3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
48 #ifdef HAVE_SYS_STAT_H
49 # include <sys/stat.h>
53 #include "wsutil/wsgetopt.h"
57 #include <epan/epan.h>
58 #include <epan/filesystem.h>
59 #include <wsutil/privileges.h>
60 #include <wsutil/file_util.h>
63 #include <epan/timestamp.h>
64 #include <epan/packet.h>
66 #include "disabled_protos.h"
67 #include <epan/prefs.h>
68 #include <epan/column.h>
70 #include <epan/addr_resolv.h>
72 #include "clopts_common.h"
73 #include "console_io.h"
74 #include "cmdarg_err.h"
75 #include "version_info.h"
76 #include <epan/plugins.h>
78 #include <epan/epan_dissect.h>
80 #include <epan/stat_cmd_args.h>
81 #include <epan/timestamp.h>
82 #include <epan/ex-opt.h>
85 #include "capture_ui_utils.h"
86 #include "capture_ifinfo.h"
87 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
92 #include "capture_sync.h"
93 #endif /* HAVE_LIBPCAP */
95 #include <epan/funnel.h>
96 #include "capture_opts.h"
99 * This is the template for the decode as option; it is shared between the
100 * various functions that output the usage for this parameter.
102 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
104 static guint32 cum_bytes;
105 static nstime_t first_ts;
106 static frame_data *prev_dis;
107 static frame_data prev_dis_frame;
108 static frame_data *prev_cap;
109 static frame_data prev_cap_frame;
111 static const char* prev_display_dissector_name = NULL;
113 static gboolean perform_two_pass_analysis;
116 * The way the packet decode is to be written.
119 WRITE_TEXT, /* summary or detail text */
120 WRITE_XML, /* PDML or PSML */
121 WRITE_FIELDS /* User defined list of fields */
122 /* Add CSV and the like here */
125 static output_action_e output_action;
126 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
127 static gboolean print_packet_info; /* TRUE if we're to print packet information */
128 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
129 static gboolean print_details; /* TRUE if we're to print packet details information */
130 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
131 static gboolean line_buffered;
133 static print_format_e print_format = PR_FMT_TEXT;
134 static print_stream_t *print_stream;
136 static output_fields_t* output_fields = NULL;
138 /* The line separator used between packets, changeable via the -S option */
139 static char *separator = "";
143 * TRUE if we're to print packet counts to keep track of captured packets.
145 static gboolean print_packet_counts = TRUE;
147 static capture_options global_capture_opts;
150 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
151 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
154 static gboolean capture(void);
155 static void report_counts(void);
157 static BOOL WINAPI capture_cleanup(DWORD);
159 static void capture_cleanup(int);
161 static void report_counts_siginfo(int);
164 #endif /* HAVE_LIBPCAP */
166 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
167 static gboolean process_packet(capture_file *cf, gint64 offset,
168 struct wtap_pkthdr *whdr,
169 const guchar *pd, gboolean filtering_tap_listeners, guint tap_flags);
170 static void show_capture_file_io_error(const char *, int, gboolean);
171 static void show_print_file_io_error(int err);
172 static gboolean write_preamble(capture_file *cf);
173 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
174 static gboolean write_finale(void);
175 static const char *cf_open_error_message(int err, gchar *err_info,
176 gboolean for_writing, int file_type);
178 static void open_failure_message(const char *filename, int err,
179 gboolean for_writing);
180 static void failure_message(const char *msg_format, va_list ap);
181 static void read_failure_message(const char *filename, int err);
182 static void write_failure_message(const char *filename, int err);
187 const char *sstr; /* The short string */
188 const char *lstr; /* The long string */
192 string_compare(gconstpointer a, gconstpointer b)
194 return strcmp(((const struct string_elem *)a)->sstr,
195 ((const struct string_elem *)b)->sstr);
199 string_elem_print(gpointer data, gpointer not_used _U_)
201 fprintf(stderr, " %s - %s\n",
202 ((struct string_elem *)data)->sstr,
203 ((struct string_elem *)data)->lstr);
207 list_capture_types(void) {
209 struct string_elem *captypes;
212 captypes = g_malloc(sizeof(struct string_elem) * WTAP_NUM_FILE_TYPES);
214 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
215 for (i = 0; i < WTAP_NUM_FILE_TYPES; i++) {
216 if (wtap_dump_can_open(i)) {
217 captypes[i].sstr = wtap_file_type_short_string(i);
218 captypes[i].lstr = wtap_file_type_string(i);
219 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
222 g_slist_foreach(list, string_elem_print, NULL);
228 print_usage(gboolean print_ver)
235 "TShark " VERSION "%s\n"
236 "Dump and analyze network traffic.\n"
237 "See http://www.wireshark.org for more information.\n"
240 wireshark_svnversion, get_copyright_info());
244 fprintf(output, "\n");
245 fprintf(output, "Usage: tshark [options] ...\n");
246 fprintf(output, "\n");
249 fprintf(output, "Capture interface:\n");
250 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
251 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
252 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
253 fprintf(output, " -p don't capture in promiscuous mode\n");
254 #ifdef HAVE_PCAP_CREATE
255 fprintf(output, " -I capture in monitor mode, if available\n");
257 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
258 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
260 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
261 fprintf(output, " -D print list of interfaces and exit\n");
262 fprintf(output, " -L print list of link-layer types of iface and exit\n");
263 fprintf(output, "\n");
264 fprintf(output, "Capture stop conditions:\n");
265 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
266 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
267 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
268 fprintf(output, " files:NUM - stop after NUM files\n");
269 /*fprintf(output, "\n");*/
270 fprintf(output, "Capture output:\n");
271 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
272 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
273 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
274 #endif /* HAVE_LIBPCAP */
275 #ifdef HAVE_PCAP_REMOTE
276 fprintf(output, "RPCAP options:\n");
277 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
279 /*fprintf(output, "\n");*/
280 fprintf(output, "Input file:\n");
281 fprintf(output, " -r <infile> set the filename to read from (no pipes or stdin!)\n");
283 fprintf(output, "\n");
284 fprintf(output, "Processing:\n");
285 fprintf(output, " -2 perform a two-pass analysis\n");
286 fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
287 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
288 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
289 fprintf(output, " -d %s ...\n", decode_as_arg_template);
290 fprintf(output, " \"Decode As\", see the man page for details\n");
291 fprintf(output, " Example: tcp.port==8888,http\n");
292 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
293 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
295 /*fprintf(output, "\n");*/
296 fprintf(output, "Output:\n");
297 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
298 fprintf(output, " (or to the standard output for \"-\")\n");
299 fprintf(output, " -C <config profile> start with specified configuration profile\n");
300 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
301 fprintf(output, " an empty \"-F\" option will list the file types\n");
302 fprintf(output, " -V add output of packet tree (Packet Details)\n");
303 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
304 fprintf(output, " separated\n");
305 fprintf(output, " -P print packet summary even when writing to a file\n");
306 fprintf(output, " -S <separator> the line separator to print between packets\n");
307 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
308 fprintf(output, " -T pdml|ps|psml|text|fields\n");
309 fprintf(output, " format of text output (def: text)\n");
310 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port, col.Info);\n");
311 fprintf(output, " this option can be repeated to print multiple fields\n");
312 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
313 fprintf(output, " header=y|n switch headers on and off\n");
314 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
315 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
316 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
317 fprintf(output, " aggregator\n");
318 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
319 fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
320 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
321 fprintf(output, " -l flush standard output after each packet\n");
322 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
323 fprintf(output, " -g enable group read access on the output file(s)\n");
324 fprintf(output, " -W n Save extra information in the file, if supported.\n");
325 fprintf(output, " n = write network address resolution information\n");
326 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
327 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
329 fprintf(output, "\n");
330 fprintf(output, "Miscellaneous:\n");
331 fprintf(output, " -h display this help and exit\n");
332 fprintf(output, " -v display version info and exit\n");
333 fprintf(output, " -o <name>:<value> ... override preference setting\n");
334 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
335 fprintf(output, " -G [report] dump one of several available reports and exit\n");
336 fprintf(output, " default report=\"fields\"\n");
337 fprintf(output, " use \"-G ?\" for more help\n");
341 glossary_option_help(void)
347 fprintf(output, "TShark " VERSION "%s\n", wireshark_svnversion);
349 fprintf(output, "\n");
350 fprintf(output, "Usage: tshark -G [report]\n");
351 fprintf(output, "\n");
352 fprintf(output, "Glossary table reports:\n");
353 fprintf(output, " -G [fields] dump glossary in original format and exit\n");
354 fprintf(output, " -G fields2 dump glossary in format 2 and exit\n");
355 fprintf(output, " -G fields3 dump glossary in format 3 and exit\n");
356 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
357 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
358 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
359 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
360 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
361 fprintf(output, "\n");
362 fprintf(output, "Preference reports:\n");
363 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
364 fprintf(output, " -G currentprefs dump current preferences and exit\n");
365 fprintf(output, "\n");
370 * For a dissector table, print on the stream described by output,
371 * its short name (which is what's used in the "-d" option) and its
375 display_dissector_table_names(const char *table_name, const char *ui_name,
378 if ((prev_display_dissector_name == NULL) ||
379 (strcmp(prev_display_dissector_name, table_name) != 0)) {
380 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
381 prev_display_dissector_name = table_name;
386 * For a dissector handle, print on the stream described by output,
387 * the filter name (which is what's used in the "-d" option) and the full
388 * name for the protocol that corresponds to this handle.
391 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
394 const gchar *proto_filter_name;
395 const gchar *proto_ui_name;
397 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
399 if (proto_id != -1) {
400 proto_filter_name = proto_get_protocol_filter_name(proto_id);
401 proto_ui_name = proto_get_protocol_name(proto_id);
402 g_assert(proto_filter_name != NULL);
403 g_assert(proto_ui_name != NULL);
405 if ((prev_display_dissector_name == NULL) ||
406 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
407 fprintf((FILE *)output, "\t%s (%s)\n",
410 prev_display_dissector_name = proto_filter_name;
416 * The protocol_name_search structure is used by find_protocol_name_func()
417 * to pass parameters and store results
419 struct protocol_name_search{
420 gchar *searched_name; /* Protocol filter name we are looking for */
421 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
422 guint nb_match; /* How many dissectors matched searched_name */
424 typedef struct protocol_name_search *protocol_name_search_t;
427 * This function parses all dissectors associated with a table to find the
428 * one whose protocol has the specified filter name. It is called
429 * as a reference function in a call to dissector_table_foreach_handle.
430 * The name we are looking for, as well as the results, are stored in the
431 * protocol_name_search struct pointed to by user_data.
432 * If called using dissector_table_foreach_handle, we actually parse the
433 * whole list of dissectors.
436 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
440 const gchar *protocol_filter_name;
441 protocol_name_search_t search_info;
445 search_info = (protocol_name_search_t)user_data;
447 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
448 if (proto_id != -1) {
449 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
450 g_assert(protocol_filter_name != NULL);
451 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
453 if (search_info->nb_match == 0) {
454 /* Record this handle only if this is the first match */
455 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
457 search_info->nb_match++;
463 * Allow dissector key names to be sorted alphabetically
467 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
469 return strcmp((const char*)dissector_a, (const char*)dissector_b);
473 * Print all layer type names supported.
474 * We send the output to the stream described by the handle output.
478 fprint_all_layer_types(FILE *output)
481 prev_display_dissector_name = NULL;
482 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
486 * Print all protocol names supported for a specific layer type.
487 * table_name contains the layer type name in which the search is performed.
488 * We send the output to the stream described by the handle output.
492 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
495 prev_display_dissector_name = NULL;
496 dissector_table_foreach_handle(table_name,
497 display_dissector_names,
502 * The function below parses the command-line parameters for the decode as
503 * feature (a string pointer by cl_param).
