3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 # include <sys/capability.h>
47 #ifndef HAVE_GETOPT_LONG
48 #include "wsutil/wsgetopt.h"
53 #include <epan/exceptions.h>
54 #include <epan/epan-int.h>
55 #include <epan/epan.h>
57 #include <wsutil/clopts_common.h>
58 #include <wsutil/cmdarg_err.h>
59 #include <wsutil/crash_info.h>
60 #include <wsutil/filesystem.h>
61 #include <wsutil/file_util.h>
62 #include <wsutil/privileges.h>
63 #include <wsutil/report_err.h>
64 #include <ws_version_info.h>
65 #include <wiretap/wtap_opttypes.h>
66 #include <wiretap/pcapng.h>
69 #include <epan/timestamp.h>
70 #include <epan/packet.h>
72 #include <epan/wslua/init_wslua.h>
74 #include "frame_tvbuff.h"
75 #include <epan/disabled_protos.h>
76 #include <epan/prefs.h>
77 #include <epan/column.h>
78 #include <epan/print.h>
79 #include <epan/addr_resolv.h>
81 #include "ui/capture_ui_utils.h"
84 #include "ui/ui_util.h"
85 #include "ui/decode_as_utils.h"
86 #include "ui/cli/tshark-tap.h"
87 #include "ui/tap_export_pdu.h"
89 #include "filter_files.h"
90 #include <epan/epan_dissect.h>
92 #include <epan/stat_tap_ui.h>
93 #include <epan/conversation_table.h>
94 #include <epan/srt_table.h>
95 #include <epan/rtd_table.h>
96 #include <epan/ex-opt.h>
97 #include <epan/exported_pdu.h>
99 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
100 #include <epan/asn1.h>
101 #include <epan/dissectors/packet-kerberos.h>
104 #include "capture_opts.h"
106 #include "caputils/capture-pcap-util.h"
109 #include "caputils/capture_ifinfo.h"
111 #include "caputils/capture-wpcap.h"
112 #include <wsutil/os_version_info.h>
113 #include <wsutil/unicode-utils.h>
115 #include <capchild/capture_session.h>
116 #include <capchild/capture_sync.h>
117 #include <capture_info.h>
118 #endif /* HAVE_LIBPCAP */
120 #include <epan/funnel.h>
122 #include <wsutil/str_util.h>
123 #include <wsutil/utf8_entities.h>
126 #include <wsutil/plugins.h>
131 #define tshark_debug(...) g_warning(__VA_ARGS__)
133 #define tshark_debug(...)
138 * This is the template for the decode as option; it is shared between the
139 * various functions that output the usage for this parameter.
141 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
143 static guint32 cum_bytes;
144 static const frame_data *ref;
145 static frame_data ref_frame;
146 static frame_data *prev_dis;
147 static frame_data prev_dis_frame;
148 static frame_data *prev_cap;
149 static frame_data prev_cap_frame;
151 static const char* prev_display_dissector_name = NULL;
153 static gboolean perform_two_pass_analysis;
156 * The way the packet decode is to be written.
159 WRITE_TEXT, /* summary or detail text */
160 WRITE_XML, /* PDML or PSML */
161 WRITE_FIELDS, /* User defined list of fields */
162 WRITE_JSON, /* JSON */
163 WRITE_EK /* JSON bulk insert to Elasticsearch */
164 /* Add CSV and the like here */
167 static output_action_e output_action;
168 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
169 static gboolean print_packet_info; /* TRUE if we're to print packet information */
170 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
171 static gboolean print_details; /* TRUE if we're to print packet details information */
172 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
173 static gboolean line_buffered;
174 static gboolean really_quiet = FALSE;
176 static print_format_e print_format = PR_FMT_TEXT;
177 static print_stream_t *print_stream;
179 static output_fields_t* output_fields = NULL;
180 static gchar *jsonfilter = NULL;
182 /* The line separator used between packets, changeable via the -S option */
183 static const char *separator = "";
187 * TRUE if we're to print packet counts to keep track of captured packets.
189 static gboolean print_packet_counts;
191 static capture_options global_capture_opts;
192 static capture_session global_capture_session;
193 static info_data_t global_info_data;
196 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
197 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
200 static gboolean capture(void);
201 static void report_counts(void);
203 static BOOL WINAPI capture_cleanup(DWORD);
205 static void capture_cleanup(int);
207 static void report_counts_siginfo(int);
211 #else /* HAVE_LIBPCAP */
213 static char *output_file_name;
215 #endif /* HAVE_LIBPCAP */
217 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
218 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
219 struct wtap_pkthdr *whdr, const guchar *pd,
221 static void show_capture_file_io_error(const char *, int, gboolean);
222 static void show_print_file_io_error(int err);
223 static gboolean write_preamble(capture_file *cf);
224 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
225 static gboolean write_finale(void);
226 static const char *cf_open_error_message(int err, gchar *err_info,
227 gboolean for_writing, int file_type);
229 static void open_failure_message(const char *filename, int err,
230 gboolean for_writing);
231 static void failure_message(const char *msg_format, va_list ap);
232 static void read_failure_message(const char *filename, int err);
233 static void write_failure_message(const char *filename, int err);
234 static void failure_message_cont(const char *msg_format, va_list ap);
238 static GHashTable *output_only_tables = NULL;
241 const char *sstr; /* The short string */
242 const char *lstr; /* The long string */
246 string_compare(gconstpointer a, gconstpointer b)
248 return strcmp(((const struct string_elem *)a)->sstr,
249 ((const struct string_elem *)b)->sstr);
253 string_elem_print(gpointer data, gpointer not_used _U_)
255 fprintf(stderr, " %s - %s\n",
256 ((struct string_elem *)data)->sstr,
257 ((struct string_elem *)data)->lstr);
261 list_capture_types(void) {
263 struct string_elem *captypes;
266 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
268 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
269 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
270 if (wtap_dump_can_open(i)) {
271 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
272 captypes[i].lstr = wtap_file_type_subtype_string(i);
273 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
276 g_slist_foreach(list, string_elem_print, NULL);
282 list_read_capture_types(void) {
284 struct string_elem *captypes;
286 const char *magic = "Magic-value-based";
287 const char *heuristic = "Heuristics-based";
289 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
290 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
292 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
293 for (i = 0; open_routines[i].name != NULL; i++) {
294 captypes[i].sstr = open_routines[i].name;
295 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
296 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
298 g_slist_foreach(list, string_elem_print, NULL);
304 print_usage(FILE *output)
306 fprintf(output, "\n");
307 fprintf(output, "Usage: tshark [options] ...\n");
308 fprintf(output, "\n");
311 fprintf(output, "Capture interface:\n");
312 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
313 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
314 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
315 fprintf(output, " -p don't capture in promiscuous mode\n");
316 #ifdef HAVE_PCAP_CREATE
317 fprintf(output, " -I capture in monitor mode, if available\n");
319 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
320 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
322 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
323 fprintf(output, " -D print list of interfaces and exit\n");
324 fprintf(output, " -L print list of link-layer types of iface and exit\n");
325 fprintf(output, "\n");
326 fprintf(output, "Capture stop conditions:\n");
327 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
328 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
329 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
330 fprintf(output, " files:NUM - stop after NUM files\n");
331 /*fprintf(output, "\n");*/
332 fprintf(output, "Capture output:\n");
333 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
334 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
335 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
336 #endif /* HAVE_LIBPCAP */
337 #ifdef HAVE_PCAP_REMOTE
338 fprintf(output, "RPCAP options:\n");
339 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
341 /*fprintf(output, "\n");*/
342 fprintf(output, "Input file:\n");
343 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
345 fprintf(output, "\n");
346 fprintf(output, "Processing:\n");
347 fprintf(output, " -2 perform a two-pass analysis\n");
348 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
349 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
350 fprintf(output, " syntax\n");
351 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
352 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
353 fprintf(output, " -d %s ...\n", decode_as_arg_template);
354 fprintf(output, " \"Decode As\", see the man page for details\n");
355 fprintf(output, " Example: tcp.port==8888,http\n");
356 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
357 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
358 fprintf(output, " --disable-protocol <proto_name>\n");
359 fprintf(output, " disable dissection of proto_name\n");
360 fprintf(output, " --enable-heuristic <short_name>\n");
361 fprintf(output, " enable dissection of heuristic protocol\n");
362 fprintf(output, " --disable-heuristic <short_name>\n");
363 fprintf(output, " disable dissection of heuristic protocol\n");
365 /*fprintf(output, "\n");*/
366 fprintf(output, "Output:\n");
367 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
368 fprintf(output, " (or to the standard output for \"-\")\n");
369 fprintf(output, " -C <config profile> start with specified configuration profile\n");
370 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
371 fprintf(output, " an empty \"-F\" option will list the file types\n");
372 fprintf(output, " -V add output of packet tree (Packet Details)\n");
373 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
374 fprintf(output, " separated\n");
375 fprintf(output, " -P print packet summary even when writing to a file\n");
376 fprintf(output, " -S <separator> the line separator to print between packets\n");
377 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
378 fprintf(output, " -T pdml|ps|psml|json|ek|text|fields\n");
379 fprintf(output, " format of text output (def: text)\n");
380 fprintf(output, " -j <jsonfilter> only protocols layers to include if -Tjson, -Tek selected,\n");
381 fprintf(output, " (e.g. \"http tcp ip\",\n");
382 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
383 fprintf(output, " _ws.col.Info)\n");
384 fprintf(output, " this option can be repeated to print multiple fields\n");
385 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
386 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
387 fprintf(output, " header=y|n switch headers on and off\n");
388 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
389 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
390 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
391 fprintf(output, " aggregator\n");
392 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
393 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
394 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
395 fprintf(output, " -l flush standard output after each packet\n");
396 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
397 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
398 fprintf(output, " -g enable group read access on the output file(s)\n");
399 fprintf(output, " -W n Save extra information in the file, if supported.\n");
400 fprintf(output, " n = write network address resolution information\n");
401 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
402 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
403 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
404 fprintf(output, " --capture-comment <comment>\n");
405 fprintf(output, " add a capture comment to the newly created\n");
406 fprintf(output, " output file (only for pcapng)\n");
408 fprintf(output, "\n");
409 fprintf(output, "Miscellaneous:\n");
410 fprintf(output, " -h display this help and exit\n");
411 fprintf(output, " -v display version info and exit\n");
412 fprintf(output, " -o <name>:<value> ... override preference setting\n");
413 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
414 fprintf(output, " -G [report] dump one of several available reports and exit\n");
415 fprintf(output, " default report=\"fields\"\n");
416 fprintf(output, " use \"-G ?\" for more help\n");
418 fprintf(output, "\n");
419 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
420 fprintf(output, "You might want to reset it\n");
421 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
422 fprintf(output, "\n");
428 glossary_option_help(void)
434 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
436 fprintf(output, "\n");
437 fprintf(output, "Usage: tshark -G [report]\n");
438 fprintf(output, "\n");
439 fprintf(output, "Glossary table reports:\n");
440 fprintf(output, " -G column-formats dump column format codes and exit\n");
441 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
442 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
443 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
444 fprintf(output, " -G fields dump fields glossary and exit\n");
445 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
446 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
447 fprintf(output, " -G plugins dump installed plugins and exit\n");
448 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
449 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
450 fprintf(output, "\n");
451 fprintf(output, "Preference reports:\n");
452 fprintf(output, " -G currentprefs dump current preferences and exit\n");
453 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
454 fprintf(output, "\n");
458 * For a dissector table, print on the stream described by output,
459 * its short name (which is what's used in the "-d" option) and its
463 display_dissector_table_names(const char *table_name, const char *ui_name,
466 if ((prev_display_dissector_name == NULL) ||
467 (strcmp(prev_display_dissector_name, table_name) != 0)) {
468 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
469 prev_display_dissector_name = table_name;
474 * For a dissector handle, print on the stream described by output,
475 * the filter name (which is what's used in the "-d" option) and the full
476 * name for the protocol that corresponds to this handle.
479 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
482 const gchar *proto_filter_name;
483 const gchar *proto_ui_name;
485 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
487 if (proto_id != -1) {
488 proto_filter_name = proto_get_protocol_filter_name(proto_id);
489 proto_ui_name = proto_get_protocol_name(proto_id);
490 g_assert(proto_filter_name != NULL);
491 g_assert(proto_ui_name != NULL);
493 if ((prev_display_dissector_name == NULL) ||
494 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
495 fprintf((FILE *)output, "\t%s (%s)\n",
498 prev_display_dissector_name = proto_filter_name;
504 * The protocol_name_search structure is used by find_protocol_name_func()
505 * to pass parameters and store results
507 struct protocol_name_search{
508 gchar *searched_name; /* Protocol filter name we are looking for */
509 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
510 guint nb_match; /* How many dissectors matched searched_name */
512 typedef struct protocol_name_search *protocol_name_search_t;
515 * This function parses all dissectors associated with a table to find the
516 * one whose protocol has the specified filter name. It is called
517 * as a reference function in a call to dissector_table_foreach_handle.
518 * The name we are looking for, as well as the results, are stored in the
519 * protocol_name_search struct pointed to by user_data.
520 * If called using dissector_table_foreach_handle, we actually parse the
521 * whole list of dissectors.
524 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
528 const gchar *protocol_filter_name;
529 protocol_name_search_t search_info;
533 search_info = (protocol_name_search_t)user_data;
535 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
536 if (proto_id != -1) {
537 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
538 g_assert(protocol_filter_name != NULL);
539 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
541 if (search_info->nb_match == 0) {
542 /* Record this handle only if this is the first match */
543 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
545 search_info->nb_match++;
551 * Allow dissector key names to be sorted alphabetically
555 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
557 return strcmp((const char*)dissector_a, (const char*)dissector_b);
561 * Print all layer type names supported.
562 * We send the output to the stream described by the handle output.
566 fprint_all_layer_types(FILE *output)
569 prev_display_dissector_name = NULL;
570 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
574 * Print all protocol names supported for a specific layer type.
575 * table_name contains the layer type name in which the search is performed.
576 * We send the output to the stream described by the handle output.
580 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
583 prev_display_dissector_name = NULL;
584 dissector_table_foreach_handle(table_name,
585 display_dissector_names,
590 * The function below parses the command-line parameters for the decode as
591 * feature (a string pointer by cl_param).
592 * It checks the format of the command-line, searches for a matching table
593 * and dissector. If a table/dissector match is not found, we display a
594 * summary of the available tables/dissectors (on stderr) and return FALSE.
595 * If everything is fine, we get the "Decode as" preference activated,
596 * then we return TRUE.
599 add_decode_as(const gchar *cl_param)
602 guint32 selector, selector2;
603 gchar *decoded_param;
604 gchar *remaining_param;
606 gchar *dissector_str;
607 dissector_handle_t dissector_matching;
608 dissector_table_t table_matching;
609 ftenum_t dissector_table_selector_type;
610 struct protocol_name_search user_protocol_name;
614 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
617 decoded_param = g_strdup(cl_param);
618 g_assert(decoded_param);
621 /* The lines below will parse this string (modifying it) to extract all
622 necessary information. Note that decoded_param is still needed since
623 strings are not copied - we just save pointers. */
625 /* This section extracts a layer type (table_name) from decoded_param */
626 table_name = decoded_param; /* Layer type string starts from beginning */
628 remaining_param = strchr(table_name, '=');
629 if (remaining_param == NULL) {
630 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
631 /* If the argument does not follow the template, carry on anyway to check
632 if the table name is at least correct. If remaining_param is NULL,
633 we'll exit anyway further down */
636 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
639 /* Remove leading and trailing spaces from the table name */
640 while ( table_name[0] == ' ' )
642 while ( table_name[strlen(table_name) - 1] == ' ' )
643 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
645 /* The following part searches a table matching with the layer type specified */
646 table_matching = NULL;
648 /* Look for the requested table */
649 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
650 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
653 table_matching = find_dissector_table(table_name);
654 if (!table_matching) {
655 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
659 if (!table_matching) {
660 /* Display a list of supported layer types to help the user, if the
661 specified layer type was not found */
662 cmdarg_err("Valid layer types are:");
663 fprint_all_layer_types(stderr);
665 if (remaining_param == NULL || !table_matching) {
666 /* Exit if the layer type was not found, or if no '=' separator was found
668 g_free(decoded_param);
672 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
673 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
676 remaining_param++; /* Move to the second '=' */
677 *remaining_param = '\0'; /* Remove the second '=' */
679 remaining_param++; /* Position after the layer type string */
681 /* This section extracts a selector value (selector_str) from decoded_param */
683 selector_str = remaining_param; /* Next part starts with the selector number */
685 remaining_param = strchr(selector_str, ',');
686 if (remaining_param == NULL) {
687 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
688 /* If the argument does not follow the template, carry on anyway to check
689 if the selector value is at least correct. If remaining_param is NULL,
690 we'll exit anyway further down */
693 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
696 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
698 switch (dissector_table_selector_type) {
704 /* The selector for this table is an unsigned number. Parse it as such.
705 There's no need to remove leading and trailing spaces from the
706 selector number string, because sscanf will do that for us. */
707 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
712 if (op != ':' && op != '-') {
713 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
714 g_free(decoded_param);
718 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
719 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
720 g_free(decoded_param);
724 else if (selector2 < selector) {
725 /* We could swap them for the user, but maybe it's better to call
726 * this out as an error in case it's not what was intended? */
727 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
728 g_free(decoded_param);
733 cmdarg_err("Invalid selector number \"%s\"", selector_str);
734 g_free(decoded_param);
743 /* The selector for this table is a string. */
747 /* There are currently no dissector tables with any types other
748 than the ones listed above. */
749 g_assert_not_reached();
752 if (remaining_param == NULL) {
753 /* Exit if no ',' separator was found (see above) */
754 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
755 fprint_all_protocols_for_layer_types(stderr, table_name);
756 g_free(decoded_param);
760 remaining_param++; /* Position after the selector number string */
762 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
764 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
766 /* Remove leading and trailing spaces from the dissector name */
767 while ( dissector_str[0] == ' ' )
769 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
770 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
772 dissector_matching = NULL;
774 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
775 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
776 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
779 user_protocol_name.nb_match = 0;
780 user_protocol_name.searched_name = dissector_str;
781 user_protocol_name.matched_handle = NULL;
783 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
785 if (user_protocol_name.nb_match != 0) {
786 dissector_matching = user_protocol_name.matched_handle;
787 if (user_protocol_name.nb_match > 1) {
788 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
792 /* OK, check whether the problem is that there isn't any such
793 protocol, or that there is but it's not specified as a protocol
794 that's valid for that dissector table.
795 Note, we don't exit here, but dissector_matching will remain NULL,
797 if (proto_get_id_by_filter_name(dissector_str) == -1) {
798 /* No such protocol */
799 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
801 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
802 dissector_str, table_name);
807 if (!dissector_matching) {
808 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
809 fprint_all_protocols_for_layer_types(stderr, table_name);
810 g_free(decoded_param);
814 /* This is the end of the code that parses the command-line options.
815 All information is now stored in the variables:
819 The above variables that are strings are still pointing to areas within
820 decoded_parm. decoded_parm thus still needs to be kept allocated in
821 until we stop needing these variables
822 decoded_param will be deallocated at each exit point of this function */
825 /* We now have a pointer to the handle for the requested dissector
826 (requested protocol) inside the variable dissector_matching */
827 switch (dissector_table_selector_type) {
833 /* The selector for this table is an unsigned number. */
835 dissector_change_uint(table_name, selector, dissector_matching);
836 } else if (op == ':') {
837 for (i = selector; i < (guint64)selector + selector2; i++) {
838 dissector_change_uint(table_name, (guint32)i, dissector_matching);
840 } else { /* op == '-' */
841 for (i = selector; i <= selector2; i++) {
842 dissector_change_uint(table_name, (guint32)i, dissector_matching);
851 /* The selector for this table is a string. */
852 dissector_change_string(table_name, selector_str, dissector_matching);
856 /* There are currently no dissector tables with any types other
857 than the ones listed above. */
858 g_assert_not_reached();
860 g_free(decoded_param); /* "Decode As" rule has been successfully added */
865 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
866 const gchar *message, gpointer user_data)
868 /* ignore log message, if log_level isn't interesting based
869 upon the console log preferences.
870 If the preferences haven't been loaded loaded yet, display the
873 The default console_log_level preference value is such that only
874 ERROR, CRITICAL and WARNING level messages are processed;
875 MESSAGE, INFO and DEBUG level messages are ignored.
877 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
878 ERROR and CRITICAL level messages so the current code is a behavioral
879 change. The current behavior is the same as in Wireshark.
881 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
882 prefs.console_log_level != 0) {
886 g_log_default_handler(log_domain, log_level, message, user_data);
891 output_file_description(const char *fname)
893 char *save_file_string;
895 /* Get a string that describes what we're writing to */
896 if (strcmp(fname, "-") == 0) {
897 /* We're writing to the standard output */
898 save_file_string = g_strdup("standard output");
900 /* We're writing to a file with the name in save_file */
901 save_file_string = g_strdup_printf("file \"%s\"", fname);
903 return save_file_string;
907 print_current_user(void) {
908 gchar *cur_user, *cur_group;
910 if (started_with_special_privs()) {
911 cur_user = get_cur_username();
912 cur_group = get_cur_groupname();
913 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
914 cur_user, cur_group);
917 if (running_with_special_privs()) {
918 fprintf(stderr, " This could be dangerous.");
920 fprintf(stderr, "\n");
925 get_tshark_compiled_version_info(GString *str)
927 /* Capture libraries */
928 get_compiled_caplibs_version(str);
932 get_tshark_runtime_version_info(GString *str)
935 /* Capture libraries */
936 g_string_append(str, ", ");
937 get_runtime_caplibs_version(str);
940 /* stuff used by libwireshark */
941 epan_get_runtime_version_info(str);
945 main(int argc, char *argv[])
947 GString *comp_info_str;
948 GString *runtime_info_str;
949 char *init_progfile_dir_error;
951 static const struct option long_options[] = {
952 {"help", no_argument, NULL, 'h'},
953 {"version", no_argument, NULL, 'v'},
954 LONGOPT_CAPTURE_COMMON
957 gboolean arg_error = FALSE;
963 char *gpf_path, *pf_path;
964 char *gdp_path, *dp_path;
966 int gpf_open_errno, gpf_read_errno;
967 int pf_open_errno, pf_read_errno;
968 int gdp_open_errno, gdp_read_errno;
969 int dp_open_errno, dp_read_errno;
972 volatile int exit_status = 0;
974 gboolean list_link_layer_types = FALSE;
975 gboolean start_capture = FALSE;
980 gboolean capture_option_specified = FALSE;
982 gboolean quiet = FALSE;
983 #ifdef PCAP_NG_DEFAULT
984 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
986 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
988 volatile gboolean out_file_name_res = FALSE;
989 volatile int in_file_type = WTAP_TYPE_AUTO;
990 gchar *volatile cf_name = NULL;
991 gchar *rfilter = NULL;
992 gchar *dfilter = NULL;
993 #ifdef HAVE_PCAP_OPEN_DEAD
994 struct bpf_program fcode;
996 dfilter_t *rfcode = NULL;
997 dfilter_t *dfcode = NULL;
1002 gchar *output_only = NULL;
1003 GSList *disable_protocol_slist = NULL;
1004 GSList *enable_heur_slist = NULL;
1005 GSList *disable_heur_slist = NULL;
1006 gchar *volatile pdu_export_arg = NULL;
1007 exp_pdu_t exp_pdu_tap_data;
1010 * The leading + ensures that getopt_long() does not permute the argv[]
1013 * We have to make sure that the first getopt_long() preserves the content
1014 * of argv[] for the subsequent getopt_long() call.
1016 * We use getopt_long() in both cases to ensure that we're using a routine
1017 * whose permutation behavior we can control in the same fashion on all
1018 * platforms, and so that, if we ever need to process a long argument before
1019 * doing further initialization, we can do so.
1021 * Glibc and Solaris libc document that a leading + disables permutation
1022 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1023 * and OS X don't document it, but do so anyway.
1025 * We do *not* use a leading - because the behavior of a leading - is
1026 * platform-dependent.
1028 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:j:" "K:lnN:o:O:PqQr:R:S:t:T:u:U:vVw:W:xX:Y:z:"
1030 static const char optstring[] = OPTSTRING;
1032 tshark_debug("tshark started with %d args", argc);
1034 /* Set the C-language locale to the native environment. */
1035 setlocale(LC_ALL, "");
1037 cmdarg_err_init(failure_message, failure_message_cont);
1040 arg_list_utf_16to8(argc, argv);
1041 create_app_running_mutex();
1042 #if !GLIB_CHECK_VERSION(2,31,0)
1043 g_thread_init(NULL);
1048 * Get credential information for later use, and drop privileges
1049 * before doing anything else.
1050 * Let the user know if anything happened.
1052 init_process_policies();
1053 relinquish_special_privs_perm();
1054 print_current_user();
1057 * Attempt to get the pathname of the executable file.
1059 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1060 if (init_progfile_dir_error != NULL) {
1061 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1062 init_progfile_dir_error);
1065 initialize_funnel_ops();
1068 /* Load wpcap if possible. Do this before collecting the run-time version information */
1071 /* Warn the user if npf.sys isn't loaded. */
1072 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1073 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1074 "capturing or\nlisting interfaces.\n");
1078 /* Get the compile-time version information string */
1079 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1080 epan_get_compiled_version_info);
1082 /* Get the run-time version information string */
1083 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1085 /* Add it to the information to be reported on a crash. */
1086 ws_add_crash_info("TShark (Wireshark) %s\n"
1091 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1092 g_string_free(comp_info_str, TRUE);
1093 g_string_free(runtime_info_str, TRUE);
1095 /* Fail sometimes. Useful for testing fuzz scripts. */
1096 /* if (g_random_int_range(0, 100) < 5) abort(); */
1099 * In order to have the -X opts assigned before the wslua machine starts
1100 * we need to call getopt_long before epan_init() gets called.
1102 * In order to handle, for example, -o options, we also need to call it
1103 * *after* epan_init() gets called, so that the dissectors have had a
1104 * chance to register their preferences.
1106 * XXX - can we do this all with one getopt_long() call, saving the
1107 * arguments we can't handle until after initializing libwireshark,
1108 * and then process them after initializing libwireshark?
1112 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1114 case 'C': /* Configuration Profile */
1115 if (profile_exists (optarg, FALSE)) {
1116 set_profile_name (optarg);
1118 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1122 case 'P': /* Print packet summary info even when writing to a file */
1123 print_packet_info = TRUE;
1124 print_summary = TRUE;
1126 case 'O': /* Only output these protocols */
1127 output_only = g_strdup(optarg);
1129 case 'V': /* Verbose */
1130 print_details = TRUE;
1131 print_packet_info = TRUE;
1133 case 'x': /* Print packet data in hex (and ASCII) */
1135 /* The user asked for hex output, so let's ensure they get it,
1136 * even if they're writing to a file.
1138 print_packet_info = TRUE;
1149 * Print packet summary information is the default, unless either -V or -x
1150 * were specified and -P was not. Note that this is new behavior, which
1151 * allows for the possibility of printing only hex/ascii output without
1152 * necessarily requiring that either the summary or details be printed too.
1154 if (print_summary == -1)
1155 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1157 /** Send All g_log messages to our own handler **/
1161 G_LOG_LEVEL_CRITICAL|
1162 G_LOG_LEVEL_WARNING|
1163 G_LOG_LEVEL_MESSAGE|
1166 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1168 g_log_set_handler(NULL,
1169 (GLogLevelFlags)log_flags,
1170 tshark_log_handler, NULL /* user_data */);
1171 g_log_set_handler(LOG_DOMAIN_MAIN,
1172 (GLogLevelFlags)log_flags,
1173 tshark_log_handler, NULL /* user_data */);
1176 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1177 (GLogLevelFlags)log_flags,
1178 tshark_log_handler, NULL /* user_data */);
1179 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1180 (GLogLevelFlags)log_flags,
1181 tshark_log_handler, NULL /* user_data */);
1184 init_report_err(failure_message, open_failure_message, read_failure_message,
1185 write_failure_message);
1188 capture_opts_init(&global_capture_opts);
1189 capture_session_init(&global_capture_session, &cfile);
1192 timestamp_set_type(TS_RELATIVE);
1193 timestamp_set_precision(TS_PREC_AUTO);
1194 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1196 init_open_routines();
1199 /* Register all the plugin types we have. */
1200 epan_register_plugin_types(); /* Types known to libwireshark */
1201 wtap_register_plugin_types(); /* Types known to libwiretap */
1203 /* Scan for plugins. This does *not* call their registration routines;
1204 that's done later. */
1207 /* Register all libwiretap plugin modules. */
1208 register_all_wiretap_modules();
1211 /* Register all dissectors; we must do this before checking for the
1212 "-G" flag, as the "-G" flag dumps information registered by the
1213 dissectors, and we must do it before we read the preferences, in
1214 case any dissectors register preferences. */
1215 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
1219 /* Register all tap listeners; we do this before we parse the arguments,
1220 as the "-z" argument can specify a registered tap. */
1222 /* we register the plugin taps before the other taps because
1223 stats_tree taps plugins will be registered as tap listeners
1224 by stats_tree_stat.c and need to registered before that */
1226 register_all_plugin_tap_listeners();
1228 register_all_tap_listeners();
1229 conversation_table_set_gui_info(init_iousers);
1230 hostlist_table_set_gui_info(init_hostlists);
1231 srt_table_iterate_tables(register_srt_tables, NULL);
1232 rtd_table_iterate_tables(register_rtd_tables, NULL);
1233 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1235 /* If invoked with the "-G" flag, we dump out information based on
1236 the argument to the "-G" flag; if no argument is specified,
1237 for backwards compatibility we dump out a glossary of display
1240 XXX - we do this here, for now, to support "-G" with no arguments.
1241 If none of our build or other processes uses "-G" with no arguments,
1242 we can just process it with the other arguments. */
1243 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1244 proto_initialize_all_prefixes();
1247 proto_registrar_dump_fields();
1249 if (strcmp(argv[2], "column-formats") == 0)
1250 column_dump_column_formats();
1251 else if (strcmp(argv[2], "currentprefs") == 0) {
1252 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1253 &pf_open_errno, &pf_read_errno, &pf_path);
1256 else if (strcmp(argv[2], "decodes") == 0)
1257 dissector_dump_decodes();
1258 else if (strcmp(argv[2], "defaultprefs") == 0)
1260 else if (strcmp(argv[2], "dissector-tables") == 0)
1261 dissector_dump_dissector_tables();
1262 else if (strcmp(argv[2], "fieldcount") == 0) {
1263 /* return value for the test suite */
1264 return proto_registrar_dump_fieldcount();
1265 } else if (strcmp(argv[2], "fields") == 0)
1266 proto_registrar_dump_fields();
1267 else if (strcmp(argv[2], "ftypes") == 0)
1268 proto_registrar_dump_ftypes();
1269 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1270 dissector_dump_heur_decodes();
1271 else if (strcmp(argv[2], "plugins") == 0) {
1276 wslua_plugins_dump_all();
1279 else if (strcmp(argv[2], "protocols") == 0)
1280 proto_registrar_dump_protocols();
1281 else if (strcmp(argv[2], "values") == 0)
1282 proto_registrar_dump_values();
1283 else if (strcmp(argv[2], "?") == 0)
1284 glossary_option_help();
1285 else if (strcmp(argv[2], "-?") == 0)
1286 glossary_option_help();
1288 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1295 /* load the decode as entries of this profile */
1296 load_decode_as_entries();
1298 tshark_debug("tshark reading preferences");
1300 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1301 &pf_open_errno, &pf_read_errno, &pf_path);
1302 if (gpf_path != NULL) {
1303 if (gpf_open_errno != 0) {
1304 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1305 pf_path, g_strerror(gpf_open_errno));
1307 if (gpf_read_errno != 0) {
1308 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1309 pf_path, g_strerror(gpf_read_errno));
1312 if (pf_path != NULL) {
1313 if (pf_open_errno != 0) {
1314 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1315 g_strerror(pf_open_errno));
1317 if (pf_read_errno != 0) {
1318 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1319 pf_path, g_strerror(pf_read_errno));
1325 read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno);
1326 if (cf_path != NULL) {
1327 cmdarg_err("Could not open your capture filter file\n\"%s\": %s.",
1328 cf_path, g_strerror(cf_open_errno));
1332 /* Read the disabled protocols file. */
1333 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1334 &dp_path, &dp_open_errno, &dp_read_errno);
1335 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1336 &dp_path, &dp_open_errno, &dp_read_errno);
1337 if (gdp_path != NULL) {
1338 if (gdp_open_errno != 0) {
1339 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1340 gdp_path, g_strerror(gdp_open_errno));
1342 if (gdp_read_errno != 0) {
1343 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1344 gdp_path, g_strerror(gdp_read_errno));
1348 if (dp_path != NULL) {
1349 if (dp_open_errno != 0) {
1351 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1352 g_strerror(dp_open_errno));
1354 if (dp_read_errno != 0) {
1356 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1357 g_strerror(dp_read_errno));
1362 cap_file_init(&cfile);
1364 /* Print format defaults to this. */
1365 print_format = PR_FMT_TEXT;
1367 output_fields = output_fields_new();
1370 * To reset the options parser, set optreset to 1 on platforms that
1371 * have optreset (documented in *BSD and OS X, apparently present but
1372 * not documented in Solaris - the Illumos repository seems to
1373 * suggest that the first Solaris getopt_long(), at least as of 2004,
1374 * was based on the NetBSD one, it had optreset) and set optind to 1,
1375 * and set optind to 0 otherwise (documented as working in the GNU
1376 * getopt_long(). Setting optind to 0 didn't originally work in the
1377 * NetBSD one, but that was added later - we don't want to depend on
1378 * it if we have optreset).
1380 * Also reset opterr to 1, so that error messages are printed by
1383 #ifdef HAVE_OPTRESET
1391 /* Now get our args */
1392 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1394 case '2': /* Perform two pass analysis */
1395 perform_two_pass_analysis = TRUE;
1397 case 'a': /* autostop criteria */
1398 case 'b': /* Ringbuffer option */
1399 case 'c': /* Capture x packets */
1400 case 'f': /* capture filter */
1401 case 'g': /* enable group read access on file(s) */
1402 case 'i': /* Use interface x */
1403 case 'p': /* Don't capture in promiscuous mode */
1404 #ifdef HAVE_PCAP_REMOTE
1405 case 'A': /* Authentication */
1407 #ifdef HAVE_PCAP_CREATE
1408 case 'I': /* Capture in monitor mode, if available */
1410 case 's': /* Set the snapshot (capture) length */
1411 case 'w': /* Write to capture file x */
1412 case 'y': /* Set the pcap data link type */
1413 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1414 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1415 case 'B': /* Buffer size */
1418 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1425 * Output file name, if we're reading a file and writing to another
1428 output_file_name = optarg;
1430 capture_option_specified = TRUE;
1436 /* already processed; just ignore it now */
1438 case 'd': /* Decode as rule */
1439 if (!add_decode_as(optarg))
1442 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1443 case 'K': /* Kerberos keytab file */
1444 read_keytab_file(optarg);
1447 case 'D': /* Print a list of capture devices and exit */
1449 if_list = capture_interface_list(&err, &err_str,NULL);
1450 if (if_list == NULL) {
1452 cmdarg_err("There are no interfaces on which a capture can be done");
1454 cmdarg_err("%s", err_str);
1459 capture_opts_print_interfaces(if_list);
1460 free_interface_list(if_list);
1463 capture_option_specified = TRUE;
1469 output_fields_add(output_fields, optarg);
1473 if (!output_fields_set_option(output_fields, optarg)) {
1474 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1475 output_fields_list_options(stderr);
1480 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1481 if (out_file_type < 0) {
1482 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1483 list_capture_types();
1488 jsonfilter = optarg;
1490 case 'W': /* Select extra information to save in our capture file */
1491 /* This is patterned after the -N flag which may not be the best idea. */
1492 if (strchr(optarg, 'n')) {
1493 out_file_name_res = TRUE;
1495 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1496 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1500 case 'H': /* Read address to name mappings from a hosts file */
1501 if (! add_hosts_file(optarg))
1503 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1506 out_file_name_res = TRUE;
1509 case 'h': /* Print help and exit */
1510 printf("TShark (Wireshark) %s\n"
1511 "Dump and analyze network traffic.\n"
1512 "See https://www.wireshark.org for more information.\n",
1513 get_ws_vcs_version_info());
1514 print_usage(stdout);
1517 case 'l': /* "Line-buffer" standard output */
1518 /* This isn't line-buffering, strictly speaking, it's just
1519 flushing the standard output after the information for
1520 each packet is printed; however, that should be good
1521 enough for all the purposes to which "-l" is put (and
1522 is probably actually better for "-V", as it does fewer
1525 See the comment in "process_packet()" for an explanation of
1526 why we do that, and why we don't just use "setvbuf()" to
1527 make the standard output line-buffered (short version: in
1528 Windows, "line-buffered" is the same as "fully-buffered",
1529 and the output buffer is only flushed when it fills up). */
1530 line_buffered = TRUE;
1532 case 'L': /* Print list of link-layer types and exit */
1534 list_link_layer_types = TRUE;
1536 capture_option_specified = TRUE;
1540 case 'n': /* No name resolution */
1541 disable_name_resolution();
1543 case 'N': /* Select what types of addresses/port #s to resolve */
1544 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1545 if (badopt != '\0') {
1546 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1548 cmdarg_err_cont("\t'd' to enable address resolution from captured DNS packets\n"
1549 "\t'm' to enable MAC address resolution\n"
1550 "\t'n' to enable network address resolution\n"
1551 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1552 "\t for network address resolution\n"
1553 "\t't' to enable transport-layer port number resolution");
1557 case 'o': /* Override preference from command line */
1558 switch (prefs_set_pref(optarg)) {
1563 case PREFS_SET_SYNTAX_ERR:
1564 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1568 case PREFS_SET_NO_SUCH_PREF:
1569 case PREFS_SET_OBSOLETE:
1570 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1575 case 'q': /* Quiet */
1578 case 'Q': /* Really quiet */
1580 really_quiet = TRUE;
1582 case 'r': /* Read capture file x */
1583 cf_name = g_strdup(optarg);
1585 case 'R': /* Read file filter */
1589 /* already processed; just ignore it now */
1591 case 'S': /* Set the line Separator to be printed between packets */
1594 case 't': /* Time stamp type */
1595 if (strcmp(optarg, "r") == 0)
1596 timestamp_set_type(TS_RELATIVE);
1597 else if (strcmp(optarg, "a") == 0)
1598 timestamp_set_type(TS_ABSOLUTE);
1599 else if (strcmp(optarg, "ad") == 0)
1600 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1601 else if (strcmp(optarg, "adoy") == 0)
1602 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1603 else if (strcmp(optarg, "d") == 0)
1604 timestamp_set_type(TS_DELTA);
1605 else if (strcmp(optarg, "dd") == 0)
1606 timestamp_set_type(TS_DELTA_DIS);
1607 else if (strcmp(optarg, "e") == 0)
1608 timestamp_set_type(TS_EPOCH);
1609 else if (strcmp(optarg, "u") == 0)
1610 timestamp_set_type(TS_UTC);
1611 else if (strcmp(optarg, "ud") == 0)
1612 timestamp_set_type(TS_UTC_WITH_YMD);
1613 else if (strcmp(optarg, "udoy") == 0)
1614 timestamp_set_type(TS_UTC_WITH_YDOY);
1616 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1617 cmdarg_err_cont("\t\"a\" for absolute\n"
1618 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1619 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1620 "\t\"d\" for delta\n"
1621 "\t\"dd\" for delta displayed\n"
1622 "\t\"e\" for epoch\n"
1623 "\t\"r\" for relative\n"
1624 "\t\"u\" for absolute UTC\n"
1625 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1626 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1630 case 'T': /* printing Type */
1631 print_packet_info = TRUE;
1632 if (strcmp(optarg, "text") == 0) {
1633 output_action = WRITE_TEXT;
1634 print_format = PR_FMT_TEXT;
1635 } else if (strcmp(optarg, "ps") == 0) {
1636 output_action = WRITE_TEXT;
1637 print_format = PR_FMT_PS;
1638 } else if (strcmp(optarg, "pdml") == 0) {
1639 output_action = WRITE_XML;
1640 print_details = TRUE; /* Need details */
1641 print_summary = FALSE; /* Don't allow summary */
1642 } else if (strcmp(optarg, "psml") == 0) {
1643 output_action = WRITE_XML;
1644 print_details = FALSE; /* Don't allow details */
1645 print_summary = TRUE; /* Need summary */
1646 } else if (strcmp(optarg, "fields") == 0) {
1647 output_action = WRITE_FIELDS;
1648 print_details = TRUE; /* Need full tree info */
1649 print_summary = FALSE; /* Don't allow summary */
1650 } else if (strcmp(optarg, "json") == 0) {
1651 output_action = WRITE_JSON;
1652 print_details = TRUE; /* Need details */
1653 print_summary = FALSE; /* Don't allow summary */
1654 } else if (strcmp(optarg, "ek") == 0) {
1655 output_action = WRITE_EK;
1656 print_details = TRUE; /* Need details */
1657 print_summary = FALSE; /* Don't allow summary */
1660 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1661 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1662 "\t specified by the -E option.\n"
1663 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1664 "\t details of a decoded packet. This information is equivalent to\n"
1665 "\t the packet details printed with the -V flag.\n"
1666 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1667 "\t the packets, or a multi-line view of the details of each of\n"
1668 "\t the packets, depending on whether the -V flag was specified.\n"
1669 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1670 "\t summary information of a decoded packet. This information is\n"
1671 "\t equivalent to the information shown in the one-line summary\n"
1672 "\t printed by default.\n"
1673 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1674 "\t summary information of a decoded packet. This information is \n"
1675 "\t equivalent to the packet details printed with the -V flag.\n"
1676 "\t\"ek\" Packet Summary, an EK JSON-based format for the bulk insert \n"
1677 "\t into elastic search cluster. This information is \n"
1678 "\t equivalent to the packet details printed with the -V flag.\n"
1679 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1680 "\t packets, or a multi-line view of the details of each of the\n"
1681 "\t packets, depending on whether the -V flag was specified.\n"
1682 "\t This is the default.");
1686 case 'u': /* Seconds type */
1687 if (strcmp(optarg, "s") == 0)
1688 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1689 else if (strcmp(optarg, "hms") == 0)
1690 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1692 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1693 cmdarg_err_cont("\t\"s\" for seconds\n"
1694 "\t\"hms\" for hours, minutes and seconds");
1698 case 'U': /* Export PDUs to file */
1700 GSList *export_pdu_tap_name_list = NULL;
1703 cmdarg_err("Tap name is required! Valid names are:");
1704 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1705 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1709 pdu_export_arg = g_strdup(optarg);
1712 case 'v': /* Show version and exit */
1713 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1714 epan_get_compiled_version_info);
1715 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1716 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1717 g_string_free(comp_info_str, TRUE);
1718 g_string_free(runtime_info_str, TRUE);
1719 /* We don't really have to cleanup here, but it's a convenient way to test
1720 * start-up and shut-down of the epan library without any UI-specific
1721 * cruft getting in the way. Makes the results of running
1722 * $ ./tools/valgrind-wireshark -n
1723 * much more useful. */
1726 case 'O': /* Only output these protocols */
1727 /* already processed; just ignore it now */
1729 case 'V': /* Verbose */
1730 /* already processed; just ignore it now */
1732 case 'x': /* Print packet data in hex (and ASCII) */
1733 /* already processed; just ignore it now */
1736 /* already processed; just ignore it now */
1742 /* We won't call the init function for the stat this soon
1743 as it would disallow MATE's fields (which are registered
1744 by the preferences set callback) from being used as
1745 part of a tap filter. Instead, we just add the argument
1746 to a list of stat arguments. */
1747 if (strcmp("help", optarg) == 0) {
1748 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1749 list_stat_cmd_args();
1752 if (!process_stat_cmd_arg(optarg)) {
1753 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1754 list_stat_cmd_args();
1758 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1759 disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg);
1761 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1762 enable_heur_slist = g_slist_append(enable_heur_slist, optarg);
1764 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1765 disable_heur_slist = g_slist_append(disable_heur_slist, optarg);
1769 case '?': /* Bad flag - print usage message */
1772 list_capture_types();
1775 print_usage(stderr);
1782 /* If we specified output fields, but not the output field type... */
1783 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1784 cmdarg_err("Output fields were specified with \"-e\", "
1785 "but \"-Tfields\" was not specified.");
1787 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1788 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1789 "specified with \"-e\".");
1794 /* If no capture filter or display filter has been specified, and there are
1795 still command-line arguments, treat them as the tokens of a capture
1796 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1797 flag was specified. */
1798 if (optind < argc) {
1799 if (cf_name != NULL) {
1800 if (dfilter != NULL) {
1801 cmdarg_err("Display filters were specified both with \"-d\" "
1802 "and with additional command-line arguments.");
1805 dfilter = get_args_as_string(argc, argv, optind);
1810 if (global_capture_opts.default_options.cfilter) {
1811 cmdarg_err("A default capture filter was specified both with \"-f\""
1812 " and with additional command-line arguments.");
1815 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1816 interface_options interface_opts;
1817 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1818 if (interface_opts.cfilter == NULL) {
1819 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1820 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1821 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1823 cmdarg_err("A capture filter was specified both with \"-f\""
1824 " and with additional command-line arguments.");
1828 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1830 capture_option_specified = TRUE;
1836 if (!global_capture_opts.saving_to_file) {
1837 /* We're not saving the capture to a file; if "-q" wasn't specified,
1838 we should print packet information */
1840 print_packet_info = TRUE;
1842 /* We're saving to a file; if we're writing to the standard output.
1843 and we'll also be writing dissected packets to the standard
1844 output, reject the request. At best, we could redirect that
1845 to the standard error; we *can't* write both to the standard
1846 output and have either of them be useful. */
1847 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1848 cmdarg_err("You can't write both raw packet data and dissected packets"
1849 " to the standard output.");
1854 /* We're not saving the capture to a file; if "-q" wasn't specified,
1855 we should print packet information */
1857 print_packet_info = TRUE;
1860 #ifndef HAVE_LIBPCAP
1861 if (capture_option_specified)
1862 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1865 print_usage(stderr);
1870 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_EK) {
1871 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON or EK JSON");
1876 if (output_only != NULL) {
1879 if (!print_details) {
1880 cmdarg_err("-O requires -V");
1884 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1885 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1886 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1890 if (rfilter != NULL && !perform_two_pass_analysis) {
1891 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1896 if (list_link_layer_types) {
1897 /* We're supposed to list the link-layer types for an interface;
1898 did the user also specify a capture file to be read? */
1900 /* Yes - that's bogus. */
1901 cmdarg_err("You can't specify -L and a capture file to be read.");
1904 /* No - did they specify a ring buffer option? */
1905 if (global_capture_opts.multi_files_on) {
1906 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1912 * "-r" was specified, so we're reading a capture file.
1913 * Capture options don't apply here.
1916 /* We don't support capture filters when reading from a capture file
1917 (the BPF compiler doesn't support all link-layer types that we
1918 support in capture files we read). */
1919 if (global_capture_opts.default_options.cfilter) {
1920 cmdarg_err("Only read filters, not capture filters, "
1921 "can be specified when reading a capture file.");
1924 if (global_capture_opts.multi_files_on) {
1925 cmdarg_err("Multiple capture files requested, but "
1926 "a capture isn't being done.");
1929 if (global_capture_opts.has_file_duration) {
1930 cmdarg_err("Switching capture files after a time interval was specified, but "
1931 "a capture isn't being done.");
1934 if (global_capture_opts.has_ring_num_files) {
1935 cmdarg_err("A ring buffer of capture files was specified, but "
1936 "a capture isn't being done.");
1939 if (global_capture_opts.has_autostop_files) {
1940 cmdarg_err("A maximum number of capture files was specified, but "
1941 "a capture isn't being done.");
1944 if (global_capture_opts.capture_comment) {
1945 cmdarg_err("A capture comment was specified, but "
1946 "a capture isn't being done.\nThere's no support for adding "
1947 "a capture comment to an existing capture file.");
1951 /* Note: TShark now allows the restriction of a _read_ file by packet count
1952 * and byte count as well as a write file. Other autostop options remain valid
1953 * only for a write file.
1955 if (global_capture_opts.has_autostop_duration) {
1956 cmdarg_err("A maximum capture time was specified, but "
1957 "a capture isn't being done.");
1962 * "-r" wasn't specified, so we're doing a live capture.
1964 if (perform_two_pass_analysis) {
1965 /* Two-pass analysis doesn't work with live capture since it requires us
1966 * to buffer packets until we've read all of them, but a live capture
1967 * has no useful/meaningful definition of "all" */
1968 cmdarg_err("Live captures do not support two-pass analysis.");
1972 if (global_capture_opts.saving_to_file) {
1973 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1975 /* When capturing, we only support writing pcap or pcap-ng format. */
1976 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1977 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1978 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1981 if (global_capture_opts.capture_comment &&
1982 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1983 cmdarg_err("A capture comment can only be written to a pcapng file.");
1986 if (global_capture_opts.multi_files_on) {
1987 /* Multiple-file mode doesn't work under certain conditions:
1988 a) it doesn't work if you're writing to the standard output;
1989 b) it doesn't work if you're writing to a pipe;
1991 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1992 cmdarg_err("Multiple capture files requested, but "
1993 "the capture is being written to the standard output.");
1996 if (global_capture_opts.output_to_pipe) {
1997 cmdarg_err("Multiple capture files requested, but "
1998 "the capture file is a pipe.");
2001 if (!global_capture_opts.has_autostop_filesize &&
2002 !global_capture_opts.has_file_duration) {
2003 cmdarg_err("Multiple capture files requested, but "
2004 "no maximum capture file size or duration was specified.");
2008 /* Currently, we don't support read or display filters when capturing
2009 and saving the packets. */
2010 if (rfilter != NULL) {
2011 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
2014 if (dfilter != NULL) {
2015 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
2018 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
2020 /* They didn't specify a "-w" flag, so we won't be saving to a
2021 capture file. Check for options that only make sense if
2022 we're saving to a file. */
2023 if (global_capture_opts.has_autostop_filesize) {
2024 cmdarg_err("Maximum capture file size specified, but "
2025 "capture isn't being saved to a file.");
2028 if (global_capture_opts.multi_files_on) {
2029 cmdarg_err("Multiple capture files requested, but "
2030 "the capture isn't being saved to a file.");
2033 if (global_capture_opts.capture_comment) {
2034 cmdarg_err("A capture comment was specified, but "
2035 "the capture isn't being saved to a file.");
2044 /* Start windows sockets */
2045 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2048 /* Notify all registered modules that have had any of their preferences
2049 changed either from one of the preferences file or from the command
2050 line that their preferences have changed. */
2053 /* At this point MATE will have registered its field array so we can
2054 have a tap filter with one of MATE's late-registered fields as part
2055 of the filter. We can now process all the "-z" arguments. */
2056 start_requested_stats();
2058 /* At this point MATE will have registered its field array so we can
2059 check if the fields specified by the user are all good.
2063 GSList *invalid_fields = output_fields_valid(output_fields);
2064 if (invalid_fields != NULL) {
2066 cmdarg_err("Some fields aren't valid:");
2067 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2068 cmdarg_err_cont("\t%s", (gchar *)it->data);
2070 g_slist_free(invalid_fields);
2075 /* We currently don't support taps, or printing dissected packets,
2076 if we're writing to a pipe. */
2077 if (global_capture_opts.saving_to_file &&
2078 global_capture_opts.output_to_pipe) {
2079 if (tap_listeners_require_dissection()) {
2080 cmdarg_err("Taps aren't supported when saving to a pipe.");
2083 if (print_packet_info) {
2084 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2090 if (ex_opt_count("read_format") > 0) {
2091 const gchar* name = ex_opt_get_next("read_format");
2092 in_file_type = open_info_name_to_type(name);
2093 if (in_file_type == WTAP_TYPE_AUTO) {
2094 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2095 list_read_capture_types();
2100 /* disabled protocols as per configuration file */
2101 if (gdp_path == NULL && dp_path == NULL) {
2102 set_disabled_protos_list();
2103 set_disabled_heur_dissector_list();
2106 if(disable_protocol_slist) {
2107 GSList *proto_disable;
2108 for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
2110 proto_disable_proto_by_name((char*)proto_disable->data);
2114 if(enable_heur_slist) {
2115 GSList *heur_enable;
2116 for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
2118 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
2122 if(disable_heur_slist) {
2123 GSList *heur_disable;
2124 for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
2126 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
2130 /* Build the column format array */
2131 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2134 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2135 capture_opts_trim_ring_num_files(&global_capture_opts);
2138 if (rfilter != NULL) {
2139 tshark_debug("Compiling read filter: '%s'", rfilter);
2140 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2141 cmdarg_err("%s", err_msg);
2144 #ifdef HAVE_PCAP_OPEN_DEAD
2148 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2150 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2152 " Note: That read filter code looks like a valid capture filter;\n"
2153 " maybe you mixed them up?");
2162 cfile.rfcode = rfcode;
2164 if (dfilter != NULL) {
2165 tshark_debug("Compiling display filter: '%s'", dfilter);
2166 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2167 cmdarg_err("%s", err_msg);
2170 #ifdef HAVE_PCAP_OPEN_DEAD
2174 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2176 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2178 " Note: That display filter code looks like a valid capture filter;\n"
2179 " maybe you mixed them up?");
2188 cfile.dfcode = dfcode;
2190 if (print_packet_info) {
2191 /* If we're printing as text or PostScript, we have
2192 to create a print stream. */
2193 if (output_action == WRITE_TEXT) {
2194 switch (print_format) {
2197 print_stream = print_stream_text_stdio_new(stdout);
2201 print_stream = print_stream_ps_stdio_new(stdout);
2205 g_assert_not_reached();
2210 /* PDU export requested. Take the ownership of the '-w' file, apply tap
2211 * filters and start tapping. */
2212 if (pdu_export_arg) {
2213 const char *exp_pdu_filename;
2214 const char *exp_pdu_tap_name = pdu_export_arg;
2215 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
2216 char *exp_pdu_error;
2220 cmdarg_err("PDUs export requires a capture file (specify with -r).");
2223 /* Take ownership of the '-w' output file. */
2225 exp_pdu_filename = global_capture_opts.save_file;
2226 global_capture_opts.save_file = NULL;
2228 exp_pdu_filename = output_file_name;
2229 output_file_name = NULL;
2231 if (exp_pdu_filename == NULL) {
2232 cmdarg_err("PDUs export requires an output file (-w).");
2236 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
2238 if (exp_pdu_error) {
2239 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
2240 g_free(exp_pdu_error);
2244 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2246 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2250 /* Activate the export PDU tap */
2251 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd,
2252 g_strdup_printf("Dump of PDUs from %s", cf_name));
2254 cmdarg_err("Failed to start the PDU export: %s", g_strerror(err));
2259 /* We have to dissect each packet if:
2261 we're printing information about each packet;
2263 we're using a read filter on the packets;
2265 we're using a display filter on the packets;
2267 we're exporting PDUs;
2269 we're using any taps that need dissection. */
2270 do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg ||
2271 tap_listeners_require_dissection();
2272 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2275 tshark_debug("tshark: Opening capture file: %s", cf_name);
2277 * We're reading a capture file.
2279 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2284 /* Process the packets in the file */
2285 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2288 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2289 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2290 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2292 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2295 CATCH(OutOfMemoryError) {
2299 "Sorry, but TShark has to terminate now.\n"
2301 "More information and workarounds can be found at\n"
2302 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2307 /* We still dump out the results of taps, etc., as we might have
2308 read some packets; however, we exit with an error status. */
2312 if (pdu_export_arg) {
2313 err = exp_pdu_close(&exp_pdu_tap_data);
2315 cmdarg_err("%s", wtap_strerror(err));
2318 g_free(pdu_export_arg);
2321 tshark_debug("tshark: no capture file specified");
2322 /* No capture file specified, so we're supposed to do a live capture
2323 or get a list of link-layer types for a live capture device;
2324 do we have support for live captures? */
2326 /* if no interface was specified, pick a default */
2327 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2328 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2329 if (exit_status != 0)
2332 /* if requested, list the link layer types and exit */
2333 if (list_link_layer_types) {
2336 /* Get the list of link-layer types for the capture devices. */
2337 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2338 interface_options interface_opts;
2339 if_capabilities_t *caps;
2340 char *auth_str = NULL;
2342 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2343 #ifdef HAVE_PCAP_REMOTE
2344 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2345 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2348 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2351 cmdarg_err("%s", err_str);
2355 if (caps->data_link_types == NULL) {
2356 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2359 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2360 free_if_capabilities(caps);
2366 * If the standard error isn't a terminal, don't print packet counts,
2367 * as they won't show up on the user's terminal and they'll get in
2368 * the way of error messages in the file (to which we assume the
2369 * standard error was redirected; if it's redirected to the null
2370 * device, there's no point in printing packet counts anyway).
2372 * Otherwise, if we're printing packet information and the standard
2373 * output is a terminal (which we assume means the standard output and
2374 * error are going to the same terminal), don't print packet counts,
2375 * as they'll get in the way of the packet information.
2377 * Otherwise, if the user specified -q, don't print packet counts.
2379 * Otherwise, print packet counts.
2381 * XXX - what if the user wants to do a live capture, doesn't want
2382 * to save it to a file, doesn't want information printed for each
2383 * packet, does want some "-z" statistic, and wants packet counts
2384 * so they know whether they're seeing any packets? -q will
2385 * suppress the information printed for each packet, but it'll
2386 * also suppress the packet counts.
2388 if (!ws_isatty(ws_fileno(stderr)))
2389 print_packet_counts = FALSE;
2390 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2391 print_packet_counts = FALSE;
2393 print_packet_counts = FALSE;
2395 print_packet_counts = TRUE;
2397 if (print_packet_info) {
2398 if (!write_preamble(&cfile)) {
2399 show_print_file_io_error(errno);
2404 tshark_debug("tshark: performing live capture");
2406 * XXX - this returns FALSE if an error occurred, but it also
2407 * returns FALSE if the capture stops because a time limit
2408 * was reached (and possibly other limits), so we can't assume
2409 * it means an error.
2411 * The capture code is a bit twisty, so it doesn't appear to
2412 * be an easy fix. We just ignore the return value for now.
2413 * Instead, pass on the exit status from the capture child.
2416 exit_status = global_capture_session.fork_child_status;
2418 if (print_packet_info) {
2419 if (!write_finale()) {
2421 show_print_file_io_error(err);
2425 /* No - complain. */
2426 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2433 if (cfile.frames != NULL) {
2434 free_frame_data_sequence(cfile.frames);
2435 cfile.frames = NULL;
2438 draw_tap_listeners(TRUE);
2439 funnel_dump_all_text_windows();
2440 epan_free(cfile.epan);
2443 output_fields_free(output_fields);
2444 output_fields = NULL;
2449 /*#define USE_BROKEN_G_MAIN_LOOP*/
2451 #ifdef USE_BROKEN_G_MAIN_LOOP
2454 gboolean loop_running = FALSE;
2456 guint32 packet_count = 0;
2459 typedef struct pipe_input_tag {
2462 ws_process_id *child_process;
2463 pipe_input_cb_t input_cb;
2464 guint pipe_input_id;
2466 GMutex *callback_running;
2470 static pipe_input_t pipe_input;
2473 /* The timer has expired, see if there's stuff to read from the pipe,
2474 if so, do the callback */
2476 pipe_timer_cb(gpointer data)
2482 pipe_input_t *pipe_input_p = data;
2483 gint iterations = 0;
2485 g_mutex_lock (pipe_input_p->callback_running);
2487 /* try to read data from the pipe only 5 times, to avoid blocking */
2488 while(iterations < 5) {
2489 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2491 /* Oddly enough although Named pipes don't work on win9x,
2492 PeekNamedPipe does !!! */
2493 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2494 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2496 /* Get the child process exit status */
2497 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2500 /* If the Peek returned an error, or there are bytes to be read
2501 or the childwatcher thread has terminated then call the normal
2503 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2505 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2507 /* And call the real handler */
2508 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2509 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2510 /* pipe closed, return false so that the timer is stopped */
2511 g_mutex_unlock (pipe_input_p->callback_running);
2516 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2517 /* No data, stop now */
2524 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2526 g_mutex_unlock (pipe_input_p->callback_running);
2528 /* we didn't stopped the timer, so let it run */
2535 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2538 pipe_input.source = source;
2539 pipe_input.child_process = child_process;
2540 pipe_input.user_data = user_data;
2541 pipe_input.input_cb = input_cb;
2544 #if GLIB_CHECK_VERSION(2,31,0)
2545 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2546 g_mutex_init(pipe_input.callback_running);
2548 pipe_input.callback_running = g_mutex_new();
2550 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2551 do this but that doesn't cover all win32 platforms. GTK can do
2552 this but doesn't seem to work over processes. Attempt to do
2553 something similar here, start a timer and check for data on every
2555 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2556 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2560 static const nstime_t *
2561 tshark_get_frame_ts(void *data, guint32 frame_num)
2563 capture_file *cf = (capture_file *) data;
2565 if (ref && ref->num == frame_num)
2566 return &ref->abs_ts;
2568 if (prev_dis && prev_dis->num == frame_num)
2569 return &prev_dis->abs_ts;
2571 if (prev_cap && prev_cap->num == frame_num)
2572 return &prev_cap->abs_ts;
2575 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2577 return (fd) ? &fd->abs_ts : NULL;
2584 tshark_epan_new(capture_file *cf)
2586 epan_t *epan = epan_new();
2589 epan->get_frame_ts = tshark_get_frame_ts;
2590 epan->get_interface_name = cap_file_get_interface_name;
2591 epan->get_user_comment = NULL;
2603 #ifdef USE_TSHARK_SELECT
2607 struct sigaction action, oldaction;
2610 /* Create new dissection section. */
2611 epan_free(cfile.epan);
2612 cfile.epan = tshark_epan_new(&cfile);
2615 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2616 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2618 /* Catch SIGINT and SIGTERM and, if we get either of them,
2619 clean up and exit. If SIGHUP isn't being ignored, catch
2620 it too and, if we get it, clean up and exit.
2622 We restart any read that was in progress, so that it doesn't
2623 disrupt reading from the sync pipe. The signal handler tells
2624 the capture child to finish; it will report that it finished,
2625 or will exit abnormally, so we'll stop reading from the sync
2626 pipe, pick up the exit status, and quit. */
2627 memset(&action, 0, sizeof(action));
2628 action.sa_handler = capture_cleanup;
2629 action.sa_flags = SA_RESTART;
2630 sigemptyset(&action.sa_mask);
2631 sigaction(SIGTERM, &action, NULL);
2632 sigaction(SIGINT, &action, NULL);
2633 sigaction(SIGHUP, NULL, &oldaction);
2634 if (oldaction.sa_handler == SIG_DFL)
2635 sigaction(SIGHUP, &action, NULL);
2638 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2639 quiet mode, report the number of packets we've captured.
2641 Again, restart any read that was in progress, so that it doesn't
2642 disrupt reading from the sync pipe. */
2643 action.sa_handler = report_counts_siginfo;
2644 action.sa_flags = SA_RESTART;
2645 sigemptyset(&action.sa_mask);
2646 sigaction(SIGINFO, &action, NULL);
2647 #endif /* SIGINFO */
2650 global_capture_session.state = CAPTURE_PREPARING;
2652 /* Let the user know which interfaces were chosen. */
2653 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2654 interface_options interface_opts;
2656 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2657 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2658 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2659 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2661 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2662 if (really_quiet == FALSE)
2663 fprintf(stderr, "Capturing on %s\n", str->str);
2665 g_string_free(str, TRUE);
2667 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2672 /* the actual capture loop
2674 * XXX - glib doesn't seem to provide any event based loop handling.
2676 * XXX - for whatever reason,
2677 * calling g_main_loop_new() ends up in 100% cpu load.
2679 * But that doesn't matter: in UNIX we can use select() to find an input
2680 * source with something to do.
2682 * But that doesn't matter because we're in a CLI (that doesn't need to
2683 * update a GUI or something at the same time) so it's OK if we block
2684 * trying to read from the pipe.
2686 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2687 * wrong (but I leave it there in case I am...).
2690 #ifdef USE_TSHARK_SELECT
2692 FD_SET(pipe_input.source, &readfds);
2695 loop_running = TRUE;
2699 while (loop_running)
2701 #ifdef USE_TSHARK_SELECT
2702 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2706 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2708 } else if (ret == 1) {
2710 /* Call the real handler */
2711 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2712 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2715 #ifdef USE_TSHARK_SELECT
2720 CATCH(OutOfMemoryError) {
2724 "Sorry, but TShark has to terminate now.\n"
2726 "More information and workarounds can be found at\n"
2727 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2734 /* capture child detected an error */
2736 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2738 cmdarg_err("%s", error_msg);
2739 cmdarg_err_cont("%s", secondary_error_msg);
2743 /* capture child detected an capture filter related error */
2745 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2747 capture_options *capture_opts = cap_session->capture_opts;
2748 dfilter_t *rfcode = NULL;
2749 interface_options interface_opts;
2751 g_assert(i < capture_opts->ifaces->len);
2752 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2754 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2756 "Invalid capture filter \"%s\" for interface '%s'.\n"
2758 "That string looks like a valid display filter; however, it isn't a valid\n"
2759 "capture filter (%s).\n"
2761 "Note that display filters and capture filters don't have the same syntax,\n"
2762 "so you can't use most display filter expressions as capture filters.\n"
2764 "See the User's Guide for a description of the capture filter syntax.",
2765 interface_opts.cfilter, interface_opts.descr, error_message);
2766 dfilter_free(rfcode);
2769 "Invalid capture filter \"%s\" for interface '%s'.\n"
2771 "That string isn't a valid capture filter (%s).\n"
2772 "See the User's Guide for a description of the capture filter syntax.",
2773 interface_opts.cfilter, interface_opts.descr, error_message);
2778 /* capture child tells us we have a new (or the first) capture file */
2780 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2782 capture_options *capture_opts = cap_session->capture_opts;
2783 capture_file *cf = (capture_file *) cap_session->cf;
2784 gboolean is_tempfile;
2787 if (cap_session->state == CAPTURE_PREPARING) {
2788 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2790 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2792 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2794 /* free the old filename */
2795 if (capture_opts->save_file != NULL) {
2797 /* we start a new capture file, close the old one (if we had one before) */
2798 if (cf->state != FILE_CLOSED) {
2799 if (cf->wth != NULL) {
2800 wtap_close(cf->wth);
2803 cf->state = FILE_CLOSED;
2806 g_free(capture_opts->save_file);
2807 is_tempfile = FALSE;
2809 epan_free(cf->epan);
2810 cf->epan = tshark_epan_new(cf);
2812 /* we didn't had a save_file before, must be a tempfile */
2816 /* save the new filename */
2817 capture_opts->save_file = g_strdup(new_file);
2819 /* if we are in real-time mode, open the new file now */
2820 if (do_dissection) {
2821 /* this is probably unecessary, but better safe than sorry */
2822 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2823 /* Attempt to open the capture file and set up to read from it. */
2824 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2828 /* Don't unlink (delete) the save file - leave it around,
2829 for debugging purposes. */
2830 g_free(capture_opts->save_file);
2831 capture_opts->save_file = NULL;
2836 cap_session->state = CAPTURE_RUNNING;
2842 /* capture child tells us we have new packets to read */
2844 capture_input_new_packets(capture_session *cap_session, int to_read)
2850 capture_file *cf = (capture_file *)cap_session->cf;
2851 gboolean filtering_tap_listeners;
2856 * Prevent a SIGINFO handler from writing to the standard error while
2857 * we're doing so or writing to the standard output; instead, have it
2858 * just set a flag telling us to print that information when we're done.
2861 #endif /* SIGINFO */
2863 /* Do we have any tap listeners with filters? */
2864 filtering_tap_listeners = have_filtering_tap_listeners();
2866 /* Get the union of the flags for all tap listeners. */
2867 tap_flags = union_of_tap_listener_flags();
2869 if (do_dissection) {
2870 gboolean create_proto_tree;
2871 epan_dissect_t *edt;
2873 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2874 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2875 create_proto_tree = TRUE;
2877 create_proto_tree = FALSE;
2879 /* The protocol tree will be "visible", i.e., printed, only if we're
2880 printing packet details, which is true if we're printing stuff
2881 ("print_packet_info" is true) and we're in verbose mode
2882 ("packet_details" is true). */
2883 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2885 while (to_read-- && cf->wth) {
2886 wtap_cleareof(cf->wth);
2887 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2889 /* read from file failed, tell the capture child to stop */
2890 sync_pipe_stop(cap_session);
2891 wtap_close(cf->wth);
2894 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2895 wtap_buf_ptr(cf->wth),
2899 /* packet successfully read and gone through the "Read Filter" */
2904 epan_dissect_free(edt);
2908 * Dumpcap's doing all the work; we're not doing any dissection.
2909 * Count all the packets it wrote.
2911 packet_count += to_read;
2914 if (print_packet_counts) {
2915 /* We're printing packet counts. */
2916 if (packet_count != 0) {
2917 fprintf(stderr, "\r%u ", packet_count);
2918 /* stderr could be line buffered */
2925 * Allow SIGINFO handlers to write.
2930 * If a SIGINFO handler asked us to write out capture counts, do so.
2934 #endif /* SIGINFO */
2940 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2941 /* Report the count only if we aren't printing a packet count
2942 as packets arrive. */
2943 fprintf(stderr, "%u packet%s captured\n", packet_count,
2944 plurality(packet_count, "", "s"));
2947 infoprint = FALSE; /* we just reported it */
2948 #endif /* SIGINFO */
2953 report_counts_siginfo(int signum _U_)
2955 int sav_errno = errno;
2956 /* If we've been told to delay printing, just set a flag asking
2957 that we print counts (if we're supposed to), otherwise print
2958 the count of packets captured (if we're supposed to). */
2965 #endif /* SIGINFO */
2968 /* capture child detected any packet drops? */
2970 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2972 if (print_packet_counts) {
2973 /* We're printing packet counts to stderr.
2974 Send a newline so that we move to the line after the packet count. */
2975 fprintf(stderr, "\n");
2979 /* We're printing packet counts to stderr.
2980 Send a newline so that we move to the line after the packet count. */
2981 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2987 * Capture child closed its side of the pipe, report any error and
2988 * do the required cleanup.
2991 capture_input_closed(capture_session *cap_session, gchar *msg)
2993 capture_file *cf = (capture_file *) cap_session->cf;
2996 fprintf(stderr, "tshark: %s\n", msg);
3000 if (cf != NULL && cf->wth != NULL) {
3001 wtap_close(cf->wth);
3002 if (cf->is_tempfile) {
3003 ws_unlink(cf->filename);
3006 #ifdef USE_BROKEN_G_MAIN_LOOP
3007 /*g_main_loop_quit(loop);*/
3008 g_main_loop_quit(loop);
3010 loop_running = FALSE;
3019 capture_cleanup(DWORD ctrltype _U_)
3021 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3022 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3023 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3024 like SIGTERM at least when the machine's shutting down.
3026 For now, we handle them all as indications that we should clean up
3027 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3030 We must return TRUE so that no other handler - such as one that would
3031 terminate the process - gets called.
3033 XXX - for some reason, typing ^C to TShark, if you run this in
3034 a Cygwin console window in at least some versions of Cygwin,
3035 causes TShark to terminate immediately; this routine gets
3036 called, but the main loop doesn't get a chance to run and
3037 exit cleanly, at least if this is compiled with Microsoft Visual
3038 C++ (i.e., it's a property of the Cygwin console window or Bash;
3039 it happens if TShark is not built with Cygwin - for all I know,
3040 building it with Cygwin may make the problem go away). */
3042 /* tell the capture child to stop */
3043 sync_pipe_stop(&global_capture_session);
3045 /* don't stop our own loop already here, otherwise status messages and
3046 * cleanup wouldn't be done properly. The child will indicate the stop of
3047 * everything by calling capture_input_closed() later */
3053 capture_cleanup(int signum _U_)
3055 /* tell the capture child to stop */
3056 sync_pipe_stop(&global_capture_session);
3058 /* don't stop our own loop already here, otherwise status messages and
3059 * cleanup wouldn't be done properly. The child will indicate the stop of
3060 * everything by calling capture_input_closed() later */
3063 #endif /* HAVE_LIBPCAP */
3066 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
3067 gint64 offset, struct wtap_pkthdr *whdr,
3074 /* The frame number of this packet is one more than the count of
3075 frames in this packet. */
3076 framenum = cf->count + 1;
3078 /* If we're not running a display filter and we're not printing any
3079 packet information, we don't need to do a dissection. This means
3080 that all packets can be marked as 'passed'. */
3083 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
3085 /* If we're going to print packet information, or we're going to
3086 run a read filter, or display filter, or we're going to process taps, set up to
3087 do a dissection and do so. */
3089 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3090 gbl_resolv_flags.transport_name)
3091 /* Grab any resolved addresses */
3092 host_name_lookup_process();
3094 /* If we're running a read filter, prime the epan_dissect_t with that
3097 epan_dissect_prime_dfilter(edt, cf->rfcode);
3100 epan_dissect_prime_dfilter(edt, cf->dfcode);
3102 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3104 if (ref == &fdlocal) {
3105 ref_frame = fdlocal;
3109 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
3111 /* Run the read filter if we have one. */
3113 passed = dfilter_apply_edt(cf->rfcode, edt);
3117 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3118 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
3120 /* If we're not doing dissection then there won't be any dependent frames.
3121 * More importantly, edt.pi.dependent_frames won't be initialized because
3122 * epan hasn't been initialized.
3123 * if we *are* doing dissection, then mark the dependent frames, but only
3124 * if a display filter was given and it matches this packet.
3126 if (edt && cf->dfcode) {
3127 if (dfilter_apply_edt(cf->dfcode, edt)) {
3128 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
3134 /* if we don't add it to the frame_data_sequence, clean it up right now
3136 frame_data_destroy(&fdlocal);
3140 epan_dissect_reset(edt);
3146 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
3147 struct wtap_pkthdr *phdr, Buffer *buf,
3153 /* If we're not running a display filter and we're not printing any
3154 packet information, we don't need to do a dissection. This means
3155 that all packets can be marked as 'passed'. */
3158 /* If we're going to print packet information, or we're going to
3159 run a read filter, or we're going to process taps, set up to
3160 do a dissection and do so. */
3162 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3163 gbl_resolv_flags.transport_name)
3164 /* Grab any resolved addresses */
3165 host_name_lookup_process();
3167 /* If we're running a display filter, prime the epan_dissect_t with that
3170 epan_dissect_prime_dfilter(edt, cf->dfcode);
3172 col_custom_prime_edt(edt, &cf->cinfo);
3174 /* We only need the columns if either
3175 1) some tap needs the columns
3177 2) we're printing packet info but we're *not* verbose; in verbose
3178 mode, we print the protocol tree, not the protocol summary.
3180 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3185 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3192 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3194 /* Run the read/display filter if we have one. */
3196 passed = dfilter_apply_edt(cf->dfcode, edt);
3200 frame_data_set_after_dissect(fdata, &cum_bytes);
3201 /* Process this packet. */
3202 if (print_packet_info) {
3203 /* We're printing packet information; print the information for
3205 print_packet(cf, edt);
3207 /* The ANSI C standard does not appear to *require* that a line-buffered
3208 stream be flushed to the host environment whenever a newline is
3209 written, it just says that, on such a stream, characters "are
3210 intended to be transmitted to or from the host environment as a
3211 block when a new-line character is encountered".
3213 The Visual C++ 6.0 C implementation doesn't do what is intended;
3214 even if you set a stream to be line-buffered, it still doesn't
3215 flush the buffer at the end of every line.
3217 So, if the "-l" flag was specified, we flush the standard output
3218 at the end of a packet. This will do the right thing if we're
3219 printing packet summary lines, and, as we print the entire protocol
3220 tree for a single packet without waiting for anything to happen,
3221 it should be as good as line-buffered mode if we're printing
3222 protocol trees. (The whole reason for the "-l" flag in either
3223 tcpdump or TShark is to allow the output of a live capture to
3224 be piped to a program or script and to have that script see the
3225 information for the packet as soon as it's printed, rather than
3226 having to wait until a standard I/O buffer fills up. */
3230 if (ferror(stdout)) {
3231 show_print_file_io_error(errno);
3240 epan_dissect_reset(edt);
3242 return passed || fdata->flags.dependent_of_displayed;
3246 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3247 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3250 int snapshot_length;
3254 gchar *err_info = NULL;
3256 char *save_file_string = NULL;
3257 gboolean filtering_tap_listeners;
3259 GArray *shb_hdrs = NULL;
3260 wtapng_iface_descriptions_t *idb_inf = NULL;
3261 GArray *nrb_hdrs = NULL;
3262 struct wtap_pkthdr phdr;
3264 epan_dissect_t *edt = NULL;
3265 char *shb_user_appl;
3267 wtap_phdr_init(&phdr);
3269 idb_inf = wtap_file_get_idb_info(cf->wth);
3270 #ifdef PCAP_NG_DEFAULT
3271 if (idb_inf->interface_data->len > 1) {
3272 linktype = WTAP_ENCAP_PER_PACKET;
3274 linktype = wtap_file_encap(cf->wth);
3277 linktype = wtap_file_encap(cf->wth);
3279 if (save_file != NULL) {
3280 /* Get a string that describes what we're writing to */
3281 save_file_string = output_file_description(save_file);
3283 /* Set up to write to the capture file. */
3284 snapshot_length = wtap_snapshot_length(cf->wth);
3285 if (snapshot_length == 0) {
3286 /* Snapshot length of input file not known. */
3287 snapshot_length = WTAP_MAX_PACKET_SIZE;
3289 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3291 shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth);
3292 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth);
3294 /* If we don't have an application name add Tshark */
3295 wtap_optionblock_get_option_string(g_array_index(shb_hdrs, wtap_optionblock_t, 0), OPT_SHB_USERAPPL, &shb_user_appl);
3296 if (shb_user_appl == NULL) {
3297 /* this is free'd by wtap_optionblock_free() later */
3298 wtap_optionblock_set_option_string_format(g_array_index(shb_hdrs, wtap_optionblock_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3301 if (linktype != WTAP_ENCAP_PER_PACKET &&
3302 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3303 tshark_debug("tshark: writing PCAP format to %s", save_file);
3304 if (strcmp(save_file, "-") == 0) {
3305 /* Write to the standard output. */
3306 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3307 snapshot_length, FALSE /* compressed */, &err);
3309 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3310 snapshot_length, FALSE /* compressed */, &err);
3314 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3315 if (strcmp(save_file, "-") == 0) {
3316 /* Write to the standard output. */
3317 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3318 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3320 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3321 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3329 /* We couldn't set up to write to the capture file. */
3332 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3333 cmdarg_err("Capture files can't be written in that format.");
3336 case WTAP_ERR_UNWRITABLE_ENCAP:
3337 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3338 cmdarg_err("The capture file being read can't be written as a "
3339 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3342 case WTAP_ERR_CANT_OPEN:
3343 cmdarg_err("The %s couldn't be created for some "
3344 "unknown reason.", save_file_string);
3347 case WTAP_ERR_SHORT_WRITE:
3348 cmdarg_err("A full header couldn't be written to the %s.",
3353 cmdarg_err("The %s could not be created: %s.", save_file_string,
3354 wtap_strerror(err));
3360 if (print_packet_info) {
3361 if (!write_preamble(cf)) {
3363 show_print_file_io_error(err);
3372 /* Do we have any tap listeners with filters? */
3373 filtering_tap_listeners = have_filtering_tap_listeners();
3375 /* Get the union of the flags for all tap listeners. */
3376 tap_flags = union_of_tap_listener_flags();
3378 if (perform_two_pass_analysis) {
3381 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3383 /* Allocate a frame_data_sequence for all the frames. */
3384 cf->frames = new_frame_data_sequence();
3386 if (do_dissection) {
3387 gboolean create_proto_tree = FALSE;
3389 /* If we're going to be applying a filter, we'll need to
3390 create a protocol tree against which to apply the filter. */
3391 if (cf->rfcode || cf->dfcode)
3392 create_proto_tree = TRUE;
3394 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3396 /* We're not going to display the protocol tree on this pass,
3397 so it's not going to be "visible". */
3398 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3401 tshark_debug("tshark: reading records for first pass");
3402 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3403 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3404 wtap_buf_ptr(cf->wth))) {
3405 /* Stop reading if we have the maximum number of packets;
3406 * When the -c option has not been used, max_packet_count
3407 * starts at 0, which practically means, never stop reading.
3408 * (unless we roll over max_packet_count ?)
3410 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3411 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3412 max_packet_count, data_offset, max_byte_count);
3413 err = 0; /* This is not an error */
3420 epan_dissect_free(edt);
3424 /* Close the sequential I/O side, to free up memory it requires. */
3425 wtap_sequential_close(cf->wth);
3427 /* Allow the protocol dissectors to free up memory that they
3428 * don't need after the sequential run-through of the packets. */
3429 postseq_cleanup_all_protocols();
3433 ws_buffer_init(&buf, 1500);
3435 tshark_debug("tshark: done with first pass");
3437 if (do_dissection) {
3438 gboolean create_proto_tree;
3440 if (cf->dfcode || print_details || filtering_tap_listeners ||
3441 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3442 create_proto_tree = TRUE;
3444 create_proto_tree = FALSE;
3446 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3448 /* The protocol tree will be "visible", i.e., printed, only if we're
3449 printing packet details, which is true if we're printing stuff
3450 ("print_packet_info" is true) and we're in verbose mode
3451 ("packet_details" is true). */
3452 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3455 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3456 fdata = frame_data_sequence_find(cf->frames, framenum);
3457 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3459 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3460 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3462 /* Either there's no read filtering or this packet passed the
3463 filter, so, if we're writing to a capture file, write
3466 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3467 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3468 /* Error writing to a capture file */
3469 tshark_debug("tshark: error writing to a capture file (%d)", err);
3472 case WTAP_ERR_UNWRITABLE_ENCAP:
3474 * This is a problem with the particular frame we're writing
3475 * and the file type and subtype we're writing; note that,
3476 * and report the frame number and file type/subtype.
3478 * XXX - framenum is not necessarily the frame number in
3479 * the input file if there was a read filter.
3482 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3483 framenum, cf->filename,
3484 wtap_file_type_subtype_short_string(out_file_type));
3487 case WTAP_ERR_PACKET_TOO_LARGE:
3489 * This is a problem with the particular frame we're writing
3490 * and the file type and subtype we're writing; note that,
3491 * and report the frame number and file type/subtype.
3493 * XXX - framenum is not necessarily the frame number in
3494 * the input file if there was a read filter.
3497 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3498 framenum, cf->filename,
3499 wtap_file_type_subtype_short_string(out_file_type));
3502 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3504 * This is a problem with the particular record we're writing
3505 * and the file type and subtype we're writing; note that,
3506 * and report the record number and file type/subtype.
3508 * XXX - framenum is not necessarily the record number in
3509 * the input file if there was a read filter.
3512 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3513 framenum, cf->filename,
3514 wtap_file_type_subtype_short_string(out_file_type));
3517 case WTAP_ERR_UNWRITABLE_REC_DATA:
3519 * This is a problem with the particular record we're writing
3520 * and the file type and subtype we're writing; note that,
3521 * and report the record number and file type/subtype.
3523 * XXX - framenum is not necessarily the record number in
3524 * the input file if there was a read filter.
3527 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3528 framenum, cf->filename,
3529 wtap_file_type_subtype_short_string(out_file_type),
3530 err_info != NULL ? err_info : "no information supplied");
3535 show_capture_file_io_error(save_file, err, FALSE);
3538 wtap_dump_close(pdh, &err);
3539 wtap_optionblock_array_free(shb_hdrs);
3540 wtap_optionblock_array_free(nrb_hdrs);
3549 epan_dissect_free(edt);
3553 ws_buffer_free(&buf);
3555 tshark_debug("tshark: done with second pass");
3558 /* !perform_two_pass_analysis */
3561 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3563 if (do_dissection) {
3564 gboolean create_proto_tree;
3566 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3567 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3568 create_proto_tree = TRUE;
3570 create_proto_tree = FALSE;
3572 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3574 /* The protocol tree will be "visible", i.e., printed, only if we're
3575 printing packet details, which is true if we're printing stuff
3576 ("print_packet_info" is true) and we're in verbose mode
3577 ("packet_details" is true). */
3578 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3581 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3584 tshark_debug("tshark: processing packet #%d", framenum);
3586 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3587 wtap_buf_ptr(cf->wth),
3589 /* Either there's no read filtering or this packet passed the
3590 filter, so, if we're writing to a capture file, write
3593 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3594 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3595 /* Error writing to a capture file */
3596 tshark_debug("tshark: error writing to a capture file (%d)", err);
3599 case WTAP_ERR_UNWRITABLE_ENCAP:
3601 * This is a problem with the particular frame we're writing
3602 * and the file type and subtype we're writing; note that,
3603 * and report the frame number and file type/subtype.
3606 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3607 framenum, cf->filename,
3608 wtap_file_type_subtype_short_string(out_file_type));
3611 case WTAP_ERR_PACKET_TOO_LARGE:
3613 * This is a problem with the particular frame we're writing
3614 * and the file type and subtype we're writing; note that,
3615 * and report the frame number and file type/subtype.
3618 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3619 framenum, cf->filename,
3620 wtap_file_type_subtype_short_string(out_file_type));
3623 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3625 * This is a problem with the particular record we're writing
3626 * and the file type and subtype we're writing; note that,
3627 * and report the record number and file type/subtype.
3630 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3631 framenum, cf->filename,
3632 wtap_file_type_subtype_short_string(out_file_type));
3635 case WTAP_ERR_UNWRITABLE_REC_DATA:
3637 * This is a problem with the particular record we're writing
3638 * and the file type and subtype we're writing; note that,
3639 * and report the record number and file type/subtype.
3642 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3643 framenum, cf->filename,
3644 wtap_file_type_subtype_short_string(out_file_type),
3645 err_info != NULL ? err_info : "no information supplied");
3650 show_capture_file_io_error(save_file, err, FALSE);
3653 wtap_dump_close(pdh, &err);
3654 wtap_optionblock_array_free(shb_hdrs);
3655 wtap_optionblock_array_free(nrb_hdrs);
3660 /* Stop reading if we have the maximum number of packets;
3661 * When the -c option has not been used, max_packet_count
3662 * starts at 0, which practically means, never stop reading.
3663 * (unless we roll over max_packet_count ?)
3665 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3666 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3667 max_packet_count, data_offset, max_byte_count);
3668 err = 0; /* This is not an error */
3674 epan_dissect_free(edt);
3679 wtap_phdr_cleanup(&phdr);
3682 tshark_debug("tshark: something failed along the line (%d)", err);
3684 * Print a message noting that the read failed somewhere along the line.
3686 * If we're printing packet data, and the standard output and error are
3687 * going to the same place, flush the standard output, so everything
3688 * buffered up is written, and then print a newline to the standard error
3689 * before printing the error message, to separate it from the packet
3690 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3691 * the _fstat() documentation at Microsoft doesn't indicate whether
3692 * st_ino is even supported.)
3695 if (print_packet_info) {
3696 ws_statb64 stat_stdout, stat_stderr;
3698 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3699 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3700 stat_stdout.st_ino == stat_stderr.st_ino) {
3702 fprintf(stderr, "\n");
3709 case WTAP_ERR_UNSUPPORTED:
3710 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3712 err_info != NULL ? err_info : "no information supplied");
3716 case WTAP_ERR_SHORT_READ:
3717 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3721 case WTAP_ERR_BAD_FILE:
3722 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3724 err_info != NULL ? err_info : "no information supplied");
3728 case WTAP_ERR_DECOMPRESS:
3729 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3730 "(%s)", cf->filename,
3731 err_info != NULL ? err_info : "no information supplied");
3736 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3737 cf->filename, wtap_strerror(err));
3740 if (save_file != NULL) {
3741 /* Now close the capture file. */
3742 if (!wtap_dump_close(pdh, &err))
3743 show_capture_file_io_error(save_file, err, TRUE);
3746 if (save_file != NULL) {
3747 if (pdh && out_file_name_res) {
3748 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3749 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3750 wtap_file_type_subtype_short_string(out_file_type));
3753 /* Now close the capture file. */
3754 if (!wtap_dump_close(pdh, &err))
3755 show_capture_file_io_error(save_file, err, TRUE);
3757 if (print_packet_info) {
3758 if (!write_finale()) {
3760 show_print_file_io_error(err);
3767 wtap_close(cf->wth);
3770 g_free(save_file_string);
3771 wtap_optionblock_array_free(shb_hdrs);
3772 wtap_optionblock_array_free(nrb_hdrs);
3778 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3779 const guchar *pd, guint tap_flags)
3785 /* Count this packet. */
3788 /* If we're not running a display filter and we're not printing any
3789 packet information, we don't need to do a dissection. This means
3790 that all packets can be marked as 'passed'. */
3793 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3795 /* If we're going to print packet information, or we're going to
3796 run a read filter, or we're going to process taps, set up to
3797 do a dissection and do so. */
3799 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3800 gbl_resolv_flags.transport_name))
3801 /* Grab any resolved addresses */
3802 host_name_lookup_process();
3804 /* If we're running a filter, prime the epan_dissect_t with that
3807 epan_dissect_prime_dfilter(edt, cf->dfcode);
3809 col_custom_prime_edt(edt, &cf->cinfo);
3811 /* We only need the columns if either
3812 1) some tap needs the columns
3814 2) we're printing packet info but we're *not* verbose; in verbose
3815 mode, we print the protocol tree, not the protocol summary.
3817 3) there is a column mapped as an individual field */
3818 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3823 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3825 if (ref == &fdata) {
3830 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3832 /* Run the filter if we have it. */
3834 passed = dfilter_apply_edt(cf->dfcode, edt);
3838 frame_data_set_after_dissect(&fdata, &cum_bytes);
3840 /* Process this packet. */
3841 if (print_packet_info) {
3842 /* We're printing packet information; print the information for
3844 print_packet(cf, edt);
3846 /* The ANSI C standard does not appear to *require* that a line-buffered
3847 stream be flushed to the host environment whenever a newline is
3848 written, it just says that, on such a stream, characters "are
3849 intended to be transmitted to or from the host environment as a
3850 block when a new-line character is encountered".
3852 The Visual C++ 6.0 C implementation doesn't do what is intended;
3853 even if you set a stream to be line-buffered, it still doesn't
3854 flush the buffer at the end of every line.
3856 So, if the "-l" flag was specified, we flush the standard output
3857 at the end of a packet. This will do the right thing if we're
3858 printing packet summary lines, and, as we print the entire protocol
3859 tree for a single packet without waiting for anything to happen,
3860 it should be as good as line-buffered mode if we're printing
3861 protocol trees. (The whole reason for the "-l" flag in either
3862 tcpdump or TShark is to allow the output of a live capture to
3863 be piped to a program or script and to have that script see the
3864 information for the packet as soon as it's printed, rather than
3865 having to wait until a standard I/O buffer fills up. */
3869 if (ferror(stdout)) {
3870 show_print_file_io_error(errno);
3875 /* this must be set after print_packet() [bug #8160] */
3876 prev_dis_frame = fdata;
3877 prev_dis = &prev_dis_frame;
3880 prev_cap_frame = fdata;
3881 prev_cap = &prev_cap_frame;
3884 epan_dissect_reset(edt);
3885 frame_data_destroy(&fdata);
3891 write_preamble(capture_file *cf)
3893 switch (output_action) {
3896 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3900 write_pdml_preamble(stdout, cf->filename);
3902 write_psml_preamble(&cf->cinfo, stdout);
3903 return !ferror(stdout);
3906 write_fields_preamble(output_fields, stdout);
3907 return !ferror(stdout);
3910 write_json_preamble(stdout);
3911 return !ferror(stdout);
3914 return !ferror(stdout);
3917 g_assert_not_reached();
3923 get_line_buf(size_t len)
3925 static char *line_bufp = NULL;
3926 static size_t line_buf_len = 256;
3927 size_t new_line_buf_len;
3929 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3930 new_line_buf_len *= 2)
3932 if (line_bufp == NULL) {
3933 line_buf_len = new_line_buf_len;
3934 line_bufp = (char *)g_malloc(line_buf_len + 1);
3936 if (new_line_buf_len > line_buf_len) {
3937 line_buf_len = new_line_buf_len;
3938 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3945 put_string(char *dest, const char *str, size_t str_len)
3947 memcpy(dest, str, str_len);
3948 dest[str_len] = '\0';
3952 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3956 for (i = str_len; i < str_with_spaces; i++)
3959 put_string(dest, str, str_len);
3963 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3967 memcpy(dest, str, str_len);
3968 for (i = str_len; i < str_with_spaces; i++)
3971 dest[str_with_spaces] = '\0';
3975 print_columns(capture_file *cf)
3982 col_item_t* col_item;
3984 line_bufp = get_line_buf(256);
3987 for (i = 0; i < cf->cinfo.num_cols; i++) {
3988 col_item = &cf->cinfo.columns[i];
3989 /* Skip columns not marked as visible. */
3990 if (!get_column_visible(i))
3992 switch (col_item->col_fmt) {
3994 column_len = col_len = strlen(col_item->col_data);
3997 line_bufp = get_line_buf(buf_offset + column_len);
3998 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
4004 case COL_ABS_YMD_TIME: /* XXX - wider */
4005 case COL_ABS_YDOY_TIME: /* XXX - wider */
4007 case COL_UTC_YMD_TIME: /* XXX - wider */
4008 case COL_UTC_YDOY_TIME: /* XXX - wider */
4009 column_len = col_len = strlen(col_item->col_data);
4010 if (column_len < 10)
4012 line_bufp = get_line_buf(buf_offset + column_len);
4013 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
4019 case COL_DEF_DL_SRC:
4020 case COL_RES_DL_SRC:
4021 case COL_UNRES_DL_SRC:
4022 case COL_DEF_NET_SRC:
4023 case COL_RES_NET_SRC:
4024 case COL_UNRES_NET_SRC:
4025 column_len = col_len = strlen(col_item->col_data);
4026 if (column_len < 12)
4028 line_bufp = get_line_buf(buf_offset + column_len);
4029 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
4035 case COL_DEF_DL_DST:
4036 case COL_RES_DL_DST:
4037 case COL_UNRES_DL_DST:
4038 case COL_DEF_NET_DST:
4039 case COL_RES_NET_DST:
4040 case COL_UNRES_NET_DST:
4041 column_len = col_len = strlen(col_item->col_data);
4042 if (column_len < 12)
4044 line_bufp = get_line_buf(buf_offset + column_len);
4045 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
4049 column_len = strlen(col_item->col_data);
4050 line_bufp = get_line_buf(buf_offset + column_len);
4051 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
4054 buf_offset += column_len;
4055 if (i != cf->cinfo.num_cols - 1) {
4057 * This isn't the last column, so we need to print a
4058 * separator between this column and the next.
4060 * If we printed a network source and are printing a
4061 * network destination of the same type next, separate
4062 * them with a UTF-8 right arrow; if we printed a network
4063 * destination and are printing a network source of the same
4064 * type next, separate them with a UTF-8 left arrow;
4065 * otherwise separate them with a space.
4067 * We add enough space to the buffer for " \xe2\x86\x90 "
4068 * or " \xe2\x86\x92 ", even if we're only adding " ".
4070 line_bufp = get_line_buf(buf_offset + 5);
4071 switch (col_item->col_fmt) {
4076 switch (cf->cinfo.columns[i+1].col_fmt) {
4081 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
4086 put_string(line_bufp + buf_offset, " ", 1);
4092 case COL_DEF_DL_SRC:
4093 case COL_RES_DL_SRC:
4094 case COL_UNRES_DL_SRC:
4095 switch (cf->cinfo.columns[i+1].col_fmt) {
4097 case COL_DEF_DL_DST:
4098 case COL_RES_DL_DST:
4099 case COL_UNRES_DL_DST:
4100 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
4105 put_string(line_bufp + buf_offset, " ", 1);
4111 case COL_DEF_NET_SRC:
4112 case COL_RES_NET_SRC:
4113 case COL_UNRES_NET_SRC:
4114 switch (cf->cinfo.columns[i+1].col_fmt) {
4116 case COL_DEF_NET_DST:
4117 case COL_RES_NET_DST:
4118 case COL_UNRES_NET_DST:
4119 put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5);
4124 put_string(line_bufp + buf_offset, " ", 1);
4133 switch (cf->cinfo.columns[i+1].col_fmt) {
4138 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
4143 put_string(line_bufp + buf_offset, " ", 1);
4149 case COL_DEF_DL_DST:
4150 case COL_RES_DL_DST:
4151 case COL_UNRES_DL_DST:
4152 switch (cf->cinfo.columns[i+1].col_fmt) {
4154 case COL_DEF_DL_SRC:
4155 case COL_RES_DL_SRC:
4156 case COL_UNRES_DL_SRC:
4157 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
4162 put_string(line_bufp + buf_offset, " ", 1);
4168 case COL_DEF_NET_DST:
4169 case COL_RES_NET_DST:
4170 case COL_UNRES_NET_DST:
4171 switch (cf->cinfo.columns[i+1].col_fmt) {
4173 case COL_DEF_NET_SRC:
4174 case COL_RES_NET_SRC:
4175 case COL_UNRES_NET_SRC:
4176 put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5);
4181 put_string(line_bufp + buf_offset, " ", 1);
4188 put_string(line_bufp + buf_offset, " ", 1);
4194 return print_line(print_stream, 0, line_bufp);
4198 print_packet(capture_file *cf, epan_dissect_t *edt)
4200 print_args_t print_args;
4202 if (print_summary || output_fields_has_cols(output_fields)) {
4203 /* Just fill in the columns. */
4204 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4206 if (print_summary) {
4207 /* Now print them. */
4208 switch (output_action) {
4211 if (!print_columns(cf))
4216 write_psml_columns(edt, stdout);
4217 return !ferror(stdout);
4218 case WRITE_FIELDS: /*No non-verbose "fields" format */
4221 g_assert_not_reached();
4226 if (print_details) {
4227 /* Print the information in the protocol tree. */
4228 switch (output_action) {
4231 /* Only initialize the fields that are actually used in proto_tree_print.
4232 * This is particularly important for .range, as that's heap memory which
4233 * we would otherwise have to g_free().
4234 print_args.to_file = TRUE;
4235 print_args.format = print_format;
4236 print_args.print_summary = print_summary;
4237 print_args.print_formfeed = FALSE;
4238 packet_range_init(&print_args.range, &cfile);
4240 print_args.print_hex = print_hex;
4241 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4243 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4246 if (!print_line(print_stream, 0, separator))
4252 write_pdml_proto_tree(edt, stdout);
4254 return !ferror(stdout);
4256 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4258 return !ferror(stdout);
4260 print_args.print_hex = print_hex;
4261 write_json_proto_tree(&print_args, jsonfilter, edt, stdout);
4263 return !ferror(stdout);
4265 print_args.print_hex = print_hex;
4266 write_ek_proto_tree(&print_args, jsonfilter, edt, stdout);
4268 return !ferror(stdout);
4272 if (print_summary || print_details) {
4273 if (!print_line(print_stream, 0, ""))
4276 if (!print_hex_data(print_stream, edt))
4278 if (!print_line(print_stream, 0, separator))
4287 switch (output_action) {
4290 return print_finale(print_stream);
4294 write_pdml_finale(stdout);
4296 write_psml_finale(stdout);
4297 return !ferror(stdout);
4300 write_fields_finale(output_fields, stdout);
4301 return !ferror(stdout);
4304 write_json_finale(stdout);
4305 return !ferror(stdout);
4308 return !ferror(stdout);
4311 g_assert_not_reached();
4317 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4321 char err_msg[2048+1];
4323 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4327 /* The open succeeded. Fill in the information for this file. */
4329 /* Create new epan session for dissection. */
4330 epan_free(cf->epan);
4331 cf->epan = tshark_epan_new(cf);
4334 cf->f_datalen = 0; /* not used, but set it anyway */
4336 /* Set the file name because we need it to set the follow stream filter.
4337 XXX - is that still true? We need it for other reasons, though,
4339 cf->filename = g_strdup(fname);
4341 /* Indicate whether it's a permanent or temporary file. */
4342 cf->is_tempfile = is_tempfile;
4344 /* No user changes yet. */
4345 cf->unsaved_changes = FALSE;
4347 cf->cd_t = wtap_file_type_subtype(cf->wth);
4348 cf->open_type = type;
4350 cf->drops_known = FALSE;
4352 cf->snap = wtap_snapshot_length(cf->wth);
4353 if (cf->snap == 0) {
4354 /* Snapshot length not known. */
4355 cf->has_snap = FALSE;
4356 cf->snap = WTAP_MAX_PACKET_SIZE;
4358 cf->has_snap = TRUE;
4359 nstime_set_zero(&cf->elapsed_time);
4364 cf->state = FILE_READ_IN_PROGRESS;
4366 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4367 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4372 g_snprintf(err_msg, sizeof err_msg,
4373 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4374 cmdarg_err("%s", err_msg);
4379 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4381 char *save_file_string;
4383 save_file_string = output_file_description(fname);
4388 cmdarg_err("Not all the packets could be written to the %s because there is "
4389 "no space left on the file system.",
4395 cmdarg_err("Not all the packets could be written to the %s because you are "
4396 "too close to, or over your disk quota.",
4401 case WTAP_ERR_CANT_CLOSE:
4402 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4406 case WTAP_ERR_SHORT_WRITE:
4407 cmdarg_err("Not all the packets could be written to the %s.",
4413 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4414 wtap_strerror(err));
4416 cmdarg_err("An error occurred while writing to the %s: %s.",
4417 save_file_string, wtap_strerror(err));
4421 g_free(save_file_string);
4425 show_print_file_io_error(int err)
4430 cmdarg_err("Not all the packets could be printed because there is "
4431 "no space left on the file system.");
4436 cmdarg_err("Not all the packets could be printed because you are "
4437 "too close to, or over your disk quota.");
4442 cmdarg_err("An error occurred while printing packets: %s.",
4449 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4453 static char errmsg_errno[1024+1];
4456 /* Wiretap error. */
4459 case WTAP_ERR_NOT_REGULAR_FILE:
4460 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4463 case WTAP_ERR_RANDOM_OPEN_PIPE:
4464 /* Seen only when opening a capture file for reading. */
4465 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4468 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4469 /* Seen only when opening a capture file for reading. */
4470 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4473 case WTAP_ERR_UNSUPPORTED:
4474 /* Seen only when opening a capture file for reading. */
4475 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4476 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4478 err_info != NULL ? err_info : "no information supplied");
4480 errmsg = errmsg_errno;
4483 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4484 /* Seen only when opening a capture file for writing. */
4485 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4486 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4487 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4488 errmsg = errmsg_errno;
4491 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4492 /* Seen only when opening a capture file for writing. */
4493 errmsg = "TShark doesn't support writing capture files in that format.";
4496 case WTAP_ERR_UNWRITABLE_ENCAP:
4497 /* Seen only when opening a capture file for writing. */
4498 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4499 "TShark can't save this capture as a \"%s\" file.",
4500 wtap_file_type_subtype_short_string(file_type));
4501 errmsg = errmsg_errno;
4504 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4506 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4507 "TShark can't save this capture as a \"%s\" file.",
4508 wtap_file_type_subtype_short_string(file_type));
4509 errmsg = errmsg_errno;
4511 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4514 case WTAP_ERR_BAD_FILE:
4515 /* Seen only when opening a capture file for reading. */
4516 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4517 "The file \"%%s\" appears to be damaged or corrupt.\n"
4519 err_info != NULL ? err_info : "no information supplied");
4521 errmsg = errmsg_errno;
4524 case WTAP_ERR_CANT_OPEN:
4526 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4528 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4531 case WTAP_ERR_SHORT_READ:
4532 errmsg = "The file \"%s\" appears to have been cut short"
4533 " in the middle of a packet or other data.";
4536 case WTAP_ERR_SHORT_WRITE:
4537 errmsg = "A full header couldn't be written to the file \"%s\".";
4540 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4541 errmsg = "This file type cannot be written as a compressed file.";
4544 case WTAP_ERR_DECOMPRESS:
4545 /* Seen only when opening a capture file for reading. */
4546 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4547 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4549 err_info != NULL ? err_info : "no information supplied");
4551 errmsg = errmsg_errno;
4555 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4556 "The file \"%%s\" could not be %s: %s.",
4557 for_writing ? "created" : "opened",
4558 wtap_strerror(err));
4559 errmsg = errmsg_errno;
4563 errmsg = file_open_error_message(err, for_writing);
4568 * Open/create errors are reported with an console message in TShark.
4571 open_failure_message(const char *filename, int err, gboolean for_writing)
4573 fprintf(stderr, "tshark: ");
4574 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4575 fprintf(stderr, "\n");
4579 * General errors are reported with an console message in TShark.
4582 failure_message(const char *msg_format, va_list ap)
4584 fprintf(stderr, "tshark: ");
4585 vfprintf(stderr, msg_format, ap);
4586 fprintf(stderr, "\n");
4590 * Read errors are reported with an console message in TShark.
4593 read_failure_message(const char *filename, int err)
4595 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4596 filename, g_strerror(err));
4600 * Write errors are reported with an console message in TShark.
4603 write_failure_message(const char *filename, int err)
4605 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4606 filename, g_strerror(err));
4610 * Report additional information for an error in command-line arguments.
4613 failure_message_cont(const char *msg_format, va_list ap)
4615 vfprintf(stderr, msg_format, ap);
4616 fprintf(stderr, "\n");
4620 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4625 * indent-tabs-mode: nil
4628 * vi: set shiftwidth=2 tabstop=8 expandtab:
4629 * :indentSize=2:tabSize=8:noTabs=true:
git.samba.org / jlayton / wireshark.git / blob