S<[ B<-n> ]>
S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
S<[ B<-o> E<lt>preference settingE<gt> ] ...>
-S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-p> ]>
+S<[ B<-r> E<lt>pipeE<gt>|- ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
S<[ B<-s> ]>
S<[ B<-S> E<lt>field formatE<gt> ]>
useful. The other flags listed above follow the same conventions as
B<Wireshark> and B<TShark>.
-B<Rawshark> expects input records with the following format. Note that this
-matches the pcap_pkthdr struct and packet data used in libpcap.
+B<Rawshark> expects input records with the following format by default. This
+matches the format of the packet header and packet data in a libpcap-formatted
+file on disk.
struct rawshark_rec_s {
uint32_t ts_sec; /* Time stamp (seconds) */
uint8_t data[caplen]; /* Packet data */
};
+If B<-p> is supplied B<rawshark> expects the following format. This matches the
+pcap_pkthdr struct and packet data used in libpcap. Note that the time stamp
+value will match the previous format on some systems but not others.
+
+ struct rawshark_rec_s {
+ struct timeval ts; /* Time stamp */
+ uint32_t caplen; /* Length of the packet buffer */
+ uint32_t len; /* "On the wire" length of the packet */
+ uint8_t *data; /* Packet data */
+ };
+
+In either case, the endianness (byte ordering) of each integer must match the
+system on which B<rawshark> is running.
+
=head1 OUTPUT
If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.
-=item -r E<lt>input file or pipeE<gt>
+=item -p
+
+Assume that packet data is preceded by a pcap_pkthdr struct as defined in
+pcap.h. On some systems the size of the timestamp data will be different from
+the data written to disk. On other systems they are identical and this flag has
+no effect.
+
+=item -r E<lt>pipeE<gt>|-
-Read packet data from I<input source>. It can be a regular file or pipe,
-and must be have the record format specified above.
+Read packet data from I<input source>. It can be either the name of a FIFO
+(named pipe) or ``-'' to read data from the standard input, and must have
+the record format specified above.
=item -R E<lt>read (display) filterE<gt>
variable a number higher than the default (20) would make false positives
less likely.
+=item IPFIX_RECORDS_TO_CHECK
+
+This environment variable controls the number of IPFIX records checked when
+deciding if a file really is in the IPFIX format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
If this environment variable is set, B<Rawshark> will call abort(3)
exit abnormally; if you are running B<Rawshark> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
-your environment is configured correctly, generate a core dump file.
+your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.
+=item WIRESHARK_EP_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after each
+packet has been fully dissected. This can be useful to developers writing or
+auditing code.
+
+=item WIRESHARK_SE_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after when
+a capture file is closed. This can be useful to developers writing or
+auditing code.
+
=back
=head1 SEE ALSO