3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
15 #define WS_LOG_DOMAIN LOG_DOMAIN_MAIN
23 #include <wsutil/ws_getopt.h>
28 # include <winsock2.h>
37 #include <epan/exceptions.h>
38 #include <epan/epan.h>
40 #include <ws_exit_codes.h>
41 #include <wsutil/clopts_common.h>
42 #include <wsutil/cmdarg_err.h>
44 #include <wsutil/filesystem.h>
45 #include <wsutil/file_util.h>
46 #include <wsutil/time_util.h>
47 #include <wsutil/socket.h>
48 #include <wsutil/privileges.h>
49 #include <wsutil/report_message.h>
50 #include <wsutil/please_report_bug.h>
51 #include <wsutil/wslog.h>
52 #include <wsutil/ws_assert.h>
53 #include <wsutil/strtoi.h>
55 #include <wsutil/version_info.h>
56 #include <wiretap/wtap_opttypes.h>
59 #include <epan/timestamp.h>
60 #include <epan/packet.h>
62 #include <epan/wslua/init_wslua.h>
64 #include "frame_tvbuff.h"
65 #include <epan/disabled_protos.h>
66 #include <epan/prefs.h>
67 #include <epan/column.h>
68 #include <epan/decode_as.h>
69 #include <epan/print.h>
70 #include <epan/addr_resolv.h>
71 #include <epan/enterprises.h>
72 #include <epan/manuf.h>
73 #include <epan/services.h>
75 #include "ui/capture_ui_utils.h"
79 #include "ui/ws_ui_util.h"
80 #include "ui/decode_as_utils.h"
81 #include "wsutil/filter_files.h"
82 #include "ui/cli/tshark-tap.h"
83 #include "ui/cli/tap-exportobject.h"
84 #include "ui/tap_export_pdu.h"
85 #include "ui/dissect_opts.h"
86 #include "ui/ssl_key_export.h"
87 #include "ui/failure_message.h"
88 #if defined(HAVE_LIBSMI)
89 #include "epan/oids.h"
91 #include "epan/maxmind_db.h"
92 #include <epan/epan_dissect.h>
94 #include <epan/stat_tap_ui.h>
95 #include <epan/conversation_table.h>
96 #include <epan/srt_table.h>
97 #include <epan/rtd_table.h>
98 #include <epan/ex-opt.h>
99 #include <epan/exported_pdu.h>
100 #include <epan/secrets.h>
102 #include "capture_opts.h"
104 #include "capture/capture-pcap-util.h"
107 #include "capture/capture_ifinfo.h"
109 #include "capture/capture-wpcap.h"
111 #include <capture/capture_session.h>
112 #include <capture/capture_sync.h>
113 #include <ui/capture_info.h>
114 #endif /* HAVE_LIBPCAP */
115 #include <epan/funnel.h>
117 #include <wsutil/str_util.h>
118 #include <wsutil/utf8_entities.h>
119 #include <wsutil/json_dumper.h>
120 #include <wsutil/wslog.h>
122 #include <wsutil/win32-utils.h>
128 #include <wsutil/codecs.h>
129 #include <wsutil/plugins.h>
132 /* Additional exit codes */
133 #define INVALID_EXPORT 2
134 #define INVALID_TAP 2
135 #define INVALID_CAPTURE 2
137 #define LONGOPT_EXPORT_OBJECTS LONGOPT_BASE_APPLICATION+1
138 #define LONGOPT_COLOR LONGOPT_BASE_APPLICATION+2
139 #define LONGOPT_NO_DUPLICATE_KEYS LONGOPT_BASE_APPLICATION+3
140 #define LONGOPT_ELASTIC_MAPPING_FILTER LONGOPT_BASE_APPLICATION+4
141 #define LONGOPT_EXPORT_TLS_SESSION_KEYS LONGOPT_BASE_APPLICATION+5
142 #define LONGOPT_CAPTURE_COMMENT LONGOPT_BASE_APPLICATION+6
143 #define LONGOPT_HEXDUMP LONGOPT_BASE_APPLICATION+7
144 #define LONGOPT_SELECTED_FRAME LONGOPT_BASE_APPLICATION+8
145 #define LONGOPT_PRINT_TIMERS LONGOPT_BASE_APPLICATION+9
149 static guint32 cum_bytes;
150 static frame_data ref_frame;
151 static frame_data prev_dis_frame;
152 static frame_data prev_cap_frame;
154 static gboolean perform_two_pass_analysis;
155 static guint32 epan_auto_reset_count;
156 static gboolean epan_auto_reset;
158 static guint32 selected_frame_number;
161 * The way the packet decode is to be written.
164 WRITE_NONE, /* dummy initial state */
165 WRITE_TEXT, /* summary or detail text */
166 WRITE_XML, /* PDML or PSML */
167 WRITE_FIELDS, /* User defined list of fields */
168 WRITE_JSON, /* JSON */
169 WRITE_JSON_RAW, /* JSON only raw hex */
170 WRITE_EK /* JSON bulk insert to Elasticsearch */
171 /* Add CSV and the like here */
174 static output_action_e output_action;
175 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
176 static gboolean print_packet_info; /* TRUE if we're to print packet information */
177 static gboolean print_summary; /* TRUE if we're to print packet summary information */
178 static gboolean print_details; /* TRUE if we're to print packet details information */
179 static gboolean print_hex; /* TRUE if we're to print hex/ascii information */
180 static gboolean line_buffered;
181 static gboolean quiet;
182 static gboolean really_quiet;
183 static gchar* delimiter_char = " ";
184 static gboolean dissect_color;
185 static guint hexdump_source_option = HEXDUMP_SOURCE_MULTI; /* Default - Enable legacy multi-source mode */
186 static guint hexdump_ascii_option = HEXDUMP_ASCII_INCLUDE; /* Default - Enable legacy undelimited ASCII dump */
188 static print_format_e print_format = PR_FMT_TEXT;
189 static print_stream_t *print_stream;
191 static char *output_file_name;
193 static output_fields_t* output_fields;
195 static gboolean no_duplicate_keys;
196 static proto_node_children_grouper_func node_children_grouper = proto_node_group_children_by_unique;
198 static json_dumper jdumper;
200 /* The line separator used between packets, changeable via the -S option */
201 static const char *separator = "";
203 /* Per-file comments to be added to the output file. */
204 static GPtrArray *capture_comments;
206 static gboolean prefs_loaded;
210 * TRUE if we're to print packet counts to keep track of captured packets.
212 static gboolean print_packet_counts;
214 static capture_options global_capture_opts;
215 static capture_session global_capture_session;
216 static info_data_t global_info_data;
219 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
220 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
223 static gboolean capture(void);
224 static bool capture_input_new_file(capture_session *cap_session,
226 static void capture_input_new_packets(capture_session *cap_session,
228 static void capture_input_drops(capture_session *cap_session, guint32 dropped,
229 const char* interface_name);
230 static void capture_input_error(capture_session *cap_session,
231 char *error_msg, char *secondary_error_msg);
232 static void capture_input_cfilter_error(capture_session *cap_session,
233 guint i, const char *error_message);
234 static void capture_input_closed(capture_session *cap_session, gchar *msg);
236 static void report_counts(void);
238 static BOOL WINAPI capture_cleanup(DWORD);
240 static void capture_cleanup(int);
242 static void report_counts_siginfo(int);
245 #endif /* HAVE_LIBPCAP */
247 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
250 PROCESS_FILE_SUCCEEDED,
251 PROCESS_FILE_NO_FILE_PROCESSED,
253 PROCESS_FILE_INTERRUPTED
254 } process_file_status_t;
255 static process_file_status_t process_cap_file(capture_file *, char *, int, gboolean, int, gint64, int);
257 static gboolean process_packet_single_pass(capture_file *cf,
258 epan_dissect_t *edt, gint64 offset, wtap_rec *rec, Buffer *buf,
260 static void show_print_file_io_error(void);
261 static gboolean write_preamble(capture_file *cf);
262 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
263 static gboolean write_finale(void);
265 static void tshark_cmdarg_err(const char *msg_format, va_list ap);
266 static void tshark_cmdarg_err_cont(const char *msg_format, va_list ap);
268 static GHashTable *output_only_tables;
270 static gboolean opt_print_timers;
271 struct elapsed_pass_s {
274 gint64 dfilter_filter;
277 gint64 dfilter_expand;
278 gint64 dfilter_compile;
279 struct elapsed_pass_s first_pass;
280 gint64 elapsed_first_pass;
281 struct elapsed_pass_s second_pass;
282 gint64 elapsed_second_pass;
287 print_elapsed_json(const char *cf_name, const char *dfilter)
289 json_dumper dumper = {
290 .output_file = stderr,
291 .flags = JSON_DUMPER_FLAGS_PRETTY_PRINT,
294 if (tshark_elapsed.elapsed_first_pass == 0) {
296 ws_warning("Print timers requested but no timing info provided");
300 #define DUMP(name, val) \
301 json_dumper_set_member_name(&dumper, name); \
302 json_dumper_value_anyf(&dumper, "%"PRId64, val)
304 json_dumper_begin_object(&dumper);
305 json_dumper_set_member_name(&dumper, "version");
306 json_dumper_value_string(&dumper, get_ws_vcs_version_info_short());
308 json_dumper_set_member_name(&dumper, "path");
309 json_dumper_value_string(&dumper, cf_name);
312 json_dumper_set_member_name(&dumper, "filter");
313 json_dumper_value_string(&dumper, dfilter);
315 json_dumper_set_member_name(&dumper, "time_unit");
316 json_dumper_value_string(&dumper, "microseconds");
317 DUMP("elapsed", tshark_elapsed.elapsed_first_pass +
318 tshark_elapsed.elapsed_second_pass);
319 DUMP("dfilter_expand", tshark_elapsed.dfilter_expand);
320 DUMP("dfilter_compile", tshark_elapsed.dfilter_compile);
321 json_dumper_begin_array(&dumper);
322 json_dumper_begin_object(&dumper);
323 DUMP("elapsed", tshark_elapsed.elapsed_first_pass);
324 DUMP("dissect", tshark_elapsed.first_pass.dissect);
325 DUMP("display_filter", tshark_elapsed.first_pass.dfilter_filter);
326 DUMP("read_filter", tshark_elapsed.first_pass.dfilter_read);
327 json_dumper_end_object(&dumper);
328 if (tshark_elapsed.elapsed_second_pass) {
329 json_dumper_begin_object(&dumper);
330 DUMP("elapsed", tshark_elapsed.elapsed_second_pass);
331 DUMP("dissect", tshark_elapsed.second_pass.dissect);
332 DUMP("display_filter", tshark_elapsed.second_pass.dfilter_filter);
333 DUMP("read_filter", tshark_elapsed.second_pass.dfilter_read);
334 json_dumper_end_object(&dumper);
336 json_dumper_end_array(&dumper);
337 json_dumper_end_object(&dumper);
338 json_dumper_finish(&dumper);
342 list_capture_types(void)
344 GArray *writable_type_subtypes;
346 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
347 writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
348 for (guint i = 0; i < writable_type_subtypes->len; i++) {
349 int ft = g_array_index(writable_type_subtypes, int, i);
350 fprintf(stderr, " %s - %s\n", wtap_file_type_subtype_name(ft),
351 wtap_file_type_subtype_description(ft));
353 g_array_free(writable_type_subtypes, TRUE);
357 const char *sstr; /* The short string */
358 const char *lstr; /* The long string */
362 string_compare(gconstpointer a, gconstpointer b)
364 return strcmp(((const struct string_elem *)a)->sstr,
365 ((const struct string_elem *)b)->sstr);
369 string_elem_print(gpointer data)
371 fprintf(stderr, " %s - %s\n",
372 ((struct string_elem *)data)->sstr,
373 ((struct string_elem *)data)->lstr);
377 list_read_capture_types(void)
380 size_t num_file_types;
381 struct string_elem *captypes;
383 const char *magic = "Magic-value-based";
384 const char *heuristic = "Heuristics-based";
386 /* How many readable file types are there? */
388 for (i = 0; open_routines[i].name != NULL; i++)
390 captypes = g_new(struct string_elem, num_file_types);
392 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
393 for (i = 0; i < num_file_types && open_routines[i].name != NULL; i++) {
394 captypes[i].sstr = open_routines[i].name;
395 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
396 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
398 g_slist_free_full(list, string_elem_print);
403 list_export_pdu_taps(void)
405 fprintf(stderr, "tshark: The available export tap names and the encapsulation types they produce for the \"-U tap_name\" option are:\n");
406 for (GSList *export_pdu_tap_name_list = get_export_pdu_tap_list();
407 export_pdu_tap_name_list != NULL;
408 export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
409 fprintf(stderr, " %s - %s\n", (const char*)(export_pdu_tap_name_list->data), wtap_encap_description(export_pdu_tap_get_encap((const char*)export_pdu_tap_name_list->data)));
414 print_usage(FILE *output)
416 fprintf(output, "\n");
417 fprintf(output, "Usage: tshark [options] ...\n");
418 fprintf(output, "\n");
421 fprintf(output, "Capture interface:\n");
422 fprintf(output, " -i <interface>, --interface <interface>\n");
423 fprintf(output, " name or idx of interface (def: first non-loopback)\n");
424 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
425 fprintf(output, " -s <snaplen>, --snapshot-length <snaplen>\n");
426 #ifdef HAVE_PCAP_CREATE
427 fprintf(output, " packet snapshot length (def: appropriate maximum)\n");
429 fprintf(output, " packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
431 fprintf(output, " -p, --no-promiscuous-mode\n");
432 fprintf(output, " don't capture in promiscuous mode\n");
433 #ifdef HAVE_PCAP_CREATE
434 fprintf(output, " -I, --monitor-mode capture in monitor mode, if available\n");
436 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
437 fprintf(output, " -B <buffer size>, --buffer-size <buffer size>\n");
438 fprintf(output, " size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
440 fprintf(output, " -y <link type>, --linktype <link type>\n");
441 fprintf(output, " link layer type (def: first appropriate)\n");
442 fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
443 fprintf(output, " -D, --list-interfaces print list of interfaces and exit\n");
444 fprintf(output, " -L, --list-data-link-types\n");
445 fprintf(output, " print list of link-layer types of iface and exit\n");
446 fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
447 fprintf(output, " --update-interval interval between updates with new packets (def: %dms)\n", DEFAULT_UPDATE_INTERVAL);
448 fprintf(output, "\n");
449 fprintf(output, "Capture stop conditions:\n");
450 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
451 fprintf(output, " -a <autostop cond.> ..., --autostop <autostop cond.> ...\n");
452 fprintf(output, " duration:NUM - stop after NUM seconds\n");
453 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
454 fprintf(output, " files:NUM - stop after NUM files\n");
455 fprintf(output, " packets:NUM - stop after NUM packets\n");
456 /*fprintf(output, "\n");*/
457 fprintf(output, "Capture output:\n");
458 fprintf(output, " -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>\n");
459 fprintf(output, " duration:NUM - switch to next file after NUM secs\n");
460 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
461 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
462 fprintf(output, " packets:NUM - switch to next file after NUM packets\n");
463 fprintf(output, " interval:NUM - switch to next file when the time is\n");
464 fprintf(output, " an exact multiple of NUM secs\n");
465 fprintf(output, " printname:FILE - print filename to FILE when written\n");
466 fprintf(output, " (can use 'stdout' or 'stderr')\n");
467 #endif /* HAVE_LIBPCAP */
468 #ifdef HAVE_PCAP_REMOTE
469 fprintf(output, "RPCAP options:\n");
470 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
472 /*fprintf(output, "\n");*/
473 fprintf(output, "Input file:\n");
474 fprintf(output, " -r <infile>, --read-file <infile>\n");
475 fprintf(output, " set the filename to read from (or '-' for stdin)\n");
477 fprintf(output, "\n");
478 fprintf(output, "Processing:\n");
479 fprintf(output, " -2 perform a two-pass analysis\n");
480 fprintf(output, " -M <packet count> perform session auto reset\n");
481 fprintf(output, " -R <read filter>, --read-filter <read filter>\n");
482 fprintf(output, " packet Read filter in Wireshark display filter syntax\n");
483 fprintf(output, " (requires -2)\n");
484 fprintf(output, " -Y <display filter>, --display-filter <display filter>\n");
485 fprintf(output, " packet displaY filter in Wireshark display filter\n");
486 fprintf(output, " syntax\n");
487 fprintf(output, " -n disable all name resolutions (def: \"mNd\" enabled, or\n");
488 fprintf(output, " as set in preferences)\n");
489 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtdv\"\n");
490 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
491 fprintf(output, " \"Decode As\", see the man page for details\n");
492 fprintf(output, " Example: tcp.port==8888,http\n");
493 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
494 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
495 fprintf(output, " --enable-protocol <proto_name>\n");
496 fprintf(output, " enable dissection of proto_name\n");
497 fprintf(output, " --disable-protocol <proto_name>\n");
498 fprintf(output, " disable dissection of proto_name\n");
499 fprintf(output, " --only-protocols <protocols>\n");
500 fprintf(output, " Only enable dissection of these protocols, comma\n");
501 fprintf(output, " separated. Disable everything else\n");
502 fprintf(output, " --disable-all-protocols\n");
503 fprintf(output, " Disable dissection of all protocols\n");
504 fprintf(output, " --enable-heuristic <short_name>\n");
505 fprintf(output, " enable dissection of heuristic protocol\n");
506 fprintf(output, " --disable-heuristic <short_name>\n");
507 fprintf(output, " disable dissection of heuristic protocol\n");
509 /*fprintf(output, "\n");*/
510 fprintf(output, "Output:\n");
511 fprintf(output, " -w <outfile|-> write packets to a pcapng-format file named \"outfile\"\n");
512 fprintf(output, " (or '-' for stdout)\n");
513 fprintf(output, " --capture-comment <comment>\n");
514 fprintf(output, " add a capture file comment, if supported\n");
515 fprintf(output, " -C <config profile> start with specified configuration profile\n");
516 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
517 fprintf(output, " an empty \"-F\" option will list the file types\n");
518 fprintf(output, " -V add output of packet tree (Packet Details)\n");
519 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
520 fprintf(output, " separated\n");
521 fprintf(output, " -P, --print print packet summary even when writing to a file\n");
522 fprintf(output, " -S <separator> the line separator to print between packets\n");
523 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
524 fprintf(output, " --hexdump <hexoption> add hexdump, set options for data source and ASCII dump\n");
525 fprintf(output, " all dump all data sources (-x default)\n");
526 fprintf(output, " frames dump only frame data source\n");
527 fprintf(output, " ascii include ASCII dump text (-x default)\n");
528 fprintf(output, " delimit delimit ASCII dump text with '|' characters\n");
529 fprintf(output, " noascii exclude ASCII dump text\n");
530 fprintf(output, " help display help for --hexdump and exit\n");
531 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
532 fprintf(output, " format of text output (def: text)\n");
533 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
534 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
535 fprintf(output, " nodes, unless child is specified also in the filter)\n");
536 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
537 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
538 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
539 fprintf(output, " _ws.col.info)\n");
540 fprintf(output, " this option can be repeated to print multiple fields\n");
541 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
542 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
543 fprintf(output, " header=y|n switch headers on and off\n");
544 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
545 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
546 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
547 fprintf(output, " aggregator\n");
548 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
549 fprintf(output, " -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]\n");
550 fprintf(output, " output format of time stamps (def: r: rel. to first)\n");
551 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
552 fprintf(output, " -l flush standard output after each packet\n");
553 fprintf(output, " (implies --update-interval 0)\n");
554 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
555 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
556 fprintf(output, " -g enable group read access on the output file(s)\n");
557 fprintf(output, " -W n Save extra information in the file, if supported.\n");
558 fprintf(output, " n = write network address resolution information\n");
559 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
560 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
561 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
562 fprintf(output, " --export-objects <protocol>,<destdir>\n");
563 fprintf(output, " save exported objects for a protocol to a directory\n");
564 fprintf(output, " named \"destdir\"\n");
565 fprintf(output, " --export-tls-session-keys <keyfile>\n");
566 fprintf(output, " export TLS Session Keys to a file named \"keyfile\"\n");
567 fprintf(output, " --color color output text similarly to the Wireshark GUI,\n");
568 fprintf(output, " requires a terminal with 24-bit color support\n");
569 fprintf(output, " Also supplies color attributes to pdml and psml formats\n");
570 fprintf(output, " (Note that attributes are nonstandard)\n");
571 fprintf(output, " --no-duplicate-keys If -T json is specified, merge duplicate keys in an object\n");
572 fprintf(output, " into a single key with as value a json array containing all\n");
573 fprintf(output, " values\n");
574 fprintf(output, " --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the\n");
575 fprintf(output, " specified protocols within the mapping file\n");
576 fprintf(output, " --temp-dir <directory> write temporary files to this directory\n");
577 fprintf(output, " (default: %s)\n", g_get_tmp_dir());
578 fprintf(output, "\n");
580 ws_log_print_usage(output);
581 fprintf(output, "\n");
583 fprintf(output, "Miscellaneous:\n");
584 fprintf(output, " -h, --help display this help and exit\n");
585 fprintf(output, " -v, --version display version info and exit\n");
586 fprintf(output, " -o <name>:<value> ... override preference setting\n");
587 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
588 fprintf(output, " -G [report] dump one of several available reports and exit\n");
589 fprintf(output, " default report=\"fields\"\n");
590 fprintf(output, " use \"-G help\" for more help\n");
592 fprintf(output, "\n");
593 fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
594 fprintf(output, "You might want to enable it by executing:\n");
595 fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
596 fprintf(output, "Note that this can make your system less secure!\n");
602 glossary_option_help(void)
608 fprintf(output, "%s\n", get_appname_and_version());
610 fprintf(output, "\n");
611 fprintf(output, "Usage: tshark -G [report]\n");
612 fprintf(output, "\n");
613 fprintf(output, "Glossary table reports:\n");
614 fprintf(output, " -G column-formats dump column format codes and exit\n");
615 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
616 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
617 fprintf(output, " -G dissectors dump registered dissector names\n");
618 fprintf(output, " -G elastic-mapping dump ElasticSearch mapping file\n");
619 fprintf(output, " -G enterprises dump IANA Private Enterprise Number (PEN) table\n");
620 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
621 fprintf(output, " -G fields [prefix] dump fields glossary and exit\n");
622 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
623 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
624 fprintf(output, " -G manuf dump ethernet manufacturer tables\n");
625 fprintf(output, " -G plugins dump installed plugins and exit\n");
626 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
627 fprintf(output, " -G services dump transport service (port) names\n");
628 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
629 fprintf(output, "\n");
630 fprintf(output, "Preference reports:\n");
631 fprintf(output, " -G currentprefs dump current preferences and exit\n");
632 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
633 fprintf(output, " -G folders dump about:folders\n");
634 fprintf(output, "\n");
638 hexdump_option_help(FILE *output)
640 fprintf(output, "%s\n", get_appname_and_version());
641 fprintf(output, "\n");
642 fprintf(output, "tshark: Valid --hexdump <hexoption> values include:\n");
643 fprintf(output, "\n");
644 fprintf(output, "Data source options:\n");
645 fprintf(output, " all add hexdump, dump all data sources (-x default)\n");
646 fprintf(output, " frames add hexdump, dump only frame data source\n");
647 fprintf(output, "\n");
648 fprintf(output, "ASCII options:\n");
649 fprintf(output, " ascii add hexdump, include ASCII dump text (-x default)\n");
650 fprintf(output, " delimit add hexdump, delimit ASCII dump text with '|' characters\n");
651 fprintf(output, " noascii add hexdump, exclude ASCII dump text\n");
652 fprintf(output, "\n");
653 fprintf(output, "Miscellaneous:\n");
654 fprintf(output, " help display this help and exit\n");
655 fprintf(output, "\n");
656 fprintf(output, "Example:\n");
657 fprintf(output, "\n");
658 fprintf(output, " $ tshark ... --hexdump frames --hexdump delimit ...\n");
659 fprintf(output, "\n");
663 print_current_user(void)
665 gchar *cur_user, *cur_group;
667 if (started_with_special_privs()) {
668 cur_user = get_cur_username();
669 cur_group = get_cur_groupname();
670 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
671 cur_user, cur_group);
674 if (running_with_special_privs()) {
675 fprintf(stderr, " This could be dangerous.");
677 fprintf(stderr, "\n");
682 gather_tshark_compile_info(feature_list l)
684 /* Capture libraries */
685 gather_caplibs_compile_info(l);
686 epan_gather_compile_info(l);
690 gather_tshark_runtime_info(feature_list l)
693 gather_caplibs_runtime_info(l);
696 /* stuff used by libwireshark */
697 epan_gather_runtime_info(l);
701 _compile_dfilter(const char *text, dfilter_t **dfp, const char *caller)
707 gint64 elapsed_start;
709 elapsed_start = g_get_monotonic_time();
710 expanded = dfilter_expand(text, &df_err);
711 if (expanded == NULL) {
712 cmdarg_err("%s", df_err->msg);
713 df_error_free(&df_err);
716 tshark_elapsed.dfilter_expand = g_get_monotonic_time() - elapsed_start;
718 elapsed_start = g_get_monotonic_time();
719 ok = dfilter_compile_full(expanded, dfp, &df_err, DF_OPTIMIZE, caller);
721 cmdarg_err("%s", df_err->msg);
723 if (df_err->loc.col_start >= 0) {
724 err_off = ws_strdup_underline(NULL, df_err->loc.col_start, df_err->loc.col_len);
725 cmdarg_err_cont(" %s", expanded);
726 cmdarg_err_cont(" %s", err_off);
729 df_error_free(&df_err);
731 tshark_elapsed.dfilter_compile = g_get_monotonic_time() - elapsed_start;
737 #define compile_dfilter(text, dfp) _compile_dfilter(text, dfp, __func__)
740 protocolfilter_add_opt(const char* arg, pf_flags filter_flags)
742 gchar **newfilter = NULL;
743 for (newfilter = wmem_strsplit(wmem_epan_scope(), arg, " ", -1); *newfilter; newfilter++) {
744 if (strcmp(*newfilter, "") == 0) {
745 /* Don't treat the empty string as an intended field abbreviation
746 * to output, consecutive spaces on the command line probably
747 * aren't intentional.
751 if (!output_fields_add_protocolfilter(output_fields, *newfilter, filter_flags)) {
752 cmdarg_err("%s was already specified with different filter flags. Overwriting previous protocol filter.", *newfilter);
761 const char *constpath;
769 * Fetching the "File" dialogs folder not implemented.
770 * This is arguably just a pwd for a ui/cli .
774 constpath = g_get_tmp_dir();
776 /* global_capture_opts only exists in this case */
777 if (global_capture_opts.temp_dir)
778 constpath = global_capture_opts.temp_dir;
780 printf("%-21s\t%s\n", "Temp:", constpath);
783 path = get_persconffile_path("", FALSE);
784 printf("%-21s\t%s\n", "Personal configuration:", path);
788 constpath = get_datafile_dir();
789 if (constpath != NULL) {
790 printf("%-21s\t%s\n", "Global configuration:", constpath);
794 constpath = get_systemfile_dir();
795 printf("%-21s\t%s\n", "System:", constpath);
798 constpath = get_progfile_dir();
799 printf("%-21s\t%s\n", "Program:", constpath);
803 printf("%-21s\t%s\n", "Personal Plugins:", get_plugins_pers_dir_with_version());
806 printf("%-21s\t%s\n", "Global Plugins:", get_plugins_dir_with_version());
810 /* pers lua plugins */
811 printf("%-21s\t%s\n", "Personal Lua Plugins:", get_plugins_pers_dir());
813 /* global lua plugins */
814 printf("%-21s\t%s\n", "Global Lua Plugins:", get_plugins_dir());
817 /* Personal Extcap */
818 constpath = get_extcap_pers_dir();
820 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
821 for(i = 0; resultArray[i]; i++)
822 printf("%-21s\t%s\n", "Personal Extcap path:", g_strstrip(resultArray[i]));
824 g_strfreev(resultArray);
827 constpath = get_extcap_dir();
829 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
830 for(i = 0; resultArray[i]; i++)
831 printf("%-21s\t%s\n", "Global Extcap path:", g_strstrip(resultArray[i]));
833 g_strfreev(resultArray);
836 path = maxmind_db_get_paths();
838 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
840 for(i = 0; resultArray[i]; i++)
841 printf("%-21s\t%s\n", "MaxMind database path:", g_strstrip(resultArray[i]));
843 g_strfreev(resultArray);
848 path = oid_get_default_mib_path();
850 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 20);
852 for(i = 0; resultArray[i]; i++)
853 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
855 g_strfreev(resultArray);
862 must_do_dissection(dfilter_t *rfcode, dfilter_t *dfcode,
863 gchar *volatile pdu_export_arg)
865 /* We have to dissect each packet if:
867 we're printing information about each packet;
869 we're using a read filter on the packets;
871 we're using a display filter on the packets;
873 we're exporting PDUs;
875 we're using any taps that need dissection. */
876 return print_packet_info || rfcode || dfcode || pdu_export_arg ||
877 tap_listeners_require_dissection();
882 * Check whether a purported *shark packet-matching expression (display
883 * or read filter) looks like a capture filter and, if so, print a
886 * Used, for example, if the string in question isn't a valid packet-
887 * matching expression.
890 warn_about_capture_filter(const char *rfilter)
892 struct bpf_program fcode;
895 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
897 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
898 pcap_freecode(&fcode);
900 " Note: That read filter code looks like a valid capture filter;\n"
901 " maybe you mixed them up?");
909 static GList *cached_if_list;
912 capture_opts_get_interface_list(int *err, char **err_str)
914 if (cached_if_list == NULL) {
916 * This isn't a GUI tool, so no need for a callback.
918 cached_if_list = capture_interface_list(err, err_str, NULL);
921 * Routines expect to free the returned interface list, so return
924 return interface_list_copy(cached_if_list);
929 main(int argc, char *argv[])
932 static const struct report_message_routines tshark_report_routines = {
935 open_failure_message,
936 read_failure_message,
937 write_failure_message,
938 cfile_open_failure_message,
939 cfile_dump_open_failure_message,
940 cfile_read_failure_message,
941 cfile_write_failure_message,
942 cfile_close_failure_message
945 static const struct ws_option long_options[] = {
946 {"help", ws_no_argument, NULL, 'h'},
947 {"version", ws_no_argument, NULL, 'v'},
948 LONGOPT_CAPTURE_COMMON
949 LONGOPT_DISSECT_COMMON
950 LONGOPT_READ_CAPTURE_COMMON
951 {"print", ws_no_argument, NULL, 'P'},
952 {"export-objects", ws_required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
953 {"export-tls-session-keys", ws_required_argument, NULL, LONGOPT_EXPORT_TLS_SESSION_KEYS},
954 {"color", ws_no_argument, NULL, LONGOPT_COLOR},
955 {"no-duplicate-keys", ws_no_argument, NULL, LONGOPT_NO_DUPLICATE_KEYS},
956 {"elastic-mapping-filter", ws_required_argument, NULL, LONGOPT_ELASTIC_MAPPING_FILTER},
957 {"capture-comment", ws_required_argument, NULL, LONGOPT_CAPTURE_COMMENT},
958 {"hexdump", ws_required_argument, NULL, LONGOPT_HEXDUMP},
959 {"selected-frame", ws_required_argument, NULL, LONGOPT_SELECTED_FRAME},
960 {"print-timers", ws_no_argument, NULL, LONGOPT_PRINT_TIMERS},
963 gboolean arg_error = FALSE;
964 gboolean has_extcap_options = FALSE;
965 gboolean is_capturing = TRUE;
969 gboolean exp_pdu_status;
970 volatile process_file_status_t status;
971 volatile gboolean draw_taps = FALSE;
972 volatile int exit_status = EXIT_SUCCESS;
974 int caps_queries = 0;
976 gchar *err_str, *err_str_secondary;
978 gboolean capture_option_specified = FALSE;
979 volatile int max_packet_count = 0;
981 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_UNKNOWN;
982 volatile gboolean out_file_name_res = FALSE;
983 volatile int in_file_type = WTAP_TYPE_AUTO;
984 gchar *volatile cf_name = NULL;
985 gchar *rfilter = NULL;
986 gchar *volatile dfilter = NULL;
987 dfilter_t *rfcode = NULL;
988 dfilter_t *dfcode = NULL;
990 gchar *output_only = NULL;
991 gchar *volatile pdu_export_arg = NULL;
992 char *volatile exp_pdu_filename = NULL;
993 const gchar *volatile tls_session_keys_file = NULL;
994 exp_pdu_t exp_pdu_tap_data;
995 const gchar* elastic_mapping_filter = NULL;
998 * The leading + ensures that getopt_long() does not permute the argv[]
1001 * We have to make sure that the first getopt_long() preserves the content
1002 * of argv[] for the subsequent getopt_long() call.
1004 * We use getopt_long() in both cases to ensure that we're using a routine
1005 * whose permutation behavior we can control in the same fashion on all
1006 * platforms, and so that, if we ever need to process a long argument before
1007 * doing further initialization, we can do so.
1009 * Glibc and Solaris libc document that a leading + disables permutation
1010 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1011 * and macOS don't document it, but do so anyway.
1013 * We do *not* use a leading - because the behavior of a leading - is
1014 * platform-dependent.
1016 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON OPTSTRING_READ_CAPTURE_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQS:T:U:vVw:W:xX:z:"
1018 static const char optstring[] = OPTSTRING;
1021 * Set the C-language locale to the native environment and set the
1022 * code page to UTF-8 on Windows.
1025 setlocale(LC_ALL, ".UTF-8");
1027 setlocale(LC_ALL, "");
1032 cmdarg_err_init(tshark_cmdarg_err, tshark_cmdarg_err_cont);
1034 /* Initialize log handler early so we can have proper logging during startup. */
1035 ws_log_init("tshark", vcmdarg_err);
1037 /* Early logging command-line initialization. */
1038 ws_log_parse_args(&argc, argv, vcmdarg_err, WS_EXIT_INVALID_OPTION);
1040 ws_noisy("Finished log init and parsing command line log arguments");
1041 ws_debug("tshark started with %d args", argc);
1044 create_app_running_mutex();
1048 * Get credential information for later use, and drop privileges
1049 * before doing anything else.
1050 * Let the user know if anything happened.
1052 init_process_policies();
1053 relinquish_special_privs_perm();
1054 print_current_user();
1057 * Attempt to get the pathname of the directory containing the
1060 err_msg = configuration_init(argv[0], NULL);
1061 if (err_msg != NULL) {
1063 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
1064 "It won't be possible to capture traffic.\n"
1065 "Report this to the Wireshark developers.",
1070 initialize_funnel_ops();
1073 ws_init_dll_search_path();
1075 /* Load wpcap if possible. Do this before collecting the run-time version information */
1077 #endif /* HAVE_LIBPCAP */
1080 /* Initialize the version information. */
1081 ws_init_version_info("TShark",
1082 gather_tshark_compile_info, gather_tshark_runtime_info);
1084 /* Fail sometimes. Useful for testing fuzz scripts. */
1085 /* if (g_random_int_range(0, 100) < 5) abort(); */
1088 * In order to have the -X opts assigned before the wslua machine starts
1089 * we need to call getopt_long before epan_init() gets called.
1091 * In order to handle, for example, -o options, we also need to call it
1092 * *after* epan_init() gets called, so that the dissectors have had a
1093 * chance to register their preferences.
1095 * Spawning a bunch of extcap processes can delay program startup,
1096 * particularly on Windows. Check to see if we have any options that
1097 * might require extcap and set has_extcap_options = TRUE if that's
1100 * XXX - can we do this all with one getopt_long() call, saving the
1101 * arguments we can't handle until after initializing libwireshark,
1102 * and then process them after initializing libwireshark?
1106 while ((opt = ws_getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1108 case 'C': /* Configuration Profile */
1109 if (profile_exists (ws_optarg, FALSE)) {
1110 set_profile_name (ws_optarg);
1111 } else if (profile_exists (ws_optarg, TRUE)) {
1112 char *pf_dir_path, *pf_dir_path2, *pf_filename;
1113 /* Copy from global profile */
1114 if (create_persconffile_profile(ws_optarg, &pf_dir_path) == -1) {
1115 cmdarg_err("Can't create directory\n\"%s\":\n%s.",
1116 pf_dir_path, g_strerror(errno));
1118 g_free(pf_dir_path);
1119 exit_status = WS_EXIT_INVALID_FILE;
1122 if (copy_persconffile_profile(ws_optarg, ws_optarg, TRUE, &pf_filename,
1123 &pf_dir_path, &pf_dir_path2) == -1) {
1124 cmdarg_err("Can't copy file \"%s\" in directory\n\"%s\" to\n\"%s\":\n%s.",
1125 pf_filename, pf_dir_path2, pf_dir_path, g_strerror(errno));
1127 g_free(pf_filename);
1128 g_free(pf_dir_path);
1129 g_free(pf_dir_path2);
1130 exit_status = WS_EXIT_INVALID_FILE;
1133 set_profile_name (ws_optarg);
1135 cmdarg_err("Configuration Profile \"%s\" does not exist", ws_optarg);
1136 exit_status = WS_EXIT_INVALID_OPTION;
1141 if (g_str_has_suffix(ws_optarg, "prefs")) {
1142 has_extcap_options = TRUE;
1144 is_capturing = FALSE;
1147 has_extcap_options = TRUE;
1150 if (g_str_has_prefix(ws_optarg, "extcap.")) {
1151 has_extcap_options = TRUE;
1154 case 'P': /* Print packet summary info even when writing to a file */
1155 print_packet_info = TRUE;
1156 print_summary = TRUE;
1158 case 'r': /* Read capture file x */
1159 cf_name = g_strdup(ws_optarg);
1160 is_capturing = FALSE;
1162 case 'O': /* Only output these protocols */
1163 output_only = g_strdup(ws_optarg);
1165 case 'V': /* Verbose */
1166 print_details = TRUE;
1167 print_packet_info = TRUE;
1169 case 'x': /* Print packet data in hex (and ASCII) */
1171 /* The user asked for hex output, so let's ensure they get it,
1172 * even if they're writing to a file.
1174 print_packet_info = TRUE;
1177 ex_opt_add(ws_optarg);
1181 is_capturing = FALSE;
1183 case LONGOPT_ELASTIC_MAPPING_FILTER:
1184 elastic_mapping_filter = ws_optarg;
1192 if (ex_opt_count("lua_script") > 0) {
1193 cmdarg_err("This version of TShark was not built with support for Lua scripting.");
1194 exit_status = WS_EXIT_INIT_FAILED;
1197 #endif /* HAVE_LUA */
1199 init_report_message("TShark", &tshark_report_routines);
1202 capture_opts_init(&global_capture_opts, capture_opts_get_interface_list);
1203 capture_session_init(&global_capture_session, &cfile,
1204 capture_input_new_file, capture_input_new_packets,
1205 capture_input_drops, capture_input_error,
1206 capture_input_cfilter_error, capture_input_closed);
1209 timestamp_set_type(TS_RELATIVE);
1210 timestamp_set_precision(TS_PREC_AUTO);
1211 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1214 * Libwiretap must be initialized before libwireshark is, so that
1215 * dissection-time handlers for file-type-dependent blocks can
1216 * register using the file type/subtype value for the file type.
1220 /* Register all dissectors; we must do this before checking for the
1221 "-G" flag, as the "-G" flag dumps information registered by the
1222 dissectors, and we must do it before we read the preferences, in
1223 case any dissectors register preferences. */
1224 if (!epan_init(NULL, NULL, TRUE)) {
1225 exit_status = WS_EXIT_INIT_FAILED;
1229 /* Register all tap listeners; we do this before we parse the arguments,
1230 as the "-z" argument can specify a registered tap. */
1232 register_all_tap_listeners(tap_reg_listener);
1234 /* Register extcap preferences only when needed. */
1235 if (has_extcap_options || is_capturing) {
1236 extcap_register_preferences();
1239 conversation_table_set_gui_info(init_iousers);
1240 endpoint_table_set_gui_info(init_endpoints);
1241 srt_table_iterate_tables(register_srt_tables, NULL);
1242 rtd_table_iterate_tables(register_rtd_tables, NULL);
1243 stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1245 /* If invoked with the "-G" flag, we dump out information based on
1246 the argument to the "-G" flag; if no argument is specified,
1247 for backwards compatibility we dump out a glossary of display
1250 XXX - we do this here, for now, to support "-G" with no arguments.
1251 If none of our build or other processes uses "-G" with no arguments,
1252 we can just process it with the other arguments. */
1254 /* NOTE: This is before the preferences are loaded with
1255 * epan_load_settings() below, so if you add a new report
1256 * and it depends on the profile settings, call epan_load_settings()
1259 * It is after addr_resolv_init() is called (done by epan_init()),
1260 * so "manuf", "enterprises", and "services" have the values from
1261 * the global and personal profile files already loaded.
1263 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1264 proto_initialize_all_prefixes();
1267 cmdarg_err("-G with no argument is deprecated and will removed in a future version.");
1268 cmdarg_err_cont("Generating fields glossary.");
1269 proto_registrar_dump_fields();
1271 if (strcmp(argv[2], "column-formats") == 0)
1272 column_dump_column_formats();
1273 else if (strcmp(argv[2], "currentprefs") == 0) {
1274 epan_load_settings();
1277 else if (strcmp(argv[2], "decodes") == 0) {
1278 epan_load_settings();
1279 dissector_dump_decodes();
1280 } else if (strcmp(argv[2], "defaultprefs") == 0)
1282 else if (strcmp(argv[2], "dissector-tables") == 0)
1283 dissector_dump_dissector_tables();
1284 else if (strcmp(argv[2], "dissectors") == 0)
1285 dissector_dump_dissectors();
1286 else if (strcmp(argv[2], "elastic-mapping") == 0)
1287 proto_registrar_dump_elastic(elastic_mapping_filter);
1288 else if (strcmp(argv[2], "fieldcount") == 0) {
1289 /* return value for the test suite */
1290 exit_status = proto_registrar_dump_fieldcount();
1293 else if (strcmp(argv[2], "fields") == 0) {
1295 gboolean matched = proto_registrar_dump_field_completions(argv[3]);
1297 cmdarg_err("No field or protocol begins with \"%s\"", argv[3]);
1298 exit_status = EXIT_FAILURE;
1303 proto_registrar_dump_fields();
1306 else if (strcmp(argv[2], "folders") == 0) {
1307 epan_load_settings();
1309 } else if (strcmp(argv[2], "ftypes") == 0)
1310 proto_registrar_dump_ftypes();
1311 else if (strcmp(argv[2], "heuristic-decodes") == 0) {
1312 epan_load_settings();
1313 dissector_dump_heur_decodes();
1314 } else if (strcmp(argv[2], "manuf") == 0)
1315 ws_manuf_dump(stdout);
1316 else if (strcmp(argv[2], "enterprises") == 0)
1317 global_enterprises_dump(stdout);
1318 else if (strcmp(argv[2], "services") == 0)
1319 global_services_dump(stdout);
1320 else if (strcmp(argv[2], "plugins") == 0) {
1326 wslua_plugins_dump_all();
1330 else if (strcmp(argv[2], "protocols") == 0) {
1331 epan_load_settings();
1332 proto_registrar_dump_protocols();
1333 } else if (strcmp(argv[2], "values") == 0)
1334 proto_registrar_dump_values();
1335 else if (strcmp(argv[2], "help") == 0)
1336 glossary_option_help();
1337 /* These are supported only for backwards compatibility and may or may not work
1338 * for a given user in a given directory on a given operating system with a given
1339 * command-line interpreter.
1341 else if (strcmp(argv[2], "?") == 0)
1342 glossary_option_help();
1343 else if (strcmp(argv[2], "-?") == 0)
1344 glossary_option_help();
1346 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G help for more help.", argv[2]);
1347 exit_status = WS_EXIT_INVALID_OPTION;
1351 exit_status = EXIT_SUCCESS;
1355 ws_debug("tshark reading settings");
1357 /* Load libwireshark settings from the current profile. */
1358 prefs_p = epan_load_settings();
1359 prefs_loaded = TRUE;
1361 cap_file_init(&cfile);
1363 /* Print format defaults to this. */
1364 print_format = PR_FMT_TEXT;
1365 delimiter_char = " ";
1367 output_fields = output_fields_new();
1370 * To reset the options parser, set ws_optreset to 1 and set ws_optind to 1.
1372 * Also reset ws_opterr to 1, so that error messages are printed by
1379 /* Now get our args */
1380 while ((opt = ws_getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1382 case '2': /* Perform two-pass analysis */
1383 if(epan_auto_reset){
1384 cmdarg_err("-2 does not support auto session reset.");
1387 perform_two_pass_analysis = TRUE;
1390 if(perform_two_pass_analysis){
1391 cmdarg_err("-M does not support two-pass analysis.");
1394 epan_auto_reset_count = get_positive_int(ws_optarg, "epan reset count");
1395 epan_auto_reset = TRUE;
1397 case 'a': /* autostop criteria */
1398 case 'b': /* Ringbuffer option */
1399 case 'f': /* capture filter */
1400 case 'g': /* enable group read access on file(s) */
1401 case 'i': /* Use interface x */
1402 case LONGOPT_SET_TSTAMP_TYPE: /* Set capture timestamp type */
1403 case 'p': /* Don't capture in promiscuous mode */
1404 #ifdef HAVE_PCAP_REMOTE
1405 case 'A': /* Authentication */
1407 #ifdef HAVE_PCAP_CREATE
1408 case 'I': /* Capture in monitor mode, if available */
1410 case 's': /* Set the snapshot (capture) length */
1411 case 'y': /* Set the pcap data link type */
1412 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1413 case 'B': /* Buffer size */
1415 case LONGOPT_COMPRESS_TYPE: /* compress type */
1416 case LONGOPT_CAPTURE_TMPDIR: /* capture temp directory */
1417 case LONGOPT_UPDATE_INTERVAL: /* sync pipe update interval */
1418 /* These are options only for packet capture. */
1420 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1421 if (exit_status != 0) {
1425 capture_option_specified = TRUE;
1429 case 'c': /* Stop after x packets */
1431 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1432 if (exit_status != 0) {
1436 max_packet_count = get_positive_int(ws_optarg, "packet count");
1439 case 'w': /* Write to file x */
1440 output_file_name = g_strdup(ws_optarg);
1442 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1443 if (exit_status != 0) {
1449 /* already processed; just ignore it now */
1451 case 'D': /* Print a list of capture devices and exit */
1453 exit_status = EXIT_SUCCESS;
1454 if_list = capture_interface_list(&err, &err_str,NULL);
1457 * An error occurred when fetching the local
1458 * interfaces. Report it.
1460 cmdarg_err("%s", err_str);
1462 exit_status = WS_EXIT_PCAP_ERROR;
1464 if (if_list == NULL) {
1466 * No interfaces were found. If that's not the
1467 * result of an error when fetching the local
1468 * interfaces, let the user know.
1471 cmdarg_err("There are no interfaces on which a capture can be done");
1472 exit_status = WS_EXIT_NO_INTERFACES;
1476 capture_opts_print_interfaces(if_list);
1477 free_interface_list(if_list);
1480 capture_option_specified = TRUE;
1487 const char* col_field = try_convert_to_column_field(ws_optarg);
1489 output_fields_add(output_fields, col_field);
1491 header_field_info *hfi = proto_registrar_get_byalias(ws_optarg);
1493 output_fields_add(output_fields, hfi->abbrev);
1495 output_fields_add(output_fields, ws_optarg);
1501 if (!output_fields_set_option(output_fields, ws_optarg)) {
1502 cmdarg_err("\"%s\" is not a valid field output option=value pair.", ws_optarg);
1503 output_fields_list_options(stderr);
1504 exit_status = WS_EXIT_INVALID_OPTION;
1509 out_file_type = wtap_name_to_file_type_subtype(ws_optarg);
1510 if (out_file_type < 0) {
1511 cmdarg_err("\"%s\" isn't a valid capture file type", ws_optarg);
1512 list_capture_types();
1513 exit_status = WS_EXIT_INVALID_OPTION;
1518 cmdarg_err("-G only valid as first option");
1519 exit_status = WS_EXIT_INVALID_OPTION;
1523 if (!protocolfilter_add_opt(ws_optarg, PF_NONE)) {
1524 exit_status = WS_EXIT_INVALID_OPTION;
1529 if (!protocolfilter_add_opt(ws_optarg, PF_INCLUDE_CHILDREN)) {
1530 exit_status = WS_EXIT_INVALID_OPTION;
1534 case 'W': /* Select extra information to save in our capture file */
1535 /* This is patterned after the -N flag which may not be the best idea. */
1536 if (strchr(ws_optarg, 'n')) {
1537 out_file_name_res = TRUE;
1539 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", ws_optarg);
1540 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1541 exit_status = WS_EXIT_INVALID_OPTION;
1545 case 'H': /* Read address to name mappings from a hosts file */
1546 if (! add_hosts_file(ws_optarg))
1548 cmdarg_err("Can't read host entries from \"%s\"", ws_optarg);
1549 exit_status = WS_EXIT_INVALID_OPTION;
1552 out_file_name_res = TRUE;
1555 case 'h': /* Print help and exit */
1556 show_help_header("Dump and analyze network traffic.");
1557 print_usage(stdout);
1558 exit_status = EXIT_SUCCESS;
1561 case 'l': /* "Line-buffer" standard output */
1562 /* The ANSI C standard does not appear to *require* that a line-buffered
1563 stream be flushed to the host environment whenever a newline is
1564 written, it just says that, on such a stream, characters "are
1565 intended to be transmitted to or from the host environment as a
1566 block when a new-line character is encountered".
1568 The Visual C++ 6.0 C implementation doesn't do what is intended;
1569 even if you set a stream to be line-buffered, it still doesn't
1570 flush the buffer at the end of every line.
1572 The whole reason for the "-l" flag in either tcpdump or TShark
1573 is to allow the output of a live capture to be piped to a program
1574 or script and to have that script see the information for the
1575 packet as soon as it's printed, rather than having to wait until
1576 a standard I/O buffer fills up.
1578 So, if the "-l" flag is specified, we flush the standard output
1579 at the end of a packet. This will do the right thing if we're
1580 printing packet summary lines, and, as we print the entire protocol
1581 tree for a single packet without waiting for anything to happen,
1582 it should be as good as line-buffered mode if we're printing
1583 protocol trees - arguably even better, as it may do fewer
1585 line_buffered = TRUE;
1587 /* Set the update-interval to 0 so that dumpcap reports packets
1588 * as soon as available instead of buffering them.
1590 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1591 if (exit_status != 0) {
1596 case 'L': /* Print list of link-layer types and exit */
1598 caps_queries |= CAPS_QUERY_LINK_TYPES;
1600 capture_option_specified = TRUE;
1604 case LONGOPT_LIST_TSTAMP_TYPES: /* List possible timestamp types */
1606 caps_queries |= CAPS_QUERY_TIMESTAMP_TYPES;
1608 capture_option_specified = TRUE;
1612 case 'o': /* Override preference from command line */
1614 char *errmsg = NULL;
1616 switch (prefs_set_pref(ws_optarg, &errmsg)) {
1621 case PREFS_SET_SYNTAX_ERR:
1622 cmdarg_err("Invalid -o flag \"%s\"%s%s", ws_optarg,
1623 errmsg ? ": " : "", errmsg ? errmsg : "");
1625 exit_status = WS_EXIT_INVALID_OPTION;
1629 case PREFS_SET_NO_SUCH_PREF:
1630 cmdarg_err("-o flag \"%s\" specifies unknown preference", ws_optarg);
1631 exit_status = WS_EXIT_INVALID_OPTION;
1635 case PREFS_SET_OBSOLETE:
1636 cmdarg_err("-o flag \"%s\" specifies obsolete preference", ws_optarg);
1637 exit_status = WS_EXIT_INVALID_OPTION;
1643 case 'q': /* Quiet */
1646 case 'Q': /* Really quiet */
1648 really_quiet = TRUE;
1651 /* already processed; just ignore it now */
1653 case 'R': /* Read file filter */
1654 rfilter = ws_optarg;
1657 /* already processed; just ignore it now */
1659 case 'S': /* Set the line Separator to be printed between packets */
1660 separator = ws_optarg;
1662 case 'T': /* printing Type */
1663 /* output_action has been already set. It means multiple -T. */
1664 if (output_action > WRITE_NONE) {
1665 cmdarg_err("Multiple -T parameters are unsupported");
1666 exit_status = WS_EXIT_INVALID_OPTION;
1669 print_packet_info = TRUE;
1670 if (strcmp(ws_optarg, "text") == 0) {
1671 output_action = WRITE_TEXT;
1672 print_format = PR_FMT_TEXT;
1673 } else if (strcmp(ws_optarg, "tabs") == 0) {
1674 output_action = WRITE_TEXT;
1675 print_format = PR_FMT_TEXT;
1676 delimiter_char = "\t";
1677 } else if (strcmp(ws_optarg, "ps") == 0) {
1678 output_action = WRITE_TEXT;
1679 print_format = PR_FMT_PS;
1680 } else if (strcmp(ws_optarg, "pdml") == 0) {
1681 output_action = WRITE_XML;
1682 print_details = TRUE; /* Need details */
1683 print_summary = FALSE; /* Don't allow summary */
1684 } else if (strcmp(ws_optarg, "psml") == 0) {
1685 output_action = WRITE_XML;
1686 print_details = FALSE; /* Don't allow details */
1687 print_summary = TRUE; /* Need summary */
1688 } else if (strcmp(ws_optarg, "fields") == 0) {
1689 output_action = WRITE_FIELDS;
1690 print_details = TRUE; /* Need full tree info */
1691 print_summary = FALSE; /* Don't allow summary */
1692 } else if (strcmp(ws_optarg, "json") == 0) {
1693 output_action = WRITE_JSON;
1694 print_details = TRUE; /* Need details */
1695 print_summary = FALSE; /* Don't allow summary */
1696 } else if (strcmp(ws_optarg, "ek") == 0) {
1697 output_action = WRITE_EK;
1699 print_details = TRUE;
1700 } else if (strcmp(ws_optarg, "jsonraw") == 0) {
1701 output_action = WRITE_JSON_RAW;
1702 print_details = TRUE; /* Need details */
1703 print_summary = FALSE; /* Don't allow summary */
1706 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", ws_optarg); /* x */
1707 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1708 "\t specified by the -E option.\n"
1709 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1710 "\t details of a decoded packet. This information is equivalent to\n"
1711 "\t the packet details printed with the -V flag.\n"
1712 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1713 "\t the packets, or a multi-line view of the details of each of\n"
1714 "\t the packets, depending on whether the -V flag was specified.\n"
1715 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1716 "\t summary information of a decoded packet. This information is\n"
1717 "\t equivalent to the information shown in the one-line summary\n"
1718 "\t printed by default.\n"
1719 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1720 "\t summary information of a decoded packet. This information is \n"
1721 "\t equivalent to the packet details printed with the -V flag.\n"
1722 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1723 "\t including only raw hex decoded fields (same as -T json -x but\n"
1724 "\t without text decoding, only raw fields included). \n"
1725 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1726 "\t into elastic search cluster. This information is \n"
1727 "\t equivalent to the packet details printed with the -V flag.\n"
1728 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1729 "\t packets, or a multi-line view of the details of each of the\n"
1730 "\t packets, depending on whether the -V flag was specified.\n"
1731 "\t This is the default.\n"
1732 "\t\"tabs\" Similar to the text report except that each column of the\n"
1733 "\t human-readable one-line summary is delimited with an ASCII\n"
1734 "\t horizontal tab character.");
1735 exit_status = WS_EXIT_INVALID_OPTION;
1739 case 'U': /* Export PDUs to file */
1740 if (strcmp(ws_optarg, "") == 0 || strcmp(ws_optarg, "?") == 0) {
1741 list_export_pdu_taps();
1742 exit_status = WS_EXIT_INVALID_OPTION;
1745 pdu_export_arg = g_strdup(ws_optarg);
1747 case 'v': /* Show version and exit */
1749 /* We don't really have to cleanup here, but it's a convenient way to test
1750 * start-up and shut-down of the epan library without any UI-specific
1751 * cruft getting in the way. Makes the results of running
1752 * $ ./tools/valgrind-wireshark -n
1753 * much more useful. */
1756 exit_status = EXIT_SUCCESS;
1758 case 'O': /* Only output these protocols */
1759 /* already processed; just ignore it now */
1761 case 'V': /* Verbose */
1762 /* already processed; just ignore it now */
1764 case 'x': /* Print packet data in hex (and ASCII) */
1765 /* already processed; just ignore it now */
1768 /* already processed; just ignore it now */
1771 dfilter = g_strdup(ws_optarg);
1774 /* We won't call the init function for the stat this soon
1775 as it would disallow MATE's fields (which are registered
1776 by the preferences set callback) from being used as
1777 part of a tap filter. Instead, we just add the argument
1778 to a list of stat arguments. */
1779 if (strcmp("help", ws_optarg) == 0) {
1780 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1781 list_stat_cmd_args();
1782 exit_status = EXIT_SUCCESS;
1785 if (!process_stat_cmd_arg(ws_optarg)) {
1786 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", ws_optarg);
1787 list_stat_cmd_args();
1788 exit_status = WS_EXIT_INVALID_OPTION;
1792 case 'd': /* Decode as rule */
1793 case 'K': /* Kerberos keytab file */
1794 case 'n': /* No name resolution */
1795 case 'N': /* Select what types of addresses/port #s to resolve */
1796 case 't': /* Time stamp type */
1797 case 'u': /* Seconds type */
1798 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1799 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1800 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1801 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1802 case LONGOPT_ONLY_PROTOCOLS: /* enable dissection of only this comma separated list of protocols */
1803 case LONGOPT_DISABLE_ALL_PROTOCOLS: /* enable dissection of protocol (that is disabled by default) */
1804 if (!dissect_opts_handle_opt(opt, ws_optarg)) {
1805 exit_status = WS_EXIT_INVALID_OPTION;
1809 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1810 if (strcmp("help", ws_optarg) == 0) {
1811 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1812 eo_list_object_types();
1813 exit_status = EXIT_SUCCESS;
1816 if (!eo_tap_opt_add(ws_optarg)) {
1817 exit_status = WS_EXIT_INVALID_OPTION;
1821 case LONGOPT_EXPORT_TLS_SESSION_KEYS: /* --export-tls-session-keys */
1822 tls_session_keys_file = ws_optarg;
1824 case LONGOPT_COLOR: /* print in color where appropriate */
1825 dissect_color = TRUE;
1826 /* This has no effect if we don't print packet info or filter
1827 (we can filter on the coloring rules). Should we warn or
1828 error later if so, instead of silently ignoring it? */
1830 case LONGOPT_NO_DUPLICATE_KEYS:
1831 no_duplicate_keys = TRUE;
1832 node_children_grouper = proto_node_group_children_by_json_key;
1834 case LONGOPT_CAPTURE_COMMENT: /* capture comment */
1835 if (capture_comments == NULL) {
1836 capture_comments = g_ptr_array_new_with_free_func(g_free);
1838 g_ptr_array_add(capture_comments, g_strdup(ws_optarg));
1840 case LONGOPT_HEXDUMP:
1842 print_packet_info = TRUE;
1843 if (strcmp(ws_optarg, "all") == 0)
1844 hexdump_source_option = HEXDUMP_SOURCE_MULTI;
1845 else if (strcmp(ws_optarg, "frames") == 0)
1846 hexdump_source_option = HEXDUMP_SOURCE_PRIMARY;
1847 else if (strcmp(ws_optarg, "ascii") == 0)
1848 hexdump_ascii_option = HEXDUMP_ASCII_INCLUDE;
1849 else if (strcmp(ws_optarg, "delimit") == 0)
1850 hexdump_ascii_option = HEXDUMP_ASCII_DELIMIT;
1851 else if (strcmp(ws_optarg, "noascii") == 0)
1852 hexdump_ascii_option = HEXDUMP_ASCII_EXCLUDE;
1853 else if (strcmp("help", ws_optarg) == 0) {
1854 hexdump_option_help(stdout);
1855 exit_status = EXIT_SUCCESS;
1858 fprintf(stderr, "tshark: \"%s\" is an invalid value for --hexdump <hexoption>\n", ws_optarg);
1859 fprintf(stderr, "For valid <hexoption> values enter: tshark --hexdump help\n");
1860 exit_status = WS_EXIT_INVALID_OPTION;
1864 case LONGOPT_SELECTED_FRAME:
1865 /* Hidden option to mark a frame as "selected". Used for testing and debugging.
1866 * Only active in two-pass mode. */
1867 if (!ws_strtou32(ws_optarg, NULL, &selected_frame_number)) {
1868 fprintf(stderr, "tshark: \"%s\" is not a valid frame number\n", ws_optarg);
1869 exit_status = WS_EXIT_INVALID_OPTION;
1873 case LONGOPT_PRINT_TIMERS:
1874 opt_print_timers = TRUE;
1877 case '?': /* Bad flag - print usage message */
1880 list_capture_types();
1883 print_usage(stderr);
1885 exit_status = WS_EXIT_INVALID_OPTION;
1891 /* set the default output action to TEXT */
1892 if (output_action == WRITE_NONE)
1893 output_action = WRITE_TEXT;
1895 /* set the default file type to pcapng */
1896 if (out_file_type == WTAP_FILE_TYPE_SUBTYPE_UNKNOWN)
1897 out_file_type = wtap_pcapng_file_type_subtype();
1900 * Print packet summary information is the default if neither -V or -x
1901 * were specified. Note that this is new behavior, which allows for the
1902 * possibility of printing only hex/ascii output without necessarily
1903 * requiring that either the summary or details be printed too.
1905 if (!print_summary && !print_details && !print_hex)
1906 print_summary = TRUE;
1908 if (no_duplicate_keys && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW) {
1909 cmdarg_err("--no-duplicate-keys can only be used with \"-T json\" and \"-T jsonraw\"");
1910 exit_status = WS_EXIT_INVALID_OPTION;
1914 /* If we specified output fields, but not the output field type... */
1915 /* XXX: If we specfied both output fields with -e *and* protocol filters
1916 * with -j/-J, only the former are used. Should we warn or abort?
1917 * This also doesn't distinguish PDML from PSML, but shouldn't allow the
1920 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1921 cmdarg_err("Output fields were specified with \"-e\", "
1922 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1923 exit_status = WS_EXIT_INVALID_OPTION;
1925 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1926 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1927 "specified with \"-e\".");
1929 exit_status = WS_EXIT_INVALID_OPTION;
1933 if (dissect_color) {
1934 if (!color_filters_init(&err_msg, NULL)) {
1935 fprintf(stderr, "%s\n", err_msg);
1940 /* If no capture filter or display filter has been specified, and there are
1941 still command-line arguments, treat them as the tokens of a capture
1942 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1943 flag was specified. */
1944 if (ws_optind < argc) {
1945 if (cf_name != NULL) {
1946 if (dfilter != NULL) {
1947 cmdarg_err("Display filters were specified both with \"-Y\" "
1948 "and with additional command-line arguments.");
1949 exit_status = WS_EXIT_INVALID_OPTION;
1952 dfilter = get_args_as_string(argc, argv, ws_optind);
1957 if (global_capture_opts.default_options.cfilter) {
1958 cmdarg_err("A default capture filter was specified both with \"-f\""
1959 " and with additional command-line arguments.");
1960 exit_status = WS_EXIT_INVALID_OPTION;
1963 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1964 interface_options *interface_opts;
1965 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
1966 if (interface_opts->cfilter == NULL) {
1967 interface_opts->cfilter = get_args_as_string(argc, argv, ws_optind);
1969 cmdarg_err("A capture filter was specified both with \"-f\""
1970 " and with additional command-line arguments.");
1971 exit_status = WS_EXIT_INVALID_OPTION;
1975 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, ws_optind);
1977 capture_option_specified = TRUE;
1982 if (!output_file_name) {
1983 /* We're not saving the capture to a file; if "-q" wasn't specified,
1984 we should print packet information */
1986 print_packet_info = TRUE;
1988 const char *save_file = output_file_name;
1989 /* We're saving to a file; if we're writing to the standard output.
1990 and we'll also be writing dissected packets to the standard
1991 output, reject the request. At best, we could redirect that
1992 to the standard error; we *can't* write both to the standard
1993 output and have either of them be useful. */
1994 if (strcmp(save_file, "-") == 0 && print_packet_info) {
1995 cmdarg_err("You can't write both raw packet data and dissected packets"
1996 " to the standard output.");
1997 exit_status = WS_EXIT_INVALID_OPTION;
2002 #ifndef HAVE_LIBPCAP
2003 if (capture_option_specified)
2004 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2007 print_usage(stderr);
2008 exit_status = WS_EXIT_INVALID_OPTION;
2013 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
2014 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
2015 exit_status = WS_EXIT_INVALID_OPTION;
2020 if (output_only != NULL) {
2023 if (!print_details) {
2024 cmdarg_err("-O requires -V");
2025 exit_status = WS_EXIT_INVALID_OPTION;
2029 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
2030 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
2031 const char *name = ps;
2032 header_field_info *hfi = proto_registrar_get_byalias(name);
2036 g_hash_table_insert(output_only_tables, (gpointer)name, (gpointer)name);
2040 if (rfilter != NULL && !perform_two_pass_analysis) {
2041 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
2042 exit_status = WS_EXIT_INVALID_OPTION;
2048 /* We're supposed to list the link-layer/timestamp types for an interface;
2049 did the user also specify a capture file to be read? */
2051 /* Yes - that's bogus. */
2052 cmdarg_err("You can't specify %s and a capture file to be read.",
2053 caps_queries & CAPS_QUERY_LINK_TYPES ? "-L" : "--list-time-stamp-types");
2054 exit_status = WS_EXIT_INVALID_OPTION;
2057 /* No - did they specify a ring buffer option? */
2058 if (global_capture_opts.multi_files_on) {
2059 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
2060 exit_status = WS_EXIT_INVALID_OPTION;
2066 * "-r" was specified, so we're reading a capture file.
2067 * Capture options don't apply here.
2070 /* We don't support capture filters when reading from a capture file
2071 (the BPF compiler doesn't support all link-layer types that we
2072 support in capture files we read). */
2073 if (global_capture_opts.default_options.cfilter) {
2074 cmdarg_err("Only read filters, not capture filters, "
2075 "can be specified when reading a capture file.");
2076 exit_status = WS_EXIT_INVALID_OPTION;
2079 if (global_capture_opts.multi_files_on) {
2080 cmdarg_err("Multiple capture files requested, but "
2081 "a capture isn't being done.");
2082 exit_status = WS_EXIT_INVALID_OPTION;
2085 if (global_capture_opts.has_file_duration) {
2086 cmdarg_err("Switching capture files after a time period was specified, but "
2087 "a capture isn't being done.");
2088 exit_status = WS_EXIT_INVALID_OPTION;
2091 if (global_capture_opts.has_file_interval) {
2092 cmdarg_err("Switching capture files after a time interval was specified, but "
2093 "a capture isn't being done.");
2094 exit_status = WS_EXIT_INVALID_OPTION;
2097 if (global_capture_opts.has_ring_num_files) {
2098 cmdarg_err("A ring buffer of capture files was specified, but "
2099 "a capture isn't being done.");
2100 exit_status = WS_EXIT_INVALID_OPTION;
2103 if (global_capture_opts.has_autostop_files) {
2104 cmdarg_err("A maximum number of capture files was specified, but "
2105 "a capture isn't being done.");
2106 exit_status = WS_EXIT_INVALID_OPTION;
2110 /* Note: TShark now allows the restriction of a _read_ file by packet count
2111 * and byte count as well as a write file. Other autostop options remain valid
2112 * only for a write file.
2114 if (global_capture_opts.has_autostop_duration) {
2115 cmdarg_err("A maximum capture time was specified, but "
2116 "a capture isn't being done.");
2117 exit_status = WS_EXIT_INVALID_OPTION;
2122 * "-r" wasn't specified, so we're doing a live capture.
2124 gboolean use_pcapng = TRUE;
2126 if (perform_two_pass_analysis) {
2127 /* Two-pass analysis doesn't work with live capture since it requires us
2128 * to buffer packets until we've read all of them, but a live capture
2129 * has no useful/meaningful definition of "all" */
2130 cmdarg_err("Live captures do not support two-pass analysis.");
2131 exit_status = WS_EXIT_INVALID_OPTION;
2135 if (global_capture_opts.saving_to_file) {
2136 /* They specified a "-w" flag, so we'll be saving to a capture file. */
2138 /* When capturing, we only support writing pcap or pcapng format. */
2139 if (out_file_type == wtap_pcapng_file_type_subtype()) {
2141 } else if (out_file_type == wtap_pcap_file_type_subtype()) {
2144 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
2145 exit_status = WS_EXIT_INVALID_OPTION;
2148 if (capture_comments != NULL && !use_pcapng) {
2149 cmdarg_err("Capture comments can only be written to a pcapng file.");
2150 exit_status = WS_EXIT_INVALID_OPTION;
2153 if (global_capture_opts.multi_files_on) {
2154 /* Multiple-file mode doesn't work under certain conditions:
2155 a) it doesn't work if you're writing to the standard output;
2156 b) it doesn't work if you're writing to a pipe;
2158 if (strcmp(global_capture_opts.save_file, "-") == 0) {
2159 cmdarg_err("Multiple capture files requested, but "
2160 "the capture is being written to the standard output.");
2161 exit_status = WS_EXIT_INVALID_OPTION;
2164 if (global_capture_opts.output_to_pipe) {
2165 cmdarg_err("Multiple capture files requested, but "
2166 "the capture file is a pipe.");
2167 exit_status = WS_EXIT_INVALID_OPTION;
2170 if (!global_capture_opts.has_autostop_filesize &&
2171 !global_capture_opts.has_file_duration &&
2172 !global_capture_opts.has_file_interval &&
2173 !global_capture_opts.has_file_packets) {
2174 cmdarg_err("Multiple capture files requested, but "
2175 "no maximum capture file size, duration, interval or packets were specified.");
2176 exit_status = WS_EXIT_INVALID_OPTION;
2180 /* Currently, we don't support read or display filters when capturing
2181 and saving the packets. */
2182 if (rfilter != NULL) {
2183 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
2184 exit_status = WS_EXIT_INVALID_OPTION;
2187 if (dfilter != NULL) {
2188 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
2189 exit_status = WS_EXIT_INVALID_OPTION;
2192 global_capture_opts.use_pcapng = use_pcapng;
2194 /* They didn't specify a "-w" flag, so we won't be saving to a
2195 capture file. Check for options that only make sense if
2196 we're saving to a file. */
2197 if (global_capture_opts.has_autostop_filesize) {
2198 cmdarg_err("Maximum capture file size specified, but "
2199 "capture isn't being saved to a file.");
2200 exit_status = WS_EXIT_INVALID_OPTION;
2203 if (global_capture_opts.multi_files_on) {
2204 cmdarg_err("Multiple capture files requested, but "
2205 "the capture isn't being saved to a file.");
2206 exit_status = WS_EXIT_INVALID_OPTION;
2209 if (capture_comments != NULL) {
2210 cmdarg_err("Capture comments were specified, but "
2211 "the capture isn't being saved to a file.");
2212 exit_status = WS_EXIT_INVALID_OPTION;
2221 * If capture comments were specified, -w also has to have been specified.
2223 if (capture_comments != NULL) {
2224 if (output_file_name) {
2225 /* They specified a "-w" flag, so we'll be saving to a capture file.
2226 * This is fine if they're writing in a format that supports
2227 * section block comments.
2229 if (wtap_file_type_subtype_supports_option(out_file_type,
2231 OPT_COMMENT) == OPTION_NOT_SUPPORTED) {
2232 GArray *writable_type_subtypes;
2234 cmdarg_err("Capture comments can only be written to files of the following types:");
2235 writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
2236 for (guint i = 0; i < writable_type_subtypes->len; i++) {
2237 int ft = g_array_index(writable_type_subtypes, int, i);
2239 if (wtap_file_type_subtype_supports_option(ft, WTAP_BLOCK_SECTION,
2240 OPT_COMMENT) != OPTION_NOT_SUPPORTED)
2241 cmdarg_err_cont(" %s - %s", wtap_file_type_subtype_name(ft),
2242 wtap_file_type_subtype_description(ft));
2244 exit_status = WS_EXIT_INVALID_OPTION;
2249 cmdarg_err("Capture comments were specified, but you aren't writing a capture file.");
2250 exit_status = WS_EXIT_INVALID_OPTION;
2255 err_msg = ws_init_sockets();
2256 if (err_msg != NULL)
2258 cmdarg_err("%s", err_msg);
2260 cmdarg_err_cont("%s", please_report_bug());
2261 exit_status = WS_EXIT_INIT_FAILED;
2265 /* Notify all registered modules that have had any of their preferences
2266 changed either from one of the preferences file or from the command
2267 line that their preferences have changed. */
2270 /* We can also enable specified taps for export object */
2271 start_exportobjects();
2273 /* At this point MATE will have registered its field array so we can
2274 check if the fields specified by the user are all good.
2278 GSList *invalid_fields = output_fields_valid(output_fields);
2279 if (invalid_fields != NULL) {
2281 cmdarg_err("Some fields aren't valid:");
2282 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2283 cmdarg_err_cont("\t%s", (gchar *)it->data);
2285 g_slist_free(invalid_fields);
2286 exit_status = WS_EXIT_INVALID_OPTION;
2291 if (ex_opt_count("read_format") > 0) {
2292 const gchar* name = ex_opt_get_next("read_format");
2293 in_file_type = open_info_name_to_type(name);
2294 if (in_file_type == WTAP_TYPE_AUTO) {
2295 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2296 list_read_capture_types();
2297 exit_status = WS_EXIT_INVALID_OPTION;
2302 if (global_dissect_options.time_format != TS_NOT_SET)
2303 timestamp_set_type(global_dissect_options.time_format);
2304 if (global_dissect_options.time_precision != TS_PREC_NOT_SET)
2305 timestamp_set_precision(global_dissect_options.time_precision);
2308 * Enabled and disabled protocols and heuristic dissectors as per
2309 * command-line options.
2311 if (!setup_enabled_and_disabled_protocols()) {
2312 exit_status = WS_EXIT_INVALID_OPTION;
2316 /* Build the column format array */
2317 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2320 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2321 capture_opts_trim_ring_num_files(&global_capture_opts);
2324 if (rfilter != NULL) {
2325 ws_debug("Compiling read filter: '%s'", rfilter);
2326 if (!compile_dfilter(rfilter, &rfcode)) {
2331 warn_about_capture_filter(rfilter);
2334 exit_status = WS_EXIT_INVALID_INTERFACE;
2338 cfile.rfcode = rfcode;
2340 if (dfilter != NULL) {
2341 ws_debug("Compiling display filter: '%s'", dfilter);
2342 if (!compile_dfilter(dfilter, &dfcode)) {
2347 warn_about_capture_filter(dfilter);
2350 exit_status = WS_EXIT_INVALID_FILTER;
2354 cfile.dfcode = dfcode;
2356 if (print_packet_info) {
2357 /* If we're printing as text or PostScript, we have
2358 to create a print stream. */
2359 if (output_action == WRITE_TEXT) {
2360 switch (print_format) {
2363 print_stream = print_stream_text_stdio_new(stdout);
2367 print_stream = print_stream_ps_stdio_new(stdout);
2371 ws_assert_not_reached();
2376 /* PDU export requested. Take the ownership of the '-w' file, apply tap
2377 * filters and start tapping. */
2378 if (pdu_export_arg) {
2379 const char *exp_pdu_tap_name = pdu_export_arg;
2380 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
2381 char *exp_pdu_error;
2386 cmdarg_err("PDUs export requires a capture file (specify with -r).");
2387 exit_status = WS_EXIT_INVALID_OPTION;
2390 /* Take ownership of the '-w' output file. */
2391 exp_pdu_filename = output_file_name;
2392 output_file_name = NULL;
2394 global_capture_opts.save_file = NULL;
2396 if (exp_pdu_filename == NULL) {
2397 cmdarg_err("PDUs export requires an output file (-w).");
2398 exit_status = WS_EXIT_INVALID_OPTION;
2402 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
2404 if (exp_pdu_error) {
2405 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
2406 g_free(exp_pdu_error);
2407 list_export_pdu_taps();
2408 exit_status = INVALID_TAP;
2412 if (strcmp(exp_pdu_filename, "-") == 0) {
2413 /* Write to the standard output. */
2416 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2418 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2419 exit_status = WS_EXIT_INVALID_FILE;
2424 /* Activate the export PDU tap */
2425 /* Write to our output file with this comment (if the type supports it,
2426 * otherwise exp_pdu_open() will ignore the comment) */
2427 comment = ws_strdup_printf("Dump of PDUs from %s", cf_name);
2428 exp_pdu_status = exp_pdu_open(&exp_pdu_tap_data, exp_pdu_filename,
2429 out_file_type, exp_fd, comment,
2432 if (!exp_pdu_status) {
2433 cfile_dump_open_failure_message(exp_pdu_filename, err, err_info,
2435 exit_status = INVALID_EXPORT;
2441 ws_debug("tshark: Opening capture file: %s", cf_name);
2443 * We're reading a capture file.
2445 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2448 exit_status = WS_EXIT_INVALID_FILE;
2452 /* Start statistics taps; we do so after successfully opening the
2453 capture file, so we know we have something to compute stats
2454 on, and after registering all dissectors, so that MATE will
2455 have registered its field array so we can have a tap filter
2456 with one of MATE's late-registered fields as part of the
2458 start_requested_stats();
2460 /* Do we need to do dissection of packets? That depends on, among
2461 other things, what taps are listening, so determine that after
2462 starting the statistics taps. */
2463 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2464 ws_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2466 /* Process the packets in the file */
2467 ws_debug("tshark: invoking process_cap_file() to process the packets");
2469 status = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res,
2471 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2472 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0,
2473 global_capture_opts.has_autostop_written_packets ? global_capture_opts.autostop_written_packets : 0);
2480 CATCH(OutOfMemoryError) {
2484 "Sorry, but TShark has to terminate now.\n"
2486 "More information and workarounds can be found at\n"
2487 WS_WIKI_URL("KnownBugs/OutOfMemory") "\n");
2488 status = PROCESS_FILE_ERROR;
2494 case PROCESS_FILE_SUCCEEDED:
2495 /* Everything worked OK; draw the taps. */
2499 case PROCESS_FILE_NO_FILE_PROCESSED:
2500 /* We never got to try to read the file, so there are no tap
2501 results to dump. Exit with an error status. */
2505 case PROCESS_FILE_ERROR:
2506 /* We still dump out the results of taps, etc., as we might have
2507 read some packets; however, we exit with an error status. */
2512 case PROCESS_FILE_INTERRUPTED:
2513 /* The user interrupted the read process; Don't dump out the
2514 result of taps, etc., and exit with an error status. */
2519 if (pdu_export_arg) {
2520 if (!exp_pdu_close(&exp_pdu_tap_data, &err, &err_info)) {
2521 cfile_close_failure_message(exp_pdu_filename, err, err_info);
2524 g_free(pdu_export_arg);
2525 g_free(exp_pdu_filename);
2528 ws_debug("tshark: no capture file specified");
2529 /* No capture file specified, so we're supposed to do a live capture
2530 or get a list of link-layer types for a live capture device;
2531 do we have support for live captures? */
2534 /* Warn the user if npf.sys isn't loaded. */
2535 if (!npf_sys_is_running()) {
2536 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
2537 "capturing or\nlisting interfaces.\n");
2541 /* if no interface was specified, pick a default */
2542 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2543 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2544 if (exit_status != 0) {
2549 * If requested, list the link layer types and/or time stamp types
2555 /* Get the list of link-layer types for the capture devices. */
2556 exit_status = EXIT_SUCCESS;
2557 GList *if_cap_queries = NULL;
2558 if_cap_query_t *if_cap_query;
2559 GHashTable *capability_hash;
2560 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2561 interface_options *interface_opts;
2562 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2563 if_cap_query = g_new(if_cap_query_t, 1);
2564 if_cap_query->name = interface_opts->name;
2565 if_cap_query->monitor_mode = interface_opts->monitor_mode;
2566 if_cap_query->auth_username = NULL;
2567 if_cap_query->auth_password = NULL;
2568 #ifdef HAVE_PCAP_REMOTE
2569 if (interface_opts->auth_type == CAPTURE_AUTH_PWD) {
2570 if_cap_query->auth_username = interface_opts->auth_username;
2571 if_cap_query->auth_password = interface_opts->auth_password;
2574 if_cap_queries = g_list_prepend(if_cap_queries, if_cap_query);
2576 if_cap_queries = g_list_reverse(if_cap_queries);
2577 capability_hash = capture_get_if_list_capabilities(if_cap_queries, &err_str, &err_str_secondary, NULL);
2578 g_list_free_full(if_cap_queries, g_free);
2579 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2580 interface_options *interface_opts;
2581 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2582 if_capabilities_t *caps;
2583 caps = g_hash_table_lookup(capability_hash, interface_opts->name);
2585 cmdarg_err("%s%s%s", err_str, err_str_secondary ? "\n" : "", err_str_secondary ? err_str_secondary : "");
2587 g_free(err_str_secondary);
2588 exit_status = WS_EXIT_INVALID_CAPABILITY;
2591 exit_status = capture_opts_print_if_capabilities(caps, interface_opts,
2593 if (exit_status != EXIT_SUCCESS) {
2597 g_hash_table_destroy(capability_hash);
2602 * If the standard error isn't a terminal, don't print packet counts,
2603 * as they won't show up on the user's terminal and they'll get in
2604 * the way of error messages in the file (to which we assume the
2605 * standard error was redirected; if it's redirected to the null
2606 * device, there's no point in printing packet counts anyway).
2608 * Otherwise, if we're printing packet information and the standard
2609 * output is a terminal (which we assume means the standard output and
2610 * error are going to the same terminal), don't print packet counts,
2611 * as they'll get in the way of the packet information.
2613 * Otherwise, if the user specified -q, don't print packet counts.
2615 * Otherwise, print packet counts.
2617 * XXX - what if the user wants to do a live capture, doesn't want
2618 * to save it to a file, doesn't want information printed for each
2619 * packet, does want some "-z" statistic, and wants packet counts
2620 * so they know whether they're seeing any packets? -q will
2621 * suppress the information printed for each packet, but it'll
2622 * also suppress the packet counts.
2624 if (!ws_isatty(ws_fileno(stderr)))
2625 print_packet_counts = FALSE;
2626 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2627 print_packet_counts = FALSE;
2629 print_packet_counts = FALSE;
2631 print_packet_counts = TRUE;
2633 ws_debug("tshark: performing live capture");
2635 /* Start statistics taps; we should only do so after the capture
2636 started successfully, so we know we have something to compute
2637 stats, but we currently don't check for that - see below.
2639 We do so after registering all dissectors, so that MATE will
2640 have registered its field array so we can have a tap filter
2641 with one of MATE's late-registered fields as part of the
2643 start_requested_stats();
2645 /* Do we need to do dissection of packets? That depends on, among
2646 other things, what taps are listening, so determine that after
2647 starting the statistics taps. */
2648 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2649 ws_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2651 /* We're doing live capture; if the capture child is writing to a pipe,
2652 we can't do dissection, because that would mean two readers for
2653 the pipe, tshark and whatever else. */
2654 if (do_dissection && global_capture_opts.output_to_pipe) {
2655 if (tap_listeners_require_dissection()) {
2656 cmdarg_err("Taps aren't supported when capturing and saving to a pipe.");
2657 exit_status = WS_EXIT_INVALID_OPTION;
2660 if (print_packet_info) {
2661 cmdarg_err("Printing dissected packets isn't supported when capturing and saving to a pipe.");
2662 exit_status = WS_EXIT_INVALID_OPTION;
2665 /* We already checked the next three reasons for supersets of
2666 capturing and saving to a pipe, but this doesn't hurt. */
2667 if (pdu_export_arg) {
2668 cmdarg_err("PDUs export isn't supported when capturing and saving to a pipe.");
2669 exit_status = WS_EXIT_INVALID_OPTION;
2672 if (rfcode != NULL) {
2673 cmdarg_err("Read filters aren't supported when capturing and saving to a pipe.");
2674 exit_status = WS_EXIT_INVALID_OPTION;
2677 if (dfcode != NULL) {
2678 cmdarg_err("Display filters aren't supported when capturing and saving to a pipe.");
2679 exit_status = WS_EXIT_INVALID_OPTION;
2682 /* There's some other reason we're dissecting. */
2683 cmdarg_err("Dissection isn't supported when capturing and saving to a pipe.");
2684 exit_status = WS_EXIT_INVALID_OPTION;
2688 /* Write a preamble if we're printing one. Do this after all checking
2689 * for invalid options, so we don't print just a preamble and quit. */
2690 if (print_packet_info) {
2691 if (!write_preamble(&cfile)) {
2692 show_print_file_io_error();
2693 exit_status = WS_EXIT_INVALID_FILE;
2699 * XXX - this returns FALSE if an error occurred, but it also
2700 * returns FALSE if the capture stops because a time limit
2701 * was reached (and possibly other limits), so we can't assume
2702 * it means an error.
2704 * The capture code is a bit twisty, so it doesn't appear to
2705 * be an easy fix. We just ignore the return value for now.
2706 * Instead, pass on the exit status from the capture child.
2709 exit_status = global_capture_session.fork_child_status;
2711 if (print_packet_info) {
2712 if (!write_finale()) {
2713 show_print_file_io_error();
2718 * If we never got a capture file, don't draw the taps; we not only
2719 * didn't capture any packets, we never even did any capturing.
2721 if (cfile.filename != NULL)
2724 /* No - complain. */
2725 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2726 exit_status = INVALID_CAPTURE;
2731 if (cfile.provider.frames != NULL) {
2732 free_frame_data_sequence(cfile.provider.frames);
2733 cfile.provider.frames = NULL;
2737 draw_tap_listeners(TRUE);
2739 if (tls_session_keys_file) {
2740 gsize keylist_length;
2741 gchar *keylist = ssl_export_sessions(&keylist_length);
2742 write_file_binary_mode(tls_session_keys_file, keylist, keylist_length);
2746 if (opt_print_timers) {
2747 if (cf_name == NULL) {
2748 /* We're doind a live capture. That isn't currently supported
2750 ws_message("Ignoring option --print-timers because we are doing a live capture");
2753 print_elapsed_json(cf_name, dfilter);
2757 /* Memory cleanup */
2758 reset_tap_listeners();
2759 funnel_dump_all_text_windows();
2760 epan_free(cfile.epan);
2764 output_fields_free(output_fields);
2765 output_fields = NULL;
2770 destroy_print_stream(print_stream);
2771 g_free(output_file_name);
2773 capture_opts_cleanup(&global_capture_opts);
2774 if (cached_if_list) {
2775 free_interface_list(cached_if_list);
2778 col_cleanup(&cfile.cinfo);
2781 dfilter_free(dfcode);
2786 gboolean loop_running;
2787 guint32 packet_count;
2790 tshark_epan_new(capture_file *cf)
2792 static const struct packet_provider_funcs funcs = {
2793 cap_file_provider_get_frame_ts,
2794 cap_file_provider_get_interface_name,
2795 cap_file_provider_get_interface_description,
2799 return epan_new(&cf->provider, &funcs);
2806 volatile gboolean ret = TRUE;
2810 struct sigaction action, oldaction;
2813 /* Create new dissection section. */
2814 epan_free(cfile.epan);
2815 cfile.epan = tshark_epan_new(&cfile);
2818 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2819 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2821 /* Catch SIGINT and SIGTERM and, if we get either of them,
2822 clean up and exit. If SIGHUP isn't being ignored, catch
2823 it too and, if we get it, clean up and exit.
2825 We restart any read that was in progress, so that it doesn't
2826 disrupt reading from the sync pipe. The signal handler tells
2827 the capture child to finish; it will report that it finished,
2828 or will exit abnormally, so we'll stop reading from the sync
2829 pipe, pick up the exit status, and quit. */
2830 memset(&action, 0, sizeof(action));
2831 action.sa_handler = capture_cleanup;
2832 action.sa_flags = SA_RESTART;
2833 sigemptyset(&action.sa_mask);
2834 sigaction(SIGTERM, &action, NULL);
2835 sigaction(SIGINT, &action, NULL);
2836 sigaction(SIGHUP, NULL, &oldaction);
2837 if (oldaction.sa_handler == SIG_DFL)
2838 sigaction(SIGHUP, &action, NULL);
2841 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2842 quiet mode, report the number of packets we've captured.
2844 Again, restart any read that was in progress, so that it doesn't
2845 disrupt reading from the sync pipe. */
2846 action.sa_handler = report_counts_siginfo;
2847 action.sa_flags = SA_RESTART;
2848 sigemptyset(&action.sa_mask);
2849 sigaction(SIGINFO, &action, NULL);
2850 #endif /* SIGINFO */
2853 global_capture_session.state = CAPTURE_PREPARING;
2855 /* Let the user know which interfaces were chosen. */
2856 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2857 if (really_quiet == FALSE)
2858 fprintf(stderr, "Capturing on %s\n", str->str);
2860 g_string_free(str, TRUE);
2862 ret = sync_pipe_start(&global_capture_opts, capture_comments,
2863 &global_capture_session, &global_info_data, NULL);
2869 * Force synchronous resolution of IP addresses; we're doing only
2870 * one pass, so we can't do it in the background and fix up past
2873 set_resolution_synchrony(TRUE);
2875 /* the actual capture loop */
2876 ctx = g_main_context_default();
2877 loop_running = TRUE;
2881 while (loop_running)
2883 g_main_context_iteration(ctx, TRUE);
2886 CATCH(OutOfMemoryError) {
2890 "Sorry, but TShark has to terminate now.\n"
2892 "More information and workarounds can be found at\n"
2893 WS_WIKI_URL("KnownBugs/OutOfMemory") "\n");
2900 /* capture child detected an error */
2902 capture_input_error(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2904 /* The primary message might be an empty string, e.g. when the error was
2905 * from extcap. (The extcap stderr is gathered when the session closes
2906 * and printed in capture_input_closed below.) */
2907 if (*error_msg != '\0') {
2908 cmdarg_err("%s", error_msg);
2909 if (secondary_error_msg != NULL && *secondary_error_msg != '\0') {
2910 /* We have both primary and secondary messages. */
2911 cmdarg_err_cont("%s", secondary_error_msg);
2917 /* capture child detected an capture filter related error */
2919 capture_input_cfilter_error(capture_session *cap_session, guint i, const char *error_message)
2921 capture_options *capture_opts = cap_session->capture_opts;
2922 dfilter_t *rfcode = NULL;
2923 interface_options *interface_opts;
2925 ws_assert(i < capture_opts->ifaces->len);
2926 interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
2928 if (dfilter_compile(interface_opts->cfilter, &rfcode, NULL) && rfcode != NULL) {
2930 "Invalid capture filter \"%s\" for interface '%s'.\n"
2932 "That string looks like a valid display filter; however, it isn't a valid\n"
2933 "capture filter (%s).\n"
2935 "Note that display filters and capture filters don't have the same syntax,\n"
2936 "so you can't use most display filter expressions as capture filters.\n"
2938 "See the User's Guide for a description of the capture filter syntax.",
2939 interface_opts->cfilter, interface_opts->descr, error_message);
2940 dfilter_free(rfcode);
2943 "Invalid capture filter \"%s\" for interface '%s'.\n"
2945 "That string isn't a valid capture filter (%s).\n"
2946 "See the User's Guide for a description of the capture filter syntax.",
2947 interface_opts->cfilter, interface_opts->descr, error_message);
2952 /* capture child tells us we have a new (or the first) capture file */
2954 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2956 capture_options *capture_opts = cap_session->capture_opts;
2957 capture_file *cf = cap_session->cf;
2958 gboolean is_tempfile;
2961 if (really_quiet == FALSE) {
2962 if (cap_session->state == CAPTURE_PREPARING) {
2963 ws_info("Capture started.");
2965 ws_info("File: \"%s\"", new_file);
2968 ws_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2970 /* free the old filename */
2971 if (capture_opts->save_file != NULL) {
2973 /* we start a new capture file, close the old one (if we had one before) */
2974 if (cf->state != FILE_CLOSED) {
2978 g_free(capture_opts->save_file);
2979 is_tempfile = FALSE;
2981 epan_free(cf->epan);
2982 cf->epan = tshark_epan_new(cf);
2984 /* we didn't had a save_file before, must be a tempfile */
2988 /* save the new filename */
2989 capture_opts->save_file = g_strdup(new_file);
2991 /* if we are in real-time mode, open the new file now */
2992 if (do_dissection) {
2993 /* this is probably unnecessary, but better safe than sorry */
2994 cap_session->cf->open_type = WTAP_TYPE_AUTO;
2995 /* Attempt to open the capture file and set up to read from it. */
2996 switch(cf_open(cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
3000 /* Don't unlink (delete) the save file - leave it around,
3001 for debugging purposes. */
3002 g_free(capture_opts->save_file);
3003 capture_opts->save_file = NULL;
3006 } else if (quiet && is_tempfile) {
3007 cf->state = FILE_READ_ABORTED;
3008 cf->filename = g_strdup(new_file);
3009 cf->is_tempfile = is_tempfile;
3012 cap_session->state = CAPTURE_RUNNING;
3018 /* capture child tells us we have new packets to read */
3020 capture_input_new_packets(capture_session *cap_session, int to_read)
3026 capture_file *cf = cap_session->cf;
3027 gboolean filtering_tap_listeners;
3032 * Prevent a SIGINFO handler from writing to the standard error while
3033 * we're doing so or writing to the standard output; instead, have it
3034 * just set a flag telling us to print that information when we're done.
3037 #endif /* SIGINFO */
3039 /* Do we have any tap listeners with filters? */
3040 filtering_tap_listeners = have_filtering_tap_listeners();
3042 /* Get the union of the flags for all tap listeners. */
3043 tap_flags = union_of_tap_listener_flags();
3045 if (do_dissection) {
3046 gboolean create_proto_tree;
3047 epan_dissect_t *edt;
3052 * Determine whether we need to create a protocol tree.
3055 * we're going to apply a read filter;
3057 * we're going to apply a display filter;
3059 * we're going to print the protocol tree;
3061 * one of the tap listeners is going to apply a filter;
3063 * one of the tap listeners requires a protocol tree;
3065 * a postdissector wants field values or protocols
3066 * on the first pass;
3068 * we have custom columns (which require field values, which
3069 * currently requires that we build a protocol tree).
3072 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3073 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3074 have_custom_cols(&cf->cinfo) || dissect_color);
3076 /* The protocol tree will be "visible", i.e., nothing faked, only if
3077 we're printing packet details, which is true if we're printing stuff
3078 ("print_packet_info" is true) and we're in verbose mode
3079 ("packet_details" is true). But if we specified certain fields with
3080 "-e", we'll prime those directly later. */
3081 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3082 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3084 wtap_rec_init(&rec);
3085 ws_buffer_init(&buf, 1514);
3087 while (to_read-- && cf->provider.wth) {
3088 wtap_cleareof(cf->provider.wth);
3089 ret = wtap_read(cf->provider.wth, &rec, &buf, &err, &err_info, &data_offset);
3090 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3092 /* read from file failed, tell the capture child to stop */
3093 sync_pipe_stop(cap_session);
3094 wtap_close(cf->provider.wth);
3095 cf->provider.wth = NULL;
3097 ret = process_packet_single_pass(cf, edt, data_offset, &rec, &buf,
3101 /* packet successfully read and gone through the "Read Filter" */
3104 wtap_rec_reset(&rec);
3107 epan_dissect_free(edt);
3109 wtap_rec_cleanup(&rec);
3110 ws_buffer_free(&buf);
3114 * Dumpcap's doing all the work; we're not doing any dissection.
3115 * Count all the packets it wrote.
3117 packet_count += to_read;
3120 if (print_packet_counts) {
3121 /* We're printing packet counts. */
3122 if (packet_count != 0) {
3123 fprintf(stderr, "\r%u ", packet_count);
3124 /* stderr could be line buffered */
3131 * Allow SIGINFO handlers to write.
3136 * If a SIGINFO handler asked us to write out capture counts, do so.
3140 #endif /* SIGINFO */
3146 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
3147 /* Report the count only if we aren't printing a packet count
3148 as packets arrive. */
3149 fprintf(stderr, "%u packet%s captured\n", packet_count,
3150 plurality(packet_count, "", "s"));
3153 infoprint = FALSE; /* we just reported it */
3154 #endif /* SIGINFO */
3159 report_counts_siginfo(int signum _U_)
3161 int sav_errno = errno;
3162 /* If we've been told to delay printing, just set a flag asking
3163 that we print counts (if we're supposed to), otherwise print
3164 the count of packets captured (if we're supposed to). */
3171 #endif /* SIGINFO */
3174 /* capture child detected any packet drops? */
3176 capture_input_drops(capture_session *cap_session _U_, guint32 dropped, const char* interface_name)
3178 if (print_packet_counts) {
3179 /* We're printing packet counts to stderr.
3180 Send a newline so that we move to the line after the packet count. */
3181 fprintf(stderr, "\n");
3185 /* We're printing packet counts to stderr.
3186 Send a newline so that we move to the line after the packet count. */
3187 if (interface_name != NULL) {
3188 fprintf(stderr, "%u packet%s dropped from %s\n", dropped, plurality(dropped, "", "s"), interface_name);
3190 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
3197 * Capture child closed its side of the pipe, report any error and
3198 * do the required cleanup.
3201 capture_input_closed(capture_session *cap_session _U_, gchar *msg)
3203 if (msg != NULL && *msg != '\0')
3204 fprintf(stderr, "tshark: %s\n", msg);
3208 loop_running = FALSE;
3213 capture_cleanup(DWORD ctrltype _U_)
3215 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3216 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3217 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3218 like SIGTERM at least when the machine's shutting down.
3220 For now, we handle them all as indications that we should clean up
3221 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3224 We must return TRUE so that no other handler - such as one that would
3225 terminate the process - gets called.
3227 XXX - for some reason, typing ^C to TShark, if you run this in
3228 a Cygwin console window in at least some versions of Cygwin,
3229 causes TShark to terminate immediately; this routine gets
3230 called, but the main loop doesn't get a chance to run and
3231 exit cleanly, at least if this is compiled with Microsoft Visual
3232 C++ (i.e., it's a property of the Cygwin console window or Bash;
3233 it happens if TShark is not built with Cygwin - for all I know,
3234 building it with Cygwin may make the problem go away). */
3236 /* tell the capture child to stop */
3237 sync_pipe_stop(&global_capture_session);
3239 /* don't stop our own loop already here, otherwise status messages and
3240 * cleanup wouldn't be done properly. The child will indicate the stop of
3241 * everything by calling capture_input_closed() later */
3247 capture_cleanup(int signum _U_)
3249 /* tell the capture child to stop */
3250 sync_pipe_stop(&global_capture_session);
3252 /* don't stop our own loop already here, otherwise status messages and
3253 * cleanup wouldn't be done properly. The child will indicate the stop of
3254 * everything by calling capture_input_closed() later */
3257 #endif /* HAVE_LIBPCAP */
3260 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
3261 gint64 offset, wtap_rec *rec, Buffer *buf)
3266 gint64 elapsed_start;
3268 /* The frame number of this packet is one more than the count of
3269 frames in this packet. */
3270 framenum = cf->count + 1;
3272 /* If we're not running a display filter and we're not printing any
3273 packet information, we don't need to do a dissection. This means
3274 that all packets can be marked as 'passed'. */
3277 frame_data_init(&fdlocal, framenum, rec, offset, cum_bytes);
3279 /* If we're going to run a read filter or a display filter, set up to
3280 do a dissection and do so. (This is the first pass of two passes
3281 over the packets, so we will not be printing any information
3282 from the dissection or running taps on the packet; if we're doing
3283 any of that, we'll do it in the second pass.) */
3285 if (gbl_resolv_flags.network_name || gbl_resolv_flags.maxmind_geoip) {
3286 /* If we're doing async lookups, send any that are queued and
3289 * Ideally we'd force any lookups that need to happen on the second pass
3290 * to be sent asynchronously on this pass so the results would be ready.
3291 * That will happen if they're involved in a filter (because we prime the
3292 * tree below), but not currently for taps, if we're printing packet
3293 * summaries or details, etc.
3295 * XXX - If we're running a read filter that depends on a resolved
3296 * name, we should be doing synchronous lookups in that case. Also
3297 * marking the dependent frames below might not work with a display
3298 * filter that depends on a resolved name.
3300 host_name_lookup_process();
3303 column_info *cinfo = NULL;
3305 /* If we're running a read filter, prime the epan_dissect_t with that
3308 epan_dissect_prime_with_dfilter(edt, cf->rfcode);
3311 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3313 /* This is the first pass, so prime the epan_dissect_t with the
3314 hfids postdissectors want on the first pass. */
3315 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
3317 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3318 &cf->provider.ref, cf->provider.prev_dis);
3319 if (cf->provider.ref == &fdlocal) {
3320 ref_frame = fdlocal;
3321 cf->provider.ref = &ref_frame;
3324 /* If we're applying a filter that needs the columns, construct them. */
3325 if (dfilter_requires_columns(cf->rfcode) || dfilter_requires_columns(cf->dfcode)) {
3329 elapsed_start = g_get_monotonic_time();
3330 epan_dissect_run(edt, cf->cd_t, rec,
3331 frame_tvbuff_new_buffer(&cf->provider, &fdlocal, buf),
3333 tshark_elapsed.first_pass.dissect += g_get_monotonic_time() - elapsed_start;
3335 /* Run the read filter if we have one. */
3337 elapsed_start = g_get_monotonic_time();
3338 passed = dfilter_apply_edt(cf->rfcode, edt);
3339 tshark_elapsed.first_pass.dfilter_read += g_get_monotonic_time() - elapsed_start;
3344 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3345 cf->provider.prev_cap = cf->provider.prev_dis = frame_data_sequence_add(cf->provider.frames, &fdlocal);
3347 /* If we're not doing dissection then there won't be any dependent frames.
3348 * More importantly, edt.pi.fd.dependent_frames won't be initialized because
3349 * epan hasn't been initialized.
3350 * if we *are* doing dissection, then mark the dependent frames, but only
3351 * if a display filter was given and it matches this packet.
3353 if (edt && cf->dfcode) {
3354 elapsed_start = g_get_monotonic_time();
3355 if (dfilter_apply_edt(cf->dfcode, edt) && edt->pi.fd->dependent_frames) {
3356 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
3359 if (selected_frame_number != 0 && selected_frame_number == cf->count + 1) {
3360 /* If we are doing dissection and we have a "selected frame"
3361 * then load that frame's references (if any) onto the compiled
3362 * display filter. Selected frame number is ordinal, count is cardinal. */
3363 dfilter_load_field_references(cf->dfcode, edt->tree);
3365 tshark_elapsed.first_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
3370 /* if we don't add it to the frame_data_sequence, clean it up right now
3372 frame_data_destroy(&fdlocal);
3376 epan_dissect_reset(edt);
3382 * Set if reading a file was interrupted by a CTRL_ event on Windows or
3385 static gboolean read_interrupted;
3389 read_cleanup(DWORD ctrltype _U_)
3391 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3392 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3393 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3394 like SIGTERM at least when the machine's shutting down.
3396 For now, we handle them all as indications that we should clean up
3397 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3400 We must return TRUE so that no other handler - such as one that would
3401 terminate the process - gets called.
3403 XXX - for some reason, typing ^C to TShark, if you run this in
3404 a Cygwin console window in at least some versions of Cygwin,
3405 causes TShark to terminate immediately; this routine gets
3406 called, but the main loop doesn't get a chance to run and
3407 exit cleanly, at least if this is compiled with Microsoft Visual
3408 C++ (i.e., it's a property of the Cygwin console window or Bash;
3409 it happens if TShark is not built with Cygwin - for all I know,
3410 building it with Cygwin may make the problem go away). */
3412 /* tell the read to stop */
3413 read_interrupted = TRUE;
3419 read_cleanup(int signum _U_)
3421 /* tell the read to stop */
3422 read_interrupted = TRUE;
3433 static pass_status_t
3434 process_cap_file_first_pass(capture_file *cf, int max_packet_count,
3435 gint64 max_byte_count, int *err, gchar **err_info)
3439 epan_dissect_t *edt = NULL;
3441 pass_status_t status = PASS_SUCCEEDED;
3444 wtap_rec_init(&rec);
3445 ws_buffer_init(&buf, 1514);
3447 /* Allocate a frame_data_sequence for all the frames. */
3448 cf->provider.frames = new_frame_data_sequence();
3450 if (do_dissection) {
3451 gboolean create_proto_tree;
3454 * Determine whether we need to create a protocol tree.
3457 * we're going to apply a read filter;
3459 * we're going to apply a display filter;
3461 * a postdissector wants field values or protocols
3462 * on the first pass.
3465 (cf->rfcode != NULL || cf->dfcode != NULL || postdissectors_want_hfids() || dissect_color);
3467 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3469 /* We're not going to display the protocol tree on this pass,
3470 so it's not going to be "visible". */
3471 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3474 ws_debug("tshark: reading records for first pass");
3476 while (wtap_read(cf->provider.wth, &rec, &buf, err, err_info, &data_offset)) {
3477 if (read_interrupted) {
3478 status = PASS_INTERRUPTED;
3483 if (process_packet_first_pass(cf, edt, data_offset, &rec, &buf)) {
3484 /* Stop reading if we hit a stop condition */
3485 if (max_packet_count > 0 && framenum >= max_packet_count) {
3486 ws_debug("tshark: max_packet_count (%d) reached", max_packet_count);
3487 *err = 0; /* This is not an error */
3490 if (max_byte_count != 0 && data_offset >= max_byte_count) {
3491 ws_debug("tshark: max_byte_count (%" PRId64 "/%" PRId64 ") reached",
3492 data_offset, max_byte_count);
3493 *err = 0; /* This is not an error */
3497 wtap_rec_reset(&rec);
3500 status = PASS_READ_ERROR;
3503 epan_dissect_free(edt);
3505 /* Close the sequential I/O side, to free up memory it requires. */
3506 wtap_sequential_close(cf->provider.wth);
3508 /* Allow the protocol dissectors to free up memory that they
3509 * don't need after the sequential run-through of the packets. */
3510 postseq_cleanup_all_protocols();
3512 cf->provider.prev_dis = NULL;
3513 cf->provider.prev_cap = NULL;
3515 ws_buffer_free(&buf);
3516 wtap_rec_cleanup(&rec);
3522 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt,
3523 frame_data *fdata, wtap_rec *rec,
3524 Buffer *buf, guint tap_flags _U_)
3528 wtap_block_t block = NULL;
3529 gint64 elapsed_start;
3531 /* If we're not running a display filter and we're not printing any
3532 packet information, we don't need to do a dissection. This means
3533 that all packets can be marked as 'passed'. */
3536 /* If we're going to print packet information, or we're going to
3537 run a read filter, or we're going to process taps, set up to
3538 do a dissection and do so. (This is the second pass of two
3539 passes over the packets; that's the pass where we print
3540 packet information or run taps.) */
3542 /* If we're running a display filter, prime the epan_dissect_t with that
3545 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3547 col_custom_prime_edt(edt, &cf->cinfo);
3549 output_fields_prime_edt(edt, output_fields);
3550 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
3551 * information from our 'frame' protocol.
3553 if (output_fields_num_fields(output_fields) != 0 &&
3554 output_action == WRITE_XML) {
3555 epan_dissect_prime_with_hfid(edt, proto_registrar_get_id_byname("frame"));
3558 /* We only need the columns if either
3559 1) some tap or filter needs the columns
3561 2) we're printing packet info but we're *not* verbose; in verbose
3562 mode, we print the protocol tree, not the protocol summary.
3564 3) there is a column mapped to an individual field
3566 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
3571 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3572 &cf->provider.ref, cf->provider.prev_dis);
3573 if (cf->provider.ref == fdata) {
3575 cf->provider.ref = &ref_frame;
3578 if (dissect_color) {
3579 color_filters_prime_edt(edt);
3580 fdata->need_colorize = 1;
3583 /* epan_dissect_run (and epan_dissect_reset) unref the block.
3584 * We need it later, e.g. in order to copy the options. */
3585 block = wtap_block_ref(rec->block);
3586 elapsed_start = g_get_monotonic_time();
3587 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
3588 frame_tvbuff_new_buffer(&cf->provider, fdata, buf),
3590 tshark_elapsed.second_pass.dissect += g_get_monotonic_time() - elapsed_start;
3592 /* Run the display filter if we have one. */
3594 elapsed_start = g_get_monotonic_time();
3595 passed = dfilter_apply_edt(cf->dfcode, edt);
3596 tshark_elapsed.second_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
3601 frame_data_set_after_dissect(fdata, &cum_bytes);
3602 /* Process this packet. */
3603 if (print_packet_info) {
3604 /* We're printing packet information; print the information for
3606 print_packet(cf, edt);
3608 /* If we're doing "line-buffering", flush the standard output
3609 after every packet. See the comment above, for the "-l"
3610 option, for an explanation of why we do that. */
3614 if (ferror(stdout)) {
3615 show_print_file_io_error();
3619 cf->provider.prev_dis = fdata;
3621 cf->provider.prev_cap = fdata;
3624 epan_dissect_reset(edt);
3627 return passed || fdata->dependent_of_displayed;
3631 process_new_idbs(wtap *wth, wtap_dumper *pdh, int *err, gchar **err_info)
3633 wtap_block_t if_data;
3635 while ((if_data = wtap_get_next_interface_description(wth)) != NULL) {
3637 * Only add interface blocks if the output file supports (meaning
3640 * That mean that the abstract interface provided by libwiretap
3641 * involves WTAP_BLOCK_IF_ID_AND_INFO blocks.
3644 if (wtap_file_type_subtype_supports_block(wtap_dump_file_type_subtype(pdh), WTAP_BLOCK_IF_ID_AND_INFO) != BLOCK_NOT_SUPPORTED) {
3645 if (!wtap_dump_add_idb(pdh, if_data, err, err_info))
3653 static pass_status_t
3654 process_cap_file_second_pass(capture_file *cf, wtap_dumper *pdh,
3655 int *err, gchar **err_info,
3656 volatile guint32 *err_framenum,
3657 int max_write_packet_count)
3662 int write_framenum = 0;
3664 gboolean filtering_tap_listeners;
3666 epan_dissect_t *edt = NULL;
3667 pass_status_t status = PASS_SUCCEEDED;
3670 * Process whatever IDBs we haven't seen yet. This will be all
3671 * the IDBs in the file, as we've finished reading it; they'll
3672 * all be at the beginning of the output file.
3674 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3676 return PASS_WRITE_ERROR;
3679 wtap_rec_init(&rec);
3680 ws_buffer_init(&buf, 1514);
3682 /* Do we have any tap listeners with filters? */
3683 filtering_tap_listeners = have_filtering_tap_listeners();
3685 /* Get the union of the flags for all tap listeners. */
3686 tap_flags = union_of_tap_listener_flags();
3688 if (do_dissection) {
3689 gboolean create_proto_tree;
3692 * Determine whether we need to create a protocol tree.
3695 * we're going to apply a display filter;
3697 * we're going to print the protocol tree;
3699 * one of the tap listeners requires a protocol tree;
3701 * we have custom columns (which require field values, which
3702 * currently requires that we build a protocol tree).
3705 (cf->dfcode || print_details || filtering_tap_listeners ||
3706 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo) || dissect_color);
3708 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3710 /* The protocol tree will be "visible", i.e., nothing faked, only if
3711 we're printing packet details, which is true if we're printing stuff
3712 ("print_packet_info" is true) and we're in verbose mode
3713 ("packet_details" is true). But if we specified certain fields with
3714 "-e", we'll prime those directly later. */
3715 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3716 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3720 * Force synchronous resolution of IP addresses; in this pass, we
3721 * can't do it in the background and fix up past dissections.
3723 set_resolution_synchrony(TRUE);
3725 for (framenum = 1; framenum <= (int)cf->count; framenum++) {
3726 if (read_interrupted) {
3727 status = PASS_INTERRUPTED;
3730 fdata = frame_data_sequence_find(cf->provider.frames, framenum);
3731 if (!wtap_seek_read(cf->provider.wth, fdata->file_off, &rec, &buf, err,
3733 /* Error reading from the input file. */
3734 status = PASS_READ_ERROR;
3737 ws_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3738 if (process_packet_second_pass(cf, edt, fdata, &rec, &buf, tap_flags)) {
3739 /* Either there's no read filtering or this packet passed the
3740 filter, so, if we're writing to a capture file, write
3744 ws_debug("tshark: writing packet #%d to outfile packet #%d", framenum, write_framenum);
3745 if (!wtap_dump(pdh, &rec, ws_buffer_start_ptr(&buf), err, err_info)) {
3746 /* Error writing to the output file. */
3747 ws_debug("tshark: error writing to a capture file (%d)", *err);
3748 *err_framenum = framenum;
3749 status = PASS_WRITE_ERROR;
3752 /* Stop reading if we hit a stop condition */
3753 if (max_write_packet_count > 0 && write_framenum >= max_write_packet_count) {
3754 ws_debug("tshark: max_write_packet_count (%d) reached", max_write_packet_count);
3755 *err = 0; /* This is not an error */
3760 wtap_rec_reset(&rec);
3764 epan_dissect_free(edt);
3766 ws_buffer_free(&buf);
3767 wtap_rec_cleanup(&rec);
3772 static pass_status_t
3773 process_cap_file_single_pass(capture_file *cf, wtap_dumper *pdh,
3774 int max_packet_count, gint64 max_byte_count,
3775 int max_write_packet_count,
3776 int *err, gchar **err_info,
3777 volatile guint32 *err_framenum)
3781 gboolean create_proto_tree = FALSE;
3782 gboolean filtering_tap_listeners;
3785 int write_framenum = 0;
3786 epan_dissect_t *edt = NULL;
3788 pass_status_t status = PASS_SUCCEEDED;
3790 wtap_rec_init(&rec);
3791 ws_buffer_init(&buf, 1514);
3793 /* Do we have any tap listeners with filters? */
3794 filtering_tap_listeners = have_filtering_tap_listeners();
3796 /* Get the union of the flags for all tap listeners. */
3797 tap_flags = union_of_tap_listener_flags();
3799 if (do_dissection) {
3801 * Determine whether we need to create a protocol tree.
3804 * we're going to apply a read filter;
3806 * we're going to apply a display filter;
3808 * we're going to print the protocol tree;
3810 * one of the tap listeners is going to apply a filter;
3812 * one of the tap listeners requires a protocol tree;
3814 * a postdissector wants field values or protocols
3815 * on the first pass;
3817 * we have custom columns (which require field values, which
3818 * currently requires that we build a protocol tree).
3821 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3822 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3823 have_custom_cols(&cf->cinfo) || dissect_color);
3825 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3827 /* The protocol tree will be "visible", i.e., nothing faked, only if
3828 we're printing packet details, which is true if we're printing stuff
3829 ("print_packet_info" is true) and we're in verbose mode
3830 ("packet_details" is true). But if we specified certain fields with
3831 "-e", we'll prime those directly later. */
3832 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3833 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3837 * Force synchronous resolution of IP addresses; we're doing only
3838 * one pass, so we can't do it in the background and fix up past
3841 set_resolution_synchrony(TRUE);
3844 while (wtap_read(cf->provider.wth, &rec, &buf, err, err_info, &data_offset)) {
3845 if (read_interrupted) {
3846 status = PASS_INTERRUPTED;
3852 * Process whatever IDBs we haven't seen yet.
3854 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3855 *err_framenum = framenum;
3856 status = PASS_WRITE_ERROR;
3860 ws_debug("tshark: processing packet #%d", framenum);
3862 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3864 if (process_packet_single_pass(cf, edt, data_offset, &rec, &buf, tap_flags)) {
3865 /* Either there's no read filtering or this packet passed the
3866 filter, so, if we're writing to a capture file, write
3870 ws_debug("tshark: writing packet #%d to outfile as #%d",
3871 framenum, write_framenum);
3872 if (!wtap_dump(pdh, &rec, ws_buffer_start_ptr(&buf), err, err_info)) {
3873 /* Error writing to the output file. */
3874 ws_debug("tshark: error writing to a capture file (%d)", *err);
3875 *err_framenum = framenum;
3876 status = PASS_WRITE_ERROR;
3881 /* Stop reading if we hit a stop condition */
3882 if (max_packet_count > 0 && framenum >= max_packet_count) {
3883 ws_debug("tshark: max_packet_count (%d) reached", max_packet_count);
3884 *err = 0; /* This is not an error */
3887 if (max_write_packet_count > 0 && write_framenum >= max_write_packet_count) {
3888 ws_debug("tshark: max_write_packet_count (%d) reached", max_write_packet_count);
3889 *err = 0; /* This is not an error */
3892 if (max_byte_count != 0 && data_offset >= max_byte_count) {
3893 ws_debug("tshark: max_byte_count (%" PRId64 "/%" PRId64 ") reached",
3894 data_offset, max_byte_count);
3895 *err = 0; /* This is not an error */
3898 wtap_rec_reset(&rec);
3900 if (status == PASS_SUCCEEDED) {
3902 /* Error reading from the input file. */
3903 status = PASS_READ_ERROR;
3906 * Process whatever IDBs we haven't seen yet.
3908 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3909 *err_framenum = framenum;
3910 status = PASS_WRITE_ERROR;
3916 epan_dissect_free(edt);
3918 ws_buffer_free(&buf);
3919 wtap_rec_cleanup(&rec);
3924 static process_file_status_t
3925 process_cap_file(capture_file *cf, char *save_file, int out_file_type,
3926 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count,
3927 int max_write_packet_count)
3929 process_file_status_t status = PROCESS_FILE_SUCCEEDED;
3932 struct sigaction action, oldaction;
3934 int err = 0, err_pass1 = 0;
3935 gchar *err_info = NULL, *err_info_pass1 = NULL;
3936 volatile guint32 err_framenum;
3937 wtap_dump_params params = WTAP_DUMP_PARAMS_INIT;
3938 char *shb_user_appl;
3939 pass_status_t first_pass_status, second_pass_status;
3940 gint64 elapsed_start;
3942 if (save_file != NULL) {
3943 /* Set up to write to the capture file. */
3944 wtap_dump_params_init_no_idbs(¶ms, cf->provider.wth);
3946 /* If we don't have an application name add TShark */
3947 if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3948 /* this is free'd by wtap_block_unref() later */
3949 wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "%s", get_appname_and_version());
3951 if (capture_comments != NULL) {
3952 for (guint i = 0; i < capture_comments->len; i++) {
3953 wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0),
3955 (char *)g_ptr_array_index(capture_comments, i));
3959 ws_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3960 if (strcmp(save_file, "-") == 0) {
3961 /* Write to the standard output. */
3962 pdh = wtap_dump_open_stdout(out_file_type, WTAP_UNCOMPRESSED, ¶ms,
3965 pdh = wtap_dump_open(save_file, out_file_type, WTAP_UNCOMPRESSED, ¶ms,
3969 g_free(params.idb_inf);
3970 params.idb_inf = NULL;
3973 /* We couldn't set up to write to the capture file. */
3974 cfile_dump_open_failure_message(save_file, err, err_info,
3976 status = PROCESS_FILE_NO_FILE_PROCESSED;
3980 /* Set up to print packet information. */
3981 if (print_packet_info) {
3982 if (!write_preamble(cf)) {
3983 show_print_file_io_error();
3984 status = PROCESS_FILE_NO_FILE_PROCESSED;
3992 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
3993 SetConsoleCtrlHandler(read_cleanup, TRUE);
3995 /* Catch SIGINT and SIGTERM and, if we get either of them,
3996 clean up and exit. If SIGHUP isn't being ignored, catch
3997 it too and, if we get it, clean up and exit.
3999 We restart any read that was in progress, so that it doesn't
4000 disrupt reading from the sync pipe. The signal handler tells
4001 the capture child to finish; it will report that it finished,
4002 or will exit abnormally, so we'll stop reading from the sync
4003 pipe, pick up the exit status, and quit. */
4004 memset(&action, 0, sizeof(action));
4005 action.sa_handler = read_cleanup;
4006 action.sa_flags = SA_RESTART;
4007 sigemptyset(&action.sa_mask);
4008 sigaction(SIGTERM, &action, NULL);
4009 sigaction(SIGINT, &action, NULL);
4010 sigaction(SIGHUP, NULL, &oldaction);
4011 if (oldaction.sa_handler == SIG_DFL)
4012 sigaction(SIGHUP, &action, NULL);
4015 if (perform_two_pass_analysis) {
4016 ws_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4018 elapsed_start = g_get_monotonic_time();
4019 first_pass_status = process_cap_file_first_pass(cf, max_packet_count,
4023 tshark_elapsed.elapsed_first_pass = g_get_monotonic_time() - elapsed_start;
4025 ws_debug("tshark: done with first pass");
4027 if (first_pass_status == PASS_INTERRUPTED) {
4028 /* The first pass was interrupted; skip the second pass.
4029 It won't be run, so it won't get an error. */
4030 second_pass_status = PASS_SUCCEEDED;
4033 * If we got a read error on the first pass, we still do the second
4034 * pass, so we can at least process the packets we read, and then
4035 * report the first-pass error after the second pass (and before
4036 * we report any second-pass errors), so all the errors show up
4039 elapsed_start = g_get_monotonic_time();
4040 second_pass_status = process_cap_file_second_pass(cf, pdh, &err, &err_info,
4042 max_write_packet_count);
4043 tshark_elapsed.elapsed_second_pass = g_get_monotonic_time() - elapsed_start;
4045 ws_debug("tshark: done with second pass");
4049 /* !perform_two_pass_analysis */
4050 ws_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4052 first_pass_status = PASS_SUCCEEDED; /* There is no first pass */
4054 elapsed_start = g_get_monotonic_time();
4055 second_pass_status = process_cap_file_single_pass(cf, pdh,
4058 max_write_packet_count,
4061 tshark_elapsed.elapsed_first_pass = g_get_monotonic_time() - elapsed_start;
4063 ws_debug("tshark: done with single pass");
4066 if (first_pass_status != PASS_SUCCEEDED ||
4067 second_pass_status != PASS_SUCCEEDED) {
4069 * At least one of the passes didn't succeed; either it got a failure
4070 * or it was interrupted.
4072 if (first_pass_status != PASS_INTERRUPTED ||
4073 second_pass_status != PASS_INTERRUPTED) {
4074 /* At least one of the passes got an error. */
4075 ws_debug("tshark: something failed along the line (%d)", err);
4077 * If we're printing packet data, and the standard output and error
4078 * are going to the same place, flush the standard output, so everything
4079 * buffered up is written, and then print a newline to the standard
4080 * error before printing the error message, to separate it from the
4081 * packet data. (Alas, that only works on UN*X; st_dev is meaningless,
4082 * and the _fstat() documentation at Microsoft doesn't indicate whether
4083 * st_ino is even supported.)
4086 if (print_packet_info) {
4087 ws_statb64 stat_stdout, stat_stderr;
4089 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
4090 if (stat_stdout.st_dev == stat_stderr.st_dev &&
4091 stat_stdout.st_ino == stat_stderr.st_ino) {
4093 fprintf(stderr, "\n");
4099 /* Report status of pass 1 of two-pass processing. */
4100 switch (first_pass_status) {
4102 case PASS_SUCCEEDED:
4106 case PASS_READ_ERROR:
4108 cfile_read_failure_message(cf->filename, err_pass1, err_info_pass1);
4109 status = PROCESS_FILE_ERROR;
4112 case PASS_WRITE_ERROR:
4113 /* Won't happen on the first pass. */
4116 case PASS_INTERRUPTED:
4117 /* Not an error, so nothing to report. */
4118 status = PROCESS_FILE_INTERRUPTED;
4122 /* Report status of pass 2 of two-pass processing or the only pass
4123 of one-pass processing. */
4124 switch (second_pass_status) {
4126 case PASS_SUCCEEDED:
4130 case PASS_READ_ERROR:
4132 cfile_read_failure_message(cf->filename, err, err_info);
4133 status = PROCESS_FILE_ERROR;
4136 case PASS_WRITE_ERROR:
4138 XXX - framenum is not necessarily the frame number in
4139 the input file if there was a read filter. */
4140 cfile_write_failure_message(cf->filename, save_file, err, err_info,
4141 err_framenum, out_file_type);
4142 status = PROCESS_FILE_ERROR;
4145 case PASS_INTERRUPTED:
4146 /* Not an error, so nothing to report. */
4147 status = PROCESS_FILE_INTERRUPTED;
4151 if (save_file != NULL) {
4152 if (second_pass_status != PASS_WRITE_ERROR) {
4153 if (pdh && out_file_name_res) {
4154 /* XXX: This doesn't work as expected. First, it should be
4155 * moved to between the first and second passes (if doing
4156 * two-pass mode), so that the new NRB appears before packets,
4157 * which is better for subsequent one-pass mode. It never works
4158 * well in one-pass mode.
4160 * Second, it only writes hosts that we've done lookups for,
4161 * which means unless packet details are printed (or there's
4162 * a display filter that matches something that will do a host
4163 * lookup, e.g. -Y "ip") it doesn't actually have anything
4164 * in the list to save. Notably, that includes the case of
4165 * "tshark [-2] -H hosts.txt -r <infile> -w <outfile>",
4166 * which a user would certainly expect to dissect packets,
4167 * lookup hostnames, and add them to an NRB for later use.
4168 * A workaround is if "-V > /dev/null" is added, but who
4171 * A third issue is that name resolution blocks aren't
4172 * written for live captures.
4174 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
4175 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
4176 wtap_file_type_subtype_name(out_file_type));
4179 /* Now close the capture file. */
4180 if (!wtap_dump_close(pdh, NULL, &err, &err_info)) {
4181 cfile_close_failure_message(save_file, err, err_info);
4182 status = PROCESS_FILE_ERROR;
4185 /* We got a write error; it was reported, so just close the dump file
4186 without bothering to check for further errors. */
4187 wtap_dump_close(pdh, NULL, &err, &err_info);
4189 status = PROCESS_FILE_ERROR;
4192 if (print_packet_info) {
4193 if (!write_finale()) {
4194 show_print_file_io_error();
4195 status = PROCESS_FILE_ERROR;
4201 wtap_close(cf->provider.wth);
4202 cf->provider.wth = NULL;
4204 wtap_dump_params_cleanup(¶ms);
4210 process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,
4211 wtap_rec *rec, Buffer *buf, guint tap_flags _U_)
4216 wtap_block_t block = NULL;
4217 gint64 elapsed_start;
4219 /* Count this packet. */
4222 /* If we're not running a display filter and we're not printing any
4223 packet information, we don't need to do a dissection. This means
4224 that all packets can be marked as 'passed'. */
4227 frame_data_init(&fdata, cf->count, rec, offset, cum_bytes);
4229 /* If we're going to print packet information, or we're going to
4230 run a read filter, or we're going to process taps, set up to
4231 do a dissection and do so. (This is the one and only pass
4232 over the packets, so, if we'll be printing packet information
4233 or running taps, we'll be doing it here.) */
4235 /* If we're running a filter, prime the epan_dissect_t with that
4238 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
4240 /* This is the first and only pass, so prime the epan_dissect_t
4241 with the hfids postdissectors want on the first pass. */
4242 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
4244 col_custom_prime_edt(edt, &cf->cinfo);
4246 output_fields_prime_edt(edt, output_fields);
4247 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
4248 * information from our 'frame' protocol.
4250 if (output_fields_num_fields(output_fields) != 0 &&
4251 output_action == WRITE_XML) {
4252 epan_dissect_prime_with_hfid(edt, proto_registrar_get_id_byname("frame"));
4255 /* We only need the columns if either
4256 1) some tap or filter needs the columns
4258 2) we're printing packet info but we're *not* verbose; in verbose
4259 mode, we print the protocol tree, not the protocol summary.
4261 3) there is a column mapped as an individual field */
4262 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
4267 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
4268 &cf->provider.ref, cf->provider.prev_dis);
4269 if (cf->provider.ref == &fdata) {
4271 cf->provider.ref = &ref_frame;
4274 if (dissect_color) {
4275 color_filters_prime_edt(edt);
4276 fdata.need_colorize = 1;
4279 /* epan_dissect_run (and epan_dissect_reset) unref the block.
4280 * We need it later, e.g. in order to copy the options. */
4281 block = wtap_block_ref(rec->block);
4282 elapsed_start = g_get_monotonic_time();
4283 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
4284 frame_tvbuff_new_buffer(&cf->provider, &fdata, buf),
4286 tshark_elapsed.first_pass.dissect += g_get_monotonic_time() - elapsed_start;
4288 /* Run the filter if we have it. */
4290 elapsed_start = g_get_monotonic_time();
4291 passed = dfilter_apply_edt(cf->dfcode, edt);
4292 tshark_elapsed.first_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
4297 frame_data_set_after_dissect(&fdata, &cum_bytes);
4299 /* Process this packet. */
4300 if (print_packet_info) {
4301 /* We're printing packet information; print the information for
4304 print_packet(cf, edt);
4306 /* If we're doing "line-buffering", flush the standard output
4307 after every packet. See the comment above, for the "-l"
4308 option, for an explanation of why we do that. */
4312 if (ferror(stdout)) {
4313 show_print_file_io_error();
4318 /* this must be set after print_packet() [bug #8160] */
4319 prev_dis_frame = fdata;
4320 cf->provider.prev_dis = &prev_dis_frame;
4323 prev_cap_frame = fdata;
4324 cf->provider.prev_cap = &prev_cap_frame;
4327 epan_dissect_reset(edt);
4328 frame_data_destroy(&fdata);
4335 write_preamble(capture_file *cf)
4337 switch (output_action) {
4340 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
4344 write_pdml_preamble(stdout, cf->filename);
4346 write_psml_preamble(&cf->cinfo, stdout);
4347 return !ferror(stdout);
4350 write_fields_preamble(output_fields, stdout);
4351 return !ferror(stdout);
4354 case WRITE_JSON_RAW:
4355 jdumper = write_json_preamble(stdout);
4356 return !ferror(stdout);
4362 ws_assert_not_reached();
4368 get_line_buf(size_t len)
4370 static char *line_bufp = NULL;
4371 static size_t line_buf_len = 256;
4372 size_t new_line_buf_len;
4374 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
4375 new_line_buf_len *= 2)
4377 if (line_bufp == NULL) {
4378 line_buf_len = new_line_buf_len;
4379 line_bufp = (char *)g_malloc(line_buf_len + 1);
4381 if (new_line_buf_len > line_buf_len) {
4382 line_buf_len = new_line_buf_len;
4383 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
4390 put_string(char *dest, const char *str, size_t str_len)
4392 memcpy(dest, str, str_len);
4393 dest[str_len] = '\0';
4397 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
4401 for (i = str_len; i < str_with_spaces; i++)
4404 put_string(dest, str, str_len);
4408 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
4412 memcpy(dest, str, str_len);
4413 for (i = str_len; i < str_with_spaces; i++)
4416 dest[str_with_spaces] = '\0';
4420 print_columns(capture_file *cf, const epan_dissect_t *edt)
4427 col_item_t* col_item;
4428 gchar str_format[11];
4429 const color_filter_t *color_filter = NULL;
4431 line_bufp = get_line_buf(256);
4436 color_filter = edt->pi.fd->color_filter;
4438 for (i = 0; i < cf->cinfo.num_cols; i++) {
4439 col_item = &cf->cinfo.columns[i];
4440 /* Skip columns not marked as visible. */
4441 if (!get_column_visible(i))
4443 const gchar* col_text = get_column_text(&cf->cinfo, i);
4444 switch (col_item->col_fmt) {
4446 column_len = col_len = strlen(col_text);
4449 line_bufp = get_line_buf(buf_offset + column_len);
4450 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4456 case COL_ABS_YMD_TIME: /* XXX - wider */
4457 case COL_ABS_YDOY_TIME: /* XXX - wider */
4459 case COL_UTC_YMD_TIME: /* XXX - wider */
4460 case COL_UTC_YDOY_TIME: /* XXX - wider */
4461 column_len = col_len = strlen(col_text);
4462 if (column_len < 10)
4464 line_bufp = get_line_buf(buf_offset + column_len);
4465 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4471 case COL_DEF_DL_SRC:
4472 case COL_RES_DL_SRC:
4473 case COL_UNRES_DL_SRC:
4474 case COL_DEF_NET_SRC:
4475 case COL_RES_NET_SRC:
4476 case COL_UNRES_NET_SRC:
4477 column_len = col_len = strlen(col_text);
4478 if (column_len < 12)
4480 line_bufp = get_line_buf(buf_offset + column_len);
4481 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4487 case COL_DEF_DL_DST:
4488 case COL_RES_DL_DST:
4489 case COL_UNRES_DL_DST:
4490 case COL_DEF_NET_DST:
4491 case COL_RES_NET_DST:
4492 case COL_UNRES_NET_DST:
4493 column_len = col_len = strlen(col_text);
4494 if (column_len < 12)
4496 line_bufp = get_line_buf(buf_offset + column_len);
4497 put_string_spaces(line_bufp + buf_offset, col_text, col_len, column_len);
4501 column_len = strlen(col_text);
4502 line_bufp = get_line_buf(buf_offset + column_len);
4503 put_string(line_bufp + buf_offset, col_text, column_len);
4506 buf_offset += column_len;
4507 if (i != cf->cinfo.num_cols - 1) {
4509 * This isn't the last column, so we need to print a
4510 * separator between this column and the next.
4512 * If we printed a network source and are printing a
4513 * network destination of the same type next, separate
4514 * them with a UTF-8 right arrow; if we printed a network
4515 * destination and are printing a network source of the same
4516 * type next, separate them with a UTF-8 left arrow;
4517 * otherwise separate them with a space.
4519 * We add enough space to the buffer for " \xe2\x86\x90 "
4520 * or " \xe2\x86\x92 ", even if we're only adding " ".
4522 line_bufp = get_line_buf(buf_offset + 5);
4523 switch (col_item->col_fmt) {
4528 switch (cf->cinfo.columns[i+1].col_fmt) {
4533 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4534 put_string(line_bufp + buf_offset, str_format, 5);
4539 put_string(line_bufp + buf_offset, delimiter_char, 1);
4545 case COL_DEF_DL_SRC:
4546 case COL_RES_DL_SRC:
4547 case COL_UNRES_DL_SRC:
4548 switch (cf->cinfo.columns[i+1].col_fmt) {
4550 case COL_DEF_DL_DST:
4551 case COL_RES_DL_DST:
4552 case COL_UNRES_DL_DST:
4553 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4554 put_string(line_bufp + buf_offset, str_format, 5);
4559 put_string(line_bufp + buf_offset, delimiter_char, 1);
4565 case COL_DEF_NET_SRC:
4566 case COL_RES_NET_SRC:
4567 case COL_UNRES_NET_SRC:
4568 switch (cf->cinfo.columns[i+1].col_fmt) {
4570 case COL_DEF_NET_DST:
4571 case COL_RES_NET_DST:
4572 case COL_UNRES_NET_DST:
4573 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4574 put_string(line_bufp + buf_offset, str_format, 5);
4579 put_string(line_bufp + buf_offset, delimiter_char, 1);
4588 switch (cf->cinfo.columns[i+1].col_fmt) {
4593 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4594 put_string(line_bufp + buf_offset, str_format, 5);
4599 put_string(line_bufp + buf_offset, delimiter_char, 1);
4605 case COL_DEF_DL_DST:
4606 case COL_RES_DL_DST:
4607 case COL_UNRES_DL_DST:
4608 switch (cf->cinfo.columns[i+1].col_fmt) {
4610 case COL_DEF_DL_SRC:
4611 case COL_RES_DL_SRC:
4612 case COL_UNRES_DL_SRC:
4613 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4614 put_string(line_bufp + buf_offset, str_format, 5);
4619 put_string(line_bufp + buf_offset, delimiter_char, 1);
4625 case COL_DEF_NET_DST:
4626 case COL_RES_NET_DST:
4627 case COL_UNRES_NET_DST:
4628 switch (cf->cinfo.columns[i+1].col_fmt) {
4630 case COL_DEF_NET_SRC:
4631 case COL_RES_NET_SRC:
4632 case COL_UNRES_NET_SRC:
4633 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4634 put_string(line_bufp + buf_offset, str_format, 5);
4639 put_string(line_bufp + buf_offset, delimiter_char, 1);
4646 put_string(line_bufp + buf_offset, delimiter_char, 1);
4653 if (dissect_color && color_filter != NULL)
4654 return print_line_color(print_stream, 0, line_bufp, &color_filter->fg_color, &color_filter->bg_color);
4656 return print_line(print_stream, 0, line_bufp);
4660 print_packet(capture_file *cf, epan_dissect_t *edt)
4662 if (print_summary || output_fields_has_cols(output_fields))
4663 /* Just fill in the columns. */
4664 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4666 /* Print summary columns and/or protocol tree */
4667 switch (output_action) {
4670 if (print_summary && !print_columns(cf, edt))
4672 if (print_details) {
4673 if (!proto_tree_print(print_details ? print_dissections_expanded : print_dissections_none,
4674 print_hex, edt, output_only_tables, print_stream))
4677 if (!print_line(print_stream, 0, separator))
4684 if (print_summary) {
4685 write_psml_columns(edt, stdout, dissect_color);
4686 return !ferror(stdout);
4688 if (print_details) {
4689 write_pdml_proto_tree(output_fields, edt, &cf->cinfo, stdout, dissect_color);
4691 return !ferror(stdout);
4696 if (print_summary) {
4697 /*No non-verbose "fields" format */
4698 ws_assert_not_reached();
4700 if (print_details) {
4701 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4703 return !ferror(stdout);
4709 ws_assert_not_reached();
4710 if (print_details) {
4711 write_json_proto_tree(output_fields, print_dissections_expanded,
4712 print_hex, edt, &cf->cinfo, node_children_grouper, &jdumper);
4713 return !ferror(stdout);
4717 case WRITE_JSON_RAW:
4719 ws_assert_not_reached();
4720 if (print_details) {
4721 write_json_proto_tree(output_fields, print_dissections_none,
4722 TRUE, edt, &cf->cinfo, node_children_grouper, &jdumper);
4723 return !ferror(stdout);
4728 write_ek_proto_tree(output_fields, print_summary, print_hex,
4729 edt, &cf->cinfo, stdout);
4730 return !ferror(stdout);
4733 ws_assert_not_reached();
4737 if (print_summary || print_details) {
4738 if (!print_line(print_stream, 0, ""))
4741 if (!print_hex_data(print_stream, edt, hexdump_source_option | hexdump_ascii_option))
4743 if (!print_line(print_stream, 0, separator))
4752 switch (output_action) {
4755 return print_finale(print_stream);
4759 write_pdml_finale(stdout);
4761 write_psml_finale(stdout);
4762 return !ferror(stdout);
4765 write_fields_finale(output_fields, stdout);
4766 return !ferror(stdout);
4769 case WRITE_JSON_RAW:
4770 write_json_finale(&jdumper);
4771 return !ferror(stdout);
4777 ws_assert_not_reached();
4783 cf_close(capture_file *cf)
4785 if (cf->state == FILE_CLOSED)
4786 return; /* Nothing to do */
4788 if (cf->provider.wth != NULL) {
4789 wtap_close(cf->provider.wth);
4790 cf->provider.wth = NULL;
4792 /* We have no file open... */
4793 if (cf->filename != NULL) {
4794 /* If it's a temporary file, remove it. */
4795 if (cf->is_tempfile)
4796 ws_unlink(cf->filename);
4797 g_free(cf->filename);
4798 cf->filename = NULL;
4801 /* We have no file open. */
4802 cf->state = FILE_CLOSED;
4806 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4811 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4815 /* The open succeeded. Fill in the information for this file. */
4817 cf->provider.wth = wth;
4818 cf->f_datalen = 0; /* not used, but set it anyway */
4820 /* Set the file name because we need it to set the follow stream filter.
4821 XXX - is that still true? We need it for other reasons, though,
4823 cf->filename = g_strdup(fname);
4825 /* Indicate whether it's a permanent or temporary file. */
4826 cf->is_tempfile = is_tempfile;
4828 /* No user changes yet. */
4829 cf->unsaved_changes = FALSE;
4831 cf->cd_t = wtap_file_type_subtype(cf->provider.wth);
4832 cf->open_type = type;
4834 cf->drops_known = FALSE;
4836 cf->snap = wtap_snapshot_length(cf->provider.wth);
4837 nstime_set_zero(&cf->elapsed_time);
4838 cf->provider.ref = NULL;
4839 cf->provider.prev_dis = NULL;
4840 cf->provider.prev_cap = NULL;
4842 cf->state = FILE_READ_IN_PROGRESS;
4844 /* Create new epan session for dissection. */
4845 epan_free(cf->epan);
4846 cf->epan = tshark_epan_new(cf);
4848 wtap_set_cb_new_ipv4(cf->provider.wth, add_ipv4_name);
4849 wtap_set_cb_new_ipv6(cf->provider.wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4850 wtap_set_cb_new_secrets(cf->provider.wth, secrets_wtap_callback);
4855 cfile_open_failure_message(fname, *err, err_info);
4860 show_print_file_io_error(void)
4865 cmdarg_err("Not all the packets could be printed because there is "
4866 "no space left on the file system.");
4871 cmdarg_err("Not all the packets could be printed because you are "
4872 "too close to, or over your disk quota.");
4878 * This almost certainly means "the next program after us in
4879 * the pipeline exited before we were finished writing", so
4880 * this isn't a real error, it just means we're done. (We
4881 * don't get SIGPIPE because libwireshark ignores SIGPIPE
4882 * to avoid getting killed if writing to the MaxMind process
4883 * gets SIGPIPE because that process died.)
4885 * Presumably either that program exited deliberately (for
4886 * example, "head -N" read N lines and printed them), in
4887 * which case there's no error to report, or it terminated
4888 * due to an error or a signal, in which case *that's* the
4889 * error and that error has been reported.
4895 if (errno == EINVAL && _doserrno == ERROR_NO_DATA) {
4897 * XXX - on Windows, a write to a pipe where the read side
4898 * has been closed apparently may return the Windows error
4899 * ERROR_BROKEN_PIPE, which the Visual Studio C library maps
4900 * to EPIPE, or may return the Windows error ERROR_NO_DATA,
4901 * which the Visual Studio C library maps to EINVAL.
4903 * Either of those almost certainly means "the next program
4904 * after us in the pipeline exited before we were finished
4905 * writing", so, if _doserrno is ERROR_NO_DATA, this isn't
4906 * a real error, it just means we're done. (Windows doesn't
4909 * Presumably either that program exited deliberately (for
4910 * example, "head -N" read N lines and printed them), in
4911 * which case there's no error to report, or it terminated
4912 * due to an error or a signal, in which case *that's* the
4913 * error and that error has been reported.
4919 * It's a different error; report it, but with the error
4920 * message for _doserrno, which will give more detail
4921 * than just "Invalid argument".
4923 cmdarg_err("An error occurred while printing packets: %s.",
4924 win32strerror(_doserrno));
4926 cmdarg_err("An error occurred while printing packets: %s.",
4934 * Report an error in command-line arguments.
4937 tshark_cmdarg_err(const char *msg_format, va_list ap)
4939 fprintf(stderr, "tshark: ");
4940 vfprintf(stderr, msg_format, ap);
4941 fprintf(stderr, "\n");
4945 * Report additional information for an error in command-line arguments.
4948 tshark_cmdarg_err_cont(const char *msg_format, va_list ap)
4950 vfprintf(stderr, msg_format, ap);
4951 fprintf(stderr, "\n");
4955 reset_epan_mem(capture_file *cf,epan_dissect_t *edt, gboolean tree, gboolean visual)
4957 if (!epan_auto_reset || (cf->count < epan_auto_reset_count))
4960 fprintf(stderr, "resetting session.\n");
4962 epan_dissect_cleanup(edt);
4963 epan_free(cf->epan);
4965 cf->epan = tshark_epan_new(cf);
4966 epan_dissect_init(edt, cf->epan, tree, visual);
git.samba.org / metze / wireshark / wip.git / blob