rawshark - Dump and analyze raw libpcap data
-=head1 SYNOPSYS
+=head1 SYNOPSIS
B<rawshark>
S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]>
S<[ B<-n> ]>
S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
S<[ B<-o> E<lt>preference settingE<gt> ] ...>
-S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-p> ]>
+S<[ B<-r> E<lt>pipeE<gt>|- ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
S<[ B<-s> ]>
S<[ B<-S> E<lt>field formatE<gt> ]>
useful. The other flags listed above follow the same conventions as
B<Wireshark> and B<TShark>.
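Review bot: the new synopsis form S<[ B<-r> E<lt>pipeE<gt>|- ]> drops the E<lt>infileE<gt> alternative the old line offered; if regular files are genuinely no longer accepted, that is a user-visible behaviour change the commit message or NEWS should call out, and if they still work the synopsis should keep naming them. Minor: the new B<-p> entry sits between B<-o> and B<-r>, which keeps the list alphabetical.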
-B<Rawshark> expects input records with the following format. Note that this
-matches the pcap_pkthdr struct and packet data used in libpcap.
+B<Rawshark> expects input records with the following format by default. This
+matches the format of the packet header and packet data in a libpcap-formatted
+file on disk.
struct rawshark_rec_s {
uint32_t ts_sec; /* Time stamp (seconds) */
uint8_t data[caplen]; /* Packet data */
};
+If B<-p> is supplied B<rawshark> expects the following format. This matches the
+pcap_pkthdr struct and packet data used in libpcap. Note that the time stamp
+value will match the previous format on some systems but not others.
+
+ struct rawshark_rec_s {
+ struct timeval ts; /* Time stamp */
+ uint32_t caplen; /* Length of the packet buffer */
+ uint32_t len; /* "On the wire" length of the packet */
+ uint8_t *data; /* Packet data */
+ };
+
+In either case, the endianness (byte ordering) of each integer must match the
+system on which B<rawshark> is running.
+
=head1 OUTPUT
If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
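Review bot: the B<-p> record layout declares C<uint8_t *data;>, which reads as if the stream carried a pointer value rather than the packet bytes; pcap_pkthdr itself has no data member, and the default layout above uses C<uint8_t data[caplen];>, so the B<-p> layout should use the same inline array to avoid suggesting a pointer-sized gap in the record. The sentence "will match the previous format on some systems but not others" should say what differs (the width of the C<struct timeval> members versus the 32-bit C<ts_sec> of the default layout), since that is what a reader needs to choose between the two modes. It would also help to document how B<rawshark> treats a C<caplen> that exceeds C<len> or a sane maximum, given that C<caplen> sizes the read from an untrusted pipe.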
Specify how the packet data should be dissected. The encapsulation is of the
form I<type>B<:>I<value>, where I<type> is one of:
-B<encap>:I<name> Packet data should be dissected using the libpcap data
-link type I<name>, e.g. B<encap:EN10MB> for Ethernet.
-
B<encap>:I<name> Packet data should be dissected using the libpcap data link
type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted
using pcap_datalink_name_to_val().
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.
-=item -r E<lt>input file or pipeE<gt>
+=item -p
+
+Assume that packet data is preceded by a pcap_pkthdr struct as defined in
+pcap.h. On some systems the size of the timestamp data will be different from
+the data written to disk. On other systems they are identical and this flag has
+no effect.
-Read packet data from I<input source>. It can be a regular file or pipe,
-and must be have the record format specified above.
+=item -r E<lt>pipeE<gt>|-
+
+Read packet data from I<input source>. It can be either the name of a FIFO
+(named pipe) or ``-'' to read data from the standard input, and must have
+the record format specified above.
=item -R E<lt>read (display) filterE<gt>
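Review bot: the B<-r> item header now reads E<lt>pipeE<gt>|- but its body still says "Read packet data from I<input source>", so the placeholder no longer matches the header; use I<pipe> in the body or otherwise keep the two consistent. In the B<-p> text, "On some systems the size of the timestamp data will be different" should name what differs (C<struct timeval> members wider than the 32-bit C<ts_sec> of the default layout), otherwise the reader cannot tell which systems need the flag. Style: C<-> is the conventional POD markup for the literal option value rather than ``-''.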
Print the version and exit.
-
=back
=head1 READ FILTER SYNTAX
whitespace. The same directory as for the personal preferences file is
used.
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPCAP on Windows. As such the Wireshark personal F<hosts> file
+will not be consulted for capture filter name resolution.
+
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
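Review bot: this paragraph describes capture filter name resolution, but B<rawshark> takes no capture filter and never opens an interface; per this page it reads pre-captured records from a pipe and applies only a read (display) filter via B<-R>. The text appears carried over from the wireshark/tshark pages and should be dropped or reworded to cover display-filter name resolution only. Also "WinPCAP" is spelled "WinPcap".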
The personal F<ethers> file is looked for in the same directory as the personal
preferences file.
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPCAP on Windows. As such the Wireshark personal F<ethers> file
+will not be consulted for capture filter name resolution.
+
=item Name Resolution (manuf)
The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
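Review bot: same problem as the paragraph added under the F<hosts> item: B<rawshark> has no capture filter, so saying the personal F<ethers> file is not consulted for capture filter name resolution describes a code path this program does not have; drop it or reword it for display-filter resolution. "WinPCAP" should be "WinPcap".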
=back
+=head1 ENVIRONMENT VARIABLES
+
+=over 4
+
+=item WIRESHARK_DEBUG_EP_NO_CHUNKS
+
+Normally per-packet memory is allocated in large "chunks." This behavior
+doesn't work well with debugging tools such as Valgrind or ElectricFence.
+Export this environment variable to force individual allocations.
+Note: disabling chunks also disables canaries (see below).
+
+=item WIRESHARK_DEBUG_SE_NO_CHUNKS
+
+Normally per-file memory is allocated in large "chunks." This behavior
+doesn't work well with debugging tools such as Valgrind or ElectricFence.
+Export this environment variable to force individual allocations.
+Note: disabling chunks also disables canaries (see below).
+
+=item WIRESHARK_DEBUG_EP_NO_CANARY
+
+Normally per-packet memory allocations are separated by "canaries" which
+allow detection of memory overruns. This comes at the expense of some extra
+memory usage. Exporting this environment variable disables these canaries.
+
+=item WIRESHARK_DEBUG_SE_USE_CANARY
+
+Exporting this environment variable causes per-file memory allocations to be
+protected with "canaries" which allow for detection of memory overruns.
+This comes at the expense of significant extra memory usage.
+
+=item WIRESHARK_DEBUG_SCRUB_MEMORY
+
+If this environment variable is exported, the contents of per-packet and
+per-file memory is initialized to 0xBADDCAFE when the memory is allocated
+and is reset to 0xDEADBEEF when the memory is freed. This functionality is
+useful mainly to developers looking for bugs in the way memory is handled.
+
+=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY
+
+This environment variable causes the plugins and other data files to be loaded
+from the build directory (where the program was compiled) rather than from the
+standard locations. It has no effect when the program in question is running
+with root (or setuid) permissions on *NIX.
+
+=item WIRESHARK_DATA_DIR
+
+This environment variable causes the various data files to be loaded from
+a directory other than the standard locations. It has no effect when the
+program in question is running with root (or setuid) permissions on *NIX.
+
+=item WIRESHARK_PYTHON_DIR
+
+This environment variable points to an alternate location for Python.
+It has no effect when the program in question is running with root (or setuid)
+permissions on *NIX.
+
+=item ERF_RECORDS_TO_CHECK
+
+This environment variable controls the number of ERF records checked when
+deciding if a file really is in the ERF format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item IPFIX_RECORDS_TO_CHECK
+
+This environment variable controls the number of IPFIX records checked when
+deciding if a file really is in the IPFIX format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
+
+If this environment variable is set, B<Rawshark> will call abort(3)
+when a dissector bug is encountered. abort(3) will cause the program to
+exit abnormally; if you are running B<Rawshark> in a debugger, it
+should halt in the debugger and allow inspection of the process, and, if
+you are not running it in a debugger, it will, on some OSes, assuming
+your environment is configured correctly, generate a core dump file.
+This can be useful to developers attempting to troubleshoot a problem
+with a protocol dissector.
+
+=item WIRESHARK_EP_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after each
+packet has been fully dissected. This can be useful to developers writing or
+auditing code.
+
+=item WIRESHARK_SE_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after when
+a capture file is closed. This can be useful to developers writing or
+auditing code.
+
+=back
+
=head1 SEE ALSO
wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
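Review bot: three wording fixes in the new section: under WIRESHARK_DEBUG_SCRUB_MEMORY, "the contents ... is initialized" should be "are initialized"; under ERF_RECORDS_TO_CHECK and IPFIX_RECORDS_TO_CHECK, "Setting this environment variable a number" is missing "to"; under WIRESHARK_SE_VERIFY_POINTERS, "deallocated after when a capture file is closed" should be "deallocated when". On applicability, several entries read as copied from the tshark page: B<rawshark> as described here reads a fixed record format from a pipe, so the ERF/IPFIX file-type detection variables and WIRESHARK_PYTHON_DIR may not affect it at all, and the WIRESHARK_DEBUG_SE_* and WIRESHARK_SE_VERIFY_POINTERS entries speak of "per-file" memory and "when a capture file is closed", which should be confirmed against what rawshark actually does before shipping. The "no effect when running with root (or setuid) permissions" notes are correct to keep, since those variables redirect where plugins and data files are loaded from.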