504 * It checks the format of the command-line, searches for a matching table
505 * and dissector. If a table/dissector match is not found, we display a
506 * summary of the available tables/dissectors (on stderr) and return FALSE.
507 * If everything is fine, we get the "Decode as" preference activated,
508 * then we return TRUE.
511 add_decode_as(const gchar *cl_param)
514 guint32 selector, selector2;
515 gchar *decoded_param;
516 gchar *remaining_param;
518 gchar *dissector_str;
519 dissector_handle_t dissector_matching;
520 dissector_table_t table_matching;
521 ftenum_t dissector_table_selector_type;
522 struct protocol_name_search user_protocol_name;
526 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
529 decoded_param = g_strdup(cl_param);
530 g_assert(decoded_param);
533 /* The lines below will parse this string (modifying it) to extract all
534 necessary information. Note that decoded_param is still needed since
535 strings are not copied - we just save pointers. */
537 /* This section extracts a layer type (table_name) from decoded_param */
538 table_name = decoded_param; /* Layer type string starts from beginning */
540 remaining_param = strchr(table_name, '=');
541 if (remaining_param == NULL) {
542 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
543 /* If the argument does not follow the template, carry on anyway to check
544 if the table name is at least correct. If remaining_param is NULL,
545 we'll exit anyway further down */
548 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
551 /* Remove leading and trailing spaces from the table name */
552 while ( table_name[0] == ' ' )
554 while ( table_name[strlen(table_name) - 1] == ' ' )
555 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
557 /* The following part searches a table matching with the layer type specified */
558 table_matching = NULL;
560 /* Look for the requested table */
561 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
562 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
565 table_matching = find_dissector_table(table_name);
566 if (!table_matching) {
567 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
571 if (!table_matching) {
572 /* Display a list of supported layer types to help the user, if the
573 specified layer type was not found */
574 cmdarg_err("Valid layer types are:");
575 fprint_all_layer_types(stderr);
577 if (remaining_param == NULL || !table_matching) {
578 /* Exit if the layer type was not found, or if no '=' separator was found
580 g_free(decoded_param);
584 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
585 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
588 remaining_param++; /* Move to the second '=' */
589 *remaining_param = '\0'; /* Remove the second '=' */
591 remaining_param++; /* Position after the layer type string */
593 /* This section extracts a selector value (selector_str) from decoded_param */
595 selector_str = remaining_param; /* Next part starts with the selector number */
597 remaining_param = strchr(selector_str, ',');
598 if (remaining_param == NULL) {
599 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
600 /* If the argument does not follow the template, carry on anyway to check
601 if the selector value is at least correct. If remaining_param is NULL,
602 we'll exit anyway further down */
605 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
608 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
610 switch (dissector_table_selector_type) {
616 /* The selector for this table is an unsigned number. Parse it as such.
617 There's no need to remove leading and trailing spaces from the
618 selector number string, because sscanf will do that for us. */
619 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
624 if (op != ':' && op != '-') {
625 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
626 g_free(decoded_param);
630 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
631 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
632 g_free(decoded_param);
636 else if (selector2 < selector) {
637 /* We could swap them for the user, but maybe it's better to call
638 * this out as an error in case it's not what was intended? */
639 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
640 g_free(decoded_param);
645 cmdarg_err("Invalid selector number \"%s\"", selector_str);
646 g_free(decoded_param);
653 /* The selector for this table is a string. */
657 /* There are currently no dissector tables with any types other
658 than the ones listed above. */
659 g_assert_not_reached();
662 if (remaining_param == NULL) {
663 /* Exit if no ',' separator was found (see above) */
664 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
665 fprint_all_protocols_for_layer_types(stderr, table_name);
666 g_free(decoded_param);
670 remaining_param++; /* Position after the selector number string */
672 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
674 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
676 /* Remove leading and trailing spaces from the dissector name */
677 while ( dissector_str[0] == ' ' )
679 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
680 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
682 dissector_matching = NULL;
684 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
685 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
686 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
689 user_protocol_name.nb_match = 0;
690 user_protocol_name.searched_name = dissector_str;
691 user_protocol_name.matched_handle = NULL;
693 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
695 if (user_protocol_name.nb_match != 0) {
696 dissector_matching = user_protocol_name.matched_handle;
697 if (user_protocol_name.nb_match > 1) {
698 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
702 /* OK, check whether the problem is that there isn't any such
703 protocol, or that there is but it's not specified as a protocol
704 that's valid for that dissector table.
705 Note, we don't exit here, but dissector_matching will remain NULL,
707 if (proto_get_id_by_filter_name(dissector_str) == -1) {
708 /* No such protocol */
709 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
711 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
712 dissector_str, table_name);
717 if (!dissector_matching) {
718 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
719 fprint_all_protocols_for_layer_types(stderr, table_name);
720 g_free(decoded_param);
724 /* This is the end of the code that parses the command-line options.
725 All information is now stored in the variables:
729 The above variables that are strings are still pointing to areas within
730 decoded_parm. decoded_parm thus still needs to be kept allocated in
731 until we stop needing these variables
732 decoded_param will be deallocated at each exit point of this function */
735 /* We now have a pointer to the handle for the requested dissector
736 (requested protocol) inside the variable dissector_matching */
737 switch (dissector_table_selector_type) {
743 /* The selector for this table is an unsigned number. */
745 dissector_change_uint(table_name, selector, dissector_matching);
746 } else if (op == ':') {
747 for (i = selector; i < (guint64)selector + selector2; i++) {
748 dissector_change_uint(table_name, (guint32)i, dissector_matching);
750 } else { /* op == '-' */
751 for (i = selector; i <= selector2; i++) {
752 dissector_change_uint(table_name, (guint32)i, dissector_matching);
759 /* The selector for this table is a string. */
760 dissector_change_string(table_name, selector_str, dissector_matching);
764 /* There are currently no dissector tables with any types other
765 than the ones listed above. */
766 g_assert_not_reached();
768 g_free(decoded_param); /* "Decode As" rule has been successfully added */
773 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
774 const gchar *message, gpointer user_data)
776 /* ignore log message, if log_level isn't interesting based
777 upon the console log preferences.
778 If the preferences haven't been loaded loaded yet, display the
781 The default console_log_level preference value is such that only
782 ERROR, CRITICAL and WARNING level messages are processed;
783 MESSAGE, INFO and DEBUG level messages are ignored.
785 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
786 ERROR and CRITICAL level messages so the current code is a behavioral
787 change. The current behavior is the same as in Wireshark.
789 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
790 prefs.console_log_level != 0) {
794 g_log_default_handler(log_domain, log_level, message, user_data);
799 output_file_description(const char *fname)
801 char *save_file_string;
803 /* Get a string that describes what we're writing to */
804 if (strcmp(fname, "-") == 0) {
805 /* We're writing to the standard output */
806 save_file_string = g_strdup("standard output");
808 /* We're writing to a file with the name in save_file */
809 save_file_string = g_strdup_printf("file \"%s\"", fname);
811 return save_file_string;
815 print_current_user(void) {
816 gchar *cur_user, *cur_group;
818 if (started_with_special_privs()) {
819 cur_user = get_cur_username();
820 cur_group = get_cur_groupname();
821 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
822 cur_user, cur_group);
825 if (running_with_special_privs()) {
826 fprintf(stderr, " This could be dangerous.");
828 fprintf(stderr, "\n");
833 check_capture_privs(void) {
836 /* Warn the user if npf.sys isn't loaded. */
837 if (!npf_sys_is_running() && get_os_major_version() >= 6) {
838 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
839 "capturing or\nlisting interfaces.\n");
845 show_version(GString *comp_info_str, GString *runtime_info_str)
847 printf("TShark " VERSION "%s\n"
854 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
855 runtime_info_str->str);
859 main(int argc, char *argv[])
861 char *init_progfile_dir_error;
863 gboolean arg_error = FALSE;
869 char *gpf_path, *pf_path;
870 char *gdp_path, *dp_path;
871 int gpf_open_errno, gpf_read_errno;
872 int pf_open_errno, pf_read_errno;
873 int gdp_open_errno, gdp_read_errno;
874 int dp_open_errno, dp_read_errno;
876 volatile int exit_status = 0;
878 gboolean list_link_layer_types = FALSE;
879 gboolean start_capture = FALSE;
884 gboolean capture_option_specified = FALSE;
886 gboolean quiet = FALSE;
887 #ifdef PCAP_NG_DEFAULT
888 volatile int out_file_type = WTAP_FILE_PCAPNG;
890 volatile int out_file_type = WTAP_FILE_PCAP;
892 volatile gboolean out_file_name_res = FALSE;
893 gchar *volatile cf_name = NULL;
894 gchar *rfilter = NULL;
895 #ifdef HAVE_PCAP_OPEN_DEAD
896 struct bpf_program fcode;
898 dfilter_t *rfcode = NULL;
901 GLogLevelFlags log_flags;
903 gchar *output_only = NULL;
905 #ifdef HAVE_PCAP_REMOTE
906 #define OPTSTRING_A "A:"
908 #define OPTSTRING_A ""
911 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
912 #define OPTSTRING_B "B:"
914 #define OPTSTRING_B ""
915 #endif /* _WIN32 or HAVE_PCAP_CREATE */
916 #else /* HAVE_LIBPCAP */
917 #define OPTSTRING_B ""
918 #endif /* HAVE_LIBPCAP */
920 #ifdef HAVE_PCAP_CREATE
921 #define OPTSTRING_I "I"
923 #define OPTSTRING_I ""
926 #define OPTSTRING "2a:" OPTSTRING_A "b:" OPTSTRING_B "c:C:d:De:E:f:F:G:hH:i:" OPTSTRING_I "K:lLnN:o:O:pPqr:R:s:S:t:T:u:vVw:W:xX:y:z:"
928 static const char optstring[] = OPTSTRING;
931 arg_list_utf_16to8(argc, argv);
932 #if !GLIB_CHECK_VERSION(2,31,0)
938 * Get credential information for later use.
940 init_process_policies();
943 * Attempt to get the pathname of the executable file.
945 init_progfile_dir_error = init_progfile_dir(argv[0], main);
946 if (init_progfile_dir_error != NULL) {
947 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
948 init_progfile_dir_error);
952 * In order to have the -X opts assigned before the wslua machine starts
953 * we need to call getopts before epan_init() gets called.
956 optind_initial = optind;
958 while ((opt = getopt(argc, argv, optstring)) != -1) {
960 case 'C': /* Configuration Profile */
961 if (profile_exists (optarg, FALSE)) {
962 set_profile_name (optarg);
964 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
968 case 'P': /* Print packet summary info even when writing to a file */
969 print_packet_info = TRUE;
970 print_summary = TRUE;
972 case 'O': /* Only output these protocols */
973 output_only = g_strdup(optarg);
975 case 'V': /* Verbose */
976 print_details = TRUE;
977 print_packet_info = TRUE;
979 case 'x': /* Print packet data in hex (and ASCII) */
981 /* The user asked for hex output, so let's ensure they get it,
982 * even if they're writing to a file.
984 print_packet_info = TRUE;
995 * Print packet summary information is the default, unless either -V or -x
996 * were specified and -P was not. Note that this is new behavior, which
997 * allows for the possibility of printing only hex/ascii output without
998 * necessarily requiring that either the summary or details be printed too.
1000 if (print_summary == -1)
1001 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1003 optind = optind_initial;
1008 /** Send All g_log messages to our own handler **/
1012 G_LOG_LEVEL_CRITICAL|
1013 G_LOG_LEVEL_WARNING|
1014 G_LOG_LEVEL_MESSAGE|
1017 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1019 g_log_set_handler(NULL,
1021 tshark_log_handler, NULL /* user_data */);
1022 g_log_set_handler(LOG_DOMAIN_MAIN,
1024 tshark_log_handler, NULL /* user_data */);
1027 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1029 tshark_log_handler, NULL /* user_data */);
1030 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1032 tshark_log_handler, NULL /* user_data */);
1035 initialize_funnel_ops();
1038 capture_opts_init(&global_capture_opts, &cfile);
1041 timestamp_set_type(TS_RELATIVE);
1042 timestamp_set_precision(TS_PREC_AUTO);
1043 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1045 /* Register all dissectors; we must do this before checking for the
1046 "-G" flag, as the "-G" flag dumps information registered by the
1047 dissectors, and we must do it before we read the preferences, in
1048 case any dissectors register preferences. */
1049 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
1050 failure_message, open_failure_message, read_failure_message,
1051 write_failure_message);
1053 /* Register all tap listeners; we do this before we parse the arguments,
1054 as the "-z" argument can specify a registered tap. */
1056 /* we register the plugin taps before the other taps because
1057 stats_tree taps plugins will be registered as tap listeners
1058 by stats_tree_stat.c and need to registered before that */
1060 register_all_plugin_tap_listeners();
1062 register_all_tap_listeners();
1064 /* If invoked with the "-G" flag, we dump out information based on
1065 the argument to the "-G" flag; if no argument is specified,
1066 for backwards compatibility we dump out a glossary of display
1069 XXX - we do this here, for now, to support "-G" with no arguments.
1070 If none of our build or other processes uses "-G" with no arguments,
1071 we can just process it with the other arguments. */
1072 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1073 proto_initialize_all_prefixes();
1076 proto_registrar_dump_fields(1);
1078 if (strcmp(argv[2], "fields") == 0)
1079 proto_registrar_dump_fields(1);
1080 else if (strcmp(argv[2], "fields2") == 0)
1081 proto_registrar_dump_fields(2);
1082 else if (strcmp(argv[2], "fields3") == 0)
1083 proto_registrar_dump_fields(3);
1084 else if (strcmp(argv[2], "protocols") == 0)
1085 proto_registrar_dump_protocols();
1086 else if (strcmp(argv[2], "values") == 0)
1087 proto_registrar_dump_values();
1088 else if (strcmp(argv[2], "ftypes") == 0)
1089 proto_registrar_dump_ftypes();
1090 else if (strcmp(argv[2], "decodes") == 0)
1091 dissector_dump_decodes();
1092 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1093 dissector_dump_heur_decodes();
1094 else if (strcmp(argv[2], "defaultprefs") == 0)
1096 else if (strcmp(argv[2], "plugins") == 0)
1098 else if (strcmp(argv[2], "?") == 0)
1099 glossary_option_help();
1100 else if (strcmp(argv[2], "-?") == 0)
1101 glossary_option_help();
1102 else if (strcmp(argv[2], "currentprefs") == 0) {
1103 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1104 &pf_open_errno, &pf_read_errno, &pf_path);
1107 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1114 /* Set the C-language locale to the native environment. */
1115 setlocale(LC_ALL, "");
1117 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1118 &pf_open_errno, &pf_read_errno, &pf_path);
1119 if (gpf_path != NULL) {
1120 if (gpf_open_errno != 0) {
1121 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1122 pf_path, g_strerror(gpf_open_errno));
1124 if (gpf_read_errno != 0) {
1125 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1126 pf_path, g_strerror(gpf_read_errno));
1129 if (pf_path != NULL) {
1130 if (pf_open_errno != 0) {
1131 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1132 g_strerror(pf_open_errno));
1134 if (pf_read_errno != 0) {
1135 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1136 pf_path, g_strerror(pf_read_errno));
1142 /* Read the disabled protocols file. */
1143 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1144 &dp_path, &dp_open_errno, &dp_read_errno);
1145 if (gdp_path != NULL) {
1146 if (gdp_open_errno != 0) {
1147 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1148 gdp_path, g_strerror(gdp_open_errno));
1150 if (gdp_read_errno != 0) {
1151 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1152 gdp_path, g_strerror(gdp_read_errno));
1156 if (dp_path != NULL) {
1157 if (dp_open_errno != 0) {
1159 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1160 g_strerror(dp_open_errno));
1162 if (dp_read_errno != 0) {
1164 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1165 g_strerror(dp_read_errno));
1170 check_capture_privs();
1172 cap_file_init(&cfile);
1174 /* Print format defaults to this. */
1175 print_format = PR_FMT_TEXT;
1177 output_fields = output_fields_new();
1179 /* Now get our args */
1180 while ((opt = getopt(argc, argv, optstring)) != -1) {
1182 case '2': /* Perform two pass analysis */
1183 perform_two_pass_analysis = TRUE;
1185 case 'a': /* autostop criteria */
1186 case 'b': /* Ringbuffer option */
1187 case 'c': /* Capture x packets */
1188 case 'f': /* capture filter */
1189 case 'g': /* enable group read accesson file(s) */
1190 case 'i': /* Use interface x */
1191 case 'p': /* Don't capture in promiscuous mode */
1192 #ifdef HAVE_PCAP_REMOTE
1193 case 'A': /* Authentication */
1195 #ifdef HAVE_PCAP_CREATE
1196 case 'I': /* Capture in monitor mode, if available */
1198 case 's': /* Set the snapshot (capture) length */
1199 case 'w': /* Write to capture file x */
1200 case 'y': /* Set the pcap data link type */
1201 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1202 case 'B': /* Buffer size */
1203 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1205 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1210 capture_option_specified = TRUE;
1215 /* Configuration profile settings were already processed just ignore them this time*/
1217 case 'd': /* Decode as rule */
1218 if (!add_decode_as(optarg))
1221 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1222 case 'K': /* Kerberos keytab file */
1223 read_keytab_file(optarg);
1226 case 'D': /* Print a list of capture devices and exit */
1228 if_list = capture_interface_list(&err, &err_str);
1229 if (if_list == NULL) {
1231 case CANT_GET_INTERFACE_LIST:
1232 case DONT_HAVE_PCAP:
1233 cmdarg_err("%s", err_str);
1237 case NO_INTERFACES_FOUND:
1238 cmdarg_err("There are no interfaces on which a capture can be done");
1243 capture_opts_print_interfaces(if_list);
1244 free_interface_list(if_list);
1247 capture_option_specified = TRUE;
1253 output_fields_add(output_fields, optarg);
1257 if (!output_fields_set_option(output_fields, optarg)) {
1258 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1259 output_fields_list_options(stderr);
1264 out_file_type = wtap_short_string_to_file_type(optarg);
1265 if (out_file_type < 0) {
1266 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1267 list_capture_types();
1271 case 'W': /* Select extra information to save in our capture file */
1272 /* This is patterned after the -N flag which may not be the best idea. */
1273 if (strchr(optarg, 'n')) {
1274 out_file_name_res = TRUE;
1276 cmdarg_err("Invalid -W argument \"%s\"", optarg);
1280 case 'H': /* Read address to name mappings from a hosts file */
1281 if (! add_hosts_file(optarg))
1283 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1286 out_file_name_res = TRUE;
1289 case 'h': /* Print help and exit */
1293 case 'l': /* "Line-buffer" standard output */
1294 /* This isn't line-buffering, strictly speaking, it's just
1295 flushing the standard output after the information for
1296 each packet is printed; however, that should be good
1297 enough for all the purposes to which "-l" is put (and
1298 is probably actually better for "-V", as it does fewer
1301 See the comment in "process_packet()" for an explanation of
1302 why we do that, and why we don't just use "setvbuf()" to
1303 make the standard output line-buffered (short version: in
1304 Windows, "line-buffered" is the same as "fully-buffered",
1305 and the output buffer is only flushed when it fills up). */
1306 line_buffered = TRUE;
1308 case 'L': /* Print list of link-layer types and exit */
1310 list_link_layer_types = TRUE;
1312 capture_option_specified = TRUE;
1316 case 'n': /* No name resolution */
1317 gbl_resolv_flags.mac_name = FALSE;
1318 gbl_resolv_flags.network_name = FALSE;
1319 gbl_resolv_flags.transport_name = FALSE;
1320 gbl_resolv_flags.concurrent_dns = FALSE;
1322 case 'N': /* Select what types of addresses/port #s to resolve */
1323 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1324 if (badopt != '\0') {
1325 cmdarg_err("-N specifies unknown resolving option '%c';",
1327 cmdarg_err_cont( " Valid options are 'm', 'n', 't', and 'C'");
1331 case 'o': /* Override preference from command line */
1332 switch (prefs_set_pref(optarg)) {
1337 case PREFS_SET_SYNTAX_ERR:
1338 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1342 case PREFS_SET_NO_SUCH_PREF:
1343 case PREFS_SET_OBSOLETE:
1344 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1349 case 'q': /* Quiet */
1352 case 'r': /* Read capture file x */
1353 cf_name = g_strdup(optarg);
1355 case 'R': /* Read file filter */
1359 /* already processed; just ignore it now */
1361 case 'S': /* Set the line Separator to be printed between packets */
1362 separator = strdup(optarg);
1364 case 't': /* Time stamp type */
1365 if (strcmp(optarg, "r") == 0)
1366 timestamp_set_type(TS_RELATIVE);
1367 else if (strcmp(optarg, "a") == 0)
1368 timestamp_set_type(TS_ABSOLUTE);
1369 else if (strcmp(optarg, "ad") == 0)
1370 timestamp_set_type(TS_ABSOLUTE_WITH_DATE);
1371 else if (strcmp(optarg, "d") == 0)
1372 timestamp_set_type(TS_DELTA);
1373 else if (strcmp(optarg, "dd") == 0)
1374 timestamp_set_type(TS_DELTA_DIS);
1375 else if (strcmp(optarg, "e") == 0)
1376 timestamp_set_type(TS_EPOCH);
1377 else if (strcmp(optarg, "u") == 0)
1378 timestamp_set_type(TS_UTC);
1379 else if (strcmp(optarg, "ud") == 0)
1380 timestamp_set_type(TS_UTC_WITH_DATE);
1382 cmdarg_err("Invalid time stamp type \"%s\"",
1384 cmdarg_err_cont("It must be \"r\" for relative, \"a\" for absolute,");
1385 cmdarg_err_cont("\"ad\" for absolute with date, or \"d\" for delta.");
1389 case 'T': /* printing Type */
1390 if (strcmp(optarg, "text") == 0) {
1391 output_action = WRITE_TEXT;
1392 print_format = PR_FMT_TEXT;
1393 } else if (strcmp(optarg, "ps") == 0) {
1394 output_action = WRITE_TEXT;
1395 print_format = PR_FMT_PS;
1396 } else if (strcmp(optarg, "pdml") == 0) {
1397 output_action = WRITE_XML;
1398 print_details = TRUE; /* Need details */
1399 print_summary = FALSE; /* Don't allow summary */
1400 } else if (strcmp(optarg, "psml") == 0) {
1401 output_action = WRITE_XML;
1402 print_details = FALSE; /* Don't allow details */
1403 print_summary = TRUE; /* Need summary */
1404 } else if (strcmp(optarg, "fields") == 0) {
1405 output_action = WRITE_FIELDS;
1406 print_details = TRUE; /* Need full tree info */
1407 print_summary = FALSE; /* Don't allow summary */
1409 cmdarg_err("Invalid -T parameter.");
1410 cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
1414 case 'u': /* Seconds type */
1415 if (strcmp(optarg, "s") == 0)
1416 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1417 else if (strcmp(optarg, "hms") == 0)
1418 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1420 cmdarg_err("Invalid seconds type \"%s\"", optarg);
1421 cmdarg_err_cont("It must be \"s\" for seconds or \"hms\" for hours, minutes and seconds.");
1425 case 'v': /* Show version and exit */
1427 GString *comp_info_str;
1428 GString *runtime_info_str;
1429 /* Assemble the compile-time version information string */
1430 comp_info_str = g_string_new("Compiled ");
1431 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
1433 /* Assemble the run-time version information string */
1434 runtime_info_str = g_string_new("Running ");
1435 get_runtime_version_info(runtime_info_str, NULL);
1436 show_version(comp_info_str, runtime_info_str);
1437 g_string_free(comp_info_str, TRUE);
1438 g_string_free(runtime_info_str, TRUE);
1441 case 'O': /* Only output these protocols */
1442 /* already processed; just ignore it now */
1444 case 'V': /* Verbose */
1445 /* already processed; just ignore it now */
1447 case 'x': /* Print packet data in hex (and ASCII) */
1448 /* already processed; just ignore it now */
1453 /* We won't call the init function for the stat this soon
1454 as it would disallow MATE's fields (which are registered
1455 by the preferences set callback) from being used as
1456 part of a tap filter. Instead, we just add the argument
1457 to a list of stat arguments. */
1458 if (!process_stat_cmd_arg(optarg)) {
1459 cmdarg_err("Invalid -z argument \"%s\".", optarg);
1460 cmdarg_err_cont(" -z argument must be one of :");
1461 list_stat_cmd_args();
1466 case '?': /* Bad flag - print usage message */
1469 list_capture_types();
1479 /* If we specified output fields, but not the output field type... */
1480 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1481 cmdarg_err("Output fields were specified with \"-e\", "
1482 "but \"-Tfields\" was not specified.");
1484 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1485 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1486 "specified with \"-e\".");
1491 /* If no capture filter or read filter has been specified, and there are
1492 still command-line arguments, treat them as the tokens of a capture
1493 filter (if no "-r" flag was specified) or a read filter (if a "-r"
1494 flag was specified. */
1495 if (optind < argc) {
1496 if (cf_name != NULL) {
1497 if (rfilter != NULL) {
1498 cmdarg_err("Read filters were specified both with \"-R\" "
1499 "and with additional command-line arguments.");
1502 rfilter = get_args_as_string(argc, argv, optind);
1507 if (global_capture_opts.default_options.cfilter) {
1508 cmdarg_err("A default capture filter was specified both with \"-f\""
1509 " and with additional command-line arguments.");
1512 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1513 interface_options interface_opts;
1514 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1515 if (interface_opts.cfilter == NULL) {
1516 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1517 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1518 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1520 cmdarg_err("A capture filter was specified both with \"-f\""
1521 " and with additional command-line arguments.");
1525 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1527 capture_option_specified = TRUE;
1533 if (!global_capture_opts.saving_to_file) {
1534 /* We're not saving the capture to a file; if "-q" wasn't specified,
1535 we should print packet information */
1537 print_packet_info = TRUE;
1539 /* We're saving to a file; if we're writing to the standard output.
1540 and we'll also be writing dissected packets to the standard
1541 output, reject the request. At best, we could redirect that
1542 to the standard error; we *can't* write both to the standard
1543 output and have either of them be useful. */
1544 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1545 cmdarg_err("You can't write both raw packet data and dissected packets"
1546 " to the standard output.");
1551 /* We're not saving the capture to a file; if "-q" wasn't specified,
1552 we should print packet information */
1554 print_packet_info = TRUE;
1557 #ifndef HAVE_LIBPCAP
1558 if (capture_option_specified)
1559 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1566 /* We don't support capture filters when reading from a capture file
1567 (the BPF compiler doesn't support all link-layer types that we
1568 support in capture files we read). */
1570 if (cf_name != NULL) {
1571 if (global_capture_opts.default_options.cfilter) {
1572 cmdarg_err("Only read filters, not capture filters, "
1573 "can be specified when reading a capture file.");
1580 if (output_action != WRITE_TEXT) {
1581 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1586 if (output_only != NULL) {
1589 if (!print_details) {
1590 cmdarg_err("-O requires -V");
1594 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1595 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1596 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1601 if (list_link_layer_types) {
1602 /* We're supposed to list the link-layer types for an interface;
1603 did the user also specify a capture file to be read? */
1605 /* Yes - that's bogus. */
1606 cmdarg_err("You can't specify -L and a capture file to be read.");
1609 /* No - did they specify a ring buffer option? */
1610 if (global_capture_opts.multi_files_on) {
1611 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1617 * "-r" was specified, so we're reading a capture file.
1618 * Capture options don't apply here.
1620 if (global_capture_opts.multi_files_on) {
1621 cmdarg_err("Multiple capture files requested, but "
1622 "a capture isn't being done.");
1625 if (global_capture_opts.has_file_duration) {
1626 cmdarg_err("Switching capture files after a time interval was specified, but "
1627 "a capture isn't being done.");
1630 if (global_capture_opts.has_ring_num_files) {
1631 cmdarg_err("A ring buffer of capture files was specified, but "
1632 "a capture isn't being done.");
1635 if (global_capture_opts.has_autostop_files) {
1636 cmdarg_err("A maximum number of capture files was specified, but "
1637 "a capture isn't being done.");
1641 /* Note: TShark now allows the restriction of a _read_ file by packet count
1642 * and byte count as well as a write file. Other autostop options remain valid
1643 * only for a write file.
1645 if (global_capture_opts.has_autostop_duration) {
1646 cmdarg_err("A maximum capture time was specified, but "
1647 "a capture isn't being done.");
1652 * "-r" wasn't specified, so we're doing a live capture.
1654 if (global_capture_opts.saving_to_file) {
1655 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1657 /* When capturing, we only support writing pcap or pcap-ng format. */
1658 if (out_file_type != WTAP_FILE_PCAP && out_file_type != WTAP_FILE_PCAPNG) {
1659 cmdarg_err("Live captures can only be saved in libpcap format.");
1662 if (global_capture_opts.multi_files_on) {
1663 /* Multiple-file mode doesn't work under certain conditions:
1664 a) it doesn't work if you're writing to the standard output;
1665 b) it doesn't work if you're writing to a pipe;
1667 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1668 cmdarg_err("Multiple capture files requested, but "
1669 "the capture is being written to the standard output.");
1672 if (global_capture_opts.output_to_pipe) {
1673 cmdarg_err("Multiple capture files requested, but "
1674 "the capture file is a pipe.");
1677 if (!global_capture_opts.has_autostop_filesize &&
1678 !global_capture_opts.has_file_duration) {
1679 cmdarg_err("Multiple capture files requested, but "
1680 "no maximum capture file size or duration was specified.");
1684 /* Currently, we don't support read filters when capturing
1685 and saving the packets. */
1686 if (rfilter != NULL) {
1687 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1691 /* They didn't specify a "-w" flag, so we won't be saving to a
1692 capture file. Check for options that only make sense if
1693 we're saving to a file. */
1694 if (global_capture_opts.has_autostop_filesize) {
1695 cmdarg_err("Maximum capture file size specified, but "
1696 "capture isn't being saved to a file.");
1699 if (global_capture_opts.multi_files_on) {
1700 cmdarg_err("Multiple capture files requested, but "
1701 "the capture isn't being saved to a file.");
1710 /* Start windows sockets */
1711 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1714 /* Notify all registered modules that have had any of their preferences
1715 changed either from one of the preferences file or from the command
1716 line that their preferences have changed. */
1719 /* At this point MATE will have registered its field array so we can
1720 have a tap filter with one of MATE's late-registered fields as part
1721 of the filter. We can now process all the "-z" arguments. */
1722 start_requested_stats();
1725 /* We currently don't support taps, or printing dissected packets,
1726 if we're writing to a pipe. */
1727 if (global_capture_opts.saving_to_file &&
1728 global_capture_opts.output_to_pipe) {
1729 if (tap_listeners_require_dissection()) {
1730 cmdarg_err("Taps aren't supported when saving to a pipe.");
1733 if (print_packet_info) {
1734 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1740 /* disabled protocols as per configuration file */
1741 if (gdp_path == NULL && dp_path == NULL) {
1742 set_disabled_protos_list();
1745 /* Build the column format array */
1746 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1749 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1750 capture_opts_trim_ring_num_files(&global_capture_opts);
1753 if (rfilter != NULL) {
1754 if (!dfilter_compile(rfilter, &rfcode)) {
1755 cmdarg_err("%s", dfilter_error_msg);
1757 #ifdef HAVE_PCAP_OPEN_DEAD
1761 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1763 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1765 " Note: That display filter code looks like a valid capture filter;");
1767 " maybe you mixed them up?");
1776 cfile.rfcode = rfcode;
1778 if (print_packet_info) {
1779 /* If we're printing as text or PostScript, we have
1780 to create a print stream. */
1781 if (output_action == WRITE_TEXT) {
1782 switch (print_format) {
1785 print_stream = print_stream_text_stdio_new(stdout);
1789 print_stream = print_stream_ps_stdio_new(stdout);
1793 g_assert_not_reached();
1798 /* We have to dissect each packet if:
1800 we're printing information about each packet;
1802 we're using a read filter on the packets;
1804 we're using any taps that need dissection. */
1805 do_dissection = print_packet_info || rfcode || tap_listeners_require_dissection();
1809 * We're reading a capture file.
1813 * Immediately relinquish any special privileges we have; we must not
1814 * be allowed to read any capture files the user running TShark
1817 relinquish_special_privs_perm();
1818 print_current_user();
1820 if (cf_open(&cfile, cf_name, FALSE, &err) != CF_OK) {
1825 /* Set timestamp precision; there should arguably be a command-line
1826 option to let the user set this. */
1827 switch(wtap_file_tsprecision(cfile.wth)) {
1828 case(WTAP_FILE_TSPREC_SEC):
1829 timestamp_set_precision(TS_PREC_AUTO_SEC);
1831 case(WTAP_FILE_TSPREC_DSEC):
1832 timestamp_set_precision(TS_PREC_AUTO_DSEC);
1834 case(WTAP_FILE_TSPREC_CSEC):
1835 timestamp_set_precision(TS_PREC_AUTO_CSEC);
1837 case(WTAP_FILE_TSPREC_MSEC):
1838 timestamp_set_precision(TS_PREC_AUTO_MSEC);
1840 case(WTAP_FILE_TSPREC_USEC):
1841 timestamp_set_precision(TS_PREC_AUTO_USEC);
1843 case(WTAP_FILE_TSPREC_NSEC):
1844 timestamp_set_precision(TS_PREC_AUTO_NSEC);
1847 g_assert_not_reached();
1850 /* Process the packets in the file */
1853 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
1854 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
1855 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
1857 err = load_cap_file(&cfile, NULL, out_file_type, out_file_name_res, 0, 0);
1860 CATCH(OutOfMemoryError) {
1864 "Sorry, but TShark has to terminate now!\n"
1866 "Some infos / workarounds can be found at:\n"
1867 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
1872 /* We still dump out the results of taps, etc., as we might have
1873 read some packets; however, we exit with an error status. */
1877 /* No capture file specified, so we're supposed to do a live capture
1878 (or get a list of link-layer types for a live capture device);
1879 do we have support for live captures? */
1881 /* trim the interface name and exit if that failed */
1882 exit_status = capture_opts_trim_iface(&global_capture_opts,
1883 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
1884 if (exit_status != 0)
1887 /* if requested, list the link layer types and exit */
1888 if (list_link_layer_types) {
1891 /* Get the list of link-layer types for the capture devices. */
1892 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1893 interface_options interface_opts;
1894 if_capabilities_t *caps;
1896 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1897 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str);
1899 cmdarg_err("%s", err_str);
1903 if (caps->data_link_types == NULL) {
1904 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
1907 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
1908 free_if_capabilities(caps);
1913 if (print_packet_info) {
1914 if (!write_preamble(NULL)) {
1915 show_print_file_io_error(errno);
1918 } else if (!quiet) {
1920 * We're not printing information for each packet, and the user
1921 * didn't ask us not to print a count of packets as they arrive,
1922 * so print that count so the user knows that packets are arriving.
1924 * XXX - what if the user wants to do a live capture, doesn't want
1925 * to save it to a file, doesn't want information printed for each
1926 * packet, does want some "-z" statistic, and wants packet counts
1927 * so they know whether they're seeing any packets?
1929 print_packet_counts = TRUE;
1932 /* For now, assume libpcap gives microsecond precision. */
1933 timestamp_set_precision(TS_PREC_AUTO_USEC);
1936 * XXX - this returns FALSE if an error occurred, but it also
1937 * returns FALSE if the capture stops because a time limit
1938 * was reached (and possibly other limits), so we can't assume
1939 * it means an error.
1941 * The capture code is a bit twisty, so it doesn't appear to
1942 * be an easy fix. We just ignore the return value for now.
1943 * Instead, pass on the exit status from the capture child.
1946 exit_status = global_capture_opts.fork_child_status;
1948 if (print_packet_info) {
1949 if (!write_finale()) {
1951 show_print_file_io_error(err);
1955 /* No - complain. */
1956 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1963 if (cfile.frames != NULL) {
1964 free_frame_data_sequence(cfile.frames);
1965 cfile.frames = NULL;
1968 draw_tap_listeners(TRUE);
1969 funnel_dump_all_text_windows();
1972 output_fields_free(output_fields);
1973 output_fields = NULL;
1978 /*#define USE_BROKEN_G_MAIN_LOOP*/
1980 #ifdef USE_BROKEN_G_MAIN_LOOP
1983 gboolean loop_running = FALSE;
1985 guint32 packet_count = 0;
1988 /* XXX - move to the right position / file */
1989 /* read from a pipe (callback) */
1990 typedef gboolean (*pipe_input_cb_t) (gint source, gpointer user_data);
1992 typedef struct pipe_input_tag {
1996 pipe_input_cb_t input_cb;
1997 guint pipe_input_id;
1999 GMutex *callback_running;
2003 static pipe_input_t pipe_input;
2006 /* The timer has expired, see if there's stuff to read from the pipe,
2007 if so, do the callback */
2009 pipe_timer_cb(gpointer data)
2015 pipe_input_t *pipe_input_p = data;
2016 gint iterations = 0;
2018 g_mutex_lock (pipe_input_p->callback_running);
2020 /* try to read data from the pipe only 5 times, to avoid blocking */
2021 while(iterations < 5) {
2022 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2024 /* Oddly enough although Named pipes don't work on win9x,
2025 PeekNamedPipe does !!! */
2026 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2027 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2029 /* Get the child process exit status */
2030 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2033 /* If the Peek returned an error, or there are bytes to be read
2034 or the childwatcher thread has terminated then call the normal
2036 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2038 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2040 /* And call the real handler */
2041 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2042 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2043 /* pipe closed, return false so that the timer is stopped */
2044 g_mutex_unlock (pipe_input_p->callback_running);
2049 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2050 /* No data, stop now */
2057 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2059 g_mutex_unlock (pipe_input_p->callback_running);
2061 /* we didn't stopped the timer, so let it run */
2068 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2071 pipe_input.source = source;
2072 pipe_input.child_process = child_process;
2073 pipe_input.user_data = user_data;
2074 pipe_input.input_cb = input_cb;
2077 #if GLIB_CHECK_VERSION(2,31,0)
2078 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2079 g_mutex_init(pipe_input.callback_running);
2081 pipe_input.callback_running = g_mutex_new();
2083 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2084 do this but that doesn't cover all win32 platforms. GTK can do
2085 this but doesn't seem to work over processes. Attempt to do
2086 something similar here, start a timer and check for data on every
2088 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2089 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2100 GString *str = g_string_new("");
2101 #ifdef USE_TSHARK_SELECT
2105 struct sigaction action, oldaction;
2109 * XXX - dropping privileges is still required, until code cleanup is done
2111 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2112 * when it's done, we don't need special privileges to run tshark at all,
2113 * therefore we don't need to drop these privileges
2114 * The only thing we might want to keep is a warning if tshark is run as root,
2115 * as it's no longer necessary and potentially dangerous.
2117 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2118 * We've opened the capture device, so we shouldn't need any special
2119 * privileges any more; relinquish those privileges.
2121 * XXX - if we have saved set-user-ID support, we should give up those
2122 * privileges immediately, and then reclaim them long enough to get
2123 * a list of network interfaces and to open one, and then give them
2124 * up again, so that stuff we do while processing the argument list,
2125 * reading the user's preferences, loading and starting plugins
2126 * (especially *user* plugins), etc. is done with the user's privileges,
2127 * not special privileges.
2129 relinquish_special_privs_perm();
2130 print_current_user();
2132 /* Cleanup all data structures used for dissection. */
2133 cleanup_dissection();
2134 /* Initialize all data structures used for dissection. */
2138 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2139 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2141 /* Catch SIGINT and SIGTERM and, if we get either of them,
2142 clean up and exit. If SIGHUP isn't being ignored, catch
2143 it too and, if we get it, clean up and exit.
2145 We restart any read that was in progress, so that it doesn't
2146 disrupt reading from the sync pipe. The signal handler tells
2147 the capture child to finish; it will report that it finished,
2148 or will exit abnormally, so we'll stop reading from the sync
2149 pipe, pick up the exit status, and quit. */
2150 memset(&action, 0, sizeof(action));
2151 action.sa_handler = capture_cleanup;
2152 action.sa_flags = SA_RESTART;
2153 sigemptyset(&action.sa_mask);
2154 sigaction(SIGTERM, &action, NULL);
2155 sigaction(SIGINT, &action, NULL);
2156 sigaction(SIGHUP, NULL, &oldaction);
2157 if (oldaction.sa_handler == SIG_DFL)
2158 sigaction(SIGHUP, &action, NULL);
2161 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2162 quiet mode, report the number of packets we've captured.
2164 Again, restart any read that was in progress, so that it doesn't
2165 disrupt reading from the sync pipe. */
2166 action.sa_handler = report_counts_siginfo;
2167 action.sa_flags = SA_RESTART;
2168 sigemptyset(&action.sa_mask);
2169 sigaction(SIGINFO, &action, NULL);
2170 #endif /* SIGINFO */
2173 global_capture_opts.state = CAPTURE_PREPARING;
2175 /* Let the user know which interfaces were chosen. */
2176 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2177 interface_options interface_opts;
2179 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2180 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2181 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2182 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2185 if (global_capture_opts.ifaces->len < 2) {
2187 if (global_capture_opts.ifaces->len < 4) {
2189 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2190 interface_options interface_opts;
2192 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2194 if (global_capture_opts.ifaces->len > 2) {
2195 g_string_append_printf(str, ",");
2197 g_string_append_printf(str, " ");
2198 if (i == global_capture_opts.ifaces->len - 1) {
2199 g_string_append_printf(str, "and ");
2202 g_string_append_printf(str, "'%s'", interface_opts.descr);
2205 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2207 fprintf(stderr, "Capturing on %s\n", str->str);
2209 g_string_free(str, TRUE);
2211 ret = sync_pipe_start(&global_capture_opts);
2216 /* the actual capture loop
2218 * XXX - glib doesn't seem to provide any event based loop handling.
2220 * XXX - for whatever reason,
2221 * calling g_main_loop_new() ends up in 100% cpu load.
2223 * But that doesn't matter: in UNIX we can use select() to find an input
2224 * source with something to do.
2226 * But that doesn't matter because we're in a CLI (that doesn't need to
2227 * update a GUI or something at the same time) so it's OK if we block
2228 * trying to read from the pipe.
2230 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2231 * wrong (but I leave it there in case I am...).
2234 #ifdef USE_TSHARK_SELECT
2236 FD_SET(pipe_input.source, &readfds);
2239 loop_running = TRUE;
2243 while (loop_running)
2245 #ifdef USE_TSHARK_SELECT
2246 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2252 } else if (ret == 1) {
2254 /* Call the real handler */
2255 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2256 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2259 #ifdef USE_TSHARK_SELECT
2264 CATCH(OutOfMemoryError) {
2268 "Sorry, but TShark has to terminate now!\n"
2270 "Some infos / workarounds can be found at:\n"
2271 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2279 /* XXX - move the call to main_window_update() out of capture_sync.c */
2280 /* dummy for capture_sync.c to make linker happy */
2281 void main_window_update(void)
2285 /* capture child detected an error */
2287 capture_input_error_message(capture_options *capture_opts _U_, char *error_msg, char *secondary_error_msg)
2289 cmdarg_err("%s", error_msg);
2290 cmdarg_err_cont("%s", secondary_error_msg);
2294 /* capture child detected an capture filter related error */
2296 capture_input_cfilter_error_message(capture_options *capture_opts, guint i, char *error_message)
2298 dfilter_t *rfcode = NULL;
2299 interface_options interface_opts;
2301 g_assert(i < capture_opts->ifaces->len);
2302 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2304 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2306 "Invalid capture filter \"%s\" for interface %s!\n"
2308 "That string looks like a valid display filter; however, it isn't a valid\n"
2309 "capture filter (%s).\n"
2311 "Note that display filters and capture filters don't have the same syntax,\n"
2312 "so you can't use most display filter expressions as capture filters.\n"
2314 "See the User's Guide for a description of the capture filter syntax.",
2315 interface_opts.cfilter, interface_opts.descr, error_message);
2316 dfilter_free(rfcode);
2319 "Invalid capture filter \"%s\" for interface %s!\n"
2321 "That string isn't a valid capture filter (%s).\n"
2322 "See the User's Guide for a description of the capture filter syntax.",
2323 interface_opts.cfilter, interface_opts.descr, error_message);
2328 /* capture child tells us we have a new (or the first) capture file */
2330 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
2332 gboolean is_tempfile;
2335 if (capture_opts->state == CAPTURE_PREPARING) {
2336 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2338 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2340 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
2342 /* free the old filename */
2343 if (capture_opts->save_file != NULL) {
2345 /* we start a new capture file, close the old one (if we had one before) */
2346 if ( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
2347 if ( ((capture_file *) capture_opts->cf)->wth != NULL) {
2348 wtap_close(((capture_file *) capture_opts->cf)->wth);
2350 ((capture_file *) capture_opts->cf)->state = FILE_CLOSED;
2353 g_free(capture_opts->save_file);
2354 is_tempfile = FALSE;
2356 /* we didn't had a save_file before, must be a tempfile */
2360 /* save the new filename */
2361 capture_opts->save_file = g_strdup(new_file);
2363 /* if we are in real-time mode, open the new file now */
2364 if (do_dissection) {
2365 /* Attempt to open the capture file and set up to read from it. */
2366 switch(cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
2370 /* Don't unlink (delete) the save file - leave it around,
2371 for debugging purposes. */
2372 g_free(capture_opts->save_file);
2373 capture_opts->save_file = NULL;
2378 capture_opts->state = CAPTURE_RUNNING;
2384 /* capture child tells us we have new packets to read */
2386 capture_input_new_packets(capture_options *capture_opts, int to_read)
2392 capture_file *cf = capture_opts->cf;
2393 gboolean filtering_tap_listeners;
2398 * Prevent a SIGINFO handler from writing to the standard error while
2399 * we're doing so or writing to the standard output; instead, have it
2400 * just set a flag telling us to print that information when we're done.
2403 #endif /* SIGINFO */
2405 /* Do we have any tap listeners with filters? */
2406 filtering_tap_listeners = have_filtering_tap_listeners();
2408 /* Get the union of the flags for all tap listeners. */
2409 tap_flags = union_of_tap_listener_flags();
2411 if (do_dissection) {
2412 while (to_read-- && cf->wth) {
2413 wtap_cleareof(cf->wth);
2414 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2416 /* read from file failed, tell the capture child to stop */
2417 sync_pipe_stop(capture_opts);
2418 wtap_close(cf->wth);
2421 ret = process_packet(cf, data_offset, wtap_phdr(cf->wth),
2422 wtap_buf_ptr(cf->wth),
2423 filtering_tap_listeners, tap_flags);
2426 /* packet successfully read and gone through the "Read Filter" */
2432 * Dumpcap's doing all the work; we're not doing any dissection.
2433 * Count all the packets it wrote.
2435 packet_count += to_read;
2438 if (print_packet_counts) {
2439 /* We're printing packet counts. */
2440 if (packet_count != 0) {
2441 fprintf(stderr, "\r%u ", packet_count);
2442 /* stderr could be line buffered */
2449 * Allow SIGINFO handlers to write.
2454 * If a SIGINFO handler asked us to write out capture counts, do so.
2458 #endif /* SIGINFO */
2464 if (!print_packet_counts) {
2465 /* Report the count only if we aren't printing a packet count
2466 as packets arrive. */
2467 fprintf(stderr, "%u packet%s captured\n", packet_count,
2468 plurality(packet_count, "", "s"));
2471 infoprint = FALSE; /* we just reported it */
2472 #endif /* SIGINFO */
2477 report_counts_siginfo(int signum _U_)
2479 int sav_errno = errno;
2480 /* If we've been told to delay printing, just set a flag asking
2481 that we print counts (if we're supposed to), otherwise print
2482 the count of packets captured (if we're supposed to). */
2489 #endif /* SIGINFO */
2492 /* capture child detected any packet drops? */
2494 capture_input_drops(capture_options *capture_opts _U_, guint32 dropped)
2496 if (print_packet_counts) {
2497 /* We're printing packet counts to stderr.
2498 Send a newline so that we move to the line after the packet count. */
2499 fprintf(stderr, "\n");
2503 /* We're printing packet counts to stderr.
2504 Send a newline so that we move to the line after the packet count. */
2505 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2511 * Capture child closed its side of the pipe, report any error and
2512 * do the required cleanup.
2515 capture_input_closed(capture_options *capture_opts, gchar *msg)
2517 capture_file *cf = (capture_file *) capture_opts->cf;
2520 fprintf(stderr, "tshark: %s\n", msg);
2524 if (cf != NULL && cf->wth != NULL) {
2525 wtap_close(cf->wth);
2526 if (cf->is_tempfile) {
2527 ws_unlink(cf->filename);
2530 #ifdef USE_BROKEN_G_MAIN_LOOP
2531 /*g_main_loop_quit(loop);*/
2534 loop_running = FALSE;
2543 capture_cleanup(DWORD ctrltype _U_)
2545 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2546 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2547 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2548 like SIGTERM at least when the machine's shutting down.
2550 For now, we handle them all as indications that we should clean up
2551 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2554 We must return TRUE so that no other handler - such as one that would
2555 terminate the process - gets called.
2557 XXX - for some reason, typing ^C to TShark, if you run this in
2558 a Cygwin console window in at least some versions of Cygwin,
2559 causes TShark to terminate immediately; this routine gets
2560 called, but the main loop doesn't get a chance to run and
2561 exit cleanly, at least if this is compiled with Microsoft Visual
2562 C++ (i.e., it's a property of the Cygwin console window or Bash;
2563 it happens if TShark is not built with Cygwin - for all I know,
2564 building it with Cygwin may make the problem go away). */
2566 /* tell the capture child to stop */
2567 sync_pipe_stop(&global_capture_opts);
2569 /* don't stop our own loop already here, otherwise status messages and
2570 * cleanup wouldn't be done properly. The child will indicate the stop of
2571 * everything by calling capture_input_closed() later */
2577 capture_cleanup(int signum _U_)
2579 /* tell the capture child to stop */
2580 sync_pipe_stop(&global_capture_opts);
2582 /* don't stop our own loop already here, otherwise status messages and
2583 * cleanup wouldn't be done properly. The child will indicate the stop of
2584 * everything by calling capture_input_closed() later */
2587 #endif /* HAVE_LIBPCAP */
2590 process_packet_first_pass(capture_file *cf,
2591 gint64 offset, struct wtap_pkthdr *whdr,
2596 gboolean create_proto_tree = FALSE;
2600 /* The frame number of this packet is one more than the count of
2601 frames in this packet. */
2602 framenum = cf->count + 1;
2604 /* If we're not running a display filter and we're not printing any
2605 packet information, we don't need to do a dissection. This means
2606 that all packets can be marked as 'passed'. */
2609 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2611 /* If we're going to print packet information, or we're going to
2612 run a read filter, or we're going to process taps, set up to
2613 do a dissection and do so. */
2614 if (do_dissection) {
2615 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2616 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2617 /* Grab any resolved addresses */
2618 host_name_lookup_process();
2620 /* If we're going to be applying a read filter, we'll need to
2621 create a protocol tree against which to apply the filter. */
2623 create_proto_tree = TRUE;
2625 /* We're not going to display the protocol tree on this pass,
2626 so it's not going to be "visible". */
2627 epan_dissect_init(&edt, create_proto_tree, FALSE);
2629 /* If we're running a read filter, prime the epan_dissect_t with that
2632 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2634 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2635 &first_ts, prev_dis, prev_cap);
2637 epan_dissect_run(&edt, whdr, pd, &fdlocal, NULL);
2639 /* Run the read filter if we have one. */
2641 passed = dfilter_apply_edt(cf->rfcode, &edt);
2645 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2646 prev_dis_frame = fdlocal;
2647 prev_dis = &prev_dis_frame;
2648 frame_data_sequence_add(cf->frames, &fdlocal);
2652 prev_cap_frame = fdlocal;
2653 prev_cap = &prev_cap_frame;
2656 epan_dissect_cleanup(&edt);
2662 process_packet_second_pass(capture_file *cf, frame_data *fdata,
2663 struct wtap_pkthdr *phdr, const guchar *pd,
2664 gboolean filtering_tap_listeners, guint tap_flags)
2666 gboolean create_proto_tree;
2671 /* If we're not running a display filter and we're not printing any
2672 packet information, we don't need to do a dissection. This means
2673 that all packets can be marked as 'passed'. */
2676 /* If we're going to print packet information, or we're going to
2677 run a read filter, or we're going to process taps, set up to
2678 do a dissection and do so. */
2679 if (do_dissection) {
2680 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2681 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2682 /* Grab any resolved addresses */
2683 host_name_lookup_process();
2685 if (cf->rfcode || print_details || filtering_tap_listeners ||
2686 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2687 create_proto_tree = TRUE;
2689 create_proto_tree = FALSE;
2691 /* The protocol tree will be "visible", i.e., printed, only if we're
2692 printing packet details, which is true if we're printing stuff
2693 ("print_packet_info" is true) and we're in verbose mode
2694 ("packet_details" is true). */
2695 epan_dissect_init(&edt, create_proto_tree, print_packet_info && print_details);
2697 /* If we're running a read filter, prime the epan_dissect_t with that
2700 epan_dissect_prime_dfilter(&edt, cf->rfcode);
2702 col_custom_prime_edt(&edt, &cf->cinfo);
2704 /* We only need the columns if either
2705 1) some tap needs the columns
2707 2) we're printing packet info but we're *not* verbose; in verbose
2708 mode, we print the protocol tree, not the protocol summary.
2710 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
2715 epan_dissect_run_with_taps(&edt, phdr, pd, fdata, cinfo);
2717 /* Run the read filter if we have one. */
2719 passed = dfilter_apply_edt(cf->rfcode, &edt);
2723 /* Process this packet. */
2724 if (print_packet_info) {
2725 /* We're printing packet information; print the information for
2728 print_packet(cf, &edt);
2730 print_packet(cf, NULL);
2732 /* The ANSI C standard does not appear to *require* that a line-buffered
2733 stream be flushed to the host environment whenever a newline is
2734 written, it just says that, on such a stream, characters "are
2735 intended to be transmitted to or from the host environment as a
2736 block when a new-line character is encountered".
2738 The Visual C++ 6.0 C implementation doesn't do what is intended;
2739 even if you set a stream to be line-buffered, it still doesn't
2740 flush the buffer at the end of every line.
2742 So, if the "-l" flag was specified, we flush the standard output
2743 at the end of a packet. This will do the right thing if we're
2744 printing packet summary lines, and, as we print the entire protocol
2745 tree for a single packet without waiting for anything to happen,
2746 it should be as good as line-buffered mode if we're printing
2747 protocol trees. (The whole reason for the "-l" flag in either
2748 tcpdump or TShark is to allow the output of a live capture to
2749 be piped to a program or script and to have that script see the
2750 information for the packet as soon as it's printed, rather than
2751 having to wait until a standard I/O buffer fills up. */
2755 if (ferror(stdout)) {
2756 show_print_file_io_error(errno);
2762 if (do_dissection) {
2763 epan_dissect_cleanup(&edt);
2769 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
2770 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2773 int snapshot_length;
2777 gchar *err_info = NULL;
2779 char *save_file_string = NULL;
2780 gboolean filtering_tap_listeners;
2782 wtapng_section_t *shb_hdr;
2783 wtapng_iface_descriptions_t *idb_inf;
2786 shb_hdr = wtap_file_get_shb_info(cf->wth);
2787 idb_inf = wtap_file_get_idb_info(cf->wth);
2788 #ifdef PCAP_NG_DEFAULT
2789 if (idb_inf->number_of_interfaces > 0) {
2790 linktype = WTAP_ENCAP_PER_PACKET;
2792 linktype = wtap_file_encap(cf->wth);
2795 linktype = wtap_file_encap(cf->wth);
2797 if (save_file != NULL) {
2798 /* Get a string that describes what we're writing to */
2799 save_file_string = output_file_description(save_file);
2801 /* Set up to write to the capture file. */
2802 snapshot_length = wtap_snapshot_length(cf->wth);
2803 if (snapshot_length == 0) {
2804 /* Snapshot length of input file not known. */
2805 snapshot_length = WTAP_MAX_PACKET_SIZE;
2807 /* If we don't have an application name add Tshark */
2808 if (shb_hdr->shb_user_appl == NULL) {
2809 g_snprintf(appname, sizeof(appname), "TShark " VERSION "%s", wireshark_svnversion);
2810 shb_hdr->shb_user_appl = appname;
2813 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype, snapshot_length,
2814 FALSE /* compressed */, shb_hdr, idb_inf, &err);
2820 /* We couldn't set up to write to the capture file. */
2823 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
2824 cmdarg_err("Capture files can't be written in that format.");
2827 case WTAP_ERR_UNSUPPORTED_ENCAP:
2828 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
2829 cmdarg_err("The capture file being read can't be written as a "
2830 "\"%s\" file.", wtap_file_type_short_string(out_file_type));
2833 case WTAP_ERR_CANT_OPEN:
2834 cmdarg_err("The %s couldn't be created for some "
2835 "unknown reason.", save_file_string);
2838 case WTAP_ERR_SHORT_WRITE:
2839 cmdarg_err("A full header couldn't be written to the %s.",
2844 cmdarg_err("The %s could not be created: %s.", save_file_string,
2845 wtap_strerror(err));
2851 if (print_packet_info) {
2852 if (!write_preamble(cf)) {
2854 show_print_file_io_error(err);
2861 if (pdh && out_file_name_res) {
2862 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
2863 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
2864 wtap_file_type_short_string(out_file_type));
2868 /* Do we have any tap listeners with filters? */
2869 filtering_tap_listeners = have_filtering_tap_listeners();
2871 /* Get the union of the flags for all tap listeners. */
2872 tap_flags = union_of_tap_listener_flags();
2874 if (perform_two_pass_analysis) {
2876 int old_max_packet_count = max_packet_count;
2878 /* Allocate a frame_data_sequence for all the frames. */
2879 cf->frames = new_frame_data_sequence();
2881 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2882 if (process_packet_first_pass(cf, data_offset, wtap_phdr(cf->wth),
2883 wtap_buf_ptr(cf->wth))) {
2884 /* Stop reading if we have the maximum number of packets;
2885 * When the -c option has not been used, max_packet_count
2886 * starts at 0, which practically means, never stop reading.
2887 * (unless we roll over max_packet_count ?)
2889 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2890 err = 0; /* This is not an error */
2896 /* Close the sequential I/O side, to free up memory it requires. */
2897 wtap_sequential_close(cf->wth);
2899 /* Allow the protocol dissectors to free up memory that they
2900 * don't need after the sequential run-through of the packets. */
2901 postseq_cleanup_all_protocols();
2903 max_packet_count = old_max_packet_count;
2905 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
2906 fdata = frame_data_sequence_find(cf->frames, framenum);
2907 if (wtap_seek_read(cf->wth, fdata->file_off, &cf->phdr,
2908 cf->pd, fdata->cap_len, &err, &err_info)) {
2909 if (process_packet_second_pass(cf, fdata,
2911 filtering_tap_listeners, tap_flags)) {
2912 /* Either there's no read filtering or this packet passed the
2913 filter, so, if we're writing to a capture file, write
2916 if (!wtap_dump(pdh, &cf->phdr, wtap_buf_ptr(cf->wth), &err)) {
2917 /* Error writing to a capture file */
2920 case WTAP_ERR_UNSUPPORTED_ENCAP:
2922 * This is a problem with the particular frame we're writing;
2923 * note that, and give the frame number.
2925 * XXX - framenum is not necessarily the frame number in
2926 * the input file if there was a read filter.
2929 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2930 framenum, cf->filename,
2931 wtap_file_type_short_string(out_file_type));
2935 show_capture_file_io_error(save_file, err, FALSE);
2938 wtap_dump_close(pdh, &err);
2943 /* Stop reading if we have the maximum number of packets;
2944 * When the -c option has not been used, max_packet_count
2945 * starts at 0, which practically means, never stop reading.
2946 * (unless we roll over max_packet_count ?)
2948 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2949 err = 0; /* This is not an error */
2958 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
2961 if (process_packet(cf, data_offset, wtap_phdr(cf->wth),
2962 wtap_buf_ptr(cf->wth),
2963 filtering_tap_listeners, tap_flags)) {
2964 /* Either there's no read filtering or this packet passed the
2965 filter, so, if we're writing to a capture file, write
2968 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
2969 /* Error writing to a capture file */
2972 case WTAP_ERR_UNSUPPORTED_ENCAP:
2974 * This is a problem with the particular frame we're writing;
2975 * note that, and give the frame number.
2978 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
2979 framenum, cf->filename,
2980 wtap_file_type_short_string(out_file_type));
2984 show_capture_file_io_error(save_file, err, FALSE);
2987 wtap_dump_close(pdh, &err);
2992 /* Stop reading if we have the maximum number of packets;
2993 * When the -c option has not been used, max_packet_count
2994 * starts at 0, which practically means, never stop reading.
2995 * (unless we roll over max_packet_count ?)
2997 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
2998 err = 0; /* This is not an error */
3007 * Print a message noting that the read failed somewhere along the line.
3009 * If we're printing packet data, and the standard output and error are
3010 * going to the same place, flush the standard output, so everything
3011 * buffered up is written, and then print a newline to the standard error
3012 * before printing the error message, to separate it from the packet
3013 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3014 * the _fstat() documentation at Microsoft doesn't indicate whether
3015 * st_ino is even supported.)
3018 if (print_packet_info) {
3019 struct stat stat_stdout, stat_stderr;
3021 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3022 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3023 stat_stdout.st_ino == stat_stderr.st_ino) {
3025 fprintf(stderr, "\n");
3032 case WTAP_ERR_UNSUPPORTED:
3033 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3034 cf->filename, err_info);
3038 case WTAP_ERR_UNSUPPORTED_ENCAP:
3039 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3040 cf->filename, err_info);
3044 case WTAP_ERR_CANT_READ:
3045 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3049 case WTAP_ERR_SHORT_READ:
3050 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3054 case WTAP_ERR_BAD_FILE:
3055 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3056 cf->filename, err_info);
3060 case WTAP_ERR_DECOMPRESS:
3061 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3062 "(%s)", cf->filename, err_info);
3066 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3067 cf->filename, wtap_strerror(err));
3070 if (save_file != NULL) {
3071 /* Now close the capture file. */
3072 if (!wtap_dump_close(pdh, &err))
3073 show_capture_file_io_error(save_file, err, TRUE);
3076 if (save_file != NULL) {
3077 /* Now close the capture file. */
3078 if (!wtap_dump_close(pdh, &err))
3079 show_capture_file_io_error(save_file, err, TRUE);
3081 if (print_packet_info) {
3082 if (!write_finale()) {
3084 show_print_file_io_error(err);
3091 wtap_close(cf->wth);
3094 g_free(save_file_string);
3101 process_packet(capture_file *cf, gint64 offset, struct wtap_pkthdr *whdr,
3103 gboolean filtering_tap_listeners, guint tap_flags)
3106 gboolean create_proto_tree;
3111 /* Count this packet. */
3114 /* If we're not running a display filter and we're not printing any
3115 packet information, we don't need to do a dissection. This means
3116 that all packets can be marked as 'passed'. */
3119 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3121 /* If we're going to print packet information, or we're going to
3122 run a read filter, or we're going to process taps, set up to
3123 do a dissection and do so. */
3124 if (do_dissection) {
3125 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3126 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3127 /* Grab any resolved addresses */
3128 host_name_lookup_process();
3130 if (cf->rfcode || print_details || filtering_tap_listeners ||
3131 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3132 create_proto_tree = TRUE;
3134 create_proto_tree = FALSE;
3136 /* The protocol tree will be "visible", i.e., printed, only if we're
3137 printing packet details, which is true if we're printing stuff
3138 ("print_packet_info" is true) and we're in verbose mode
3139 ("packet_details" is true). */
3140 epan_dissect_init(&edt, create_proto_tree, print_packet_info && print_details);
3142 /* If we're running a read filter, prime the epan_dissect_t with that
3145 epan_dissect_prime_dfilter(&edt, cf->rfcode);
3147 col_custom_prime_edt(&edt, &cf->cinfo);
3149 /* We only need the columns if either
3150 1) some tap needs the columns
3152 2) we're printing packet info but we're *not* verbose; in verbose
3153 mode, we print the protocol tree, not the protocol summary.
3155 3) there is a column mapped as an individual field */
3156 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3161 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3162 &first_ts, prev_dis, prev_cap);
3164 epan_dissect_run_with_taps(&edt, whdr, pd, &fdata, cinfo);
3166 /* Run the read filter if we have one. */
3168 passed = dfilter_apply_edt(cf->rfcode, &edt);
3172 frame_data_set_after_dissect(&fdata, &cum_bytes);
3173 prev_dis_frame = fdata;
3174 prev_dis = &prev_dis_frame;
3176 /* Process this packet. */
3177 if (print_packet_info) {
3178 /* We're printing packet information; print the information for
3181 print_packet(cf, &edt);
3183 print_packet(cf, NULL);
3185 /* The ANSI C standard does not appear to *require* that a line-buffered
3186 stream be flushed to the host environment whenever a newline is
3187 written, it just says that, on such a stream, characters "are
3188 intended to be transmitted to or from the host environment as a
3189 block when a new-line character is encountered".
3191 The Visual C++ 6.0 C implementation doesn't do what is intended;
3192 even if you set a stream to be line-buffered, it still doesn't
3193 flush the buffer at the end of every line.
3195 So, if the "-l" flag was specified, we flush the standard output
3196 at the end of a packet. This will do the right thing if we're
3197 printing packet summary lines, and, as we print the entire protocol
3198 tree for a single packet without waiting for anything to happen,
3199 it should be as good as line-buffered mode if we're printing
3200 protocol trees. (The whole reason for the "-l" flag in either
3201 tcpdump or TShark is to allow the output of a live capture to
3202 be piped to a program or script and to have that script see the
3203 information for the packet as soon as it's printed, rather than
3204 having to wait until a standard I/O buffer fills up. */
3208 if (ferror(stdout)) {
3209 show_print_file_io_error(errno);
3215 prev_cap_frame = fdata;
3216 prev_cap = &prev_cap_frame;
3218 if (do_dissection) {
3219 epan_dissect_cleanup(&edt);
3220 frame_data_cleanup(&fdata);
3226 write_preamble(capture_file *cf)
3228 switch (output_action) {
3231 return print_preamble(print_stream, cf ? cf->filename : NULL);
3235 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3237 write_psml_preamble(stdout);
3238 return !ferror(stdout);
3241 write_fields_preamble(output_fields, stdout);
3242 return !ferror(stdout);
3245 g_assert_not_reached();
3251 get_line_buf(size_t len)
3253 static char *line_bufp = NULL;
3254 static size_t line_buf_len = 256;
3255 size_t new_line_buf_len;
3257 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3258 new_line_buf_len *= 2)
3260 if (line_bufp == NULL) {
3261 line_buf_len = new_line_buf_len;
3262 line_bufp = g_malloc(line_buf_len + 1);
3264 if (new_line_buf_len > line_buf_len) {
3265 line_buf_len = new_line_buf_len;
3266 line_bufp = g_realloc(line_bufp, line_buf_len + 1);
3273 print_columns(capture_file *cf)
3280 line_bufp = get_line_buf(256);
3283 for (i = 0; i < cf->cinfo.num_cols; i++) {
3284 /* Skip columns not marked as visible. */
3285 if (!get_column_visible(i))
3287 switch (cf->cinfo.col_fmt[i]) {
3291 * Don't print this if we're doing a live capture from a network
3292 * interface - if we're doing a live capture, you won't be
3293 * able to look at the capture in the future (it's not being
3294 * saved anywhere), so the frame numbers are unlikely to be
3297 * (XXX - it might be nice to be able to save and print at
3298 * the same time, sort of like an "Update list of packets
3299 * in real time" capture in Wireshark.)
3301 if (global_capture_opts.ifaces->len > 0)
3304 column_len = strlen(cf->cinfo.col_data[i]);
3307 line_bufp = get_line_buf(buf_offset + column_len);
3308 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%3s", cf->cinfo.col_data[i]);
3314 case COL_ABS_DATE_TIME:
3316 case COL_UTC_DATE_TIME: /* XXX - wider */
3317 column_len = strlen(cf->cinfo.col_data[i]);
3318 if (column_len < 10)
3320 line_bufp = get_line_buf(buf_offset + column_len);
3321 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%10s", cf->cinfo.col_data[i]);
3327 case COL_DEF_DL_SRC:
3328 case COL_RES_DL_SRC:
3329 case COL_UNRES_DL_SRC:
3330 case COL_DEF_NET_SRC:
3331 case COL_RES_NET_SRC:
3332 case COL_UNRES_NET_SRC:
3333 column_len = strlen(cf->cinfo.col_data[i]);
3334 if (column_len < 12)
3336 line_bufp = get_line_buf(buf_offset + column_len);
3337 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%12s", cf->cinfo.col_data[i]);
3343 case COL_DEF_DL_DST:
3344 case COL_RES_DL_DST:
3345 case COL_UNRES_DL_DST:
3346 case COL_DEF_NET_DST:
3347 case COL_RES_NET_DST:
3348 case COL_UNRES_NET_DST:
3349 column_len = strlen(cf->cinfo.col_data[i]);
3350 if (column_len < 12)
3352 line_bufp = get_line_buf(buf_offset + column_len);
3353 g_snprintf(line_bufp + buf_offset, (int)column_len + 1, "%-12s", cf->cinfo.col_data[i]);
3357 column_len = strlen(cf->cinfo.col_data[i]);
3358 line_bufp = get_line_buf(buf_offset + column_len);
3359 g_strlcat(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len + 1);
3362 buf_offset += column_len;
3363 if (i != cf->cinfo.num_cols - 1) {
3365 * This isn't the last column, so we need to print a
3366 * separator between this column and the next.
3368 * If we printed a network source and are printing a
3369 * network destination of the same type next, separate
3370 * them with " -> "; if we printed a network destination
3371 * and are printing a network source of the same type
3372 * next, separate them with " <- "; otherwise separate them
3375 * We add enough space to the buffer for " <- " or " -> ",
3376 * even if we're only adding " ".
3378 line_bufp = get_line_buf(buf_offset + 4);
3379 switch (cf->cinfo.col_fmt[i]) {
3384 switch (cf->cinfo.col_fmt[i + 1]) {
3389 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3394 g_strlcat(line_bufp + buf_offset, " ", 5);
3400 case COL_DEF_DL_SRC:
3401 case COL_RES_DL_SRC:
3402 case COL_UNRES_DL_SRC:
3403 switch (cf->cinfo.col_fmt[i + 1]) {
3405 case COL_DEF_DL_DST:
3406 case COL_RES_DL_DST:
3407 case COL_UNRES_DL_DST:
3408 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3413 g_strlcat(line_bufp + buf_offset, " ", 5);
3419 case COL_DEF_NET_SRC:
3420 case COL_RES_NET_SRC:
3421 case COL_UNRES_NET_SRC:
3422 switch (cf->cinfo.col_fmt[i + 1]) {
3424 case COL_DEF_NET_DST:
3425 case COL_RES_NET_DST:
3426 case COL_UNRES_NET_DST:
3427 g_strlcat(line_bufp + buf_offset, " -> ", 5);
3432 g_strlcat(line_bufp + buf_offset, " ", 5);
3441 switch (cf->cinfo.col_fmt[i + 1]) {
3446 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3451 g_strlcat(line_bufp + buf_offset, " ", 5);
3457 case COL_DEF_DL_DST:
3458 case COL_RES_DL_DST:
3459 case COL_UNRES_DL_DST:
3460 switch (cf->cinfo.col_fmt[i + 1]) {
3462 case COL_DEF_DL_SRC:
3463 case COL_RES_DL_SRC:
3464 case COL_UNRES_DL_SRC:
3465 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3470 g_strlcat(line_bufp + buf_offset, " ", 5);
3476 case COL_DEF_NET_DST:
3477 case COL_RES_NET_DST:
3478 case COL_UNRES_NET_DST:
3479 switch (cf->cinfo.col_fmt[i + 1]) {
3481 case COL_DEF_NET_SRC:
3482 case COL_RES_NET_SRC:
3483 case COL_UNRES_NET_SRC:
3484 g_strlcat(line_bufp + buf_offset, " <- ", 5);
3489 g_strlcat(line_bufp + buf_offset, " ", 5);
3496 g_strlcat(line_bufp + buf_offset, " ", 5);
3502 return print_line(print_stream, 0, line_bufp);
3506 print_packet(capture_file *cf, epan_dissect_t *edt)
3508 print_args_t print_args;
3510 if (print_summary || output_fields_has_cols(output_fields)) {
3511 /* Just fill in the columns. */
3512 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3514 if (print_summary) {
3515 /* Now print them. */
3516 switch (output_action) {
3519 if (!print_columns(cf))
3524 proto_tree_write_psml(edt, stdout);
3525 return !ferror(stdout);
3526 case WRITE_FIELDS: /*No non-verbose "fields" format */
3527 g_assert_not_reached();
3532 if (print_details) {
3533 /* Print the information in the protocol tree. */
3534 switch (output_action) {
3537 /* Only initialize the fields that are actually used in proto_tree_print.
3538 * This is particularly important for .range, as that's heap memory which
3539 * we would otherwise have to g_free().
3540 print_args.to_file = TRUE;
3541 print_args.format = print_format;
3542 print_args.print_summary = print_summary;
3543 print_args.print_formfeed = FALSE;
3544 packet_range_init(&print_args.range, &cfile);
3546 print_args.print_hex = print_hex;
3547 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3549 if (!proto_tree_print(&print_args, edt, print_stream))
3552 if (!print_line(print_stream, 0, separator))
3558 proto_tree_write_pdml(edt, stdout);
3560 return !ferror(stdout);
3562 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3564 return !ferror(stdout);
3568 if (print_summary || print_details) {
3569 if (!print_line(print_stream, 0, ""))
3572 if (!print_hex_data(print_stream, edt))
3574 if (!print_line(print_stream, 0, separator))
3583 switch (output_action) {
3586 return print_finale(print_stream);
3590 write_pdml_finale(stdout);
3592 write_psml_finale(stdout);
3593 return !ferror(stdout);
3596 write_fields_finale(output_fields, stdout);
3597 return !ferror(stdout);
3600 g_assert_not_reached();
3606 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
3610 char err_msg[2048+1];
3612 wth = wtap_open_offline(fname, err, &err_info, perform_two_pass_analysis);
3616 /* The open succeeded. Fill in the information for this file. */
3618 /* Cleanup all data structures used for dissection. */
3619 cleanup_dissection();
3620 /* Initialize all data structures used for dissection. */
3624 cf->f_datalen = 0; /* not used, but set it anyway */
3626 /* Set the file name because we need it to set the follow stream filter.
3627 XXX - is that still true? We need it for other reasons, though,
3629 cf->filename = g_strdup(fname);
3631 /* Indicate whether it's a permanent or temporary file. */
3632 cf->is_tempfile = is_tempfile;
3634 /* No user changes yet. */
3635 cf->unsaved_changes = FALSE;
3637 cf->cd_t = wtap_file_type(cf->wth);
3639 cf->drops_known = FALSE;
3641 cf->snap = wtap_snapshot_length(cf->wth);
3642 if (cf->snap == 0) {
3643 /* Snapshot length not known. */
3644 cf->has_snap = FALSE;
3645 cf->snap = WTAP_MAX_PACKET_SIZE;
3647 cf->has_snap = TRUE;
3648 nstime_set_zero(&cf->elapsed_time);
3649 nstime_set_unset(&first_ts);
3653 cf->state = FILE_READ_IN_PROGRESS;
3655 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3656 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3661 g_snprintf(err_msg, sizeof err_msg,
3662 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
3663 cmdarg_err("%s", err_msg);
3668 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
3670 char *save_file_string;
3672 save_file_string = output_file_description(fname);
3677 cmdarg_err("Not all the packets could be written to the %s because there is "
3678 "no space left on the file system.",
3684 cmdarg_err("Not all the packets could be written to the %s because you are "
3685 "too close to, or over your disk quota.",
3690 case WTAP_ERR_CANT_CLOSE:
3691 cmdarg_err("The %s couldn't be closed for some unknown reason.",
3695 case WTAP_ERR_SHORT_WRITE:
3696 cmdarg_err("Not all the packets could be written to the %s.",
3702 cmdarg_err("The %s could not be closed: %s.", save_file_string,
3703 wtap_strerror(err));
3705 cmdarg_err("An error occurred while writing to the %s: %s.",
3706 save_file_string, wtap_strerror(err));
3710 g_free(save_file_string);
3714 show_print_file_io_error(int err)
3719 cmdarg_err("Not all the packets could be printed because there is "
3720 "no space left on the file system.");
3725 cmdarg_err("Not all the packets could be printed because you are "
3726 "too close to, or over your disk quota.");
3731 cmdarg_err("An error occurred while printing packets: %s.",
3738 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
3742 static char errmsg_errno[1024+1];
3745 /* Wiretap error. */
3748 case WTAP_ERR_NOT_REGULAR_FILE:
3749 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
3752 case WTAP_ERR_RANDOM_OPEN_PIPE:
3753 /* Seen only when opening a capture file for reading. */
3754 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
3757 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
3758 /* Seen only when opening a capture file for reading. */
3759 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
3762 case WTAP_ERR_UNSUPPORTED:
3763 /* Seen only when opening a capture file for reading. */
3764 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3765 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
3768 errmsg = errmsg_errno;
3771 case WTAP_ERR_CANT_WRITE_TO_PIPE:
3772 /* Seen only when opening a capture file for writing. */
3773 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3774 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
3775 "written to a pipe.", wtap_file_type_short_string(file_type));
3776 errmsg = errmsg_errno;
3779 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3780 /* Seen only when opening a capture file for writing. */
3781 errmsg = "TShark doesn't support writing capture files in that format.";
3784 case WTAP_ERR_UNSUPPORTED_ENCAP:
3786 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3787 "TShark can't save this capture as a \"%s\" file.",
3788 wtap_file_type_short_string(file_type));
3790 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3791 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
3795 errmsg = errmsg_errno;
3798 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3800 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3801 "TShark can't save this capture as a \"%s\" file.",
3802 wtap_file_type_short_string(file_type));
3803 errmsg = errmsg_errno;
3805 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
3808 case WTAP_ERR_BAD_FILE:
3809 /* Seen only when opening a capture file for reading. */
3810 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3811 "The file \"%%s\" appears to be damaged or corrupt.\n"
3814 errmsg = errmsg_errno;
3817 case WTAP_ERR_CANT_OPEN:
3819 errmsg = "The file \"%s\" could not be created for some unknown reason.";
3821 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
3824 case WTAP_ERR_SHORT_READ:
3825 errmsg = "The file \"%s\" appears to have been cut short"
3826 " in the middle of a packet or other data.";
3829 case WTAP_ERR_SHORT_WRITE:
3830 errmsg = "A full header couldn't be written to the file \"%s\".";
3833 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
3834 errmsg = "This file type cannot be written as a compressed file.";
3837 case WTAP_ERR_DECOMPRESS:
3838 /* Seen only when opening a capture file for reading. */
3839 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3840 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
3843 errmsg = errmsg_errno;
3847 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
3848 "The file \"%%s\" could not be %s: %s.",
3849 for_writing ? "created" : "opened",
3850 wtap_strerror(err));
3851 errmsg = errmsg_errno;
3855 errmsg = file_open_error_message(err, for_writing);
3860 * Open/create errors are reported with an console message in TShark.
3863 open_failure_message(const char *filename, int err, gboolean for_writing)
3865 fprintf(stderr, "tshark: ");
3866 fprintf(stderr, file_open_error_message(err, for_writing), filename);
3867 fprintf(stderr, "\n");
3872 * General errors are reported with an console message in TShark.
3875 failure_message(const char *msg_format, va_list ap)
3877 fprintf(stderr, "tshark: ");
3878 vfprintf(stderr, msg_format, ap);
3879 fprintf(stderr, "\n");
3883 * Read errors are reported with an console message in TShark.
3886 read_failure_message(const char *filename, int err)
3888 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
3889 filename, g_strerror(err));
3893 * Write errors are reported with an console message in TShark.
3896 write_failure_message(const char *filename, int err)
3898 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
3899 filename, g_strerror(err));
3903 * Print to the standard error. This is a command-line tool, so there's
3904 * no need to pop up a console.
3907 vfprintf_stderr(const char *fmt, va_list ap)
3909 vfprintf(stderr, fmt, ap);
3913 fprintf_stderr(const char *fmt, ...)
3918 vfprintf_stderr(fmt, ap);
3923 * Report an error in command-line arguments.
3926 cmdarg_err(const char *fmt, ...)
3931 failure_message(fmt, ap);
3936 * Report additional information for an error in command-line arguments.
3939 cmdarg_err_cont(const char *fmt, ...)
3944 vfprintf(stderr, fmt, ap);
3945 fprintf(stderr, "\n");
3951 * Editor modelines - http://www.wireshark.org/tools/modelines.html
3956 * indent-tabs-mode: nil
3959 * vi: set shiftwidth=2 tabstop=8 expandtab:
3960 * :indentSize=2:tabSize=8:noTabs=true: