3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
52 #ifdef HAVE_SYS_STAT_H
53 # include <sys/stat.h>
57 #include "wsutil/wsgetopt.h"
62 #include <epan/exceptions.h>
63 #include <epan/epan-int.h>
64 #include <epan/epan.h>
65 #include <wsutil/crash_info.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/file_util.h>
68 #include <wsutil/filesystem.h>
71 #include <epan/timestamp.h>
72 #include <epan/packet.h>
74 #include <epan/wslua/init_wslua.h>
77 #include "frame_tvbuff.h"
78 #include <epan/disabled_protos.h>
79 #include <epan/prefs.h>
80 #include <epan/column.h>
81 #include <epan/print.h>
82 #include <epan/addr_resolv.h>
84 #include "clopts_common.h"
85 #include "cmdarg_err.h"
86 #include "version_info.h"
88 #include <epan/epan_dissect.h>
90 #include <epan/stat_cmd_args.h>
91 #include <epan/timestamp.h>
92 #include <epan/ex-opt.h>
94 #include "capture_opts.h"
97 #include "capture_ui_utils.h"
98 #include "capture_ifinfo.h"
99 #include "capture-pcap-util.h"
101 #include "capture-wpcap.h"
102 #include <wsutil/unicode-utils.h>
104 #include "capture_session.h"
105 #include "capture_sync.h"
106 #include "capture_opts.h"
107 #endif /* HAVE_LIBPCAP */
109 #include <epan/funnel.h>
112 #include <wsutil/plugins.h>
116 * This is the template for the decode as option; it is shared between the
117 * various functions that output the usage for this parameter.
119 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
121 static guint32 cum_bytes;
122 static const frame_data *ref;
123 static frame_data ref_frame;
124 static frame_data *prev_dis;
125 static frame_data prev_dis_frame;
126 static frame_data *prev_cap;
127 static frame_data prev_cap_frame;
129 static const char* prev_display_dissector_name = NULL;
131 static gboolean perform_two_pass_analysis;
134 * The way the packet decode is to be written.
137 WRITE_TEXT, /* summary or detail text */
138 WRITE_XML, /* PDML or PSML */
139 WRITE_FIELDS /* User defined list of fields */
140 /* Add CSV and the like here */
143 static output_action_e output_action;
144 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
145 static gboolean print_packet_info; /* TRUE if we're to print packet information */
146 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
147 static gboolean print_details; /* TRUE if we're to print packet details information */
148 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
149 static gboolean line_buffered;
150 static gboolean really_quiet = FALSE;
152 static print_format_e print_format = PR_FMT_TEXT;
153 static print_stream_t *print_stream;
155 static output_fields_t* output_fields = NULL;
157 /* The line separator used between packets, changeable via the -S option */
158 static const char *separator = "";
162 * TRUE if we're to print packet counts to keep track of captured packets.
164 static gboolean print_packet_counts;
166 static capture_options global_capture_opts;
167 static capture_session global_capture_session;
170 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
171 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
174 static gboolean capture(void);
175 static void report_counts(void);
177 static BOOL WINAPI capture_cleanup(DWORD);
179 static void capture_cleanup(int);
181 static void report_counts_siginfo(int);
184 #endif /* HAVE_LIBPCAP */
186 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
187 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
188 struct wtap_pkthdr *whdr, const guchar *pd,
190 static void show_capture_file_io_error(const char *, int, gboolean);
191 static void show_print_file_io_error(int err);
192 static gboolean write_preamble(capture_file *cf);
193 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
194 static gboolean write_finale(void);
195 static const char *cf_open_error_message(int err, gchar *err_info,
196 gboolean for_writing, int file_type);
198 static void open_failure_message(const char *filename, int err,
199 gboolean for_writing);
200 static void failure_message(const char *msg_format, va_list ap);
201 static void read_failure_message(const char *filename, int err);
202 static void write_failure_message(const char *filename, int err);
207 const char *sstr; /* The short string */
208 const char *lstr; /* The long string */
212 string_compare(gconstpointer a, gconstpointer b)
214 return strcmp(((const struct string_elem *)a)->sstr,
215 ((const struct string_elem *)b)->sstr);
219 string_elem_print(gpointer data, gpointer not_used _U_)
221 fprintf(stderr, " %s - %s\n",
222 ((struct string_elem *)data)->sstr,
223 ((struct string_elem *)data)->lstr);
227 list_capture_types(void) {
229 struct string_elem *captypes;
232 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
234 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
235 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
236 if (wtap_dump_can_open(i)) {
237 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
238 captypes[i].lstr = wtap_file_type_subtype_string(i);
239 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
242 g_slist_foreach(list, string_elem_print, NULL);
248 print_usage(gboolean print_ver)
255 "TShark " VERSION "%s\n"
256 "Dump and analyze network traffic.\n"
257 "See http://www.wireshark.org for more information.\n"
260 wireshark_svnversion, get_copyright_info());
264 fprintf(output, "\n");
265 fprintf(output, "Usage: tshark [options] ...\n");
266 fprintf(output, "\n");
269 fprintf(output, "Capture interface:\n");
270 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
271 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
272 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
273 fprintf(output, " -p don't capture in promiscuous mode\n");
274 #ifdef HAVE_PCAP_CREATE
275 fprintf(output, " -I capture in monitor mode, if available\n");
277 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
278 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
280 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
281 fprintf(output, " -D print list of interfaces and exit\n");
282 fprintf(output, " -L print list of link-layer types of iface and exit\n");
283 fprintf(output, "\n");
284 fprintf(output, "Capture stop conditions:\n");
285 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
286 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
287 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
288 fprintf(output, " files:NUM - stop after NUM files\n");
289 /*fprintf(output, "\n");*/
290 fprintf(output, "Capture output:\n");
291 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
292 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
293 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
294 #endif /* HAVE_LIBPCAP */
295 #ifdef HAVE_PCAP_REMOTE
296 fprintf(output, "RPCAP options:\n");
297 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
299 /*fprintf(output, "\n");*/
300 fprintf(output, "Input file:\n");
301 fprintf(output, " -r <infile> set the filename to read from (no pipes or stdin!)\n");
303 fprintf(output, "\n");
304 fprintf(output, "Processing:\n");
305 fprintf(output, " -2 perform a two-pass analysis\n");
306 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
307 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter syntax\n");
308 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
309 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
310 fprintf(output, " -d %s ...\n", decode_as_arg_template);
311 fprintf(output, " \"Decode As\", see the man page for details\n");
312 fprintf(output, " Example: tcp.port==8888,http\n");
313 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
314 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
316 /*fprintf(output, "\n");*/
317 fprintf(output, "Output:\n");
318 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
319 fprintf(output, " (or to the standard output for \"-\")\n");
320 fprintf(output, " -C <config profile> start with specified configuration profile\n");
321 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
322 fprintf(output, " an empty \"-F\" option will list the file types\n");
323 fprintf(output, " -V add output of packet tree (Packet Details)\n");
324 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
325 fprintf(output, " separated\n");
326 fprintf(output, " -P print packet summary even when writing to a file\n");
327 fprintf(output, " -S <separator> the line separator to print between packets\n");
328 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
329 fprintf(output, " -T pdml|ps|psml|text|fields\n");
330 fprintf(output, " format of text output (def: text)\n");
331 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port, _ws.col.Info);\n");
332 fprintf(output, " this option can be repeated to print multiple fields\n");
333 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
334 fprintf(output, " header=y|n switch headers on and off\n");
335 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
336 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
337 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
338 fprintf(output, " aggregator\n");
339 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
340 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
341 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
342 fprintf(output, " -l flush standard output after each packet\n");
343 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
344 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
345 fprintf(output, " -g enable group read access on the output file(s)\n");
346 fprintf(output, " -W n Save extra information in the file, if supported.\n");
347 fprintf(output, " n = write network address resolution information\n");
348 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
349 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
350 fprintf(output, " --capture-comment <comment>\n");
351 fprintf(output, " add a capture comment to the newly created\n");
352 fprintf(output, " output file (only for pcapng)\n");
354 fprintf(output, "\n");
355 fprintf(output, "Miscellaneous:\n");
356 fprintf(output, " -h display this help and exit\n");
357 fprintf(output, " -v display version info and exit\n");
358 fprintf(output, " -o <name>:<value> ... override preference setting\n");
359 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
360 fprintf(output, " -G [report] dump one of several available reports and exit\n");
361 fprintf(output, " default report=\"fields\"\n");
362 fprintf(output, " use \"-G ?\" for more help\n");
364 fprintf(output, "\n");
365 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
366 fprintf(output, "You might want to reset it\n");
367 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
368 fprintf(output, "\n");
374 glossary_option_help(void)
380 fprintf(output, "TShark " VERSION "%s\n", wireshark_svnversion);
382 fprintf(output, "\n");
383 fprintf(output, "Usage: tshark -G [report]\n");
384 fprintf(output, "\n");
385 fprintf(output, "Glossary table reports:\n");
386 fprintf(output, " -G column-formats dump column format codes and exit\n");
387 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
388 fprintf(output, " -G fields dump fields glossary and exit\n");
389 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
390 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
391 fprintf(output, " -G plugins dump installed plugins and exit\n");
392 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
393 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
394 fprintf(output, "\n");
395 fprintf(output, "Preference reports:\n");
396 fprintf(output, " -G currentprefs dump current preferences and exit\n");
397 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
398 fprintf(output, "\n");
402 * For a dissector table, print on the stream described by output,
403 * its short name (which is what's used in the "-d" option) and its
407 display_dissector_table_names(const char *table_name, const char *ui_name,
410 if ((prev_display_dissector_name == NULL) ||
411 (strcmp(prev_display_dissector_name, table_name) != 0)) {
412 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
413 prev_display_dissector_name = table_name;
418 * For a dissector handle, print on the stream described by output,
419 * the filter name (which is what's used in the "-d" option) and the full
420 * name for the protocol that corresponds to this handle.
423 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
426 const gchar *proto_filter_name;
427 const gchar *proto_ui_name;
429 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
431 if (proto_id != -1) {
432 proto_filter_name = proto_get_protocol_filter_name(proto_id);
433 proto_ui_name = proto_get_protocol_name(proto_id);
434 g_assert(proto_filter_name != NULL);
435 g_assert(proto_ui_name != NULL);
437 if ((prev_display_dissector_name == NULL) ||
438 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
439 fprintf((FILE *)output, "\t%s (%s)\n",
442 prev_display_dissector_name = proto_filter_name;
448 * The protocol_name_search structure is used by find_protocol_name_func()
449 * to pass parameters and store results
451 struct protocol_name_search{
452 gchar *searched_name; /* Protocol filter name we are looking for */
453 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
454 guint nb_match; /* How many dissectors matched searched_name */
456 typedef struct protocol_name_search *protocol_name_search_t;
459 * This function parses all dissectors associated with a table to find the
460 * one whose protocol has the specified filter name. It is called
461 * as a reference function in a call to dissector_table_foreach_handle.
462 * The name we are looking for, as well as the results, are stored in the
463 * protocol_name_search struct pointed to by user_data.
464 * If called using dissector_table_foreach_handle, we actually parse the
465 * whole list of dissectors.
468 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
472 const gchar *protocol_filter_name;
473 protocol_name_search_t search_info;
477 search_info = (protocol_name_search_t)user_data;
479 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
480 if (proto_id != -1) {
481 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
482 g_assert(protocol_filter_name != NULL);
483 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
485 if (search_info->nb_match == 0) {
486 /* Record this handle only if this is the first match */
487 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
489 search_info->nb_match++;
495 * Allow dissector key names to be sorted alphabetically
499 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
501 return strcmp((const char*)dissector_a, (const char*)dissector_b);
505 * Print all layer type names supported.
506 * We send the output to the stream described by the handle output.
510 fprint_all_layer_types(FILE *output)
513 prev_display_dissector_name = NULL;
514 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
518 * Print all protocol names supported for a specific layer type.
519 * table_name contains the layer type name in which the search is performed.
520 * We send the output to the stream described by the handle output.
524 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
527 prev_display_dissector_name = NULL;
528 dissector_table_foreach_handle(table_name,
529 display_dissector_names,
534 * The function below parses the command-line parameters for the decode as
535 * feature (a string pointer by cl_param).
536 * It checks the format of the command-line, searches for a matching table
537 * and dissector. If a table/dissector match is not found, we display a
538 * summary of the available tables/dissectors (on stderr) and return FALSE.
539 * If everything is fine, we get the "Decode as" preference activated,
540 * then we return TRUE.
543 add_decode_as(const gchar *cl_param)
546 guint32 selector, selector2;
547 gchar *decoded_param;
548 gchar *remaining_param;
550 gchar *dissector_str;
551 dissector_handle_t dissector_matching;
552 dissector_table_t table_matching;
553 ftenum_t dissector_table_selector_type;
554 struct protocol_name_search user_protocol_name;
558 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
561 decoded_param = g_strdup(cl_param);
562 g_assert(decoded_param);
565 /* The lines below will parse this string (modifying it) to extract all
566 necessary information. Note that decoded_param is still needed since
567 strings are not copied - we just save pointers. */
569 /* This section extracts a layer type (table_name) from decoded_param */
570 table_name = decoded_param; /* Layer type string starts from beginning */
572 remaining_param = strchr(table_name, '=');
573 if (remaining_param == NULL) {
574 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
575 /* If the argument does not follow the template, carry on anyway to check
576 if the table name is at least correct. If remaining_param is NULL,
577 we'll exit anyway further down */
580 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
583 /* Remove leading and trailing spaces from the table name */
584 while ( table_name[0] == ' ' )
586 while ( table_name[strlen(table_name) - 1] == ' ' )
587 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
589 /* The following part searches a table matching with the layer type specified */
590 table_matching = NULL;
592 /* Look for the requested table */
593 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
594 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
597 table_matching = find_dissector_table(table_name);
598 if (!table_matching) {
599 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
603 if (!table_matching) {
604 /* Display a list of supported layer types to help the user, if the
605 specified layer type was not found */
606 cmdarg_err("Valid layer types are:");
607 fprint_all_layer_types(stderr);
609 if (remaining_param == NULL || !table_matching) {
610 /* Exit if the layer type was not found, or if no '=' separator was found
612 g_free(decoded_param);
616 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
617 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
620 remaining_param++; /* Move to the second '=' */
621 *remaining_param = '\0'; /* Remove the second '=' */
623 remaining_param++; /* Position after the layer type string */
625 /* This section extracts a selector value (selector_str) from decoded_param */
627 selector_str = remaining_param; /* Next part starts with the selector number */
629 remaining_param = strchr(selector_str, ',');
630 if (remaining_param == NULL) {
631 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
632 /* If the argument does not follow the template, carry on anyway to check
633 if the selector value is at least correct. If remaining_param is NULL,
634 we'll exit anyway further down */
637 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
640 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
642 switch (dissector_table_selector_type) {
648 /* The selector for this table is an unsigned number. Parse it as such.
649 There's no need to remove leading and trailing spaces from the
650 selector number string, because sscanf will do that for us. */
651 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
656 if (op != ':' && op != '-') {
657 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
658 g_free(decoded_param);
662 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
663 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
664 g_free(decoded_param);
668 else if (selector2 < selector) {
669 /* We could swap them for the user, but maybe it's better to call
670 * this out as an error in case it's not what was intended? */
671 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
672 g_free(decoded_param);
677 cmdarg_err("Invalid selector number \"%s\"", selector_str);
678 g_free(decoded_param);
685 /* The selector for this table is a string. */
689 /* There are currently no dissector tables with any types other
690 than the ones listed above. */
691 g_assert_not_reached();
694 if (remaining_param == NULL) {
695 /* Exit if no ',' separator was found (see above) */
696 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
697 fprint_all_protocols_for_layer_types(stderr, table_name);
698 g_free(decoded_param);
702 remaining_param++; /* Position after the selector number string */
704 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
706 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
708 /* Remove leading and trailing spaces from the dissector name */
709 while ( dissector_str[0] == ' ' )
711 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
712 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
714 dissector_matching = NULL;
716 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
717 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
718 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
721 user_protocol_name.nb_match = 0;
722 user_protocol_name.searched_name = dissector_str;
723 user_protocol_name.matched_handle = NULL;
725 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
727 if (user_protocol_name.nb_match != 0) {
728 dissector_matching = user_protocol_name.matched_handle;
729 if (user_protocol_name.nb_match > 1) {
730 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
734 /* OK, check whether the problem is that there isn't any such
735 protocol, or that there is but it's not specified as a protocol
736 that's valid for that dissector table.
737 Note, we don't exit here, but dissector_matching will remain NULL,
739 if (proto_get_id_by_filter_name(dissector_str) == -1) {
740 /* No such protocol */
741 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
743 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
744 dissector_str, table_name);
749 if (!dissector_matching) {
750 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
751 fprint_all_protocols_for_layer_types(stderr, table_name);
752 g_free(decoded_param);
756 /* This is the end of the code that parses the command-line options.
757 All information is now stored in the variables:
761 The above variables that are strings are still pointing to areas within
762 decoded_parm. decoded_parm thus still needs to be kept allocated in
763 until we stop needing these variables
764 decoded_param will be deallocated at each exit point of this function */
767 /* We now have a pointer to the handle for the requested dissector
768 (requested protocol) inside the variable dissector_matching */
769 switch (dissector_table_selector_type) {
775 /* The selector for this table is an unsigned number. */
777 dissector_change_uint(table_name, selector, dissector_matching);
778 } else if (op == ':') {
779 for (i = selector; i < (guint64)selector + selector2; i++) {
780 dissector_change_uint(table_name, (guint32)i, dissector_matching);
782 } else { /* op == '-' */
783 for (i = selector; i <= selector2; i++) {
784 dissector_change_uint(table_name, (guint32)i, dissector_matching);
791 /* The selector for this table is a string. */
792 dissector_change_string(table_name, selector_str, dissector_matching);
796 /* There are currently no dissector tables with any types other
797 than the ones listed above. */
798 g_assert_not_reached();
800 g_free(decoded_param); /* "Decode As" rule has been successfully added */
805 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
806 const gchar *message, gpointer user_data)
808 /* ignore log message, if log_level isn't interesting based
809 upon the console log preferences.
810 If the preferences haven't been loaded loaded yet, display the
813 The default console_log_level preference value is such that only
814 ERROR, CRITICAL and WARNING level messages are processed;
815 MESSAGE, INFO and DEBUG level messages are ignored.
817 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
818 ERROR and CRITICAL level messages so the current code is a behavioral
819 change. The current behavior is the same as in Wireshark.
821 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
822 prefs.console_log_level != 0) {
826 g_log_default_handler(log_domain, log_level, message, user_data);
831 output_file_description(const char *fname)
833 char *save_file_string;
835 /* Get a string that describes what we're writing to */
836 if (strcmp(fname, "-") == 0) {
837 /* We're writing to the standard output */
838 save_file_string = g_strdup("standard output");
840 /* We're writing to a file with the name in save_file */
841 save_file_string = g_strdup_printf("file \"%s\"", fname);
843 return save_file_string;
847 print_current_user(void) {
848 gchar *cur_user, *cur_group;
850 if (started_with_special_privs()) {
851 cur_user = get_cur_username();
852 cur_group = get_cur_groupname();
853 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
854 cur_user, cur_group);
857 if (running_with_special_privs()) {
858 fprintf(stderr, " This could be dangerous.");
860 fprintf(stderr, "\n");
865 check_capture_privs(void) {
868 /* Warn the user if npf.sys isn't loaded. */
869 if (!npf_sys_is_running() && get_os_major_version() >= 6) {
870 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
871 "capturing or\nlisting interfaces.\n");
877 show_version(GString *comp_info_str, GString *runtime_info_str)
879 printf("TShark " VERSION "%s\n"
886 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
887 runtime_info_str->str);
891 main(int argc, char *argv[])
893 GString *comp_info_str;
894 GString *runtime_info_str;
895 char *init_progfile_dir_error;
897 struct option long_options[] = {
898 {(char *)"capture-comment", required_argument, NULL, LONGOPT_NUM_CAP_COMMENT },
901 gboolean arg_error = FALSE;
907 char *gpf_path, *pf_path;
908 char *gdp_path, *dp_path;
909 int gpf_open_errno, gpf_read_errno;
910 int pf_open_errno, pf_read_errno;
911 int gdp_open_errno, gdp_read_errno;
912 int dp_open_errno, dp_read_errno;
914 volatile int exit_status = 0;
916 gboolean list_link_layer_types = FALSE;
917 gboolean start_capture = FALSE;
922 gboolean capture_option_specified = FALSE;
924 gboolean quiet = FALSE;
925 #ifdef PCAP_NG_DEFAULT
926 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
928 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
930 volatile gboolean out_file_name_res = FALSE;
931 gchar *volatile cf_name = NULL;
932 gchar *rfilter = NULL;
933 gchar *dfilter = NULL;
934 #ifdef HAVE_PCAP_OPEN_DEAD
935 struct bpf_program fcode;
937 dfilter_t *rfcode = NULL;
938 dfilter_t *dfcode = NULL;
943 gchar *output_only = NULL;
945 #ifdef HAVE_PCAP_REMOTE
946 #define OPTSTRING_A "A:"
948 #define OPTSTRING_A ""
951 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
952 #define OPTSTRING_B "B:"
954 #define OPTSTRING_B ""
955 #endif /* _WIN32 or HAVE_PCAP_CREATE */
956 #else /* HAVE_LIBPCAP */
957 #define OPTSTRING_B ""
958 #endif /* HAVE_LIBPCAP */
960 #ifdef HAVE_PCAP_CREATE
961 #define OPTSTRING_I "I"
963 #define OPTSTRING_I ""
966 /* the leading - ensures that getopt() does not permute the argv[] entries
967 we have to make sure that the first getopt() preserves the content of argv[]
968 for the subsequent getopt_long() call */
969 #define OPTSTRING "-2a:" OPTSTRING_A "b:" OPTSTRING_B "c:C:d:De:E:f:F:gG:hH:i:" OPTSTRING_I "K:lLnN:o:O:pPqQr:R:s:S:t:T:u:vVw:W:xX:y:Y:z:"
971 static const char optstring[] = OPTSTRING;
973 /* Assemble the compile-time version information string */
974 comp_info_str = g_string_new("Compiled ");
975 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
977 /* Assemble the run-time version information string */
978 runtime_info_str = g_string_new("Running ");
979 get_runtime_version_info(runtime_info_str, NULL);
981 /* Add it to the information to be reported on a crash. */
982 ws_add_crash_info("TShark " VERSION "%s\n"
987 wireshark_svnversion, comp_info_str->str, runtime_info_str->str);
990 arg_list_utf_16to8(argc, argv);
991 create_app_running_mutex();
992 #if !GLIB_CHECK_VERSION(2,31,0)
998 * Get credential information for later use.
1000 init_process_policies();
1003 * Attempt to get the pathname of the executable file.
1005 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1006 if (init_progfile_dir_error != NULL) {
1007 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1008 init_progfile_dir_error);
1012 * In order to have the -X opts assigned before the wslua machine starts
1013 * we need to call getopts before epan_init() gets called.
1016 optind_initial = optind;
1018 while ((opt = getopt(argc, argv, optstring)) != -1) {
1020 case 'C': /* Configuration Profile */
1021 if (profile_exists (optarg, FALSE)) {
1022 set_profile_name (optarg);
1024 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1028 case 'P': /* Print packet summary info even when writing to a file */
1029 print_packet_info = TRUE;
1030 print_summary = TRUE;
1032 case 'O': /* Only output these protocols */
1033 output_only = g_strdup(optarg);
1035 case 'V': /* Verbose */
1036 print_details = TRUE;
1037 print_packet_info = TRUE;
1039 case 'x': /* Print packet data in hex (and ASCII) */
1041 /* The user asked for hex output, so let's ensure they get it,
1042 * even if they're writing to a file.
1044 print_packet_info = TRUE;
1055 * Print packet summary information is the default, unless either -V or -x
1056 * were specified and -P was not. Note that this is new behavior, which
1057 * allows for the possibility of printing only hex/ascii output without
1058 * necessarily requiring that either the summary or details be printed too.
1060 if (print_summary == -1)
1061 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1063 optind = optind_initial;
1068 /** Send All g_log messages to our own handler **/
1072 G_LOG_LEVEL_CRITICAL|
1073 G_LOG_LEVEL_WARNING|
1074 G_LOG_LEVEL_MESSAGE|
1077 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1079 g_log_set_handler(NULL,
1080 (GLogLevelFlags)log_flags,
1081 tshark_log_handler, NULL /* user_data */);
1082 g_log_set_handler(LOG_DOMAIN_MAIN,
1083 (GLogLevelFlags)log_flags,
1084 tshark_log_handler, NULL /* user_data */);
1087 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1088 (GLogLevelFlags)log_flags,
1089 tshark_log_handler, NULL /* user_data */);
1090 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1091 (GLogLevelFlags)log_flags,
1092 tshark_log_handler, NULL /* user_data */);
1095 initialize_funnel_ops();
1098 capture_opts_init(&global_capture_opts);
1099 capture_session_init(&global_capture_session, (void *)&cfile);
1102 timestamp_set_type(TS_RELATIVE);
1103 timestamp_set_precision(TS_PREC_AUTO);
1104 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1107 /* Register all the plugin types we have. */
1108 epan_register_plugin_types(); /* Types known to libwireshark */
1109 wtap_register_plugin_types(); /* Types known to libwiretap */
1111 /* Scan for plugins. This does *not* call their registration routines;
1112 that's done later. */
1115 /* Register all libwiretap plugin modules. */
1116 register_all_wiretap_modules();
1119 /* Register all dissectors; we must do this before checking for the
1120 "-G" flag, as the "-G" flag dumps information registered by the
1121 dissectors, and we must do it before we read the preferences, in
1122 case any dissectors register preferences. */
1123 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
1124 failure_message, open_failure_message, read_failure_message,
1125 write_failure_message);
1127 /* Register all tap listeners; we do this before we parse the arguments,
1128 as the "-z" argument can specify a registered tap. */
1130 /* we register the plugin taps before the other taps because
1131 stats_tree taps plugins will be registered as tap listeners
1132 by stats_tree_stat.c and need to registered before that */
1134 register_all_plugin_tap_listeners();
1136 register_all_tap_listeners();
1138 /* If invoked with the "-G" flag, we dump out information based on
1139 the argument to the "-G" flag; if no argument is specified,
1140 for backwards compatibility we dump out a glossary of display
1143 XXX - we do this here, for now, to support "-G" with no arguments.
1144 If none of our build or other processes uses "-G" with no arguments,
1145 we can just process it with the other arguments. */
1146 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1147 proto_initialize_all_prefixes();
1150 proto_registrar_dump_fields();
1152 if (strcmp(argv[2], "column-formats") == 0)
1153 column_dump_column_formats();
1154 else if (strcmp(argv[2], "currentprefs") == 0) {
1155 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1156 &pf_open_errno, &pf_read_errno, &pf_path);
1159 else if (strcmp(argv[2], "decodes") == 0)
1160 dissector_dump_decodes();
1161 else if (strcmp(argv[2], "defaultprefs") == 0)
1163 else if (strcmp(argv[2], "fields") == 0)
1164 proto_registrar_dump_fields();
1165 else if (strcmp(argv[2], "ftypes") == 0)
1166 proto_registrar_dump_ftypes();
1167 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1168 dissector_dump_heur_decodes();
1169 else if (strcmp(argv[2], "plugins") == 0) {
1174 wslua_plugins_dump_all();
1177 else if (strcmp(argv[2], "protocols") == 0)
1178 proto_registrar_dump_protocols();
1179 else if (strcmp(argv[2], "values") == 0)
1180 proto_registrar_dump_values();
1181 else if (strcmp(argv[2], "?") == 0)
1182 glossary_option_help();
1183 else if (strcmp(argv[2], "-?") == 0)
1184 glossary_option_help();
1186 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1193 /* Set the C-language locale to the native environment. */
1194 setlocale(LC_ALL, "");
1196 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1197 &pf_open_errno, &pf_read_errno, &pf_path);
1198 if (gpf_path != NULL) {
1199 if (gpf_open_errno != 0) {
1200 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1201 pf_path, g_strerror(gpf_open_errno));
1203 if (gpf_read_errno != 0) {
1204 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1205 pf_path, g_strerror(gpf_read_errno));
1208 if (pf_path != NULL) {
1209 if (pf_open_errno != 0) {
1210 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1211 g_strerror(pf_open_errno));
1213 if (pf_read_errno != 0) {
1214 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1215 pf_path, g_strerror(pf_read_errno));
1221 /* Read the disabled protocols file. */
1222 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1223 &dp_path, &dp_open_errno, &dp_read_errno);
1224 if (gdp_path != NULL) {
1225 if (gdp_open_errno != 0) {
1226 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1227 gdp_path, g_strerror(gdp_open_errno));
1229 if (gdp_read_errno != 0) {
1230 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1231 gdp_path, g_strerror(gdp_read_errno));
1235 if (dp_path != NULL) {
1236 if (dp_open_errno != 0) {
1238 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1239 g_strerror(dp_open_errno));
1241 if (dp_read_errno != 0) {
1243 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1244 g_strerror(dp_read_errno));
1249 check_capture_privs();
1251 cap_file_init(&cfile);
1253 /* Print format defaults to this. */
1254 print_format = PR_FMT_TEXT;
1256 output_fields = output_fields_new();
1258 /* Now get our args */
1259 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1261 case '2': /* Perform two pass analysis */
1262 perform_two_pass_analysis = TRUE;
1264 case 'a': /* autostop criteria */
1265 case 'b': /* Ringbuffer option */
1266 case 'c': /* Capture x packets */
1267 case 'f': /* capture filter */
1268 case 'g': /* enable group read access on file(s) */
1269 case 'i': /* Use interface x */
1270 case 'p': /* Don't capture in promiscuous mode */
1271 #ifdef HAVE_PCAP_REMOTE
1272 case 'A': /* Authentication */
1274 #ifdef HAVE_PCAP_CREATE
1275 case 'I': /* Capture in monitor mode, if available */
1277 case 's': /* Set the snapshot (capture) length */
1278 case 'w': /* Write to capture file x */
1279 case 'y': /* Set the pcap data link type */
1280 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1281 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1282 case 'B': /* Buffer size */
1283 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1285 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1290 capture_option_specified = TRUE;
1295 /* Configuration profile settings were already processed just ignore them this time*/
1297 case 'd': /* Decode as rule */
1298 if (!add_decode_as(optarg))
1301 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1302 case 'K': /* Kerberos keytab file */
1303 read_keytab_file(optarg);
1306 case 'D': /* Print a list of capture devices and exit */
1308 if_list = capture_interface_list(&err, &err_str,NULL);
1309 if (if_list == NULL) {
1311 case CANT_GET_INTERFACE_LIST:
1312 case DONT_HAVE_PCAP:
1313 cmdarg_err("%s", err_str);
1317 case NO_INTERFACES_FOUND:
1318 cmdarg_err("There are no interfaces on which a capture can be done");
1323 capture_opts_print_interfaces(if_list);
1324 free_interface_list(if_list);
1327 capture_option_specified = TRUE;
1333 output_fields_add(output_fields, optarg);
1337 if (!output_fields_set_option(output_fields, optarg)) {
1338 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1339 output_fields_list_options(stderr);
1344 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1345 if (out_file_type < 0) {
1346 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1347 list_capture_types();
1351 case 'W': /* Select extra information to save in our capture file */
1352 /* This is patterned after the -N flag which may not be the best idea. */
1353 if (strchr(optarg, 'n')) {
1354 out_file_name_res = TRUE;
1356 cmdarg_err("Invalid -W argument \"%s\"", optarg);
1360 case 'H': /* Read address to name mappings from a hosts file */
1361 if (! add_hosts_file(optarg))
1363 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1366 out_file_name_res = TRUE;
1369 case 'h': /* Print help and exit */
1373 case 'l': /* "Line-buffer" standard output */
1374 /* This isn't line-buffering, strictly speaking, it's just
1375 flushing the standard output after the information for
1376 each packet is printed; however, that should be good
1377 enough for all the purposes to which "-l" is put (and
1378 is probably actually better for "-V", as it does fewer
1381 See the comment in "process_packet()" for an explanation of
1382 why we do that, and why we don't just use "setvbuf()" to
1383 make the standard output line-buffered (short version: in
1384 Windows, "line-buffered" is the same as "fully-buffered",
1385 and the output buffer is only flushed when it fills up). */
1386 line_buffered = TRUE;
1388 case 'L': /* Print list of link-layer types and exit */
1390 list_link_layer_types = TRUE;
1392 capture_option_specified = TRUE;
1396 case 'n': /* No name resolution */
1397 gbl_resolv_flags.mac_name = FALSE;
1398 gbl_resolv_flags.network_name = FALSE;
1399 gbl_resolv_flags.transport_name = FALSE;
1400 gbl_resolv_flags.concurrent_dns = FALSE;
1402 case 'N': /* Select what types of addresses/port #s to resolve */
1403 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1404 if (badopt != '\0') {
1405 cmdarg_err("-N specifies unknown resolving option '%c';",
1407 cmdarg_err_cont( " Valid options are 'm', 'n', 't', and 'C'");
1411 case 'o': /* Override preference from command line */
1412 switch (prefs_set_pref(optarg)) {
1417 case PREFS_SET_SYNTAX_ERR:
1418 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1422 case PREFS_SET_NO_SUCH_PREF:
1423 case PREFS_SET_OBSOLETE:
1424 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1429 case 'q': /* Quiet */
1432 case 'Q': /* Really quiet */
1434 really_quiet = TRUE;
1436 case 'r': /* Read capture file x */
1437 cf_name = g_strdup(optarg);
1439 case 'R': /* Read file filter */
1443 /* already processed; just ignore it now */
1445 case 'S': /* Set the line Separator to be printed between packets */
1446 separator = strdup(optarg);
1448 case 't': /* Time stamp type */
1449 if (strcmp(optarg, "r") == 0)
1450 timestamp_set_type(TS_RELATIVE);
1451 else if (strcmp(optarg, "a") == 0)
1452 timestamp_set_type(TS_ABSOLUTE);
1453 else if (strcmp(optarg, "ad") == 0)
1454 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1455 else if (strcmp(optarg, "adoy") == 0)
1456 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1457 else if (strcmp(optarg, "d") == 0)
1458 timestamp_set_type(TS_DELTA);
1459 else if (strcmp(optarg, "dd") == 0)
1460 timestamp_set_type(TS_DELTA_DIS);
1461 else if (strcmp(optarg, "e") == 0)
1462 timestamp_set_type(TS_EPOCH);
1463 else if (strcmp(optarg, "u") == 0)
1464 timestamp_set_type(TS_UTC);
1465 else if (strcmp(optarg, "ud") == 0)
1466 timestamp_set_type(TS_UTC_WITH_YMD);
1467 else if (strcmp(optarg, "udoy") == 0)
1468 timestamp_set_type(TS_UTC_WITH_YDOY);
1470 cmdarg_err("Invalid time stamp type \"%s\"", optarg);
1472 "It must be \"a\" for absolute, \"ad\" for absolute with YYYY-MM-DD date,");
1474 "\"adoy\" for absolute with YYYY/DOY date, \"d\" for delta,");
1476 "\"dd\" for delta displayed, \"e\" for epoch, \"r\" for relative,");
1478 "\"u\" for absolute UTC, \"ud\" for absolute UTC with YYYY-MM-DD date,");
1480 "or \"udoy\" for absolute UTC with YYYY/DOY date.");
1484 case 'T': /* printing Type */
1485 if (strcmp(optarg, "text") == 0) {
1486 output_action = WRITE_TEXT;
1487 print_format = PR_FMT_TEXT;
1488 } else if (strcmp(optarg, "ps") == 0) {
1489 output_action = WRITE_TEXT;
1490 print_format = PR_FMT_PS;
1491 } else if (strcmp(optarg, "pdml") == 0) {
1492 output_action = WRITE_XML;
1493 print_details = TRUE; /* Need details */
1494 print_summary = FALSE; /* Don't allow summary */
1495 } else if (strcmp(optarg, "psml") == 0) {
1496 output_action = WRITE_XML;
1497 print_details = FALSE; /* Don't allow details */
1498 print_summary = TRUE; /* Need summary */
1499 } else if (strcmp(optarg, "fields") == 0) {
1500 output_action = WRITE_FIELDS;
1501 print_details = TRUE; /* Need full tree info */
1502 print_summary = FALSE; /* Don't allow summary */
1504 cmdarg_err("Invalid -T parameter.");
1505 cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
1509 case 'u': /* Seconds type */
1510 if (strcmp(optarg, "s") == 0)
1511 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1512 else if (strcmp(optarg, "hms") == 0)
1513 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1515 cmdarg_err("Invalid seconds type \"%s\"", optarg);
1516 cmdarg_err_cont("It must be \"s\" for seconds or \"hms\" for hours, minutes and seconds.");
1520 case 'v': /* Show version and exit */
1522 show_version(comp_info_str, runtime_info_str);
1523 g_string_free(comp_info_str, TRUE);
1524 g_string_free(runtime_info_str, TRUE);
1525 /* We don't really have to cleanup here, but it's a convenient way to test
1526 * start-up and shut-down of the epan library without any UI-specific
1527 * cruft getting in the way. Makes the results of running
1528 * $ ./tools/valgrind-wireshark -n
1529 * much more useful. */
1533 case 'O': /* Only output these protocols */
1534 /* already processed; just ignore it now */
1536 case 'V': /* Verbose */
1537 /* already processed; just ignore it now */
1539 case 'x': /* Print packet data in hex (and ASCII) */
1540 /* already processed; just ignore it now */
1548 /* We won't call the init function for the stat this soon
1549 as it would disallow MATE's fields (which are registered
1550 by the preferences set callback) from being used as
1551 part of a tap filter. Instead, we just add the argument
1552 to a list of stat arguments. */
1553 if (!process_stat_cmd_arg(optarg)) {
1554 if (strcmp("help", optarg)==0) {
1555 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1556 list_stat_cmd_args();
1559 cmdarg_err("Invalid -z argument \"%s\".", optarg);
1560 cmdarg_err_cont(" -z argument must be one of :");
1561 list_stat_cmd_args();
1566 case '?': /* Bad flag - print usage message */
1569 list_capture_types();
1579 /* If we specified output fields, but not the output field type... */
1580 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1581 cmdarg_err("Output fields were specified with \"-e\", "
1582 "but \"-Tfields\" was not specified.");
1584 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1585 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1586 "specified with \"-e\".");
1591 /* If no capture filter or display filter has been specified, and there are
1592 still command-line arguments, treat them as the tokens of a capture
1593 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1594 flag was specified. */
1595 if (optind < argc) {
1596 if (cf_name != NULL) {
1597 if (dfilter != NULL) {
1598 cmdarg_err("Display filters were specified both with \"-d\" "
1599 "and with additional command-line arguments.");
1602 dfilter = get_args_as_string(argc, argv, optind);
1607 if (global_capture_opts.default_options.cfilter) {
1608 cmdarg_err("A default capture filter was specified both with \"-f\""
1609 " and with additional command-line arguments.");
1612 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1613 interface_options interface_opts;
1614 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1615 if (interface_opts.cfilter == NULL) {
1616 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1617 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1618 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1620 cmdarg_err("A capture filter was specified both with \"-f\""
1621 " and with additional command-line arguments.");
1625 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1627 capture_option_specified = TRUE;
1633 if (!global_capture_opts.saving_to_file) {
1634 /* We're not saving the capture to a file; if "-q" wasn't specified,
1635 we should print packet information */
1637 print_packet_info = TRUE;
1639 /* We're saving to a file; if we're writing to the standard output.
1640 and we'll also be writing dissected packets to the standard
1641 output, reject the request. At best, we could redirect that
1642 to the standard error; we *can't* write both to the standard
1643 output and have either of them be useful. */
1644 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1645 cmdarg_err("You can't write both raw packet data and dissected packets"
1646 " to the standard output.");
1651 /* We're not saving the capture to a file; if "-q" wasn't specified,
1652 we should print packet information */
1654 print_packet_info = TRUE;
1657 #ifndef HAVE_LIBPCAP
1658 if (capture_option_specified)
1659 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1667 if (output_action != WRITE_TEXT) {
1668 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1673 if (output_only != NULL) {
1676 if (!print_details) {
1677 cmdarg_err("-O requires -V");
1681 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1682 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1683 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1687 if (rfilter != NULL && !perform_two_pass_analysis) {
1688 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1693 if (list_link_layer_types) {
1694 /* We're supposed to list the link-layer types for an interface;
1695 did the user also specify a capture file to be read? */
1697 /* Yes - that's bogus. */
1698 cmdarg_err("You can't specify -L and a capture file to be read.");
1701 /* No - did they specify a ring buffer option? */
1702 if (global_capture_opts.multi_files_on) {
1703 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1709 * "-r" was specified, so we're reading a capture file.
1710 * Capture options don't apply here.
1713 /* We don't support capture filters when reading from a capture file
1714 (the BPF compiler doesn't support all link-layer types that we
1715 support in capture files we read). */
1716 if (global_capture_opts.default_options.cfilter) {
1717 cmdarg_err("Only read filters, not capture filters, "
1718 "can be specified when reading a capture file.");
1721 if (global_capture_opts.multi_files_on) {
1722 cmdarg_err("Multiple capture files requested, but "
1723 "a capture isn't being done.");
1726 if (global_capture_opts.has_file_duration) {
1727 cmdarg_err("Switching capture files after a time interval was specified, but "
1728 "a capture isn't being done.");
1731 if (global_capture_opts.has_ring_num_files) {
1732 cmdarg_err("A ring buffer of capture files was specified, but "
1733 "a capture isn't being done.");
1736 if (global_capture_opts.has_autostop_files) {
1737 cmdarg_err("A maximum number of capture files was specified, but "
1738 "a capture isn't being done.");
1741 if (global_capture_opts.capture_comment) {
1742 cmdarg_err("A capture comment was specified, but "
1743 "a capture isn't being done.\nThere's no support for adding "
1744 "a capture comment to an existing capture file.");
1748 /* Note: TShark now allows the restriction of a _read_ file by packet count
1749 * and byte count as well as a write file. Other autostop options remain valid
1750 * only for a write file.
1752 if (global_capture_opts.has_autostop_duration) {
1753 cmdarg_err("A maximum capture time was specified, but "
1754 "a capture isn't being done.");
1759 * "-r" wasn't specified, so we're doing a live capture.
1761 if (global_capture_opts.saving_to_file) {
1762 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1764 /* When capturing, we only support writing pcap or pcap-ng format. */
1765 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1766 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1767 cmdarg_err("Live captures can only be saved in libpcap format.");
1770 if (global_capture_opts.capture_comment &&
1771 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1772 cmdarg_err("A capture comment can only be written to a pcapng file.");
1775 if (global_capture_opts.multi_files_on) {
1776 /* Multiple-file mode doesn't work under certain conditions:
1777 a) it doesn't work if you're writing to the standard output;
1778 b) it doesn't work if you're writing to a pipe;
1780 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1781 cmdarg_err("Multiple capture files requested, but "
1782 "the capture is being written to the standard output.");
1785 if (global_capture_opts.output_to_pipe) {
1786 cmdarg_err("Multiple capture files requested, but "
1787 "the capture file is a pipe.");
1790 if (!global_capture_opts.has_autostop_filesize &&
1791 !global_capture_opts.has_file_duration) {
1792 cmdarg_err("Multiple capture files requested, but "
1793 "no maximum capture file size or duration was specified.");
1797 /* Currently, we don't support read or display filters when capturing
1798 and saving the packets. */
1799 if (rfilter != NULL) {
1800 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1803 if (dfilter != NULL) {
1804 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1808 /* They didn't specify a "-w" flag, so we won't be saving to a
1809 capture file. Check for options that only make sense if
1810 we're saving to a file. */
1811 if (global_capture_opts.has_autostop_filesize) {
1812 cmdarg_err("Maximum capture file size specified, but "
1813 "capture isn't being saved to a file.");
1816 if (global_capture_opts.multi_files_on) {
1817 cmdarg_err("Multiple capture files requested, but "
1818 "the capture isn't being saved to a file.");
1821 if (global_capture_opts.capture_comment) {
1822 cmdarg_err("A capture comment was specified, but "
1823 "the capture isn't being saved to a file.");
1832 /* Start windows sockets */
1833 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1836 /* Notify all registered modules that have had any of their preferences
1837 changed either from one of the preferences file or from the command
1838 line that their preferences have changed. */
1841 /* At this point MATE will have registered its field array so we can
1842 have a tap filter with one of MATE's late-registered fields as part
1843 of the filter. We can now process all the "-z" arguments. */
1844 start_requested_stats();
1847 /* We currently don't support taps, or printing dissected packets,
1848 if we're writing to a pipe. */
1849 if (global_capture_opts.saving_to_file &&
1850 global_capture_opts.output_to_pipe) {
1851 if (tap_listeners_require_dissection()) {
1852 cmdarg_err("Taps aren't supported when saving to a pipe.");
1855 if (print_packet_info) {
1856 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1862 /* disabled protocols as per configuration file */
1863 if (gdp_path == NULL && dp_path == NULL) {
1864 set_disabled_protos_list();
1867 /* Build the column format array */
1868 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1871 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1872 capture_opts_trim_ring_num_files(&global_capture_opts);
1875 if (rfilter != NULL) {
1876 if (!dfilter_compile(rfilter, &rfcode)) {
1877 cmdarg_err("%s", dfilter_error_msg);
1879 #ifdef HAVE_PCAP_OPEN_DEAD
1883 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1885 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1887 " Note: That read filter code looks like a valid capture filter;");
1889 " maybe you mixed them up?");
1898 cfile.rfcode = rfcode;
1900 if (dfilter != NULL) {
1901 if (!dfilter_compile(dfilter, &dfcode)) {
1902 cmdarg_err("%s", dfilter_error_msg);
1904 #ifdef HAVE_PCAP_OPEN_DEAD
1908 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1910 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1912 " Note: That display filter code looks like a valid capture filter;");
1914 " maybe you mixed them up?");
1923 cfile.dfcode = dfcode;
1925 if (print_packet_info) {
1926 /* If we're printing as text or PostScript, we have
1927 to create a print stream. */
1928 if (output_action == WRITE_TEXT) {
1929 switch (print_format) {
1932 print_stream = print_stream_text_stdio_new(stdout);
1936 print_stream = print_stream_ps_stdio_new(stdout);
1940 g_assert_not_reached();
1945 /* We have to dissect each packet if:
1947 we're printing information about each packet;
1949 we're using a read filter on the packets;
1951 we're using a display filter on the packets;
1953 we're using any taps that need dissection. */
1954 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
1958 * We're reading a capture file.
1962 * Immediately relinquish any special privileges we have; we must not
1963 * be allowed to read any capture files the user running TShark
1966 relinquish_special_privs_perm();
1967 print_current_user();
1969 if (cf_open(&cfile, cf_name, FALSE, &err) != CF_OK) {
1974 /* Set timestamp precision; there should arguably be a command-line
1975 option to let the user set this. */
1976 switch(wtap_file_tsprecision(cfile.wth)) {
1977 case(WTAP_FILE_TSPREC_SEC):
1978 timestamp_set_precision(TS_PREC_AUTO_SEC);
1980 case(WTAP_FILE_TSPREC_DSEC):
1981 timestamp_set_precision(TS_PREC_AUTO_DSEC);
1983 case(WTAP_FILE_TSPREC_CSEC):
1984 timestamp_set_precision(TS_PREC_AUTO_CSEC);
1986 case(WTAP_FILE_TSPREC_MSEC):
1987 timestamp_set_precision(TS_PREC_AUTO_MSEC);
1989 case(WTAP_FILE_TSPREC_USEC):
1990 timestamp_set_precision(TS_PREC_AUTO_USEC);
1992 case(WTAP_FILE_TSPREC_NSEC):
1993 timestamp_set_precision(TS_PREC_AUTO_NSEC);
1996 g_assert_not_reached();
1999 /* Process the packets in the file */
2002 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2003 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2004 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2006 err = load_cap_file(&cfile, NULL, out_file_type, out_file_name_res, 0, 0);
2009 CATCH(OutOfMemoryError) {
2013 "Sorry, but TShark has to terminate now!\n"
2015 "Some infos / workarounds can be found at:\n"
2016 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2021 /* We still dump out the results of taps, etc., as we might have
2022 read some packets; however, we exit with an error status. */
2026 /* No capture file specified, so we're supposed to do a live capture
2027 or get a list of link-layer types for a live capture device;
2028 do we have support for live captures? */
2030 /* if no interface was specified, pick a default */
2031 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2032 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2033 if (exit_status != 0)
2036 /* if requested, list the link layer types and exit */
2037 if (list_link_layer_types) {
2040 /* Get the list of link-layer types for the capture devices. */
2041 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2042 interface_options interface_opts;
2043 if_capabilities_t *caps;
2045 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2046 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2048 cmdarg_err("%s", err_str);
2052 if (caps->data_link_types == NULL) {
2053 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2056 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2057 free_if_capabilities(caps);
2063 * If the standard error isn't a terminal, don't print packet counts,
2064 * as they won't show up on the user's terminal and they'll get in
2065 * the way of error messages in the file (to which we assume the
2066 * standard error was redirected; if it's redirected to the null
2067 * device, there's no point in printing packet counts anyway).
2069 * Otherwise, if we're printing packet information and the standard
2070 * output is a terminal (which we assume means the standard output and
2071 * error are going to the same terminal), don't print packet counts,
2072 * as they'll get in the way of the packet information.
2074 * Otherwise, if the user specified -q, don't print packet counts.
2076 * Otherwise, print packet counts.
2078 * XXX - what if the user wants to do a live capture, doesn't want
2079 * to save it to a file, doesn't want information printed for each
2080 * packet, does want some "-z" statistic, and wants packet counts
2081 * so they know whether they're seeing any packets? -q will
2082 * suppress the information printed for each packet, but it'll
2083 * also suppress the packet counts.
2085 if (!isatty(fileno(stderr)))
2086 print_packet_counts = FALSE;
2087 else if (print_packet_info && isatty(fileno(stdout)))
2088 print_packet_counts = FALSE;
2090 print_packet_counts = FALSE;
2092 print_packet_counts = TRUE;
2094 if (print_packet_info) {
2095 if (!write_preamble(NULL)) {
2096 show_print_file_io_error(errno);
2101 /* For now, assume libpcap gives microsecond precision. */
2102 timestamp_set_precision(TS_PREC_AUTO_USEC);
2105 * XXX - this returns FALSE if an error occurred, but it also
2106 * returns FALSE if the capture stops because a time limit
2107 * was reached (and possibly other limits), so we can't assume
2108 * it means an error.
2110 * The capture code is a bit twisty, so it doesn't appear to
2111 * be an easy fix. We just ignore the return value for now.
2112 * Instead, pass on the exit status from the capture child.
2115 exit_status = global_capture_session.fork_child_status;
2117 if (print_packet_info) {
2118 if (!write_finale()) {
2120 show_print_file_io_error(err);
2124 /* No - complain. */
2125 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2132 if (cfile.frames != NULL) {
2133 free_frame_data_sequence(cfile.frames);
2134 cfile.frames = NULL;
2137 draw_tap_listeners(TRUE);
2138 funnel_dump_all_text_windows();
2139 epan_free(cfile.epan);
2142 output_fields_free(output_fields);
2143 output_fields = NULL;
2148 /*#define USE_BROKEN_G_MAIN_LOOP*/
2150 #ifdef USE_BROKEN_G_MAIN_LOOP
2153 gboolean loop_running = FALSE;
2155 guint32 packet_count = 0;
2158 /* XXX - move to the right position / file */
2159 /* read from a pipe (callback) */
2160 typedef gboolean (*pipe_input_cb_t) (gint source, gpointer user_data);
2162 typedef struct pipe_input_tag {
2166 pipe_input_cb_t input_cb;
2167 guint pipe_input_id;
2169 GMutex *callback_running;
2173 static pipe_input_t pipe_input;
2176 /* The timer has expired, see if there's stuff to read from the pipe,
2177 if so, do the callback */
2179 pipe_timer_cb(gpointer data)
2185 pipe_input_t *pipe_input_p = data;
2186 gint iterations = 0;
2188 g_mutex_lock (pipe_input_p->callback_running);
2190 /* try to read data from the pipe only 5 times, to avoid blocking */
2191 while(iterations < 5) {
2192 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2194 /* Oddly enough although Named pipes don't work on win9x,
2195 PeekNamedPipe does !!! */
2196 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2197 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2199 /* Get the child process exit status */
2200 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2203 /* If the Peek returned an error, or there are bytes to be read
2204 or the childwatcher thread has terminated then call the normal
2206 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2208 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2210 /* And call the real handler */
2211 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2212 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2213 /* pipe closed, return false so that the timer is stopped */
2214 g_mutex_unlock (pipe_input_p->callback_running);
2219 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2220 /* No data, stop now */
2227 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2229 g_mutex_unlock (pipe_input_p->callback_running);
2231 /* we didn't stopped the timer, so let it run */
2238 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2241 pipe_input.source = source;
2242 pipe_input.child_process = child_process;
2243 pipe_input.user_data = user_data;
2244 pipe_input.input_cb = input_cb;
2247 #if GLIB_CHECK_VERSION(2,31,0)
2248 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2249 g_mutex_init(pipe_input.callback_running);
2251 pipe_input.callback_running = g_mutex_new();
2253 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2254 do this but that doesn't cover all win32 platforms. GTK can do
2255 this but doesn't seem to work over processes. Attempt to do
2256 something similar here, start a timer and check for data on every
2258 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2259 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2263 static const nstime_t *
2264 tshark_get_frame_ts(void *data, guint32 frame_num)
2266 capture_file *cf = (capture_file *) data;
2268 if (ref && ref->num == frame_num)
2269 return &ref->abs_ts;
2271 if (prev_dis && prev_dis->num == frame_num)
2272 return &prev_dis->abs_ts;
2274 if (prev_cap && prev_cap->num == frame_num)
2275 return &prev_cap->abs_ts;
2278 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2280 return (fd) ? &fd->abs_ts : NULL;
2287 tshark_epan_new(capture_file *cf)
2289 epan_t *epan = epan_new();
2292 epan->get_frame_ts = tshark_get_frame_ts;
2293 epan->get_interface_name = cap_file_get_interface_name;
2294 epan->get_user_comment = NULL;
2305 GString *str = g_string_new("");
2306 #ifdef USE_TSHARK_SELECT
2310 struct sigaction action, oldaction;
2314 * XXX - dropping privileges is still required, until code cleanup is done
2316 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2317 * when it's done, we don't need special privileges to run tshark at all,
2318 * therefore we don't need to drop these privileges
2319 * The only thing we might want to keep is a warning if tshark is run as root,
2320 * as it's no longer necessary and potentially dangerous.
2322 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2323 * We've opened the capture device, so we shouldn't need any special
2324 * privileges any more; relinquish those privileges.
2326 * XXX - if we have saved set-user-ID support, we should give up those
2327 * privileges immediately, and then reclaim them long enough to get
2328 * a list of network interfaces and to open one, and then give them
2329 * up again, so that stuff we do while processing the argument list,
2330 * reading the user's preferences, loading and starting plugins
2331 * (especially *user* plugins), etc. is done with the user's privileges,
2332 * not special privileges.
2334 relinquish_special_privs_perm();
2335 print_current_user();
2337 /* Create new dissection section. */
2338 epan_free(cfile.epan);
2339 cfile.epan = tshark_epan_new(&cfile);
2342 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2343 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2345 /* Catch SIGINT and SIGTERM and, if we get either of them,
2346 clean up and exit. If SIGHUP isn't being ignored, catch
2347 it too and, if we get it, clean up and exit.
2349 We restart any read that was in progress, so that it doesn't
2350 disrupt reading from the sync pipe. The signal handler tells
2351 the capture child to finish; it will report that it finished,
2352 or will exit abnormally, so we'll stop reading from the sync
2353 pipe, pick up the exit status, and quit. */
2354 memset(&action, 0, sizeof(action));
2355 action.sa_handler = capture_cleanup;
2356 action.sa_flags = SA_RESTART;
2357 sigemptyset(&action.sa_mask);
2358 sigaction(SIGTERM, &action, NULL);
2359 sigaction(SIGINT, &action, NULL);
2360 sigaction(SIGHUP, NULL, &oldaction);
2361 if (oldaction.sa_handler == SIG_DFL)
2362 sigaction(SIGHUP, &action, NULL);
2365 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2366 quiet mode, report the number of packets we've captured.
2368 Again, restart any read that was in progress, so that it doesn't
2369 disrupt reading from the sync pipe. */
2370 action.sa_handler = report_counts_siginfo;
2371 action.sa_flags = SA_RESTART;
2372 sigemptyset(&action.sa_mask);
2373 sigaction(SIGINFO, &action, NULL);
2374 #endif /* SIGINFO */
2377 global_capture_session.state = CAPTURE_PREPARING;
2379 /* Let the user know which interfaces were chosen. */
2380 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2381 interface_options interface_opts;
2383 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2384 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2385 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2386 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2389 if (global_capture_opts.ifaces->len < 2)
2391 if (global_capture_opts.ifaces->len < 4)
2394 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2395 interface_options interface_opts;
2397 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2399 if (global_capture_opts.ifaces->len > 2) {
2400 g_string_append_printf(str, ",");
2402 g_string_append_printf(str, " ");
2403 if (i == global_capture_opts.ifaces->len - 1) {
2404 g_string_append_printf(str, "and ");
2407 g_string_append_printf(str, "'%s'", interface_opts.descr);
2410 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2412 if (really_quiet == FALSE)
2413 fprintf(stderr, "Capturing on %s\n", str->str);
2415 g_string_free(str, TRUE);
2417 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2422 /* the actual capture loop
2424 * XXX - glib doesn't seem to provide any event based loop handling.
2426 * XXX - for whatever reason,
2427 * calling g_main_loop_new() ends up in 100% cpu load.
2429 * But that doesn't matter: in UNIX we can use select() to find an input
2430 * source with something to do.
2432 * But that doesn't matter because we're in a CLI (that doesn't need to
2433 * update a GUI or something at the same time) so it's OK if we block
2434 * trying to read from the pipe.
2436 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2437 * wrong (but I leave it there in case I am...).
2440 #ifdef USE_TSHARK_SELECT
2442 FD_SET(pipe_input.source, &readfds);
2445 loop_running = TRUE;
2449 while (loop_running)
2451 #ifdef USE_TSHARK_SELECT
2452 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2458 } else if (ret == 1) {
2460 /* Call the real handler */
2461 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2462 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2465 #ifdef USE_TSHARK_SELECT
2470 CATCH(OutOfMemoryError) {
2474 "Sorry, but TShark has to terminate now!\n"
2476 "Some infos / workarounds can be found at:\n"
2477 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2484 /* capture child detected an error */
2486 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2488 cmdarg_err("%s", error_msg);
2489 cmdarg_err_cont("%s", secondary_error_msg);
2493 /* capture child detected an capture filter related error */
2495 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2497 capture_options *capture_opts = cap_session->capture_opts;
2498 dfilter_t *rfcode = NULL;
2499 interface_options interface_opts;
2501 g_assert(i < capture_opts->ifaces->len);
2502 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2504 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2506 "Invalid capture filter \"%s\" for interface '%s'!\n"
2508 "That string looks like a valid display filter; however, it isn't a valid\n"
2509 "capture filter (%s).\n"
2511 "Note that display filters and capture filters don't have the same syntax,\n"
2512 "so you can't use most display filter expressions as capture filters.\n"
2514 "See the User's Guide for a description of the capture filter syntax.",
2515 interface_opts.cfilter, interface_opts.descr, error_message);
2516 dfilter_free(rfcode);
2519 "Invalid capture filter \"%s\" for interface '%s'!\n"
2521 "That string isn't a valid capture filter (%s).\n"
2522 "See the User's Guide for a description of the capture filter syntax.",
2523 interface_opts.cfilter, interface_opts.descr, error_message);
2528 /* capture child tells us we have a new (or the first) capture file */
2530 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2532 capture_options *capture_opts = cap_session->capture_opts;
2533 gboolean is_tempfile;
2536 if (cap_session->state == CAPTURE_PREPARING) {
2537 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2539 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2541 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2543 /* free the old filename */
2544 if (capture_opts->save_file != NULL) {
2546 /* we start a new capture file, close the old one (if we had one before) */
2547 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2548 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2549 wtap_close(((capture_file *) cap_session->cf)->wth);
2550 ((capture_file *) cap_session->cf)->wth = NULL;
2552 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2555 g_free(capture_opts->save_file);
2556 is_tempfile = FALSE;
2558 /* we didn't had a save_file before, must be a tempfile */
2562 /* save the new filename */
2563 capture_opts->save_file = g_strdup(new_file);
2565 /* if we are in real-time mode, open the new file now */
2566 if (do_dissection) {
2567 /* Attempt to open the capture file and set up to read from it. */
2568 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, is_tempfile, &err)) {
2572 /* Don't unlink (delete) the save file - leave it around,
2573 for debugging purposes. */
2574 g_free(capture_opts->save_file);
2575 capture_opts->save_file = NULL;
2580 cap_session->state = CAPTURE_RUNNING;
2586 /* capture child tells us we have new packets to read */
2588 capture_input_new_packets(capture_session *cap_session, int to_read)
2594 capture_file *cf = (capture_file *)cap_session->cf;
2595 gboolean filtering_tap_listeners;
2600 * Prevent a SIGINFO handler from writing to the standard error while
2601 * we're doing so or writing to the standard output; instead, have it
2602 * just set a flag telling us to print that information when we're done.
2605 #endif /* SIGINFO */
2607 /* Do we have any tap listeners with filters? */
2608 filtering_tap_listeners = have_filtering_tap_listeners();
2610 /* Get the union of the flags for all tap listeners. */
2611 tap_flags = union_of_tap_listener_flags();
2613 if (do_dissection) {
2614 gboolean create_proto_tree;
2615 epan_dissect_t *edt;
2617 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2618 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2619 create_proto_tree = TRUE;
2621 create_proto_tree = FALSE;
2623 /* The protocol tree will be "visible", i.e., printed, only if we're
2624 printing packet details, which is true if we're printing stuff
2625 ("print_packet_info" is true) and we're in verbose mode
2626 ("packet_details" is true). */
2627 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2629 while (to_read-- && cf->wth) {
2630 wtap_cleareof(cf->wth);
2631 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2633 /* read from file failed, tell the capture child to stop */
2634 sync_pipe_stop(cap_session);
2635 wtap_close(cf->wth);
2638 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2639 wtap_buf_ptr(cf->wth),
2643 /* packet successfully read and gone through the "Read Filter" */
2648 epan_dissect_free(edt);
2652 * Dumpcap's doing all the work; we're not doing any dissection.
2653 * Count all the packets it wrote.
2655 packet_count += to_read;
2658 if (print_packet_counts) {
2659 /* We're printing packet counts. */
2660 if (packet_count != 0) {
2661 fprintf(stderr, "\r%u ", packet_count);
2662 /* stderr could be line buffered */
2669 * Allow SIGINFO handlers to write.
2674 * If a SIGINFO handler asked us to write out capture counts, do so.
2678 #endif /* SIGINFO */
2684 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2685 /* Report the count only if we aren't printing a packet count
2686 as packets arrive. */
2687 fprintf(stderr, "%u packet%s captured\n", packet_count,
2688 plurality(packet_count, "", "s"));
2691 infoprint = FALSE; /* we just reported it */
2692 #endif /* SIGINFO */
2697 report_counts_siginfo(int signum _U_)
2699 int sav_errno = errno;
2700 /* If we've been told to delay printing, just set a flag asking
2701 that we print counts (if we're supposed to), otherwise print
2702 the count of packets captured (if we're supposed to). */
2709 #endif /* SIGINFO */
2712 /* capture child detected any packet drops? */
2714 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2716 if (print_packet_counts) {
2717 /* We're printing packet counts to stderr.
2718 Send a newline so that we move to the line after the packet count. */
2719 fprintf(stderr, "\n");
2723 /* We're printing packet counts to stderr.
2724 Send a newline so that we move to the line after the packet count. */
2725 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2731 * Capture child closed its side of the pipe, report any error and
2732 * do the required cleanup.
2735 capture_input_closed(capture_session *cap_session, gchar *msg)
2737 capture_file *cf = (capture_file *) cap_session->cf;
2740 fprintf(stderr, "tshark: %s\n", msg);
2744 if (cf != NULL && cf->wth != NULL) {
2745 wtap_close(cf->wth);
2746 if (cf->is_tempfile) {
2747 ws_unlink(cf->filename);
2750 #ifdef USE_BROKEN_G_MAIN_LOOP
2751 /*g_main_loop_quit(loop);*/
2754 loop_running = FALSE;
2763 capture_cleanup(DWORD ctrltype _U_)
2765 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2766 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2767 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2768 like SIGTERM at least when the machine's shutting down.
2770 For now, we handle them all as indications that we should clean up
2771 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2774 We must return TRUE so that no other handler - such as one that would
2775 terminate the process - gets called.
2777 XXX - for some reason, typing ^C to TShark, if you run this in
2778 a Cygwin console window in at least some versions of Cygwin,
2779 causes TShark to terminate immediately; this routine gets
2780 called, but the main loop doesn't get a chance to run and
2781 exit cleanly, at least if this is compiled with Microsoft Visual
2782 C++ (i.e., it's a property of the Cygwin console window or Bash;
2783 it happens if TShark is not built with Cygwin - for all I know,
2784 building it with Cygwin may make the problem go away). */
2786 /* tell the capture child to stop */
2787 sync_pipe_stop(&global_capture_session);
2789 /* don't stop our own loop already here, otherwise status messages and
2790 * cleanup wouldn't be done properly. The child will indicate the stop of
2791 * everything by calling capture_input_closed() later */
2797 capture_cleanup(int signum _U_)
2799 /* tell the capture child to stop */
2800 sync_pipe_stop(&global_capture_session);
2802 /* don't stop our own loop already here, otherwise status messages and
2803 * cleanup wouldn't be done properly. The child will indicate the stop of
2804 * everything by calling capture_input_closed() later */
2807 #endif /* HAVE_LIBPCAP */
2810 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2811 gint64 offset, struct wtap_pkthdr *whdr,
2818 /* The frame number of this packet is one more than the count of
2819 frames in this packet. */
2820 framenum = cf->count + 1;
2822 /* If we're not running a display filter and we're not printing any
2823 packet information, we don't need to do a dissection. This means
2824 that all packets can be marked as 'passed'. */
2827 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2829 /* If we're going to print packet information, or we're going to
2830 run a read filter, or display filter, or we're going to process taps, set up to
2831 do a dissection and do so. */
2833 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2834 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2835 /* Grab any resolved addresses */
2836 host_name_lookup_process();
2838 /* If we're running a read filter, prime the epan_dissect_t with that
2841 epan_dissect_prime_dfilter(edt, cf->rfcode);
2843 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2845 if (ref == &fdlocal) {
2846 ref_frame = fdlocal;
2850 epan_dissect_run(edt, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2852 /* Run the read filter if we have one. */
2854 passed = dfilter_apply_edt(cf->rfcode, edt);
2858 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2859 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2861 /* If we're not doing dissection then there won't be any dependent frames.
2862 * More importantly, edt.pi.dependent_frames won't be initialized because
2863 * epan hasn't been initialized.
2866 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2871 /* if we don't add it to the frame_data_sequence, clean it up right now
2873 frame_data_destroy(&fdlocal);
2877 epan_dissect_reset(edt);
2883 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2884 struct wtap_pkthdr *phdr, Buffer *buf,
2890 /* If we're not running a display filter and we're not printing any
2891 packet information, we don't need to do a dissection. This means
2892 that all packets can be marked as 'passed'. */
2895 /* If we're going to print packet information, or we're going to
2896 run a read filter, or we're going to process taps, set up to
2897 do a dissection and do so. */
2899 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2900 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2901 /* Grab any resolved addresses */
2902 host_name_lookup_process();
2904 /* If we're running a display filter, prime the epan_dissect_t with that
2907 epan_dissect_prime_dfilter(edt, cf->dfcode);
2909 col_custom_prime_edt(edt, &cf->cinfo);
2911 /* We only need the columns if either
2912 1) some tap needs the columns
2914 2) we're printing packet info but we're *not* verbose; in verbose
2915 mode, we print the protocol tree, not the protocol summary.
2917 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
2922 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2929 epan_dissect_run_with_taps(edt, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2931 /* Run the read/display filter if we have one. */
2933 passed = dfilter_apply_edt(cf->dfcode, edt);
2937 frame_data_set_after_dissect(fdata, &cum_bytes);
2938 /* Process this packet. */
2939 if (print_packet_info) {
2940 /* We're printing packet information; print the information for
2942 print_packet(cf, edt);
2944 /* The ANSI C standard does not appear to *require* that a line-buffered
2945 stream be flushed to the host environment whenever a newline is
2946 written, it just says that, on such a stream, characters "are
2947 intended to be transmitted to or from the host environment as a
2948 block when a new-line character is encountered".
2950 The Visual C++ 6.0 C implementation doesn't do what is intended;
2951 even if you set a stream to be line-buffered, it still doesn't
2952 flush the buffer at the end of every line.
2954 So, if the "-l" flag was specified, we flush the standard output
2955 at the end of a packet. This will do the right thing if we're
2956 printing packet summary lines, and, as we print the entire protocol
2957 tree for a single packet without waiting for anything to happen,
2958 it should be as good as line-buffered mode if we're printing
2959 protocol trees. (The whole reason for the "-l" flag in either
2960 tcpdump or TShark is to allow the output of a live capture to
2961 be piped to a program or script and to have that script see the
2962 information for the packet as soon as it's printed, rather than
2963 having to wait until a standard I/O buffer fills up. */
2967 if (ferror(stdout)) {
2968 show_print_file_io_error(errno);
2977 epan_dissect_reset(edt);
2979 return passed || fdata->flags.dependent_of_displayed;
2983 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
2984 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2987 int snapshot_length;
2991 gchar *err_info = NULL;
2993 char *save_file_string = NULL;
2994 gboolean filtering_tap_listeners;
2996 wtapng_section_t *shb_hdr;
2997 wtapng_iface_descriptions_t *idb_inf;
3000 epan_dissect_t *edt = NULL;
3002 shb_hdr = wtap_file_get_shb_info(cf->wth);
3003 idb_inf = wtap_file_get_idb_info(cf->wth);
3004 #ifdef PCAP_NG_DEFAULT
3005 if (idb_inf->number_of_interfaces > 1) {
3006 linktype = WTAP_ENCAP_PER_PACKET;
3008 linktype = wtap_file_encap(cf->wth);
3011 linktype = wtap_file_encap(cf->wth);
3013 if (save_file != NULL) {
3014 /* Get a string that describes what we're writing to */
3015 save_file_string = output_file_description(save_file);
3017 /* Set up to write to the capture file. */
3018 snapshot_length = wtap_snapshot_length(cf->wth);
3019 if (snapshot_length == 0) {
3020 /* Snapshot length of input file not known. */
3021 snapshot_length = WTAP_MAX_PACKET_SIZE;
3023 /* If we don't have an application name add Tshark */
3024 if (shb_hdr->shb_user_appl == NULL) {
3025 g_snprintf(appname, sizeof(appname), "TShark " VERSION "%s", wireshark_svnversion);
3026 shb_hdr->shb_user_appl = appname;
3029 if (linktype != WTAP_ENCAP_PER_PACKET &&
3030 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3031 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3032 snapshot_length, FALSE /* compressed */, &err);
3034 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3035 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3041 /* We couldn't set up to write to the capture file. */
3044 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3045 cmdarg_err("Capture files can't be written in that format.");
3048 case WTAP_ERR_UNSUPPORTED_ENCAP:
3049 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3050 cmdarg_err("The capture file being read can't be written as a "
3051 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3054 case WTAP_ERR_CANT_OPEN:
3055 cmdarg_err("The %s couldn't be created for some "
3056 "unknown reason.", save_file_string);
3059 case WTAP_ERR_SHORT_WRITE:
3060 cmdarg_err("A full header couldn't be written to the %s.",
3065 cmdarg_err("The %s could not be created: %s.", save_file_string,
3066 wtap_strerror(err));
3072 if (print_packet_info) {
3073 if (!write_preamble(cf)) {
3075 show_print_file_io_error(err);
3084 if (pdh && out_file_name_res) {
3085 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3086 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3087 wtap_file_type_subtype_short_string(out_file_type));
3091 /* Do we have any tap listeners with filters? */
3092 filtering_tap_listeners = have_filtering_tap_listeners();
3094 /* Get the union of the flags for all tap listeners. */
3095 tap_flags = union_of_tap_listener_flags();
3097 if (perform_two_pass_analysis) {
3100 /* Allocate a frame_data_sequence for all the frames. */
3101 cf->frames = new_frame_data_sequence();
3103 if (do_dissection) {
3104 gboolean create_proto_tree = FALSE;
3106 /* If we're going to be applying a filter, we'll need to
3107 create a protocol tree against which to apply the filter. */
3109 create_proto_tree = TRUE;
3111 /* We're not going to display the protocol tree on this pass,
3112 so it's not going to be "visible". */
3113 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3116 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3117 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3118 wtap_buf_ptr(cf->wth))) {
3119 /* Stop reading if we have the maximum number of packets;
3120 * When the -c option has not been used, max_packet_count
3121 * starts at 0, which practically means, never stop reading.
3122 * (unless we roll over max_packet_count ?)
3124 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3125 err = 0; /* This is not an error */
3132 epan_dissect_free(edt);
3136 /* Close the sequential I/O side, to free up memory it requires. */
3137 wtap_sequential_close(cf->wth);
3139 /* Allow the protocol dissectors to free up memory that they
3140 * don't need after the sequential run-through of the packets. */
3141 postseq_cleanup_all_protocols();
3145 buffer_init(&buf, 1500);
3147 if (do_dissection) {
3148 gboolean create_proto_tree;
3150 if (cf->dfcode || print_details || filtering_tap_listeners ||
3151 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3152 create_proto_tree = TRUE;
3154 create_proto_tree = FALSE;
3156 /* The protocol tree will be "visible", i.e., printed, only if we're
3157 printing packet details, which is true if we're printing stuff
3158 ("print_packet_info" is true) and we're in verbose mode
3159 ("packet_details" is true). */
3160 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3163 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3164 fdata = frame_data_sequence_find(cf->frames, framenum);
3165 if (wtap_seek_read(cf->wth, fdata->file_off, &cf->phdr,
3166 &buf, fdata->cap_len, &err, &err_info)) {
3167 if (process_packet_second_pass(cf, edt, fdata, &cf->phdr, &buf,
3169 /* Either there's no read filtering or this packet passed the
3170 filter, so, if we're writing to a capture file, write
3173 if (!wtap_dump(pdh, &cf->phdr, buffer_start_ptr(&cf->buf), &err)) {
3174 /* Error writing to a capture file */
3177 case WTAP_ERR_UNSUPPORTED_ENCAP:
3179 * This is a problem with the particular frame we're writing;
3180 * note that, and give the frame number.
3182 * XXX - framenum is not necessarily the frame number in
3183 * the input file if there was a read filter.
3186 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3187 framenum, cf->filename,
3188 wtap_file_type_subtype_short_string(out_file_type));
3192 show_capture_file_io_error(save_file, err, FALSE);
3195 wtap_dump_close(pdh, &err);
3205 epan_dissect_free(edt);
3214 if (do_dissection) {
3215 gboolean create_proto_tree;
3217 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3218 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3219 create_proto_tree = TRUE;
3221 create_proto_tree = FALSE;
3223 /* The protocol tree will be "visible", i.e., printed, only if we're
3224 printing packet details, which is true if we're printing stuff
3225 ("print_packet_info" is true) and we're in verbose mode
3226 ("packet_details" is true). */
3227 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3230 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3233 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3234 wtap_buf_ptr(cf->wth),
3236 /* Either there's no read filtering or this packet passed the
3237 filter, so, if we're writing to a capture file, write
3240 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3241 /* Error writing to a capture file */
3244 case WTAP_ERR_UNSUPPORTED_ENCAP:
3246 * This is a problem with the particular frame we're writing;
3247 * note that, and give the frame number.
3250 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3251 framenum, cf->filename,
3252 wtap_file_type_subtype_short_string(out_file_type));
3256 show_capture_file_io_error(save_file, err, FALSE);
3259 wtap_dump_close(pdh, &err);
3265 /* Stop reading if we have the maximum number of packets;
3266 * When the -c option has not been used, max_packet_count
3267 * starts at 0, which practically means, never stop reading.
3268 * (unless we roll over max_packet_count ?)
3270 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3271 err = 0; /* This is not an error */
3277 epan_dissect_free(edt);
3284 * Print a message noting that the read failed somewhere along the line.
3286 * If we're printing packet data, and the standard output and error are
3287 * going to the same place, flush the standard output, so everything
3288 * buffered up is written, and then print a newline to the standard error
3289 * before printing the error message, to separate it from the packet
3290 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3291 * the _fstat() documentation at Microsoft doesn't indicate whether
3292 * st_ino is even supported.)
3295 if (print_packet_info) {
3296 struct stat stat_stdout, stat_stderr;
3298 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3299 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3300 stat_stdout.st_ino == stat_stderr.st_ino) {
3302 fprintf(stderr, "\n");
3309 case WTAP_ERR_UNSUPPORTED:
3310 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3311 cf->filename, err_info);
3315 case WTAP_ERR_UNSUPPORTED_ENCAP:
3316 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3317 cf->filename, err_info);
3321 case WTAP_ERR_CANT_READ:
3322 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3326 case WTAP_ERR_SHORT_READ:
3327 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3331 case WTAP_ERR_BAD_FILE:
3332 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3333 cf->filename, err_info);
3337 case WTAP_ERR_DECOMPRESS:
3338 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3339 "(%s)", cf->filename, err_info);
3343 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3344 cf->filename, wtap_strerror(err));
3347 if (save_file != NULL) {
3348 /* Now close the capture file. */
3349 if (!wtap_dump_close(pdh, &err))
3350 show_capture_file_io_error(save_file, err, TRUE);
3353 if (save_file != NULL) {
3354 /* Now close the capture file. */
3355 if (!wtap_dump_close(pdh, &err))
3356 show_capture_file_io_error(save_file, err, TRUE);
3358 if (print_packet_info) {
3359 if (!write_finale()) {
3361 show_print_file_io_error(err);
3368 wtap_close(cf->wth);
3371 g_free(save_file_string);
3378 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3379 const guchar *pd, guint tap_flags)
3385 /* Count this packet. */
3388 /* If we're not running a display filter and we're not printing any
3389 packet information, we don't need to do a dissection. This means
3390 that all packets can be marked as 'passed'. */
3393 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3395 /* If we're going to print packet information, or we're going to
3396 run a read filter, or we're going to process taps, set up to
3397 do a dissection and do so. */
3399 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3400 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3401 /* Grab any resolved addresses */
3402 host_name_lookup_process();
3404 /* If we're running a filter, prime the epan_dissect_t with that
3407 epan_dissect_prime_dfilter(edt, cf->dfcode);
3409 col_custom_prime_edt(edt, &cf->cinfo);
3411 /* We only need the columns if either
3412 1) some tap needs the columns
3414 2) we're printing packet info but we're *not* verbose; in verbose
3415 mode, we print the protocol tree, not the protocol summary.
3417 3) there is a column mapped as an individual field */
3418 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3423 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3425 if (ref == &fdata) {
3430 epan_dissect_run_with_taps(edt, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3432 /* Run the filter if we have it. */
3434 passed = dfilter_apply_edt(cf->dfcode, edt);
3438 frame_data_set_after_dissect(&fdata, &cum_bytes);
3440 /* Process this packet. */
3441 if (print_packet_info) {
3442 /* We're printing packet information; print the information for
3444 print_packet(cf, edt);
3446 /* The ANSI C standard does not appear to *require* that a line-buffered
3447 stream be flushed to the host environment whenever a newline is
3448 written, it just says that, on such a stream, characters "are
3449 intended to be transmitted to or from the host environment as a
3450 block when a new-line character is encountered".
3452 The Visual C++ 6.0 C implementation doesn't do what is intended;
3453 even if you set a stream to be line-buffered, it still doesn't
3454 flush the buffer at the end of every line.
3456 So, if the "-l" flag was specified, we flush the standard output
3457 at the end of a packet. This will do the right thing if we're
3458 printing packet summary lines, and, as we print the entire protocol
3459 tree for a single packet without waiting for anything to happen,
3460 it should be as good as line-buffered mode if we're printing
3461 protocol trees. (The whole reason for the "-l" flag in either
3462 tcpdump or TShark is to allow the output of a live capture to
3463 be piped to a program or script and to have that script see the
3464 information for the packet as soon as it's printed, rather than
3465 having to wait until a standard I/O buffer fills up. */
3469 if (ferror(stdout)) {
3470 show_print_file_io_error(errno);
3475 /* this must be set after print_packet() [bug #8160] */
3476 prev_dis_frame = fdata;
3477 prev_dis = &prev_dis_frame;
3480 prev_cap_frame = fdata;
3481 prev_cap = &prev_cap_frame;
3484 epan_dissect_reset(edt);
3485 frame_data_destroy(&fdata);
3491 write_preamble(capture_file *cf)
3493 switch (output_action) {
3496 return print_preamble(print_stream, cf ? cf->filename : NULL, wireshark_svnversion);
3500 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3502 write_psml_preamble(stdout);
3503 return !ferror(stdout);
3506 write_fields_preamble(output_fields, stdout);
3507 return !ferror(stdout);
3510 g_assert_not_reached();
3516 get_line_buf(size_t len)
3518 static char *line_bufp = NULL;
3519 static size_t line_buf_len = 256;
3520 size_t new_line_buf_len;
3522 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3523 new_line_buf_len *= 2)
3525 if (line_bufp == NULL) {
3526 line_buf_len = new_line_buf_len;
3527 line_bufp = (char *)g_malloc(line_buf_len + 1);
3529 if (new_line_buf_len > line_buf_len) {
3530 line_buf_len = new_line_buf_len;
3531 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3538 put_string(char *dest, const char *str, size_t str_len)
3540 memcpy(dest, str, str_len);
3541 dest[str_len] = '\0';
3545 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3549 for (i = str_len; i < str_with_spaces; i++)
3552 put_string(dest, str, str_len);
3556 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3560 memcpy(dest, str, str_len);
3561 for (i = str_len; i < str_with_spaces; i++)
3564 dest[str_with_spaces] = '\0';
3568 print_columns(capture_file *cf)
3576 line_bufp = get_line_buf(256);
3579 for (i = 0; i < cf->cinfo.num_cols; i++) {
3580 /* Skip columns not marked as visible. */
3581 if (!get_column_visible(i))
3583 switch (cf->cinfo.col_fmt[i]) {
3585 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3588 line_bufp = get_line_buf(buf_offset + column_len);
3589 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3595 case COL_ABS_YMD_TIME: /* XXX - wider */
3596 case COL_ABS_YDOY_TIME: /* XXX - wider */
3598 case COL_UTC_YMD_TIME: /* XXX - wider */
3599 case COL_UTC_YDOY_TIME: /* XXX - wider */
3600 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3601 if (column_len < 10)
3603 line_bufp = get_line_buf(buf_offset + column_len);
3604 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3610 case COL_DEF_DL_SRC:
3611 case COL_RES_DL_SRC:
3612 case COL_UNRES_DL_SRC:
3613 case COL_DEF_NET_SRC:
3614 case COL_RES_NET_SRC:
3615 case COL_UNRES_NET_SRC:
3616 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3617 if (column_len < 12)
3619 line_bufp = get_line_buf(buf_offset + column_len);
3620 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3626 case COL_DEF_DL_DST:
3627 case COL_RES_DL_DST:
3628 case COL_UNRES_DL_DST:
3629 case COL_DEF_NET_DST:
3630 case COL_RES_NET_DST:
3631 case COL_UNRES_NET_DST:
3632 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3633 if (column_len < 12)
3635 line_bufp = get_line_buf(buf_offset + column_len);
3636 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3640 column_len = strlen(cf->cinfo.col_data[i]);
3641 line_bufp = get_line_buf(buf_offset + column_len);
3642 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3645 buf_offset += column_len;
3646 if (i != cf->cinfo.num_cols - 1) {
3648 * This isn't the last column, so we need to print a
3649 * separator between this column and the next.
3651 * If we printed a network source and are printing a
3652 * network destination of the same type next, separate
3653 * them with " -> "; if we printed a network destination
3654 * and are printing a network source of the same type
3655 * next, separate them with " <- "; otherwise separate them
3658 * We add enough space to the buffer for " <- " or " -> ",
3659 * even if we're only adding " ".
3661 line_bufp = get_line_buf(buf_offset + 4);
3662 switch (cf->cinfo.col_fmt[i]) {
3667 switch (cf->cinfo.col_fmt[i + 1]) {
3672 put_string(line_bufp + buf_offset, " -> ", 4);
3677 put_string(line_bufp + buf_offset, " ", 1);
3683 case COL_DEF_DL_SRC:
3684 case COL_RES_DL_SRC:
3685 case COL_UNRES_DL_SRC:
3686 switch (cf->cinfo.col_fmt[i + 1]) {
3688 case COL_DEF_DL_DST:
3689 case COL_RES_DL_DST:
3690 case COL_UNRES_DL_DST:
3691 put_string(line_bufp + buf_offset, " -> ", 4);
3696 put_string(line_bufp + buf_offset, " ", 1);
3702 case COL_DEF_NET_SRC:
3703 case COL_RES_NET_SRC:
3704 case COL_UNRES_NET_SRC:
3705 switch (cf->cinfo.col_fmt[i + 1]) {
3707 case COL_DEF_NET_DST:
3708 case COL_RES_NET_DST:
3709 case COL_UNRES_NET_DST:
3710 put_string(line_bufp + buf_offset, " -> ", 4);
3715 put_string(line_bufp + buf_offset, " ", 1);
3724 switch (cf->cinfo.col_fmt[i + 1]) {
3729 put_string(line_bufp + buf_offset, " <- ", 4);
3734 put_string(line_bufp + buf_offset, " ", 1);
3740 case COL_DEF_DL_DST:
3741 case COL_RES_DL_DST:
3742 case COL_UNRES_DL_DST:
3743 switch (cf->cinfo.col_fmt[i + 1]) {
3745 case COL_DEF_DL_SRC:
3746 case COL_RES_DL_SRC:
3747 case COL_UNRES_DL_SRC:
3748 put_string(line_bufp + buf_offset, " <- ", 4);
3753 put_string(line_bufp + buf_offset, " ", 1);
3759 case COL_DEF_NET_DST:
3760 case COL_RES_NET_DST:
3761 case COL_UNRES_NET_DST:
3762 switch (cf->cinfo.col_fmt[i + 1]) {
3764 case COL_DEF_NET_SRC:
3765 case COL_RES_NET_SRC:
3766 case COL_UNRES_NET_SRC:
3767 put_string(line_bufp + buf_offset, " <- ", 4);
3772 put_string(line_bufp + buf_offset, " ", 1);
3779 put_string(line_bufp + buf_offset, " ", 1);
3785 return print_line(print_stream, 0, line_bufp);
3789 print_packet(capture_file *cf, epan_dissect_t *edt)
3791 print_args_t print_args;
3793 if (print_summary || output_fields_has_cols(output_fields)) {
3794 /* Just fill in the columns. */
3795 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3797 if (print_summary) {
3798 /* Now print them. */
3799 switch (output_action) {
3802 if (!print_columns(cf))
3807 proto_tree_write_psml(edt, stdout);
3808 return !ferror(stdout);
3809 case WRITE_FIELDS: /*No non-verbose "fields" format */
3810 g_assert_not_reached();
3815 if (print_details) {
3816 /* Print the information in the protocol tree. */
3817 switch (output_action) {
3820 /* Only initialize the fields that are actually used in proto_tree_print.
3821 * This is particularly important for .range, as that's heap memory which
3822 * we would otherwise have to g_free().
3823 print_args.to_file = TRUE;
3824 print_args.format = print_format;
3825 print_args.print_summary = print_summary;
3826 print_args.print_formfeed = FALSE;
3827 packet_range_init(&print_args.range, &cfile);
3829 print_args.print_hex = print_hex;
3830 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3832 if (!proto_tree_print(&print_args, edt, print_stream))
3835 if (!print_line(print_stream, 0, separator))
3841 proto_tree_write_pdml(edt, stdout);
3843 return !ferror(stdout);
3845 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3847 return !ferror(stdout);
3851 if (print_summary || print_details) {
3852 if (!print_line(print_stream, 0, ""))
3855 if (!print_hex_data(print_stream, edt))
3857 if (!print_line(print_stream, 0, separator))
3866 switch (output_action) {
3869 return print_finale(print_stream);
3873 write_pdml_finale(stdout);
3875 write_psml_finale(stdout);
3876 return !ferror(stdout);
3879 write_fields_finale(output_fields, stdout);
3880 return !ferror(stdout);
3883 g_assert_not_reached();
3889 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
3893 char err_msg[2048+1];
3895 wth = wtap_open_offline(fname, err, &err_info, perform_two_pass_analysis);
3899 /* The open succeeded. Fill in the information for this file. */
3901 /* Create new epan session for dissection. */
3902 epan_free(cf->epan);
3903 cf->epan = tshark_epan_new(cf);
3906 cf->f_datalen = 0; /* not used, but set it anyway */
3908 /* Set the file name because we need it to set the follow stream filter.
3909 XXX - is that still true? We need it for other reasons, though,
3911 cf->filename = g_strdup(fname);
3913 /* Indicate whether it's a permanent or temporary file. */
3914 cf->is_tempfile = is_tempfile;
3916 /* No user changes yet. */
3917 cf->unsaved_changes = FALSE;
3919 cf->cd_t = wtap_file_type_subtype(cf->wth);
3921 cf->drops_known = FALSE;
3923 cf->snap = wtap_snapshot_length(cf->wth);
3924 if (cf->snap == 0) {
3925 /* Snapshot length not known. */
3926 cf->has_snap = FALSE;
3927 cf->snap = WTAP_MAX_PACKET_SIZE;
3929 cf->has_snap = TRUE;
3930 nstime_set_zero(&cf->elapsed_time);
3935 cf->state = FILE_READ_IN_PROGRESS;
3937 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3938 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3943 g_snprintf(err_msg, sizeof err_msg,
3944 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
3945 cmdarg_err("%s", err_msg);
3950 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
3952 char *save_file_string;
3954 save_file_string = output_file_description(fname);
3959 cmdarg_err("Not all the packets could be written to the %s because there is "
3960 "no space left on the file system.",
3966 cmdarg_err("Not all the packets could be written to the %s because you are "
3967 "too close to, or over your disk quota.",
3972 case WTAP_ERR_CANT_CLOSE:
3973 cmdarg_err("The %s couldn't be closed for some unknown reason.",
3977 case WTAP_ERR_SHORT_WRITE:
3978 cmdarg_err("Not all the packets could be written to the %s.",
3984 cmdarg_err("The %s could not be closed: %s.", save_file_string,
3985 wtap_strerror(err));
3987 cmdarg_err("An error occurred while writing to the %s: %s.",
3988 save_file_string, wtap_strerror(err));
3992 g_free(save_file_string);
3996 show_print_file_io_error(int err)
4001 cmdarg_err("Not all the packets could be printed because there is "
4002 "no space left on the file system.");
4007 cmdarg_err("Not all the packets could be printed because you are "
4008 "too close to, or over your disk quota.");
4013 cmdarg_err("An error occurred while printing packets: %s.",
4020 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4024 static char errmsg_errno[1024+1];
4027 /* Wiretap error. */
4030 case WTAP_ERR_NOT_REGULAR_FILE:
4031 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4034 case WTAP_ERR_RANDOM_OPEN_PIPE:
4035 /* Seen only when opening a capture file for reading. */
4036 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4039 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4040 /* Seen only when opening a capture file for reading. */
4041 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4044 case WTAP_ERR_UNSUPPORTED:
4045 /* Seen only when opening a capture file for reading. */
4046 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4047 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4050 errmsg = errmsg_errno;
4053 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4054 /* Seen only when opening a capture file for writing. */
4055 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4056 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4057 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4058 errmsg = errmsg_errno;
4061 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4062 /* Seen only when opening a capture file for writing. */
4063 errmsg = "TShark doesn't support writing capture files in that format.";
4066 case WTAP_ERR_UNSUPPORTED_ENCAP:
4068 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4069 "TShark can't save this capture as a \"%s\" file.",
4070 wtap_file_type_subtype_short_string(file_type));
4072 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4073 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4077 errmsg = errmsg_errno;
4080 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4082 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4083 "TShark can't save this capture as a \"%s\" file.",
4084 wtap_file_type_subtype_short_string(file_type));
4085 errmsg = errmsg_errno;
4087 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4090 case WTAP_ERR_BAD_FILE:
4091 /* Seen only when opening a capture file for reading. */
4092 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4093 "The file \"%%s\" appears to be damaged or corrupt.\n"
4096 errmsg = errmsg_errno;
4099 case WTAP_ERR_CANT_OPEN:
4101 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4103 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4106 case WTAP_ERR_SHORT_READ:
4107 errmsg = "The file \"%s\" appears to have been cut short"
4108 " in the middle of a packet or other data.";
4111 case WTAP_ERR_SHORT_WRITE:
4112 errmsg = "A full header couldn't be written to the file \"%s\".";
4115 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4116 errmsg = "This file type cannot be written as a compressed file.";
4119 case WTAP_ERR_DECOMPRESS:
4120 /* Seen only when opening a capture file for reading. */
4121 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4122 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4125 errmsg = errmsg_errno;
4129 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4130 "The file \"%%s\" could not be %s: %s.",
4131 for_writing ? "created" : "opened",
4132 wtap_strerror(err));
4133 errmsg = errmsg_errno;
4137 errmsg = file_open_error_message(err, for_writing);
4142 * Open/create errors are reported with an console message in TShark.
4145 open_failure_message(const char *filename, int err, gboolean for_writing)
4147 fprintf(stderr, "tshark: ");
4148 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4149 fprintf(stderr, "\n");
4154 * General errors are reported with an console message in TShark.
4157 failure_message(const char *msg_format, va_list ap)
4159 fprintf(stderr, "tshark: ");
4160 vfprintf(stderr, msg_format, ap);
4161 fprintf(stderr, "\n");
4165 * Read errors are reported with an console message in TShark.
4168 read_failure_message(const char *filename, int err)
4170 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4171 filename, g_strerror(err));
4175 * Write errors are reported with an console message in TShark.
4178 write_failure_message(const char *filename, int err)
4180 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4181 filename, g_strerror(err));
4185 * Report an error in command-line arguments.
4188 cmdarg_err(const char *fmt, ...)
4193 failure_message(fmt, ap);
4198 * Report additional information for an error in command-line arguments.
4201 cmdarg_err_cont(const char *fmt, ...)
4206 vfprintf(stderr, fmt, ap);
4207 fprintf(stderr, "\n");
4213 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4218 * indent-tabs-mode: nil
4221 * vi: set shiftwidth=2 tabstop=8 expandtab:
4222 * :indentSize=2:tabSize=8:noTabs=true: