3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 # include <sys/capability.h>
47 #ifndef HAVE_GETOPT_LONG
48 #include "wsutil/wsgetopt.h"
53 #include <epan/exceptions.h>
54 #include <epan/epan-int.h>
55 #include <epan/epan.h>
57 #include <wsutil/clopts_common.h>
58 #include <wsutil/cmdarg_err.h>
59 #include <wsutil/crash_info.h>
60 #include <wsutil/filesystem.h>
61 #include <wsutil/file_util.h>
62 #include <wsutil/privileges.h>
63 #include <wsutil/report_err.h>
64 #include <ws_version_info.h>
65 #include <wiretap/wtap_opttypes.h>
66 #include <wiretap/pcapng.h>
69 #include <epan/timestamp.h>
70 #include <epan/packet.h>
72 #include <epan/wslua/init_wslua.h>
74 #include "frame_tvbuff.h"
75 #include <epan/disabled_protos.h>
76 #include <epan/prefs.h>
77 #include <epan/column.h>
78 #include <epan/decode_as.h>
79 #include <epan/print.h>
80 #include <epan/addr_resolv.h>
82 #include "ui/capture_ui_utils.h"
85 #include "ui/ui_util.h"
86 #include "ui/decode_as_utils.h"
87 #include "ui/cli/tshark-tap.h"
88 #include "ui/cli/tap-exportobject.h"
89 #include "ui/tap_export_pdu.h"
90 #include "ui/dissect_opts.h"
91 #if defined(HAVE_LIBSMI)
92 #include "epan/oids.h"
94 #if defined(HAVE_GEOIP)
95 #include "epan/geoip_db.h"
98 #include "filter_files.h"
99 #include <epan/epan_dissect.h>
100 #include <epan/tap.h>
101 #include <epan/stat_tap_ui.h>
102 #include <epan/conversation_table.h>
103 #include <epan/srt_table.h>
104 #include <epan/rtd_table.h>
105 #include <epan/ex-opt.h>
106 #include <epan/exported_pdu.h>
108 #include "capture_opts.h"
110 #include "caputils/capture-pcap-util.h"
113 #include "caputils/capture_ifinfo.h"
115 #include "caputils/capture-wpcap.h"
116 #include <wsutil/os_version_info.h>
117 #include <wsutil/unicode-utils.h>
119 #include <capchild/capture_session.h>
120 #include <capchild/capture_sync.h>
121 #include <capture_info.h>
122 #endif /* HAVE_LIBPCAP */
124 #include <epan/funnel.h>
126 #include <wsutil/str_util.h>
127 #include <wsutil/utf8_entities.h>
134 #include <wsutil/plugins.h>
138 #define INVALID_OPTION 1
139 #define INVALID_INTERFACE 2
140 #define INVALID_FILE 2
141 #define INVALID_FILTER 2
142 #define INVALID_EXPORT 2
143 #define INVALID_CAPABILITY 2
144 #define INVALID_TAP 2
145 #define INVALID_DATA_LINK 2
146 #define INVALID_CAPTURE 2
147 #define INIT_FAILED 2
150 #define tshark_debug(...) g_warning(__VA_ARGS__)
152 #define tshark_debug(...)
155 static guint32 cum_bytes;
156 static const frame_data *ref;
157 static frame_data ref_frame;
158 static frame_data *prev_dis;
159 static frame_data prev_dis_frame;
160 static frame_data *prev_cap;
161 static frame_data prev_cap_frame;
163 static gboolean perform_two_pass_analysis;
166 * The way the packet decode is to be written.
169 WRITE_TEXT, /* summary or detail text */
170 WRITE_XML, /* PDML or PSML */
171 WRITE_FIELDS, /* User defined list of fields */
172 WRITE_JSON, /* JSON */
173 WRITE_EK /* JSON bulk insert to Elasticsearch */
174 /* Add CSV and the like here */
177 static output_action_e output_action;
178 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
179 static gboolean print_packet_info; /* TRUE if we're to print packet information */
180 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
181 static gboolean print_details; /* TRUE if we're to print packet details information */
182 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
183 static gboolean line_buffered;
184 static gboolean really_quiet = FALSE;
186 static print_format_e print_format = PR_FMT_TEXT;
187 static print_stream_t *print_stream;
189 static output_fields_t* output_fields = NULL;
190 static gchar **protocolfilter = NULL;
191 static pf_flags protocolfilter_flags = PF_NONE;
193 /* The line separator used between packets, changeable via the -S option */
194 static const char *separator = "";
198 * TRUE if we're to print packet counts to keep track of captured packets.
200 static gboolean print_packet_counts;
202 static capture_options global_capture_opts;
203 static capture_session global_capture_session;
204 static info_data_t global_info_data;
207 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
208 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
211 static gboolean capture(void);
212 static void report_counts(void);
214 static BOOL WINAPI capture_cleanup(DWORD);
216 static void capture_cleanup(int);
218 static void report_counts_siginfo(int);
222 #else /* HAVE_LIBPCAP */
224 static char *output_file_name;
226 #endif /* HAVE_LIBPCAP */
228 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
229 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
230 struct wtap_pkthdr *whdr, const guchar *pd,
232 static void show_capture_file_io_error(const char *, int, gboolean);
233 static void show_print_file_io_error(int err);
234 static gboolean write_preamble(capture_file *cf);
235 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
236 static gboolean write_finale(void);
237 static const char *cf_open_error_message(int err, gchar *err_info,
238 gboolean for_writing, int file_type);
240 static void open_failure_message(const char *filename, int err,
241 gboolean for_writing);
242 static void failure_message(const char *msg_format, va_list ap);
243 static void read_failure_message(const char *filename, int err);
244 static void write_failure_message(const char *filename, int err);
245 static void failure_message_cont(const char *msg_format, va_list ap);
249 static GHashTable *output_only_tables = NULL;
252 const char *sstr; /* The short string */
253 const char *lstr; /* The long string */
257 string_compare(gconstpointer a, gconstpointer b)
259 return strcmp(((const struct string_elem *)a)->sstr,
260 ((const struct string_elem *)b)->sstr);
264 string_elem_print(gpointer data, gpointer not_used _U_)
266 fprintf(stderr, " %s - %s\n",
267 ((struct string_elem *)data)->sstr,
268 ((struct string_elem *)data)->lstr);
272 list_capture_types(void) {
274 struct string_elem *captypes;
277 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
279 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
280 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
281 if (wtap_dump_can_open(i)) {
282 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
283 captypes[i].lstr = wtap_file_type_subtype_string(i);
284 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
287 g_slist_foreach(list, string_elem_print, NULL);
293 list_read_capture_types(void) {
295 struct string_elem *captypes;
297 const char *magic = "Magic-value-based";
298 const char *heuristic = "Heuristics-based";
300 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
301 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
303 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
304 for (i = 0; open_routines[i].name != NULL; i++) {
305 captypes[i].sstr = open_routines[i].name;
306 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
307 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
309 g_slist_foreach(list, string_elem_print, NULL);
315 print_usage(FILE *output)
317 fprintf(output, "\n");
318 fprintf(output, "Usage: tshark [options] ...\n");
319 fprintf(output, "\n");
322 fprintf(output, "Capture interface:\n");
323 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
324 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
325 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
326 fprintf(output, " -p don't capture in promiscuous mode\n");
327 #ifdef HAVE_PCAP_CREATE
328 fprintf(output, " -I capture in monitor mode, if available\n");
330 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
331 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
333 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
334 fprintf(output, " -D print list of interfaces and exit\n");
335 fprintf(output, " -L print list of link-layer types of iface and exit\n");
336 fprintf(output, "\n");
337 fprintf(output, "Capture stop conditions:\n");
338 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
339 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
340 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
341 fprintf(output, " files:NUM - stop after NUM files\n");
342 /*fprintf(output, "\n");*/
343 fprintf(output, "Capture output:\n");
344 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
345 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
346 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
347 #endif /* HAVE_LIBPCAP */
348 #ifdef HAVE_PCAP_REMOTE
349 fprintf(output, "RPCAP options:\n");
350 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
352 /*fprintf(output, "\n");*/
353 fprintf(output, "Input file:\n");
354 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
356 fprintf(output, "\n");
357 fprintf(output, "Processing:\n");
358 fprintf(output, " -2 perform a two-pass analysis\n");
359 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
360 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
361 fprintf(output, " syntax\n");
362 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
363 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
364 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
365 fprintf(output, " \"Decode As\", see the man page for details\n");
366 fprintf(output, " Example: tcp.port==8888,http\n");
367 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
368 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
369 fprintf(output, " --disable-protocol <proto_name>\n");
370 fprintf(output, " disable dissection of proto_name\n");
371 fprintf(output, " --enable-heuristic <short_name>\n");
372 fprintf(output, " enable dissection of heuristic protocol\n");
373 fprintf(output, " --disable-heuristic <short_name>\n");
374 fprintf(output, " disable dissection of heuristic protocol\n");
376 /*fprintf(output, "\n");*/
377 fprintf(output, "Output:\n");
378 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
379 fprintf(output, " (or to the standard output for \"-\")\n");
380 fprintf(output, " -C <config profile> start with specified configuration profile\n");
381 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
382 fprintf(output, " an empty \"-F\" option will list the file types\n");
383 fprintf(output, " -V add output of packet tree (Packet Details)\n");
384 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
385 fprintf(output, " separated\n");
386 fprintf(output, " -P print packet summary even when writing to a file\n");
387 fprintf(output, " -S <separator> the line separator to print between packets\n");
388 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
389 fprintf(output, " -T pdml|ps|psml|json|ek|text|fields\n");
390 fprintf(output, " format of text output (def: text)\n");
391 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
392 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
393 fprintf(output, " nodes, unless child is specified also in the filter)\n");
394 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
395 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
396 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
397 fprintf(output, " _ws.col.Info)\n");
398 fprintf(output, " this option can be repeated to print multiple fields\n");
399 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
400 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
401 fprintf(output, " header=y|n switch headers on and off\n");
402 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
403 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
404 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
405 fprintf(output, " aggregator\n");
406 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
407 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
408 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
409 fprintf(output, " -l flush standard output after each packet\n");
410 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
411 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
412 fprintf(output, " -g enable group read access on the output file(s)\n");
413 fprintf(output, " -W n Save extra information in the file, if supported.\n");
414 fprintf(output, " n = write network address resolution information\n");
415 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
416 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
417 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
418 fprintf(output, " --capture-comment <comment>\n");
419 fprintf(output, " add a capture comment to the newly created\n");
420 fprintf(output, " output file (only for pcapng)\n");
421 fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
422 fprintf(output, " a directory named \"destdir\"\n");
424 fprintf(output, "\n");
425 fprintf(output, "Miscellaneous:\n");
426 fprintf(output, " -h display this help and exit\n");
427 fprintf(output, " -v display version info and exit\n");
428 fprintf(output, " -o <name>:<value> ... override preference setting\n");
429 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
430 fprintf(output, " -G [report] dump one of several available reports and exit\n");
431 fprintf(output, " default report=\"fields\"\n");
432 fprintf(output, " use \"-G ?\" for more help\n");
434 fprintf(output, "\n");
435 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
436 fprintf(output, "You might want to reset it\n");
437 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
438 fprintf(output, "\n");
444 glossary_option_help(void)
450 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
452 fprintf(output, "\n");
453 fprintf(output, "Usage: tshark -G [report]\n");
454 fprintf(output, "\n");
455 fprintf(output, "Glossary table reports:\n");
456 fprintf(output, " -G column-formats dump column format codes and exit\n");
457 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
458 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
459 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
460 fprintf(output, " -G fields dump fields glossary and exit\n");
461 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
462 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
463 fprintf(output, " -G plugins dump installed plugins and exit\n");
464 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
465 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
466 fprintf(output, "\n");
467 fprintf(output, "Preference reports:\n");
468 fprintf(output, " -G currentprefs dump current preferences and exit\n");
469 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
470 fprintf(output, " -G folders dump about:folders\n");
471 fprintf(output, "\n");
475 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
476 const gchar *message, gpointer user_data)
478 /* ignore log message, if log_level isn't interesting based
479 upon the console log preferences.
480 If the preferences haven't been loaded loaded yet, display the
483 The default console_log_level preference value is such that only
484 ERROR, CRITICAL and WARNING level messages are processed;
485 MESSAGE, INFO and DEBUG level messages are ignored.
487 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
488 ERROR and CRITICAL level messages so the current code is a behavioral
489 change. The current behavior is the same as in Wireshark.
491 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
492 prefs.console_log_level != 0) {
496 g_log_default_handler(log_domain, log_level, message, user_data);
501 output_file_description(const char *fname)
503 char *save_file_string;
505 /* Get a string that describes what we're writing to */
506 if (strcmp(fname, "-") == 0) {
507 /* We're writing to the standard output */
508 save_file_string = g_strdup("standard output");
510 /* We're writing to a file with the name in save_file */
511 save_file_string = g_strdup_printf("file \"%s\"", fname);
513 return save_file_string;
517 print_current_user(void) {
518 gchar *cur_user, *cur_group;
520 if (started_with_special_privs()) {
521 cur_user = get_cur_username();
522 cur_group = get_cur_groupname();
523 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
524 cur_user, cur_group);
527 if (running_with_special_privs()) {
528 fprintf(stderr, " This could be dangerous.");
530 fprintf(stderr, "\n");
535 get_tshark_compiled_version_info(GString *str)
537 /* Capture libraries */
538 get_compiled_caplibs_version(str);
542 get_tshark_runtime_version_info(GString *str)
545 /* Capture libraries */
546 g_string_append(str, ", ");
547 get_runtime_caplibs_version(str);
550 /* stuff used by libwireshark */
551 epan_get_runtime_version_info(str);
557 const char *constpath;
559 #if defined(HAVE_LIBSMI) || defined(HAVE_GEOIP) || defined(HAVE_EXTCAP)
567 * Fetching the "File" dialogs folder not implemented.
568 * This is arguably just a pwd for a ui/cli .
572 printf("%-21s\t%s\n", "Temp:", g_get_tmp_dir());
575 path = get_persconffile_path("", FALSE);
576 printf("%-21s\t%s\n", "Personal configuration:", path);
580 constpath = get_datafile_dir();
581 if (constpath != NULL) {
582 printf("%-21s\t%s\n", "Global configuration:", constpath);
586 constpath = get_systemfile_dir();
587 printf("%-21s\t%s\n", "System:", constpath);
590 constpath = get_progfile_dir();
591 printf("%-21s\t%s\n", "Program:", constpath);
593 #if defined(HAVE_PLUGINS) || defined(HAVE_LUA)
595 path = get_plugins_pers_dir();
597 printf("%-21s\t%s\n", "Personal Plugins:", path);
602 printf("%-21s\t%s\n", "Global Plugins:", get_plugin_dir());
607 path = geoip_db_get_paths();
609 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
611 for(i = 0; resultArray[i]; i++)
612 printf("%-21s\t%s\n", "GeoIP path:", g_strstrip(resultArray[i]));
614 g_strfreev(resultArray);
620 path = oid_get_default_mib_path();
621 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
623 for(i = 0; resultArray[i]; i++)
624 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
626 g_strfreev(resultArray);
632 constpath = get_extcap_dir();
634 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
635 for(i = 0; resultArray[i]; i++)
636 printf("%-21s\t%s\n", "Extcap path:", g_strstrip(resultArray[i]));
638 g_strfreev(resultArray);
644 main(int argc, char *argv[])
646 GString *comp_info_str;
647 GString *runtime_info_str;
648 char *init_progfile_dir_error;
650 static const struct option long_options[] = {
651 {"help", no_argument, NULL, 'h'},
652 {"version", no_argument, NULL, 'v'},
653 LONGOPT_CAPTURE_COMMON
654 LONGOPT_DISSECT_COMMON
655 {"export-objects", required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
658 gboolean arg_error = FALSE;
664 char *gpf_path, *pf_path;
665 char *gdp_path, *dp_path;
667 int gpf_open_errno, gpf_read_errno;
668 int pf_open_errno, pf_read_errno;
669 int gdp_open_errno, gdp_read_errno;
670 int dp_open_errno, dp_read_errno;
673 volatile int exit_status = EXIT_SUCCESS;
675 gboolean list_link_layer_types = FALSE;
676 gboolean start_capture = FALSE;
680 gboolean capture_option_specified = FALSE;
682 gboolean quiet = FALSE;
683 #ifdef PCAP_NG_DEFAULT
684 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
686 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
688 volatile gboolean out_file_name_res = FALSE;
689 volatile int in_file_type = WTAP_TYPE_AUTO;
690 gchar *volatile cf_name = NULL;
691 gchar *rfilter = NULL;
692 gchar *dfilter = NULL;
693 #ifdef HAVE_PCAP_OPEN_DEAD
694 struct bpf_program fcode;
696 dfilter_t *rfcode = NULL;
697 dfilter_t *dfcode = NULL;
701 gchar *output_only = NULL;
702 gchar *volatile pdu_export_arg = NULL;
703 exp_pdu_t exp_pdu_tap_data;
706 * The leading + ensures that getopt_long() does not permute the argv[]
709 * We have to make sure that the first getopt_long() preserves the content
710 * of argv[] for the subsequent getopt_long() call.
712 * We use getopt_long() in both cases to ensure that we're using a routine
713 * whose permutation behavior we can control in the same fashion on all
714 * platforms, and so that, if we ever need to process a long argument before
715 * doing further initialization, we can do so.
717 * Glibc and Solaris libc document that a leading + disables permutation
718 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
719 * and OS X don't document it, but do so anyway.
721 * We do *not* use a leading - because the behavior of a leading - is
722 * platform-dependent.
724 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON "C:e:E:F:gG:hH:j:J:lo:O:PqQr:R:S:T:U:vVw:W:xX:Y:z:"
726 static const char optstring[] = OPTSTRING;
728 tshark_debug("tshark started with %d args", argc);
730 /* Set the C-language locale to the native environment. */
731 setlocale(LC_ALL, "");
733 cmdarg_err_init(failure_message, failure_message_cont);
736 arg_list_utf_16to8(argc, argv);
737 create_app_running_mutex();
738 #if !GLIB_CHECK_VERSION(2,31,0)
744 * Get credential information for later use, and drop privileges
745 * before doing anything else.
746 * Let the user know if anything happened.
748 init_process_policies();
749 relinquish_special_privs_perm();
750 print_current_user();
753 * Attempt to get the pathname of the directory containing the
756 init_progfile_dir_error = init_progfile_dir(argv[0], main);
757 if (init_progfile_dir_error != NULL) {
759 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
760 "It won't be possible to capture traffic.\n"
761 "Report this to the Wireshark developers.",
762 init_progfile_dir_error);
763 g_free(init_progfile_dir_error);
766 initialize_funnel_ops();
769 ws_init_dll_search_path();
770 /* Load wpcap if possible. Do this before collecting the run-time version information */
773 /* Warn the user if npf.sys isn't loaded. */
774 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
775 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
776 "capturing or\nlisting interfaces.\n");
780 /* Get the compile-time version information string */
781 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
782 epan_get_compiled_version_info);
784 /* Get the run-time version information string */
785 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
787 /* Add it to the information to be reported on a crash. */
788 ws_add_crash_info("TShark (Wireshark) %s\n"
793 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
794 g_string_free(comp_info_str, TRUE);
795 g_string_free(runtime_info_str, TRUE);
797 /* Fail sometimes. Useful for testing fuzz scripts. */
798 /* if (g_random_int_range(0, 100) < 5) abort(); */
801 * In order to have the -X opts assigned before the wslua machine starts
802 * we need to call getopt_long before epan_init() gets called.
804 * In order to handle, for example, -o options, we also need to call it
805 * *after* epan_init() gets called, so that the dissectors have had a
806 * chance to register their preferences.
808 * XXX - can we do this all with one getopt_long() call, saving the
809 * arguments we can't handle until after initializing libwireshark,
810 * and then process them after initializing libwireshark?
814 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
816 case 'C': /* Configuration Profile */
817 if (profile_exists (optarg, FALSE)) {
818 set_profile_name (optarg);
820 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
821 exit_status = INVALID_OPTION;
825 case 'P': /* Print packet summary info even when writing to a file */
826 print_packet_info = TRUE;
827 print_summary = TRUE;
829 case 'O': /* Only output these protocols */
830 output_only = g_strdup(optarg);
832 case 'V': /* Verbose */
833 print_details = TRUE;
834 print_packet_info = TRUE;
836 case 'x': /* Print packet data in hex (and ASCII) */
838 /* The user asked for hex output, so let's ensure they get it,
839 * even if they're writing to a file.
841 print_packet_info = TRUE;
852 * Print packet summary information is the default, unless either -V or -x
853 * were specified and -P was not. Note that this is new behavior, which
854 * allows for the possibility of printing only hex/ascii output without
855 * necessarily requiring that either the summary or details be printed too.
857 if (print_summary == -1)
858 print_summary = (print_details || print_hex) ? FALSE : TRUE;
860 /** Send All g_log messages to our own handler **/
864 G_LOG_LEVEL_CRITICAL|
869 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
871 g_log_set_handler(NULL,
872 (GLogLevelFlags)log_flags,
873 tshark_log_handler, NULL /* user_data */);
874 g_log_set_handler(LOG_DOMAIN_MAIN,
875 (GLogLevelFlags)log_flags,
876 tshark_log_handler, NULL /* user_data */);
879 g_log_set_handler(LOG_DOMAIN_CAPTURE,
880 (GLogLevelFlags)log_flags,
881 tshark_log_handler, NULL /* user_data */);
882 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
883 (GLogLevelFlags)log_flags,
884 tshark_log_handler, NULL /* user_data */);
887 init_report_err(failure_message, open_failure_message, read_failure_message,
888 write_failure_message);
891 capture_opts_init(&global_capture_opts);
892 capture_session_init(&global_capture_session, &cfile);
895 timestamp_set_type(TS_RELATIVE);
896 timestamp_set_precision(TS_PREC_AUTO);
897 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
902 /* Register all the plugin types we have. */
903 epan_register_plugin_types(); /* Types known to libwireshark */
905 /* Scan for plugins. This does *not* call their registration routines;
906 that's done later. */
907 scan_plugins(REPORT_LOAD_FAILURE);
909 /* Register all libwiretap plugin modules. */
910 register_all_wiretap_modules();
913 /* Register all dissectors; we must do this before checking for the
914 "-G" flag, as the "-G" flag dumps information registered by the
915 dissectors, and we must do it before we read the preferences, in
916 case any dissectors register preferences. */
917 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
919 exit_status = INIT_FAILED;
923 /* Register all tap listeners; we do this before we parse the arguments,
924 as the "-z" argument can specify a registered tap. */
926 /* we register the plugin taps before the other taps because
927 stats_tree taps plugins will be registered as tap listeners
928 by stats_tree_stat.c and need to registered before that */
930 register_all_plugin_tap_listeners();
933 extcap_register_preferences();
935 register_all_tap_listeners();
936 conversation_table_set_gui_info(init_iousers);
937 hostlist_table_set_gui_info(init_hostlists);
938 srt_table_iterate_tables(register_srt_tables, NULL);
939 rtd_table_iterate_tables(register_rtd_tables, NULL);
940 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
942 /* If invoked with the "-G" flag, we dump out information based on
943 the argument to the "-G" flag; if no argument is specified,
944 for backwards compatibility we dump out a glossary of display
947 XXX - we do this here, for now, to support "-G" with no arguments.
948 If none of our build or other processes uses "-G" with no arguments,
949 we can just process it with the other arguments. */
950 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
951 proto_initialize_all_prefixes();
954 proto_registrar_dump_fields();
956 if (strcmp(argv[2], "column-formats") == 0)
957 column_dump_column_formats();
958 else if (strcmp(argv[2], "currentprefs") == 0) {
959 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
960 &pf_open_errno, &pf_read_errno, &pf_path);
963 else if (strcmp(argv[2], "decodes") == 0)
964 dissector_dump_decodes();
965 else if (strcmp(argv[2], "defaultprefs") == 0)
967 else if (strcmp(argv[2], "dissector-tables") == 0)
968 dissector_dump_dissector_tables();
969 else if (strcmp(argv[2], "fieldcount") == 0) {
970 /* return value for the test suite */
971 exit_status = proto_registrar_dump_fieldcount();
973 } else if (strcmp(argv[2], "fields") == 0)
974 proto_registrar_dump_fields();
975 else if (strcmp(argv[2], "folders") == 0)
977 else if (strcmp(argv[2], "ftypes") == 0)
978 proto_registrar_dump_ftypes();
979 else if (strcmp(argv[2], "heuristic-decodes") == 0)
980 dissector_dump_heur_decodes();
981 else if (strcmp(argv[2], "plugins") == 0) {
986 wslua_plugins_dump_all();
989 else if (strcmp(argv[2], "protocols") == 0)
990 proto_registrar_dump_protocols();
991 else if (strcmp(argv[2], "values") == 0)
992 proto_registrar_dump_values();
993 else if (strcmp(argv[2], "?") == 0)
994 glossary_option_help();
995 else if (strcmp(argv[2], "-?") == 0)
996 glossary_option_help();
998 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
999 exit_status = INVALID_OPTION;
1003 exit_status = EXIT_SUCCESS;
1007 /* load the decode as entries of this profile */
1008 load_decode_as_entries();
1010 tshark_debug("tshark reading preferences");
1012 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1013 &pf_open_errno, &pf_read_errno, &pf_path);
1014 if (gpf_path != NULL) {
1015 if (gpf_open_errno != 0) {
1016 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1017 pf_path, g_strerror(gpf_open_errno));
1019 if (gpf_read_errno != 0) {
1020 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1021 pf_path, g_strerror(gpf_read_errno));
1024 if (pf_path != NULL) {
1025 if (pf_open_errno != 0) {
1026 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1027 g_strerror(pf_open_errno));
1029 if (pf_read_errno != 0) {
1030 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1031 pf_path, g_strerror(pf_read_errno));
1037 read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno);
1038 if (cf_path != NULL) {
1039 cmdarg_err("Could not open your capture filter file\n\"%s\": %s.",
1040 cf_path, g_strerror(cf_open_errno));
1044 /* Read the disabled protocols file. */
1045 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1046 &dp_path, &dp_open_errno, &dp_read_errno);
1047 read_enabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1048 &dp_path, &dp_open_errno, &dp_read_errno);
1049 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1050 &dp_path, &dp_open_errno, &dp_read_errno);
1051 if (gdp_path != NULL) {
1052 if (gdp_open_errno != 0) {
1053 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1054 gdp_path, g_strerror(gdp_open_errno));
1056 if (gdp_read_errno != 0) {
1057 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1058 gdp_path, g_strerror(gdp_read_errno));
1062 if (dp_path != NULL) {
1063 if (dp_open_errno != 0) {
1065 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1066 g_strerror(dp_open_errno));
1068 if (dp_read_errno != 0) {
1070 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1071 g_strerror(dp_read_errno));
1076 cap_file_init(&cfile);
1078 /* Print format defaults to this. */
1079 print_format = PR_FMT_TEXT;
1081 output_fields = output_fields_new();
1084 * To reset the options parser, set optreset to 1 on platforms that
1085 * have optreset (documented in *BSD and OS X, apparently present but
1086 * not documented in Solaris - the Illumos repository seems to
1087 * suggest that the first Solaris getopt_long(), at least as of 2004,
1088 * was based on the NetBSD one, it had optreset) and set optind to 1,
1089 * and set optind to 0 otherwise (documented as working in the GNU
1090 * getopt_long(). Setting optind to 0 didn't originally work in the
1091 * NetBSD one, but that was added later - we don't want to depend on
1092 * it if we have optreset).
1094 * Also reset opterr to 1, so that error messages are printed by
1097 #ifdef HAVE_OPTRESET
1105 /* Now get our args */
1106 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1108 case '2': /* Perform two pass analysis */
1109 perform_two_pass_analysis = TRUE;
1111 case 'a': /* autostop criteria */
1112 case 'b': /* Ringbuffer option */
1113 case 'c': /* Capture x packets */
1114 case 'f': /* capture filter */
1115 case 'g': /* enable group read access on file(s) */
1116 case 'i': /* Use interface x */
1117 case 'p': /* Don't capture in promiscuous mode */
1118 #ifdef HAVE_PCAP_REMOTE
1119 case 'A': /* Authentication */
1121 #ifdef HAVE_PCAP_CREATE
1122 case 'I': /* Capture in monitor mode, if available */
1124 case 's': /* Set the snapshot (capture) length */
1125 case 'w': /* Write to capture file x */
1126 case 'y': /* Set the pcap data link type */
1127 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1128 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1129 case 'B': /* Buffer size */
1132 exit_status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1133 if (exit_status != 0) {
1139 * Output file name, if we're reading a file and writing to another
1142 output_file_name = optarg;
1144 capture_option_specified = TRUE;
1150 /* already processed; just ignore it now */
1152 case 'D': /* Print a list of capture devices and exit */
1154 if_list = capture_interface_list(&err, &err_str,NULL);
1155 if (if_list == NULL) {
1157 cmdarg_err("There are no interfaces on which a capture can be done");
1159 cmdarg_err("%s", err_str);
1162 exit_status = INVALID_INTERFACE;
1165 capture_opts_print_interfaces(if_list);
1166 free_interface_list(if_list);
1167 exit_status = EXIT_SUCCESS;
1170 capture_option_specified = TRUE;
1176 output_fields_add(output_fields, optarg);
1180 if (!output_fields_set_option(output_fields, optarg)) {
1181 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1182 output_fields_list_options(stderr);
1183 exit_status = INVALID_OPTION;
1188 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1189 if (out_file_type < 0) {
1190 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1191 list_capture_types();
1192 exit_status = INVALID_OPTION;
1197 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1200 protocolfilter_flags = PF_INCLUDE_CHILDREN;
1201 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1203 case 'W': /* Select extra information to save in our capture file */
1204 /* This is patterned after the -N flag which may not be the best idea. */
1205 if (strchr(optarg, 'n')) {
1206 out_file_name_res = TRUE;
1208 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1209 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1210 exit_status = INVALID_OPTION;
1214 case 'H': /* Read address to name mappings from a hosts file */
1215 if (! add_hosts_file(optarg))
1217 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1218 exit_status = INVALID_OPTION;
1221 out_file_name_res = TRUE;
1224 case 'h': /* Print help and exit */
1225 printf("TShark (Wireshark) %s\n"
1226 "Dump and analyze network traffic.\n"
1227 "See https://www.wireshark.org for more information.\n",
1228 get_ws_vcs_version_info());
1229 print_usage(stdout);
1230 exit_status = EXIT_SUCCESS;
1233 case 'l': /* "Line-buffer" standard output */
1234 /* This isn't line-buffering, strictly speaking, it's just
1235 flushing the standard output after the information for
1236 each packet is printed; however, that should be good
1237 enough for all the purposes to which "-l" is put (and
1238 is probably actually better for "-V", as it does fewer
1241 See the comment in "process_packet()" for an explanation of
1242 why we do that, and why we don't just use "setvbuf()" to
1243 make the standard output line-buffered (short version: in
1244 Windows, "line-buffered" is the same as "fully-buffered",
1245 and the output buffer is only flushed when it fills up). */
1246 line_buffered = TRUE;
1248 case 'L': /* Print list of link-layer types and exit */
1250 list_link_layer_types = TRUE;
1252 capture_option_specified = TRUE;
1256 case 'o': /* Override preference from command line */
1257 switch (prefs_set_pref(optarg)) {
1262 case PREFS_SET_SYNTAX_ERR:
1263 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1264 exit_status = INVALID_OPTION;
1268 case PREFS_SET_NO_SUCH_PREF:
1269 case PREFS_SET_OBSOLETE:
1270 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1271 exit_status = INVALID_OPTION;
1276 case 'q': /* Quiet */
1279 case 'Q': /* Really quiet */
1281 really_quiet = TRUE;
1283 case 'r': /* Read capture file x */
1284 cf_name = g_strdup(optarg);
1286 case 'R': /* Read file filter */
1290 /* already processed; just ignore it now */
1292 case 'S': /* Set the line Separator to be printed between packets */
1295 case 'T': /* printing Type */
1296 print_packet_info = TRUE;
1297 if (strcmp(optarg, "text") == 0) {
1298 output_action = WRITE_TEXT;
1299 print_format = PR_FMT_TEXT;
1300 } else if (strcmp(optarg, "ps") == 0) {
1301 output_action = WRITE_TEXT;
1302 print_format = PR_FMT_PS;
1303 } else if (strcmp(optarg, "pdml") == 0) {
1304 output_action = WRITE_XML;
1305 print_details = TRUE; /* Need details */
1306 print_summary = FALSE; /* Don't allow summary */
1307 } else if (strcmp(optarg, "psml") == 0) {
1308 output_action = WRITE_XML;
1309 print_details = FALSE; /* Don't allow details */
1310 print_summary = TRUE; /* Need summary */
1311 } else if (strcmp(optarg, "fields") == 0) {
1312 output_action = WRITE_FIELDS;
1313 print_details = TRUE; /* Need full tree info */
1314 print_summary = FALSE; /* Don't allow summary */
1315 } else if (strcmp(optarg, "json") == 0) {
1316 output_action = WRITE_JSON;
1317 print_details = TRUE; /* Need details */
1318 print_summary = FALSE; /* Don't allow summary */
1319 } else if (strcmp(optarg, "ek") == 0) {
1320 output_action = WRITE_EK;
1321 print_details = TRUE; /* Need details */
1322 print_summary = FALSE; /* Don't allow summary */
1325 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1326 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1327 "\t specified by the -E option.\n"
1328 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1329 "\t details of a decoded packet. This information is equivalent to\n"
1330 "\t the packet details printed with the -V flag.\n"
1331 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1332 "\t the packets, or a multi-line view of the details of each of\n"
1333 "\t the packets, depending on whether the -V flag was specified.\n"
1334 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1335 "\t summary information of a decoded packet. This information is\n"
1336 "\t equivalent to the information shown in the one-line summary\n"
1337 "\t printed by default.\n"
1338 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1339 "\t summary information of a decoded packet. This information is \n"
1340 "\t equivalent to the packet details printed with the -V flag.\n"
1341 "\t\"ek\" Packet Summary, an EK JSON-based format for the bulk insert \n"
1342 "\t into elastic search cluster. This information is \n"
1343 "\t equivalent to the packet details printed with the -V flag.\n"
1344 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1345 "\t packets, or a multi-line view of the details of each of the\n"
1346 "\t packets, depending on whether the -V flag was specified.\n"
1347 "\t This is the default.");
1348 exit_status = INVALID_OPTION;
1352 case 'U': /* Export PDUs to file */
1354 GSList *export_pdu_tap_name_list = NULL;
1357 cmdarg_err("Tap name is required! Valid names are:");
1358 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1359 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1361 exit_status = INVALID_OPTION;
1364 pdu_export_arg = g_strdup(optarg);
1367 case 'v': /* Show version and exit */
1368 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1369 epan_get_compiled_version_info);
1370 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1371 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1372 g_string_free(comp_info_str, TRUE);
1373 g_string_free(runtime_info_str, TRUE);
1374 /* We don't really have to cleanup here, but it's a convenient way to test
1375 * start-up and shut-down of the epan library without any UI-specific
1376 * cruft getting in the way. Makes the results of running
1377 * $ ./tools/valgrind-wireshark -n
1378 * much more useful. */
1383 exit_status = EXIT_SUCCESS;
1385 case 'O': /* Only output these protocols */
1386 /* already processed; just ignore it now */
1388 case 'V': /* Verbose */
1389 /* already processed; just ignore it now */
1391 case 'x': /* Print packet data in hex (and ASCII) */
1392 /* already processed; just ignore it now */
1395 /* already processed; just ignore it now */
1401 /* We won't call the init function for the stat this soon
1402 as it would disallow MATE's fields (which are registered
1403 by the preferences set callback) from being used as
1404 part of a tap filter. Instead, we just add the argument
1405 to a list of stat arguments. */
1406 if (strcmp("help", optarg) == 0) {
1407 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1408 list_stat_cmd_args();
1409 exit_status = EXIT_SUCCESS;
1412 if (!process_stat_cmd_arg(optarg)) {
1413 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1414 list_stat_cmd_args();
1415 exit_status = INVALID_OPTION;
1419 case 'd': /* Decode as rule */
1420 case 'K': /* Kerberos keytab file */
1421 case 'n': /* No name resolution */
1422 case 'N': /* Select what types of addresses/port #s to resolve */
1423 case 't': /* Time stamp type */
1424 case 'u': /* Seconds type */
1425 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1426 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1427 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1428 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1429 if (!dissect_opts_handle_opt(opt, optarg)) {
1430 exit_status = INVALID_OPTION;
1434 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1435 if (strcmp("help", optarg) == 0) {
1436 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1437 eo_list_object_types();
1438 exit_status = EXIT_SUCCESS;
1441 if (!eo_tap_opt_add(optarg)) {
1442 exit_status = INVALID_OPTION;
1447 case '?': /* Bad flag - print usage message */
1450 list_capture_types();
1453 print_usage(stderr);
1455 exit_status = INVALID_OPTION;
1461 /* If we specified output fields, but not the output field type... */
1462 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1463 cmdarg_err("Output fields were specified with \"-e\", "
1464 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1465 exit_status = INVALID_OPTION;
1467 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1468 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1469 "specified with \"-e\".");
1471 exit_status = INVALID_OPTION;
1475 /* If no capture filter or display filter has been specified, and there are
1476 still command-line arguments, treat them as the tokens of a capture
1477 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1478 flag was specified. */
1479 if (optind < argc) {
1480 if (cf_name != NULL) {
1481 if (dfilter != NULL) {
1482 cmdarg_err("Display filters were specified both with \"-d\" "
1483 "and with additional command-line arguments.");
1484 exit_status = INVALID_OPTION;
1487 dfilter = get_args_as_string(argc, argv, optind);
1492 if (global_capture_opts.default_options.cfilter) {
1493 cmdarg_err("A default capture filter was specified both with \"-f\""
1494 " and with additional command-line arguments.");
1495 exit_status = INVALID_OPTION;
1498 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1499 interface_options interface_opts;
1500 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1501 if (interface_opts.cfilter == NULL) {
1502 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1503 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1504 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1506 cmdarg_err("A capture filter was specified both with \"-f\""
1507 " and with additional command-line arguments.");
1508 exit_status = INVALID_OPTION;
1512 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1514 capture_option_specified = TRUE;
1520 if (!global_capture_opts.saving_to_file) {
1521 /* We're not saving the capture to a file; if "-q" wasn't specified,
1522 we should print packet information */
1524 print_packet_info = TRUE;
1526 /* We're saving to a file; if we're writing to the standard output.
1527 and we'll also be writing dissected packets to the standard
1528 output, reject the request. At best, we could redirect that
1529 to the standard error; we *can't* write both to the standard
1530 output and have either of them be useful. */
1531 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1532 cmdarg_err("You can't write both raw packet data and dissected packets"
1533 " to the standard output.");
1534 exit_status = INVALID_OPTION;
1539 /* We're not saving the capture to a file; if "-q" wasn't specified,
1540 we should print packet information */
1542 print_packet_info = TRUE;
1545 #ifndef HAVE_LIBPCAP
1546 if (capture_option_specified)
1547 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1550 print_usage(stderr);
1551 exit_status = INVALID_OPTION;
1556 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_EK) {
1557 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON or EK JSON");
1558 exit_status = INVALID_OPTION;
1563 if (output_only != NULL) {
1566 if (!print_details) {
1567 cmdarg_err("-O requires -V");
1568 exit_status = INVALID_OPTION;
1572 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1573 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1574 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1578 if (rfilter != NULL && !perform_two_pass_analysis) {
1579 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1580 exit_status = INVALID_OPTION;
1585 if (list_link_layer_types) {
1586 /* We're supposed to list the link-layer types for an interface;
1587 did the user also specify a capture file to be read? */
1589 /* Yes - that's bogus. */
1590 cmdarg_err("You can't specify -L and a capture file to be read.");
1591 exit_status = INVALID_OPTION;
1594 /* No - did they specify a ring buffer option? */
1595 if (global_capture_opts.multi_files_on) {
1596 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1597 exit_status = INVALID_OPTION;
1603 * "-r" was specified, so we're reading a capture file.
1604 * Capture options don't apply here.
1607 /* We don't support capture filters when reading from a capture file
1608 (the BPF compiler doesn't support all link-layer types that we
1609 support in capture files we read). */
1610 if (global_capture_opts.default_options.cfilter) {
1611 cmdarg_err("Only read filters, not capture filters, "
1612 "can be specified when reading a capture file.");
1613 exit_status = INVALID_OPTION;
1616 if (global_capture_opts.multi_files_on) {
1617 cmdarg_err("Multiple capture files requested, but "
1618 "a capture isn't being done.");
1619 exit_status = INVALID_OPTION;
1622 if (global_capture_opts.has_file_duration) {
1623 cmdarg_err("Switching capture files after a time interval was specified, but "
1624 "a capture isn't being done.");
1625 exit_status = INVALID_OPTION;
1628 if (global_capture_opts.has_ring_num_files) {
1629 cmdarg_err("A ring buffer of capture files was specified, but "
1630 "a capture isn't being done.");
1631 exit_status = INVALID_OPTION;
1634 if (global_capture_opts.has_autostop_files) {
1635 cmdarg_err("A maximum number of capture files was specified, but "
1636 "a capture isn't being done.");
1637 exit_status = INVALID_OPTION;
1640 if (global_capture_opts.capture_comment) {
1641 cmdarg_err("A capture comment was specified, but "
1642 "a capture isn't being done.\nThere's no support for adding "
1643 "a capture comment to an existing capture file.");
1644 exit_status = INVALID_OPTION;
1648 /* Note: TShark now allows the restriction of a _read_ file by packet count
1649 * and byte count as well as a write file. Other autostop options remain valid
1650 * only for a write file.
1652 if (global_capture_opts.has_autostop_duration) {
1653 cmdarg_err("A maximum capture time was specified, but "
1654 "a capture isn't being done.");
1655 exit_status = INVALID_OPTION;
1660 * "-r" wasn't specified, so we're doing a live capture.
1662 if (perform_two_pass_analysis) {
1663 /* Two-pass analysis doesn't work with live capture since it requires us
1664 * to buffer packets until we've read all of them, but a live capture
1665 * has no useful/meaningful definition of "all" */
1666 cmdarg_err("Live captures do not support two-pass analysis.");
1667 exit_status = INVALID_OPTION;
1671 if (global_capture_opts.saving_to_file) {
1672 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1674 /* When capturing, we only support writing pcap or pcap-ng format. */
1675 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1676 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1677 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1678 exit_status = INVALID_OPTION;
1681 if (global_capture_opts.capture_comment &&
1682 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1683 cmdarg_err("A capture comment can only be written to a pcapng file.");
1684 exit_status = INVALID_OPTION;
1687 if (global_capture_opts.multi_files_on) {
1688 /* Multiple-file mode doesn't work under certain conditions:
1689 a) it doesn't work if you're writing to the standard output;
1690 b) it doesn't work if you're writing to a pipe;
1692 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1693 cmdarg_err("Multiple capture files requested, but "
1694 "the capture is being written to the standard output.");
1695 exit_status = INVALID_OPTION;
1698 if (global_capture_opts.output_to_pipe) {
1699 cmdarg_err("Multiple capture files requested, but "
1700 "the capture file is a pipe.");
1701 exit_status = INVALID_OPTION;
1704 if (!global_capture_opts.has_autostop_filesize &&
1705 !global_capture_opts.has_file_duration) {
1706 cmdarg_err("Multiple capture files requested, but "
1707 "no maximum capture file size or duration was specified.");
1708 exit_status = INVALID_OPTION;
1712 /* Currently, we don't support read or display filters when capturing
1713 and saving the packets. */
1714 if (rfilter != NULL) {
1715 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1716 exit_status = INVALID_OPTION;
1719 if (dfilter != NULL) {
1720 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1721 exit_status = INVALID_OPTION;
1724 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1726 /* They didn't specify a "-w" flag, so we won't be saving to a
1727 capture file. Check for options that only make sense if
1728 we're saving to a file. */
1729 if (global_capture_opts.has_autostop_filesize) {
1730 cmdarg_err("Maximum capture file size specified, but "
1731 "capture isn't being saved to a file.");
1732 exit_status = INVALID_OPTION;
1735 if (global_capture_opts.multi_files_on) {
1736 cmdarg_err("Multiple capture files requested, but "
1737 "the capture isn't being saved to a file.");
1738 exit_status = INVALID_OPTION;
1741 if (global_capture_opts.capture_comment) {
1742 cmdarg_err("A capture comment was specified, but "
1743 "the capture isn't being saved to a file.");
1744 exit_status = INVALID_OPTION;
1753 /* Start windows sockets */
1754 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1757 /* Notify all registered modules that have had any of their preferences
1758 changed either from one of the preferences file or from the command
1759 line that their preferences have changed. */
1762 /* At this point MATE will have registered its field array so we can
1763 have a tap filter with one of MATE's late-registered fields as part
1764 of the filter. We can now process all the "-z" arguments. */
1765 start_requested_stats();
1767 /* We can also enable specified taps for export object */
1768 start_exportobjects();
1770 /* At this point MATE will have registered its field array so we can
1771 check if the fields specified by the user are all good.
1775 GSList *invalid_fields = output_fields_valid(output_fields);
1776 if (invalid_fields != NULL) {
1778 cmdarg_err("Some fields aren't valid:");
1779 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
1780 cmdarg_err_cont("\t%s", (gchar *)it->data);
1782 g_slist_free(invalid_fields);
1783 exit_status = INVALID_OPTION;
1788 /* We currently don't support taps, or printing dissected packets,
1789 if we're writing to a pipe. */
1790 if (global_capture_opts.saving_to_file &&
1791 global_capture_opts.output_to_pipe) {
1792 if (tap_listeners_require_dissection()) {
1793 cmdarg_err("Taps aren't supported when saving to a pipe.");
1794 exit_status = INVALID_OPTION;
1797 if (print_packet_info) {
1798 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1799 exit_status = INVALID_OPTION;
1805 if (ex_opt_count("read_format") > 0) {
1806 const gchar* name = ex_opt_get_next("read_format");
1807 in_file_type = open_info_name_to_type(name);
1808 if (in_file_type == WTAP_TYPE_AUTO) {
1809 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1810 list_read_capture_types();
1811 exit_status = INVALID_OPTION;
1816 timestamp_set_type(global_dissect_options.time_format);
1818 /* disabled protocols as per configuration file */
1819 if (gdp_path == NULL && dp_path == NULL) {
1820 set_disabled_protos_list();
1821 set_enabled_protos_list();
1822 set_disabled_heur_dissector_list();
1825 if(global_dissect_options.disable_protocol_slist) {
1826 GSList *proto_disable;
1827 for (proto_disable = global_dissect_options.disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
1829 proto_disable_proto_by_name((char*)proto_disable->data);
1833 if(global_dissect_options.enable_protocol_slist) {
1834 GSList *proto_enable;
1835 for (proto_enable = global_dissect_options.enable_protocol_slist; proto_enable != NULL; proto_enable = g_slist_next(proto_enable))
1837 proto_enable_proto_by_name((char*)proto_enable->data);
1841 if(global_dissect_options.enable_heur_slist) {
1842 GSList *heur_enable;
1843 for (heur_enable = global_dissect_options.enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
1845 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
1849 if(global_dissect_options.disable_heur_slist) {
1850 GSList *heur_disable;
1851 for (heur_disable = global_dissect_options.disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
1853 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
1857 /* Build the column format array */
1858 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1861 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1862 capture_opts_trim_ring_num_files(&global_capture_opts);
1865 if (rfilter != NULL) {
1866 tshark_debug("Compiling read filter: '%s'", rfilter);
1867 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
1868 cmdarg_err("%s", err_msg);
1874 #ifdef HAVE_PCAP_OPEN_DEAD
1878 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1880 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1882 " Note: That read filter code looks like a valid capture filter;\n"
1883 " maybe you mixed them up?");
1889 exit_status = INVALID_INTERFACE;
1893 cfile.rfcode = rfcode;
1895 if (dfilter != NULL) {
1896 tshark_debug("Compiling display filter: '%s'", dfilter);
1897 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
1898 cmdarg_err("%s", err_msg);
1904 #ifdef HAVE_PCAP_OPEN_DEAD
1908 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1910 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1912 " Note: That display filter code looks like a valid capture filter;\n"
1913 " maybe you mixed them up?");
1919 exit_status = INVALID_FILTER;
1923 cfile.dfcode = dfcode;
1925 if (print_packet_info) {
1926 /* If we're printing as text or PostScript, we have
1927 to create a print stream. */
1928 if (output_action == WRITE_TEXT) {
1929 switch (print_format) {
1932 print_stream = print_stream_text_stdio_new(stdout);
1936 print_stream = print_stream_ps_stdio_new(stdout);
1940 g_assert_not_reached();
1945 /* PDU export requested. Take the ownership of the '-w' file, apply tap
1946 * filters and start tapping. */
1947 if (pdu_export_arg) {
1948 const char *exp_pdu_filename;
1949 const char *exp_pdu_tap_name = pdu_export_arg;
1950 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
1951 char *exp_pdu_error;
1955 cmdarg_err("PDUs export requires a capture file (specify with -r).");
1956 exit_status = INVALID_OPTION;
1959 /* Take ownership of the '-w' output file. */
1961 exp_pdu_filename = global_capture_opts.save_file;
1962 global_capture_opts.save_file = NULL;
1964 exp_pdu_filename = output_file_name;
1965 output_file_name = NULL;
1967 if (exp_pdu_filename == NULL) {
1968 cmdarg_err("PDUs export requires an output file (-w).");
1969 exit_status = INVALID_OPTION;
1973 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
1975 if (exp_pdu_error) {
1976 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
1977 g_free(exp_pdu_error);
1978 exit_status = INVALID_TAP;
1982 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
1984 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
1985 exit_status = INVALID_FILE;
1989 /* Activate the export PDU tap */
1990 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd,
1991 g_strdup_printf("Dump of PDUs from %s", cf_name));
1993 cmdarg_err("Failed to start the PDU export: %s", g_strerror(err));
1994 exit_status = INVALID_EXPORT;
1999 /* We have to dissect each packet if:
2001 we're printing information about each packet;
2003 we're using a read filter on the packets;
2005 we're using a display filter on the packets;
2007 we're exporting PDUs;
2009 we're using any taps that need dissection. */
2010 do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg ||
2011 tap_listeners_require_dissection();
2012 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2015 tshark_debug("tshark: Opening capture file: %s", cf_name);
2017 * We're reading a capture file.
2019 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2024 exit_status = INVALID_FILE;
2028 /* Process the packets in the file */
2029 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2032 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2033 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2034 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2036 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2039 CATCH(OutOfMemoryError) {
2043 "Sorry, but TShark has to terminate now.\n"
2045 "More information and workarounds can be found at\n"
2046 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2051 /* We still dump out the results of taps, etc., as we might have
2052 read some packets; however, we exit with an error status. */
2056 if (pdu_export_arg) {
2057 err = exp_pdu_close(&exp_pdu_tap_data);
2059 cmdarg_err("%s", wtap_strerror(err));
2062 g_free(pdu_export_arg);
2065 tshark_debug("tshark: no capture file specified");
2066 /* No capture file specified, so we're supposed to do a live capture
2067 or get a list of link-layer types for a live capture device;
2068 do we have support for live captures? */
2070 /* if no interface was specified, pick a default */
2071 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2072 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2073 if (exit_status != 0) {
2077 /* if requested, list the link layer types and exit */
2078 if (list_link_layer_types) {
2081 /* Get the list of link-layer types for the capture devices. */
2082 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2083 interface_options interface_opts;
2084 if_capabilities_t *caps;
2085 char *auth_str = NULL;
2087 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2088 #ifdef HAVE_PCAP_REMOTE
2089 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2090 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2093 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2096 cmdarg_err("%s", err_str);
2098 exit_status = INVALID_CAPABILITY;
2101 if (caps->data_link_types == NULL) {
2102 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2103 exit_status = INVALID_DATA_LINK;
2106 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2107 free_if_capabilities(caps);
2109 exit_status = EXIT_SUCCESS;
2114 * If the standard error isn't a terminal, don't print packet counts,
2115 * as they won't show up on the user's terminal and they'll get in
2116 * the way of error messages in the file (to which we assume the
2117 * standard error was redirected; if it's redirected to the null
2118 * device, there's no point in printing packet counts anyway).
2120 * Otherwise, if we're printing packet information and the standard
2121 * output is a terminal (which we assume means the standard output and
2122 * error are going to the same terminal), don't print packet counts,
2123 * as they'll get in the way of the packet information.
2125 * Otherwise, if the user specified -q, don't print packet counts.
2127 * Otherwise, print packet counts.
2129 * XXX - what if the user wants to do a live capture, doesn't want
2130 * to save it to a file, doesn't want information printed for each
2131 * packet, does want some "-z" statistic, and wants packet counts
2132 * so they know whether they're seeing any packets? -q will
2133 * suppress the information printed for each packet, but it'll
2134 * also suppress the packet counts.
2136 if (!ws_isatty(ws_fileno(stderr)))
2137 print_packet_counts = FALSE;
2138 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2139 print_packet_counts = FALSE;
2141 print_packet_counts = FALSE;
2143 print_packet_counts = TRUE;
2145 if (print_packet_info) {
2146 if (!write_preamble(&cfile)) {
2147 show_print_file_io_error(errno);
2148 exit_status = INVALID_FILE;
2153 tshark_debug("tshark: performing live capture");
2155 * XXX - this returns FALSE if an error occurred, but it also
2156 * returns FALSE if the capture stops because a time limit
2157 * was reached (and possibly other limits), so we can't assume
2158 * it means an error.
2160 * The capture code is a bit twisty, so it doesn't appear to
2161 * be an easy fix. We just ignore the return value for now.
2162 * Instead, pass on the exit status from the capture child.
2165 exit_status = global_capture_session.fork_child_status;
2167 if (print_packet_info) {
2168 if (!write_finale()) {
2170 show_print_file_io_error(err);
2174 /* No - complain. */
2175 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2176 exit_status = INVALID_CAPTURE;
2183 if (cfile.frames != NULL) {
2184 free_frame_data_sequence(cfile.frames);
2185 cfile.frames = NULL;
2188 draw_tap_listeners(TRUE);
2189 funnel_dump_all_text_windows();
2190 epan_free(cfile.epan);
2196 output_fields_free(output_fields);
2197 output_fields = NULL;
2201 capture_opts_cleanup(&global_capture_opts);
2203 col_cleanup(&cfile.cinfo);
2204 free_filter_lists();
2208 /*#define USE_BROKEN_G_MAIN_LOOP*/
2210 #ifdef USE_BROKEN_G_MAIN_LOOP
2213 gboolean loop_running = FALSE;
2215 guint32 packet_count = 0;
2218 typedef struct pipe_input_tag {
2221 ws_process_id *child_process;
2222 pipe_input_cb_t input_cb;
2223 guint pipe_input_id;
2225 GMutex *callback_running;
2229 static pipe_input_t pipe_input;
2232 /* The timer has expired, see if there's stuff to read from the pipe,
2233 if so, do the callback */
2235 pipe_timer_cb(gpointer data)
2241 pipe_input_t *pipe_input_p = data;
2242 gint iterations = 0;
2244 g_mutex_lock (pipe_input_p->callback_running);
2246 /* try to read data from the pipe only 5 times, to avoid blocking */
2247 while(iterations < 5) {
2248 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2250 /* Oddly enough although Named pipes don't work on win9x,
2251 PeekNamedPipe does !!! */
2252 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2253 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2255 /* Get the child process exit status */
2256 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2259 /* If the Peek returned an error, or there are bytes to be read
2260 or the childwatcher thread has terminated then call the normal
2262 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2264 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2266 /* And call the real handler */
2267 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2268 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2269 /* pipe closed, return false so that the timer is stopped */
2270 g_mutex_unlock (pipe_input_p->callback_running);
2275 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2276 /* No data, stop now */
2283 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2285 g_mutex_unlock (pipe_input_p->callback_running);
2287 /* we didn't stopped the timer, so let it run */
2294 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2297 pipe_input.source = source;
2298 pipe_input.child_process = child_process;
2299 pipe_input.user_data = user_data;
2300 pipe_input.input_cb = input_cb;
2303 #if GLIB_CHECK_VERSION(2,31,0)
2304 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2305 g_mutex_init(pipe_input.callback_running);
2307 pipe_input.callback_running = g_mutex_new();
2309 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2310 do this but that doesn't cover all win32 platforms. GTK can do
2311 this but doesn't seem to work over processes. Attempt to do
2312 something similar here, start a timer and check for data on every
2314 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2315 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2319 static const nstime_t *
2320 tshark_get_frame_ts(void *data, guint32 frame_num)
2322 capture_file *cf = (capture_file *) data;
2324 if (ref && ref->num == frame_num)
2325 return &ref->abs_ts;
2327 if (prev_dis && prev_dis->num == frame_num)
2328 return &prev_dis->abs_ts;
2330 if (prev_cap && prev_cap->num == frame_num)
2331 return &prev_cap->abs_ts;
2334 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2336 return (fd) ? &fd->abs_ts : NULL;
2343 tshark_epan_new(capture_file *cf)
2345 epan_t *epan = epan_new();
2348 epan->get_frame_ts = tshark_get_frame_ts;
2349 epan->get_interface_name = cap_file_get_interface_name;
2350 epan->get_interface_description = cap_file_get_interface_description;
2351 epan->get_user_comment = NULL;
2363 #ifdef USE_TSHARK_SELECT
2367 struct sigaction action, oldaction;
2370 /* Create new dissection section. */
2371 epan_free(cfile.epan);
2372 cfile.epan = tshark_epan_new(&cfile);
2375 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2376 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2378 /* Catch SIGINT and SIGTERM and, if we get either of them,
2379 clean up and exit. If SIGHUP isn't being ignored, catch
2380 it too and, if we get it, clean up and exit.
2382 We restart any read that was in progress, so that it doesn't
2383 disrupt reading from the sync pipe. The signal handler tells
2384 the capture child to finish; it will report that it finished,
2385 or will exit abnormally, so we'll stop reading from the sync
2386 pipe, pick up the exit status, and quit. */
2387 memset(&action, 0, sizeof(action));
2388 action.sa_handler = capture_cleanup;
2389 action.sa_flags = SA_RESTART;
2390 sigemptyset(&action.sa_mask);
2391 sigaction(SIGTERM, &action, NULL);
2392 sigaction(SIGINT, &action, NULL);
2393 sigaction(SIGHUP, NULL, &oldaction);
2394 if (oldaction.sa_handler == SIG_DFL)
2395 sigaction(SIGHUP, &action, NULL);
2398 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2399 quiet mode, report the number of packets we've captured.
2401 Again, restart any read that was in progress, so that it doesn't
2402 disrupt reading from the sync pipe. */
2403 action.sa_handler = report_counts_siginfo;
2404 action.sa_flags = SA_RESTART;
2405 sigemptyset(&action.sa_mask);
2406 sigaction(SIGINFO, &action, NULL);
2407 #endif /* SIGINFO */
2410 global_capture_session.state = CAPTURE_PREPARING;
2412 /* Let the user know which interfaces were chosen. */
2413 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2414 interface_options interface_opts;
2416 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2417 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2418 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2419 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2421 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2422 if (really_quiet == FALSE)
2423 fprintf(stderr, "Capturing on %s\n", str->str);
2425 g_string_free(str, TRUE);
2427 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2432 /* the actual capture loop
2434 * XXX - glib doesn't seem to provide any event based loop handling.
2436 * XXX - for whatever reason,
2437 * calling g_main_loop_new() ends up in 100% cpu load.
2439 * But that doesn't matter: in UNIX we can use select() to find an input
2440 * source with something to do.
2442 * But that doesn't matter because we're in a CLI (that doesn't need to
2443 * update a GUI or something at the same time) so it's OK if we block
2444 * trying to read from the pipe.
2446 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2447 * wrong (but I leave it there in case I am...).
2450 #ifdef USE_TSHARK_SELECT
2452 FD_SET(pipe_input.source, &readfds);
2455 loop_running = TRUE;
2459 while (loop_running)
2461 #ifdef USE_TSHARK_SELECT
2462 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2466 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2468 } else if (ret == 1) {
2470 /* Call the real handler */
2471 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2472 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2475 #ifdef USE_TSHARK_SELECT
2480 CATCH(OutOfMemoryError) {
2484 "Sorry, but TShark has to terminate now.\n"
2486 "More information and workarounds can be found at\n"
2487 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2494 /* capture child detected an error */
2496 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2498 cmdarg_err("%s", error_msg);
2499 cmdarg_err_cont("%s", secondary_error_msg);
2503 /* capture child detected an capture filter related error */
2505 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2507 capture_options *capture_opts = cap_session->capture_opts;
2508 dfilter_t *rfcode = NULL;
2509 interface_options interface_opts;
2511 g_assert(i < capture_opts->ifaces->len);
2512 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2514 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2516 "Invalid capture filter \"%s\" for interface '%s'.\n"
2518 "That string looks like a valid display filter; however, it isn't a valid\n"
2519 "capture filter (%s).\n"
2521 "Note that display filters and capture filters don't have the same syntax,\n"
2522 "so you can't use most display filter expressions as capture filters.\n"
2524 "See the User's Guide for a description of the capture filter syntax.",
2525 interface_opts.cfilter, interface_opts.descr, error_message);
2526 dfilter_free(rfcode);
2529 "Invalid capture filter \"%s\" for interface '%s'.\n"
2531 "That string isn't a valid capture filter (%s).\n"
2532 "See the User's Guide for a description of the capture filter syntax.",
2533 interface_opts.cfilter, interface_opts.descr, error_message);
2538 /* capture child tells us we have a new (or the first) capture file */
2540 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2542 capture_options *capture_opts = cap_session->capture_opts;
2543 capture_file *cf = (capture_file *) cap_session->cf;
2544 gboolean is_tempfile;
2547 if (cap_session->state == CAPTURE_PREPARING) {
2548 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2550 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2552 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2554 /* free the old filename */
2555 if (capture_opts->save_file != NULL) {
2557 /* we start a new capture file, close the old one (if we had one before) */
2558 if (cf->state != FILE_CLOSED) {
2559 if (cf->wth != NULL) {
2560 wtap_close(cf->wth);
2563 cf->state = FILE_CLOSED;
2566 g_free(capture_opts->save_file);
2567 is_tempfile = FALSE;
2569 epan_free(cf->epan);
2570 cf->epan = tshark_epan_new(cf);
2572 /* we didn't had a save_file before, must be a tempfile */
2576 /* save the new filename */
2577 capture_opts->save_file = g_strdup(new_file);
2579 /* if we are in real-time mode, open the new file now */
2580 if (do_dissection) {
2581 /* this is probably unecessary, but better safe than sorry */
2582 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2583 /* Attempt to open the capture file and set up to read from it. */
2584 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2588 /* Don't unlink (delete) the save file - leave it around,
2589 for debugging purposes. */
2590 g_free(capture_opts->save_file);
2591 capture_opts->save_file = NULL;
2596 cap_session->state = CAPTURE_RUNNING;
2602 /* capture child tells us we have new packets to read */
2604 capture_input_new_packets(capture_session *cap_session, int to_read)
2610 capture_file *cf = (capture_file *)cap_session->cf;
2611 gboolean filtering_tap_listeners;
2616 * Prevent a SIGINFO handler from writing to the standard error while
2617 * we're doing so or writing to the standard output; instead, have it
2618 * just set a flag telling us to print that information when we're done.
2621 #endif /* SIGINFO */
2623 /* Do we have any tap listeners with filters? */
2624 filtering_tap_listeners = have_filtering_tap_listeners();
2626 /* Get the union of the flags for all tap listeners. */
2627 tap_flags = union_of_tap_listener_flags();
2629 if (do_dissection) {
2630 gboolean create_proto_tree;
2631 epan_dissect_t *edt;
2633 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2634 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2635 create_proto_tree = TRUE;
2637 create_proto_tree = FALSE;
2639 /* The protocol tree will be "visible", i.e., printed, only if we're
2640 printing packet details, which is true if we're printing stuff
2641 ("print_packet_info" is true) and we're in verbose mode
2642 ("packet_details" is true). */
2643 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2645 while (to_read-- && cf->wth) {
2646 wtap_cleareof(cf->wth);
2647 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2649 /* read from file failed, tell the capture child to stop */
2650 sync_pipe_stop(cap_session);
2651 wtap_close(cf->wth);
2654 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2655 wtap_buf_ptr(cf->wth),
2659 /* packet successfully read and gone through the "Read Filter" */
2664 epan_dissect_free(edt);
2668 * Dumpcap's doing all the work; we're not doing any dissection.
2669 * Count all the packets it wrote.
2671 packet_count += to_read;
2674 if (print_packet_counts) {
2675 /* We're printing packet counts. */
2676 if (packet_count != 0) {
2677 fprintf(stderr, "\r%u ", packet_count);
2678 /* stderr could be line buffered */
2685 * Allow SIGINFO handlers to write.
2690 * If a SIGINFO handler asked us to write out capture counts, do so.
2694 #endif /* SIGINFO */
2700 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2701 /* Report the count only if we aren't printing a packet count
2702 as packets arrive. */
2703 fprintf(stderr, "%u packet%s captured\n", packet_count,
2704 plurality(packet_count, "", "s"));
2707 infoprint = FALSE; /* we just reported it */
2708 #endif /* SIGINFO */
2713 report_counts_siginfo(int signum _U_)
2715 int sav_errno = errno;
2716 /* If we've been told to delay printing, just set a flag asking
2717 that we print counts (if we're supposed to), otherwise print
2718 the count of packets captured (if we're supposed to). */
2725 #endif /* SIGINFO */
2728 /* capture child detected any packet drops? */
2730 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2732 if (print_packet_counts) {
2733 /* We're printing packet counts to stderr.
2734 Send a newline so that we move to the line after the packet count. */
2735 fprintf(stderr, "\n");
2739 /* We're printing packet counts to stderr.
2740 Send a newline so that we move to the line after the packet count. */
2741 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2747 * Capture child closed its side of the pipe, report any error and
2748 * do the required cleanup.
2751 capture_input_closed(capture_session *cap_session, gchar *msg)
2753 capture_file *cf = (capture_file *) cap_session->cf;
2756 fprintf(stderr, "tshark: %s\n", msg);
2760 if (cf != NULL && cf->wth != NULL) {
2761 wtap_close(cf->wth);
2762 if (cf->is_tempfile) {
2763 ws_unlink(cf->filename);
2766 #ifdef USE_BROKEN_G_MAIN_LOOP
2767 /*g_main_loop_quit(loop);*/
2768 g_main_loop_quit(loop);
2770 loop_running = FALSE;
2779 capture_cleanup(DWORD ctrltype _U_)
2781 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2782 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2783 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2784 like SIGTERM at least when the machine's shutting down.
2786 For now, we handle them all as indications that we should clean up
2787 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2790 We must return TRUE so that no other handler - such as one that would
2791 terminate the process - gets called.
2793 XXX - for some reason, typing ^C to TShark, if you run this in
2794 a Cygwin console window in at least some versions of Cygwin,
2795 causes TShark to terminate immediately; this routine gets
2796 called, but the main loop doesn't get a chance to run and
2797 exit cleanly, at least if this is compiled with Microsoft Visual
2798 C++ (i.e., it's a property of the Cygwin console window or Bash;
2799 it happens if TShark is not built with Cygwin - for all I know,
2800 building it with Cygwin may make the problem go away). */
2802 /* tell the capture child to stop */
2803 sync_pipe_stop(&global_capture_session);
2805 /* don't stop our own loop already here, otherwise status messages and
2806 * cleanup wouldn't be done properly. The child will indicate the stop of
2807 * everything by calling capture_input_closed() later */
2813 capture_cleanup(int signum _U_)
2815 /* tell the capture child to stop */
2816 sync_pipe_stop(&global_capture_session);
2818 /* don't stop our own loop already here, otherwise status messages and
2819 * cleanup wouldn't be done properly. The child will indicate the stop of
2820 * everything by calling capture_input_closed() later */
2823 #endif /* HAVE_LIBPCAP */
2826 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2827 gint64 offset, struct wtap_pkthdr *whdr,
2834 /* The frame number of this packet is one more than the count of
2835 frames in this packet. */
2836 framenum = cf->count + 1;
2838 /* If we're not running a display filter and we're not printing any
2839 packet information, we don't need to do a dissection. This means
2840 that all packets can be marked as 'passed'. */
2843 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2845 /* If we're going to print packet information, or we're going to
2846 run a read filter, or display filter, or we're going to process taps, set up to
2847 do a dissection and do so. */
2849 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2850 gbl_resolv_flags.transport_name)
2851 /* Grab any resolved addresses */
2852 host_name_lookup_process();
2854 /* If we're running a read filter, prime the epan_dissect_t with that
2857 epan_dissect_prime_dfilter(edt, cf->rfcode);
2860 epan_dissect_prime_dfilter(edt, cf->dfcode);
2862 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2864 if (ref == &fdlocal) {
2865 ref_frame = fdlocal;
2869 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2871 /* Run the read filter if we have one. */
2873 passed = dfilter_apply_edt(cf->rfcode, edt);
2877 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2878 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2880 /* If we're not doing dissection then there won't be any dependent frames.
2881 * More importantly, edt.pi.dependent_frames won't be initialized because
2882 * epan hasn't been initialized.
2883 * if we *are* doing dissection, then mark the dependent frames, but only
2884 * if a display filter was given and it matches this packet.
2886 if (edt && cf->dfcode) {
2887 if (dfilter_apply_edt(cf->dfcode, edt)) {
2888 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2894 /* if we don't add it to the frame_data_sequence, clean it up right now
2896 frame_data_destroy(&fdlocal);
2900 epan_dissect_reset(edt);
2906 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2907 struct wtap_pkthdr *phdr, Buffer *buf,
2913 /* If we're not running a display filter and we're not printing any
2914 packet information, we don't need to do a dissection. This means
2915 that all packets can be marked as 'passed'. */
2918 /* If we're going to print packet information, or we're going to
2919 run a read filter, or we're going to process taps, set up to
2920 do a dissection and do so. */
2922 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2923 gbl_resolv_flags.transport_name)
2924 /* Grab any resolved addresses */
2925 host_name_lookup_process();
2927 /* If we're running a display filter, prime the epan_dissect_t with that
2930 epan_dissect_prime_dfilter(edt, cf->dfcode);
2932 col_custom_prime_edt(edt, &cf->cinfo);
2934 /* We only need the columns if either
2935 1) some tap needs the columns
2937 2) we're printing packet info but we're *not* verbose; in verbose
2938 mode, we print the protocol tree, not the protocol summary.
2940 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
2945 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2952 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2954 /* Run the read/display filter if we have one. */
2956 passed = dfilter_apply_edt(cf->dfcode, edt);
2960 frame_data_set_after_dissect(fdata, &cum_bytes);
2961 /* Process this packet. */
2962 if (print_packet_info) {
2963 /* We're printing packet information; print the information for
2965 print_packet(cf, edt);
2967 /* The ANSI C standard does not appear to *require* that a line-buffered
2968 stream be flushed to the host environment whenever a newline is
2969 written, it just says that, on such a stream, characters "are
2970 intended to be transmitted to or from the host environment as a
2971 block when a new-line character is encountered".
2973 The Visual C++ 6.0 C implementation doesn't do what is intended;
2974 even if you set a stream to be line-buffered, it still doesn't
2975 flush the buffer at the end of every line.
2977 So, if the "-l" flag was specified, we flush the standard output
2978 at the end of a packet. This will do the right thing if we're
2979 printing packet summary lines, and, as we print the entire protocol
2980 tree for a single packet without waiting for anything to happen,
2981 it should be as good as line-buffered mode if we're printing
2982 protocol trees. (The whole reason for the "-l" flag in either
2983 tcpdump or TShark is to allow the output of a live capture to
2984 be piped to a program or script and to have that script see the
2985 information for the packet as soon as it's printed, rather than
2986 having to wait until a standard I/O buffer fills up. */
2990 if (ferror(stdout)) {
2991 show_print_file_io_error(errno);
3000 epan_dissect_reset(edt);
3002 return passed || fdata->flags.dependent_of_displayed;
3006 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3007 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3010 int snapshot_length;
3014 gchar *err_info = NULL;
3016 char *save_file_string = NULL;
3017 gboolean filtering_tap_listeners;
3019 GArray *shb_hdrs = NULL;
3020 wtapng_iface_descriptions_t *idb_inf = NULL;
3021 GArray *nrb_hdrs = NULL;
3022 struct wtap_pkthdr phdr;
3024 epan_dissect_t *edt = NULL;
3025 char *shb_user_appl;
3027 wtap_phdr_init(&phdr);
3029 idb_inf = wtap_file_get_idb_info(cf->wth);
3030 #ifdef PCAP_NG_DEFAULT
3031 if (idb_inf->interface_data->len > 1) {
3032 linktype = WTAP_ENCAP_PER_PACKET;
3034 linktype = wtap_file_encap(cf->wth);
3037 linktype = wtap_file_encap(cf->wth);
3039 if (save_file != NULL) {
3040 /* Get a string that describes what we're writing to */
3041 save_file_string = output_file_description(save_file);
3043 /* Set up to write to the capture file. */
3044 snapshot_length = wtap_snapshot_length(cf->wth);
3045 if (snapshot_length == 0) {
3046 /* Snapshot length of input file not known. */
3047 snapshot_length = WTAP_MAX_PACKET_SIZE;
3049 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3051 shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth);
3052 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth);
3054 /* If we don't have an application name add Tshark */
3055 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3056 /* this is free'd by wtap_block_free() later */
3057 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3060 if (linktype != WTAP_ENCAP_PER_PACKET &&
3061 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3062 tshark_debug("tshark: writing PCAP format to %s", save_file);
3063 if (strcmp(save_file, "-") == 0) {
3064 /* Write to the standard output. */
3065 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3066 snapshot_length, FALSE /* compressed */, &err);
3068 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3069 snapshot_length, FALSE /* compressed */, &err);
3073 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3074 if (strcmp(save_file, "-") == 0) {
3075 /* Write to the standard output. */
3076 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3077 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3079 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3080 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3088 /* We couldn't set up to write to the capture file. */
3091 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3092 cmdarg_err("Capture files can't be written in that format.");
3095 case WTAP_ERR_UNWRITABLE_ENCAP:
3096 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3097 cmdarg_err("The capture file being read can't be written as a "
3098 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3101 case WTAP_ERR_CANT_OPEN:
3102 cmdarg_err("The %s couldn't be created for some "
3103 "unknown reason.", save_file_string);
3106 case WTAP_ERR_SHORT_WRITE:
3107 cmdarg_err("A full header couldn't be written to the %s.",
3112 cmdarg_err("The %s could not be created: %s.", save_file_string,
3113 wtap_strerror(err));
3119 if (print_packet_info) {
3120 if (!write_preamble(cf)) {
3122 show_print_file_io_error(err);
3131 /* Do we have any tap listeners with filters? */
3132 filtering_tap_listeners = have_filtering_tap_listeners();
3134 /* Get the union of the flags for all tap listeners. */
3135 tap_flags = union_of_tap_listener_flags();
3137 if (perform_two_pass_analysis) {
3140 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3142 /* Allocate a frame_data_sequence for all the frames. */
3143 cf->frames = new_frame_data_sequence();
3145 if (do_dissection) {
3146 gboolean create_proto_tree = FALSE;
3148 /* If we're going to be applying a filter, we'll need to
3149 create a protocol tree against which to apply the filter. */
3150 if (cf->rfcode || cf->dfcode)
3151 create_proto_tree = TRUE;
3153 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3155 /* We're not going to display the protocol tree on this pass,
3156 so it's not going to be "visible". */
3157 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3160 tshark_debug("tshark: reading records for first pass");
3161 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3162 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3163 wtap_buf_ptr(cf->wth))) {
3164 /* Stop reading if we have the maximum number of packets;
3165 * When the -c option has not been used, max_packet_count
3166 * starts at 0, which practically means, never stop reading.
3167 * (unless we roll over max_packet_count ?)
3169 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3170 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3171 max_packet_count, data_offset, max_byte_count);
3172 err = 0; /* This is not an error */
3179 epan_dissect_free(edt);
3183 /* Close the sequential I/O side, to free up memory it requires. */
3184 wtap_sequential_close(cf->wth);
3186 /* Allow the protocol dissectors to free up memory that they
3187 * don't need after the sequential run-through of the packets. */
3188 postseq_cleanup_all_protocols();
3192 ws_buffer_init(&buf, 1500);
3194 tshark_debug("tshark: done with first pass");
3196 if (do_dissection) {
3197 gboolean create_proto_tree;
3199 if (cf->dfcode || print_details || filtering_tap_listeners ||
3200 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3201 create_proto_tree = TRUE;
3203 create_proto_tree = FALSE;
3205 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3207 /* The protocol tree will be "visible", i.e., printed, only if we're
3208 printing packet details, which is true if we're printing stuff
3209 ("print_packet_info" is true) and we're in verbose mode
3210 ("packet_details" is true). */
3211 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3214 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3215 fdata = frame_data_sequence_find(cf->frames, framenum);
3216 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3218 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3219 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3221 /* Either there's no read filtering or this packet passed the
3222 filter, so, if we're writing to a capture file, write
3225 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3226 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3227 /* Error writing to a capture file */
3228 tshark_debug("tshark: error writing to a capture file (%d)", err);
3231 case WTAP_ERR_UNWRITABLE_ENCAP:
3233 * This is a problem with the particular frame we're writing
3234 * and the file type and subtype we're writing; note that,
3235 * and report the frame number and file type/subtype.
3237 * XXX - framenum is not necessarily the frame number in
3238 * the input file if there was a read filter.
3241 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3242 framenum, cf->filename,
3243 wtap_file_type_subtype_short_string(out_file_type));
3246 case WTAP_ERR_PACKET_TOO_LARGE:
3248 * This is a problem with the particular frame we're writing
3249 * and the file type and subtype we're writing; note that,
3250 * and report the frame number and file type/subtype.
3252 * XXX - framenum is not necessarily the frame number in
3253 * the input file if there was a read filter.
3256 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3257 framenum, cf->filename,
3258 wtap_file_type_subtype_short_string(out_file_type));
3261 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3263 * This is a problem with the particular record we're writing
3264 * and the file type and subtype we're writing; note that,
3265 * and report the record number and file type/subtype.
3267 * XXX - framenum is not necessarily the record number in
3268 * the input file if there was a read filter.
3271 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3272 framenum, cf->filename,
3273 wtap_file_type_subtype_short_string(out_file_type));
3276 case WTAP_ERR_UNWRITABLE_REC_DATA:
3278 * This is a problem with the particular record we're writing
3279 * and the file type and subtype we're writing; note that,
3280 * and report the record number and file type/subtype.
3282 * XXX - framenum is not necessarily the record number in
3283 * the input file if there was a read filter.
3286 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3287 framenum, cf->filename,
3288 wtap_file_type_subtype_short_string(out_file_type),
3289 err_info != NULL ? err_info : "no information supplied");
3294 show_capture_file_io_error(save_file, err, FALSE);
3297 wtap_dump_close(pdh, &err);
3298 wtap_block_array_free(shb_hdrs);
3299 wtap_block_array_free(nrb_hdrs);
3308 epan_dissect_free(edt);
3312 ws_buffer_free(&buf);
3314 tshark_debug("tshark: done with second pass");
3317 /* !perform_two_pass_analysis */
3320 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3322 if (do_dissection) {
3323 gboolean create_proto_tree;
3325 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3326 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3327 create_proto_tree = TRUE;
3329 create_proto_tree = FALSE;
3331 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3333 /* The protocol tree will be "visible", i.e., printed, only if we're
3334 printing packet details, which is true if we're printing stuff
3335 ("print_packet_info" is true) and we're in verbose mode
3336 ("packet_details" is true). */
3337 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3340 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3343 tshark_debug("tshark: processing packet #%d", framenum);
3345 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3346 wtap_buf_ptr(cf->wth),
3348 /* Either there's no read filtering or this packet passed the
3349 filter, so, if we're writing to a capture file, write
3352 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3353 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3354 /* Error writing to a capture file */
3355 tshark_debug("tshark: error writing to a capture file (%d)", err);
3358 case WTAP_ERR_UNWRITABLE_ENCAP:
3360 * This is a problem with the particular frame we're writing
3361 * and the file type and subtype we're writing; note that,
3362 * and report the frame number and file type/subtype.
3365 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3366 framenum, cf->filename,
3367 wtap_file_type_subtype_short_string(out_file_type));
3370 case WTAP_ERR_PACKET_TOO_LARGE:
3372 * This is a problem with the particular frame we're writing
3373 * and the file type and subtype we're writing; note that,
3374 * and report the frame number and file type/subtype.
3377 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3378 framenum, cf->filename,
3379 wtap_file_type_subtype_short_string(out_file_type));
3382 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3384 * This is a problem with the particular record we're writing
3385 * and the file type and subtype we're writing; note that,
3386 * and report the record number and file type/subtype.
3389 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3390 framenum, cf->filename,
3391 wtap_file_type_subtype_short_string(out_file_type));
3394 case WTAP_ERR_UNWRITABLE_REC_DATA:
3396 * This is a problem with the particular record we're writing
3397 * and the file type and subtype we're writing; note that,
3398 * and report the record number and file type/subtype.
3401 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3402 framenum, cf->filename,
3403 wtap_file_type_subtype_short_string(out_file_type),
3404 err_info != NULL ? err_info : "no information supplied");
3409 show_capture_file_io_error(save_file, err, FALSE);
3412 wtap_dump_close(pdh, &err);
3413 wtap_block_array_free(shb_hdrs);
3414 wtap_block_array_free(nrb_hdrs);
3419 /* Stop reading if we have the maximum number of packets;
3420 * When the -c option has not been used, max_packet_count
3421 * starts at 0, which practically means, never stop reading.
3422 * (unless we roll over max_packet_count ?)
3424 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3425 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3426 max_packet_count, data_offset, max_byte_count);
3427 err = 0; /* This is not an error */
3433 epan_dissect_free(edt);
3438 wtap_phdr_cleanup(&phdr);
3441 tshark_debug("tshark: something failed along the line (%d)", err);
3443 * Print a message noting that the read failed somewhere along the line.
3445 * If we're printing packet data, and the standard output and error are
3446 * going to the same place, flush the standard output, so everything
3447 * buffered up is written, and then print a newline to the standard error
3448 * before printing the error message, to separate it from the packet
3449 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3450 * the _fstat() documentation at Microsoft doesn't indicate whether
3451 * st_ino is even supported.)
3454 if (print_packet_info) {
3455 ws_statb64 stat_stdout, stat_stderr;
3457 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3458 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3459 stat_stdout.st_ino == stat_stderr.st_ino) {
3461 fprintf(stderr, "\n");
3468 case WTAP_ERR_UNSUPPORTED:
3469 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3471 err_info != NULL ? err_info : "no information supplied");
3475 case WTAP_ERR_SHORT_READ:
3476 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3480 case WTAP_ERR_BAD_FILE:
3481 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3483 err_info != NULL ? err_info : "no information supplied");
3487 case WTAP_ERR_DECOMPRESS:
3488 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3489 "(%s)", cf->filename,
3490 err_info != NULL ? err_info : "no information supplied");
3495 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3496 cf->filename, wtap_strerror(err));
3499 if (save_file != NULL) {
3500 /* Now close the capture file. */
3501 if (!wtap_dump_close(pdh, &err))
3502 show_capture_file_io_error(save_file, err, TRUE);
3505 if (save_file != NULL) {
3506 if (pdh && out_file_name_res) {
3507 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3508 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3509 wtap_file_type_subtype_short_string(out_file_type));
3512 /* Now close the capture file. */
3513 if (!wtap_dump_close(pdh, &err))
3514 show_capture_file_io_error(save_file, err, TRUE);
3516 if (print_packet_info) {
3517 if (!write_finale()) {
3519 show_print_file_io_error(err);
3526 wtap_close(cf->wth);
3529 g_free(save_file_string);
3530 wtap_block_array_free(shb_hdrs);
3531 wtap_block_array_free(nrb_hdrs);
3537 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3538 const guchar *pd, guint tap_flags)
3544 /* Count this packet. */
3547 /* If we're not running a display filter and we're not printing any
3548 packet information, we don't need to do a dissection. This means
3549 that all packets can be marked as 'passed'. */
3552 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3554 /* If we're going to print packet information, or we're going to
3555 run a read filter, or we're going to process taps, set up to
3556 do a dissection and do so. */
3558 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3559 gbl_resolv_flags.transport_name))
3560 /* Grab any resolved addresses */
3561 host_name_lookup_process();
3563 /* If we're running a filter, prime the epan_dissect_t with that
3566 epan_dissect_prime_dfilter(edt, cf->dfcode);
3568 col_custom_prime_edt(edt, &cf->cinfo);
3570 /* We only need the columns if either
3571 1) some tap needs the columns
3573 2) we're printing packet info but we're *not* verbose; in verbose
3574 mode, we print the protocol tree, not the protocol summary.
3576 3) there is a column mapped as an individual field */
3577 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3582 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3584 if (ref == &fdata) {
3589 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3591 /* Run the filter if we have it. */
3593 passed = dfilter_apply_edt(cf->dfcode, edt);
3597 frame_data_set_after_dissect(&fdata, &cum_bytes);
3599 /* Process this packet. */
3600 if (print_packet_info) {
3601 /* We're printing packet information; print the information for
3603 print_packet(cf, edt);
3605 /* The ANSI C standard does not appear to *require* that a line-buffered
3606 stream be flushed to the host environment whenever a newline is
3607 written, it just says that, on such a stream, characters "are
3608 intended to be transmitted to or from the host environment as a
3609 block when a new-line character is encountered".
3611 The Visual C++ 6.0 C implementation doesn't do what is intended;
3612 even if you set a stream to be line-buffered, it still doesn't
3613 flush the buffer at the end of every line.
3615 So, if the "-l" flag was specified, we flush the standard output
3616 at the end of a packet. This will do the right thing if we're
3617 printing packet summary lines, and, as we print the entire protocol
3618 tree for a single packet without waiting for anything to happen,
3619 it should be as good as line-buffered mode if we're printing
3620 protocol trees. (The whole reason for the "-l" flag in either
3621 tcpdump or TShark is to allow the output of a live capture to
3622 be piped to a program or script and to have that script see the
3623 information for the packet as soon as it's printed, rather than
3624 having to wait until a standard I/O buffer fills up. */
3628 if (ferror(stdout)) {
3629 show_print_file_io_error(errno);
3634 /* this must be set after print_packet() [bug #8160] */
3635 prev_dis_frame = fdata;
3636 prev_dis = &prev_dis_frame;
3639 prev_cap_frame = fdata;
3640 prev_cap = &prev_cap_frame;
3643 epan_dissect_reset(edt);
3644 frame_data_destroy(&fdata);
3650 write_preamble(capture_file *cf)
3652 switch (output_action) {
3655 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3659 write_pdml_preamble(stdout, cf->filename);
3661 write_psml_preamble(&cf->cinfo, stdout);
3662 return !ferror(stdout);
3665 write_fields_preamble(output_fields, stdout);
3666 return !ferror(stdout);
3669 write_json_preamble(stdout);
3670 return !ferror(stdout);
3673 return !ferror(stdout);
3676 g_assert_not_reached();
3682 get_line_buf(size_t len)
3684 static char *line_bufp = NULL;
3685 static size_t line_buf_len = 256;
3686 size_t new_line_buf_len;
3688 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3689 new_line_buf_len *= 2)
3691 if (line_bufp == NULL) {
3692 line_buf_len = new_line_buf_len;
3693 line_bufp = (char *)g_malloc(line_buf_len + 1);
3695 if (new_line_buf_len > line_buf_len) {
3696 line_buf_len = new_line_buf_len;
3697 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3704 put_string(char *dest, const char *str, size_t str_len)
3706 memcpy(dest, str, str_len);
3707 dest[str_len] = '\0';
3711 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3715 for (i = str_len; i < str_with_spaces; i++)
3718 put_string(dest, str, str_len);
3722 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3726 memcpy(dest, str, str_len);
3727 for (i = str_len; i < str_with_spaces; i++)
3730 dest[str_with_spaces] = '\0';
3734 print_columns(capture_file *cf)
3741 col_item_t* col_item;
3743 line_bufp = get_line_buf(256);
3746 for (i = 0; i < cf->cinfo.num_cols; i++) {
3747 col_item = &cf->cinfo.columns[i];
3748 /* Skip columns not marked as visible. */
3749 if (!get_column_visible(i))
3751 switch (col_item->col_fmt) {
3753 column_len = col_len = strlen(col_item->col_data);
3756 line_bufp = get_line_buf(buf_offset + column_len);
3757 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3763 case COL_ABS_YMD_TIME: /* XXX - wider */
3764 case COL_ABS_YDOY_TIME: /* XXX - wider */
3766 case COL_UTC_YMD_TIME: /* XXX - wider */
3767 case COL_UTC_YDOY_TIME: /* XXX - wider */
3768 column_len = col_len = strlen(col_item->col_data);
3769 if (column_len < 10)
3771 line_bufp = get_line_buf(buf_offset + column_len);
3772 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3778 case COL_DEF_DL_SRC:
3779 case COL_RES_DL_SRC:
3780 case COL_UNRES_DL_SRC:
3781 case COL_DEF_NET_SRC:
3782 case COL_RES_NET_SRC:
3783 case COL_UNRES_NET_SRC:
3784 column_len = col_len = strlen(col_item->col_data);
3785 if (column_len < 12)
3787 line_bufp = get_line_buf(buf_offset + column_len);
3788 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3794 case COL_DEF_DL_DST:
3795 case COL_RES_DL_DST:
3796 case COL_UNRES_DL_DST:
3797 case COL_DEF_NET_DST:
3798 case COL_RES_NET_DST:
3799 case COL_UNRES_NET_DST:
3800 column_len = col_len = strlen(col_item->col_data);
3801 if (column_len < 12)
3803 line_bufp = get_line_buf(buf_offset + column_len);
3804 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3808 column_len = strlen(col_item->col_data);
3809 line_bufp = get_line_buf(buf_offset + column_len);
3810 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3813 buf_offset += column_len;
3814 if (i != cf->cinfo.num_cols - 1) {
3816 * This isn't the last column, so we need to print a
3817 * separator between this column and the next.
3819 * If we printed a network source and are printing a
3820 * network destination of the same type next, separate
3821 * them with a UTF-8 right arrow; if we printed a network
3822 * destination and are printing a network source of the same
3823 * type next, separate them with a UTF-8 left arrow;
3824 * otherwise separate them with a space.
3826 * We add enough space to the buffer for " \xe2\x86\x90 "
3827 * or " \xe2\x86\x92 ", even if we're only adding " ".
3829 line_bufp = get_line_buf(buf_offset + 5);
3830 switch (col_item->col_fmt) {
3835 switch (cf->cinfo.columns[i+1].col_fmt) {
3840 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
3845 put_string(line_bufp + buf_offset, " ", 1);
3851 case COL_DEF_DL_SRC:
3852 case COL_RES_DL_SRC:
3853 case COL_UNRES_DL_SRC:
3854 switch (cf->cinfo.columns[i+1].col_fmt) {
3856 case COL_DEF_DL_DST:
3857 case COL_RES_DL_DST:
3858 case COL_UNRES_DL_DST:
3859 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
3864 put_string(line_bufp + buf_offset, " ", 1);
3870 case COL_DEF_NET_SRC:
3871 case COL_RES_NET_SRC:
3872 case COL_UNRES_NET_SRC:
3873 switch (cf->cinfo.columns[i+1].col_fmt) {
3875 case COL_DEF_NET_DST:
3876 case COL_RES_NET_DST:
3877 case COL_UNRES_NET_DST:
3878 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
3883 put_string(line_bufp + buf_offset, " ", 1);
3892 switch (cf->cinfo.columns[i+1].col_fmt) {
3897 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
3902 put_string(line_bufp + buf_offset, " ", 1);
3908 case COL_DEF_DL_DST:
3909 case COL_RES_DL_DST:
3910 case COL_UNRES_DL_DST:
3911 switch (cf->cinfo.columns[i+1].col_fmt) {
3913 case COL_DEF_DL_SRC:
3914 case COL_RES_DL_SRC:
3915 case COL_UNRES_DL_SRC:
3916 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
3921 put_string(line_bufp + buf_offset, " ", 1);
3927 case COL_DEF_NET_DST:
3928 case COL_RES_NET_DST:
3929 case COL_UNRES_NET_DST:
3930 switch (cf->cinfo.columns[i+1].col_fmt) {
3932 case COL_DEF_NET_SRC:
3933 case COL_RES_NET_SRC:
3934 case COL_UNRES_NET_SRC:
3935 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
3940 put_string(line_bufp + buf_offset, " ", 1);
3947 put_string(line_bufp + buf_offset, " ", 1);
3953 return print_line(print_stream, 0, line_bufp);
3957 print_packet(capture_file *cf, epan_dissect_t *edt)
3959 print_args_t print_args;
3961 if (print_summary || output_fields_has_cols(output_fields)) {
3962 /* Just fill in the columns. */
3963 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3965 if (print_summary) {
3966 /* Now print them. */
3967 switch (output_action) {
3970 if (!print_columns(cf))
3975 write_psml_columns(edt, stdout);
3976 return !ferror(stdout);
3977 case WRITE_FIELDS: /*No non-verbose "fields" format */
3980 g_assert_not_reached();
3985 if (print_details) {
3986 /* Print the information in the protocol tree. */
3987 switch (output_action) {
3990 /* Only initialize the fields that are actually used in proto_tree_print.
3991 * This is particularly important for .range, as that's heap memory which
3992 * we would otherwise have to g_free().
3993 print_args.to_file = TRUE;
3994 print_args.format = print_format;
3995 print_args.print_summary = print_summary;
3996 print_args.print_formfeed = FALSE;
3997 packet_range_init(&print_args.range, &cfile);
3999 print_args.print_hex = print_hex;
4000 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4002 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4005 if (!print_line(print_stream, 0, separator))
4011 write_pdml_proto_tree(output_fields, protocolfilter, protocolfilter_flags, edt, stdout);
4013 return !ferror(stdout);
4015 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4017 return !ferror(stdout);
4019 print_args.print_hex = print_hex;
4020 write_json_proto_tree(output_fields, &print_args, protocolfilter, protocolfilter_flags, edt, stdout);
4022 return !ferror(stdout);
4024 print_args.print_hex = print_hex;
4025 write_ek_proto_tree(output_fields, &print_args, protocolfilter, protocolfilter_flags, edt, stdout);
4026 return !ferror(stdout);
4030 if (print_summary || print_details) {
4031 if (!print_line(print_stream, 0, ""))
4034 if (!print_hex_data(print_stream, edt))
4036 if (!print_line(print_stream, 0, separator))
4045 switch (output_action) {
4048 return print_finale(print_stream);
4052 write_pdml_finale(stdout);
4054 write_psml_finale(stdout);
4055 return !ferror(stdout);
4058 write_fields_finale(output_fields, stdout);
4059 return !ferror(stdout);
4062 write_json_finale(stdout);
4063 return !ferror(stdout);
4066 return !ferror(stdout);
4069 g_assert_not_reached();
4075 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4079 char err_msg[2048+1];
4081 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4085 /* The open succeeded. Fill in the information for this file. */
4087 /* Create new epan session for dissection. */
4088 epan_free(cf->epan);
4089 cf->epan = tshark_epan_new(cf);
4092 cf->f_datalen = 0; /* not used, but set it anyway */
4094 /* Set the file name because we need it to set the follow stream filter.
4095 XXX - is that still true? We need it for other reasons, though,
4097 cf->filename = g_strdup(fname);
4099 /* Indicate whether it's a permanent or temporary file. */
4100 cf->is_tempfile = is_tempfile;
4102 /* No user changes yet. */
4103 cf->unsaved_changes = FALSE;
4105 cf->cd_t = wtap_file_type_subtype(cf->wth);
4106 cf->open_type = type;
4108 cf->drops_known = FALSE;
4110 cf->snap = wtap_snapshot_length(cf->wth);
4111 if (cf->snap == 0) {
4112 /* Snapshot length not known. */
4113 cf->has_snap = FALSE;
4114 cf->snap = WTAP_MAX_PACKET_SIZE;
4116 cf->has_snap = TRUE;
4117 nstime_set_zero(&cf->elapsed_time);
4122 cf->state = FILE_READ_IN_PROGRESS;
4124 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4125 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4130 g_snprintf(err_msg, sizeof err_msg,
4131 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4132 cmdarg_err("%s", err_msg);
4137 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4139 char *save_file_string;
4141 save_file_string = output_file_description(fname);
4146 cmdarg_err("Not all the packets could be written to the %s because there is "
4147 "no space left on the file system.",
4153 cmdarg_err("Not all the packets could be written to the %s because you are "
4154 "too close to, or over your disk quota.",
4159 case WTAP_ERR_CANT_CLOSE:
4160 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4164 case WTAP_ERR_SHORT_WRITE:
4165 cmdarg_err("Not all the packets could be written to the %s.",
4171 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4172 wtap_strerror(err));
4174 cmdarg_err("An error occurred while writing to the %s: %s.",
4175 save_file_string, wtap_strerror(err));
4179 g_free(save_file_string);
4183 show_print_file_io_error(int err)
4188 cmdarg_err("Not all the packets could be printed because there is "
4189 "no space left on the file system.");
4194 cmdarg_err("Not all the packets could be printed because you are "
4195 "too close to, or over your disk quota.");
4200 cmdarg_err("An error occurred while printing packets: %s.",
4207 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4211 static char errmsg_errno[1024+1];
4214 /* Wiretap error. */
4217 case WTAP_ERR_NOT_REGULAR_FILE:
4218 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4221 case WTAP_ERR_RANDOM_OPEN_PIPE:
4222 /* Seen only when opening a capture file for reading. */
4223 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4226 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4227 /* Seen only when opening a capture file for reading. */
4228 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4231 case WTAP_ERR_UNSUPPORTED:
4232 /* Seen only when opening a capture file for reading. */
4233 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4234 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4236 err_info != NULL ? err_info : "no information supplied");
4238 errmsg = errmsg_errno;
4241 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4242 /* Seen only when opening a capture file for writing. */
4243 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4244 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4245 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4246 errmsg = errmsg_errno;
4249 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4250 /* Seen only when opening a capture file for writing. */
4251 errmsg = "TShark doesn't support writing capture files in that format.";
4254 case WTAP_ERR_UNWRITABLE_ENCAP:
4255 /* Seen only when opening a capture file for writing. */
4256 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4257 "TShark can't save this capture as a \"%s\" file.",
4258 wtap_file_type_subtype_short_string(file_type));
4259 errmsg = errmsg_errno;
4262 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4264 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4265 "TShark can't save this capture as a \"%s\" file.",
4266 wtap_file_type_subtype_short_string(file_type));
4267 errmsg = errmsg_errno;
4269 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4272 case WTAP_ERR_BAD_FILE:
4273 /* Seen only when opening a capture file for reading. */
4274 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4275 "The file \"%%s\" appears to be damaged or corrupt.\n"
4277 err_info != NULL ? err_info : "no information supplied");
4279 errmsg = errmsg_errno;
4282 case WTAP_ERR_CANT_OPEN:
4284 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4286 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4289 case WTAP_ERR_SHORT_READ:
4290 errmsg = "The file \"%s\" appears to have been cut short"
4291 " in the middle of a packet or other data.";
4294 case WTAP_ERR_SHORT_WRITE:
4295 errmsg = "A full header couldn't be written to the file \"%s\".";
4298 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4299 errmsg = "This file type cannot be written as a compressed file.";
4302 case WTAP_ERR_DECOMPRESS:
4303 /* Seen only when opening a capture file for reading. */
4304 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4305 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4307 err_info != NULL ? err_info : "no information supplied");
4309 errmsg = errmsg_errno;
4313 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4314 "The file \"%%s\" could not be %s: %s.",
4315 for_writing ? "created" : "opened",
4316 wtap_strerror(err));
4317 errmsg = errmsg_errno;
4321 errmsg = file_open_error_message(err, for_writing);
4326 * Open/create errors are reported with an console message in TShark.
4329 open_failure_message(const char *filename, int err, gboolean for_writing)
4331 fprintf(stderr, "tshark: ");
4332 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4333 fprintf(stderr, "\n");
4337 * General errors are reported with an console message in TShark.
4340 failure_message(const char *msg_format, va_list ap)
4342 fprintf(stderr, "tshark: ");
4343 vfprintf(stderr, msg_format, ap);
4344 fprintf(stderr, "\n");
4348 * Read errors are reported with an console message in TShark.
4351 read_failure_message(const char *filename, int err)
4353 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4354 filename, g_strerror(err));
4358 * Write errors are reported with an console message in TShark.
4361 write_failure_message(const char *filename, int err)
4363 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4364 filename, g_strerror(err));
4368 * Report additional information for an error in command-line arguments.
4371 failure_message_cont(const char *msg_format, va_list ap)
4373 vfprintf(stderr, msg_format, ap);
4374 fprintf(stderr, "\n");
4378 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4383 * indent-tabs-mode: nil
4386 * vi: set shiftwidth=2 tabstop=8 expandtab:
4387 * :indentSize=2:tabSize=8:noTabs=true: