has_autostop_duration) {
1849 cmdarg_err("A maximum capture time was specified, but "
1850 "a capture isn't being done.");
1855 * "-r" wasn't specified, so we're doing a live capture.
1857 if (perform_two_pass_analysis) {
1858 /* Two-pass analysis doesn't work with live capture since it requires us
1859 * to buffer packets until we've read all of them, but a live capture
1860 * has no useful/meaningful definition of "all" */
1861 cmdarg_err("Live captures do not support two-pass analysis.");
1865 if (global_capture_opts.saving_to_file) {
1866 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1868 /* When capturing, we only support writing pcap or pcap-ng format. */
1869 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1870 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1871 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1874 if (global_capture_opts.capture_comment &&
1875 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1876 cmdarg_err("A capture comment can only be written to a pcapng file.");
1879 if (global_capture_opts.multi_files_on) {
1880 /* Multiple-file mode doesn't work under certain conditions:
1881 a) it doesn't work if you're writing to the standard output;
1882 b) it doesn't work if you're writing to a pipe;
1884 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1885 cmdarg_err("Multiple capture files requested, but "
1886 "the capture is being written to the standard output.");
1889 if (global_capture_opts.output_to_pipe) {
1890 cmdarg_err("Multiple capture files requested, but "
1891 "the capture file is a pipe.");
1894 if (!global_capture_opts.has_autostop_filesize &&
1895 !global_capture_opts.has_file_duration) {
1896 cmdarg_err("Multiple capture files requested, but "
1897 "no maximum capture file size or duration was specified.");
1901 /* Currently, we don't support read or display filters when capturing
1902 and saving the packets. */
1903 if (rfilter != NULL) {
1904 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1907 if (dfilter != NULL) {
1908 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1911 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1913 /* They didn't specify a "-w" flag, so we won't be saving to a
1914 capture file. Check for options that only make sense if
1915 we're saving to a file. */
1916 if (global_capture_opts.has_autostop_filesize) {
1917 cmdarg_err("Maximum capture file size specified, but "
1918 "capture isn't being saved to a file.");
1921 if (global_capture_opts.multi_files_on) {
1922 cmdarg_err("Multiple capture files requested, but "
1923 "the capture isn't being saved to a file.");
1926 if (global_capture_opts.capture_comment) {
1927 cmdarg_err("A capture comment was specified, but "
1928 "the capture isn't being saved to a file.");
1937 /* Start windows sockets */
1938 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1941 /* Notify all registered modules that have had any of their preferences
1942 changed either from one of the preferences file or from the command
1943 line that their preferences have changed. */
1946 /* At this point MATE will have registered its field array so we can
1947 have a tap filter with one of MATE's late-registered fields as part
1948 of the filter. We can now process all the "-z" arguments. */
1949 start_requested_stats();
1951 /* At this point MATE will have registered its field array so we can
1952 check if the fields specified by the user are all good.
1954 if (!output_fields_valid(output_fields)) {
1955 cmdarg_err("Some fields aren't valid");
1960 /* We currently don't support taps, or printing dissected packets,
1961 if we're writing to a pipe. */
1962 if (global_capture_opts.saving_to_file &&
1963 global_capture_opts.output_to_pipe) {
1964 if (tap_listeners_require_dissection()) {
1965 cmdarg_err("Taps aren't supported when saving to a pipe.");
1968 if (print_packet_info) {
1969 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1975 if (ex_opt_count("read_format") > 0) {
1976 const gchar* name = ex_opt_get_next("read_format");
1977 in_file_type = open_info_name_to_type(name);
1978 if (in_file_type == WTAP_TYPE_AUTO) {
1979 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1980 list_read_capture_types();
1985 /* disabled protocols as per configuration file */
1986 if (gdp_path == NULL && dp_path == NULL) {
1987 set_disabled_protos_list();
1990 /* Build the column format array */
1991 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1994 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1995 capture_opts_trim_ring_num_files(&global_capture_opts);
1998 if (rfilter != NULL) {
1999 if (!dfilter_compile(rfilter, &rfcode)) {
2000 cmdarg_err("%s", dfilter_error_msg);
2002 #ifdef HAVE_PCAP_OPEN_DEAD
2006 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2008 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2010 " Note: That read filter code looks like a valid capture filter;\n"
2011 " maybe you mixed them up?");
2020 cfile.rfcode = rfcode;
2022 if (dfilter != NULL) {
2023 if (!dfilter_compile(dfilter, &dfcode)) {
2024 cmdarg_err("%s", dfilter_error_msg);
2026 #ifdef HAVE_PCAP_OPEN_DEAD
2030 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2032 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2034 " Note: That display filter code looks like a valid capture filter;\n"
2035 " maybe you mixed them up?");
2044 cfile.dfcode = dfcode;
2046 if (print_packet_info) {
2047 /* If we're printing as text or PostScript, we have
2048 to create a print stream. */
2049 if (output_action == WRITE_TEXT) {
2050 switch (print_format) {
2053 print_stream = print_stream_text_stdio_new(stdout);
2057 print_stream = print_stream_ps_stdio_new(stdout);
2061 g_assert_not_reached();
2066 /* We have to dissect each packet if:
2068 we're printing information about each packet;
2070 we're using a read filter on the packets;
2072 we're using a display filter on the packets;
2074 we're using any taps that need dissection. */
2075 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2079 * We're reading a capture file.
2081 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2086 /* Set timestamp precision; there should arguably be a command-line
2087 option to let the user set this. */
2088 switch(wtap_file_tsprecision(cfile.wth)) {
2089 case(WTAP_FILE_TSPREC_SEC):
2090 timestamp_set_precision(TS_PREC_AUTO_SEC);
2092 case(WTAP_FILE_TSPREC_DSEC):
2093 timestamp_set_precision(TS_PREC_AUTO_DSEC);
2095 case(WTAP_FILE_TSPREC_CSEC):
2096 timestamp_set_precision(TS_PREC_AUTO_CSEC);
2098 case(WTAP_FILE_TSPREC_MSEC):
2099 timestamp_set_precision(TS_PREC_AUTO_MSEC);
2101 case(WTAP_FILE_TSPREC_USEC):
2102 timestamp_set_precision(TS_PREC_AUTO_USEC);
2104 case(WTAP_FILE_TSPREC_NSEC):
2105 timestamp_set_precision(TS_PREC_AUTO_NSEC);
2108 g_assert_not_reached();
2111 /* Process the packets in the file */
2114 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2115 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2116 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2118 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2121 CATCH(OutOfMemoryError) {
2125 "Sorry, but TShark has to terminate now!\n"
2127 "Some infos / workarounds can be found at:\n"
2128 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2133 /* We still dump out the results of taps, etc., as we might have
2134 read some packets; however, we exit with an error status. */
2138 /* No capture file specified, so we're supposed to do a live capture
2139 or get a list of link-layer types for a live capture device;
2140 do we have support for live captures? */
2142 /* if no interface was specified, pick a default */
2143 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2144 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2145 if (exit_status != 0)
2148 /* if requested, list the link layer types and exit */
2149 if (list_link_layer_types) {
2152 /* Get the list of link-layer types for the capture devices. */
2153 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2154 interface_options interface_opts;
2155 if_capabilities_t *caps;
2157 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2158 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2160 cmdarg_err("%s", err_str);
2164 if (caps->data_link_types == NULL) {
2165 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2168 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2169 free_if_capabilities(caps);
2175 * If the standard error isn't a terminal, don't print packet counts,
2176 * as they won't show up on the user's terminal and they'll get in
2177 * the way of error messages in the file (to which we assume the
2178 * standard error was redirected; if it's redirected to the null
2179 * device, there's no point in printing packet counts anyway).
2181 * Otherwise, if we're printing packet information and the standard
2182 * output is a terminal (which we assume means the standard output and
2183 * error are going to the same terminal), don't print packet counts,
2184 * as they'll get in the way of the packet information.
2186 * Otherwise, if the user specified -q, don't print packet counts.
2188 * Otherwise, print packet counts.
2190 * XXX - what if the user wants to do a live capture, doesn't want
2191 * to save it to a file, doesn't want information printed for each
2192 * packet, does want some "-z" statistic, and wants packet counts
2193 * so they know whether they're seeing any packets? -q will
2194 * suppress the information printed for each packet, but it'll
2195 * also suppress the packet counts.
2197 if (!isatty(fileno(stderr)))
2198 print_packet_counts = FALSE;
2199 else if (print_packet_info && isatty(fileno(stdout)))
2200 print_packet_counts = FALSE;
2202 print_packet_counts = FALSE;
2204 print_packet_counts = TRUE;
2206 if (print_packet_info) {
2207 if (!write_preamble(NULL)) {
2208 show_print_file_io_error(errno);
2213 /* For now, assume libpcap gives microsecond precision. */
2214 timestamp_set_precision(TS_PREC_AUTO_USEC);
2217 * XXX - this returns FALSE if an error occurred, but it also
2218 * returns FALSE if the capture stops because a time limit
2219 * was reached (and possibly other limits), so we can't assume
2220 * it means an error.
2222 * The capture code is a bit twisty, so it doesn't appear to
2223 * be an easy fix. We just ignore the return value for now.
2224 * Instead, pass on the exit status from the capture child.
2227 exit_status = global_capture_session.fork_child_status;
2229 if (print_packet_info) {
2230 if (!write_finale()) {
2232 show_print_file_io_error(err);
2236 /* No - complain. */
2237 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2244 if (cfile.frames != NULL) {
2245 free_frame_data_sequence(cfile.frames);
2246 cfile.frames = NULL;
2249 draw_tap_listeners(TRUE);
2250 funnel_dump_all_text_windows();
2251 epan_free(cfile.epan);
2254 output_fields_free(output_fields);
2255 output_fields = NULL;
2260 /*#define USE_BROKEN_G_MAIN_LOOP*/
2262 #ifdef USE_BROKEN_G_MAIN_LOOP
2265 gboolean loop_running = FALSE;
2267 guint32 packet_count = 0;
2270 typedef struct pipe_input_tag {
2274 pipe_input_cb_t input_cb;
2275 guint pipe_input_id;
2277 GMutex *callback_running;
2281 static pipe_input_t pipe_input;
2284 /* The timer has expired, see if there's stuff to read from the pipe,
2285 if so, do the callback */
2287 pipe_timer_cb(gpointer data)
2293 pipe_input_t *pipe_input_p = data;
2294 gint iterations = 0;
2296 g_mutex_lock (pipe_input_p->callback_running);
2298 /* try to read data from the pipe only 5 times, to avoid blocking */
2299 while(iterations < 5) {
2300 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2302 /* Oddly enough although Named pipes don't work on win9x,
2303 PeekNamedPipe does !!! */
2304 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2305 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2307 /* Get the child process exit status */
2308 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2311 /* If the Peek returned an error, or there are bytes to be read
2312 or the childwatcher thread has terminated then call the normal
2314 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2316 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2318 /* And call the real handler */
2319 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2320 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2321 /* pipe closed, return false so that the timer is stopped */
2322 g_mutex_unlock (pipe_input_p->callback_running);
2327 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2328 /* No data, stop now */
2335 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2337 g_mutex_unlock (pipe_input_p->callback_running);
2339 /* we didn't stopped the timer, so let it run */
2346 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2349 pipe_input.source = source;
2350 pipe_input.child_process = child_process;
2351 pipe_input.user_data = user_data;
2352 pipe_input.input_cb = input_cb;
2355 #if GLIB_CHECK_VERSION(2,31,0)
2356 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2357 g_mutex_init(pipe_input.callback_running);
2359 pipe_input.callback_running = g_mutex_new();
2361 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2362 do this but that doesn't cover all win32 platforms. GTK can do
2363 this but doesn't seem to work over processes. Attempt to do
2364 something similar here, start a timer and check for data on every
2366 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2367 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2371 static const nstime_t *
2372 tshark_get_frame_ts(void *data, guint32 frame_num)
2374 capture_file *cf = (capture_file *) data;
2376 if (ref && ref->num == frame_num)
2377 return &ref->abs_ts;
2379 if (prev_dis && prev_dis->num == frame_num)
2380 return &prev_dis->abs_ts;
2382 if (prev_cap && prev_cap->num == frame_num)
2383 return &prev_cap->abs_ts;
2386 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2388 return (fd) ? &fd->abs_ts : NULL;
2395 tshark_epan_new(capture_file *cf)
2397 epan_t *epan = epan_new();
2400 epan->get_frame_ts = tshark_get_frame_ts;
2401 epan->get_interface_name = cap_file_get_interface_name;
2402 epan->get_user_comment = NULL;
2413 GString *str = g_string_new("");
2414 #ifdef USE_TSHARK_SELECT
2418 struct sigaction action, oldaction;
2421 /* Create new dissection section. */
2422 epan_free(cfile.epan);
2423 cfile.epan = tshark_epan_new(&cfile);
2426 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2427 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2429 /* Catch SIGINT and SIGTERM and, if we get either of them,
2430 clean up and exit. If SIGHUP isn't being ignored, catch
2431 it too and, if we get it, clean up and exit.
2433 We restart any read that was in progress, so that it doesn't
2434 disrupt reading from the sync pipe. The signal handler tells
2435 the capture child to finish; it will report that it finished,
2436 or will exit abnormally, so we'll stop reading from the sync
2437 pipe, pick up the exit status, and quit. */
2438 memset(&action, 0, sizeof(action));
2439 action.sa_handler = capture_cleanup;
2440 action.sa_flags = SA_RESTART;
2441 sigemptyset(&action.sa_mask);
2442 sigaction(SIGTERM, &action, NULL);
2443 sigaction(SIGINT, &action, NULL);
2444 sigaction(SIGHUP, NULL, &oldaction);
2445 if (oldaction.sa_handler == SIG_DFL)
2446 sigaction(SIGHUP, &action, NULL);
2449 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2450 quiet mode, report the number of packets we've captured.
2452 Again, restart any read that was in progress, so that it doesn't
2453 disrupt reading from the sync pipe. */
2454 action.sa_handler = report_counts_siginfo;
2455 action.sa_flags = SA_RESTART;
2456 sigemptyset(&action.sa_mask);
2457 sigaction(SIGINFO, &action, NULL);
2458 #endif /* SIGINFO */
2461 global_capture_session.state = CAPTURE_PREPARING;
2463 /* Let the user know which interfaces were chosen. */
2464 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2465 interface_options interface_opts;
2467 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2468 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2469 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2470 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2473 if (global_capture_opts.ifaces->len < 2)
2475 if (global_capture_opts.ifaces->len < 4)
2478 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2479 interface_options interface_opts;
2481 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2483 if (global_capture_opts.ifaces->len > 2) {
2484 g_string_append_printf(str, ",");
2486 g_string_append_printf(str, " ");
2487 if (i == global_capture_opts.ifaces->len - 1) {
2488 g_string_append_printf(str, "and ");
2491 g_string_append_printf(str, "'%s'", interface_opts.descr);
2494 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2496 if (really_quiet == FALSE)
2497 fprintf(stderr, "Capturing on %s\n", str->str);
2499 g_string_free(str, TRUE);
2501 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2506 /* the actual capture loop
2508 * XXX - glib doesn't seem to provide any event based loop handling.
2510 * XXX - for whatever reason,
2511 * calling g_main_loop_new() ends up in 100% cpu load.
2513 * But that doesn't matter: in UNIX we can use select() to find an input
2514 * source with something to do.
2516 * But that doesn't matter because we're in a CLI (that doesn't need to
2517 * update a GUI or something at the same time) so it's OK if we block
2518 * trying to read from the pipe.
2520 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2521 * wrong (but I leave it there in case I am...).
2524 #ifdef USE_TSHARK_SELECT
2526 FD_SET(pipe_input.source, &readfds);
2529 loop_running = TRUE;
2533 while (loop_running)
2535 #ifdef USE_TSHARK_SELECT
2536 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2540 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2542 } else if (ret == 1) {
2544 /* Call the real handler */
2545 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2546 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2549 #ifdef USE_TSHARK_SELECT
2554 CATCH(OutOfMemoryError) {
2558 "Sorry, but TShark has to terminate now!\n"
2560 "Some infos / workarounds can be found at:\n"
2561 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2568 /* capture child detected an error */
2570 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2572 cmdarg_err("%s", error_msg);
2573 cmdarg_err_cont("%s", secondary_error_msg);
2577 /* capture child detected an capture filter related error */
2579 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2581 capture_options *capture_opts = cap_session->capture_opts;
2582 dfilter_t *rfcode = NULL;
2583 interface_options interface_opts;
2585 g_assert(i < capture_opts->ifaces->len);
2586 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2588 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2590 "Invalid capture filter \"%s\" for interface '%s'!\n"
2592 "That string looks like a valid display filter; however, it isn't a valid\n"
2593 "capture filter (%s).\n"
2595 "Note that display filters and capture filters don't have the same syntax,\n"
2596 "so you can't use most display filter expressions as capture filters.\n"
2598 "See the User's Guide for a description of the capture filter syntax.",
2599 interface_opts.cfilter, interface_opts.descr, error_message);
2600 dfilter_free(rfcode);
2603 "Invalid capture filter \"%s\" for interface '%s'!\n"
2605 "That string isn't a valid capture filter (%s).\n"
2606 "See the User's Guide for a description of the capture filter syntax.",
2607 interface_opts.cfilter, interface_opts.descr, error_message);
2612 /* capture child tells us we have a new (or the first) capture file */
2614 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2616 capture_options *capture_opts = cap_session->capture_opts;
2617 gboolean is_tempfile;
2620 if (cap_session->state == CAPTURE_PREPARING) {
2621 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2623 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2625 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2627 /* free the old filename */
2628 if (capture_opts->save_file != NULL) {
2630 /* we start a new capture file, close the old one (if we had one before) */
2631 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2632 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2633 wtap_close(((capture_file *) cap_session->cf)->wth);
2634 ((capture_file *) cap_session->cf)->wth = NULL;
2636 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2639 g_free(capture_opts->save_file);
2640 is_tempfile = FALSE;
2642 /* we didn't had a save_file before, must be a tempfile */
2646 /* save the new filename */
2647 capture_opts->save_file = g_strdup(new_file);
2649 /* if we are in real-time mode, open the new file now */
2650 if (do_dissection) {
2651 /* this is probably unecessary, but better safe than sorry */
2652 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2653 /* Attempt to open the capture file and set up to read from it. */
2654 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2658 /* Don't unlink (delete) the save file - leave it around,
2659 for debugging purposes. */
2660 g_free(capture_opts->save_file);
2661 capture_opts->save_file = NULL;
2666 cap_session->state = CAPTURE_RUNNING;
2672 /* capture child tells us we have new packets to read */
2674 capture_input_new_packets(capture_session *cap_session, int to_read)
2680 capture_file *cf = (capture_file *)cap_session->cf;
2681 gboolean filtering_tap_listeners;
2686 * Prevent a SIGINFO handler from writing to the standard error while
2687 * we're doing so or writing to the standard output; instead, have it
2688 * just set a flag telling us to print that information when we're done.
2691 #endif /* SIGINFO */
2693 /* Do we have any tap listeners with filters? */
2694 filtering_tap_listeners = have_filtering_tap_listeners();
2696 /* Get the union of the flags for all tap listeners. */
2697 tap_flags = union_of_tap_listener_flags();
2699 if (do_dissection) {
2700 gboolean create_proto_tree;
2701 epan_dissect_t *edt;
2703 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2704 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2705 create_proto_tree = TRUE;
2707 create_proto_tree = FALSE;
2709 /* The protocol tree will be "visible", i.e., printed, only if we're
2710 printing packet details, which is true if we're printing stuff
2711 ("print_packet_info" is true) and we're in verbose mode
2712 ("packet_details" is true). */
2713 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2715 while (to_read-- && cf->wth) {
2716 wtap_cleareof(cf->wth);
2717 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2719 /* read from file failed, tell the capture child to stop */
2720 sync_pipe_stop(cap_session);
2721 wtap_close(cf->wth);
2724 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2725 wtap_buf_ptr(cf->wth),
2729 /* packet successfully read and gone through the "Read Filter" */
2734 epan_dissect_free(edt);
2738 * Dumpcap's doing all the work; we're not doing any dissection.
2739 * Count all the packets it wrote.
2741 packet_count += to_read;
2744 if (print_packet_counts) {
2745 /* We're printing packet counts. */
2746 if (packet_count != 0) {
2747 fprintf(stderr, "\r%u ", packet_count);
2748 /* stderr could be line buffered */
2755 * Allow SIGINFO handlers to write.
2760 * If a SIGINFO handler asked us to write out capture counts, do so.
2764 #endif /* SIGINFO */
2770 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2771 /* Report the count only if we aren't printing a packet count
2772 as packets arrive. */
2773 fprintf(stderr, "%u packet%s captured\n", packet_count,
2774 plurality(packet_count, "", "s"));
2777 infoprint = FALSE; /* we just reported it */
2778 #endif /* SIGINFO */
2783 report_counts_siginfo(int signum _U_)
2785 int sav_errno = errno;
2786 /* If we've been told to delay printing, just set a flag asking
2787 that we print counts (if we're supposed to), otherwise print
2788 the count of packets captured (if we're supposed to). */
2795 #endif /* SIGINFO */
2798 /* capture child detected any packet drops? */
2800 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2802 if (print_packet_counts) {
2803 /* We're printing packet counts to stderr.
2804 Send a newline so that we move to the line after the packet count. */
2805 fprintf(stderr, "\n");
2809 /* We're printing packet counts to stderr.
2810 Send a newline so that we move to the line after the packet count. */
2811 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2817 * Capture child closed its side of the pipe, report any error and
2818 * do the required cleanup.
2821 capture_input_closed(capture_session *cap_session, gchar *msg)
2823 capture_file *cf = (capture_file *) cap_session->cf;
2826 fprintf(stderr, "tshark: %s\n", msg);
2830 if (cf != NULL && cf->wth != NULL) {
2831 wtap_close(cf->wth);
2832 if (cf->is_tempfile) {
2833 ws_unlink(cf->filename);
2836 #ifdef USE_BROKEN_G_MAIN_LOOP
2837 /*g_main_loop_quit(loop);*/
2838 g_main_loop_quit(loop);
2840 loop_running = FALSE;
2849 capture_cleanup(DWORD ctrltype _U_)
2851 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2852 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2853 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2854 like SIGTERM at least when the machine's shutting down.
2856 For now, we handle them all as indications that we should clean up
2857 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2860 We must return TRUE so that no other handler - such as one that would
2861 terminate the process - gets called.
2863 XXX - for some reason, typing ^C to TShark, if you run this in
2864 a Cygwin console window in at least some versions of Cygwin,
2865 causes TShark to terminate immediately; this routine gets
2866 called, but the main loop doesn't get a chance to run and
2867 exit cleanly, at least if this is compiled with Microsoft Visual
2868 C++ (i.e., it's a property of the Cygwin console window or Bash;
2869 it happens if TShark is not built with Cygwin - for all I know,
2870 building it with Cygwin may make the problem go away). */
2872 /* tell the capture child to stop */
2873 sync_pipe_stop(&global_capture_session);
2875 /* don't stop our own loop already here, otherwise status messages and
2876 * cleanup wouldn't be done properly. The child will indicate the stop of
2877 * everything by calling capture_input_closed() later */
2883 capture_cleanup(int signum _U_)
2885 /* tell the capture child to stop */
2886 sync_pipe_stop(&global_capture_session);
2888 /* don't stop our own loop already here, otherwise status messages and
2889 * cleanup wouldn't be done properly. The child will indicate the stop of
2890 * everything by calling capture_input_closed() later */
2893 #endif /* HAVE_LIBPCAP */
2896 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2897 gint64 offset, struct wtap_pkthdr *whdr,
2904 /* The frame number of this packet is one more than the count of
2905 frames in this packet. */
2906 framenum = cf->count + 1;
2908 /* If we're not running a display filter and we're not printing any
2909 packet information, we don't need to do a dissection. This means
2910 that all packets can be marked as 'passed'. */
2913 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2915 /* If we're going to print packet information, or we're going to
2916 run a read filter, or display filter, or we're going to process taps, set up to
2917 do a dissection and do so. */
2919 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2920 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2921 /* Grab any resolved addresses */
2922 host_name_lookup_process();
2924 /* If we're running a read filter, prime the epan_dissect_t with that
2927 epan_dissect_prime_dfilter(edt, cf->rfcode);
2930 epan_dissect_prime_dfilter(edt, cf->dfcode);
2932 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2934 if (ref == &fdlocal) {
2935 ref_frame = fdlocal;
2939 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2941 /* Run the read filter if we have one. */
2943 passed = dfilter_apply_edt(cf->rfcode, edt);
2947 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2948 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2950 /* If we're not doing dissection then there won't be any dependent frames.
2951 * More importantly, edt.pi.dependent_frames won't be initialized because
2952 * epan hasn't been initialized.
2953 * if we *are* doing dissection, then mark the dependent frames, but only
2954 * if a display filter was given and it matches this packet.
2956 if (edt && cf->dfcode) {
2957 if (dfilter_apply_edt(cf->dfcode, edt)) {
2958 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2964 /* if we don't add it to the frame_data_sequence, clean it up right now
2966 frame_data_destroy(&fdlocal);
2970 epan_dissect_reset(edt);
2976 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2977 struct wtap_pkthdr *phdr, Buffer *buf,
2983 /* If we're not running a display filter and we're not printing any
2984 packet information, we don't need to do a dissection. This means
2985 that all packets can be marked as 'passed'. */
2988 /* If we're going to print packet information, or we're going to
2989 run a read filter, or we're going to process taps, set up to
2990 do a dissection and do so. */
2992 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2993 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2994 /* Grab any resolved addresses */
2995 host_name_lookup_process();
2997 /* If we're running a display filter, prime the epan_dissect_t with that
3000 epan_dissect_prime_dfilter(edt, cf->dfcode);
3002 col_custom_prime_edt(edt, &cf->cinfo);
3004 /* We only need the columns if either
3005 1) some tap needs the columns
3007 2) we're printing packet info but we're *not* verbose; in verbose
3008 mode, we print the protocol tree, not the protocol summary.
3010 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3015 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3022 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3024 /* Run the read/display filter if we have one. */
3026 passed = dfilter_apply_edt(cf->dfcode, edt);
3030 frame_data_set_after_dissect(fdata, &cum_bytes);
3031 /* Process this packet. */
3032 if (print_packet_info) {
3033 /* We're printing packet information; print the information for
3035 print_packet(cf, edt);
3037 /* The ANSI C standard does not appear to *require* that a line-buffered
3038 stream be flushed to the host environment whenever a newline is
3039 written, it just says that, on such a stream, characters "are
3040 intended to be transmitted to or from the host environment as a
3041 block when a new-line character is encountered".
3043 The Visual C++ 6.0 C implementation doesn't do what is intended;
3044 even if you set a stream to be line-buffered, it still doesn't
3045 flush the buffer at the end of every line.
3047 So, if the "-l" flag was specified, we flush the standard output
3048 at the end of a packet. This will do the right thing if we're
3049 printing packet summary lines, and, as we print the entire protocol
3050 tree for a single packet without waiting for anything to happen,
3051 it should be as good as line-buffered mode if we're printing
3052 protocol trees. (The whole reason for the "-l" flag in either
3053 tcpdump or TShark is to allow the output of a live capture to
3054 be piped to a program or script and to have that script see the
3055 information for the packet as soon as it's printed, rather than
3056 having to wait until a standard I/O buffer fills up. */
3060 if (ferror(stdout)) {
3061 show_print_file_io_error(errno);
3070 epan_dissect_reset(edt);
3072 return passed || fdata->flags.dependent_of_displayed;
3076 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3077 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3080 int snapshot_length;
3084 gchar *err_info = NULL;
3086 char *save_file_string = NULL;
3087 gboolean filtering_tap_listeners;
3089 wtapng_section_t *shb_hdr;
3090 wtapng_iface_descriptions_t *idb_inf;
3092 struct wtap_pkthdr phdr;
3094 epan_dissect_t *edt = NULL;
3096 memset(&phdr, 0, sizeof(struct wtap_pkthdr));
3098 shb_hdr = wtap_file_get_shb_info(cf->wth);
3099 idb_inf = wtap_file_get_idb_info(cf->wth);
3100 #ifdef PCAP_NG_DEFAULT
3101 if (idb_inf->interface_data->len > 1) {
3102 linktype = WTAP_ENCAP_PER_PACKET;
3104 linktype = wtap_file_encap(cf->wth);
3107 linktype = wtap_file_encap(cf->wth);
3109 if (save_file != NULL) {
3110 /* Get a string that describes what we're writing to */
3111 save_file_string = output_file_description(save_file);
3113 /* Set up to write to the capture file. */
3114 snapshot_length = wtap_snapshot_length(cf->wth);
3115 if (snapshot_length == 0) {
3116 /* Snapshot length of input file not known. */
3117 snapshot_length = WTAP_MAX_PACKET_SIZE;
3119 /* If we don't have an application name add Tshark */
3120 if (shb_hdr->shb_user_appl == NULL) {
3121 g_snprintf(appname, sizeof(appname), "TShark (Wireshark) %s", get_ws_vcs_version_info());
3122 shb_hdr->shb_user_appl = appname;
3125 if (linktype != WTAP_ENCAP_PER_PACKET &&
3126 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3127 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3128 snapshot_length, FALSE /* compressed */, &err);
3130 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3131 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3137 /* We couldn't set up to write to the capture file. */
3140 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3141 cmdarg_err("Capture files can't be written in that format.");
3144 case WTAP_ERR_UNSUPPORTED_ENCAP:
3145 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3146 cmdarg_err("The capture file being read can't be written as a "
3147 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3150 case WTAP_ERR_CANT_OPEN:
3151 cmdarg_err("The %s couldn't be created for some "
3152 "unknown reason.", save_file_string);
3155 case WTAP_ERR_SHORT_WRITE:
3156 cmdarg_err("A full header couldn't be written to the %s.",
3161 cmdarg_err("The %s could not be created: %s.", save_file_string,
3162 wtap_strerror(err));
3168 if (print_packet_info) {
3169 if (!write_preamble(cf)) {
3171 show_print_file_io_error(err);
3180 if (pdh && out_file_name_res) {
3181 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3182 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3183 wtap_file_type_subtype_short_string(out_file_type));
3187 /* Do we have any tap listeners with filters? */
3188 filtering_tap_listeners = have_filtering_tap_listeners();
3190 /* Get the union of the flags for all tap listeners. */
3191 tap_flags = union_of_tap_listener_flags();
3193 if (perform_two_pass_analysis) {
3196 /* Allocate a frame_data_sequence for all the frames. */
3197 cf->frames = new_frame_data_sequence();
3199 if (do_dissection) {
3200 gboolean create_proto_tree = FALSE;
3202 /* If we're going to be applying a filter, we'll need to
3203 create a protocol tree against which to apply the filter. */
3204 if (cf->rfcode || cf->dfcode)
3205 create_proto_tree = TRUE;
3207 /* We're not going to display the protocol tree on this pass,
3208 so it's not going to be "visible". */
3209 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3212 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3213 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3214 wtap_buf_ptr(cf->wth))) {
3215 /* Stop reading if we have the maximum number of packets;
3216 * When the -c option has not been used, max_packet_count
3217 * starts at 0, which practically means, never stop reading.
3218 * (unless we roll over max_packet_count ?)
3220 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3221 err = 0; /* This is not an error */
3228 epan_dissect_free(edt);
3232 /* Close the sequential I/O side, to free up memory it requires. */
3233 wtap_sequential_close(cf->wth);
3235 /* Allow the protocol dissectors to free up memory that they
3236 * don't need after the sequential run-through of the packets. */
3237 postseq_cleanup_all_protocols();
3241 buffer_init(&buf, 1500);
3243 if (do_dissection) {
3244 gboolean create_proto_tree;
3246 if (cf->dfcode || print_details || filtering_tap_listeners ||
3247 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3248 create_proto_tree = TRUE;
3250 create_proto_tree = FALSE;
3252 /* The protocol tree will be "visible", i.e., printed, only if we're
3253 printing packet details, which is true if we're printing stuff
3254 ("print_packet_info" is true) and we're in verbose mode
3255 ("packet_details" is true). */
3256 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3259 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3260 fdata = frame_data_sequence_find(cf->frames, framenum);
3261 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3263 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3265 /* Either there's no read filtering or this packet passed the
3266 filter, so, if we're writing to a capture file, write
3269 if (!wtap_dump(pdh, &phdr, buffer_start_ptr(&buf), &err)) {
3270 /* Error writing to a capture file */
3273 case WTAP_ERR_UNSUPPORTED_ENCAP:
3275 * This is a problem with the particular frame we're writing
3276 * and the file type and subtype we're writing; note that,
3277 * and report the frame number and file type/subtype.
3279 * XXX - framenum is not necessarily the frame number in
3280 * the input file if there was a read filter.
3283 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3284 framenum, cf->filename,
3285 wtap_file_type_subtype_short_string(out_file_type));
3288 case WTAP_ERR_PACKET_TOO_LARGE:
3290 * This is a problem with the particular frame we're writing
3291 * and the file type and subtype we're writing; note that,
3292 * and report the frame number and file type/subtype.
3294 * XXX - framenum is not necessarily the frame number in
3295 * the input file if there was a read filter.
3298 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3299 framenum, cf->filename,
3300 wtap_file_type_subtype_short_string(out_file_type));
3304 show_capture_file_io_error(save_file, err, FALSE);
3307 wtap_dump_close(pdh, &err);
3317 epan_dissect_free(edt);
3326 if (do_dissection) {
3327 gboolean create_proto_tree;
3329 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3330 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3331 create_proto_tree = TRUE;
3333 create_proto_tree = FALSE;
3335 /* The protocol tree will be "visible", i.e., printed, only if we're
3336 printing packet details, which is true if we're printing stuff
3337 ("print_packet_info" is true) and we're in verbose mode
3338 ("packet_details" is true). */
3339 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3342 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3345 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3346 wtap_buf_ptr(cf->wth),
3348 /* Either there's no read filtering or this packet passed the
3349 filter, so, if we're writing to a capture file, write
3352 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3353 /* Error writing to a capture file */
3356 case WTAP_ERR_UNSUPPORTED_ENCAP:
3358 * This is a problem with the particular frame we're writing
3359 * and the file type and subtype we're writing; note that,
3360 * and report the frame number and file type/subtype.
3363 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3364 framenum, cf->filename,
3365 wtap_file_type_subtype_short_string(out_file_type));
3368 case WTAP_ERR_PACKET_TOO_LARGE:
3370 * This is a problem with the particular frame we're writing
3371 * and the file type and subtype we're writing; note that,
3372 * and report the frame number and file type/subtype.
3375 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3376 framenum, cf->filename,
3377 wtap_file_type_subtype_short_string(out_file_type));
3381 show_capture_file_io_error(save_file, err, FALSE);
3384 wtap_dump_close(pdh, &err);
3390 /* Stop reading if we have the maximum number of packets;
3391 * When the -c option has not been used, max_packet_count
3392 * starts at 0, which practically means, never stop reading.
3393 * (unless we roll over max_packet_count ?)
3395 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3396 err = 0; /* This is not an error */
3402 epan_dissect_free(edt);
3409 * Print a message noting that the read failed somewhere along the line.
3411 * If we're printing packet data, and the standard output and error are
3412 * going to the same place, flush the standard output, so everything
3413 * buffered up is written, and then print a newline to the standard error
3414 * before printing the error message, to separate it from the packet
3415 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3416 * the _fstat() documentation at Microsoft doesn't indicate whether
3417 * st_ino is even supported.)
3420 if (print_packet_info) {
3421 struct stat stat_stdout, stat_stderr;
3423 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3424 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3425 stat_stdout.st_ino == stat_stderr.st_ino) {
3427 fprintf(stderr, "\n");
3434 case WTAP_ERR_UNSUPPORTED:
3435 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3436 cf->filename, err_info);
3440 case WTAP_ERR_UNSUPPORTED_ENCAP:
3441 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3442 cf->filename, err_info);
3446 case WTAP_ERR_CANT_READ:
3447 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3451 case WTAP_ERR_SHORT_READ:
3452 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3456 case WTAP_ERR_BAD_FILE:
3457 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3458 cf->filename, err_info);
3462 case WTAP_ERR_DECOMPRESS:
3463 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3464 "(%s)", cf->filename, err_info);
3468 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3469 cf->filename, wtap_strerror(err));
3472 if (save_file != NULL) {
3473 /* Now close the capture file. */
3474 if (!wtap_dump_close(pdh, &err))
3475 show_capture_file_io_error(save_file, err, TRUE);
3478 if (save_file != NULL) {
3479 /* Now close the capture file. */
3480 if (!wtap_dump_close(pdh, &err))
3481 show_capture_file_io_error(save_file, err, TRUE);
3483 if (print_packet_info) {
3484 if (!write_finale()) {
3486 show_print_file_io_error(err);
3493 wtap_close(cf->wth);
3496 g_free(save_file_string);
3503 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3504 const guchar *pd, guint tap_flags)
3510 /* Count this packet. */
3513 /* If we're not running a display filter and we're not printing any
3514 packet information, we don't need to do a dissection. This means
3515 that all packets can be marked as 'passed'. */
3518 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3520 /* If we're going to print packet information, or we're going to
3521 run a read filter, or we're going to process taps, set up to
3522 do a dissection and do so. */
3524 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3525 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3526 /* Grab any resolved addresses */
3527 host_name_lookup_process();
3529 /* If we're running a filter, prime the epan_dissect_t with that
3532 epan_dissect_prime_dfilter(edt, cf->dfcode);
3534 col_custom_prime_edt(edt, &cf->cinfo);
3536 /* We only need the columns if either
3537 1) some tap needs the columns
3539 2) we're printing packet info but we're *not* verbose; in verbose
3540 mode, we print the protocol tree, not the protocol summary.
3542 3) there is a column mapped as an individual field */
3543 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3548 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3550 if (ref == &fdata) {
3555 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3557 /* Run the filter if we have it. */
3559 passed = dfilter_apply_edt(cf->dfcode, edt);
3563 frame_data_set_after_dissect(&fdata, &cum_bytes);
3565 /* Process this packet. */
3566 if (print_packet_info) {
3567 /* We're printing packet information; print the information for
3569 print_packet(cf, edt);
3571 /* The ANSI C standard does not appear to *require* that a line-buffered
3572 stream be flushed to the host environment whenever a newline is
3573 written, it just says that, on such a stream, characters "are
3574 intended to be transmitted to or from the host environment as a
3575 block when a new-line character is encountered".
3577 The Visual C++ 6.0 C implementation doesn't do what is intended;
3578 even if you set a stream to be line-buffered, it still doesn't
3579 flush the buffer at the end of every line.
3581 So, if the "-l" flag was specified, we flush the standard output
3582 at the end of a packet. This will do the right thing if we're
3583 printing packet summary lines, and, as we print the entire protocol
3584 tree for a single packet without waiting for anything to happen,
3585 it should be as good as line-buffered mode if we're printing
3586 protocol trees. (The whole reason for the "-l" flag in either
3587 tcpdump or TShark is to allow the output of a live capture to
3588 be piped to a program or script and to have that script see the
3589 information for the packet as soon as it's printed, rather than
3590 having to wait until a standard I/O buffer fills up. */
3594 if (ferror(stdout)) {
3595 show_print_file_io_error(errno);
3600 /* this must be set after print_packet() [bug #8160] */
3601 prev_dis_frame = fdata;
3602 prev_dis = &prev_dis_frame;
3605 prev_cap_frame = fdata;
3606 prev_cap = &prev_cap_frame;
3609 epan_dissect_reset(edt);
3610 frame_data_destroy(&fdata);
3616 write_preamble(capture_file *cf)
3618 switch (output_action) {
3621 return print_preamble(print_stream, cf ? cf->filename : NULL, get_ws_vcs_version_info());
3625 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3627 write_psml_preamble(stdout);
3628 return !ferror(stdout);
3631 write_fields_preamble(output_fields, stdout);
3632 return !ferror(stdout);
3635 g_assert_not_reached();
3641 get_line_buf(size_t len)
3643 static char *line_bufp = NULL;
3644 static size_t line_buf_len = 256;
3645 size_t new_line_buf_len;
3647 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3648 new_line_buf_len *= 2)
3650 if (line_bufp == NULL) {
3651 line_buf_len = new_line_buf_len;
3652 line_bufp = (char *)g_malloc(line_buf_len + 1);
3654 if (new_line_buf_len > line_buf_len) {
3655 line_buf_len = new_line_buf_len;
3656 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3663 put_string(char *dest, const char *str, size_t str_len)
3665 memcpy(dest, str, str_len);
3666 dest[str_len] = '\0';
3670 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3674 for (i = str_len; i < str_with_spaces; i++)
3677 put_string(dest, str, str_len);
3681 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3685 memcpy(dest, str, str_len);
3686 for (i = str_len; i < str_with_spaces; i++)
3689 dest[str_with_spaces] = '\0';
3693 print_columns(capture_file *cf)
3701 line_bufp = get_line_buf(256);
3704 for (i = 0; i < cf->cinfo.num_cols; i++) {
3705 /* Skip columns not marked as visible. */
3706 if (!get_column_visible(i))
3708 switch (cf->cinfo.col_fmt[i]) {
3710 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3713 line_bufp = get_line_buf(buf_offset + column_len);
3714 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3720 case COL_ABS_YMD_TIME: /* XXX - wider */
3721 case COL_ABS_YDOY_TIME: /* XXX - wider */
3723 case COL_UTC_YMD_TIME: /* XXX - wider */
3724 case COL_UTC_YDOY_TIME: /* XXX - wider */
3725 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3726 if (column_len < 10)
3728 line_bufp = get_line_buf(buf_offset + column_len);
3729 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3735 case COL_DEF_DL_SRC:
3736 case COL_RES_DL_SRC:
3737 case COL_UNRES_DL_SRC:
3738 case COL_DEF_NET_SRC:
3739 case COL_RES_NET_SRC:
3740 case COL_UNRES_NET_SRC:
3741 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3742 if (column_len < 12)
3744 line_bufp = get_line_buf(buf_offset + column_len);
3745 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3751 case COL_DEF_DL_DST:
3752 case COL_RES_DL_DST:
3753 case COL_UNRES_DL_DST:
3754 case COL_DEF_NET_DST:
3755 case COL_RES_NET_DST:
3756 case COL_UNRES_NET_DST:
3757 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3758 if (column_len < 12)
3760 line_bufp = get_line_buf(buf_offset + column_len);
3761 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3765 column_len = strlen(cf->cinfo.col_data[i]);
3766 line_bufp = get_line_buf(buf_offset + column_len);
3767 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3770 buf_offset += column_len;
3771 if (i != cf->cinfo.num_cols - 1) {
3773 * This isn't the last column, so we need to print a
3774 * separator between this column and the next.
3776 * If we printed a network source and are printing a
3777 * network destination of the same type next, separate
3778 * them with " -> "; if we printed a network destination
3779 * and are printing a network source of the same type
3780 * next, separate them with " <- "; otherwise separate them
3783 * We add enough space to the buffer for " <- " or " -> ",
3784 * even if we're only adding " ".
3786 line_bufp = get_line_buf(buf_offset + 4);
3787 switch (cf->cinfo.col_fmt[i]) {
3792 switch (cf->cinfo.col_fmt[i + 1]) {
3797 put_string(line_bufp + buf_offset, " -> ", 4);
3802 put_string(line_bufp + buf_offset, " ", 1);
3808 case COL_DEF_DL_SRC:
3809 case COL_RES_DL_SRC:
3810 case COL_UNRES_DL_SRC:
3811 switch (cf->cinfo.col_fmt[i + 1]) {
3813 case COL_DEF_DL_DST:
3814 case COL_RES_DL_DST:
3815 case COL_UNRES_DL_DST:
3816 put_string(line_bufp + buf_offset, " -> ", 4);
3821 put_string(line_bufp + buf_offset, " ", 1);
3827 case COL_DEF_NET_SRC:
3828 case COL_RES_NET_SRC:
3829 case COL_UNRES_NET_SRC:
3830 switch (cf->cinfo.col_fmt[i + 1]) {
3832 case COL_DEF_NET_DST:
3833 case COL_RES_NET_DST:
3834 case COL_UNRES_NET_DST:
3835 put_string(line_bufp + buf_offset, " -> ", 4);
3840 put_string(line_bufp + buf_offset, " ", 1);
3849 switch (cf->cinfo.col_fmt[i + 1]) {
3854 put_string(line_bufp + buf_offset, " <- ", 4);
3859 put_string(line_bufp + buf_offset, " ", 1);
3865 case COL_DEF_DL_DST:
3866 case COL_RES_DL_DST:
3867 case COL_UNRES_DL_DST:
3868 switch (cf->cinfo.col_fmt[i + 1]) {
3870 case COL_DEF_DL_SRC:
3871 case COL_RES_DL_SRC:
3872 case COL_UNRES_DL_SRC:
3873 put_string(line_bufp + buf_offset, " <- ", 4);
3878 put_string(line_bufp + buf_offset, " ", 1);
3884 case COL_DEF_NET_DST:
3885 case COL_RES_NET_DST:
3886 case COL_UNRES_NET_DST:
3887 switch (cf->cinfo.col_fmt[i + 1]) {
3889 case COL_DEF_NET_SRC:
3890 case COL_RES_NET_SRC:
3891 case COL_UNRES_NET_SRC:
3892 put_string(line_bufp + buf_offset, " <- ", 4);
3897 put_string(line_bufp + buf_offset, " ", 1);
3904 put_string(line_bufp + buf_offset, " ", 1);
3910 return print_line(print_stream, 0, line_bufp);
3914 print_packet(capture_file *cf, epan_dissect_t *edt)
3916 print_args_t print_args;
3918 if (print_summary || output_fields_has_cols(output_fields)) {
3919 /* Just fill in the columns. */
3920 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3922 if (print_summary) {
3923 /* Now print them. */
3924 switch (output_action) {
3927 if (!print_columns(cf))
3932 proto_tree_write_psml(edt, stdout);
3933 return !ferror(stdout);
3934 case WRITE_FIELDS: /*No non-verbose "fields" format */
3935 g_assert_not_reached();
3940 if (print_details) {
3941 /* Print the information in the protocol tree. */
3942 switch (output_action) {
3945 /* Only initialize the fields that are actually used in proto_tree_print.
3946 * This is particularly important for .range, as that's heap memory which
3947 * we would otherwise have to g_free().
3948 print_args.to_file = TRUE;
3949 print_args.format = print_format;
3950 print_args.print_summary = print_summary;
3951 print_args.print_formfeed = FALSE;
3952 packet_range_init(&print_args.range, &cfile);
3954 print_args.print_hex = print_hex;
3955 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3957 if (!proto_tree_print(&print_args, edt, print_stream))
3960 if (!print_line(print_stream, 0, separator))
3966 proto_tree_write_pdml(edt, stdout);
3968 return !ferror(stdout);
3970 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3972 return !ferror(stdout);
3976 if (print_summary || print_details) {
3977 if (!print_line(print_stream, 0, ""))
3980 if (!print_hex_data(print_stream, edt))
3982 if (!print_line(print_stream, 0, separator))
3991 switch (output_action) {
3994 return print_finale(print_stream);
3998 write_pdml_finale(stdout);
4000 write_psml_finale(stdout);
4001 return !ferror(stdout);
4004 write_fields_finale(output_fields, stdout);
4005 return !ferror(stdout);
4008 g_assert_not_reached();
4014 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4018 char err_msg[2048+1];
4020 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4024 /* The open succeeded. Fill in the information for this file. */
4026 /* Create new epan session for dissection. */
4027 epan_free(cf->epan);
4028 cf->epan = tshark_epan_new(cf);
4031 cf->f_datalen = 0; /* not used, but set it anyway */
4033 /* Set the file name because we need it to set the follow stream filter.
4034 XXX - is that still true? We need it for other reasons, though,
4036 cf->filename = g_strdup(fname);
4038 /* Indicate whether it's a permanent or temporary file. */
4039 cf->is_tempfile = is_tempfile;
4041 /* No user changes yet. */
4042 cf->unsaved_changes = FALSE;
4044 cf->cd_t = wtap_file_type_subtype(cf->wth);
4045 cf->open_type = type;
4047 cf->drops_known = FALSE;
4049 cf->snap = wtap_snapshot_length(cf->wth);
4050 if (cf->snap == 0) {
4051 /* Snapshot length not known. */
4052 cf->has_snap = FALSE;
4053 cf->snap = WTAP_MAX_PACKET_SIZE;
4055 cf->has_snap = TRUE;
4056 nstime_set_zero(&cf->elapsed_time);
4061 cf->state = FILE_READ_IN_PROGRESS;
4063 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4064 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4069 g_snprintf(err_msg, sizeof err_msg,
4070 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4071 cmdarg_err("%s", err_msg);
4076 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4078 char *save_file_string;
4080 save_file_string = output_file_description(fname);
4085 cmdarg_err("Not all the packets could be written to the %s because there is "
4086 "no space left on the file system.",
4092 cmdarg_err("Not all the packets could be written to the %s because you are "
4093 "too close to, or over your disk quota.",
4098 case WTAP_ERR_CANT_CLOSE:
4099 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4103 case WTAP_ERR_SHORT_WRITE:
4104 cmdarg_err("Not all the packets could be written to the %s.",
4110 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4111 wtap_strerror(err));
4113 cmdarg_err("An error occurred while writing to the %s: %s.",
4114 save_file_string, wtap_strerror(err));
4118 g_free(save_file_string);
4122 show_print_file_io_error(int err)
4127 cmdarg_err("Not all the packets could be printed because there is "
4128 "no space left on the file system.");
4133 cmdarg_err("Not all the packets could be printed because you are "
4134 "too close to, or over your disk quota.");
4139 cmdarg_err("An error occurred while printing packets: %s.",
4146 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4150 static char errmsg_errno[1024+1];
4153 /* Wiretap error. */
4156 case WTAP_ERR_NOT_REGULAR_FILE:
4157 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4160 case WTAP_ERR_RANDOM_OPEN_PIPE:
4161 /* Seen only when opening a capture file for reading. */
4162 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4165 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4166 /* Seen only when opening a capture file for reading. */
4167 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4170 case WTAP_ERR_UNSUPPORTED:
4171 /* Seen only when opening a capture file for reading. */
4172 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4173 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4176 errmsg = errmsg_errno;
4179 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4180 /* Seen only when opening a capture file for writing. */
4181 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4182 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4183 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4184 errmsg = errmsg_errno;
4187 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4188 /* Seen only when opening a capture file for writing. */
4189 errmsg = "TShark doesn't support writing capture files in that format.";
4192 case WTAP_ERR_UNSUPPORTED_ENCAP:
4194 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4195 "TShark can't save this capture as a \"%s\" file.",
4196 wtap_file_type_subtype_short_string(file_type));
4198 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4199 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4203 errmsg = errmsg_errno;
4206 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4208 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4209 "TShark can't save this capture as a \"%s\" file.",
4210 wtap_file_type_subtype_short_string(file_type));
4211 errmsg = errmsg_errno;
4213 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4216 case WTAP_ERR_BAD_FILE:
4217 /* Seen only when opening a capture file for reading. */
4218 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4219 "The file \"%%s\" appears to be damaged or corrupt.\n"
4222 errmsg = errmsg_errno;
4225 case WTAP_ERR_CANT_OPEN:
4227 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4229 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4232 case WTAP_ERR_SHORT_READ:
4233 errmsg = "The file \"%s\" appears to have been cut short"
4234 " in the middle of a packet or other data.";
4237 case WTAP_ERR_SHORT_WRITE:
4238 errmsg = "A full header couldn't be written to the file \"%s\".";
4241 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4242 errmsg = "This file type cannot be written as a compressed file.";
4245 case WTAP_ERR_DECOMPRESS:
4246 /* Seen only when opening a capture file for reading. */
4247 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4248 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4251 errmsg = errmsg_errno;
4255 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4256 "The file \"%%s\" could not be %s: %s.",
4257 for_writing ? "created" : "opened",
4258 wtap_strerror(err));
4259 errmsg = errmsg_errno;
4263 errmsg = file_open_error_message(err, for_writing);
4268 * Open/create errors are reported with an console message in TShark.
4271 open_failure_message(const char *filename, int err, gboolean for_writing)
4273 fprintf(stderr, "tshark: ");
4274 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4275 fprintf(stderr, "\n");
4279 * General errors are reported with an console message in TShark.
4282 failure_message(const char *msg_format, va_list ap)
4284 fprintf(stderr, "tshark: ");
4285 vfprintf(stderr, msg_format, ap);
4286 fprintf(stderr, "\n");
4290 * Read errors are reported with an console message in TShark.
4293 read_failure_message(const char *filename, int err)
4295 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4296 filename, g_strerror(err));
4300 * Write errors are reported with an console message in TShark.
4303 write_failure_message(const char *filename, int err)
4305 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4306 filename, g_strerror(err));
4310 * Report additional information for an error in command-line arguments.
4313 failure_message_cont(const char *msg_format, va_list ap)
4315 vfprintf(stderr, msg_format, ap);
4316 fprintf(stderr, "\n");
4320 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4325 * indent-tabs-mode: nil
4328 * vi: set shiftwidth=2 tabstop=8 expandtab:
4329 * :indentSize=2:tabSize=8:noTabs=true: