3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
48 #ifdef HAVE_SYS_STAT_H
49 # include <sys/stat.h>
53 #include "wsutil/wsgetopt.h"
57 #include <epan/epan.h>
58 #include <epan/filesystem.h>
59 #include <wsutil/privileges.h>
60 #include <wsutil/file_util.h>
63 #include <epan/timestamp.h>
64 #include <epan/packet.h>
66 #include "disabled_protos.h"
67 #include <epan/prefs.h>
68 #include <epan/column.h>
70 #include <epan/addr_resolv.h>
72 #include "clopts_common.h"
73 #include "console_io.h"
74 #include "cmdarg_err.h"
75 #include "version_info.h"
76 #include <epan/plugins.h>
78 #include <epan/epan_dissect.h>
80 #include <epan/stat_cmd_args.h>
81 #include <epan/timestamp.h>
82 #include <epan/ex-opt.h>
85 #include "capture_ui_utils.h"
86 #include "capture_ifinfo.h"
87 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
92 #include "capture_sync.h"
93 #endif /* HAVE_LIBPCAP */
95 #include <epan/funnel.h>
96 #include "capture_opts.h"
99 * This is the template for the decode as option; it is shared between the
100 * various functions that output the usage for this parameter.
102 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
104 static guint32 cum_bytes;
105 static nstime_t first_ts;
106 static frame_data *prev_dis;
107 static frame_data prev_dis_frame;
108 static frame_data *prev_cap;
109 static frame_data prev_cap_frame;
111 static gboolean print_packet_info; /* TRUE if we're to print packet information */
112 static const char* prev_display_dissector_name = NULL;
114 static gboolean perform_two_pass_analysis;
117 * The way the packet decode is to be written.
120 WRITE_TEXT, /* summary or detail text */
121 WRITE_XML, /* PDML or PSML */
122 WRITE_FIELDS /* User defined list of fields */
123 /* Add CSV and the like here */
126 static output_action_e output_action;
127 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
128 static gboolean verbose;
129 static gboolean print_hex;
130 static gboolean line_buffered;
132 static print_format_e print_format = PR_FMT_TEXT;
133 static print_stream_t *print_stream;
135 static output_fields_t* output_fields = NULL;
137 /* The line separator used between packets, changeable via the -S option */
138 static char *separator = "";
142 * TRUE if we're to print packet counts to keep track of captured packets.
144 static gboolean print_packet_counts;
146 static capture_options global_capture_opts;
149 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
150 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
153 static gboolean capture(void);
154 static void report_counts(void);
156 static BOOL WINAPI capture_cleanup(DWORD);
158 static void capture_cleanup(int);
160 static void report_counts_siginfo(int);
163 #endif /* HAVE_LIBPCAP */
165 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
166 static gboolean process_packet(capture_file *cf, gint64 offset,
167 struct wtap_pkthdr *whdr,
168 const guchar *pd, gboolean filtering_tap_listeners, guint tap_flags);
169 static void show_capture_file_io_error(const char *, int, gboolean);
170 static void show_print_file_io_error(int err);
171 static gboolean write_preamble(capture_file *cf);
172 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
173 static gboolean write_finale(void);
174 static const char *cf_open_error_message(int err, gchar *err_info,
175 gboolean for_writing, int file_type);
177 static void open_failure_message(const char *filename, int err,
178 gboolean for_writing);
179 static void failure_message(const char *msg_format, va_list ap);
180 static void read_failure_message(const char *filename, int err);
181 static void write_failure_message(const char *filename, int err);
186 const char *sstr; /* The short string */
187 const char *lstr; /* The long string */
191 string_compare(gconstpointer a, gconstpointer b)
193 return strcmp(((const struct string_elem *)a)->sstr,
194 ((const struct string_elem *)b)->sstr);
198 string_elem_print(gpointer data, gpointer not_used _U_)
200 fprintf(stderr, " %s - %s\n",
201 ((struct string_elem *)data)->sstr,
202 ((struct string_elem *)data)->lstr);
206 list_capture_types(void) {
208 struct string_elem *captypes;
211 captypes = g_malloc(sizeof(struct string_elem) * WTAP_NUM_FILE_TYPES);
213 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
214 for (i = 0; i < WTAP_NUM_FILE_TYPES; i++) {
215 if (wtap_dump_can_open(i)) {
216 captypes[i].sstr = wtap_file_type_short_string(i);
217 captypes[i].lstr = wtap_file_type_string(i);
218 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
221 g_slist_foreach(list, string_elem_print, NULL);
227 print_usage(gboolean print_ver)
234 "TShark " VERSION "%s\n"
235 "Dump and analyze network traffic.\n"
236 "See http://www.wireshark.org for more information.\n"
239 wireshark_svnversion, get_copyright_info());
243 fprintf(output, "\n");
244 fprintf(output, "Usage: tshark [options] ...\n");
245 fprintf(output, "\n");
248 fprintf(output, "Capture interface:\n");
249 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
250 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
251 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
252 fprintf(output, " -p don't capture in promiscuous mode\n");
253 #ifdef HAVE_PCAP_CREATE
254 fprintf(output, " -I capture in monitor mode, if available\n");
256 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
257 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
259 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
260 fprintf(output, " -D print list of interfaces and exit\n");
261 fprintf(output, " -L print list of link-layer types of iface and exit\n");
262 fprintf(output, "\n");
263 fprintf(output, "Capture stop conditions:\n");
264 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
265 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
266 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
267 fprintf(output, " files:NUM - stop after NUM files\n");
268 /*fprintf(output, "\n");*/
269 fprintf(output, "Capture output:\n");
270 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
271 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
272 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
273 #endif /* HAVE_LIBPCAP */
274 #ifdef HAVE_PCAP_REMOTE
275 fprintf(output, "RPCAP options:\n");
276 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
278 /*fprintf(output, "\n");*/
279 fprintf(output, "Input file:\n");
280 fprintf(output, " -r <infile> set the filename to read from (no pipes or stdin!)\n");
282 fprintf(output, "\n");
283 fprintf(output, "Processing:\n");
284 fprintf(output, " -2 perform a two-pass analysis\n");
285 fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
286 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
287 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
288 fprintf(output, " -d %s ...\n", decode_as_arg_template);
289 fprintf(output, " \"Decode As\", see the man page for details\n");
290 fprintf(output, " Example: tcp.port==8888,http\n");
291 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
292 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
294 /*fprintf(output, "\n");*/
295 fprintf(output, "Output:\n");
296 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
297 fprintf(output, " (or to the standard output for \"-\")\n");
298 fprintf(output, " -C <config profile> start with specified configuration profile\n");
299 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
300 fprintf(output, " an empty \"-F\" option will list the file types\n");
301 fprintf(output, " -V add output of packet tree (Packet Details)\n");
302 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
303 fprintf(output, " separated\n");
304 fprintf(output, " -P print packets even when writing to a file\n");
305 fprintf(output, " -S <separator> the line separator to print between packets\n");
306 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
307 fprintf(output, " -T pdml|ps|psml|text|fields\n");
308 fprintf(output, " format of text output (def: text)\n");
309 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port);\n");
310 fprintf(output, " this option can be repeated to print multiple fields\n");
311 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
312 fprintf(output, " header=y|n switch headers on and off\n");
313 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
314 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
315 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
316 fprintf(output, " aggregator\n");
317 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
318 fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
319 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
320 fprintf(output, " -l flush standard output after each packet\n");
321 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
322 fprintf(output, " -W n Save extra information in the file, if supported.\n");
323 fprintf(output, " n = write network address resolution information\n");
324 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
325 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
327 fprintf(output, "\n");
328 fprintf(output, "Miscellaneous:\n");
329 fprintf(output, " -h display this help and exit\n");
330 fprintf(output, " -v display version info and exit\n");
331 fprintf(output, " -o <name>:<value> ... override preference setting\n");
332 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
333 fprintf(output, " -G [report] dump one of several available reports and exit\n");
334 fprintf(output, " default report=\"fields\"\n");
335 fprintf(output, " use \"-G ?\" for more help\n");
339 glossary_option_help(void)
345 fprintf(output, "TShark " VERSION "%s\n", wireshark_svnversion);
347 fprintf(output, "\n");
348 fprintf(output, "Usage: tshark -G [report]\n");
349 fprintf(output, "\n");
350 fprintf(output, "Glossary table reports:\n");
351 fprintf(output, " -G [fields] dump glossary in original format and exit\n");
352 fprintf(output, " -G fields2 dump glossary in format 2 and exit\n");
353 fprintf(output, " -G fields3 dump glossary in format 3 and exit\n");
354 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
355 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
356 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
357 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
358 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
359 fprintf(output, "\n");
360 fprintf(output, "Preference reports:\n");
361 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
362 fprintf(output, " -G currentprefs dump current preferences and exit\n");
363 fprintf(output, "\n");
368 * For a dissector table, print on the stream described by output,
369 * its short name (which is what's used in the "-d" option) and its
373 display_dissector_table_names(const char *table_name, const char *ui_name,
376 if ((prev_display_dissector_name == NULL) ||
377 (strcmp(prev_display_dissector_name, table_name) != 0)) {
378 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
379 prev_display_dissector_name = table_name;
384 * For a dissector handle, print on the stream described by output,
385 * the filter name (which is what's used in the "-d" option) and the full
386 * name for the protocol that corresponds to this handle.
389 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
392 const gchar* proto_filter_name;
393 const gchar* proto_ui_name;
395 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
397 if (proto_id != -1) {
398 proto_filter_name = proto_get_protocol_filter_name(proto_id);
399 proto_ui_name = proto_get_protocol_name(proto_id);
400 g_assert(proto_filter_name != NULL);
401 g_assert(proto_ui_name != NULL);
403 if ((prev_display_dissector_name == NULL) ||
404 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
405 fprintf((FILE *)output, "\t%s (%s)\n",
408 prev_display_dissector_name = proto_filter_name;
414 * The protocol_name_search structure is used by find_protocol_name_func()
415 * to pass parameters and store results
417 struct protocol_name_search{
418 gchar *searched_name; /* Protocol filter name we are looking for */
419 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
420 guint nb_match; /* How many dissectors matched searched_name */
422 typedef struct protocol_name_search *protocol_name_search_t;
425 * This function parses all dissectors associated with a table to find the
426 * one whose protocol has the specified filter name. It is called
427 * as a reference function in a call to dissector_table_foreach_handle.
428 * The name we are looking for, as well as the results, are stored in the
429 * protocol_name_search struct pointed to by user_data.
430 * If called using dissector_table_foreach_handle, we actually parse the
431 * whole list of dissectors.
434 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
438 const gchar *protocol_filter_name;
439 protocol_name_search_t search_info;
443 search_info = (protocol_name_search_t)user_data;
445 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
446 if (proto_id != -1) {
447 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
448 g_assert(protocol_filter_name != NULL);
449 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
451 if (search_info->nb_match == 0) {
452 /* Record this handle only if this is the first match */
453 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
455 search_info->nb_match++;
461 * Allow dissector key names to be sorted alphabetically
465 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
467 return strcmp((const char*)dissector_a, (const char*)dissector_b);
471 * Print all layer type names supported.
472 * We send the output to the stream described by the handle output.
476 fprint_all_layer_types(FILE *output)
479 prev_display_dissector_name = NULL;
480 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
484 * Print all protocol names supported for a specific layer type.
485 * table_name contains the layer type name in which the search is performed.
486 * We send the output to the stream described by the handle output.
490 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
493 prev_display_dissector_name = NULL;
494 dissector_table_foreach_handle(table_name,
495 display_dissector_names,
500 * The function below parses the command-line parameters for the decode as
501 * feature (a string pointer by cl_param).
502 * It checks the format of the command-line, searches for a matching table
503 * and dissector. If a table/dissector match is not found, we display a
504 * summary of the available tables/dissectors (on stderr) and return FALSE.
505 * If everything is fine, we get the "Decode as" preference activated,
506 * then we return TRUE.
509 add_decode_as(const gchar *cl_param)
513 gchar *decoded_param;
514 gchar *remaining_param;
516 gchar *dissector_str;
517 dissector_handle_t dissector_matching;
518 dissector_table_t table_matching;
519 ftenum_t dissector_table_selector_type;
520 struct protocol_name_search user_protocol_name;
522 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
525 decoded_param = g_strdup(cl_param);
526 g_assert(decoded_param);
529 /* The lines below will parse this string (modifying it) to extract all
530 necessary information. Note that decoded_param is still needed since
531 strings are not copied - we just save pointers. */
533 /* This section extracts a layer type (table_name) from decoded_param */
534 table_name = decoded_param; /* Layer type string starts from beginning */
536 remaining_param = strchr(table_name, '=');
537 if (remaining_param == NULL) {
538 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
539 /* If the argument does not follow the template, carry on anyway to check
540 if the table name is at least correct. If remaining_param is NULL,
541 we'll exit anyway further down */
544 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
547 /* Remove leading and trailing spaces from the table name */
548 while ( table_name[0] == ' ' )
550 while ( table_name[strlen(table_name) - 1] == ' ' )
551 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
553 /* The following part searches a table matching with the layer type specified */
554 table_matching = NULL;
556 /* Look for the requested table */
557 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
558 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
561 table_matching = find_dissector_table(table_name);
562 if (!table_matching) {
563 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
567 if (!table_matching) {
568 /* Display a list of supported layer types to help the user, if the
569 specified layer type was not found */
570 cmdarg_err("Valid layer types are:");
571 fprint_all_layer_types(stderr);
573 if (remaining_param == NULL || !table_matching) {
574 /* Exit if the layer type was not found, or if no '=' separator was found
576 g_free(decoded_param);
580 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
581 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
584 remaining_param++; /* Move to the second '=' */
585 *remaining_param = '\0'; /* Remove the second '=' */
587 remaining_param++; /* Position after the layer type string */
589 /* This section extracts a selector value (selector_str) from decoded_param */
591 selector_str = remaining_param; /* Next part starts with the selector number */
593 remaining_param = strchr(selector_str, ',');
594 if (remaining_param == NULL) {
595 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
596 /* If the argument does not follow the template, carry on anyway to check
597 if the selector value is at least correct. If remaining_param is NULL,
598 we'll exit anyway further down */
601 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
604 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
606 switch (dissector_table_selector_type) {
612 /* The selector for this table is an unsigned number. Parse it as such.
613 There's no need to remove leading and trailing spaces from the
614 selector number string, because sscanf will do that for us. */
615 if ( sscanf(selector_str, "%u", &selector) != 1 ) {
616 cmdarg_err("Invalid selector number \"%s\"", selector_str);
617 g_free(decoded_param);
624 /* The selector for this table is a string. */
628 /* There are currently no dissector tables with any types other
629 than the ones listed above. */
630 g_assert_not_reached();
633 if (remaining_param == NULL) {
634 /* Exit if no ',' separator was found (see above) */
635 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
636 fprint_all_protocols_for_layer_types(stderr, table_name);
637 g_free(decoded_param);
641 remaining_param++; /* Position after the selector number string */
643 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
645 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
647 /* Remove leading and trailing spaces from the dissector name */
648 while ( dissector_str[0] == ' ' )
650 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
651 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
653 dissector_matching = NULL;
655 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
656 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
657 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
660 user_protocol_name.nb_match = 0;
661 user_protocol_name.searched_name = dissector_str;
662 user_protocol_name.matched_handle = NULL;
664 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
666 if (user_protocol_name.nb_match != 0) {
667 dissector_matching = user_protocol_name.matched_handle;
668 if (user_protocol_name.nb_match > 1) {
669 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
673 /* OK, check whether the problem is that there isn't any such
674 protocol, or that there is but it's not specified as a protocol
675 that's valid for that dissector table.
676 Note, we don't exit here, but dissector_matching will remain NULL,
678 if (proto_get_id_by_filter_name(dissector_str) == -1) {
679 /* No such protocol */
680 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
682 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
683 dissector_str, table_name);
688 if (!dissector_matching) {
689 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
690 fprint_all_protocols_for_layer_types(stderr, table_name);
691 g_free(decoded_param);
695 /* This is the end of the code that parses the command-line options.
696 All information is now stored in the variables:
700 The above variables that are strings are still pointing to areas within
701 decoded_parm. decoded_parm thus still needs to be kept allocated in
702 until we stop needing these variables
703 decoded_param will be deallocated at each exit point of this function */
706 /* We now have a pointer to the handle for the requested dissector
707 (requested protocol) inside the variable dissector_matching */
708 switch (dissector_table_selector_type) {
714 /* The selector for this table is an unsigned number. */
715 dissector_change_uint(table_name, selector, dissector_matching);
720 /* The selector for this table is a string. */
721 dissector_change_string(table_name, selector_str, dissector_matching);
725 /* There are currently no dissector tables with any types other
726 than the ones listed above. */
727 g_assert_not_reached();
729 g_free(decoded_param); /* "Decode As" rule has been successfully added */
734 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
735 const gchar *message, gpointer user_data)
737 /* ignore log message, if log_level isn't interesting based
738 upon the console log preferences.
739 If the preferences haven't been loaded loaded yet, display the
742 The default console_log_level preference value is such that only
743 ERROR, CRITICAL and WARNING level messages are processed;
744 MESSAGE, INFO and DEBUG level messages are ignored.
746 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
747 ERROR and CRITICAL level messages so the current code is a behavioral
748 change. The current behavior is the same as in Wireshark.
750 if((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
751 prefs.console_log_level != 0) {
755 g_log_default_handler(log_domain, log_level, message, user_data);
760 output_file_description(const char *fname)
762 char *save_file_string;
764 /* Get a string that describes what we're writing to */
765 if (strcmp(fname, "-") == 0) {
766 /* We're writing to the standard output */
767 save_file_string = g_strdup("standard output");
769 /* We're writing to a file with the name in save_file */
770 save_file_string = g_strdup_printf("file \"%s\"", fname);
772 return save_file_string;
776 print_current_user(void) {
777 gchar *cur_user, *cur_group;
778 if (started_with_special_privs()) {
779 cur_user = get_cur_username();
780 cur_group = get_cur_groupname();
781 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
782 cur_user, cur_group);
785 if (running_with_special_privs()) {
786 fprintf(stderr, " This could be dangerous.");
788 fprintf(stderr, "\n");
793 check_capture_privs(void) {
796 /* Warn the user if npf.sys isn't loaded. */
797 if (!npf_sys_is_running() && get_os_major_version() >= 6) {
798 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
799 "capturing or\nlisting interfaces.\n");
805 show_version(GString *comp_info_str, GString *runtime_info_str)
807 printf("TShark " VERSION "%s\n"
814 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
815 runtime_info_str->str);
819 main(int argc, char *argv[])
821 char *init_progfile_dir_error;
823 gboolean arg_error = FALSE;
829 char *gpf_path, *pf_path;
830 char *gdp_path, *dp_path;
831 int gpf_open_errno, gpf_read_errno;
832 int pf_open_errno, pf_read_errno;
833 int gdp_open_errno, gdp_read_errno;
834 int dp_open_errno, dp_read_errno;
836 volatile int exit_status = 0;
838 gboolean list_link_layer_types = FALSE;
839 gboolean start_capture = FALSE;
844 interface_options interface_opts;
846 gboolean capture_option_specified = FALSE;
848 gboolean quiet = FALSE;
849 #ifdef PCAP_NG_DEFAULT
850 volatile int out_file_type = WTAP_FILE_PCAPNG;
852 volatile int out_file_type = WTAP_FILE_PCAP;
854 volatile gboolean out_file_name_res = FALSE;
855 gchar *volatile cf_name = NULL;
856 gchar *rfilter = NULL;
857 #ifdef HAVE_PCAP_OPEN_DEAD
858 struct bpf_program fcode;
860 dfilter_t *rfcode = NULL;
863 GLogLevelFlags log_flags;
865 gchar *output_only = NULL;
867 #ifdef HAVE_PCAP_REMOTE
868 #define OPTSTRING_A "A:"
870 #define OPTSTRING_A ""
873 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
874 #define OPTSTRING_B "B:"
876 #define OPTSTRING_B ""
877 #endif /* _WIN32 or HAVE_PCAP_CREATE */
878 #else /* HAVE_LIBPCAP */
879 #define OPTSTRING_B ""
880 #endif /* HAVE_LIBPCAP */
882 #ifdef HAVE_PCAP_CREATE
883 #define OPTSTRING_I "I"
885 #define OPTSTRING_I ""
888 #define OPTSTRING "2a:" OPTSTRING_A "b:" OPTSTRING_B "c:C:d:De:E:f:F:G:hH:i:" OPTSTRING_I "K:lLnN:o:O:pPqr:R:s:S:t:T:u:vVw:W:xX:y:z:"
890 static const char optstring[] = OPTSTRING;
893 arg_list_utf_16to8(argc, argv);
894 #if !GLIB_CHECK_VERSION(2,31,0)
900 * Get credential information for later use.
902 init_process_policies();
905 * Attempt to get the pathname of the executable file.
907 init_progfile_dir_error = init_progfile_dir(argv[0], main);
908 if (init_progfile_dir_error != NULL) {
909 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
910 init_progfile_dir_error);
914 * In order to have the -X opts assigned before the wslua machine starts
915 * we need to call getopts before epan_init() gets called.
918 optind_initial = optind;
920 while ((opt = getopt(argc, argv, optstring)) != -1) {
922 case 'C': /* Configuration Profile */
923 if (profile_exists (optarg, FALSE)) {
924 set_profile_name (optarg);
926 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
938 optind = optind_initial;
943 /** Send All g_log messages to our own handler **/
947 G_LOG_LEVEL_CRITICAL|
952 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
954 g_log_set_handler(NULL,
956 tshark_log_handler, NULL /* user_data */);
957 g_log_set_handler(LOG_DOMAIN_MAIN,
959 tshark_log_handler, NULL /* user_data */);
962 g_log_set_handler(LOG_DOMAIN_CAPTURE,
964 tshark_log_handler, NULL /* user_data */);
965 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
967 tshark_log_handler, NULL /* user_data */);
970 initialize_funnel_ops();
973 capture_opts_init(&global_capture_opts, &cfile);
976 timestamp_set_type(TS_RELATIVE);
977 timestamp_set_precision(TS_PREC_AUTO);
978 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
980 /* Register all dissectors; we must do this before checking for the
981 "-G" flag, as the "-G" flag dumps information registered by the
982 dissectors, and we must do it before we read the preferences, in
983 case any dissectors register preferences. */
984 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
985 failure_message, open_failure_message, read_failure_message,
986 write_failure_message);
988 /* Register all tap listeners; we do this before we parse the arguments,
989 as the "-z" argument can specify a registered tap. */
991 /* we register the plugin taps before the other taps because
992 stats_tree taps plugins will be registered as tap listeners
993 by stats_tree_stat.c and need to registered before that */
995 register_all_plugin_tap_listeners();
997 register_all_tap_listeners();
999 /* If invoked with the "-G" flag, we dump out information based on
1000 the argument to the "-G" flag; if no argument is specified,
1001 for backwards compatibility we dump out a glossary of display
1004 XXX - we do this here, for now, to support "-G" with no arguments.
1005 If none of our build or other processes uses "-G" with no arguments,
1006 we can just process it with the other arguments. */
1007 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1008 proto_initialize_all_prefixes();
1011 proto_registrar_dump_fields(1);
1013 if (strcmp(argv[2], "fields") == 0)
1014 proto_registrar_dump_fields(1);
1015 else if (strcmp(argv[2], "fields2") == 0)
1016 proto_registrar_dump_fields(2);
1017 else if (strcmp(argv[2], "fields3") == 0)
1018 proto_registrar_dump_fields(3);
1019 else if (strcmp(argv[2], "protocols") == 0)
1020 proto_registrar_dump_protocols();
1021 else if (strcmp(argv[2], "values") == 0)
1022 proto_registrar_dump_values();
1023 else if (strcmp(argv[2], "ftypes") == 0)
1024 proto_registrar_dump_ftypes();
1025 else if (strcmp(argv[2], "decodes") == 0)
1026 dissector_dump_decodes();
1027 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1028 dissector_dump_heur_decodes();
1029 else if (strcmp(argv[2], "defaultprefs") == 0)
1031 else if (strcmp(argv[2], "plugins") == 0)
1033 else if (strcmp(argv[2], "?") == 0)
1034 glossary_option_help();
1035 else if (strcmp(argv[2], "-?") == 0)
1036 glossary_option_help();
1037 else if (strcmp(argv[2], "currentprefs") == 0) {
1038 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1039 &pf_open_errno, &pf_read_errno, &pf_path);
1042 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1049 /* Set the C-language locale to the native environment. */
1050 setlocale(LC_ALL, "");
1052 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1053 &pf_open_errno, &pf_read_errno, &pf_path);
1054 if (gpf_path != NULL) {
1055 if (gpf_open_errno != 0) {
1056 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1057 pf_path, g_strerror(gpf_open_errno));
1059 if (gpf_read_errno != 0) {
1060 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1061 pf_path, g_strerror(gpf_read_errno));
1064 if (pf_path != NULL) {
1065 if (pf_open_errno != 0) {
1066 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1067 g_strerror(pf_open_errno));
1069 if (pf_read_errno != 0) {
1070 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1071 pf_path, g_strerror(pf_read_errno));
1077 /* Read the disabled protocols file. */
1078 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1079 &dp_path, &dp_open_errno, &dp_read_errno);
1080 if (gdp_path != NULL) {
1081 if (gdp_open_errno != 0) {
1082 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1083 gdp_path, g_strerror(gdp_open_errno));
1085 if (gdp_read_errno != 0) {
1086 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1087 gdp_path, g_strerror(gdp_read_errno));
1091 if (dp_path != NULL) {
1092 if (dp_open_errno != 0) {
1094 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1095 g_strerror(dp_open_errno));
1097 if (dp_read_errno != 0) {
1099 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1100 g_strerror(dp_read_errno));
1105 check_capture_privs();
1107 cap_file_init(&cfile);
1109 /* Print format defaults to this. */
1110 print_format = PR_FMT_TEXT;
1112 output_fields = output_fields_new();
1114 /* Now get our args */
1115 while ((opt = getopt(argc, argv, optstring)) != -1) {
1117 case '2': /* Perform two pass analysis */
1118 perform_two_pass_analysis = TRUE;
1120 case 'a': /* autostop criteria */
1121 case 'b': /* Ringbuffer option */
1122 case 'c': /* Capture x packets */
1123 case 'f': /* capture filter */
1124 case 'i': /* Use interface x */
1125 case 'p': /* Don't capture in promiscuous mode */
1126 #ifdef HAVE_PCAP_REMOTE
1127 case 'A': /* Authentication */
1129 #ifdef HAVE_PCAP_CREATE
1130 case 'I': /* Capture in monitor mode, if available */
1132 case 's': /* Set the snapshot (capture) length */
1133 case 'w': /* Write to capture file x */
1134 case 'y': /* Set the pcap data link type */
1135 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1136 case 'B': /* Buffer size */
1137 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1139 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1144 capture_option_specified = TRUE;
1149 /* Configuration profile settings were already processed just ignore them this time*/
1151 case 'd': /* Decode as rule */
1152 if (!add_decode_as(optarg))
1155 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1156 case 'K': /* Kerberos keytab file */
1157 read_keytab_file(optarg);
1160 case 'D': /* Print a list of capture devices and exit */
1162 if_list = capture_interface_list(&err, &err_str);
1163 if (if_list == NULL) {
1165 case CANT_GET_INTERFACE_LIST:
1166 case DONT_HAVE_PCAP:
1167 cmdarg_err("%s", err_str);
1171 case NO_INTERFACES_FOUND:
1172 cmdarg_err("There are no interfaces on which a capture can be done");
1177 capture_opts_print_interfaces(if_list);
1178 free_interface_list(if_list);
1181 capture_option_specified = TRUE;
1187 output_fields_add(output_fields, optarg);
1191 if(!output_fields_set_option(output_fields, optarg)) {
1192 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1193 output_fields_list_options(stderr);
1198 out_file_type = wtap_short_string_to_file_type(optarg);
1199 if (out_file_type < 0) {
1200 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1201 list_capture_types();
1205 case 'W': /* Select extra information to save in our capture file */
1206 /* This is patterned after the -N flag which may not be the best idea. */
1207 if (strchr(optarg, 'n'))
1208 out_file_name_res = TRUE;
1210 case 'H': /* Read address to name mappings from a hosts file */
1211 if (! read_hosts_file(optarg))
1213 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1216 out_file_name_res = TRUE;
1219 case 'h': /* Print help and exit */
1223 case 'l': /* "Line-buffer" standard output */
1224 /* This isn't line-buffering, strictly speaking, it's just
1225 flushing the standard output after the information for
1226 each packet is printed; however, that should be good
1227 enough for all the purposes to which "-l" is put (and
1228 is probably actually better for "-V", as it does fewer
1231 See the comment in "process_packet()" for an explanation of
1232 why we do that, and why we don't just use "setvbuf()" to
1233 make the standard output line-buffered (short version: in
1234 Windows, "line-buffered" is the same as "fully-buffered",
1235 and the output buffer is only flushed when it fills up). */
1236 line_buffered = TRUE;
1238 case 'L': /* Print list of link-layer types and exit */
1240 list_link_layer_types = TRUE;
1242 capture_option_specified = TRUE;
1246 case 'n': /* No name resolution */
1247 gbl_resolv_flags.mac_name = FALSE;
1248 gbl_resolv_flags.network_name = FALSE;
1249 gbl_resolv_flags.transport_name = FALSE;
1250 gbl_resolv_flags.concurrent_dns = FALSE;
1252 case 'N': /* Select what types of addresses/port #s to resolve */
1253 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1254 if (badopt != '\0') {
1255 cmdarg_err("-N specifies unknown resolving option '%c';",
1257 cmdarg_err_cont( " Valid options are 'm', 'n', 't', and 'C'");
1261 case 'o': /* Override preference from command line */
1262 switch (prefs_set_pref(optarg)) {
1267 case PREFS_SET_SYNTAX_ERR:
1268 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1272 case PREFS_SET_NO_SUCH_PREF:
1273 case PREFS_SET_OBSOLETE:
1274 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1279 case 'q': /* Quiet */
1282 case 'r': /* Read capture file x */
1283 cf_name = g_strdup(optarg);
1285 case 'R': /* Read file filter */
1288 case 'P': /* Print packets even when writing to a file */
1289 print_packet_info = TRUE;
1291 case 'S': /* Set the line Separator to be printed between packets */
1292 separator = strdup(optarg);
1294 case 't': /* Time stamp type */
1295 if (strcmp(optarg, "r") == 0)
1296 timestamp_set_type(TS_RELATIVE);
1297 else if (strcmp(optarg, "a") == 0)
1298 timestamp_set_type(TS_ABSOLUTE);
1299 else if (strcmp(optarg, "ad") == 0)
1300 timestamp_set_type(TS_ABSOLUTE_WITH_DATE);
1301 else if (strcmp(optarg, "d") == 0)
1302 timestamp_set_type(TS_DELTA);
1303 else if (strcmp(optarg, "dd") == 0)
1304 timestamp_set_type(TS_DELTA_DIS);
1305 else if (strcmp(optarg, "e") == 0)
1306 timestamp_set_type(TS_EPOCH);
1307 else if (strcmp(optarg, "u") == 0)
1308 timestamp_set_type(TS_UTC);
1309 else if (strcmp(optarg, "ud") == 0)
1310 timestamp_set_type(TS_UTC_WITH_DATE);
1312 cmdarg_err("Invalid time stamp type \"%s\"",
1314 cmdarg_err_cont("It must be \"r\" for relative, \"a\" for absolute,");
1315 cmdarg_err_cont("\"ad\" for absolute with date, or \"d\" for delta.");
1319 case 'T': /* printing Type */
1320 if (strcmp(optarg, "text") == 0) {
1321 output_action = WRITE_TEXT;
1322 print_format = PR_FMT_TEXT;
1323 } else if (strcmp(optarg, "ps") == 0) {
1324 output_action = WRITE_TEXT;
1325 print_format = PR_FMT_PS;
1326 } else if (strcmp(optarg, "pdml") == 0) {
1327 output_action = WRITE_XML;
1329 } else if (strcmp(optarg, "psml") == 0) {
1330 output_action = WRITE_XML;
1332 } else if(strcmp(optarg, "fields") == 0) {
1333 output_action = WRITE_FIELDS;
1334 verbose = TRUE; /* Need full tree info */
1336 cmdarg_err("Invalid -T parameter.");
1337 cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
1341 case 'u': /* Seconds type */
1342 if (strcmp(optarg, "s") == 0)
1343 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1344 else if (strcmp(optarg, "hms") == 0)
1345 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1347 cmdarg_err("Invalid seconds type \"%s\"", optarg);
1348 cmdarg_err_cont("It must be \"s\" for seconds or \"hms\" for hours, minutes and seconds.");
1352 case 'v': /* Show version and exit */
1354 GString *comp_info_str;
1355 GString *runtime_info_str;
1356 /* Assemble the compile-time version information string */
1357 comp_info_str = g_string_new("Compiled ");
1358 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1360 /* Assemble the run-time version information string */
1361 runtime_info_str = g_string_new("Running ");
1362 get_runtime_version_info(runtime_info_str, NULL);
1363 show_version(comp_info_str, runtime_info_str);
1364 g_string_free(comp_info_str, TRUE);
1365 g_string_free(runtime_info_str, TRUE);
1368 case 'O': /* Only output these protocols */
1369 output_only = g_strdup(optarg);
1371 case 'V': /* Verbose */
1373 /* The user asked for a verbose output, so let's ensure they get it,
1374 * even if they're writing to a file.
1376 print_packet_info = TRUE;
1378 case 'x': /* Print packet data in hex (and ASCII) */
1380 /* The user asked for hex output, so let's ensure they get it,
1381 * even if they're writing to a file.
1383 print_packet_info = TRUE;
1388 /* We won't call the init function for the stat this soon
1389 as it would disallow MATE's fields (which are registered
1390 by the preferences set callback) from being used as
1391 part of a tap filter. Instead, we just add the argument
1392 to a list of stat arguments. */
1393 if (!process_stat_cmd_arg(optarg)) {
1394 cmdarg_err("invalid -z argument.");
1395 cmdarg_err_cont(" -z argument must be one of :");
1396 list_stat_cmd_args();
1401 case '?': /* Bad flag - print usage message */
1404 list_capture_types();
1414 /* If we specified output fields, but not the output field type... */
1415 if(WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1416 cmdarg_err("Output fields were specified with \"-e\", "
1417 "but \"-Tfields\" was not specified.");
1419 } else if(WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1420 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1421 "specified with \"-e\".");
1426 /* If no capture filter or read filter has been specified, and there are
1427 still command-line arguments, treat them as the tokens of a capture
1428 filter (if no "-r" flag was specified) or a read filter (if a "-r"
1429 flag was specified. */
1430 if (optind < argc) {
1431 if (cf_name != NULL) {
1432 if (rfilter != NULL) {
1433 cmdarg_err("Read filters were specified both with \"-R\" "
1434 "and with additional command-line arguments.");
1437 rfilter = get_args_as_string(argc, argv, optind);
1440 if (global_capture_opts.default_options.cfilter) {
1441 cmdarg_err("A default capture filter was specified both with \"-f\""
1442 " and with additional command-line arguments.");
1445 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1446 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1447 if (interface_opts.cfilter == NULL) {
1448 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1449 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1450 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1452 cmdarg_err("A capture filter was specified both with \"-f\""
1453 " and with additional command-line arguments.");
1457 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1459 capture_option_specified = TRUE;
1465 if (!global_capture_opts.saving_to_file) {
1466 /* We're not saving the capture to a file; if "-q" wasn't specified,
1467 we should print packet information */
1469 print_packet_info = TRUE;
1471 /* We're saving to a file; if we're writing to the standard output.
1472 and we'll also be writing dissected packets to the standard
1473 output, reject the request. At best, we could redirect that
1474 to the standard error; we *can't* write both to the standard
1475 output and have either of them be useful. */
1476 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1477 cmdarg_err("You can't write both raw packet data and dissected packets"
1478 " to the standard output.");
1483 /* We're not saving the capture to a file; if "-q" wasn't specified,
1484 we should print packet information */
1486 print_packet_info = TRUE;
1489 #ifndef HAVE_LIBPCAP
1490 if (capture_option_specified)
1491 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1498 /* We don't support capture filters when reading from a capture file
1499 (the BPF compiler doesn't support all link-layer types that we
1500 support in capture files we read). */
1502 if (cf_name != NULL) {
1503 if (global_capture_opts.default_options.cfilter) {
1504 cmdarg_err("Only read filters, not capture filters, "
1505 "can be specified when reading a capture file.");
1512 if (output_action != WRITE_TEXT) {
1513 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1518 if (output_only != NULL) {
1522 cmdarg_err("-O requires -V");
1526 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1527 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1528 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1533 if (list_link_layer_types) {
1534 /* We're supposed to list the link-layer types for an interface;
1535 did the user also specify a capture file to be read? */
1537 /* Yes - that's bogus. */
1538 cmdarg_err("You can't specify -L and a capture file to be read.");
1541 /* No - did they specify a ring buffer option? */
1542 if (global_capture_opts.multi_files_on) {
1543 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1549 * "-r" was specified, so we're reading a capture file.
1550 * Capture options don't apply here.
1552 if (global_capture_opts.multi_files_on) {
1553 cmdarg_err("Multiple capture files requested, but "
1554 "a capture isn't being done.");
1557 if (global_capture_opts.has_file_duration) {
1558 cmdarg_err("Switching capture files after a time interval was specified, but "
1559 "a capture isn't being done.");
1562 if (global_capture_opts.has_ring_num_files) {
1563 cmdarg_err("A ring buffer of capture files was specified, but "
1564 "a capture isn't being done.");
1567 if (global_capture_opts.has_autostop_files) {
1568 cmdarg_err("A maximum number of capture files was specified, but "
1569 "a capture isn't being done.");
1573 /* Note: TShark now allows the restriction of a _read_ file by packet count
1574 * and byte count as well as a write file. Other autostop options remain valid
1575 * only for a write file.
1577 if (global_capture_opts.has_autostop_duration) {
1578 cmdarg_err("A maximum capture time was specified, but "
1579 "a capture isn't being done.");
1584 * "-r" wasn't specified, so we're doing a live capture.
1586 if (global_capture_opts.saving_to_file) {
1587 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1589 /* When capturing, we only support writing pcap or pcap-ng format. */
1590 if (out_file_type != WTAP_FILE_PCAP && out_file_type != WTAP_FILE_PCAPNG) {
1591 cmdarg_err("Live captures can only be saved in libpcap format.");
1594 if (global_capture_opts.multi_files_on) {
1595 /* Multiple-file mode doesn't work under certain conditions:
1596 a) it doesn't work if you're writing to the standard output;
1597 b) it doesn't work if you're writing to a pipe;
1599 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1600 cmdarg_err("Multiple capture files requested, but "
1601 "the capture is being written to the standard output.");
1604 if (global_capture_opts.output_to_pipe) {
1605 cmdarg_err("Multiple capture files requested, but "
1606 "the capture file is a pipe.");
1609 if (!global_capture_opts.has_autostop_filesize &&
1610 !global_capture_opts.has_file_duration) {
1611 cmdarg_err("Multiple capture files requested, but "
1612 "no maximum capture file size or duration was specified.");
1616 /* Currently, we don't support read filters when capturing
1617 and saving the packets. */
1618 if (rfilter != NULL) {
1619 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1623 /* They didn't specify a "-w" flag, so we won't be saving to a
1624 capture file. Check for options that only make sense if
1625 we're saving to a file. */
1626 if (global_capture_opts.has_autostop_filesize) {
1627 cmdarg_err("Maximum capture file size specified, but "
1628 "capture isn't being saved to a file.");
1631 if (global_capture_opts.multi_files_on) {
1632 cmdarg_err("Multiple capture files requested, but "
1633 "the capture isn't being saved to a file.");
1642 /* Start windows sockets */
1643 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1646 /* Notify all registered modules that have had any of their preferences
1647 changed either from one of the preferences file or from the command
1648 line that their preferences have changed. */
1651 /* At this point MATE will have registered its field array so we can
1652 have a tap filter with one of MATE's late-registered fields as part
1653 of the filter. We can now process all the "-z" arguments. */
1654 start_requested_stats();
1657 /* We currently don't support taps, or printing dissected packets,
1658 if we're writing to a pipe. */
1659 if (global_capture_opts.saving_to_file &&
1660 global_capture_opts.output_to_pipe) {
1661 if (tap_listeners_require_dissection()) {
1662 cmdarg_err("Taps aren't supported when saving to a pipe.");
1665 if (print_packet_info) {
1666 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1672 /* disabled protocols as per configuration file */
1673 if (gdp_path == NULL && dp_path == NULL) {
1674 set_disabled_protos_list();
1677 /* Build the column format array */
1678 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1681 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1682 capture_opts_trim_ring_num_files(&global_capture_opts);
1685 if (rfilter != NULL) {
1686 if (!dfilter_compile(rfilter, &rfcode)) {
1687 cmdarg_err("%s", dfilter_error_msg);
1689 #ifdef HAVE_PCAP_OPEN_DEAD
1693 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1695 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1697 " Note: That display filter code looks like a valid capture filter;");
1699 " maybe you mixed them up?");
1708 cfile.rfcode = rfcode;
1710 if (print_packet_info) {
1711 /* If we're printing as text or PostScript, we have
1712 to create a print stream. */
1713 if (output_action == WRITE_TEXT) {
1714 switch (print_format) {
1717 print_stream = print_stream_text_stdio_new(stdout);
1721 print_stream = print_stream_ps_stdio_new(stdout);
1725 g_assert_not_reached();
1730 /* We have to dissect each packet if:
1732 we're printing information about each packet;
1734 we're using a read filter on the packets;
1736 we're using any taps that need dissection. */
1737 do_dissection = print_packet_info || rfcode || tap_listeners_require_dissection();
1741 * We're reading a capture file.
1745 * Immediately relinquish any special privileges we have; we must not
1746 * be allowed to read any capture files the user running TShark
1749 relinquish_special_privs_perm();
1750 print_current_user();
1752 if (cf_open(&cfile, cf_name, FALSE, &err) != CF_OK) {
1757 /* Set timestamp precision; there should arguably be a command-line
1758 option to let the user set this. */
1759 switch(wtap_file_tsprecision(cfile.wth)) {
1760 case(WTAP_FILE_TSPREC_SEC):
1761 timestamp_set_precision(TS_PREC_AUTO_SEC);
1763 case(WTAP_FILE_TSPREC_DSEC):
1764 timestamp_set_precision(TS_PREC_AUTO_DSEC);
1766 case(WTAP_FILE_TSPREC_CSEC):
1767 timestamp_set_precision(TS_PREC_AUTO_CSEC);
1769 case(WTAP_FILE_TSPREC_MSEC):
1770 timestamp_set_precision(TS_PREC_AUTO_MSEC);
1772 case(WTAP_FILE_TSPREC_USEC):
1773 timestamp_set_precision(TS_PREC_AUTO_USEC);
1775 case(WTAP_FILE_TSPREC_NSEC):
1776 timestamp_set_precision(TS_PREC_AUTO_NSEC);
1779 g_assert_not_reached();
1782 /* Process the packets in the file */
1785 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
1786 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
1787 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
1789 err = load_cap_file(&cfile, NULL, out_file_type, out_file_name_res, 0, 0);
1792 CATCH(OutOfMemoryError) {
1796 "Sorry, but TShark has to terminate now!\n"
1798 "Some infos / workarounds can be found at:\n"
1799 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
1804 /* We still dump out the results of taps, etc., as we might have
1805 read some packets; however, we exit with an error status. */
1809 /* No capture file specified, so we're supposed to do a live capture
1810 (or get a list of link-layer types for a live capture device);
1811 do we have support for live captures? */
1813 /* trim the interface name and exit if that failed */
1814 if (!capture_opts_trim_iface(&global_capture_opts,
1815 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL)) {
1819 /* if requested, list the link layer types and exit */
1820 if (list_link_layer_types) {
1822 interface_options interface_opts;
1824 /* Get the list of link-layer types for the capture devices. */
1825 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1826 if_capabilities_t *caps;
1828 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1829 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str);
1831 cmdarg_err("%s", err_str);
1835 if (caps->data_link_types == NULL) {
1836 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
1839 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
1840 free_if_capabilities(caps);
1845 if (print_packet_info) {
1846 if (!write_preamble(NULL)) {
1847 show_print_file_io_error(errno);
1850 } else if (!quiet) {
1852 * We're not printing information for each packet, and the user
1853 * didn't ask us not to print a count of packets as they arrive,
1854 * so print that count so the user knows that packets are arriving.
1856 * XXX - what if the user wants to do a live capture, doesn't want
1857 * to save it to a file, doesn't want information printed for each
1858 * packet, does want some "-z" statistic, and wants packet counts
1859 * so they know whether they're seeing any packets?
1861 print_packet_counts = TRUE;
1864 /* For now, assume libpcap gives microsecond precision. */
1865 timestamp_set_precision(TS_PREC_AUTO_USEC);
1868 * XXX - this returns FALSE if an error occurred, but it also
1869 * returns FALSE if the capture stops because a time limit
1870 * was reached (and possibly other limits), so we can't assume
1871 * it means an error.
1873 * The capture code is a bit twisty, so it doesn't appear to
1874 * be an easy fix. We just ignore the return value for now.
1875 * Instead, pass on the exit status from the capture child.
1878 exit_status = global_capture_opts.fork_child_status;
1880 if (print_packet_info) {
1881 if (!write_finale()) {
1883 show_print_file_io_error(err);
1887 /* No - complain. */
1888 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1895 if (cfile.frames != NULL) {
1896 free_frame_data_sequence(cfile.frames);
1897 cfile.frames = NULL;
1900 draw_tap_listeners(TRUE);
1901 funnel_dump_all_text_windows();
1904 output_fields_free(output_fields);
1905 output_fields = NULL;
1910 /*#define USE_BROKEN_G_MAIN_LOOP*/
1912 #ifdef USE_BROKEN_G_MAIN_LOOP
1915 gboolean loop_running = FALSE;
1917 guint32 packet_count = 0;
1920 /* XXX - move to the right position / file */
1921 /* read from a pipe (callback) */
1922 typedef gboolean (*pipe_input_cb_t) (gint source, gpointer user_data);
1924 typedef struct pipe_input_tag {
1928 pipe_input_cb_t input_cb;
1929 guint pipe_input_id;
1931 GMutex *callback_running;
1935 static pipe_input_t pipe_input;
1938 /* The timer has expired, see if there's stuff to read from the pipe,
1939 if so, do the callback */
1941 pipe_timer_cb(gpointer data)
1947 pipe_input_t *pipe_input_p = data;
1948 gint iterations = 0;
1950 g_mutex_lock (pipe_input_p->callback_running);
1952 /* try to read data from the pipe only 5 times, to avoid blocking */
1953 while(iterations < 5) {
1954 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
1956 /* Oddly enough although Named pipes don't work on win9x,
1957 PeekNamedPipe does !!! */
1958 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
1959 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
1961 /* Get the child process exit status */
1962 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
1965 /* If the Peek returned an error, or there are bytes to be read
1966 or the childwatcher thread has terminated then call the normal
1968 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
1970 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
1972 /* And call the real handler */
1973 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
1974 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
1975 /* pipe closed, return false so that the timer is stopped */
1976 g_mutex_unlock (pipe_input_p->callback_running);
1981 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
1982 /* No data, stop now */
1989 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
1991 g_mutex_unlock (pipe_input_p->callback_running);
1993 /* we didn't stopped the timer, so let it run */
2000 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2003 pipe_input.source = source;
2004 pipe_input.child_process = child_process;
2005 pipe_input.user_data = user_data;
2006 pipe_input.input_cb = input_cb;
2009 #if GLIB_CHECK_VERSION(2,31,0)
2010 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2011 g_mutex_init(pipe_input.callback_running);
2013 pipe_input.callback_running = g_mutex_new();
2015 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2016 do this but that doesn't cover all win32 platforms. GTK can do
2017 this but doesn't seem to work over processes. Attempt to do
2018 something similar here, start a timer and check for data on every
2020 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2021 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2032 GString *str = g_string_new("");
2033 #ifdef USE_TSHARK_SELECT
2037 struct sigaction action, oldaction;
2041 * XXX - dropping privileges is still required, until code cleanup is done
2043 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2044 * when it's done, we don't need special privileges to run tshark at all,
2045 * therefore we don't need to drop these privileges
2046 * The only thing we might want to keep is a warning if tshark is run as root,
2047 * as it's no longer necessary and potentially dangerous.
2049 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2050 * We've opened the capture device, so we shouldn't need any special
2051 * privileges any more; relinquish those privileges.
2053 * XXX - if we have saved set-user-ID support, we should give up those
2054 * privileges immediately, and then reclaim them long enough to get
2055 * a list of network interfaces and to open one, and then give them
2056 * up again, so that stuff we do while processing the argument list,
2057 * reading the user's preferences, loading and starting plugins
2058 * (especially *user* plugins), etc. is done with the user's privileges,
2059 * not special privileges.
2061 relinquish_special_privs_perm();
2062 print_current_user();
2064 /* Cleanup all data structures used for dissection. */
2065 cleanup_dissection();
2066 /* Initialize all data structures used for dissection. */
2070 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2071 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2073 /* Catch SIGINT and SIGTERM and, if we get either of them,
2074 clean up and exit. If SIGHUP isn't being ignored, catch
2075 it too and, if we get it, clean up and exit.
2077 We restart any read that was in progress, so that it doesn't
2078 disrupt reading from the sync pipe. The signal handler tells
2079 the capture child to finish; it will report that it finished,
2080 or will exit abnormally, so we'll stop reading from the sync
2081 pipe, pick up the exit status, and quit. */
2082 memset(&action, 0, sizeof(action));
2083 action.sa_handler = capture_cleanup;
2084 action.sa_flags = SA_RESTART;
2085 sigemptyset(&action.sa_mask);
2086 sigaction(SIGTERM, &action, NULL);
2087 sigaction(SIGINT, &action, NULL);
2088 sigaction(SIGHUP, NULL, &oldaction);
2089 if (oldaction.sa_handler == SIG_DFL)
2090 sigaction(SIGHUP, &action, NULL);
2093 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2094 quiet mode, report the number of packets we've captured.
2096 Again, restart any read that was in progress, so that it doesn't
2097 disrupt reading from the sync pipe. */
2098 action.sa_handler = report_counts_siginfo;
2099 action.sa_flags = SA_RESTART;
2100 sigemptyset(&action.sa_mask);
2101 sigaction(SIGINFO, &action, NULL);
2102 #endif /* SIGINFO */
2105 global_capture_opts.state = CAPTURE_PREPARING;
2107 /* Let the user know which interfaces were chosen. */
2108 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2109 interface_options interface_opts;
2111 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2112 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2113 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2114 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2117 if (global_capture_opts.ifaces->len < 2) {
2119 if (global_capture_opts.ifaces->len < 4) {
2121 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2122 interface_options interface_opts;
2124 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2126 if (global_capture_opts.ifaces->len > 2) {
2127 g_string_append_printf(str, ",");
2129 g_string_append_printf(str, " ");
2130 if (i == global_capture_opts.ifaces->len - 1) {
2131 g_string_append_printf(str, "and ");
2134 g_string_append_printf(str, "%s", interface_opts.descr);
2137 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2139 fprintf(stderr, "Capturing on %s\n", str->str);
2140 g_string_free(str, TRUE);
2142 ret = sync_pipe_start(&global_capture_opts);
2147 /* the actual capture loop
2149 * XXX - glib doesn't seem to provide any event based loop handling.
2151 * XXX - for whatever reason,
2152 * calling g_main_loop_new() ends up in 100% cpu load.
2154 * But that doesn't matter: in UNIX we can use select() to find an input
2155 * source with something to do.
2157 * But that doesn't matter because we're in a CLI (that doesn't need to
2158 * update a GUI or something at the same time) so it's OK if we block
2159 * trying to read from the pipe.
2161 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2162 * wrong (but I leave it there in case I am...).
2165 #ifdef USE_TSHARK_SELECT
2167 FD_SET(pipe_input.source, &readfds);
2170 loop_running = TRUE;
2174 while (loop_running)
2176 #ifdef USE_TSHARK_SELECT
2177 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2183 } else if (ret == 1) {
2185 /* Call the real handler */
2186 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2187 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2190 #ifdef USE_TSHARK_SELECT
2195 CATCH(OutOfMemoryError) {
2199 "Sorry, but TShark has to terminate now!\n"
2201 "Some infos / workarounds can be found at:\n"
2202 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2210 /* XXX - move the call to main_window_update() out of capture_sync.c */
2211 /* dummy for capture_sync.c to make linker happy */
2212 void main_window_update(void)
2216 /* capture child detected an error */
2218 capture_input_error_message(capture_options *capture_opts _U_, char *error_msg, char *secondary_error_msg)
2220 cmdarg_err("%s", error_msg);
2221 cmdarg_err_cont("%s", secondary_error_msg);
2225 /* capture child detected an capture filter related error */
2227 capture_input_cfilter_error_message(capture_options *capture_opts, guint i, char *error_message)
2229 dfilter_t *rfcode = NULL;
2230 interface_options interface_opts;
2232 g_assert(i < capture_opts->ifaces->len);
2233 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2235 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2237 "Invalid capture filter \"%s\" for interface %s!\n"
2239 "That string looks like a valid display filter; however, it isn't a valid\n"
2240 "capture filter (%s).\n"
2242 "Note that display filters and capture filters don't have the same syntax,\n"
2243 "so you can't use most display filter expressions as capture filters.\n"
2245 "See the User's Guide for a description of the capture filter syntax.",
2246 interface_opts.cfilter, interface_opts.descr, error_message);
2247 dfilter_free(rfcode);
2250 "Invalid capture filter \"%s\" for interface %s!\n"
2252 "That string isn't a valid capture filter (%s).\n"
2253 "See the User's Guide for a description of the capture filter syntax.",
2254 interface_opts.cfilter, interface_opts.descr, error_message);
2259 /* capture child tells us we have a new (or the first) capture file */
2261 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
2263 gboolean is_tempfile;
2266 if(capture_opts->state == CAPTURE_PREPARING) {
2267 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2269 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2271 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
2273 /* free the old filename */
2274 if (capture_opts->save_file != NULL) {
2276 /* we start a new capture file, close the old one (if we had one before) */
2277 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
2278 if ( ((capture_file *) capture_opts->cf)->wth != NULL) {
2279 wtap_close(((capture_file *) capture_opts->cf)->wth);
2281 ((capture_file *) capture_opts->cf)->state = FILE_CLOSED;
2284 g_free(capture_opts->save_file);
2285 is_tempfile = FALSE;
2287 /* we didn't had a save_file before, must be a tempfile */
2291 /* save the new filename */
2292 capture_opts->save_file = g_strdup(new_file);
2294 /* if we are in real-time mode, open the new file now */
2296 /* Attempt to open the capture file and set up to read from it. */
2297 switch(cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
2301 /* Don't unlink (delete) the save file - leave it around,
2302 for debugging purposes. */
2303 g_free(capture_opts->save_file);
2304 capture_opts->save_file = NULL;
2309 capture_opts->state = CAPTURE_RUNNING;
2315 /* capture child tells us we have new packets to read */
2317 capture_input_new_packets(capture_options *capture_opts, int to_read)
2323 capture_file *cf = capture_opts->cf;
2324 gboolean filtering_tap_listeners;
2329 * Prevent a SIGINFO handler from writing to the standard error while
2330 * we're doing so or writing to the standard output; instead, have it
2331 * just set a flag telling us to print that information when we're done.
2334 #endif /* SIGINFO */
2336 /* Do we have any tap listeners with filters? */
2337 filtering_tap_listeners = have_filtering_tap_listeners();
2339 /* Get the union of the flags for all tap listeners. */
2340 tap_flags = union_of_tap_listener_flags();
2343 while (to_read-- && cf->wth) {
2344 wtap_cleareof(cf->wth);
2345 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2347 /* read from file failed, tell the capture child to stop */
2348 sync_pipe_stop(capture_opts);
2349 wtap_close(cf->wth);
2352 ret = process_packet(cf, data_offset, wtap_phdr(cf->wth),
2353 wtap_buf_ptr(cf->wth),
2354 filtering_tap_listeners, tap_flags);
2357 /* packet successfully read and gone through the "Read Filter" */
2363 * Dumpcap's doing all the work; we're not doing any dissection.
2364 * Count all the packets it wrote.
2366 packet_count += to_read;
2369 if (print_packet_counts) {
2370 /* We're printing packet counts. */
2371 if (packet_count != 0) {
2372 fprintf(stderr, "\r%u ", packet_count);
2373 /* stderr could be line buffered */
2380 * Allow SIGINFO handlers to write.
2385 * If a SIGINFO handler asked us to write out capture counts, do so.
2389 #endif /* SIGINFO */
2395 if (!print_packet_counts) {
2396 /* Report the count only if we aren't printing a packet count
2397 as packets arrive. */
2398 fprintf(stderr, "%u packet%s captured\n", packet_count,
2399 plurality(packet_count, "", "s"));
2402 infoprint = FALSE; /* we just reported it */
2403 #endif /* SIGINFO */
2408 report_counts_siginfo(int signum _U_)
2410 int sav_errno = errno;
2411 /* If we've been told to delay printing, just set a flag asking
2412 that we print counts (if we're supposed to), otherwise print
2413 the count of packets captured (if we're supposed to). */
2420 #endif /* SIGINFO */
2423 /* capture child detected any packet drops? */
2425 capture_input_drops(capture_options *capture_opts _U_, guint32 dropped)
2427 if (print_packet_counts) {
2428 /* We're printing packet counts to stderr.
2429 Send a newline so that we move to the line after the packet count. */
2430 fprintf(stderr, "\n");
2434 /* We're printing packet counts to stderr.
2435 Send a newline so that we move to the line after the packet count. */
2436 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2442 * Capture child closed its side of the pipe, report any error and
2443 * do the required cleanup.
2446 capture_input_closed(capture_options *capture_opts, gchar *msg)
2448 capture_file *cf = (capture_file *) capture_opts->cf;
2451 fprintf(stderr, "tshark: %s\n", msg);
2455 if(cf != NULL && cf->wth != NULL) {
2456 wtap_close(cf->wth);
2457 if(cf->is_tempfile) {
2458 ws_unlink(cf->filename);
2461 #ifdef USE_BROKEN_G_MAIN_LOOP
2462 /*g_main_loop_quit(loop);*/
2465 loop_running = FALSE;
2474 capture_cleanup(DWORD ctrltype _U_)
2476 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2477 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2478 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2479 like SIGTERM at least when the machine's shutting down.
2481 For now, we handle them all as indications that we should clean up
2482 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2485 We must return TRUE so that no other handler - such as one that would
2486 terminate the process - gets called.
2488 XXX - for some reason, typing ^C to TShark, if you run this in
2489 a Cygwin console window in at least some versions of Cygwin,
2490 causes TShark to terminate immediately; this routine gets
2491 called, but the main loop doesn't get a chance to run and
2492 exit cleanly, at least if this is compiled with Microsoft Visual
2493 C++ (i.e., it's a property of the Cygwin console window or Bash;
2494 it happens if TShark is not built with Cygwin - for all I know,
2495 building it with Cygwin may make the problem go away). */
2497 /* tell the capture child to stop */
2498 sync_pipe_stop(&global_capture_opts);
2500 /* don't stop our own loop already here, otherwise status messages and
2501 * cleanup wouldn't be done properly. The child will indicate the stop of
2502 * everything by calling capture_input_closed() later */
2508 capture_cleanup(int signum _U_)
2510 /* tell the capture child to stop */
2511 sync_pipe_stop(&global_capture_opts);
2513 /* don't stop our own loop already here, otherwise status messages and
2514 * cleanup wouldn't be done properly. The child will indicate the stop of
2515 * everything by calling capture_input_closed() later */
2518 #endif /* HAVE_LIBPCAP */
2521 process_packet_first_pass(capture_file *cf,
2522 gint64 offset, struct wtap_pkthdr *whdr,
2527 gboolean create_proto_tree = FALSE;
2531 /* The frame number of this packet is one more than the count of
2532 frames in this packet. */
2533 framenum = cf->count + 1;
2535 /* If we're not running a display filter and we're not printing any
2536 packet information, we don't need to do a dissection. This means
2537 that all packets can be marked as 'passed'. */
2540 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2542 /* If we're going to print packet information, or we're going to
2543 run a read filter, or we're going to process taps, set up to
2544 do a dissection and do so. */
2545 if (do_dissection) {
2546 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2547 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2548 /* Grab any resolved addresses */
2549 host_name_lookup_process();
2551 /* If we're going to be applying a read filter, we'll need to
2552 create a protocol tree against which to apply the filter. */
2554 create_proto_tree = TRUE;
2556 /* We're not going to display the protocol tree on this pass,
2557 so it's not going to be "visible". */
2558 epan_dissect_init(&edt, create_proto_tree, FALSE);
2560 /* If we're running a read filter, prime the epan_dissect_t with that
2563 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2565 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2566 &first_ts, prev_dis, prev_cap);
2568 epan_dissect_run(&edt, whdr, pd, &fdlocal, NULL);
2570 /* Run the read filter if we have one. */
2572 passed = dfilter_apply_edt(cf->rfcode, &edt);
2576 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2577 prev_dis_frame = fdlocal;
2578 prev_dis = &prev_dis_frame;
2579 frame_data_sequence_add(cf->frames, &fdlocal);
2583 prev_cap_frame = fdlocal;
2584 prev_cap = &prev_cap_frame;
2587 epan_dissect_cleanup(&edt);
2593 process_packet_second_pass(capture_file *cf, frame_data *fdata,
2594 struct wtap_pkthdr *phdr, const guchar *pd,
2595 gboolean filtering_tap_listeners, guint tap_flags)
2597 gboolean create_proto_tree;
2602 /* If we're not running a display filter and we're not printing any
2603 packet information, we don't need to do a dissection. This means
2604 that all packets can be marked as 'passed'. */
2607 /* If we're going to print packet information, or we're going to
2608 run a read filter, or we're going to process taps, set up to
2609 do a dissection and do so. */
2610 if (do_dissection) {
2611 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2612 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2613 /* Grab any resolved addresses */
2614 host_name_lookup_process();
2616 if (cf->rfcode || verbose || filtering_tap_listeners ||
2617 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2618 create_proto_tree = TRUE;
2620 create_proto_tree = FALSE;
2622 /* The protocol tree will be "visible", i.e., printed, only if we're
2623 printing packet details, which is true if we're printing stuff
2624 ("print_packet_info" is true) and we're in verbose mode ("verbose"
2626 epan_dissect_init(&edt, create_proto_tree, print_packet_info && verbose);
2628 /* If we're running a read filter, prime the epan_dissect_t with that
2631 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2633 col_custom_prime_edt(&edt, &cf->cinfo);
2635 /* We only need the columns if either
2637 1) some tap needs the columns
2641 2) we're printing packet info but we're *not* verbose; in verbose
2642 mode, we print the protocol tree, not the protocol summary. */
2643 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && !verbose))
2648 epan_dissect_run_with_taps(&edt, phdr, pd, fdata, cinfo);
2650 /* Run the read filter if we have one. */
2652 passed = dfilter_apply_edt(cf->rfcode, &edt);
2656 /* Process this packet. */
2657 if (print_packet_info) {
2658 /* We're printing packet information; print the information for
2661 print_packet(cf, &edt);
2663 print_packet(cf, NULL);
2665 /* The ANSI C standard does not appear to *require* that a line-buffered
2666 stream be flushed to the host environment whenever a newline is
2667 written, it just says that, on such a stream, characters "are
2668 intended to be transmitted to or from the host environment as a
2669 block when a new-line character is encountered".
2671 The Visual C++ 6.0 C implementation doesn't do what is intended;
2672 even if you set a stream to be line-buffered, it still doesn't
2673 flush the buffer at the end of every line.
2675 So, if the "-l" flag was specified, we flush the standard output
2676 at the end of a packet. This will do the right thing if we're
2677 printing packet summary lines, and, as we print the entire protocol
2678 tree for a single packet without waiting for anything to happen,
2679 it should be as good as line-buffered mode if we're printing
2680 protocol trees. (The whole reason for the "-l" flag in either
2681 tcpdump or TShark is to allow the output of a live capture to
2682 be piped to a program or script and to have that script see the
2683 information for the packet as soon as it's printed, rather than
2684 having to wait until a standard I/O buffer fills up. */
2688 if (ferror(stdout)) {
2689 show_print_file_io_error(errno);
2695 if (do_dissection) {
2696 epan_dissect_cleanup(&edt);
2702 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
2703 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2706 int snapshot_length;
2710 gchar *err_info = NULL;
2712 char *save_file_string = NULL;
2713 gboolean filtering_tap_listeners;
2715 wtapng_section_t *shb_hdr;
2716 wtapng_iface_descriptions_t *idb_inf;
2719 shb_hdr = wtap_file_get_shb_info(cf->wth);
2720 idb_inf = wtap_file_get_idb_info(cf->wth);
2721 #ifdef PCAP_NG_DEFAULT
2722 if (idb_inf->number_of_interfaces > 0) {
2723 linktype = WTAP_ENCAP_PER_PACKET;
2725 linktype = wtap_file_encap(cf->wth);
2728 linktype = wtap_file_encap(cf->wth);
2730 if (save_file != NULL) {
2731 /* Get a string that describes what we're writing to */
2732 save_file_string = output_file_description(save_file);
2734 /* Set up to write to the capture file. */
2735 snapshot_length = wtap_snapshot_length(cf->wth);
2736 if (snapshot_length == 0) {
2737 /* Snapshot length of input file not known. */
2738 snapshot_length = WTAP_MAX_PACKET_SIZE;
2740 /* If we don't have an application name add Tshark */
2741 if(shb_hdr->shb_user_appl == NULL) {
2742 g_snprintf(appname, sizeof(appname), "TShark " VERSION "%s", wireshark_svnversion);
2743 shb_hdr->shb_user_appl = appname;
2746 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype, snapshot_length,
2747 FALSE /* compressed */, shb_hdr, idb_inf, &err);
2753 /* We couldn't set up to write to the capture file. */
2756 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
2757 cmdarg_err("Capture files can't be written in that format.");
2760 case WTAP_ERR_UNSUPPORTED_ENCAP:
2761 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
2762 cmdarg_err("The capture file being read can't be written as a "
2763 "\"%s\" file.", wtap_file_type_short_string(out_file_type));
2766 case WTAP_ERR_CANT_OPEN:
2767 cmdarg_err("The %s couldn't be created for some "
2768 "unknown reason.", save_file_string);
2771 case WTAP_ERR_SHORT_WRITE:
2772 cmdarg_err("A full header couldn't be written to the %s.",
2777 cmdarg_err("The %s could not be created: %s.", save_file_string,
2778 wtap_strerror(err));
2784 if (print_packet_info) {
2785 if (!write_preamble(cf)) {
2787 show_print_file_io_error(err);
2794 if (pdh && out_file_name_res) {
2795 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
2796 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
2797 wtap_file_type_short_string(out_file_type));
2801 /* Do we have any tap listeners with filters? */
2802 filtering_tap_listeners = have_filtering_tap_listeners();
2804 /* Get the union of the flags for all tap listeners. */
2805 tap_flags = union_of_tap_listener_flags();
2807 if (perform_two_pass_analysis) {
2809 int old_max_packet_count = max_packet_count;
2811 /* Allocate a frame_data_sequence for all the frames. */
2812 cf->frames = new_frame_data_sequence();
2814 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2815 if (process_packet_first_pass(cf, data_offset, wtap_phdr(cf->wth),
2816 wtap_buf_ptr(cf->wth))) {
2817 /* Stop reading if we have the maximum number of packets;
2818 * When the -c option has not been used, max_packet_count
2819 * starts at 0, which practically means, never stop reading.
2820 * (unless we roll over max_packet_count ?)
2822 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2823 err = 0; /* This is not an error */
2829 /* Close the sequential I/O side, to free up memory it requires. */
2830 wtap_sequential_close(cf->wth);
2832 /* Allow the protocol dissectors to free up memory that they
2833 * don't need after the sequential run-through of the packets. */
2834 postseq_cleanup_all_protocols();
2836 max_packet_count = old_max_packet_count;
2838 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
2839 fdata = frame_data_sequence_find(cf->frames, framenum);
2840 if (wtap_seek_read(cf->wth, fdata->file_off, &cf->phdr,
2841 cf->pd, fdata->cap_len, &err, &err_info)) {
2842 if (process_packet_second_pass(cf, fdata,
2844 filtering_tap_listeners, tap_flags)) {
2845 /* Either there's no read filtering or this packet passed the
2846 filter, so, if we're writing to a capture file, write
2849 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
2850 /* Error writing to a capture file */
2853 case WTAP_ERR_UNSUPPORTED_ENCAP:
2855 * This is a problem with the particular frame we're writing;
2856 * note that, and give the frame number.
2858 * XXX - framenum is not necessarily the frame number in
2859 * the input file if there was a read filter.
2862 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2863 framenum, cf->filename,
2864 wtap_file_type_short_string(out_file_type));
2868 show_capture_file_io_error(save_file, err, FALSE);
2871 wtap_dump_close(pdh, &err);
2876 /* Stop reading if we have the maximum number of packets;
2877 * When the -c option has not been used, max_packet_count
2878 * starts at 0, which practically means, never stop reading.
2879 * (unless we roll over max_packet_count ?)
2881 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2882 err = 0; /* This is not an error */
2891 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2894 if (process_packet(cf, data_offset, wtap_phdr(cf->wth),
2895 wtap_buf_ptr(cf->wth),
2896 filtering_tap_listeners, tap_flags)) {
2897 /* Either there's no read filtering or this packet passed the
2898 filter, so, if we're writing to a capture file, write
2901 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
2902 /* Error writing to a capture file */
2905 case WTAP_ERR_UNSUPPORTED_ENCAP:
2907 * This is a problem with the particular frame we're writing;
2908 * note that, and give the frame number.
2911 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2912 framenum, cf->filename,
2913 wtap_file_type_short_string(out_file_type));
2917 show_capture_file_io_error(save_file, err, FALSE);
2920 wtap_dump_close(pdh, &err);
2925 /* Stop reading if we have the maximum number of packets;
2926 * When the -c option has not been used, max_packet_count
2927 * starts at 0, which practically means, never stop reading.
2928 * (unless we roll over max_packet_count ?)
2930 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2931 err = 0; /* This is not an error */
2940 * Print a message noting that the read failed somewhere along the line.
2942 * If we're printing packet data, and the standard output and error are
2943 * going to the same place, flush the standard output, so everything
2944 * buffered up is written, and then print a newline to the standard error
2945 * before printing the error message, to separate it from the packet
2946 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
2947 * the _fstat() documentation at Microsoft doesn't indicate whether
2948 * st_ino is even supported.)
2951 if (print_packet_info) {
2952 struct stat stat_stdout, stat_stderr;
2954 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
2955 if (stat_stdout.st_dev == stat_stderr.st_dev &&
2956 stat_stdout.st_ino == stat_stderr.st_ino) {
2958 fprintf(stderr, "\n");
2965 case WTAP_ERR_UNSUPPORTED:
2966 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
2967 cf->filename, err_info);
2971 case WTAP_ERR_UNSUPPORTED_ENCAP:
2972 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
2973 cf->filename, err_info);
2977 case WTAP_ERR_CANT_READ:
2978 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
2982 case WTAP_ERR_SHORT_READ:
2983 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
2987 case WTAP_ERR_BAD_FILE:
2988 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
2989 cf->filename, err_info);
2993 case WTAP_ERR_DECOMPRESS:
2994 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
2995 "(%s)", cf->filename, err_info);
2999 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3000 cf->filename, wtap_strerror(err));
3003 if (save_file != NULL) {
3004 /* Now close the capture file. */
3005 if (!wtap_dump_close(pdh, &err))
3006 show_capture_file_io_error(save_file, err, TRUE);
3009 if (save_file != NULL) {
3010 /* Now close the capture file. */
3011 if (!wtap_dump_close(pdh, &err))
3012 show_capture_file_io_error(save_file, err, TRUE);
3014 if (print_packet_info) {
3015 if (!write_finale()) {
3017 show_print_file_io_error(err);
3024 wtap_close(cf->wth);
3027 g_free(save_file_string);
3034 process_packet(capture_file *cf, gint64 offset, struct wtap_pkthdr *whdr,
3036 gboolean filtering_tap_listeners, guint tap_flags)
3039 gboolean create_proto_tree;
3044 /* Count this packet. */
3047 /* If we're not running a display filter and we're not printing any
3048 packet information, we don't need to do a dissection. This means
3049 that all packets can be marked as 'passed'. */
3052 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3054 /* If we're going to print packet information, or we're going to
3055 run a read filter, or we're going to process taps, set up to
3056 do a dissection and do so. */
3057 if (do_dissection) {
3058 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3059 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3060 /* Grab any resolved addresses */
3061 host_name_lookup_process();
3063 if (cf->rfcode || verbose || filtering_tap_listeners ||
3064 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3065 create_proto_tree = TRUE;
3067 create_proto_tree = FALSE;
3069 /* The protocol tree will be "visible", i.e., printed, only if we're
3070 printing packet details, which is true if we're printing stuff
3071 ("print_packet_info" is true) and we're in verbose mode ("verbose"
3073 epan_dissect_init(&edt, create_proto_tree, print_packet_info && verbose);
3075 /* If we're running a read filter, prime the epan_dissect_t with that
3078 epan_dissect_prime_dfilter(&edt, cf->rfcode);
3080 col_custom_prime_edt(&edt, &cf->cinfo);
3082 /* We only need the columns if either
3084 1) some tap needs the columns
3088 2) we're printing packet info but we're *not* verbose; in verbose
3089 mode, we print the protocol tree, not the protocol summary. */
3090 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && !verbose))
3095 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3096 &first_ts, prev_dis, prev_cap);
3098 epan_dissect_run_with_taps(&edt, whdr, pd, &fdata, cinfo);
3100 /* Run the read filter if we have one. */
3102 passed = dfilter_apply_edt(cf->rfcode, &edt);
3106 frame_data_set_after_dissect(&fdata, &cum_bytes);
3107 prev_dis_frame = fdata;
3108 prev_dis = &prev_dis_frame;
3110 /* Process this packet. */
3111 if (print_packet_info) {
3112 /* We're printing packet information; print the information for
3115 print_packet(cf, &edt);
3117 print_packet(cf, NULL);
3119 /* The ANSI C standard does not appear to *require* that a line-buffered
3120 stream be flushed to the host environment whenever a newline is
3121 written, it just says that, on such a stream, characters "are
3122 intended to be transmitted to or from the host environment as a
3123 block when a new-line character is encountered".
3125 The Visual C++ 6.0 C implementation doesn't do what is intended;
3126 even if you set a stream to be line-buffered, it still doesn't
3127 flush the buffer at the end of every line.
3129 So, if the "-l" flag was specified, we flush the standard output
3130 at the end of a packet. This will do the right thing if we're
3131 printing packet summary lines, and, as we print the entire protocol
3132 tree for a single packet without waiting for anything to happen,
3133 it should be as good as line-buffered mode if we're printing
3134 protocol trees. (The whole reason for the "-l" flag in either
3135 tcpdump or TShark is to allow the output of a live capture to
3136 be piped to a program or script and to have that script see the
3137 information for the packet as soon as it's printed, rather than
3138 having to wait until a standard I/O buffer fills up. */
3142 if (ferror(stdout)) {
3143 show_print_file_io_error(errno);
3149 prev_cap_frame = fdata;
3150 prev_cap = &prev_cap_frame;
3152 if (do_dissection) {
3153 epan_dissect_cleanup(&edt);
3154 frame_data_cleanup(&fdata);
3160 write_preamble(capture_file *cf)
3162 switch (output_action) {
3165 return print_preamble(print_stream, cf ? cf->filename : NULL);
3169 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3171 write_psml_preamble(stdout);
3172 return !ferror(stdout);
3175 write_fields_preamble(output_fields, stdout);
3176 return !ferror(stdout);
3179 g_assert_not_reached();
3185 get_line_buf(size_t len)
3187 static char *line_bufp = NULL;
3188 static size_t line_buf_len = 256;
3189 size_t new_line_buf_len;
3191 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3192 new_line_buf_len *= 2)
3194 if (line_bufp == NULL) {
3195 line_buf_len = new_line_buf_len;
3196 line_bufp = g_malloc(line_buf_len + 1);
3198 if (new_line_buf_len > line_buf_len) {
3199 line_buf_len = new_line_buf_len;
3200 line_bufp = g_realloc(line_bufp, line_buf_len + 1);
3207 print_columns(capture_file *cf)
3214 line_bufp = get_line_buf(256);
3217 for (i = 0; i < cf->cinfo.num_cols; i++) {
3218 /* Skip columns not marked as visible. */
3219 if (!get_column_visible(i))
3221 switch (cf->cinfo.col_fmt[i]) {
3225 * Don't print this if we're doing a live capture from a network
3226 * interface - if we're doing a live capture, you won't be
3227 * able to look at the capture in the future (it's not being
3228 * saved anywhere), so the frame numbers are unlikely to be
3231 * (XXX - it might be nice to be able to save and print at
3232 * the same time, sort of like an "Update list of packets
3233 * in real time" capture in Wireshark.)
3235 if (global_capture_opts.ifaces->len > 0)
3238 column_len = strlen(cf->cinfo.col_data[i]);
3241 line_bufp = get_line_buf(buf_offset + column_len);
3242 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%3s", cf->cinfo.col_data[i]);
3248 case COL_ABS_DATE_TIME:
3250 case COL_UTC_DATE_TIME: /* XXX - wider */
3251 column_len = strlen(cf->cinfo.col_data[i]);
3252 if (column_len < 10)
3254 line_bufp = get_line_buf(buf_offset + column_len);
3255 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%10s", cf->cinfo.col_data[i]);
3261 case COL_DEF_DL_SRC:
3262 case COL_RES_DL_SRC:
3263 case COL_UNRES_DL_SRC:
3264 case COL_DEF_NET_SRC:
3265 case COL_RES_NET_SRC:
3266 case COL_UNRES_NET_SRC:
3267 column_len = strlen(cf->cinfo.col_data[i]);
3268 if (column_len < 12)
3270 line_bufp = get_line_buf(buf_offset + column_len);
3271 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%12s", cf->cinfo.col_data[i]);
3277 case COL_DEF_DL_DST:
3278 case COL_RES_DL_DST:
3279 case COL_UNRES_DL_DST:
3280 case COL_DEF_NET_DST:
3281 case COL_RES_NET_DST:
3282 case COL_UNRES_NET_DST:
3283 column_len = strlen(cf->cinfo.col_data[i]);
3284 if (column_len < 12)
3286 line_bufp = get_line_buf(buf_offset + column_len);
3287 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%-12s", cf->cinfo.col_data[i]);
3291 column_len = strlen(cf->cinfo.col_data[i]);
3292 line_bufp = get_line_buf(buf_offset + column_len);
3293 g_strlcat(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len + 1);
3296 buf_offset += column_len;
3297 if (i != cf->cinfo.num_cols - 1) {
3299 * This isn't the last column, so we need to print a
3300 * separator between this column and the next.
3302 * If we printed a network source and are printing a
3303 * network destination of the same type next, separate
3304 * them with " -> "; if we printed a network destination
3305 * and are printing a network source of the same type
3306 * next, separate them with " <- "; otherwise separate them
3309 * We add enough space to the buffer for " <- " or " -> ",
3310 * even if we're only adding " ".
3312 line_bufp = get_line_buf(buf_offset + 4);
3313 switch (cf->cinfo.col_fmt[i]) {
3318 switch (cf->cinfo.col_fmt[i + 1]) {
3323 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3328 g_strlcat(line_bufp + buf_offset, " ", 5);
3334 case COL_DEF_DL_SRC:
3335 case COL_RES_DL_SRC:
3336 case COL_UNRES_DL_SRC:
3337 switch (cf->cinfo.col_fmt[i + 1]) {
3339 case COL_DEF_DL_DST:
3340 case COL_RES_DL_DST:
3341 case COL_UNRES_DL_DST:
3342 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3347 g_strlcat(line_bufp + buf_offset, " ", 5);
3353 case COL_DEF_NET_SRC:
3354 case COL_RES_NET_SRC:
3355 case COL_UNRES_NET_SRC:
3356 switch (cf->cinfo.col_fmt[i + 1]) {
3358 case COL_DEF_NET_DST:
3359 case COL_RES_NET_DST:
3360 case COL_UNRES_NET_DST:
3361 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3366 g_strlcat(line_bufp + buf_offset, " ", 5);
3375 switch (cf->cinfo.col_fmt[i + 1]) {
3380 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3385 g_strlcat(line_bufp + buf_offset, " ", 5);
3391 case COL_DEF_DL_DST:
3392 case COL_RES_DL_DST:
3393 case COL_UNRES_DL_DST:
3394 switch (cf->cinfo.col_fmt[i + 1]) {
3396 case COL_DEF_DL_SRC:
3397 case COL_RES_DL_SRC:
3398 case COL_UNRES_DL_SRC:
3399 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3404 g_strlcat(line_bufp + buf_offset, " ", 5);
3410 case COL_DEF_NET_DST:
3411 case COL_RES_NET_DST:
3412 case COL_UNRES_NET_DST:
3413 switch (cf->cinfo.col_fmt[i + 1]) {
3415 case COL_DEF_NET_SRC:
3416 case COL_RES_NET_SRC:
3417 case COL_UNRES_NET_SRC:
3418 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3423 g_strlcat(line_bufp + buf_offset, " ", 5);
3430 g_strlcat(line_bufp + buf_offset, " ", 5);
3436 return print_line(print_stream, 0, line_bufp);
3440 print_packet(capture_file *cf, epan_dissect_t *edt)
3442 print_args_t print_args;
3445 /* Print the information in the protocol tree. */
3446 switch (output_action) {
3449 /* Only initialize the fields that are actually used in proto_tree_print.
3450 * This is particularly important for .range, as that's heap memory which
3451 * we would otherwise have to g_free().
3452 print_args.to_file = TRUE;
3453 print_args.format = print_format;
3454 print_args.print_summary = !verbose;
3455 print_args.print_formfeed = FALSE;
3456 packet_range_init(&print_args.range, &cfile);
3458 print_args.print_hex = verbose && print_hex;
3459 print_args.print_dissections = verbose ? print_dissections_expanded : print_dissections_none;
3461 if (!proto_tree_print(&print_args, edt, print_stream))
3464 /* "print_hex_data()" will put out a leading blank line, as well
3465 as a trailing one; print one here, to separate the packets,
3466 only if "print_hex_data()" won't be called. */
3467 if (!print_line(print_stream, 0, separator))
3473 proto_tree_write_pdml(edt, stdout);
3475 return !ferror(stdout);
3477 proto_tree_write_fields(output_fields, edt, stdout);
3479 return !ferror(stdout);
3482 /* Just fill in the columns. */
3483 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3485 /* Now print them. */
3486 switch (output_action) {
3489 if (!print_columns(cf))
3494 proto_tree_write_psml(edt, stdout);
3495 return !ferror(stdout);
3496 case WRITE_FIELDS: /*No non-verbose "fields" format */
3497 g_assert_not_reached();
3502 if (!print_hex_data(print_stream, edt))
3504 if (!print_line(print_stream, 0, ""))
3513 switch (output_action) {
3516 return print_finale(print_stream);
3520 write_pdml_finale(stdout);
3522 write_psml_finale(stdout);
3523 return !ferror(stdout);
3526 write_fields_finale(output_fields, stdout);
3527 return !ferror(stdout);
3530 g_assert_not_reached();
3536 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
3540 char err_msg[2048+1];
3542 wth = wtap_open_offline(fname, err, &err_info, perform_two_pass_analysis);
3546 /* The open succeeded. Fill in the information for this file. */
3548 /* Cleanup all data structures used for dissection. */
3549 cleanup_dissection();
3550 /* Initialize all data structures used for dissection. */
3554 cf->f_datalen = 0; /* not used, but set it anyway */
3556 /* Set the file name because we need it to set the follow stream filter.
3557 XXX - is that still true? We need it for other reasons, though,
3559 cf->filename = g_strdup(fname);
3561 /* Indicate whether it's a permanent or temporary file. */
3562 cf->is_tempfile = is_tempfile;
3564 /* No user changes yet. */
3565 cf->unsaved_changes = FALSE;
3567 cf->cd_t = wtap_file_type(cf->wth);
3569 cf->drops_known = FALSE;
3571 cf->snap = wtap_snapshot_length(cf->wth);
3572 if (cf->snap == 0) {
3573 /* Snapshot length not known. */
3574 cf->has_snap = FALSE;
3575 cf->snap = WTAP_MAX_PACKET_SIZE;
3577 cf->has_snap = TRUE;
3578 nstime_set_zero(&cf->elapsed_time);
3579 nstime_set_unset(&first_ts);
3583 cf->state = FILE_READ_IN_PROGRESS;
3585 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3586 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3591 g_snprintf(err_msg, sizeof err_msg,
3592 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
3593 cmdarg_err("%s", err_msg);
3598 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
3600 char *save_file_string;
3602 save_file_string = output_file_description(fname);
3607 cmdarg_err("Not all the packets could be written to the %s because there is "
3608 "no space left on the file system.",
3614 cmdarg_err("Not all the packets could be written to the %s because you are "
3615 "too close to, or over your disk quota.",
3620 case WTAP_ERR_CANT_CLOSE:
3621 cmdarg_err("The %s couldn't be closed for some unknown reason.",
3625 case WTAP_ERR_SHORT_WRITE:
3626 cmdarg_err("Not all the packets could be written to the %s.",
3632 cmdarg_err("The %s could not be closed: %s.", save_file_string,
3633 wtap_strerror(err));
3635 cmdarg_err("An error occurred while writing to the %s: %s.",
3636 save_file_string, wtap_strerror(err));
3640 g_free(save_file_string);
3644 show_print_file_io_error(int err)
3649 cmdarg_err("Not all the packets could be printed because there is "
3650 "no space left on the file system.");
3655 cmdarg_err("Not all the packets could be printed because you are "
3656 "too close to, or over your disk quota.");
3661 cmdarg_err("An error occurred while printing packets: %s.",
3668 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
3672 static char errmsg_errno[1024+1];
3675 /* Wiretap error. */
3678 case WTAP_ERR_NOT_REGULAR_FILE:
3679 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
3682 case WTAP_ERR_RANDOM_OPEN_PIPE:
3683 /* Seen only when opening a capture file for reading. */
3684 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
3687 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
3688 /* Seen only when opening a capture file for reading. */
3689 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
3692 case WTAP_ERR_UNSUPPORTED:
3693 /* Seen only when opening a capture file for reading. */
3694 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3695 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
3698 errmsg = errmsg_errno;
3701 case WTAP_ERR_CANT_WRITE_TO_PIPE:
3702 /* Seen only when opening a capture file for writing. */
3703 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3704 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
3705 "written to a pipe.", wtap_file_type_short_string(file_type));
3706 errmsg = errmsg_errno;
3709 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3710 /* Seen only when opening a capture file for writing. */
3711 errmsg = "TShark doesn't support writing capture files in that format.";
3714 case WTAP_ERR_UNSUPPORTED_ENCAP:
3716 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3717 "TShark can't save this capture as a \"%s\" file.",
3718 wtap_file_type_short_string(file_type));
3720 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3721 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
3725 errmsg = errmsg_errno;
3728 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3730 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3731 "TShark can't save this capture as a \"%s\" file.",
3732 wtap_file_type_short_string(file_type));
3733 errmsg = errmsg_errno;
3735 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
3738 case WTAP_ERR_BAD_FILE:
3739 /* Seen only when opening a capture file for reading. */
3740 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3741 "The file \"%%s\" appears to be damaged or corrupt.\n"
3744 errmsg = errmsg_errno;
3747 case WTAP_ERR_CANT_OPEN:
3749 errmsg = "The file \"%s\" could not be created for some unknown reason.";
3751 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
3754 case WTAP_ERR_SHORT_READ:
3755 errmsg = "The file \"%s\" appears to have been cut short"
3756 " in the middle of a packet or other data.";
3759 case WTAP_ERR_SHORT_WRITE:
3760 errmsg = "A full header couldn't be written to the file \"%s\".";
3763 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
3764 errmsg = "This file type cannot be written as a compressed file.";
3767 case WTAP_ERR_DECOMPRESS:
3768 /* Seen only when opening a capture file for reading. */
3769 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3770 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
3773 errmsg = errmsg_errno;
3777 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3778 "The file \"%%s\" could not be %s: %s.",
3779 for_writing ? "created" : "opened",
3780 wtap_strerror(err));
3781 errmsg = errmsg_errno;
3785 errmsg = file_open_error_message(err, for_writing);
3790 * Open/create errors are reported with an console message in TShark.
3793 open_failure_message(const char *filename, int err, gboolean for_writing)
3795 fprintf(stderr, "tshark: ");
3796 fprintf(stderr, file_open_error_message(err, for_writing), filename);
3797 fprintf(stderr, "\n");
3802 * General errors are reported with an console message in TShark.
3805 failure_message(const char *msg_format, va_list ap)
3807 fprintf(stderr, "tshark: ");
3808 vfprintf(stderr, msg_format, ap);
3809 fprintf(stderr, "\n");
3813 * Read errors are reported with an console message in TShark.
3816 read_failure_message(const char *filename, int err)
3818 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
3819 filename, g_strerror(err));
3823 * Write errors are reported with an console message in TShark.
3826 write_failure_message(const char *filename, int err)
3828 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
3829 filename, g_strerror(err));
3833 * Print to the standard error. This is a command-line tool, so there's
3834 * no need to pop up a console.
3837 vfprintf_stderr(const char *fmt, va_list ap)
3839 vfprintf(stderr, fmt, ap);
3843 fprintf_stderr(const char *fmt, ...)
3848 vfprintf_stderr(fmt, ap);
3853 * Report an error in command-line arguments.
3856 cmdarg_err(const char *fmt, ...)
3861 failure_message(fmt, ap);
3866 * Report additional information for an error in command-line arguments.
3869 cmdarg_err_cont(const char *fmt, ...)
3874 vfprintf(stderr, fmt, ap);
3875 fprintf(stderr, "\n");
git.samba.org / jelmer / wireshark.git / blob