3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
50 #ifdef HAVE_SYS_STAT_H
51 # include <sys/stat.h>
55 #include "wsutil/wsgetopt.h"
59 #include <epan/epan.h>
60 #include <epan/filesystem.h>
61 #include <wsutil/privileges.h>
62 #include <wsutil/file_util.h>
65 #include <epan/timestamp.h>
66 #include <epan/packet.h>
68 #include "disabled_protos.h"
69 #include <epan/prefs.h>
70 #include <epan/column.h>
72 #include <epan/addr_resolv.h>
74 #include "clopts_common.h"
75 #include "console_io.h"
76 #include "cmdarg_err.h"
77 #include "version_info.h"
78 #include <epan/plugins.h>
80 #include <epan/epan_dissect.h>
82 #include <epan/stat_cmd_args.h>
83 #include <epan/timestamp.h>
84 #include <epan/ex-opt.h>
87 #include "capture_ui_utils.h"
88 #include "capture_ifinfo.h"
89 #include "capture-pcap-util.h"
91 #include "capture-wpcap.h"
92 #include <wsutil/unicode-utils.h>
94 #include "capture_sync.h"
95 #endif /* HAVE_LIBPCAP */
97 #include <epan/funnel.h>
100 * This is the template for the decode as option; it is shared between the
101 * various functions that output the usage for this parameter.
103 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
105 static guint32 cum_bytes;
106 static nstime_t first_ts;
107 static nstime_t prev_dis_ts;
108 static nstime_t prev_cap_ts;
110 static gboolean print_packet_info; /* TRUE if we're to print packet information */
112 static gboolean perform_two_pass_analysis;
115 * The way the packet decode is to be written.
118 WRITE_TEXT, /* summary or detail text */
119 WRITE_XML, /* PDML or PSML */
120 WRITE_FIELDS /* User defined list of fields */
121 /* Add CSV and the like here */
124 static output_action_e output_action;
125 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
126 static gboolean verbose;
127 static gboolean print_hex;
128 static gboolean line_buffered;
130 static print_format_e print_format = PR_FMT_TEXT;
131 static print_stream_t *print_stream;
133 static output_fields_t* output_fields = NULL;
135 /* The line separator used between packets, changeable via the -S option */
136 static char *separator = "";
140 * TRUE if we're to print packet counts to keep track of captured packets.
142 static gboolean print_packet_counts;
144 static capture_options global_capture_opts;
147 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
148 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
151 static gboolean capture(void);
152 static void report_counts(void);
154 static BOOL WINAPI capture_cleanup(DWORD);
156 static void capture_cleanup(int);
158 static void report_counts_siginfo(int);
161 #endif /* HAVE_LIBPCAP */
163 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
164 static gboolean process_packet(capture_file *cf, gint64 offset,
165 const struct wtap_pkthdr *whdr, union wtap_pseudo_header *pseudo_header,
166 const guchar *pd, gboolean filtering_tap_listeners, guint tap_flags);
167 static void show_capture_file_io_error(const char *, int, gboolean);
168 static void show_print_file_io_error(int err);
169 static gboolean write_preamble(capture_file *cf);
170 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
171 static gboolean write_finale(void);
172 static const char *cf_open_error_message(int err, gchar *err_info,
173 gboolean for_writing, int file_type);
175 static void open_failure_message(const char *filename, int err,
176 gboolean for_writing);
177 static void failure_message(const char *msg_format, va_list ap);
178 static void read_failure_message(const char *filename, int err);
179 static void write_failure_message(const char *filename, int err);
184 const char *sstr; /* The short string */
185 const char *lstr; /* The long string */
189 string_compare(gconstpointer a, gconstpointer b)
191 return strcmp(((const struct string_elem *)a)->sstr,
192 ((const struct string_elem *)b)->sstr);
196 string_elem_print(gpointer data, gpointer not_used _U_)
198 fprintf(stderr, " %s - %s\n",
199 ((struct string_elem *)data)->sstr,
200 ((struct string_elem *)data)->lstr);
204 list_capture_types(void) {
206 struct string_elem *captypes;
209 captypes = g_malloc(sizeof(struct string_elem) * WTAP_NUM_FILE_TYPES);
211 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
212 for (i = 0; i < WTAP_NUM_FILE_TYPES; i++) {
213 if (wtap_dump_can_open(i)) {
214 captypes[i].sstr = wtap_file_type_short_string(i);
215 captypes[i].lstr = wtap_file_type_string(i);
216 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
219 g_slist_foreach(list, string_elem_print, NULL);
225 print_usage(gboolean print_ver)
232 "TShark " VERSION "%s\n"
233 "Dump and analyze network traffic.\n"
234 "See http://www.wireshark.org for more information.\n"
237 wireshark_svnversion, get_copyright_info());
241 fprintf(output, "\n");
242 fprintf(output, "Usage: tshark [options] ...\n");
243 fprintf(output, "\n");
246 fprintf(output, "Capture interface:\n");
247 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
248 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
249 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
250 fprintf(output, " -p don't capture in promiscuous mode\n");
251 #ifdef HAVE_PCAP_CREATE
252 fprintf(output, " -I capture in monitor mode, if available\n");
254 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
255 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
257 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
258 fprintf(output, " -D print list of interfaces and exit\n");
259 fprintf(output, " -L print list of link-layer types of iface and exit\n");
260 fprintf(output, "\n");
261 fprintf(output, "Capture stop conditions:\n");
262 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
263 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
264 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
265 fprintf(output, " files:NUM - stop after NUM files\n");
266 /*fprintf(output, "\n");*/
267 fprintf(output, "Capture output:\n");
268 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
269 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
270 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
271 #endif /* HAVE_LIBPCAP */
273 /*fprintf(output, "\n");*/
274 fprintf(output, "Input file:\n");
275 fprintf(output, " -r <infile> set the filename to read from (no pipes or stdin!)\n");
277 fprintf(output, "\n");
278 fprintf(output, "Processing:\n");
279 fprintf(output, " -2 perform a two-pass analysis\n");
280 fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
281 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
282 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
283 fprintf(output, " -d %s ...\n", decode_as_arg_template);
284 fprintf(output, " \"Decode As\", see the man page for details\n");
285 fprintf(output, " Example: tcp.port==8888,http\n");
286 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
287 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
289 /*fprintf(output, "\n");*/
290 fprintf(output, "Output:\n");
291 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
292 fprintf(output, " (or to the standard output for \"-\")\n");
293 fprintf(output, " -C <config profile> start with specified configuration profile\n");
294 fprintf(output, " -F <output file type> set the output file type, default is libpcap\n");
295 fprintf(output, " an empty \"-F\" option will list the file types\n");
296 fprintf(output, " -V add output of packet tree (Packet Details)\n");
297 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
298 fprintf(output, " separated\n");
299 fprintf(output, " -P print packets even when writing to a file\n");
300 fprintf(output, " -S <separator> the line separator to print between packets\n");
301 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
302 fprintf(output, " -T pdml|ps|psml|text|fields\n");
303 fprintf(output, " format of text output (def: text)\n");
304 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port);\n");
305 fprintf(output, " this option can be repeated to print multiple fields\n");
306 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
307 fprintf(output, " header=y|n switch headers on and off\n");
308 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
309 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
310 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
311 fprintf(output, " aggregator\n");
312 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
313 fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
314 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
315 fprintf(output, " -l flush standard output after each packet\n");
316 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
317 fprintf(output, " -W n Save extra information in the file, if supported.\n");
318 fprintf(output, " n = write network address resolution information\n");
319 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
320 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
322 fprintf(output, "\n");
323 fprintf(output, "Miscellaneous:\n");
324 fprintf(output, " -h display this help and exit\n");
325 fprintf(output, " -v display version info and exit\n");
326 fprintf(output, " -o <name>:<value> ... override preference setting\n");
327 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
328 fprintf(output, " -G [report] dump one of several available reports and exit\n");
329 fprintf(output, " default report=\"fields\"\n");
330 fprintf(output, " use \"-G ?\" for more help\n");
334 glossary_option_help(void)
340 fprintf(output, "TShark " VERSION "%s\n", wireshark_svnversion);
342 fprintf(output, "\n");
343 fprintf(output, "Usage: tshark -G [report]\n");
344 fprintf(output, "\n");
345 fprintf(output, "Glossary table reports:\n");
346 fprintf(output, " -G [fields] dump glossary in original format and exit\n");
347 fprintf(output, " -G fields2 dump glossary in format 2 and exit\n");
348 fprintf(output, " -G fields3 dump glossary in format 3 and exit\n");
349 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
350 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
351 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
352 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
353 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
354 fprintf(output, "\n");
355 fprintf(output, "Preference reports:\n");
356 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
357 fprintf(output, " -G currentprefs dump current preferences and exit\n");
358 fprintf(output, "\n");
363 * For a dissector table, print on the stream described by output,
364 * its short name (which is what's used in the "-d" option) and its
368 display_dissector_table_names(const char *table_name, const char *ui_name,
371 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
375 * For a dissector handle, print on the stream described by output,
376 * the filter name (which is what's used in the "-d" option) and the full
377 * name for the protocol that corresponds to this handle.
380 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
383 const gchar* proto_filter_name;
384 const gchar* proto_ui_name;
386 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
388 if (proto_id != -1) {
389 proto_filter_name = proto_get_protocol_filter_name(proto_id);
390 proto_ui_name = proto_get_protocol_name(proto_id);
391 g_assert(proto_filter_name != NULL);
392 g_assert(proto_ui_name != NULL);
394 fprintf((FILE *)output, "\t%s (%s)\n",
401 * The protocol_name_search structure is used by find_protocol_name_func()
402 * to pass parameters and store results
404 struct protocol_name_search{
405 gchar *searched_name; /* Protocol filter name we are looking for */
406 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
407 guint nb_match; /* How many dissectors matched searched_name */
409 typedef struct protocol_name_search *protocol_name_search_t;
412 * This function parses all dissectors associated with a table to find the
413 * one whose protocol has the specified filter name. It is called
414 * as a reference function in a call to dissector_table_foreach_handle.
415 * The name we are looking for, as well as the results, are stored in the
416 * protocol_name_search struct pointed to by user_data.
417 * If called using dissector_table_foreach_handle, we actually parse the
418 * whole list of dissectors.
421 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
425 const gchar *protocol_filter_name;
426 protocol_name_search_t search_info;
430 search_info = (protocol_name_search_t)user_data;
432 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
433 if (proto_id != -1) {
434 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
435 g_assert(protocol_filter_name != NULL);
436 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
438 if (search_info->nb_match == 0) {
439 /* Record this handle only if this is the first match */
440 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
442 search_info->nb_match++;
448 * Print all layer type names supported.
449 * We send the output to the stream described by the handle output.
453 fprint_all_layer_types(FILE *output)
456 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output);
460 * Print all protocol names supported for a specific layer type.
461 * table_name contains the layer type name in which the search is performed.
462 * We send the output to the stream described by the handle output.
466 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
469 dissector_table_foreach_handle(table_name,
470 display_dissector_names,
475 * The function below parses the command-line parameters for the decode as
476 * feature (a string pointer by cl_param).
477 * It checks the format of the command-line, searches for a matching table
478 * and dissector. If a table/dissector match is not found, we display a
479 * summary of the available tables/dissectors (on stderr) and return FALSE.
480 * If everything is fine, we get the "Decode as" preference activated,
481 * then we return TRUE.
484 add_decode_as(const gchar *cl_param)
488 gchar *decoded_param;
489 gchar *remaining_param;
491 gchar *dissector_str;
492 dissector_handle_t dissector_matching;
493 dissector_table_t table_matching;
494 ftenum_t dissector_table_selector_type;
495 struct protocol_name_search user_protocol_name;
497 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
500 decoded_param = g_strdup(cl_param);
501 g_assert(decoded_param);
504 /* The lines below will parse this string (modifying it) to extract all
505 necessary information. Note that decoded_param is still needed since
506 strings are not copied - we just save pointers. */
508 /* This section extracts a layer type (table_name) from decoded_param */
509 table_name = decoded_param; /* Layer type string starts from beginning */
511 remaining_param = strchr(table_name, '=');
512 if (remaining_param == NULL) {
513 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
514 /* If the argument does not follow the template, carry on anyway to check
515 if the table name is at least correct. If remaining_param is NULL,
516 we'll exit anyway further down */
519 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
522 /* Remove leading and trailing spaces from the table name */
523 while ( table_name[0] == ' ' )
525 while ( table_name[strlen(table_name) - 1] == ' ' )
526 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
528 /* The following part searches a table matching with the layer type specified */
529 table_matching = NULL;
531 /* Look for the requested table */
532 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
533 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
536 table_matching = find_dissector_table(table_name);
537 if (!table_matching) {
538 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
542 if (!table_matching) {
543 /* Display a list of supported layer types to help the user, if the
544 specified layer type was not found */
545 cmdarg_err("Valid layer types are:");
546 fprint_all_layer_types(stderr);
548 if (remaining_param == NULL || !table_matching) {
549 /* Exit if the layer type was not found, or if no '=' separator was found
551 g_free(decoded_param);
555 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
556 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
559 remaining_param++; /* Move to the second '=' */
560 *remaining_param = '\0'; /* Remove the second '=' */
562 remaining_param++; /* Position after the layer type string */
564 /* This section extracts a selector value (selector_str) from decoded_param */
566 selector_str = remaining_param; /* Next part starts with the selector number */
568 remaining_param = strchr(selector_str, ',');
569 if (remaining_param == NULL) {
570 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
571 /* If the argument does not follow the template, carry on anyway to check
572 if the selector value is at least correct. If remaining_param is NULL,
573 we'll exit anyway further down */
576 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
579 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
581 switch (dissector_table_selector_type) {
587 /* The selector for this table is an unsigned number. Parse it as such.
588 There's no need to remove leading and trailing spaces from the
589 selector number string, because sscanf will do that for us. */
590 if ( sscanf(selector_str, "%u", &selector) != 1 ) {
591 cmdarg_err("Invalid selector number \"%s\"", selector_str);
592 g_free(decoded_param);
599 /* The selector for this table is a string. */
603 /* There are currently no dissector tables with any types other
604 than the ones listed above. */
605 g_assert_not_reached();
608 if (remaining_param == NULL) {
609 /* Exit if no ',' separator was found (see above) */
610 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
611 fprint_all_protocols_for_layer_types(stderr, table_name);
612 g_free(decoded_param);
616 remaining_param++; /* Position after the selector number string */
618 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
620 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
622 /* Remove leading and trailing spaces from the dissector name */
623 while ( dissector_str[0] == ' ' )
625 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
626 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
628 dissector_matching = NULL;
630 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
631 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
632 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
635 user_protocol_name.nb_match = 0;
636 user_protocol_name.searched_name = dissector_str;
637 user_protocol_name.matched_handle = NULL;
639 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
641 if (user_protocol_name.nb_match != 0) {
642 dissector_matching = user_protocol_name.matched_handle;
643 if (user_protocol_name.nb_match > 1) {
644 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
648 /* OK, check whether the problem is that there isn't any such
649 protocol, or that there is but it's not specified as a protocol
650 that's valid for that dissector table.
651 Note, we don't exit here, but dissector_matching will remain NULL,
653 if (proto_get_id_by_filter_name(dissector_str) == -1) {
654 /* No such protocol */
655 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
657 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
658 dissector_str, table_name);
663 if (!dissector_matching) {
664 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
665 fprint_all_protocols_for_layer_types(stderr, table_name);
666 g_free(decoded_param);
670 /* This is the end of the code that parses the command-line options.
671 All information is now stored in the variables:
675 The above variables that are strings are still pointing to areas within
676 decoded_parm. decoded_parm thus still needs to be kept allocated in
677 until we stop needing these variables
678 decoded_param will be deallocated at each exit point of this function */
681 /* We now have a pointer to the handle for the requested dissector
682 (requested protocol) inside the variable dissector_matching */
683 switch (dissector_table_selector_type) {
689 /* The selector for this table is an unsigned number. */
690 dissector_change_uint(table_name, selector, dissector_matching);
695 /* The selector for this table is a string. */
696 dissector_change_string(table_name, selector_str, dissector_matching);
700 /* There are currently no dissector tables with any types other
701 than the ones listed above. */
702 g_assert_not_reached();
704 g_free(decoded_param); /* "Decode As" rule has been successfully added */
709 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
710 const gchar *message, gpointer user_data)
712 /* ignore log message, if log_level isn't interesting based
713 upon the console log preferences.
714 If the preferences haven't been loaded loaded yet, display the
717 The default console_log_level preference value is such that only
718 ERROR, CRITICAL and WARNING level messages are processed;
719 MESSAGE, INFO and DEBUG level messages are ignored.
721 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
722 ERROR and CRITICAL level messages so the current code is a behavioral
723 change. The current behavior is the same as in Wireshark.
725 if((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
726 prefs.console_log_level != 0) {
730 g_log_default_handler(log_domain, log_level, message, user_data);
735 output_file_description(const char *fname)
737 char *save_file_string;
739 /* Get a string that describes what we're writing to */
740 if (strcmp(fname, "-") == 0) {
741 /* We're writing to the standard output */
742 save_file_string = g_strdup("standard output");
744 /* We're writing to a file with the name in save_file */
745 save_file_string = g_strdup_printf("file \"%s\"", fname);
747 return save_file_string;
751 print_current_user(void) {
752 gchar *cur_user, *cur_group;
753 if (started_with_special_privs()) {
754 cur_user = get_cur_username();
755 cur_group = get_cur_groupname();
756 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
757 cur_user, cur_group);
760 if (running_with_special_privs()) {
761 fprintf(stderr, " This could be dangerous.");
763 fprintf(stderr, "\n");
768 check_capture_privs(void) {
771 /* Warn the user if npf.sys isn't loaded. */
772 if (!npf_sys_is_running() && get_os_major_version() >= 6) {
773 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
774 "capturing or\nlisting interfaces.\n");
780 show_version(GString *comp_info_str, GString *runtime_info_str)
782 printf("TShark " VERSION "%s\n"
789 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
790 runtime_info_str->str);
794 main(int argc, char *argv[])
796 char *init_progfile_dir_error;
798 gboolean arg_error = FALSE;
804 char *gpf_path, *pf_path;
805 char *gdp_path, *dp_path;
806 int gpf_open_errno, gpf_read_errno;
807 int pf_open_errno, pf_read_errno;
808 int gdp_open_errno, gdp_read_errno;
809 int dp_open_errno, dp_read_errno;
811 volatile int exit_status = 0;
813 gboolean list_link_layer_types = FALSE;
814 gboolean start_capture = FALSE;
819 interface_options interface_opts;
821 gboolean capture_option_specified = FALSE;
823 gboolean quiet = FALSE;
824 #ifdef PCAP_NG_DEFAULT
825 volatile int out_file_type = WTAP_FILE_PCAPNG;
827 volatile int out_file_type = WTAP_FILE_PCAP;
829 volatile gboolean out_file_name_res = FALSE;
830 gchar *volatile cf_name = NULL;
831 gchar *rfilter = NULL;
832 #ifdef HAVE_PCAP_OPEN_DEAD
833 struct bpf_program fcode;
835 dfilter_t *rfcode = NULL;
838 GLogLevelFlags log_flags;
840 gchar *output_only = NULL;
843 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
844 #define OPTSTRING_B "B:"
846 #define OPTSTRING_B ""
847 #endif /* _WIN32 or HAVE_PCAP_CREATE */
848 #else /* HAVE_LIBPCAP */
849 #define OPTSTRING_B ""
850 #endif /* HAVE_LIBPCAP */
852 #ifdef HAVE_PCAP_CREATE
853 #define OPTSTRING_I "I"
855 #define OPTSTRING_I ""
858 #define OPTSTRING "2a:A:b:" OPTSTRING_B "c:C:d:De:E:f:F:G:hH:i:" OPTSTRING_I "K:lLnN:o:O:pPqr:R:s:S:t:T:u:vVw:W:xX:y:z:"
860 static const char optstring[] = OPTSTRING;
863 arg_list_utf_16to8(argc, argv);
864 #if !GLIB_CHECK_VERSION(2,31,0)
870 * Get credential information for later use.
872 init_process_policies();
875 * Attempt to get the pathname of the executable file.
877 init_progfile_dir_error = init_progfile_dir(argv[0], main);
878 if (init_progfile_dir_error != NULL) {
879 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
880 init_progfile_dir_error);
884 * In order to have the -X opts assigned before the wslua machine starts
885 * we need to call getopts before epan_init() gets called.
888 optind_initial = optind;
890 while ((opt = getopt(argc, argv, optstring)) != -1) {
892 case 'C': /* Configuration Profile */
893 if (profile_exists (optarg, FALSE)) {
894 set_profile_name (optarg);
896 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
908 optind = optind_initial;
913 /** Send All g_log messages to our own handler **/
917 G_LOG_LEVEL_CRITICAL|
922 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
924 g_log_set_handler(NULL,
926 tshark_log_handler, NULL /* user_data */);
927 g_log_set_handler(LOG_DOMAIN_MAIN,
929 tshark_log_handler, NULL /* user_data */);
932 g_log_set_handler(LOG_DOMAIN_CAPTURE,
934 tshark_log_handler, NULL /* user_data */);
935 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
937 tshark_log_handler, NULL /* user_data */);
940 initialize_funnel_ops();
943 capture_opts_init(&global_capture_opts, &cfile);
946 timestamp_set_type(TS_RELATIVE);
947 timestamp_set_precision(TS_PREC_AUTO);
948 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
950 /* Register all dissectors; we must do this before checking for the
951 "-G" flag, as the "-G" flag dumps information registered by the
952 dissectors, and we must do it before we read the preferences, in
953 case any dissectors register preferences. */
954 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
955 failure_message, open_failure_message, read_failure_message,
956 write_failure_message);
958 /* Register all tap listeners; we do this before we parse the arguments,
959 as the "-z" argument can specify a registered tap. */
961 /* we register the plugin taps before the other taps because
962 stats_tree taps plugins will be registered as tap listeners
963 by stats_tree_stat.c and need to registered before that */
965 register_all_plugin_tap_listeners();
967 register_all_tap_listeners();
969 /* Now register the preferences for any non-dissector modules.
970 We must do that before we read the preferences as well. */
971 prefs_register_modules();
973 /* If invoked with the "-G" flag, we dump out information based on
974 the argument to the "-G" flag; if no argument is specified,
975 for backwards compatibility we dump out a glossary of display
978 XXX - we do this here, for now, to support "-G" with no arguments.
979 If none of our build or other processes uses "-G" with no arguments,
980 we can just process it with the other arguments. */
981 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
982 proto_initialize_all_prefixes();
985 proto_registrar_dump_fields(1);
987 if (strcmp(argv[2], "fields") == 0)
988 proto_registrar_dump_fields(1);
989 else if (strcmp(argv[2], "fields2") == 0)
990 proto_registrar_dump_fields(2);
991 else if (strcmp(argv[2], "fields3") == 0)
992 proto_registrar_dump_fields(3);
993 else if (strcmp(argv[2], "protocols") == 0)
994 proto_registrar_dump_protocols();
995 else if (strcmp(argv[2], "values") == 0)
996 proto_registrar_dump_values();
997 else if (strcmp(argv[2], "ftypes") == 0)
998 proto_registrar_dump_ftypes();
999 else if (strcmp(argv[2], "decodes") == 0)
1000 dissector_dump_decodes();
1001 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1002 dissector_dump_heur_decodes();
1003 else if (strcmp(argv[2], "defaultprefs") == 0)
1005 else if (strcmp(argv[2], "plugins") == 0)
1007 else if (strcmp(argv[2], "?") == 0)
1008 glossary_option_help();
1009 else if (strcmp(argv[2], "-?") == 0)
1010 glossary_option_help();
1011 else if (strcmp(argv[2], "currentprefs") == 0) {
1012 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1013 &pf_open_errno, &pf_read_errno, &pf_path);
1016 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1023 /* Set the C-language locale to the native environment. */
1024 setlocale(LC_ALL, "");
1026 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1027 &pf_open_errno, &pf_read_errno, &pf_path);
1028 if (gpf_path != NULL) {
1029 if (gpf_open_errno != 0) {
1030 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1031 pf_path, g_strerror(gpf_open_errno));
1033 if (gpf_read_errno != 0) {
1034 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1035 pf_path, g_strerror(gpf_read_errno));
1038 if (pf_path != NULL) {
1039 if (pf_open_errno != 0) {
1040 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1041 g_strerror(pf_open_errno));
1043 if (pf_read_errno != 0) {
1044 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1045 pf_path, g_strerror(pf_read_errno));
1051 /* Set the name resolution code's flags from the preferences. */
1052 gbl_resolv_flags = prefs_p->name_resolve;
1054 /* Read the disabled protocols file. */
1055 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1056 &dp_path, &dp_open_errno, &dp_read_errno);
1057 if (gdp_path != NULL) {
1058 if (gdp_open_errno != 0) {
1059 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1060 gdp_path, g_strerror(gdp_open_errno));
1062 if (gdp_read_errno != 0) {
1063 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1064 gdp_path, g_strerror(gdp_read_errno));
1068 if (dp_path != NULL) {
1069 if (dp_open_errno != 0) {
1071 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1072 g_strerror(dp_open_errno));
1074 if (dp_read_errno != 0) {
1076 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1077 g_strerror(dp_read_errno));
1082 check_capture_privs();
1084 cap_file_init(&cfile);
1086 /* Print format defaults to this. */
1087 print_format = PR_FMT_TEXT;
1089 output_fields = output_fields_new();
1091 /* Now get our args */
1092 while ((opt = getopt(argc, argv, optstring)) != -1) {
1094 case '2': /* Perform two pass analysis */
1095 perform_two_pass_analysis = TRUE;
1097 case 'a': /* autostop criteria */
1098 case 'b': /* Ringbuffer option */
1099 case 'c': /* Capture x packets */
1100 case 'f': /* capture filter */
1101 case 'i': /* Use interface x */
1102 case 'p': /* Don't capture in promiscuous mode */
1103 #ifdef HAVE_PCAP_CREATE
1104 case 'I': /* Capture in monitor mode, if available */
1106 case 's': /* Set the snapshot (capture) length */
1107 case 'w': /* Write to capture file x */
1108 case 'y': /* Set the pcap data link type */
1109 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1110 case 'B': /* Buffer size */
1111 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1113 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1118 capture_option_specified = TRUE;
1123 /* Configuration profile settings were already processed just ignore them this time*/
1125 case 'd': /* Decode as rule */
1126 if (!add_decode_as(optarg))
1129 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1130 case 'K': /* Kerberos keytab file */
1131 read_keytab_file(optarg);
1134 case 'D': /* Print a list of capture devices and exit */
1136 if_list = capture_interface_list(&err, &err_str);
1137 if (if_list == NULL) {
1139 case CANT_GET_INTERFACE_LIST:
1140 case DONT_HAVE_PCAP:
1141 cmdarg_err("%s", err_str);
1145 case NO_INTERFACES_FOUND:
1146 cmdarg_err("There are no interfaces on which a capture can be done");
1151 capture_opts_print_interfaces(if_list);
1152 free_interface_list(if_list);
1155 capture_option_specified = TRUE;
1161 output_fields_add(output_fields, optarg);
1165 if(!output_fields_set_option(output_fields, optarg)) {
1166 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1167 output_fields_list_options(stderr);
1172 out_file_type = wtap_short_string_to_file_type(optarg);
1173 if (out_file_type < 0) {
1174 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1175 list_capture_types();
1179 case 'W': /* Select extra information to save in our capture file */
1180 /* This is patterned after the -N flag which may not be the best idea. */
1181 if (strchr(optarg, 'n'))
1182 out_file_name_res = TRUE;
1184 case 'H': /* Read address to name mappings from a hosts file */
1185 if (! read_hosts_file(optarg))
1187 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1190 out_file_name_res = TRUE;
1193 case 'h': /* Print help and exit */
1197 case 'l': /* "Line-buffer" standard output */
1198 /* This isn't line-buffering, strictly speaking, it's just
1199 flushing the standard output after the information for
1200 each packet is printed; however, that should be good
1201 enough for all the purposes to which "-l" is put (and
1202 is probably actually better for "-V", as it does fewer
1205 See the comment in "process_packet()" for an explanation of
1206 why we do that, and why we don't just use "setvbuf()" to
1207 make the standard output line-buffered (short version: in
1208 Windows, "line-buffered" is the same as "fully-buffered",
1209 and the output buffer is only flushed when it fills up). */
1210 line_buffered = TRUE;
1212 case 'L': /* Print list of link-layer types and exit */
1214 list_link_layer_types = TRUE;
1216 capture_option_specified = TRUE;
1220 case 'n': /* No name resolution */
1221 gbl_resolv_flags = RESOLV_NONE;
1223 case 'N': /* Select what types of addresses/port #s to resolve */
1224 if (gbl_resolv_flags == RESOLV_ALL)
1225 gbl_resolv_flags = RESOLV_NONE;
1226 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1227 if (badopt != '\0') {
1228 cmdarg_err("-N specifies unknown resolving option '%c';",
1230 cmdarg_err_cont( " Valid options are 'm', 'n', 't', and 'C'");
1234 case 'o': /* Override preference from command line */
1235 switch (prefs_set_pref(optarg)) {
1240 case PREFS_SET_SYNTAX_ERR:
1241 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1245 case PREFS_SET_NO_SUCH_PREF:
1246 case PREFS_SET_OBSOLETE:
1247 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1252 case 'q': /* Quiet */
1255 case 'r': /* Read capture file x */
1256 cf_name = g_strdup(optarg);
1258 case 'R': /* Read file filter */
1261 case 'P': /* Print packets even when writing to a file */
1262 print_packet_info = TRUE;
1264 case 'S': /* Set the line Separator to be printed between packets */
1265 separator = strdup(optarg);
1267 case 't': /* Time stamp type */
1268 if (strcmp(optarg, "r") == 0)
1269 timestamp_set_type(TS_RELATIVE);
1270 else if (strcmp(optarg, "a") == 0)
1271 timestamp_set_type(TS_ABSOLUTE);
1272 else if (strcmp(optarg, "ad") == 0)
1273 timestamp_set_type(TS_ABSOLUTE_WITH_DATE);
1274 else if (strcmp(optarg, "d") == 0)
1275 timestamp_set_type(TS_DELTA);
1276 else if (strcmp(optarg, "dd") == 0)
1277 timestamp_set_type(TS_DELTA_DIS);
1278 else if (strcmp(optarg, "e") == 0)
1279 timestamp_set_type(TS_EPOCH);
1280 else if (strcmp(optarg, "u") == 0)
1281 timestamp_set_type(TS_UTC);
1282 else if (strcmp(optarg, "ud") == 0)
1283 timestamp_set_type(TS_UTC_WITH_DATE);
1285 cmdarg_err("Invalid time stamp type \"%s\"",
1287 cmdarg_err_cont("It must be \"r\" for relative, \"a\" for absolute,");
1288 cmdarg_err_cont("\"ad\" for absolute with date, or \"d\" for delta.");
1292 case 'T': /* printing Type */
1293 if (strcmp(optarg, "text") == 0) {
1294 output_action = WRITE_TEXT;
1295 print_format = PR_FMT_TEXT;
1296 } else if (strcmp(optarg, "ps") == 0) {
1297 output_action = WRITE_TEXT;
1298 print_format = PR_FMT_PS;
1299 } else if (strcmp(optarg, "pdml") == 0) {
1300 output_action = WRITE_XML;
1302 } else if (strcmp(optarg, "psml") == 0) {
1303 output_action = WRITE_XML;
1305 } else if(strcmp(optarg, "fields") == 0) {
1306 output_action = WRITE_FIELDS;
1307 verbose = TRUE; /* Need full tree info */
1309 cmdarg_err("Invalid -T parameter.");
1310 cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
1314 case 'u': /* Seconds type */
1315 if (strcmp(optarg, "s") == 0)
1316 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1317 else if (strcmp(optarg, "hms") == 0)
1318 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1320 cmdarg_err("Invalid seconds type \"%s\"", optarg);
1321 cmdarg_err_cont("It must be \"s\" for seconds or \"hms\" for hours, minutes and seconds.");
1325 case 'v': /* Show version and exit */
1327 GString *comp_info_str;
1328 GString *runtime_info_str;
1329 /* Assemble the compile-time version information string */
1330 comp_info_str = g_string_new("Compiled ");
1331 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1333 /* Assemble the run-time version information string */
1334 runtime_info_str = g_string_new("Running ");
1335 get_runtime_version_info(runtime_info_str, NULL);
1336 show_version(comp_info_str, runtime_info_str);
1337 g_string_free(comp_info_str, TRUE);
1338 g_string_free(runtime_info_str, TRUE);
1342 case 'O': /* Only output these protocols */
1343 output_only = g_strdup(optarg);
1345 case 'V': /* Verbose */
1347 /* The user asked for a verbose output, so let's ensure they get it,
1348 * even if they're writing to a file.
1350 print_packet_info = TRUE;
1352 case 'x': /* Print packet data in hex (and ASCII) */
1354 /* The user asked for hex output, so let's ensure they get it,
1355 * even if they're writing to a file.
1357 print_packet_info = TRUE;
1362 /* We won't call the init function for the stat this soon
1363 as it would disallow MATE's fields (which are registered
1364 by the preferences set callback) from being used as
1365 part of a tap filter. Instead, we just add the argument
1366 to a list of stat arguments. */
1367 if (!process_stat_cmd_arg(optarg)) {
1368 cmdarg_err("invalid -z argument.");
1369 cmdarg_err_cont(" -z argument must be one of :");
1370 list_stat_cmd_args();
1375 case '?': /* Bad flag - print usage message */
1378 list_capture_types();
1388 /* If we specified output fields, but not the output field type... */
1389 if(WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1390 cmdarg_err("Output fields were specified with \"-e\", "
1391 "but \"-Tfields\" was not specified.");
1393 } else if(WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1394 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1395 "specified with \"-e\".");
1400 /* If no capture filter or read filter has been specified, and there are
1401 still command-line arguments, treat them as the tokens of a capture
1402 filter (if no "-r" flag was specified) or a read filter (if a "-r"
1403 flag was specified. */
1404 if (optind < argc) {
1405 if (cf_name != NULL) {
1406 if (rfilter != NULL) {
1407 cmdarg_err("Read filters were specified both with \"-R\" "
1408 "and with additional command-line arguments.");
1411 rfilter = get_args_as_string(argc, argv, optind);
1414 if (global_capture_opts.default_options.cfilter) {
1415 cmdarg_err("A default capture filter was specified both with \"-f\""
1416 " and with additional command-line arguments.");
1419 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1420 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1421 if (interface_opts.cfilter == NULL) {
1422 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1423 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1424 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1426 cmdarg_err("A capture filter was specified both with \"-f\""
1427 " and with additional command-line arguments.");
1431 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1433 capture_option_specified = TRUE;
1439 if (!global_capture_opts.saving_to_file) {
1440 /* We're not saving the capture to a file; if "-q" wasn't specified,
1441 we should print packet information */
1443 print_packet_info = TRUE;
1445 /* We're saving to a file; if we're writing to the standard output.
1446 and we'll also be writing dissected packets to the standard
1447 output, reject the request. At best, we could redirect that
1448 to the standard error; we *can't* write both to the standard
1449 output and have either of them be useful. */
1450 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1451 cmdarg_err("You can't write both raw packet data and dissected packets"
1452 " to the standard output.");
1457 /* We're not saving the capture to a file; if "-q" wasn't specified,
1458 we should print packet information */
1460 print_packet_info = TRUE;
1463 #ifndef HAVE_LIBPCAP
1464 if (capture_option_specified)
1465 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1472 /* We don't support capture filters when reading from a capture file
1473 (the BPF compiler doesn't support all link-layer types that we
1474 support in capture files we read). */
1476 if (cf_name != NULL) {
1477 if (global_capture_opts.default_options.cfilter) {
1478 cmdarg_err("Only read filters, not capture filters, "
1479 "can be specified when reading a capture file.");
1486 if (output_action != WRITE_TEXT) {
1487 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1492 if (output_only != NULL) {
1496 cmdarg_err("-O requires -V");
1500 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1501 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1502 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1507 if (list_link_layer_types) {
1508 /* We're supposed to list the link-layer types for an interface;
1509 did the user also specify a capture file to be read? */
1511 /* Yes - that's bogus. */
1512 cmdarg_err("You can't specify -L and a capture file to be read.");
1515 /* No - did they specify a ring buffer option? */
1516 if (global_capture_opts.multi_files_on) {
1517 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1523 * "-r" was specified, so we're reading a capture file.
1524 * Capture options don't apply here.
1526 if (global_capture_opts.multi_files_on) {
1527 cmdarg_err("Multiple capture files requested, but "
1528 "a capture isn't being done.");
1531 if (global_capture_opts.has_file_duration) {
1532 cmdarg_err("Switching capture files after a time interval was specified, but "
1533 "a capture isn't being done.");
1536 if (global_capture_opts.has_ring_num_files) {
1537 cmdarg_err("A ring buffer of capture files was specified, but "
1538 "a capture isn't being done.");
1541 if (global_capture_opts.has_autostop_files) {
1542 cmdarg_err("A maximum number of capture files was specified, but "
1543 "a capture isn't being done.");
1547 /* Note: TShark now allows the restriction of a _read_ file by packet count
1548 * and byte count as well as a write file. Other autostop options remain valid
1549 * only for a write file.
1551 if (global_capture_opts.has_autostop_duration) {
1552 cmdarg_err("A maximum capture time was specified, but "
1553 "a capture isn't being done.");
1558 * "-r" wasn't specified, so we're doing a live capture.
1560 if (global_capture_opts.saving_to_file) {
1561 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1563 /* When capturing, we only support writing pcap or pcap-ng format. */
1564 if (out_file_type != WTAP_FILE_PCAP && out_file_type != WTAP_FILE_PCAPNG) {
1565 cmdarg_err("Live captures can only be saved in libpcap format.");
1568 if (global_capture_opts.multi_files_on) {
1569 /* Multiple-file mode doesn't work under certain conditions:
1570 a) it doesn't work if you're writing to the standard output;
1571 b) it doesn't work if you're writing to a pipe;
1573 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1574 cmdarg_err("Multiple capture files requested, but "
1575 "the capture is being written to the standard output.");
1578 if (global_capture_opts.output_to_pipe) {
1579 cmdarg_err("Multiple capture files requested, but "
1580 "the capture file is a pipe.");
1583 if (!global_capture_opts.has_autostop_filesize &&
1584 !global_capture_opts.has_file_duration) {
1585 cmdarg_err("Multiple capture files requested, but "
1586 "no maximum capture file size or duration was specified.");
1590 /* Currently, we don't support read filters when capturing
1591 and saving the packets. */
1592 if (rfilter != NULL) {
1593 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1597 /* They didn't specify a "-w" flag, so we won't be saving to a
1598 capture file. Check for options that only make sense if
1599 we're saving to a file. */
1600 if (global_capture_opts.has_autostop_filesize) {
1601 cmdarg_err("Maximum capture file size specified, but "
1602 "capture isn't being saved to a file.");
1605 if (global_capture_opts.multi_files_on) {
1606 cmdarg_err("Multiple capture files requested, but "
1607 "the capture isn't being saved to a file.");
1616 /* Start windows sockets */
1617 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1620 /* Notify all registered modules that have had any of their preferences
1621 changed either from one of the preferences file or from the command
1622 line that their preferences have changed. */
1625 /* At this point MATE will have registered its field array so we can
1626 have a tap filter with one of MATE's late-registered fields as part
1627 of the filter. We can now process all the "-z" arguments. */
1628 start_requested_stats();
1631 /* We currently don't support taps, or printing dissected packets,
1632 if we're writing to a pipe. */
1633 if (global_capture_opts.saving_to_file &&
1634 global_capture_opts.output_to_pipe) {
1635 if (tap_listeners_require_dissection()) {
1636 cmdarg_err("Taps aren't supported when saving to a pipe.");
1639 if (print_packet_info) {
1640 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1646 /* disabled protocols as per configuration file */
1647 if (gdp_path == NULL && dp_path == NULL) {
1648 set_disabled_protos_list();
1651 /* Build the column format array */
1652 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1655 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1656 capture_opts_trim_ring_num_files(&global_capture_opts);
1659 if (rfilter != NULL) {
1660 if (!dfilter_compile(rfilter, &rfcode)) {
1661 cmdarg_err("%s", dfilter_error_msg);
1663 #ifdef HAVE_PCAP_OPEN_DEAD
1667 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1669 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1671 " Note: That display filter code looks like a valid capture filter;");
1673 " maybe you mixed them up?");
1682 cfile.rfcode = rfcode;
1684 if (print_packet_info) {
1685 /* If we're printing as text or PostScript, we have
1686 to create a print stream. */
1687 if (output_action == WRITE_TEXT) {
1688 switch (print_format) {
1691 print_stream = print_stream_text_stdio_new(stdout);
1695 print_stream = print_stream_ps_stdio_new(stdout);
1699 g_assert_not_reached();
1704 /* We have to dissect each packet if:
1706 we're printing information about each packet;
1708 we're using a read filter on the packets;
1710 we're using any taps that need dissection. */
1711 do_dissection = print_packet_info || rfcode || tap_listeners_require_dissection();
1715 * We're reading a capture file.
1719 * Immediately relinquish any special privileges we have; we must not
1720 * be allowed to read any capture files the user running TShark
1723 relinquish_special_privs_perm();
1724 print_current_user();
1726 if (cf_open(&cfile, cf_name, FALSE, &err) != CF_OK) {
1731 /* Set timestamp precision; there should arguably be a command-line
1732 option to let the user set this. */
1733 switch(wtap_file_tsprecision(cfile.wth)) {
1734 case(WTAP_FILE_TSPREC_SEC):
1735 timestamp_set_precision(TS_PREC_AUTO_SEC);
1737 case(WTAP_FILE_TSPREC_DSEC):
1738 timestamp_set_precision(TS_PREC_AUTO_DSEC);
1740 case(WTAP_FILE_TSPREC_CSEC):
1741 timestamp_set_precision(TS_PREC_AUTO_CSEC);
1743 case(WTAP_FILE_TSPREC_MSEC):
1744 timestamp_set_precision(TS_PREC_AUTO_MSEC);
1746 case(WTAP_FILE_TSPREC_USEC):
1747 timestamp_set_precision(TS_PREC_AUTO_USEC);
1749 case(WTAP_FILE_TSPREC_NSEC):
1750 timestamp_set_precision(TS_PREC_AUTO_NSEC);
1753 g_assert_not_reached();
1756 /* Process the packets in the file */
1759 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
1760 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
1761 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
1763 err = load_cap_file(&cfile, NULL, out_file_type, out_file_name_res, 0, 0);
1766 CATCH(OutOfMemoryError) {
1770 "Sorry, but TShark has to terminate now!\n"
1772 "Some infos / workarounds can be found at:\n"
1773 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
1778 /* We still dump out the results of taps, etc., as we might have
1779 read some packets; however, we exit with an error status. */
1783 /* No capture file specified, so we're supposed to do a live capture
1784 (or get a list of link-layer types for a live capture device);
1785 do we have support for live captures? */
1792 cmdarg_err("WinPcap couldn't be found.");
1793 detailed_err = cant_load_winpcap_err("TShark");
1794 cmdarg_err_cont("%s", detailed_err);
1795 g_free(detailed_err);
1800 /* trim the interface name and exit if that failed */
1801 if (!capture_opts_trim_iface(&global_capture_opts,
1802 (prefs_p->capture_device) ? get_if_name(prefs_p->capture_device) : NULL)) {
1806 /* if requested, list the link layer types and exit */
1807 if (list_link_layer_types) {
1809 interface_options interface_opts;
1811 /* Get the list of link-layer types for the capture devices. */
1812 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1813 if_capabilities_t *caps;
1815 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1816 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str);
1818 cmdarg_err("%s", err_str);
1822 if (caps->data_link_types == NULL) {
1823 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
1826 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
1827 free_if_capabilities(caps);
1832 if (print_packet_info) {
1833 if (!write_preamble(NULL)) {
1834 show_print_file_io_error(errno);
1837 } else if (!quiet) {
1839 * We're not printing information for each packet, and the user
1840 * didn't ask us not to print a count of packets as they arrive,
1841 * so print that count so the user knows that packets are arriving.
1843 * XXX - what if the user wants to do a live capture, doesn't want
1844 * to save it to a file, doesn't want information printed for each
1845 * packet, does want some "-z" statistic, and wants packet counts
1846 * so they know whether they're seeing any packets?
1848 print_packet_counts = TRUE;
1851 /* For now, assume libpcap gives microsecond precision. */
1852 timestamp_set_precision(TS_PREC_AUTO_USEC);
1855 * XXX - this returns FALSE if an error occurred, but it also
1856 * returns FALSE if the capture stops because a time limit
1857 * was reached (and possibly other limits), so we can't assume
1858 * it means an error.
1860 * The capture code is a bit twisty, so it doesn't appear to
1861 * be an easy fix. We just ignore the return value for now.
1862 * Instead, pass on the exit status from the capture child.
1865 exit_status = global_capture_opts.fork_child_status;
1867 if (print_packet_info) {
1868 if (!write_finale()) {
1870 show_print_file_io_error(err);
1874 /* No - complain. */
1875 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1882 if (cfile.frames != NULL) {
1883 free_frame_data_sequence(cfile.frames);
1884 cfile.frames = NULL;
1887 draw_tap_listeners(TRUE);
1888 funnel_dump_all_text_windows();
1891 output_fields_free(output_fields);
1892 output_fields = NULL;
1897 /*#define USE_BROKEN_G_MAIN_LOOP*/
1899 #ifdef USE_BROKEN_G_MAIN_LOOP
1902 gboolean loop_running = FALSE;
1904 guint32 packet_count = 0;
1907 /* XXX - move to the right position / file */
1908 /* read from a pipe (callback) */
1909 typedef gboolean (*pipe_input_cb_t) (gint source, gpointer user_data);
1911 typedef struct pipe_input_tag {
1915 pipe_input_cb_t input_cb;
1916 guint pipe_input_id;
1918 GMutex *callback_running;
1922 static pipe_input_t pipe_input;
1925 /* The timer has expired, see if there's stuff to read from the pipe,
1926 if so, do the callback */
1928 pipe_timer_cb(gpointer data)
1932 gboolean result, result1;
1934 pipe_input_t *pipe_input_p = data;
1935 gint iterations = 0;
1937 g_mutex_lock (pipe_input_p->callback_running);
1939 /* try to read data from the pipe only 5 times, to avoid blocking */
1940 while(iterations < 5) {
1941 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
1943 /* Oddly enough although Named pipes don't work on win9x,
1944 PeekNamedPipe does !!! */
1945 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
1946 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
1948 /* Get the child process exit status */
1949 result1 = GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
1952 /* If the Peek returned an error, or there are bytes to be read
1953 or the childwatcher thread has terminated then call the normal
1955 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
1957 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
1959 /* And call the real handler */
1960 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
1961 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
1962 /* pipe closed, return false so that the timer is stopped */
1963 g_mutex_unlock (pipe_input_p->callback_running);
1968 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
1969 /* No data, stop now */
1976 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
1978 g_mutex_unlock (pipe_input_p->callback_running);
1980 /* we didn't stopped the timer, so let it run */
1987 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
1990 pipe_input.source = source;
1991 pipe_input.child_process = child_process;
1992 pipe_input.user_data = user_data;
1993 pipe_input.input_cb = input_cb;
1996 #if GLIB_CHECK_VERSION(2,31,0)
1997 pipe_input.callback_running = g_malloc(sizeof(GMutex));
1998 g_mutex_init(pipe_input.callback_running);
2000 pipe_input.callback_running = g_mutex_new();
2002 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2003 do this but that doesn't cover all win32 platforms. GTK can do
2004 this but doesn't seem to work over processes. Attempt to do
2005 something similar here, start a timer and check for data on every
2007 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2008 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2019 GString *str = g_string_new("");
2020 #ifdef USE_TSHARK_SELECT
2024 struct sigaction action, oldaction;
2028 * XXX - dropping privileges is still required, until code cleanup is done
2030 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2031 * when it's done, we don't need special privileges to run tshark at all,
2032 * therefore we don't need to drop these privileges
2033 * The only thing we might want to keep is a warning if tshark is run as root,
2034 * as it's no longer necessary and potentially dangerous.
2036 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2037 * We've opened the capture device, so we shouldn't need any special
2038 * privileges any more; relinquish those privileges.
2040 * XXX - if we have saved set-user-ID support, we should give up those
2041 * privileges immediately, and then reclaim them long enough to get
2042 * a list of network interfaces and to open one, and then give them
2043 * up again, so that stuff we do while processing the argument list,
2044 * reading the user's preferences, loading and starting plugins
2045 * (especially *user* plugins), etc. is done with the user's privileges,
2046 * not special privileges.
2048 relinquish_special_privs_perm();
2049 print_current_user();
2051 /* Cleanup all data structures used for dissection. */
2052 cleanup_dissection();
2053 /* Initialize all data structures used for dissection. */
2057 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2058 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2060 /* Catch SIGINT and SIGTERM and, if we get either of them,
2061 clean up and exit. If SIGHUP isn't being ignored, catch
2062 it too and, if we get it, clean up and exit.
2064 We restart any read that was in progress, so that it doesn't
2065 disrupt reading from the sync pipe. The signal handler tells
2066 the capture child to finish; it will report that it finished,
2067 or will exit abnormally, so we'll stop reading from the sync
2068 pipe, pick up the exit status, and quit. */
2069 action.sa_handler = capture_cleanup;
2070 action.sa_flags = SA_RESTART;
2071 sigemptyset(&action.sa_mask);
2072 sigaction(SIGTERM, &action, NULL);
2073 sigaction(SIGINT, &action, NULL);
2074 sigaction(SIGHUP, NULL, &oldaction);
2075 if (oldaction.sa_handler == SIG_DFL)
2076 sigaction(SIGHUP, &action, NULL);
2079 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2080 quiet mode, report the number of packets we've captured.
2082 Again, restart any read that was in progress, so that it doesn't
2083 disrupt reading from the sync pipe. */
2084 action.sa_handler = report_counts_siginfo;
2085 action.sa_flags = SA_RESTART;
2086 sigemptyset(&action.sa_mask);
2087 sigaction(SIGINFO, &action, NULL);
2088 #endif /* SIGINFO */
2091 global_capture_opts.state = CAPTURE_PREPARING;
2093 /* Let the user know which interfaces were chosen. */
2094 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2095 interface_options interface_opts;
2097 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2098 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2099 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2100 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2103 if (global_capture_opts.ifaces->len < 2) {
2105 if (global_capture_opts.ifaces->len < 4) {
2107 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2108 interface_options interface_opts;
2110 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2112 if (global_capture_opts.ifaces->len > 2) {
2113 g_string_append_printf(str, ",");
2115 g_string_append_printf(str, " ");
2116 if (i == global_capture_opts.ifaces->len - 1) {
2117 g_string_append_printf(str, "and ");
2120 g_string_append_printf(str, "%s", interface_opts.descr);
2123 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2125 fprintf(stderr, "Capturing on %s\n", str->str);
2126 g_string_free(str, TRUE);
2128 ret = sync_pipe_start(&global_capture_opts);
2133 /* the actual capture loop
2135 * XXX - glib doesn't seem to provide any event based loop handling.
2137 * XXX - for whatever reason,
2138 * calling g_main_loop_new() ends up in 100% cpu load.
2140 * But that doesn't matter: in UNIX we can use select() to find an input
2141 * source with something to do.
2143 * But that doesn't matter because we're in a CLI (that doesn't need to
2144 * update a GUI or something at the same time) so it's OK if we block
2145 * trying to read from the pipe.
2147 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2148 * wrong (but I leave it there in case I am...).
2151 #ifdef USE_TSHARK_SELECT
2153 FD_SET(pipe_input.source, &readfds);
2156 loop_running = TRUE;
2160 while (loop_running)
2162 #ifdef USE_TSHARK_SELECT
2163 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2169 } else if (ret == 1) {
2171 /* Call the real handler */
2172 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2173 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2176 #ifdef USE_TSHARK_SELECT
2181 CATCH(OutOfMemoryError) {
2185 "Sorry, but TShark has to terminate now!\n"
2187 "Some infos / workarounds can be found at:\n"
2188 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2196 /* XXX - move the call to main_window_update() out of capture_sync.c */
2197 /* dummy for capture_sync.c to make linker happy */
2198 void main_window_update(void)
2202 /* capture child detected an error */
2204 capture_input_error_message(capture_options *capture_opts _U_, char *error_msg, char *secondary_error_msg)
2206 cmdarg_err("%s", error_msg);
2207 cmdarg_err_cont("%s", secondary_error_msg);
2211 /* capture child detected an capture filter related error */
2213 capture_input_cfilter_error_message(capture_options *capture_opts, guint i, char *error_message)
2215 dfilter_t *rfcode = NULL;
2216 interface_options interface_opts;
2218 g_assert(i < capture_opts->ifaces->len);
2219 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2221 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2223 "Invalid capture filter \"%s\" for interface %s!\n"
2225 "That string looks like a valid display filter; however, it isn't a valid\n"
2226 "capture filter (%s).\n"
2228 "Note that display filters and capture filters don't have the same syntax,\n"
2229 "so you can't use most display filter expressions as capture filters.\n"
2231 "See the User's Guide for a description of the capture filter syntax.",
2232 interface_opts.cfilter, interface_opts.descr, error_message);
2233 dfilter_free(rfcode);
2236 "Invalid capture filter \"%s\" for interface %s!\n"
2238 "That string isn't a valid capture filter (%s).\n"
2239 "See the User's Guide for a description of the capture filter syntax.",
2240 interface_opts.cfilter, interface_opts.descr, error_message);
2245 /* capture child tells us we have a new (or the first) capture file */
2247 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
2249 gboolean is_tempfile;
2252 if(capture_opts->state == CAPTURE_PREPARING) {
2253 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2255 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2257 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
2259 /* free the old filename */
2260 if (capture_opts->save_file != NULL) {
2262 /* we start a new capture file, close the old one (if we had one before) */
2263 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
2264 if ( ((capture_file *) capture_opts->cf)->wth != NULL) {
2265 wtap_close(((capture_file *) capture_opts->cf)->wth);
2267 ((capture_file *) capture_opts->cf)->state = FILE_CLOSED;
2270 g_free(capture_opts->save_file);
2271 is_tempfile = FALSE;
2273 /* we didn't had a save_file before, must be a tempfile */
2277 /* save the new filename */
2278 capture_opts->save_file = g_strdup(new_file);
2280 /* if we are in real-time mode, open the new file now */
2282 /* Attempt to open the capture file and set up to read from it. */
2283 switch(cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
2287 /* Don't unlink (delete) the save file - leave it around,
2288 for debugging purposes. */
2289 g_free(capture_opts->save_file);
2290 capture_opts->save_file = NULL;
2295 capture_opts->state = CAPTURE_RUNNING;
2301 /* capture child tells us we have new packets to read */
2303 capture_input_new_packets(capture_options *capture_opts, int to_read)
2309 capture_file *cf = capture_opts->cf;
2310 gboolean filtering_tap_listeners;
2315 * Prevent a SIGINFO handler from writing to the standard error while
2316 * we're doing so or writing to the standard output; instead, have it
2317 * just set a flag telling us to print that information when we're done.
2320 #endif /* SIGINFO */
2322 /* Do we have any tap listeners with filters? */
2323 filtering_tap_listeners = have_filtering_tap_listeners();
2325 /* Get the union of the flags for all tap listeners. */
2326 tap_flags = union_of_tap_listener_flags();
2329 while (to_read-- && cf->wth) {
2330 wtap_cleareof(cf->wth);
2331 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2333 /* read from file failed, tell the capture child to stop */
2334 sync_pipe_stop(capture_opts);
2335 wtap_close(cf->wth);
2338 ret = process_packet(cf, data_offset, wtap_phdr(cf->wth),
2339 wtap_pseudoheader(cf->wth), wtap_buf_ptr(cf->wth),
2340 filtering_tap_listeners, tap_flags);
2343 /* packet successfully read and gone through the "Read Filter" */
2349 * Dumpcap's doing all the work; we're not doing any dissection.
2350 * Count all the packets it wrote.
2352 packet_count += to_read;
2355 if (print_packet_counts) {
2356 /* We're printing packet counts. */
2357 if (packet_count != 0) {
2358 fprintf(stderr, "\r%u ", packet_count);
2359 /* stderr could be line buffered */
2366 * Allow SIGINFO handlers to write.
2371 * If a SIGINFO handler asked us to write out capture counts, do so.
2375 #endif /* SIGINFO */
2381 if (!print_packet_counts) {
2382 /* Report the count only if we aren't printing a packet count
2383 as packets arrive. */
2384 fprintf(stderr, "%u packet%s captured\n", packet_count,
2385 plurality(packet_count, "", "s"));
2388 infoprint = FALSE; /* we just reported it */
2389 #endif /* SIGINFO */
2394 report_counts_siginfo(int signum _U_)
2396 int sav_errno = errno;
2397 /* If we've been told to delay printing, just set a flag asking
2398 that we print counts (if we're supposed to), otherwise print
2399 the count of packets captured (if we're supposed to). */
2406 #endif /* SIGINFO */
2409 /* capture child detected any packet drops? */
2411 capture_input_drops(capture_options *capture_opts _U_, guint32 dropped)
2413 if (print_packet_counts) {
2414 /* We're printing packet counts to stderr.
2415 Send a newline so that we move to the line after the packet count. */
2416 fprintf(stderr, "\n");
2420 /* We're printing packet counts to stderr.
2421 Send a newline so that we move to the line after the packet count. */
2422 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2428 * Capture child closed its side of the pipe, report any error and
2429 * do the required cleanup.
2432 capture_input_closed(capture_options *capture_opts, gchar *msg)
2435 fprintf(stderr, "tshark: %s\n", msg);
2439 if(capture_opts->cf != NULL && ((capture_file *) capture_opts->cf)->wth != NULL) {
2440 wtap_close(((capture_file *) capture_opts->cf)->wth);
2441 if(((capture_file *) capture_opts->cf)->user_saved == FALSE) {
2442 ws_unlink(((capture_file *) capture_opts->cf)->filename);
2445 #ifdef USE_BROKEN_G_MAIN_LOOP
2446 /*g_main_loop_quit(loop);*/
2449 loop_running = FALSE;
2458 capture_cleanup(DWORD ctrltype _U_)
2460 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2461 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2462 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2463 like SIGTERM at least when the machine's shutting down.
2465 For now, we handle them all as indications that we should clean up
2466 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2469 We must return TRUE so that no other handler - such as one that would
2470 terminate the process - gets called.
2472 XXX - for some reason, typing ^C to TShark, if you run this in
2473 a Cygwin console window in at least some versions of Cygwin,
2474 causes TShark to terminate immediately; this routine gets
2475 called, but the main loop doesn't get a chance to run and
2476 exit cleanly, at least if this is compiled with Microsoft Visual
2477 C++ (i.e., it's a property of the Cygwin console window or Bash;
2478 it happens if TShark is not built with Cygwin - for all I know,
2479 building it with Cygwin may make the problem go away). */
2481 /* tell the capture child to stop */
2482 sync_pipe_stop(&global_capture_opts);
2484 /* don't stop our own loop already here, otherwise status messages and
2485 * cleanup wouldn't be done properly. The child will indicate the stop of
2486 * everything by calling capture_input_closed() later */
2492 capture_cleanup(int signum _U_)
2494 /* tell the capture child to stop */
2495 sync_pipe_stop(&global_capture_opts);
2497 /* don't stop our own loop already here, otherwise status messages and
2498 * cleanup wouldn't be done properly. The child will indicate the stop of
2499 * everything by calling capture_input_closed() later */
2502 #endif /* HAVE_LIBPCAP */
2505 process_packet_first_pass(capture_file *cf,
2506 gint64 offset, const struct wtap_pkthdr *whdr,
2507 union wtap_pseudo_header *pseudo_header, const guchar *pd)
2514 /* The frame number of this packet is one more than the count of
2515 frames in this packet. */
2516 framenum = cf->count + 1;
2518 /* If we're not running a display filter and we're not printing any
2519 packet information, we don't need to do a dissection. This means
2520 that all packets can be marked as 'passed'. */
2523 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2525 /* If we're going to print packet information, or we're going to
2526 run a read filter, or we're going to process taps, set up to
2527 do a dissection and do so. */
2528 if (do_dissection) {
2529 if (gbl_resolv_flags)
2530 /* Grab any resolved addresses */
2531 host_name_lookup_process(NULL);
2533 /* The protocol tree will be "visible", i.e., printed, only if we're
2534 printing packet details, which is true if we're printing stuff
2535 ("print_packet_info" is true) and we're in verbose mode ("verbose"
2537 epan_dissect_init(&edt, FALSE, FALSE);
2539 /* If we're running a read filter, prime the epan_dissect_t with that
2542 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2544 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2545 &first_ts, &prev_dis_ts, &prev_cap_ts);
2547 epan_dissect_run(&edt, pseudo_header, pd, &fdlocal, NULL);
2549 /* Run the read filter if we have one. */
2551 passed = dfilter_apply_edt(cf->rfcode, &edt);
2555 frame_data_set_after_dissect(&fdlocal, &cum_bytes, &prev_dis_ts);
2556 frame_data_sequence_add(cf->frames, &fdlocal);
2561 epan_dissect_cleanup(&edt);
2567 process_packet_second_pass(capture_file *cf, frame_data *fdata,
2568 union wtap_pseudo_header *pseudo_header, const guchar *pd,
2569 gboolean filtering_tap_listeners, guint tap_flags)
2571 gboolean create_proto_tree;
2576 /* If we're not running a display filter and we're not printing any
2577 packet information, we don't need to do a dissection. This means
2578 that all packets can be marked as 'passed'. */
2581 /* If we're going to print packet information, or we're going to
2582 run a read filter, or we're going to process taps, set up to
2583 do a dissection and do so. */
2584 if (do_dissection) {
2585 if (gbl_resolv_flags)
2586 /* Grab any resolved addresses */
2587 host_name_lookup_process(NULL);
2589 if (cf->rfcode || verbose || filtering_tap_listeners ||
2590 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2591 create_proto_tree = TRUE;
2593 create_proto_tree = FALSE;
2595 /* The protocol tree will be "visible", i.e., printed, only if we're
2596 printing packet details, which is true if we're printing stuff
2597 ("print_packet_info" is true) and we're in verbose mode ("verbose"
2599 epan_dissect_init(&edt, create_proto_tree, print_packet_info && verbose);
2601 /* If we're running a read filter, prime the epan_dissect_t with that
2604 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2606 col_custom_prime_edt(&edt, &cf->cinfo);
2608 tap_queue_init(&edt);
2610 /* We only need the columns if either
2612 1) some tap needs the columns
2616 2) we're printing packet info but we're *not* verbose; in verbose
2617 mode, we print the protocol tree, not the protocol summary. */
2618 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && !verbose))
2623 epan_dissect_run(&edt, pseudo_header, pd, fdata, cinfo);
2625 tap_push_tapped_queue(&edt);
2627 /* Run the read filter if we have one. */
2629 passed = dfilter_apply_edt(cf->rfcode, &edt);
2633 /* Process this packet. */
2634 if (print_packet_info) {
2635 /* We're printing packet information; print the information for
2638 print_packet(cf, &edt);
2640 print_packet(cf, NULL);
2642 /* The ANSI C standard does not appear to *require* that a line-buffered
2643 stream be flushed to the host environment whenever a newline is
2644 written, it just says that, on such a stream, characters "are
2645 intended to be transmitted to or from the host environment as a
2646 block when a new-line character is encountered".
2648 The Visual C++ 6.0 C implementation doesn't do what is intended;
2649 even if you set a stream to be line-buffered, it still doesn't
2650 flush the buffer at the end of every line.
2652 So, if the "-l" flag was specified, we flush the standard output
2653 at the end of a packet. This will do the right thing if we're
2654 printing packet summary lines, and, as we print the entire protocol
2655 tree for a single packet without waiting for anything to happen,
2656 it should be as good as line-buffered mode if we're printing
2657 protocol trees. (The whole reason for the "-l" flag in either
2658 tcpdump or TShark is to allow the output of a live capture to
2659 be piped to a program or script and to have that script see the
2660 information for the packet as soon as it's printed, rather than
2661 having to wait until a standard I/O buffer fills up. */
2665 if (ferror(stdout)) {
2666 show_print_file_io_error(errno);
2672 if (do_dissection) {
2673 epan_dissect_cleanup(&edt);
2679 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
2680 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2683 int snapshot_length;
2687 gchar *err_info = NULL;
2689 char *save_file_string = NULL;
2690 gboolean filtering_tap_listeners;
2693 #ifdef PCAP_NG_DEFAULT
2694 linktype = WTAP_ENCAP_PER_PACKET;
2696 linktype = wtap_file_encap(cf->wth);
2698 if (save_file != NULL) {
2699 /* Get a string that describes what we're writing to */
2700 save_file_string = output_file_description(save_file);
2702 /* Set up to write to the capture file. */
2703 snapshot_length = wtap_snapshot_length(cf->wth);
2704 if (snapshot_length == 0) {
2705 /* Snapshot length of input file not known. */
2706 snapshot_length = WTAP_MAX_PACKET_SIZE;
2708 pdh = wtap_dump_open(save_file, out_file_type, linktype, snapshot_length,
2709 FALSE /* compressed */, &err);
2712 /* We couldn't set up to write to the capture file. */
2715 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
2716 cmdarg_err("Capture files can't be written in that format.");
2719 case WTAP_ERR_UNSUPPORTED_ENCAP:
2720 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
2721 cmdarg_err("The capture file being read can't be written as a "
2722 "\"%s\" file.", wtap_file_type_short_string(out_file_type));
2725 case WTAP_ERR_CANT_OPEN:
2726 cmdarg_err("The %s couldn't be created for some "
2727 "unknown reason.", save_file_string);
2730 case WTAP_ERR_SHORT_WRITE:
2731 cmdarg_err("A full header couldn't be written to the %s.",
2736 cmdarg_err("The %s could not be created: %s.", save_file_string,
2737 wtap_strerror(err));
2743 if (print_packet_info) {
2744 if (!write_preamble(cf)) {
2746 show_print_file_io_error(err);
2753 if (pdh && out_file_name_res) {
2754 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
2755 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
2756 wtap_file_type_short_string(out_file_type));
2760 /* Do we have any tap listeners with filters? */
2761 filtering_tap_listeners = have_filtering_tap_listeners();
2763 /* Get the union of the flags for all tap listeners. */
2764 tap_flags = union_of_tap_listener_flags();
2766 if (perform_two_pass_analysis) {
2768 int old_max_packet_count = max_packet_count;
2770 /* Allocate a frame_data_sequence for all the frames. */
2771 cf->frames = new_frame_data_sequence();
2773 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2774 if (process_packet_first_pass(cf, data_offset, wtap_phdr(cf->wth),
2775 wtap_pseudoheader(cf->wth), wtap_buf_ptr(cf->wth))) {
2776 /* Stop reading if we have the maximum number of packets;
2777 * When the -c option has not been used, max_packet_count
2778 * starts at 0, which practically means, never stop reading.
2779 * (unless we roll over max_packet_count ?)
2781 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2782 err = 0; /* This is not an error */
2788 /* Close the sequential I/O side, to free up memory it requires. */
2789 wtap_sequential_close(cf->wth);
2791 /* Allow the protocol dissectors to free up memory that they
2792 * don't need after the sequential run-through of the packets. */
2793 postseq_cleanup_all_protocols();
2795 max_packet_count = old_max_packet_count;
2797 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
2798 fdata = frame_data_sequence_find(cf->frames, framenum);
2799 if (wtap_seek_read(cf->wth, fdata->file_off, &cf->pseudo_header,
2800 cf->pd, fdata->cap_len, &err, &err_info)) {
2801 if (process_packet_second_pass(cf, fdata,
2802 &cf->pseudo_header, cf->pd,
2803 filtering_tap_listeners, tap_flags)) {
2804 /* Either there's no read filtering or this packet passed the
2805 filter, so, if we're writing to a capture file, write
2808 if (!wtap_dump(pdh, wtap_phdr(cf->wth),
2809 wtap_pseudoheader(cf->wth), wtap_buf_ptr(cf->wth),
2811 /* Error writing to a capture file */
2814 case WTAP_ERR_UNSUPPORTED_ENCAP:
2816 * This is a problem with the particular frame we're writing;
2817 * note that, and give the frame number.
2819 * XXX - framenum is not necessarily the frame number in
2820 * the input file if there was a read filter.
2823 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2824 framenum, cf->filename,
2825 wtap_file_type_short_string(out_file_type));
2829 show_capture_file_io_error(save_file, err, FALSE);
2832 wtap_dump_close(pdh, &err);
2836 /* Stop reading if we have the maximum number of packets;
2837 * When the -c option has not been used, max_packet_count
2838 * starts at 0, which practically means, never stop reading.
2839 * (unless we roll over max_packet_count ?)
2841 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2842 err = 0; /* This is not an error */
2851 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2854 if (process_packet(cf, data_offset, wtap_phdr(cf->wth),
2855 wtap_pseudoheader(cf->wth), wtap_buf_ptr(cf->wth),
2856 filtering_tap_listeners, tap_flags)) {
2857 /* Either there's no read filtering or this packet passed the
2858 filter, so, if we're writing to a capture file, write
2861 if (!wtap_dump(pdh, wtap_phdr(cf->wth),
2862 wtap_pseudoheader(cf->wth), wtap_buf_ptr(cf->wth),
2864 /* Error writing to a capture file */
2867 case WTAP_ERR_UNSUPPORTED_ENCAP:
2869 * This is a problem with the particular frame we're writing;
2870 * note that, and give the frame number.
2873 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2874 framenum, cf->filename,
2875 wtap_file_type_short_string(out_file_type));
2879 show_capture_file_io_error(save_file, err, FALSE);
2882 wtap_dump_close(pdh, &err);
2886 /* Stop reading if we have the maximum number of packets;
2887 * When the -c option has not been used, max_packet_count
2888 * starts at 0, which practically means, never stop reading.
2889 * (unless we roll over max_packet_count ?)
2891 if( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2892 err = 0; /* This is not an error */
2901 * Print a message noting that the read failed somewhere along the line.
2903 * If we're printing packet data, and the standard output and error are
2904 * going to the same place, flush the standard output, so everything
2905 * buffered up is written, and then print a newline to the standard error
2906 * before printing the error message, to separate it from the packet
2907 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
2908 * the _fstat() documentation at Microsoft doesn't indicate whether
2909 * st_ino is even supported.)
2912 if (print_packet_info) {
2913 struct stat stat_stdout, stat_stderr;
2915 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
2916 if (stat_stdout.st_dev == stat_stderr.st_dev &&
2917 stat_stdout.st_ino == stat_stderr.st_ino) {
2919 fprintf(stderr, "\n");
2926 case WTAP_ERR_UNSUPPORTED_ENCAP:
2927 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
2928 cf->filename, err_info);
2932 case WTAP_ERR_CANT_READ:
2933 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
2937 case WTAP_ERR_SHORT_READ:
2938 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
2942 case WTAP_ERR_BAD_FILE:
2943 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
2944 cf->filename, err_info);
2948 case WTAP_ERR_DECOMPRESS:
2949 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
2950 "(%s)", cf->filename, err_info);
2954 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
2955 cf->filename, wtap_strerror(err));
2958 if (save_file != NULL) {
2959 /* Now close the capture file. */
2960 if (!wtap_dump_close(pdh, &err))
2961 show_capture_file_io_error(save_file, err, TRUE);
2964 if (save_file != NULL) {
2965 /* Now close the capture file. */
2966 if (!wtap_dump_close(pdh, &err))
2967 show_capture_file_io_error(save_file, err, TRUE);
2969 if (print_packet_info) {
2970 if (!write_finale()) {
2972 show_print_file_io_error(err);
2979 wtap_close(cf->wth);
2982 g_free(save_file_string);
2988 process_packet(capture_file *cf, gint64 offset, const struct wtap_pkthdr *whdr,
2989 union wtap_pseudo_header *pseudo_header, const guchar *pd,
2990 gboolean filtering_tap_listeners, guint tap_flags)
2993 gboolean create_proto_tree;
2998 /* Count this packet. */
3001 /* If we're not running a display filter and we're not printing any
3002 packet information, we don't need to do a dissection. This means
3003 that all packets can be marked as 'passed'. */
3006 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3008 /* If we're going to print packet information, or we're going to
3009 run a read filter, or we're going to process taps, set up to
3010 do a dissection and do so. */
3011 if (do_dissection) {
3012 if (print_packet_info && gbl_resolv_flags)
3013 /* Grab any resolved addresses */
3014 host_name_lookup_process(NULL);
3016 if (cf->rfcode || verbose || filtering_tap_listeners ||
3017 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3018 create_proto_tree = TRUE;
3020 create_proto_tree = FALSE;
3022 /* The protocol tree will be "visible", i.e., printed, only if we're
3023 printing packet details, which is true if we're printing stuff
3024 ("print_packet_info" is true) and we're in verbose mode ("verbose"
3026 epan_dissect_init(&edt, create_proto_tree, print_packet_info && verbose);
3028 /* If we're running a read filter, prime the epan_dissect_t with that
3031 epan_dissect_prime_dfilter(&edt, cf->rfcode);
3033 col_custom_prime_edt(&edt, &cf->cinfo);
3035 tap_queue_init(&edt);
3037 /* We only need the columns if either
3039 1) some tap needs the columns
3043 2) we're printing packet info but we're *not* verbose; in verbose
3044 mode, we print the protocol tree, not the protocol summary. */
3045 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && !verbose))
3050 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3051 &first_ts, &prev_dis_ts, &prev_cap_ts);
3053 epan_dissect_run(&edt, pseudo_header, pd, &fdata, cinfo);
3055 tap_push_tapped_queue(&edt);
3057 /* Run the read filter if we have one. */
3059 passed = dfilter_apply_edt(cf->rfcode, &edt);
3063 frame_data_set_after_dissect(&fdata, &cum_bytes, &prev_dis_ts);
3065 /* Process this packet. */
3066 if (print_packet_info) {
3067 /* We're printing packet information; print the information for
3070 print_packet(cf, &edt);
3072 print_packet(cf, NULL);
3074 /* The ANSI C standard does not appear to *require* that a line-buffered
3075 stream be flushed to the host environment whenever a newline is
3076 written, it just says that, on such a stream, characters "are
3077 intended to be transmitted to or from the host environment as a
3078 block when a new-line character is encountered".
3080 The Visual C++ 6.0 C implementation doesn't do what is intended;
3081 even if you set a stream to be line-buffered, it still doesn't
3082 flush the buffer at the end of every line.
3084 So, if the "-l" flag was specified, we flush the standard output
3085 at the end of a packet. This will do the right thing if we're
3086 printing packet summary lines, and, as we print the entire protocol
3087 tree for a single packet without waiting for anything to happen,
3088 it should be as good as line-buffered mode if we're printing
3089 protocol trees. (The whole reason for the "-l" flag in either
3090 tcpdump or TShark is to allow the output of a live capture to
3091 be piped to a program or script and to have that script see the
3092 information for the packet as soon as it's printed, rather than
3093 having to wait until a standard I/O buffer fills up. */
3097 if (ferror(stdout)) {
3098 show_print_file_io_error(errno);
3104 if (do_dissection) {
3105 epan_dissect_cleanup(&edt);
3106 frame_data_cleanup(&fdata);
3112 write_preamble(capture_file *cf)
3114 switch (output_action) {
3117 return print_preamble(print_stream, cf ? cf->filename : NULL);
3121 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3123 write_psml_preamble(stdout);
3124 return !ferror(stdout);
3127 write_fields_preamble(output_fields, stdout);
3128 return !ferror(stdout);
3131 g_assert_not_reached();
3137 get_line_buf(size_t len)
3139 static char *line_bufp = NULL;
3140 static size_t line_buf_len = 256;
3141 size_t new_line_buf_len;
3143 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3144 new_line_buf_len *= 2)
3146 if (line_bufp == NULL) {
3147 line_buf_len = new_line_buf_len;
3148 line_bufp = g_malloc(line_buf_len + 1);
3150 if (new_line_buf_len > line_buf_len) {
3151 line_buf_len = new_line_buf_len;
3152 line_bufp = g_realloc(line_bufp, line_buf_len + 1);
3159 print_columns(capture_file *cf)
3166 line_bufp = get_line_buf(256);
3169 for (i = 0; i < cf->cinfo.num_cols; i++) {
3170 /* Skip columns not marked as visible. */
3171 if (!get_column_visible(i))
3173 switch (cf->cinfo.col_fmt[i]) {
3177 * Don't print this if we're doing a live capture from a network
3178 * interface - if we're doing a live capture, you won't be
3179 * able to look at the capture in the future (it's not being
3180 * saved anywhere), so the frame numbers are unlikely to be
3183 * (XXX - it might be nice to be able to save and print at
3184 * the same time, sort of like an "Update list of packets
3185 * in real time" capture in Wireshark.)
3187 if (global_capture_opts.ifaces->len > 0)
3190 column_len = strlen(cf->cinfo.col_data[i]);
3193 line_bufp = get_line_buf(buf_offset + column_len);
3194 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%3s", cf->cinfo.col_data[i]);
3200 case COL_ABS_DATE_TIME:
3202 case COL_UTC_DATE_TIME: /* XXX - wider */
3203 column_len = strlen(cf->cinfo.col_data[i]);
3204 if (column_len < 10)
3206 line_bufp = get_line_buf(buf_offset + column_len);
3207 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%10s", cf->cinfo.col_data[i]);
3213 case COL_DEF_DL_SRC:
3214 case COL_RES_DL_SRC:
3215 case COL_UNRES_DL_SRC:
3216 case COL_DEF_NET_SRC:
3217 case COL_RES_NET_SRC:
3218 case COL_UNRES_NET_SRC:
3219 column_len = strlen(cf->cinfo.col_data[i]);
3220 if (column_len < 12)
3222 line_bufp = get_line_buf(buf_offset + column_len);
3223 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%12s", cf->cinfo.col_data[i]);
3229 case COL_DEF_DL_DST:
3230 case COL_RES_DL_DST:
3231 case COL_UNRES_DL_DST:
3232 case COL_DEF_NET_DST:
3233 case COL_RES_NET_DST:
3234 case COL_UNRES_NET_DST:
3235 column_len = strlen(cf->cinfo.col_data[i]);
3236 if (column_len < 12)
3238 line_bufp = get_line_buf(buf_offset + column_len);
3239 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%-12s", cf->cinfo.col_data[i]);
3243 column_len = strlen(cf->cinfo.col_data[i]);
3244 line_bufp = get_line_buf(buf_offset + column_len);
3245 g_strlcat(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len + 1);
3248 buf_offset += column_len;
3249 if (i != cf->cinfo.num_cols - 1) {
3251 * This isn't the last column, so we need to print a
3252 * separator between this column and the next.
3254 * If we printed a network source and are printing a
3255 * network destination of the same type next, separate
3256 * them with " -> "; if we printed a network destination
3257 * and are printing a network source of the same type
3258 * next, separate them with " <- "; otherwise separate them
3261 * We add enough space to the buffer for " <- " or " -> ",
3262 * even if we're only adding " ".
3264 line_bufp = get_line_buf(buf_offset + 4);
3265 switch (cf->cinfo.col_fmt[i]) {
3270 switch (cf->cinfo.col_fmt[i + 1]) {
3275 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3280 g_strlcat(line_bufp + buf_offset, " ", 5);
3286 case COL_DEF_DL_SRC:
3287 case COL_RES_DL_SRC:
3288 case COL_UNRES_DL_SRC:
3289 switch (cf->cinfo.col_fmt[i + 1]) {
3291 case COL_DEF_DL_DST:
3292 case COL_RES_DL_DST:
3293 case COL_UNRES_DL_DST:
3294 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3299 g_strlcat(line_bufp + buf_offset, " ", 5);
3305 case COL_DEF_NET_SRC:
3306 case COL_RES_NET_SRC:
3307 case COL_UNRES_NET_SRC:
3308 switch (cf->cinfo.col_fmt[i + 1]) {
3310 case COL_DEF_NET_DST:
3311 case COL_RES_NET_DST:
3312 case COL_UNRES_NET_DST:
3313 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3318 g_strlcat(line_bufp + buf_offset, " ", 5);
3327 switch (cf->cinfo.col_fmt[i + 1]) {
3332 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3337 g_strlcat(line_bufp + buf_offset, " ", 5);
3343 case COL_DEF_DL_DST:
3344 case COL_RES_DL_DST:
3345 case COL_UNRES_DL_DST:
3346 switch (cf->cinfo.col_fmt[i + 1]) {
3348 case COL_DEF_DL_SRC:
3349 case COL_RES_DL_SRC:
3350 case COL_UNRES_DL_SRC:
3351 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3356 g_strlcat(line_bufp + buf_offset, " ", 5);
3362 case COL_DEF_NET_DST:
3363 case COL_RES_NET_DST:
3364 case COL_UNRES_NET_DST:
3365 switch (cf->cinfo.col_fmt[i + 1]) {
3367 case COL_DEF_NET_SRC:
3368 case COL_RES_NET_SRC:
3369 case COL_UNRES_NET_SRC:
3370 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3375 g_strlcat(line_bufp + buf_offset, " ", 5);
3382 g_strlcat(line_bufp + buf_offset, " ", 5);
3388 return print_line(print_stream, 0, line_bufp);
3392 print_packet(capture_file *cf, epan_dissect_t *edt)
3394 print_args_t print_args;
3397 /* Print the information in the protocol tree. */
3398 switch (output_action) {
3401 print_args.to_file = TRUE;
3402 print_args.format = print_format;
3403 print_args.print_summary = !verbose;
3404 print_args.print_hex = verbose && print_hex;
3405 print_args.print_formfeed = FALSE;
3406 print_args.print_dissections = verbose ? print_dissections_expanded : print_dissections_none;
3408 /* init the packet range */
3409 packet_range_init(&print_args.range);
3411 if (!proto_tree_print(&print_args, edt, print_stream))
3414 /* "print_hex_data()" will put out a leading blank line, as well
3415 as a trailing one; print one here, to separate the packets,
3416 only if "print_hex_data()" won't be called. */
3417 if (!print_line(print_stream, 0, separator))
3423 proto_tree_write_pdml(edt, stdout);
3425 return !ferror(stdout);
3427 proto_tree_write_fields(output_fields, edt, stdout);
3429 return !ferror(stdout);
3432 /* Just fill in the columns. */
3433 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3435 /* Now print them. */
3436 switch (output_action) {
3439 if (!print_columns(cf))
3444 proto_tree_write_psml(edt, stdout);
3445 return !ferror(stdout);
3446 case WRITE_FIELDS: /*No non-verbose "fields" format */
3447 g_assert_not_reached();
3452 if (!print_hex_data(print_stream, edt))
3454 if (!print_line(print_stream, 0, ""))
3463 switch (output_action) {
3466 return print_finale(print_stream);
3470 write_pdml_finale(stdout);
3472 write_psml_finale(stdout);
3473 return !ferror(stdout);
3476 write_fields_finale(output_fields, stdout);
3477 return !ferror(stdout);
3480 g_assert_not_reached();
3486 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
3490 char err_msg[2048+1];
3492 wth = wtap_open_offline(fname, err, &err_info, perform_two_pass_analysis);
3496 /* The open succeeded. Fill in the information for this file. */
3498 /* Cleanup all data structures used for dissection. */
3499 cleanup_dissection();
3500 /* Initialize all data structures used for dissection. */
3504 cf->f_datalen = 0; /* not used, but set it anyway */
3506 /* Set the file name because we need it to set the follow stream filter.
3507 XXX - is that still true? We need it for other reasons, though,
3509 cf->filename = g_strdup(fname);
3511 /* Indicate whether it's a permanent or temporary file. */
3512 cf->is_tempfile = is_tempfile;
3514 /* If it's a temporary capture buffer file, mark it as not saved. */
3515 cf->user_saved = !is_tempfile;
3517 cf->cd_t = wtap_file_type(cf->wth);
3519 cf->drops_known = FALSE;
3521 cf->snap = wtap_snapshot_length(cf->wth);
3522 if (cf->snap == 0) {
3523 /* Snapshot length not known. */
3524 cf->has_snap = FALSE;
3525 cf->snap = WTAP_MAX_PACKET_SIZE;
3527 cf->has_snap = TRUE;
3528 nstime_set_zero(&cf->elapsed_time);
3529 nstime_set_unset(&first_ts);
3530 nstime_set_unset(&prev_dis_ts);
3531 nstime_set_unset(&prev_cap_ts);
3533 cf->state = FILE_READ_IN_PROGRESS;
3535 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3536 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3541 g_snprintf(err_msg, sizeof err_msg,
3542 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
3543 cmdarg_err("%s", err_msg);
3548 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
3550 char *save_file_string;
3552 save_file_string = output_file_description(fname);
3557 cmdarg_err("Not all the packets could be written to the %s because there is "
3558 "no space left on the file system.",
3564 cmdarg_err("Not all the packets could be written to the %s because you are "
3565 "too close to, or over your disk quota.",
3570 case WTAP_ERR_CANT_CLOSE:
3571 cmdarg_err("The %s couldn't be closed for some unknown reason.",
3575 case WTAP_ERR_SHORT_WRITE:
3576 cmdarg_err("Not all the packets could be written to the %s.",
3582 cmdarg_err("The %s could not be closed: %s.", save_file_string,
3583 wtap_strerror(err));
3585 cmdarg_err("An error occurred while writing to the %s: %s.",
3586 save_file_string, wtap_strerror(err));
3590 g_free(save_file_string);
3594 show_print_file_io_error(int err)
3599 cmdarg_err("Not all the packets could be printed because there is "
3600 "no space left on the file system.");
3605 cmdarg_err("Not all the packets could be printed because you are "
3606 "too close to, or over your disk quota.");
3611 cmdarg_err("An error occurred while printing packets: %s.",
3618 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
3622 static char errmsg_errno[1024+1];
3625 /* Wiretap error. */
3628 case WTAP_ERR_NOT_REGULAR_FILE:
3629 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
3632 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
3633 /* Seen only when opening a capture file for reading. */
3634 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
3637 case WTAP_ERR_UNSUPPORTED:
3638 /* Seen only when opening a capture file for reading. */
3639 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3640 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
3643 errmsg = errmsg_errno;
3646 case WTAP_ERR_CANT_WRITE_TO_PIPE:
3647 /* Seen only when opening a capture file for writing. */
3648 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3649 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
3650 "written to a pipe.", wtap_file_type_short_string(file_type));
3651 errmsg = errmsg_errno;
3654 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3655 /* Seen only when opening a capture file for writing. */
3656 errmsg = "TShark doesn't support writing capture files in that format.";
3659 case WTAP_ERR_UNSUPPORTED_ENCAP:
3661 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3662 "TShark can't save this capture as a \"%s\" file.",
3663 wtap_file_type_short_string(file_type));
3665 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3666 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
3670 errmsg = errmsg_errno;
3673 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3675 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3676 "TShark can't save this capture as a \"%s\" file.",
3677 wtap_file_type_short_string(file_type));
3678 errmsg = errmsg_errno;
3680 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
3683 case WTAP_ERR_BAD_FILE:
3684 /* Seen only when opening a capture file for reading. */
3685 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3686 "The file \"%%s\" appears to be damaged or corrupt.\n"
3689 errmsg = errmsg_errno;
3692 case WTAP_ERR_CANT_OPEN:
3694 errmsg = "The file \"%s\" could not be created for some unknown reason.";
3696 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
3699 case WTAP_ERR_SHORT_READ:
3700 errmsg = "The file \"%s\" appears to have been cut short"
3701 " in the middle of a packet or other data.";
3704 case WTAP_ERR_SHORT_WRITE:
3705 errmsg = "A full header couldn't be written to the file \"%s\".";
3708 case WTAP_ERR_DECOMPRESS:
3709 /* Seen only when opening a capture file for reading. */
3710 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3711 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
3714 errmsg = errmsg_errno;
3718 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3719 "The file \"%%s\" could not be %s: %s.",
3720 for_writing ? "created" : "opened",
3721 wtap_strerror(err));
3722 errmsg = errmsg_errno;
3726 errmsg = file_open_error_message(err, for_writing);
3731 * Open/create errors are reported with an console message in TShark.
3734 open_failure_message(const char *filename, int err, gboolean for_writing)
3736 fprintf(stderr, "tshark: ");
3737 fprintf(stderr, file_open_error_message(err, for_writing), filename);
3738 fprintf(stderr, "\n");
3743 * General errors are reported with an console message in TShark.
3746 failure_message(const char *msg_format, va_list ap)
3748 fprintf(stderr, "tshark: ");
3749 vfprintf(stderr, msg_format, ap);
3750 fprintf(stderr, "\n");
3754 * Read errors are reported with an console message in TShark.
3757 read_failure_message(const char *filename, int err)
3759 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
3760 filename, g_strerror(err));
3764 * Write errors are reported with an console message in TShark.
3767 write_failure_message(const char *filename, int err)
3769 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
3770 filename, g_strerror(err));
3774 * Print to the standard error. This is a command-line tool, so there's
3775 * no need to pop up a console.
3778 vfprintf_stderr(const char *fmt, va_list ap)
3780 vfprintf(stderr, fmt, ap);
3784 fprintf_stderr(const char *fmt, ...)
3789 vfprintf_stderr(fmt, ap);
3794 * Report an error in command-line arguments.
3797 cmdarg_err(const char *fmt, ...)
3802 failure_message(fmt, ap);
3807 * Report additional information for an error in command-line arguments.
3810 cmdarg_err_cont(const char *fmt, ...)
3815 vfprintf(stderr, fmt, ap);
3816 fprintf(stderr, "\n");