search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO: smb2: simplify preauth_hash calculation..."
[wireshark-sm.git] / tshark.c
blob049f0b2c4fd73f943e479bf013bd608ca5dc4192
1 /* tshark.c
2 *
3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include <config.h>
14
15 #define WS_LOG_DOMAIN LOG_DOMAIN_MAIN
16
17 #include <stdlib.h>
18 #include <stdio.h>
19 #include <string.h>
20 #include <locale.h>
21 #include <limits.h>
22
23 #include <wsutil/ws_getopt.h>
24
25 #include <errno.h>
26
27 #ifdef _WIN32
28 # include <winsock2.h>
29 #endif
30
31 #ifndef _WIN32
32 #include <signal.h>
33 #endif
34
35 #include <glib.h>
36
37 #include <epan/exceptions.h>
38 #include <epan/epan.h>
39
40 #include <ws_exit_codes.h>
41 #include <wsutil/clopts_common.h>
42 #include <wsutil/cmdarg_err.h>
43 #include <ui/urls.h>
44 #include <wsutil/filesystem.h>
45 #include <wsutil/file_util.h>
46 #include <wsutil/time_util.h>
47 #include <wsutil/socket.h>
48 #include <wsutil/privileges.h>
49 #include <wsutil/report_message.h>
50 #include <wsutil/please_report_bug.h>
51 #include <wsutil/wslog.h>
52 #include <wsutil/ws_assert.h>
53 #include <wsutil/strtoi.h>
54 #include <cli_main.h>
55 #include <wsutil/version_info.h>
56 #include <wiretap/wtap_opttypes.h>
57
58 #include "globals.h"
59 #include <epan/timestamp.h>
60 #include <epan/packet.h>
61 #ifdef HAVE_LUA
62 #include <epan/wslua/init_wslua.h>
63 #endif
64 #include "frame_tvbuff.h"
65 #include <epan/disabled_protos.h>
66 #include <epan/prefs.h>
67 #include <epan/column.h>
68 #include <epan/decode_as.h>
69 #include <epan/print.h>
70 #include <epan/addr_resolv.h>
71 #include <epan/enterprises.h>
72 #include <epan/manuf.h>
73 #include <epan/services.h>
74 #ifdef HAVE_LIBPCAP
75 #include "ui/capture_ui_utils.h"
76 #endif
77 #include "ui/taps.h"
78 #include "ui/util.h"
79 #include "ui/ws_ui_util.h"
80 #include "ui/decode_as_utils.h"
81 #include "wsutil/filter_files.h"
82 #include "ui/cli/tshark-tap.h"
83 #include "ui/cli/tap-exportobject.h"
84 #include "ui/tap_export_pdu.h"
85 #include "ui/dissect_opts.h"
86 #include "ui/ssl_key_export.h"
87 #include "ui/failure_message.h"
88 #if defined(HAVE_LIBSMI)
89 #include "epan/oids.h"
90 #endif
91 #include "epan/maxmind_db.h"
92 #include <epan/epan_dissect.h>
93 #include <epan/tap.h>
94 #include <epan/stat_tap_ui.h>
95 #include <epan/conversation_table.h>
96 #include <epan/srt_table.h>
97 #include <epan/rtd_table.h>
98 #include <epan/ex-opt.h>
99 #include <epan/exported_pdu.h>
100 #include <epan/secrets.h>
101
102 #include "capture_opts.h"
103
104 #include "capture/capture-pcap-util.h"
105
106 #ifdef HAVE_LIBPCAP
107 #include "capture/capture_ifinfo.h"
108 #ifdef _WIN32
109 #include "capture/capture-wpcap.h"
110 #endif /* _WIN32 */
111 #include <capture/capture_session.h>
112 #include <capture/capture_sync.h>
113 #include <ui/capture_info.h>
114 #endif /* HAVE_LIBPCAP */
115 #include <epan/funnel.h>
116
117 #include <wsutil/str_util.h>
118 #include <wsutil/utf8_entities.h>
119 #include <wsutil/json_dumper.h>
120 #include <wsutil/wslog.h>
121 #ifdef _WIN32
122 #include <wsutil/win32-utils.h>
123 #endif
124
125 #include "extcap.h"
126
127 #ifdef HAVE_PLUGINS
128 #include <wsutil/codecs.h>
129 #include <wsutil/plugins.h>
130 #endif
131
132 /* Additional exit codes */
133 #define INVALID_EXPORT 2
134 #define INVALID_TAP 2
135 #define INVALID_CAPTURE 2
136
137 #define LONGOPT_EXPORT_OBJECTS LONGOPT_BASE_APPLICATION+1
138 #define LONGOPT_COLOR LONGOPT_BASE_APPLICATION+2
139 #define LONGOPT_NO_DUPLICATE_KEYS LONGOPT_BASE_APPLICATION+3
140 #define LONGOPT_ELASTIC_MAPPING_FILTER LONGOPT_BASE_APPLICATION+4
141 #define LONGOPT_EXPORT_TLS_SESSION_KEYS LONGOPT_BASE_APPLICATION+5
142 #define LONGOPT_CAPTURE_COMMENT LONGOPT_BASE_APPLICATION+6
143 #define LONGOPT_HEXDUMP LONGOPT_BASE_APPLICATION+7
144 #define LONGOPT_SELECTED_FRAME LONGOPT_BASE_APPLICATION+8
145 #define LONGOPT_PRINT_TIMERS LONGOPT_BASE_APPLICATION+9
146
147 capture_file cfile;
148
149 static guint32 cum_bytes;
150 static frame_data ref_frame;
151 static frame_data prev_dis_frame;
152 static frame_data prev_cap_frame;
153
154 static gboolean perform_two_pass_analysis;
155 static guint32 epan_auto_reset_count;
156 static gboolean epan_auto_reset;
157
158 static guint32 selected_frame_number;
159
160 /*
161 * The way the packet decode is to be written.
162 */
163 typedef enum {
164 WRITE_NONE, /* dummy initial state */
165 WRITE_TEXT, /* summary or detail text */
166 WRITE_XML, /* PDML or PSML */
167 WRITE_FIELDS, /* User defined list of fields */
168 WRITE_JSON, /* JSON */
169 WRITE_JSON_RAW, /* JSON only raw hex */
170 WRITE_EK /* JSON bulk insert to Elasticsearch */
171 /* Add CSV and the like here */
172 } output_action_e;
173
174 static output_action_e output_action;
175 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
176 static gboolean print_packet_info; /* TRUE if we're to print packet information */
177 static gboolean print_summary; /* TRUE if we're to print packet summary information */
178 static gboolean print_details; /* TRUE if we're to print packet details information */
179 static gboolean print_hex; /* TRUE if we're to print hex/ascii information */
180 static gboolean line_buffered;
181 static gboolean quiet;
182 static gboolean really_quiet;
183 static gchar* delimiter_char = " ";
184 static gboolean dissect_color;
185 static guint hexdump_source_option = HEXDUMP_SOURCE_MULTI; /* Default - Enable legacy multi-source mode */
186 static guint hexdump_ascii_option = HEXDUMP_ASCII_INCLUDE; /* Default - Enable legacy undelimited ASCII dump */
187
188 static print_format_e print_format = PR_FMT_TEXT;
189 static print_stream_t *print_stream;
190
191 static char *output_file_name;
192
193 static output_fields_t* output_fields;
194
195 static gboolean no_duplicate_keys;
196 static proto_node_children_grouper_func node_children_grouper = proto_node_group_children_by_unique;
197
198 static json_dumper jdumper;
199
200 /* The line separator used between packets, changeable via the -S option */
201 static const char *separator = "";
202
203 /* Per-file comments to be added to the output file. */
204 static GPtrArray *capture_comments;
205
206 static gboolean prefs_loaded;
207
208 #ifdef HAVE_LIBPCAP
209 /*
210 * TRUE if we're to print packet counts to keep track of captured packets.
211 */
212 static gboolean print_packet_counts;
213
214 static capture_options global_capture_opts;
215 static capture_session global_capture_session;
216 static info_data_t global_info_data;
217
218 #ifdef SIGINFO
219 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
220 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
221 #endif /* SIGINFO */
222
223 static gboolean capture(void);
224 static bool capture_input_new_file(capture_session *cap_session,
225 gchar *new_file);
226 static void capture_input_new_packets(capture_session *cap_session,
227 int to_read);
228 static void capture_input_drops(capture_session *cap_session, guint32 dropped,
229 const char* interface_name);
230 static void capture_input_error(capture_session *cap_session,
231 char *error_msg, char *secondary_error_msg);
232 static void capture_input_cfilter_error(capture_session *cap_session,
233 guint i, const char *error_message);
234 static void capture_input_closed(capture_session *cap_session, gchar *msg);
235
236 static void report_counts(void);
237 #ifdef _WIN32
238 static BOOL WINAPI capture_cleanup(DWORD);
239 #else /* _WIN32 */
240 static void capture_cleanup(int);
241 #ifdef SIGINFO
242 static void report_counts_siginfo(int);
243 #endif /* SIGINFO */
244 #endif /* _WIN32 */
245 #endif /* HAVE_LIBPCAP */
246
247 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
248
249 typedef enum {
250 PROCESS_FILE_SUCCEEDED,
251 PROCESS_FILE_NO_FILE_PROCESSED,
252 PROCESS_FILE_ERROR,
253 PROCESS_FILE_INTERRUPTED
254 } process_file_status_t;
255 static process_file_status_t process_cap_file(capture_file *, char *, int, gboolean, int, gint64, int);
256
257 static gboolean process_packet_single_pass(capture_file *cf,
258 epan_dissect_t *edt, gint64 offset, wtap_rec *rec, Buffer *buf,
259 guint tap_flags);
260 static void show_print_file_io_error(void);
261 static gboolean write_preamble(capture_file *cf);
262 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
263 static gboolean write_finale(void);
264
265 static void tshark_cmdarg_err(const char *msg_format, va_list ap);
266 static void tshark_cmdarg_err_cont(const char *msg_format, va_list ap);
267
268 static GHashTable *output_only_tables;
269
270 static gboolean opt_print_timers;
271 struct elapsed_pass_s {
272 gint64 dissect;
273 gint64 dfilter_read;
274 gint64 dfilter_filter;
275 };
276 static struct {
277 gint64 dfilter_expand;
278 gint64 dfilter_compile;
279 struct elapsed_pass_s first_pass;
280 gint64 elapsed_first_pass;
281 struct elapsed_pass_s second_pass;
282 gint64 elapsed_second_pass;
283 }
284 tshark_elapsed;
285
286 static void
287 print_elapsed_json(const char *cf_name, const char *dfilter)
288 {
289 json_dumper dumper = {
290 .output_file = stderr,
291 .flags = JSON_DUMPER_FLAGS_PRETTY_PRINT,
292 };
293
294 if (tshark_elapsed.elapsed_first_pass == 0) {
295 // Should not happen
296 ws_warning("Print timers requested but no timing info provided");
297 return;
298 }
299
300 #define DUMP(name, val) \
301 json_dumper_set_member_name(&dumper, name); \
302 json_dumper_value_anyf(&dumper, "%"PRId64, val)
303
304 json_dumper_begin_object(&dumper);
305 json_dumper_set_member_name(&dumper, "version");
306 json_dumper_value_string(&dumper, get_ws_vcs_version_info_short());
307 if (cf_name) {
308 json_dumper_set_member_name(&dumper, "path");
309 json_dumper_value_string(&dumper, cf_name);
310 }
311 if (dfilter) {
312 json_dumper_set_member_name(&dumper, "filter");
313 json_dumper_value_string(&dumper, dfilter);
314 }
315 json_dumper_set_member_name(&dumper, "time_unit");
316 json_dumper_value_string(&dumper, "microseconds");
317 DUMP("elapsed", tshark_elapsed.elapsed_first_pass +
318 tshark_elapsed.elapsed_second_pass);
319 DUMP("dfilter_expand", tshark_elapsed.dfilter_expand);
320 DUMP("dfilter_compile", tshark_elapsed.dfilter_compile);
321 json_dumper_begin_array(&dumper);
322 json_dumper_begin_object(&dumper);
323 DUMP("elapsed", tshark_elapsed.elapsed_first_pass);
324 DUMP("dissect", tshark_elapsed.first_pass.dissect);
325 DUMP("display_filter", tshark_elapsed.first_pass.dfilter_filter);
326 DUMP("read_filter", tshark_elapsed.first_pass.dfilter_read);
327 json_dumper_end_object(&dumper);
328 if (tshark_elapsed.elapsed_second_pass) {
329 json_dumper_begin_object(&dumper);
330 DUMP("elapsed", tshark_elapsed.elapsed_second_pass);
331 DUMP("dissect", tshark_elapsed.second_pass.dissect);
332 DUMP("display_filter", tshark_elapsed.second_pass.dfilter_filter);
333 DUMP("read_filter", tshark_elapsed.second_pass.dfilter_read);
334 json_dumper_end_object(&dumper);
335 }
336 json_dumper_end_array(&dumper);
337 json_dumper_end_object(&dumper);
338 json_dumper_finish(&dumper);
339 }
340
341 static void
342 list_capture_types(void)
343 {
344 GArray *writable_type_subtypes;
345
346 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
347 writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
348 for (guint i = 0; i < writable_type_subtypes->len; i++) {
349 int ft = g_array_index(writable_type_subtypes, int, i);
350 fprintf(stderr, " %s - %s\n", wtap_file_type_subtype_name(ft),
351 wtap_file_type_subtype_description(ft));
352 }
353 g_array_free(writable_type_subtypes, TRUE);
354 }
355
356 struct string_elem {
357 const char *sstr; /* The short string */
358 const char *lstr; /* The long string */
359 };
360
361 static gint
362 string_compare(gconstpointer a, gconstpointer b)
363 {
364 return strcmp(((const struct string_elem *)a)->sstr,
365 ((const struct string_elem *)b)->sstr);
366 }
367
368 static void
369 string_elem_print(gpointer data)
370 {
371 fprintf(stderr, " %s - %s\n",
372 ((struct string_elem *)data)->sstr,
373 ((struct string_elem *)data)->lstr);
374 }
375
376 static void
377 list_read_capture_types(void)
378 {
379 guint i;
380 size_t num_file_types;
381 struct string_elem *captypes;
382 GSList *list = NULL;
383 const char *magic = "Magic-value-based";
384 const char *heuristic = "Heuristics-based";
385
386 /* How many readable file types are there? */
387 num_file_types = 0;
388 for (i = 0; open_routines[i].name != NULL; i++)
389 num_file_types++;
390 captypes = g_new(struct string_elem, num_file_types);
391
392 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
393 for (i = 0; i < num_file_types && open_routines[i].name != NULL; i++) {
394 captypes[i].sstr = open_routines[i].name;
395 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
396 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
397 }
398 g_slist_free_full(list, string_elem_print);
399 g_free(captypes);
400 }
401
402 static void
403 list_export_pdu_taps(void)
404 {
405 fprintf(stderr, "tshark: The available export tap names and the encapsulation types they produce for the \"-U tap_name\" option are:\n");
406 for (GSList *export_pdu_tap_name_list = get_export_pdu_tap_list();
407 export_pdu_tap_name_list != NULL;
408 export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
409 fprintf(stderr, " %s - %s\n", (const char*)(export_pdu_tap_name_list->data), wtap_encap_description(export_pdu_tap_get_encap((const char*)export_pdu_tap_name_list->data)));
410 }
411 }
412
413 static void
414 print_usage(FILE *output)
415 {
416 fprintf(output, "\n");
417 fprintf(output, "Usage: tshark [options] ...\n");
418 fprintf(output, "\n");
419
420 #ifdef HAVE_LIBPCAP
421 fprintf(output, "Capture interface:\n");
422 fprintf(output, " -i <interface>, --interface <interface>\n");
423 fprintf(output, " name or idx of interface (def: first non-loopback)\n");
424 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
425 fprintf(output, " -s <snaplen>, --snapshot-length <snaplen>\n");
426 #ifdef HAVE_PCAP_CREATE
427 fprintf(output, " packet snapshot length (def: appropriate maximum)\n");
428 #else
429 fprintf(output, " packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
430 #endif
431 fprintf(output, " -p, --no-promiscuous-mode\n");
432 fprintf(output, " don't capture in promiscuous mode\n");
433 #ifdef HAVE_PCAP_CREATE
434 fprintf(output, " -I, --monitor-mode capture in monitor mode, if available\n");
435 #endif
436 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
437 fprintf(output, " -B <buffer size>, --buffer-size <buffer size>\n");
438 fprintf(output, " size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
439 #endif
440 fprintf(output, " -y <link type>, --linktype <link type>\n");
441 fprintf(output, " link layer type (def: first appropriate)\n");
442 fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
443 fprintf(output, " -D, --list-interfaces print list of interfaces and exit\n");
444 fprintf(output, " -L, --list-data-link-types\n");
445 fprintf(output, " print list of link-layer types of iface and exit\n");
446 fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
447 fprintf(output, " --update-interval interval between updates with new packets (def: %dms)\n", DEFAULT_UPDATE_INTERVAL);
448 fprintf(output, "\n");
449 fprintf(output, "Capture stop conditions:\n");
450 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
451 fprintf(output, " -a <autostop cond.> ..., --autostop <autostop cond.> ...\n");
452 fprintf(output, " duration:NUM - stop after NUM seconds\n");
453 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
454 fprintf(output, " files:NUM - stop after NUM files\n");
455 fprintf(output, " packets:NUM - stop after NUM packets\n");
456 /*fprintf(output, "\n");*/
457 fprintf(output, "Capture output:\n");
458 fprintf(output, " -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>\n");
459 fprintf(output, " duration:NUM - switch to next file after NUM secs\n");
460 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
461 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
462 fprintf(output, " packets:NUM - switch to next file after NUM packets\n");
463 fprintf(output, " interval:NUM - switch to next file when the time is\n");
464 fprintf(output, " an exact multiple of NUM secs\n");
465 fprintf(output, " printname:FILE - print filename to FILE when written\n");
466 fprintf(output, " (can use 'stdout' or 'stderr')\n");
467 #endif /* HAVE_LIBPCAP */
468 #ifdef HAVE_PCAP_REMOTE
469 fprintf(output, "RPCAP options:\n");
470 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
471 #endif
472 /*fprintf(output, "\n");*/
473 fprintf(output, "Input file:\n");
474 fprintf(output, " -r <infile>, --read-file <infile>\n");
475 fprintf(output, " set the filename to read from (or '-' for stdin)\n");
476
477 fprintf(output, "\n");
478 fprintf(output, "Processing:\n");
479 fprintf(output, " -2 perform a two-pass analysis\n");
480 fprintf(output, " -M <packet count> perform session auto reset\n");
481 fprintf(output, " -R <read filter>, --read-filter <read filter>\n");
482 fprintf(output, " packet Read filter in Wireshark display filter syntax\n");
483 fprintf(output, " (requires -2)\n");
484 fprintf(output, " -Y <display filter>, --display-filter <display filter>\n");
485 fprintf(output, " packet displaY filter in Wireshark display filter\n");
486 fprintf(output, " syntax\n");
487 fprintf(output, " -n disable all name resolutions (def: \"mNd\" enabled, or\n");
488 fprintf(output, " as set in preferences)\n");
489 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtdv\"\n");
490 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
491 fprintf(output, " \"Decode As\", see the man page for details\n");
492 fprintf(output, " Example: tcp.port==8888,http\n");
493 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
494 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
495 fprintf(output, " --enable-protocol <proto_name>\n");
496 fprintf(output, " enable dissection of proto_name\n");
497 fprintf(output, " --disable-protocol <proto_name>\n");
498 fprintf(output, " disable dissection of proto_name\n");
499 fprintf(output, " --only-protocols <protocols>\n");
500 fprintf(output, " Only enable dissection of these protocols, comma\n");
501 fprintf(output, " separated. Disable everything else\n");
502 fprintf(output, " --disable-all-protocols\n");
503 fprintf(output, " Disable dissection of all protocols\n");
504 fprintf(output, " --enable-heuristic <short_name>\n");
505 fprintf(output, " enable dissection of heuristic protocol\n");
506 fprintf(output, " --disable-heuristic <short_name>\n");
507 fprintf(output, " disable dissection of heuristic protocol\n");
508
509 /*fprintf(output, "\n");*/
510 fprintf(output, "Output:\n");
511 fprintf(output, " -w <outfile|-> write packets to a pcapng-format file named \"outfile\"\n");
512 fprintf(output, " (or '-' for stdout)\n");
513 fprintf(output, " --capture-comment <comment>\n");
514 fprintf(output, " add a capture file comment, if supported\n");
515 fprintf(output, " -C <config profile> start with specified configuration profile\n");
516 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
517 fprintf(output, " an empty \"-F\" option will list the file types\n");
518 fprintf(output, " -V add output of packet tree (Packet Details)\n");
519 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
520 fprintf(output, " separated\n");
521 fprintf(output, " -P, --print print packet summary even when writing to a file\n");
522 fprintf(output, " -S <separator> the line separator to print between packets\n");
523 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
524 fprintf(output, " --hexdump <hexoption> add hexdump, set options for data source and ASCII dump\n");
525 fprintf(output, " all dump all data sources (-x default)\n");
526 fprintf(output, " frames dump only frame data source\n");
527 fprintf(output, " ascii include ASCII dump text (-x default)\n");
528 fprintf(output, " delimit delimit ASCII dump text with '|' characters\n");
529 fprintf(output, " noascii exclude ASCII dump text\n");
530 fprintf(output, " help display help for --hexdump and exit\n");
531 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
532 fprintf(output, " format of text output (def: text)\n");
533 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
534 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
535 fprintf(output, " nodes, unless child is specified also in the filter)\n");
536 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
537 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
538 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
539 fprintf(output, " _ws.col.info)\n");
540 fprintf(output, " this option can be repeated to print multiple fields\n");
541 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
542 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
543 fprintf(output, " header=y|n switch headers on and off\n");
544 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
545 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
546 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
547 fprintf(output, " aggregator\n");
548 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
549 fprintf(output, " -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]\n");
550 fprintf(output, " output format of time stamps (def: r: rel. to first)\n");
551 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
552 fprintf(output, " -l flush standard output after each packet\n");
553 fprintf(output, " (implies --update-interval 0)\n");
554 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
555 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
556 fprintf(output, " -g enable group read access on the output file(s)\n");
557 fprintf(output, " -W n Save extra information in the file, if supported.\n");
558 fprintf(output, " n = write network address resolution information\n");
559 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
560 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
561 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
562 fprintf(output, " --export-objects <protocol>,<destdir>\n");
563 fprintf(output, " save exported objects for a protocol to a directory\n");
564 fprintf(output, " named \"destdir\"\n");
565 fprintf(output, " --export-tls-session-keys <keyfile>\n");
566 fprintf(output, " export TLS Session Keys to a file named \"keyfile\"\n");
567 fprintf(output, " --color color output text similarly to the Wireshark GUI,\n");
568 fprintf(output, " requires a terminal with 24-bit color support\n");
569 fprintf(output, " Also supplies color attributes to pdml and psml formats\n");
570 fprintf(output, " (Note that attributes are nonstandard)\n");
571 fprintf(output, " --no-duplicate-keys If -T json is specified, merge duplicate keys in an object\n");
572 fprintf(output, " into a single key with as value a json array containing all\n");
573 fprintf(output, " values\n");
574 fprintf(output, " --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the\n");
575 fprintf(output, " specified protocols within the mapping file\n");
576 fprintf(output, " --temp-dir <directory> write temporary files to this directory\n");
577 fprintf(output, " (default: %s)\n", g_get_tmp_dir());
578 fprintf(output, "\n");
579
580 ws_log_print_usage(output);
581 fprintf(output, "\n");
582
583 fprintf(output, "Miscellaneous:\n");
584 fprintf(output, " -h, --help display this help and exit\n");
585 fprintf(output, " -v, --version display version info and exit\n");
586 fprintf(output, " -o <name>:<value> ... override preference setting\n");
587 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
588 fprintf(output, " -G [report] dump one of several available reports and exit\n");
589 fprintf(output, " default report=\"fields\"\n");
590 fprintf(output, " use \"-G help\" for more help\n");
591 #ifdef __linux__
592 fprintf(output, "\n");
593 fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
594 fprintf(output, "You might want to enable it by executing:\n");
595 fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
596 fprintf(output, "Note that this can make your system less secure!\n");
597 #endif
598
599 }
600
601 static void
602 glossary_option_help(void)
603 {
604 FILE *output;
605
606 output = stdout;
607
608 fprintf(output, "%s\n", get_appname_and_version());
609
610 fprintf(output, "\n");
611 fprintf(output, "Usage: tshark -G [report]\n");
612 fprintf(output, "\n");
613 fprintf(output, "Glossary table reports:\n");
614 fprintf(output, " -G column-formats dump column format codes and exit\n");
615 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
616 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
617 fprintf(output, " -G dissectors dump registered dissector names\n");
618 fprintf(output, " -G elastic-mapping dump ElasticSearch mapping file\n");
619 fprintf(output, " -G enterprises dump IANA Private Enterprise Number (PEN) table\n");
620 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
621 fprintf(output, " -G fields [prefix] dump fields glossary and exit\n");
622 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
623 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
624 fprintf(output, " -G manuf dump ethernet manufacturer tables\n");
625 fprintf(output, " -G plugins dump installed plugins and exit\n");
626 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
627 fprintf(output, " -G services dump transport service (port) names\n");
628 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
629 fprintf(output, "\n");
630 fprintf(output, "Preference reports:\n");
631 fprintf(output, " -G currentprefs dump current preferences and exit\n");
632 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
633 fprintf(output, " -G folders dump about:folders\n");
634 fprintf(output, "\n");
635 }
636
637 static void
638 hexdump_option_help(FILE *output)
639 {
640 fprintf(output, "%s\n", get_appname_and_version());
641 fprintf(output, "\n");
642 fprintf(output, "tshark: Valid --hexdump <hexoption> values include:\n");
643 fprintf(output, "\n");
644 fprintf(output, "Data source options:\n");
645 fprintf(output, " all add hexdump, dump all data sources (-x default)\n");
646 fprintf(output, " frames add hexdump, dump only frame data source\n");
647 fprintf(output, "\n");
648 fprintf(output, "ASCII options:\n");
649 fprintf(output, " ascii add hexdump, include ASCII dump text (-x default)\n");
650 fprintf(output, " delimit add hexdump, delimit ASCII dump text with '|' characters\n");
651 fprintf(output, " noascii add hexdump, exclude ASCII dump text\n");
652 fprintf(output, "\n");
653 fprintf(output, "Miscellaneous:\n");
654 fprintf(output, " help display this help and exit\n");
655 fprintf(output, "\n");
656 fprintf(output, "Example:\n");
657 fprintf(output, "\n");
658 fprintf(output, " $ tshark ... --hexdump frames --hexdump delimit ...\n");
659 fprintf(output, "\n");
660 }
661
662 static void
663 print_current_user(void)
664 {
665 gchar *cur_user, *cur_group;
666
667 if (started_with_special_privs()) {
668 cur_user = get_cur_username();
669 cur_group = get_cur_groupname();
670 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
671 cur_user, cur_group);
672 g_free(cur_user);
673 g_free(cur_group);
674 if (running_with_special_privs()) {
675 fprintf(stderr, " This could be dangerous.");
676 }
677 fprintf(stderr, "\n");
678 }
679 }
680
681 static void
682 gather_tshark_compile_info(feature_list l)
683 {
684 /* Capture libraries */
685 gather_caplibs_compile_info(l);
686 epan_gather_compile_info(l);
687 }
688
689 static void
690 gather_tshark_runtime_info(feature_list l)
691 {
692 #ifdef HAVE_LIBPCAP
693 gather_caplibs_runtime_info(l);
694 #endif
695
696 /* stuff used by libwireshark */
697 epan_gather_runtime_info(l);
698 }
699
700 static gboolean
701 _compile_dfilter(const char *text, dfilter_t **dfp, const char *caller)
702 {
703 gboolean ok;
704 df_error_t *df_err;
705 char *err_off;
706 char *expanded;
707 gint64 elapsed_start;
708
709 elapsed_start = g_get_monotonic_time();
710 expanded = dfilter_expand(text, &df_err);
711 if (expanded == NULL) {
712 cmdarg_err("%s", df_err->msg);
713 df_error_free(&df_err);
714 return FALSE;
715 }
716 tshark_elapsed.dfilter_expand = g_get_monotonic_time() - elapsed_start;
717
718 elapsed_start = g_get_monotonic_time();
719 ok = dfilter_compile_full(expanded, dfp, &df_err, DF_OPTIMIZE, caller);
720 if (!ok ) {
721 cmdarg_err("%s", df_err->msg);
722
723 if (df_err->loc.col_start >= 0) {
724 err_off = ws_strdup_underline(NULL, df_err->loc.col_start, df_err->loc.col_len);
725 cmdarg_err_cont(" %s", expanded);
726 cmdarg_err_cont(" %s", err_off);
727 g_free(err_off);
728 }
729 df_error_free(&df_err);
730 }
731 tshark_elapsed.dfilter_compile = g_get_monotonic_time() - elapsed_start;
732
733 g_free(expanded);
734 return ok;
735 }
736
737 #define compile_dfilter(text, dfp) _compile_dfilter(text, dfp, __func__)
738
739 static gboolean
740 protocolfilter_add_opt(const char* arg, pf_flags filter_flags)
741 {
742 gchar **newfilter = NULL;
743 for (newfilter = wmem_strsplit(wmem_epan_scope(), arg, " ", -1); *newfilter; newfilter++) {
744 if (strcmp(*newfilter, "") == 0) {
745 /* Don't treat the empty string as an intended field abbreviation
746 * to output, consecutive spaces on the command line probably
747 * aren't intentional.
748 */
749 continue;
750 }
751 if (!output_fields_add_protocolfilter(output_fields, *newfilter, filter_flags)) {
752 cmdarg_err("%s was already specified with different filter flags. Overwriting previous protocol filter.", *newfilter);
753 }
754 }
755 return TRUE;
756 }
757
758 static void
759 about_folders(void)
760 {
761 const char *constpath;
762 char *path;
763 gint i;
764 gchar **resultArray;
765
766 /* "file open" */
767
768 /*
769 * Fetching the "File" dialogs folder not implemented.
770 * This is arguably just a pwd for a ui/cli .
771 */
772
773 /* temp */
774 constpath = g_get_tmp_dir();
775 #ifdef HAVE_LIBPCAP
776 /* global_capture_opts only exists in this case */
777 if (global_capture_opts.temp_dir)
778 constpath = global_capture_opts.temp_dir;
779 #endif
780 printf("%-21s\t%s\n", "Temp:", constpath);
781
782 /* pers conf */
783 path = get_persconffile_path("", FALSE);
784 printf("%-21s\t%s\n", "Personal configuration:", path);
785 g_free(path);
786
787 /* global conf */
788 constpath = get_datafile_dir();
789 if (constpath != NULL) {
790 printf("%-21s\t%s\n", "Global configuration:", constpath);
791 }
792
793 /* system */
794 constpath = get_systemfile_dir();
795 printf("%-21s\t%s\n", "System:", constpath);
796
797 /* program */
798 constpath = get_progfile_dir();
799 printf("%-21s\t%s\n", "Program:", constpath);
800
801 #ifdef HAVE_PLUGINS
802 /* pers plugins */
803 printf("%-21s\t%s\n", "Personal Plugins:", get_plugins_pers_dir_with_version());
804
805 /* global plugins */
806 printf("%-21s\t%s\n", "Global Plugins:", get_plugins_dir_with_version());
807 #endif
808
809 #ifdef HAVE_LUA
810 /* pers lua plugins */
811 printf("%-21s\t%s\n", "Personal Lua Plugins:", get_plugins_pers_dir());
812
813 /* global lua plugins */
814 printf("%-21s\t%s\n", "Global Lua Plugins:", get_plugins_dir());
815 #endif
816
817 /* Personal Extcap */
818 constpath = get_extcap_pers_dir();
819
820 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
821 for(i = 0; resultArray[i]; i++)
822 printf("%-21s\t%s\n", "Personal Extcap path:", g_strstrip(resultArray[i]));
823
824 g_strfreev(resultArray);
825
826 /* Global Extcap */
827 constpath = get_extcap_dir();
828
829 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
830 for(i = 0; resultArray[i]; i++)
831 printf("%-21s\t%s\n", "Global Extcap path:", g_strstrip(resultArray[i]));
832
833 g_strfreev(resultArray);
834
835 /* MaxMindDB */
836 path = maxmind_db_get_paths();
837
838 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
839
840 for(i = 0; resultArray[i]; i++)
841 printf("%-21s\t%s\n", "MaxMind database path:", g_strstrip(resultArray[i]));
842
843 g_strfreev(resultArray);
844 g_free(path);
845
846 #ifdef HAVE_LIBSMI
847 /* SMI MIBs/PIBs */
848 path = oid_get_default_mib_path();
849
850 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 20);
851
852 for(i = 0; resultArray[i]; i++)
853 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
854
855 g_strfreev(resultArray);
856 g_free(path);
857 #endif
858
859 }
860
861 static gboolean
862 must_do_dissection(dfilter_t *rfcode, dfilter_t *dfcode,
863 gchar *volatile pdu_export_arg)
864 {
865 /* We have to dissect each packet if:
866
867 we're printing information about each packet;
868
869 we're using a read filter on the packets;
870
871 we're using a display filter on the packets;
872
873 we're exporting PDUs;
874
875 we're using any taps that need dissection. */
876 return print_packet_info || rfcode || dfcode || pdu_export_arg ||
877 tap_listeners_require_dissection();
878 }
879
880 #ifdef HAVE_LIBPCAP
881 /*
882 * Check whether a purported *shark packet-matching expression (display
883 * or read filter) looks like a capture filter and, if so, print a
884 * warning.
885 *
886 * Used, for example, if the string in question isn't a valid packet-
887 * matching expression.
888 */
889 static void
890 warn_about_capture_filter(const char *rfilter)
891 {
892 struct bpf_program fcode;
893 pcap_t *pc;
894
895 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
896 if (pc != NULL) {
897 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
898 pcap_freecode(&fcode);
899 cmdarg_err_cont(
900 " Note: That read filter code looks like a valid capture filter;\n"
901 " maybe you mixed them up?");
902 }
903 pcap_close(pc);
904 }
905 }
906 #endif
907
908 #ifdef HAVE_LIBPCAP
909 static GList *cached_if_list;
910
911 static GList *
912 capture_opts_get_interface_list(int *err, char **err_str)
913 {
914 if (cached_if_list == NULL) {
915 /*
916 * This isn't a GUI tool, so no need for a callback.
917 */
918 cached_if_list = capture_interface_list(err, err_str, NULL);
919 }
920 /*
921 * Routines expect to free the returned interface list, so return
922 * a deep copy.
923 */
924 return interface_list_copy(cached_if_list);
925 }
926 #endif
927
928 int
929 main(int argc, char *argv[])
930 {
931 char *err_msg;
932 static const struct report_message_routines tshark_report_routines = {
933 failure_message,
934 failure_message,
935 open_failure_message,
936 read_failure_message,
937 write_failure_message,
938 cfile_open_failure_message,
939 cfile_dump_open_failure_message,
940 cfile_read_failure_message,
941 cfile_write_failure_message,
942 cfile_close_failure_message
943 };
944 int opt;
945 static const struct ws_option long_options[] = {
946 {"help", ws_no_argument, NULL, 'h'},
947 {"version", ws_no_argument, NULL, 'v'},
948 LONGOPT_CAPTURE_COMMON
949 LONGOPT_DISSECT_COMMON
950 LONGOPT_READ_CAPTURE_COMMON
951 {"print", ws_no_argument, NULL, 'P'},
952 {"export-objects", ws_required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
953 {"export-tls-session-keys", ws_required_argument, NULL, LONGOPT_EXPORT_TLS_SESSION_KEYS},
954 {"color", ws_no_argument, NULL, LONGOPT_COLOR},
955 {"no-duplicate-keys", ws_no_argument, NULL, LONGOPT_NO_DUPLICATE_KEYS},
956 {"elastic-mapping-filter", ws_required_argument, NULL, LONGOPT_ELASTIC_MAPPING_FILTER},
957 {"capture-comment", ws_required_argument, NULL, LONGOPT_CAPTURE_COMMENT},
958 {"hexdump", ws_required_argument, NULL, LONGOPT_HEXDUMP},
959 {"selected-frame", ws_required_argument, NULL, LONGOPT_SELECTED_FRAME},
960 {"print-timers", ws_no_argument, NULL, LONGOPT_PRINT_TIMERS},
961 {0, 0, 0, 0}
962 };
963 gboolean arg_error = FALSE;
964 gboolean has_extcap_options = FALSE;
965 gboolean is_capturing = TRUE;
966
967 int err;
968 gchar *err_info;
969 gboolean exp_pdu_status;
970 volatile process_file_status_t status;
971 volatile gboolean draw_taps = FALSE;
972 volatile int exit_status = EXIT_SUCCESS;
973 #ifdef HAVE_LIBPCAP
974 int caps_queries = 0;
975 GList *if_list;
976 gchar *err_str, *err_str_secondary;
977 #else
978 gboolean capture_option_specified = FALSE;
979 volatile int max_packet_count = 0;
980 #endif
981 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_UNKNOWN;
982 volatile gboolean out_file_name_res = FALSE;
983 volatile int in_file_type = WTAP_TYPE_AUTO;
984 gchar *volatile cf_name = NULL;
985 gchar *rfilter = NULL;
986 gchar *volatile dfilter = NULL;
987 dfilter_t *rfcode = NULL;
988 dfilter_t *dfcode = NULL;
989 e_prefs *prefs_p;
990 gchar *output_only = NULL;
991 gchar *volatile pdu_export_arg = NULL;
992 char *volatile exp_pdu_filename = NULL;
993 const gchar *volatile tls_session_keys_file = NULL;
994 exp_pdu_t exp_pdu_tap_data;
995 const gchar* elastic_mapping_filter = NULL;
996
997 /*
998 * The leading + ensures that getopt_long() does not permute the argv[]
999 * entries.
1000 *
1001 * We have to make sure that the first getopt_long() preserves the content
1002 * of argv[] for the subsequent getopt_long() call.
1003 *
1004 * We use getopt_long() in both cases to ensure that we're using a routine
1005 * whose permutation behavior we can control in the same fashion on all
1006 * platforms, and so that, if we ever need to process a long argument before
1007 * doing further initialization, we can do so.
1008 *
1009 * Glibc and Solaris libc document that a leading + disables permutation
1010 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1011 * and macOS don't document it, but do so anyway.
1012 *
1013 * We do *not* use a leading - because the behavior of a leading - is
1014 * platform-dependent.
1015 */
1016 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON OPTSTRING_READ_CAPTURE_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQS:T:U:vVw:W:xX:z:"
1017
1018 static const char optstring[] = OPTSTRING;
1019
1020 /*
1021 * Set the C-language locale to the native environment and set the
1022 * code page to UTF-8 on Windows.
1023 */
1024 #ifdef _WIN32
1025 setlocale(LC_ALL, ".UTF-8");
1026 #else
1027 setlocale(LC_ALL, "");
1028 #endif
1029
1030 ws_tzset();
1031
1032 cmdarg_err_init(tshark_cmdarg_err, tshark_cmdarg_err_cont);
1033
1034 /* Initialize log handler early so we can have proper logging during startup. */
1035 ws_log_init("tshark", vcmdarg_err);
1036
1037 /* Early logging command-line initialization. */
1038 ws_log_parse_args(&argc, argv, vcmdarg_err, WS_EXIT_INVALID_OPTION);
1039
1040 ws_noisy("Finished log init and parsing command line log arguments");
1041 ws_debug("tshark started with %d args", argc);
1042
1043 #ifdef _WIN32
1044 create_app_running_mutex();
1045 #endif /* _WIN32 */
1046
1047 /*
1048 * Get credential information for later use, and drop privileges
1049 * before doing anything else.
1050 * Let the user know if anything happened.
1051 */
1052 init_process_policies();
1053 relinquish_special_privs_perm();
1054 print_current_user();
1055
1056 /*
1057 * Attempt to get the pathname of the directory containing the
1058 * executable file.
1059 */
1060 err_msg = configuration_init(argv[0], NULL);
1061 if (err_msg != NULL) {
1062 fprintf(stderr,
1063 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
1064 "It won't be possible to capture traffic.\n"
1065 "Report this to the Wireshark developers.",
1066 err_msg);
1067 g_free(err_msg);
1068 }
1069
1070 initialize_funnel_ops();
1071
1072 #ifdef _WIN32
1073 ws_init_dll_search_path();
1074 #ifdef HAVE_LIBPCAP
1075 /* Load wpcap if possible. Do this before collecting the run-time version information */
1076 load_wpcap();
1077 #endif /* HAVE_LIBPCAP */
1078 #endif /* _WIN32 */
1079
1080 /* Initialize the version information. */
1081 ws_init_version_info("TShark",
1082 gather_tshark_compile_info, gather_tshark_runtime_info);
1083
1084 /* Fail sometimes. Useful for testing fuzz scripts. */
1085 /* if (g_random_int_range(0, 100) < 5) abort(); */
1086
1087 /*
1088 * In order to have the -X opts assigned before the wslua machine starts
1089 * we need to call getopt_long before epan_init() gets called.
1090 *
1091 * In order to handle, for example, -o options, we also need to call it
1092 * *after* epan_init() gets called, so that the dissectors have had a
1093 * chance to register their preferences.
1094 *
1095 * Spawning a bunch of extcap processes can delay program startup,
1096 * particularly on Windows. Check to see if we have any options that
1097 * might require extcap and set has_extcap_options = TRUE if that's
1098 * the case.
1099 *
1100 * XXX - can we do this all with one getopt_long() call, saving the
1101 * arguments we can't handle until after initializing libwireshark,
1102 * and then process them after initializing libwireshark?
1103 */
1104 ws_opterr = 0;
1105
1106 while ((opt = ws_getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1107 switch (opt) {
1108 case 'C': /* Configuration Profile */
1109 if (profile_exists (ws_optarg, FALSE)) {
1110 set_profile_name (ws_optarg);
1111 } else if (profile_exists (ws_optarg, TRUE)) {
1112 char *pf_dir_path, *pf_dir_path2, *pf_filename;
1113 /* Copy from global profile */
1114 if (create_persconffile_profile(ws_optarg, &pf_dir_path) == -1) {
1115 cmdarg_err("Can't create directory\n\"%s\":\n%s.",
1116 pf_dir_path, g_strerror(errno));
1117
1118 g_free(pf_dir_path);
1119 exit_status = WS_EXIT_INVALID_FILE;
1120 goto clean_exit;
1121 }
1122 if (copy_persconffile_profile(ws_optarg, ws_optarg, TRUE, &pf_filename,
1123 &pf_dir_path, &pf_dir_path2) == -1) {
1124 cmdarg_err("Can't copy file \"%s\" in directory\n\"%s\" to\n\"%s\":\n%s.",
1125 pf_filename, pf_dir_path2, pf_dir_path, g_strerror(errno));
1126
1127 g_free(pf_filename);
1128 g_free(pf_dir_path);
1129 g_free(pf_dir_path2);
1130 exit_status = WS_EXIT_INVALID_FILE;
1131 goto clean_exit;
1132 }
1133 set_profile_name (ws_optarg);
1134 } else {
1135 cmdarg_err("Configuration Profile \"%s\" does not exist", ws_optarg);
1136 exit_status = WS_EXIT_INVALID_OPTION;
1137 goto clean_exit;
1138 }
1139 break;
1140 case 'G':
1141 if (g_str_has_suffix(ws_optarg, "prefs")) {
1142 has_extcap_options = TRUE;
1143 }
1144 is_capturing = FALSE;
1145 break;
1146 case 'i':
1147 has_extcap_options = TRUE;
1148 break;
1149 case 'o':
1150 if (g_str_has_prefix(ws_optarg, "extcap.")) {
1151 has_extcap_options = TRUE;
1152 }
1153 break;
1154 case 'P': /* Print packet summary info even when writing to a file */
1155 print_packet_info = TRUE;
1156 print_summary = TRUE;
1157 break;
1158 case 'r': /* Read capture file x */
1159 cf_name = g_strdup(ws_optarg);
1160 is_capturing = FALSE;
1161 break;
1162 case 'O': /* Only output these protocols */
1163 output_only = g_strdup(ws_optarg);
1164 /* FALLTHROUGH */
1165 case 'V': /* Verbose */
1166 print_details = TRUE;
1167 print_packet_info = TRUE;
1168 break;
1169 case 'x': /* Print packet data in hex (and ASCII) */
1170 print_hex = TRUE;
1171 /* The user asked for hex output, so let's ensure they get it,
1172 * even if they're writing to a file.
1173 */
1174 print_packet_info = TRUE;
1175 break;
1176 case 'X':
1177 ex_opt_add(ws_optarg);
1178 break;
1179 case 'h':
1180 case 'v':
1181 is_capturing = FALSE;
1182 break;
1183 case LONGOPT_ELASTIC_MAPPING_FILTER:
1184 elastic_mapping_filter = ws_optarg;
1185 break;
1186 default:
1187 break;
1188 }
1189 }
1190
1191 #ifndef HAVE_LUA
1192 if (ex_opt_count("lua_script") > 0) {
1193 cmdarg_err("This version of TShark was not built with support for Lua scripting.");
1194 exit_status = WS_EXIT_INIT_FAILED;
1195 goto clean_exit;
1196 }
1197 #endif /* HAVE_LUA */
1198
1199 init_report_message("TShark", &tshark_report_routines);
1200
1201 #ifdef HAVE_LIBPCAP
1202 capture_opts_init(&global_capture_opts, capture_opts_get_interface_list);
1203 capture_session_init(&global_capture_session, &cfile,
1204 capture_input_new_file, capture_input_new_packets,
1205 capture_input_drops, capture_input_error,
1206 capture_input_cfilter_error, capture_input_closed);
1207 #endif
1208
1209 timestamp_set_type(TS_RELATIVE);
1210 timestamp_set_precision(TS_PREC_AUTO);
1211 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1212
1213 /*
1214 * Libwiretap must be initialized before libwireshark is, so that
1215 * dissection-time handlers for file-type-dependent blocks can
1216 * register using the file type/subtype value for the file type.
1217 */
1218 wtap_init(TRUE);
1219
1220 /* Register all dissectors; we must do this before checking for the
1221 "-G" flag, as the "-G" flag dumps information registered by the
1222 dissectors, and we must do it before we read the preferences, in
1223 case any dissectors register preferences. */
1224 if (!epan_init(NULL, NULL, TRUE)) {
1225 exit_status = WS_EXIT_INIT_FAILED;
1226 goto clean_exit;
1227 }
1228
1229 /* Register all tap listeners; we do this before we parse the arguments,
1230 as the "-z" argument can specify a registered tap. */
1231
1232 register_all_tap_listeners(tap_reg_listener);
1233
1234 /* Register extcap preferences only when needed. */
1235 if (has_extcap_options || is_capturing) {
1236 extcap_register_preferences();
1237 }
1238
1239 conversation_table_set_gui_info(init_iousers);
1240 endpoint_table_set_gui_info(init_endpoints);
1241 srt_table_iterate_tables(register_srt_tables, NULL);
1242 rtd_table_iterate_tables(register_rtd_tables, NULL);
1243 stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1244
1245 /* If invoked with the "-G" flag, we dump out information based on
1246 the argument to the "-G" flag; if no argument is specified,
1247 for backwards compatibility we dump out a glossary of display
1248 filter symbols.
1249
1250 XXX - we do this here, for now, to support "-G" with no arguments.
1251 If none of our build or other processes uses "-G" with no arguments,
1252 we can just process it with the other arguments. */
1253
1254 /* NOTE: This is before the preferences are loaded with
1255 * epan_load_settings() below, so if you add a new report
1256 * and it depends on the profile settings, call epan_load_settings()
1257 * first.
1258 *
1259 * It is after addr_resolv_init() is called (done by epan_init()),
1260 * so "manuf", "enterprises", and "services" have the values from
1261 * the global and personal profile files already loaded.
1262 */
1263 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1264 proto_initialize_all_prefixes();
1265
1266 if (argc == 2) {
1267 cmdarg_err("-G with no argument is deprecated and will removed in a future version.");
1268 cmdarg_err_cont("Generating fields glossary.");
1269 proto_registrar_dump_fields();
1270 } else {
1271 if (strcmp(argv[2], "column-formats") == 0)
1272 column_dump_column_formats();
1273 else if (strcmp(argv[2], "currentprefs") == 0) {
1274 epan_load_settings();
1275 write_prefs(NULL);
1276 }
1277 else if (strcmp(argv[2], "decodes") == 0) {
1278 epan_load_settings();
1279 dissector_dump_decodes();
1280 } else if (strcmp(argv[2], "defaultprefs") == 0)
1281 write_prefs(NULL);
1282 else if (strcmp(argv[2], "dissector-tables") == 0)
1283 dissector_dump_dissector_tables();
1284 else if (strcmp(argv[2], "dissectors") == 0)
1285 dissector_dump_dissectors();
1286 else if (strcmp(argv[2], "elastic-mapping") == 0)
1287 proto_registrar_dump_elastic(elastic_mapping_filter);
1288 else if (strcmp(argv[2], "fieldcount") == 0) {
1289 /* return value for the test suite */
1290 exit_status = proto_registrar_dump_fieldcount();
1291 goto clean_exit;
1292 }
1293 else if (strcmp(argv[2], "fields") == 0) {
1294 if (argc >= 4) {
1295 gboolean matched = proto_registrar_dump_field_completions(argv[3]);
1296 if (!matched) {
1297 cmdarg_err("No field or protocol begins with \"%s\"", argv[3]);
1298 exit_status = EXIT_FAILURE;
1299 goto clean_exit;
1300 }
1301 }
1302 else {
1303 proto_registrar_dump_fields();
1304 }
1305 }
1306 else if (strcmp(argv[2], "folders") == 0) {
1307 epan_load_settings();
1308 about_folders();
1309 } else if (strcmp(argv[2], "ftypes") == 0)
1310 proto_registrar_dump_ftypes();
1311 else if (strcmp(argv[2], "heuristic-decodes") == 0) {
1312 epan_load_settings();
1313 dissector_dump_heur_decodes();
1314 } else if (strcmp(argv[2], "manuf") == 0)
1315 ws_manuf_dump(stdout);
1316 else if (strcmp(argv[2], "enterprises") == 0)
1317 global_enterprises_dump(stdout);
1318 else if (strcmp(argv[2], "services") == 0)
1319 global_services_dump(stdout);
1320 else if (strcmp(argv[2], "plugins") == 0) {
1321 #ifdef HAVE_PLUGINS
1322 codecs_init();
1323 plugins_dump_all();
1324 #endif
1325 #ifdef HAVE_LUA
1326 wslua_plugins_dump_all();
1327 #endif
1328 extcap_dump_all();
1329 }
1330 else if (strcmp(argv[2], "protocols") == 0) {
1331 epan_load_settings();
1332 proto_registrar_dump_protocols();
1333 } else if (strcmp(argv[2], "values") == 0)
1334 proto_registrar_dump_values();
1335 else if (strcmp(argv[2], "help") == 0)
1336 glossary_option_help();
1337 /* These are supported only for backwards compatibility and may or may not work
1338 * for a given user in a given directory on a given operating system with a given
1339 * command-line interpreter.
1340 */
1341 else if (strcmp(argv[2], "?") == 0)
1342 glossary_option_help();
1343 else if (strcmp(argv[2], "-?") == 0)
1344 glossary_option_help();
1345 else {
1346 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G help for more help.", argv[2]);
1347 exit_status = WS_EXIT_INVALID_OPTION;
1348 goto clean_exit;
1349 }
1350 }
1351 exit_status = EXIT_SUCCESS;
1352 goto clean_exit;
1353 }
1354
1355 ws_debug("tshark reading settings");
1356
1357 /* Load libwireshark settings from the current profile. */
1358 prefs_p = epan_load_settings();
1359 prefs_loaded = TRUE;
1360
1361 cap_file_init(&cfile);
1362
1363 /* Print format defaults to this. */
1364 print_format = PR_FMT_TEXT;
1365 delimiter_char = " ";
1366
1367 output_fields = output_fields_new();
1368
1369 /*
1370 * To reset the options parser, set ws_optreset to 1 and set ws_optind to 1.
1371 *
1372 * Also reset ws_opterr to 1, so that error messages are printed by
1373 * getopt_long().
1374 */
1375 ws_optreset = 1;
1376 ws_optind = 1;
1377 ws_opterr = 1;
1378
1379 /* Now get our args */
1380 while ((opt = ws_getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1381 switch (opt) {
1382 case '2': /* Perform two-pass analysis */
1383 if(epan_auto_reset){
1384 cmdarg_err("-2 does not support auto session reset.");
1385 arg_error=TRUE;
1386 }
1387 perform_two_pass_analysis = TRUE;
1388 break;
1389 case 'M':
1390 if(perform_two_pass_analysis){
1391 cmdarg_err("-M does not support two-pass analysis.");
1392 arg_error=TRUE;
1393 }
1394 epan_auto_reset_count = get_positive_int(ws_optarg, "epan reset count");
1395 epan_auto_reset = TRUE;
1396 break;
1397 case 'a': /* autostop criteria */
1398 case 'b': /* Ringbuffer option */
1399 case 'f': /* capture filter */
1400 case 'g': /* enable group read access on file(s) */
1401 case 'i': /* Use interface x */
1402 case LONGOPT_SET_TSTAMP_TYPE: /* Set capture timestamp type */
1403 case 'p': /* Don't capture in promiscuous mode */
1404 #ifdef HAVE_PCAP_REMOTE
1405 case 'A': /* Authentication */
1406 #endif
1407 #ifdef HAVE_PCAP_CREATE
1408 case 'I': /* Capture in monitor mode, if available */
1409 #endif
1410 case 's': /* Set the snapshot (capture) length */
1411 case 'y': /* Set the pcap data link type */
1412 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1413 case 'B': /* Buffer size */
1414 #endif
1415 case LONGOPT_COMPRESS_TYPE: /* compress type */
1416 case LONGOPT_CAPTURE_TMPDIR: /* capture temp directory */
1417 case LONGOPT_UPDATE_INTERVAL: /* sync pipe update interval */
1418 /* These are options only for packet capture. */
1419 #ifdef HAVE_LIBPCAP
1420 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1421 if (exit_status != 0) {
1422 goto clean_exit;
1423 }
1424 #else
1425 capture_option_specified = TRUE;
1426 arg_error = TRUE;
1427 #endif
1428 break;
1429 case 'c': /* Stop after x packets */
1430 #ifdef HAVE_LIBPCAP
1431 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1432 if (exit_status != 0) {
1433 goto clean_exit;
1434 }
1435 #else
1436 max_packet_count = get_positive_int(ws_optarg, "packet count");
1437 #endif
1438 break;
1439 case 'w': /* Write to file x */
1440 output_file_name = g_strdup(ws_optarg);
1441 #ifdef HAVE_LIBPCAP
1442 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1443 if (exit_status != 0) {
1444 goto clean_exit;
1445 }
1446 #endif
1447 break;
1448 case 'C':
1449 /* already processed; just ignore it now */
1450 break;
1451 case 'D': /* Print a list of capture devices and exit */
1452 #ifdef HAVE_LIBPCAP
1453 exit_status = EXIT_SUCCESS;
1454 if_list = capture_interface_list(&err, &err_str,NULL);
1455 if (err != 0) {
1456 /*
1457 * An error occurred when fetching the local
1458 * interfaces. Report it.
1459 */
1460 cmdarg_err("%s", err_str);
1461 g_free(err_str);
1462 exit_status = WS_EXIT_PCAP_ERROR;
1463 }
1464 if (if_list == NULL) {
1465 /*
1466 * No interfaces were found. If that's not the
1467 * result of an error when fetching the local
1468 * interfaces, let the user know.
1469 */
1470 if (err == 0) {
1471 cmdarg_err("There are no interfaces on which a capture can be done");
1472 exit_status = WS_EXIT_NO_INTERFACES;
1473 }
1474 goto clean_exit;
1475 }
1476 capture_opts_print_interfaces(if_list);
1477 free_interface_list(if_list);
1478 goto clean_exit;
1479 #else
1480 capture_option_specified = TRUE;
1481 arg_error = TRUE;
1482 #endif
1483 break;
1484 case 'e':
1485 /* Field entry */
1486 {
1487 const char* col_field = try_convert_to_column_field(ws_optarg);
1488 if (col_field) {
1489 output_fields_add(output_fields, col_field);
1490 } else {
1491 header_field_info *hfi = proto_registrar_get_byalias(ws_optarg);
1492 if (hfi)
1493 output_fields_add(output_fields, hfi->abbrev);
1494 else
1495 output_fields_add(output_fields, ws_optarg);
1496 }
1497 }
1498 break;
1499 case 'E':
1500 /* Field option */
1501 if (!output_fields_set_option(output_fields, ws_optarg)) {
1502 cmdarg_err("\"%s\" is not a valid field output option=value pair.", ws_optarg);
1503 output_fields_list_options(stderr);
1504 exit_status = WS_EXIT_INVALID_OPTION;
1505 goto clean_exit;
1506 }
1507 break;
1508 case 'F':
1509 out_file_type = wtap_name_to_file_type_subtype(ws_optarg);
1510 if (out_file_type < 0) {
1511 cmdarg_err("\"%s\" isn't a valid capture file type", ws_optarg);
1512 list_capture_types();
1513 exit_status = WS_EXIT_INVALID_OPTION;
1514 goto clean_exit;
1515 }
1516 break;
1517 case 'G':
1518 cmdarg_err("-G only valid as first option");
1519 exit_status = WS_EXIT_INVALID_OPTION;
1520 goto clean_exit;
1521 break;
1522 case 'j':
1523 if (!protocolfilter_add_opt(ws_optarg, PF_NONE)) {
1524 exit_status = WS_EXIT_INVALID_OPTION;
1525 goto clean_exit;
1526 }
1527 break;
1528 case 'J':
1529 if (!protocolfilter_add_opt(ws_optarg, PF_INCLUDE_CHILDREN)) {
1530 exit_status = WS_EXIT_INVALID_OPTION;
1531 goto clean_exit;
1532 }
1533 break;
1534 case 'W': /* Select extra information to save in our capture file */
1535 /* This is patterned after the -N flag which may not be the best idea. */
1536 if (strchr(ws_optarg, 'n')) {
1537 out_file_name_res = TRUE;
1538 } else {
1539 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", ws_optarg);
1540 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1541 exit_status = WS_EXIT_INVALID_OPTION;
1542 goto clean_exit;
1543 }
1544 break;
1545 case 'H': /* Read address to name mappings from a hosts file */
1546 if (! add_hosts_file(ws_optarg))
1547 {
1548 cmdarg_err("Can't read host entries from \"%s\"", ws_optarg);
1549 exit_status = WS_EXIT_INVALID_OPTION;
1550 goto clean_exit;
1551 }
1552 out_file_name_res = TRUE;
1553 break;
1554
1555 case 'h': /* Print help and exit */
1556 show_help_header("Dump and analyze network traffic.");
1557 print_usage(stdout);
1558 exit_status = EXIT_SUCCESS;
1559 goto clean_exit;
1560 break;
1561 case 'l': /* "Line-buffer" standard output */
1562 /* The ANSI C standard does not appear to *require* that a line-buffered
1563 stream be flushed to the host environment whenever a newline is
1564 written, it just says that, on such a stream, characters "are
1565 intended to be transmitted to or from the host environment as a
1566 block when a new-line character is encountered".
1567
1568 The Visual C++ 6.0 C implementation doesn't do what is intended;
1569 even if you set a stream to be line-buffered, it still doesn't
1570 flush the buffer at the end of every line.
1571
1572 The whole reason for the "-l" flag in either tcpdump or TShark
1573 is to allow the output of a live capture to be piped to a program
1574 or script and to have that script see the information for the
1575 packet as soon as it's printed, rather than having to wait until
1576 a standard I/O buffer fills up.
1577
1578 So, if the "-l" flag is specified, we flush the standard output
1579 at the end of a packet. This will do the right thing if we're
1580 printing packet summary lines, and, as we print the entire protocol
1581 tree for a single packet without waiting for anything to happen,
1582 it should be as good as line-buffered mode if we're printing
1583 protocol trees - arguably even better, as it may do fewer
1584 writes. */
1585 line_buffered = TRUE;
1586 #ifdef HAVE_LIBPCAP
1587 /* Set the update-interval to 0 so that dumpcap reports packets
1588 * as soon as available instead of buffering them.
1589 */
1590 exit_status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
1591 if (exit_status != 0) {
1592 goto clean_exit;
1593 }
1594 #endif
1595 break;
1596 case 'L': /* Print list of link-layer types and exit */
1597 #ifdef HAVE_LIBPCAP
1598 caps_queries |= CAPS_QUERY_LINK_TYPES;
1599 #else
1600 capture_option_specified = TRUE;
1601 arg_error = TRUE;
1602 #endif
1603 break;
1604 case LONGOPT_LIST_TSTAMP_TYPES: /* List possible timestamp types */
1605 #ifdef HAVE_LIBPCAP
1606 caps_queries |= CAPS_QUERY_TIMESTAMP_TYPES;
1607 #else
1608 capture_option_specified = TRUE;
1609 arg_error = TRUE;
1610 #endif
1611 break;
1612 case 'o': /* Override preference from command line */
1613 {
1614 char *errmsg = NULL;
1615
1616 switch (prefs_set_pref(ws_optarg, &errmsg)) {
1617
1618 case PREFS_SET_OK:
1619 break;
1620
1621 case PREFS_SET_SYNTAX_ERR:
1622 cmdarg_err("Invalid -o flag \"%s\"%s%s", ws_optarg,
1623 errmsg ? ": " : "", errmsg ? errmsg : "");
1624 g_free(errmsg);
1625 exit_status = WS_EXIT_INVALID_OPTION;
1626 goto clean_exit;
1627 break;
1628
1629 case PREFS_SET_NO_SUCH_PREF:
1630 cmdarg_err("-o flag \"%s\" specifies unknown preference", ws_optarg);
1631 exit_status = WS_EXIT_INVALID_OPTION;
1632 goto clean_exit;
1633 break;
1634
1635 case PREFS_SET_OBSOLETE:
1636 cmdarg_err("-o flag \"%s\" specifies obsolete preference", ws_optarg);
1637 exit_status = WS_EXIT_INVALID_OPTION;
1638 goto clean_exit;
1639 break;
1640 }
1641 break;
1642 }
1643 case 'q': /* Quiet */
1644 quiet = TRUE;
1645 break;
1646 case 'Q': /* Really quiet */
1647 quiet = TRUE;
1648 really_quiet = TRUE;
1649 break;
1650 case 'r':
1651 /* already processed; just ignore it now */
1652 break;
1653 case 'R': /* Read file filter */
1654 rfilter = ws_optarg;
1655 break;
1656 case 'P':
1657 /* already processed; just ignore it now */
1658 break;
1659 case 'S': /* Set the line Separator to be printed between packets */
1660 separator = ws_optarg;
1661 break;
1662 case 'T': /* printing Type */
1663 /* output_action has been already set. It means multiple -T. */
1664 if (output_action > WRITE_NONE) {
1665 cmdarg_err("Multiple -T parameters are unsupported");
1666 exit_status = WS_EXIT_INVALID_OPTION;
1667 goto clean_exit;
1668 }
1669 print_packet_info = TRUE;
1670 if (strcmp(ws_optarg, "text") == 0) {
1671 output_action = WRITE_TEXT;
1672 print_format = PR_FMT_TEXT;
1673 } else if (strcmp(ws_optarg, "tabs") == 0) {
1674 output_action = WRITE_TEXT;
1675 print_format = PR_FMT_TEXT;
1676 delimiter_char = "\t";
1677 } else if (strcmp(ws_optarg, "ps") == 0) {
1678 output_action = WRITE_TEXT;
1679 print_format = PR_FMT_PS;
1680 } else if (strcmp(ws_optarg, "pdml") == 0) {
1681 output_action = WRITE_XML;
1682 print_details = TRUE; /* Need details */
1683 print_summary = FALSE; /* Don't allow summary */
1684 } else if (strcmp(ws_optarg, "psml") == 0) {
1685 output_action = WRITE_XML;
1686 print_details = FALSE; /* Don't allow details */
1687 print_summary = TRUE; /* Need summary */
1688 } else if (strcmp(ws_optarg, "fields") == 0) {
1689 output_action = WRITE_FIELDS;
1690 print_details = TRUE; /* Need full tree info */
1691 print_summary = FALSE; /* Don't allow summary */
1692 } else if (strcmp(ws_optarg, "json") == 0) {
1693 output_action = WRITE_JSON;
1694 print_details = TRUE; /* Need details */
1695 print_summary = FALSE; /* Don't allow summary */
1696 } else if (strcmp(ws_optarg, "ek") == 0) {
1697 output_action = WRITE_EK;
1698 if (!print_summary)
1699 print_details = TRUE;
1700 } else if (strcmp(ws_optarg, "jsonraw") == 0) {
1701 output_action = WRITE_JSON_RAW;
1702 print_details = TRUE; /* Need details */
1703 print_summary = FALSE; /* Don't allow summary */
1704 }
1705 else {
1706 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", ws_optarg); /* x */
1707 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1708 "\t specified by the -E option.\n"
1709 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1710 "\t details of a decoded packet. This information is equivalent to\n"
1711 "\t the packet details printed with the -V flag.\n"
1712 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1713 "\t the packets, or a multi-line view of the details of each of\n"
1714 "\t the packets, depending on whether the -V flag was specified.\n"
1715 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1716 "\t summary information of a decoded packet. This information is\n"
1717 "\t equivalent to the information shown in the one-line summary\n"
1718 "\t printed by default.\n"
1719 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1720 "\t summary information of a decoded packet. This information is \n"
1721 "\t equivalent to the packet details printed with the -V flag.\n"
1722 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1723 "\t including only raw hex decoded fields (same as -T json -x but\n"
1724 "\t without text decoding, only raw fields included). \n"
1725 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1726 "\t into elastic search cluster. This information is \n"
1727 "\t equivalent to the packet details printed with the -V flag.\n"
1728 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1729 "\t packets, or a multi-line view of the details of each of the\n"
1730 "\t packets, depending on whether the -V flag was specified.\n"
1731 "\t This is the default.\n"
1732 "\t\"tabs\" Similar to the text report except that each column of the\n"
1733 "\t human-readable one-line summary is delimited with an ASCII\n"
1734 "\t horizontal tab character.");
1735 exit_status = WS_EXIT_INVALID_OPTION;
1736 goto clean_exit;
1737 }
1738 break;
1739 case 'U': /* Export PDUs to file */
1740 if (strcmp(ws_optarg, "") == 0 || strcmp(ws_optarg, "?") == 0) {
1741 list_export_pdu_taps();
1742 exit_status = WS_EXIT_INVALID_OPTION;
1743 goto clean_exit;
1744 }
1745 pdu_export_arg = g_strdup(ws_optarg);
1746 break;
1747 case 'v': /* Show version and exit */
1748 show_version();
1749 /* We don't really have to cleanup here, but it's a convenient way to test
1750 * start-up and shut-down of the epan library without any UI-specific
1751 * cruft getting in the way. Makes the results of running
1752 * $ ./tools/valgrind-wireshark -n
1753 * much more useful. */
1754 epan_cleanup();
1755 extcap_cleanup();
1756 exit_status = EXIT_SUCCESS;
1757 goto clean_exit;
1758 case 'O': /* Only output these protocols */
1759 /* already processed; just ignore it now */
1760 break;
1761 case 'V': /* Verbose */
1762 /* already processed; just ignore it now */
1763 break;
1764 case 'x': /* Print packet data in hex (and ASCII) */
1765 /* already processed; just ignore it now */
1766 break;
1767 case 'X':
1768 /* already processed; just ignore it now */
1769 break;
1770 case 'Y':
1771 dfilter = g_strdup(ws_optarg);
1772 break;
1773 case 'z':
1774 /* We won't call the init function for the stat this soon
1775 as it would disallow MATE's fields (which are registered
1776 by the preferences set callback) from being used as
1777 part of a tap filter. Instead, we just add the argument
1778 to a list of stat arguments. */
1779 if (strcmp("help", ws_optarg) == 0) {
1780 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1781 list_stat_cmd_args();
1782 exit_status = EXIT_SUCCESS;
1783 goto clean_exit;
1784 }
1785 if (!process_stat_cmd_arg(ws_optarg)) {
1786 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", ws_optarg);
1787 list_stat_cmd_args();
1788 exit_status = WS_EXIT_INVALID_OPTION;
1789 goto clean_exit;
1790 }
1791 break;
1792 case 'd': /* Decode as rule */
1793 case 'K': /* Kerberos keytab file */
1794 case 'n': /* No name resolution */
1795 case 'N': /* Select what types of addresses/port #s to resolve */
1796 case 't': /* Time stamp type */
1797 case 'u': /* Seconds type */
1798 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1799 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1800 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1801 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1802 case LONGOPT_ONLY_PROTOCOLS: /* enable dissection of only this comma separated list of protocols */
1803 case LONGOPT_DISABLE_ALL_PROTOCOLS: /* enable dissection of protocol (that is disabled by default) */
1804 if (!dissect_opts_handle_opt(opt, ws_optarg)) {
1805 exit_status = WS_EXIT_INVALID_OPTION;
1806 goto clean_exit;
1807 }
1808 break;
1809 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1810 if (strcmp("help", ws_optarg) == 0) {
1811 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1812 eo_list_object_types();
1813 exit_status = EXIT_SUCCESS;
1814 goto clean_exit;
1815 }
1816 if (!eo_tap_opt_add(ws_optarg)) {
1817 exit_status = WS_EXIT_INVALID_OPTION;
1818 goto clean_exit;
1819 }
1820 break;
1821 case LONGOPT_EXPORT_TLS_SESSION_KEYS: /* --export-tls-session-keys */
1822 tls_session_keys_file = ws_optarg;
1823 break;
1824 case LONGOPT_COLOR: /* print in color where appropriate */
1825 dissect_color = TRUE;
1826 /* This has no effect if we don't print packet info or filter
1827 (we can filter on the coloring rules). Should we warn or
1828 error later if so, instead of silently ignoring it? */
1829 break;
1830 case LONGOPT_NO_DUPLICATE_KEYS:
1831 no_duplicate_keys = TRUE;
1832 node_children_grouper = proto_node_group_children_by_json_key;
1833 break;
1834 case LONGOPT_CAPTURE_COMMENT: /* capture comment */
1835 if (capture_comments == NULL) {
1836 capture_comments = g_ptr_array_new_with_free_func(g_free);
1837 }
1838 g_ptr_array_add(capture_comments, g_strdup(ws_optarg));
1839 break;
1840 case LONGOPT_HEXDUMP:
1841 print_hex = TRUE;
1842 print_packet_info = TRUE;
1843 if (strcmp(ws_optarg, "all") == 0)
1844 hexdump_source_option = HEXDUMP_SOURCE_MULTI;
1845 else if (strcmp(ws_optarg, "frames") == 0)
1846 hexdump_source_option = HEXDUMP_SOURCE_PRIMARY;
1847 else if (strcmp(ws_optarg, "ascii") == 0)
1848 hexdump_ascii_option = HEXDUMP_ASCII_INCLUDE;
1849 else if (strcmp(ws_optarg, "delimit") == 0)
1850 hexdump_ascii_option = HEXDUMP_ASCII_DELIMIT;
1851 else if (strcmp(ws_optarg, "noascii") == 0)
1852 hexdump_ascii_option = HEXDUMP_ASCII_EXCLUDE;
1853 else if (strcmp("help", ws_optarg) == 0) {
1854 hexdump_option_help(stdout);
1855 exit_status = EXIT_SUCCESS;
1856 goto clean_exit;
1857 } else {
1858 fprintf(stderr, "tshark: \"%s\" is an invalid value for --hexdump <hexoption>\n", ws_optarg);
1859 fprintf(stderr, "For valid <hexoption> values enter: tshark --hexdump help\n");
1860 exit_status = WS_EXIT_INVALID_OPTION;
1861 goto clean_exit;
1862 }
1863 break;
1864 case LONGOPT_SELECTED_FRAME:
1865 /* Hidden option to mark a frame as "selected". Used for testing and debugging.
1866 * Only active in two-pass mode. */
1867 if (!ws_strtou32(ws_optarg, NULL, &selected_frame_number)) {
1868 fprintf(stderr, "tshark: \"%s\" is not a valid frame number\n", ws_optarg);
1869 exit_status = WS_EXIT_INVALID_OPTION;
1870 goto clean_exit;
1871 }
1872 break;
1873 case LONGOPT_PRINT_TIMERS:
1874 opt_print_timers = TRUE;
1875 break;
1876 default:
1877 case '?': /* Bad flag - print usage message */
1878 switch(ws_optopt) {
1879 case 'F':
1880 list_capture_types();
1881 break;
1882 default:
1883 print_usage(stderr);
1884 }
1885 exit_status = WS_EXIT_INVALID_OPTION;
1886 goto clean_exit;
1887 break;
1888 }
1889 }
1890
1891 /* set the default output action to TEXT */
1892 if (output_action == WRITE_NONE)
1893 output_action = WRITE_TEXT;
1894
1895 /* set the default file type to pcapng */
1896 if (out_file_type == WTAP_FILE_TYPE_SUBTYPE_UNKNOWN)
1897 out_file_type = wtap_pcapng_file_type_subtype();
1898
1899 /*
1900 * Print packet summary information is the default if neither -V or -x
1901 * were specified. Note that this is new behavior, which allows for the
1902 * possibility of printing only hex/ascii output without necessarily
1903 * requiring that either the summary or details be printed too.
1904 */
1905 if (!print_summary && !print_details && !print_hex)
1906 print_summary = TRUE;
1907
1908 if (no_duplicate_keys && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW) {
1909 cmdarg_err("--no-duplicate-keys can only be used with \"-T json\" and \"-T jsonraw\"");
1910 exit_status = WS_EXIT_INVALID_OPTION;
1911 goto clean_exit;
1912 }
1913
1914 /* If we specified output fields, but not the output field type... */
1915 /* XXX: If we specfied both output fields with -e *and* protocol filters
1916 * with -j/-J, only the former are used. Should we warn or abort?
1917 * This also doesn't distinguish PDML from PSML, but shouldn't allow the
1918 * latter.
1919 */
1920 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1921 cmdarg_err("Output fields were specified with \"-e\", "
1922 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1923 exit_status = WS_EXIT_INVALID_OPTION;
1924 goto clean_exit;
1925 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1926 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1927 "specified with \"-e\".");
1928
1929 exit_status = WS_EXIT_INVALID_OPTION;
1930 goto clean_exit;
1931 }
1932
1933 if (dissect_color) {
1934 if (!color_filters_init(&err_msg, NULL)) {
1935 fprintf(stderr, "%s\n", err_msg);
1936 g_free(err_msg);
1937 }
1938 }
1939
1940 /* If no capture filter or display filter has been specified, and there are
1941 still command-line arguments, treat them as the tokens of a capture
1942 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1943 flag was specified. */
1944 if (ws_optind < argc) {
1945 if (cf_name != NULL) {
1946 if (dfilter != NULL) {
1947 cmdarg_err("Display filters were specified both with \"-Y\" "
1948 "and with additional command-line arguments.");
1949 exit_status = WS_EXIT_INVALID_OPTION;
1950 goto clean_exit;
1951 }
1952 dfilter = get_args_as_string(argc, argv, ws_optind);
1953 } else {
1954 #ifdef HAVE_LIBPCAP
1955 guint i;
1956
1957 if (global_capture_opts.default_options.cfilter) {
1958 cmdarg_err("A default capture filter was specified both with \"-f\""
1959 " and with additional command-line arguments.");
1960 exit_status = WS_EXIT_INVALID_OPTION;
1961 goto clean_exit;
1962 }
1963 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1964 interface_options *interface_opts;
1965 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
1966 if (interface_opts->cfilter == NULL) {
1967 interface_opts->cfilter = get_args_as_string(argc, argv, ws_optind);
1968 } else {
1969 cmdarg_err("A capture filter was specified both with \"-f\""
1970 " and with additional command-line arguments.");
1971 exit_status = WS_EXIT_INVALID_OPTION;
1972 goto clean_exit;
1973 }
1974 }
1975 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, ws_optind);
1976 #else
1977 capture_option_specified = TRUE;
1978 #endif
1979 }
1980 }
1981
1982 if (!output_file_name) {
1983 /* We're not saving the capture to a file; if "-q" wasn't specified,
1984 we should print packet information */
1985 if (!quiet)
1986 print_packet_info = TRUE;
1987 } else {
1988 const char *save_file = output_file_name;
1989 /* We're saving to a file; if we're writing to the standard output.
1990 and we'll also be writing dissected packets to the standard
1991 output, reject the request. At best, we could redirect that
1992 to the standard error; we *can't* write both to the standard
1993 output and have either of them be useful. */
1994 if (strcmp(save_file, "-") == 0 && print_packet_info) {
1995 cmdarg_err("You can't write both raw packet data and dissected packets"
1996 " to the standard output.");
1997 exit_status = WS_EXIT_INVALID_OPTION;
1998 goto clean_exit;
1999 }
2000 }
2001
2002 #ifndef HAVE_LIBPCAP
2003 if (capture_option_specified)
2004 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2005 #endif
2006 if (arg_error) {
2007 print_usage(stderr);
2008 exit_status = WS_EXIT_INVALID_OPTION;
2009 goto clean_exit;
2010 }
2011
2012 if (print_hex) {
2013 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
2014 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
2015 exit_status = WS_EXIT_INVALID_OPTION;
2016 goto clean_exit;
2017 }
2018 }
2019
2020 if (output_only != NULL) {
2021 char *ps;
2022
2023 if (!print_details) {
2024 cmdarg_err("-O requires -V");
2025 exit_status = WS_EXIT_INVALID_OPTION;
2026 goto clean_exit;
2027 }
2028
2029 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
2030 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
2031 const char *name = ps;
2032 header_field_info *hfi = proto_registrar_get_byalias(name);
2033 if (hfi) {
2034 name = hfi->abbrev;
2035 }
2036 g_hash_table_insert(output_only_tables, (gpointer)name, (gpointer)name);
2037 }
2038 }
2039
2040 if (rfilter != NULL && !perform_two_pass_analysis) {
2041 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
2042 exit_status = WS_EXIT_INVALID_OPTION;
2043 goto clean_exit;
2044 }
2045
2046 #ifdef HAVE_LIBPCAP
2047 if (caps_queries) {
2048 /* We're supposed to list the link-layer/timestamp types for an interface;
2049 did the user also specify a capture file to be read? */
2050 if (cf_name) {
2051 /* Yes - that's bogus. */
2052 cmdarg_err("You can't specify %s and a capture file to be read.",
2053 caps_queries & CAPS_QUERY_LINK_TYPES ? "-L" : "--list-time-stamp-types");
2054 exit_status = WS_EXIT_INVALID_OPTION;
2055 goto clean_exit;
2056 }
2057 /* No - did they specify a ring buffer option? */
2058 if (global_capture_opts.multi_files_on) {
2059 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
2060 exit_status = WS_EXIT_INVALID_OPTION;
2061 goto clean_exit;
2062 }
2063 } else {
2064 if (cf_name) {
2065 /*
2066 * "-r" was specified, so we're reading a capture file.
2067 * Capture options don't apply here.
2068 */
2069
2070 /* We don't support capture filters when reading from a capture file
2071 (the BPF compiler doesn't support all link-layer types that we
2072 support in capture files we read). */
2073 if (global_capture_opts.default_options.cfilter) {
2074 cmdarg_err("Only read filters, not capture filters, "
2075 "can be specified when reading a capture file.");
2076 exit_status = WS_EXIT_INVALID_OPTION;
2077 goto clean_exit;
2078 }
2079 if (global_capture_opts.multi_files_on) {
2080 cmdarg_err("Multiple capture files requested, but "
2081 "a capture isn't being done.");
2082 exit_status = WS_EXIT_INVALID_OPTION;
2083 goto clean_exit;
2084 }
2085 if (global_capture_opts.has_file_duration) {
2086 cmdarg_err("Switching capture files after a time period was specified, but "
2087 "a capture isn't being done.");
2088 exit_status = WS_EXIT_INVALID_OPTION;
2089 goto clean_exit;
2090 }
2091 if (global_capture_opts.has_file_interval) {
2092 cmdarg_err("Switching capture files after a time interval was specified, but "
2093 "a capture isn't being done.");
2094 exit_status = WS_EXIT_INVALID_OPTION;
2095 goto clean_exit;
2096 }
2097 if (global_capture_opts.has_ring_num_files) {
2098 cmdarg_err("A ring buffer of capture files was specified, but "
2099 "a capture isn't being done.");
2100 exit_status = WS_EXIT_INVALID_OPTION;
2101 goto clean_exit;
2102 }
2103 if (global_capture_opts.has_autostop_files) {
2104 cmdarg_err("A maximum number of capture files was specified, but "
2105 "a capture isn't being done.");
2106 exit_status = WS_EXIT_INVALID_OPTION;
2107 goto clean_exit;
2108 }
2109
2110 /* Note: TShark now allows the restriction of a _read_ file by packet count
2111 * and byte count as well as a write file. Other autostop options remain valid
2112 * only for a write file.
2113 */
2114 if (global_capture_opts.has_autostop_duration) {
2115 cmdarg_err("A maximum capture time was specified, but "
2116 "a capture isn't being done.");
2117 exit_status = WS_EXIT_INVALID_OPTION;
2118 goto clean_exit;
2119 }
2120 } else {
2121 /*
2122 * "-r" wasn't specified, so we're doing a live capture.
2123 */
2124 gboolean use_pcapng = TRUE;
2125
2126 if (perform_two_pass_analysis) {
2127 /* Two-pass analysis doesn't work with live capture since it requires us
2128 * to buffer packets until we've read all of them, but a live capture
2129 * has no useful/meaningful definition of "all" */
2130 cmdarg_err("Live captures do not support two-pass analysis.");
2131 exit_status = WS_EXIT_INVALID_OPTION;
2132 goto clean_exit;
2133 }
2134
2135 if (global_capture_opts.saving_to_file) {
2136 /* They specified a "-w" flag, so we'll be saving to a capture file. */
2137
2138 /* When capturing, we only support writing pcap or pcapng format. */
2139 if (out_file_type == wtap_pcapng_file_type_subtype()) {
2140 use_pcapng = TRUE;
2141 } else if (out_file_type == wtap_pcap_file_type_subtype()) {
2142 use_pcapng = FALSE;
2143 } else {
2144 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
2145 exit_status = WS_EXIT_INVALID_OPTION;
2146 goto clean_exit;
2147 }
2148 if (capture_comments != NULL && !use_pcapng) {
2149 cmdarg_err("Capture comments can only be written to a pcapng file.");
2150 exit_status = WS_EXIT_INVALID_OPTION;
2151 goto clean_exit;
2152 }
2153 if (global_capture_opts.multi_files_on) {
2154 /* Multiple-file mode doesn't work under certain conditions:
2155 a) it doesn't work if you're writing to the standard output;
2156 b) it doesn't work if you're writing to a pipe;
2157 */
2158 if (strcmp(global_capture_opts.save_file, "-") == 0) {
2159 cmdarg_err("Multiple capture files requested, but "
2160 "the capture is being written to the standard output.");
2161 exit_status = WS_EXIT_INVALID_OPTION;
2162 goto clean_exit;
2163 }
2164 if (global_capture_opts.output_to_pipe) {
2165 cmdarg_err("Multiple capture files requested, but "
2166 "the capture file is a pipe.");
2167 exit_status = WS_EXIT_INVALID_OPTION;
2168 goto clean_exit;
2169 }
2170 if (!global_capture_opts.has_autostop_filesize &&
2171 !global_capture_opts.has_file_duration &&
2172 !global_capture_opts.has_file_interval &&
2173 !global_capture_opts.has_file_packets) {
2174 cmdarg_err("Multiple capture files requested, but "
2175 "no maximum capture file size, duration, interval or packets were specified.");
2176 exit_status = WS_EXIT_INVALID_OPTION;
2177 goto clean_exit;
2178 }
2179 }
2180 /* Currently, we don't support read or display filters when capturing
2181 and saving the packets. */
2182 if (rfilter != NULL) {
2183 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
2184 exit_status = WS_EXIT_INVALID_OPTION;
2185 goto clean_exit;
2186 }
2187 if (dfilter != NULL) {
2188 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
2189 exit_status = WS_EXIT_INVALID_OPTION;
2190 goto clean_exit;
2191 }
2192 global_capture_opts.use_pcapng = use_pcapng;
2193 } else {
2194 /* They didn't specify a "-w" flag, so we won't be saving to a
2195 capture file. Check for options that only make sense if
2196 we're saving to a file. */
2197 if (global_capture_opts.has_autostop_filesize) {
2198 cmdarg_err("Maximum capture file size specified, but "
2199 "capture isn't being saved to a file.");
2200 exit_status = WS_EXIT_INVALID_OPTION;
2201 goto clean_exit;
2202 }
2203 if (global_capture_opts.multi_files_on) {
2204 cmdarg_err("Multiple capture files requested, but "
2205 "the capture isn't being saved to a file.");
2206 exit_status = WS_EXIT_INVALID_OPTION;
2207 goto clean_exit;
2208 }
2209 if (capture_comments != NULL) {
2210 cmdarg_err("Capture comments were specified, but "
2211 "the capture isn't being saved to a file.");
2212 exit_status = WS_EXIT_INVALID_OPTION;
2213 goto clean_exit;
2214 }
2215 }
2216 }
2217 }
2218 #endif
2219
2220 /*
2221 * If capture comments were specified, -w also has to have been specified.
2222 */
2223 if (capture_comments != NULL) {
2224 if (output_file_name) {
2225 /* They specified a "-w" flag, so we'll be saving to a capture file.
2226 * This is fine if they're writing in a format that supports
2227 * section block comments.
2228 */
2229 if (wtap_file_type_subtype_supports_option(out_file_type,
2230 WTAP_BLOCK_SECTION,
2231 OPT_COMMENT) == OPTION_NOT_SUPPORTED) {
2232 GArray *writable_type_subtypes;
2233
2234 cmdarg_err("Capture comments can only be written to files of the following types:");
2235 writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
2236 for (guint i = 0; i < writable_type_subtypes->len; i++) {
2237 int ft = g_array_index(writable_type_subtypes, int, i);
2238
2239 if (wtap_file_type_subtype_supports_option(ft, WTAP_BLOCK_SECTION,
2240 OPT_COMMENT) != OPTION_NOT_SUPPORTED)
2241 cmdarg_err_cont(" %s - %s", wtap_file_type_subtype_name(ft),
2242 wtap_file_type_subtype_description(ft));
2243 }
2244 exit_status = WS_EXIT_INVALID_OPTION;
2245 goto clean_exit;
2246 }
2247 }
2248 else {
2249 cmdarg_err("Capture comments were specified, but you aren't writing a capture file.");
2250 exit_status = WS_EXIT_INVALID_OPTION;
2251 goto clean_exit;
2252 }
2253 }
2254
2255 err_msg = ws_init_sockets();
2256 if (err_msg != NULL)
2257 {
2258 cmdarg_err("%s", err_msg);
2259 g_free(err_msg);
2260 cmdarg_err_cont("%s", please_report_bug());
2261 exit_status = WS_EXIT_INIT_FAILED;
2262 goto clean_exit;
2263 }
2264
2265 /* Notify all registered modules that have had any of their preferences
2266 changed either from one of the preferences file or from the command
2267 line that their preferences have changed. */
2268 prefs_apply_all();
2269
2270 /* We can also enable specified taps for export object */
2271 start_exportobjects();
2272
2273 /* At this point MATE will have registered its field array so we can
2274 check if the fields specified by the user are all good.
2275 */
2276 {
2277 GSList* it = NULL;
2278 GSList *invalid_fields = output_fields_valid(output_fields);
2279 if (invalid_fields != NULL) {
2280
2281 cmdarg_err("Some fields aren't valid:");
2282 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2283 cmdarg_err_cont("\t%s", (gchar *)it->data);
2284 }
2285 g_slist_free(invalid_fields);
2286 exit_status = WS_EXIT_INVALID_OPTION;
2287 goto clean_exit;
2288 }
2289 }
2290
2291 if (ex_opt_count("read_format") > 0) {
2292 const gchar* name = ex_opt_get_next("read_format");
2293 in_file_type = open_info_name_to_type(name);
2294 if (in_file_type == WTAP_TYPE_AUTO) {
2295 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2296 list_read_capture_types();
2297 exit_status = WS_EXIT_INVALID_OPTION;
2298 goto clean_exit;
2299 }
2300 }
2301
2302 if (global_dissect_options.time_format != TS_NOT_SET)
2303 timestamp_set_type(global_dissect_options.time_format);
2304 if (global_dissect_options.time_precision != TS_PREC_NOT_SET)
2305 timestamp_set_precision(global_dissect_options.time_precision);
2306
2307 /*
2308 * Enabled and disabled protocols and heuristic dissectors as per
2309 * command-line options.
2310 */
2311 if (!setup_enabled_and_disabled_protocols()) {
2312 exit_status = WS_EXIT_INVALID_OPTION;
2313 goto clean_exit;
2314 }
2315
2316 /* Build the column format array */
2317 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2318
2319 #ifdef HAVE_LIBPCAP
2320 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2321 capture_opts_trim_ring_num_files(&global_capture_opts);
2322 #endif
2323
2324 if (rfilter != NULL) {
2325 ws_debug("Compiling read filter: '%s'", rfilter);
2326 if (!compile_dfilter(rfilter, &rfcode)) {
2327 epan_cleanup();
2328 extcap_cleanup();
2329
2330 #ifdef HAVE_LIBPCAP
2331 warn_about_capture_filter(rfilter);
2332 #endif
2333
2334 exit_status = WS_EXIT_INVALID_INTERFACE;
2335 goto clean_exit;
2336 }
2337 }
2338 cfile.rfcode = rfcode;
2339
2340 if (dfilter != NULL) {
2341 ws_debug("Compiling display filter: '%s'", dfilter);
2342 if (!compile_dfilter(dfilter, &dfcode)) {
2343 epan_cleanup();
2344 extcap_cleanup();
2345
2346 #ifdef HAVE_LIBPCAP
2347 warn_about_capture_filter(dfilter);
2348 #endif
2349
2350 exit_status = WS_EXIT_INVALID_FILTER;
2351 goto clean_exit;
2352 }
2353 }
2354 cfile.dfcode = dfcode;
2355
2356 if (print_packet_info) {
2357 /* If we're printing as text or PostScript, we have
2358 to create a print stream. */
2359 if (output_action == WRITE_TEXT) {
2360 switch (print_format) {
2361
2362 case PR_FMT_TEXT:
2363 print_stream = print_stream_text_stdio_new(stdout);
2364 break;
2365
2366 case PR_FMT_PS:
2367 print_stream = print_stream_ps_stdio_new(stdout);
2368 break;
2369
2370 default:
2371 ws_assert_not_reached();
2372 }
2373 }
2374 }
2375
2376 /* PDU export requested. Take the ownership of the '-w' file, apply tap
2377 * filters and start tapping. */
2378 if (pdu_export_arg) {
2379 const char *exp_pdu_tap_name = pdu_export_arg;
2380 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
2381 char *exp_pdu_error;
2382 int exp_fd;
2383 char *comment;
2384
2385 if (!cf_name) {
2386 cmdarg_err("PDUs export requires a capture file (specify with -r).");
2387 exit_status = WS_EXIT_INVALID_OPTION;
2388 goto clean_exit;
2389 }
2390 /* Take ownership of the '-w' output file. */
2391 exp_pdu_filename = output_file_name;
2392 output_file_name = NULL;
2393 #ifdef HAVE_LIBPCAP
2394 global_capture_opts.save_file = NULL;
2395 #endif
2396 if (exp_pdu_filename == NULL) {
2397 cmdarg_err("PDUs export requires an output file (-w).");
2398 exit_status = WS_EXIT_INVALID_OPTION;
2399 goto clean_exit;
2400 }
2401
2402 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
2403 &exp_pdu_tap_data);
2404 if (exp_pdu_error) {
2405 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
2406 g_free(exp_pdu_error);
2407 list_export_pdu_taps();
2408 exit_status = INVALID_TAP;
2409 goto clean_exit;
2410 }
2411
2412 if (strcmp(exp_pdu_filename, "-") == 0) {
2413 /* Write to the standard output. */
2414 exp_fd = 1;
2415 } else {
2416 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2417 if (exp_fd == -1) {
2418 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2419 exit_status = WS_EXIT_INVALID_FILE;
2420 goto clean_exit;
2421 }
2422 }
2423
2424 /* Activate the export PDU tap */
2425 /* Write to our output file with this comment (if the type supports it,
2426 * otherwise exp_pdu_open() will ignore the comment) */
2427 comment = ws_strdup_printf("Dump of PDUs from %s", cf_name);
2428 exp_pdu_status = exp_pdu_open(&exp_pdu_tap_data, exp_pdu_filename,
2429 out_file_type, exp_fd, comment,
2430 &err, &err_info);
2431 g_free(comment);
2432 if (!exp_pdu_status) {
2433 cfile_dump_open_failure_message(exp_pdu_filename, err, err_info,
2434 out_file_type);
2435 exit_status = INVALID_EXPORT;
2436 goto clean_exit;
2437 }
2438 }
2439
2440 if (cf_name) {
2441 ws_debug("tshark: Opening capture file: %s", cf_name);
2442 /*
2443 * We're reading a capture file.
2444 */
2445 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2446 epan_cleanup();
2447 extcap_cleanup();
2448 exit_status = WS_EXIT_INVALID_FILE;
2449 goto clean_exit;
2450 }
2451
2452 /* Start statistics taps; we do so after successfully opening the
2453 capture file, so we know we have something to compute stats
2454 on, and after registering all dissectors, so that MATE will
2455 have registered its field array so we can have a tap filter
2456 with one of MATE's late-registered fields as part of the
2457 filter. */
2458 start_requested_stats();
2459
2460 /* Do we need to do dissection of packets? That depends on, among
2461 other things, what taps are listening, so determine that after
2462 starting the statistics taps. */
2463 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2464 ws_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2465
2466 /* Process the packets in the file */
2467 ws_debug("tshark: invoking process_cap_file() to process the packets");
2468 TRY {
2469 status = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res,
2470 #ifdef HAVE_LIBPCAP
2471 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2472 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0,
2473 global_capture_opts.has_autostop_written_packets ? global_capture_opts.autostop_written_packets : 0);
2474 #else
2475 max_packet_count,
2476 0,
2477 0);
2478 #endif
2479 }
2480 CATCH(OutOfMemoryError) {
2481 fprintf(stderr,
2482 "Out Of Memory.\n"
2483 "\n"
2484 "Sorry, but TShark has to terminate now.\n"
2485 "\n"
2486 "More information and workarounds can be found at\n"
2487 WS_WIKI_URL("KnownBugs/OutOfMemory") "\n");
2488 status = PROCESS_FILE_ERROR;
2489 }
2490 ENDTRY;
2491
2492 switch (status) {
2493
2494 case PROCESS_FILE_SUCCEEDED:
2495 /* Everything worked OK; draw the taps. */
2496 draw_taps = TRUE;
2497 break;
2498
2499 case PROCESS_FILE_NO_FILE_PROCESSED:
2500 /* We never got to try to read the file, so there are no tap
2501 results to dump. Exit with an error status. */
2502 exit_status = 2;
2503 break;
2504
2505 case PROCESS_FILE_ERROR:
2506 /* We still dump out the results of taps, etc., as we might have
2507 read some packets; however, we exit with an error status. */
2508 draw_taps = TRUE;
2509 exit_status = 2;
2510 break;
2511
2512 case PROCESS_FILE_INTERRUPTED:
2513 /* The user interrupted the read process; Don't dump out the
2514 result of taps, etc., and exit with an error status. */
2515 exit_status = 2;
2516 break;
2517 }
2518
2519 if (pdu_export_arg) {
2520 if (!exp_pdu_close(&exp_pdu_tap_data, &err, &err_info)) {
2521 cfile_close_failure_message(exp_pdu_filename, err, err_info);
2522 exit_status = 2;
2523 }
2524 g_free(pdu_export_arg);
2525 g_free(exp_pdu_filename);
2526 }
2527 } else {
2528 ws_debug("tshark: no capture file specified");
2529 /* No capture file specified, so we're supposed to do a live capture
2530 or get a list of link-layer types for a live capture device;
2531 do we have support for live captures? */
2532 #ifdef HAVE_LIBPCAP
2533 #ifdef _WIN32
2534 /* Warn the user if npf.sys isn't loaded. */
2535 if (!npf_sys_is_running()) {
2536 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
2537 "capturing or\nlisting interfaces.\n");
2538 }
2539 #endif /* _WIN32 */
2540
2541 /* if no interface was specified, pick a default */
2542 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2543 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2544 if (exit_status != 0) {
2545 goto clean_exit;
2546 }
2547
2548 /*
2549 * If requested, list the link layer types and/or time stamp types
2550 * and exit.
2551 */
2552 if (caps_queries) {
2553 guint i;
2554
2555 /* Get the list of link-layer types for the capture devices. */
2556 exit_status = EXIT_SUCCESS;
2557 GList *if_cap_queries = NULL;
2558 if_cap_query_t *if_cap_query;
2559 GHashTable *capability_hash;
2560 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2561 interface_options *interface_opts;
2562 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2563 if_cap_query = g_new(if_cap_query_t, 1);
2564 if_cap_query->name = interface_opts->name;
2565 if_cap_query->monitor_mode = interface_opts->monitor_mode;
2566 if_cap_query->auth_username = NULL;
2567 if_cap_query->auth_password = NULL;
2568 #ifdef HAVE_PCAP_REMOTE
2569 if (interface_opts->auth_type == CAPTURE_AUTH_PWD) {
2570 if_cap_query->auth_username = interface_opts->auth_username;
2571 if_cap_query->auth_password = interface_opts->auth_password;
2572 }
2573 #endif
2574 if_cap_queries = g_list_prepend(if_cap_queries, if_cap_query);
2575 }
2576 if_cap_queries = g_list_reverse(if_cap_queries);
2577 capability_hash = capture_get_if_list_capabilities(if_cap_queries, &err_str, &err_str_secondary, NULL);
2578 g_list_free_full(if_cap_queries, g_free);
2579 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2580 interface_options *interface_opts;
2581 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2582 if_capabilities_t *caps;
2583 caps = g_hash_table_lookup(capability_hash, interface_opts->name);
2584 if (caps == NULL) {
2585 cmdarg_err("%s%s%s", err_str, err_str_secondary ? "\n" : "", err_str_secondary ? err_str_secondary : "");
2586 g_free(err_str);
2587 g_free(err_str_secondary);
2588 exit_status = WS_EXIT_INVALID_CAPABILITY;
2589 break;
2590 }
2591 exit_status = capture_opts_print_if_capabilities(caps, interface_opts,
2592 caps_queries);
2593 if (exit_status != EXIT_SUCCESS) {
2594 break;
2595 }
2596 }
2597 g_hash_table_destroy(capability_hash);
2598 goto clean_exit;
2599 }
2600
2601 /*
2602 * If the standard error isn't a terminal, don't print packet counts,
2603 * as they won't show up on the user's terminal and they'll get in
2604 * the way of error messages in the file (to which we assume the
2605 * standard error was redirected; if it's redirected to the null
2606 * device, there's no point in printing packet counts anyway).
2607 *
2608 * Otherwise, if we're printing packet information and the standard
2609 * output is a terminal (which we assume means the standard output and
2610 * error are going to the same terminal), don't print packet counts,
2611 * as they'll get in the way of the packet information.
2612 *
2613 * Otherwise, if the user specified -q, don't print packet counts.
2614 *
2615 * Otherwise, print packet counts.
2616 *
2617 * XXX - what if the user wants to do a live capture, doesn't want
2618 * to save it to a file, doesn't want information printed for each
2619 * packet, does want some "-z" statistic, and wants packet counts
2620 * so they know whether they're seeing any packets? -q will
2621 * suppress the information printed for each packet, but it'll
2622 * also suppress the packet counts.
2623 */
2624 if (!ws_isatty(ws_fileno(stderr)))
2625 print_packet_counts = FALSE;
2626 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2627 print_packet_counts = FALSE;
2628 else if (quiet)
2629 print_packet_counts = FALSE;
2630 else
2631 print_packet_counts = TRUE;
2632
2633 ws_debug("tshark: performing live capture");
2634
2635 /* Start statistics taps; we should only do so after the capture
2636 started successfully, so we know we have something to compute
2637 stats, but we currently don't check for that - see below.
2638
2639 We do so after registering all dissectors, so that MATE will
2640 have registered its field array so we can have a tap filter
2641 with one of MATE's late-registered fields as part of the
2642 filter. */
2643 start_requested_stats();
2644
2645 /* Do we need to do dissection of packets? That depends on, among
2646 other things, what taps are listening, so determine that after
2647 starting the statistics taps. */
2648 do_dissection = must_do_dissection(rfcode, dfcode, pdu_export_arg);
2649 ws_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2650
2651 /* We're doing live capture; if the capture child is writing to a pipe,
2652 we can't do dissection, because that would mean two readers for
2653 the pipe, tshark and whatever else. */
2654 if (do_dissection && global_capture_opts.output_to_pipe) {
2655 if (tap_listeners_require_dissection()) {
2656 cmdarg_err("Taps aren't supported when capturing and saving to a pipe.");
2657 exit_status = WS_EXIT_INVALID_OPTION;
2658 goto clean_exit;
2659 }
2660 if (print_packet_info) {
2661 cmdarg_err("Printing dissected packets isn't supported when capturing and saving to a pipe.");
2662 exit_status = WS_EXIT_INVALID_OPTION;
2663 goto clean_exit;
2664 }
2665 /* We already checked the next three reasons for supersets of
2666 capturing and saving to a pipe, but this doesn't hurt. */
2667 if (pdu_export_arg) {
2668 cmdarg_err("PDUs export isn't supported when capturing and saving to a pipe.");
2669 exit_status = WS_EXIT_INVALID_OPTION;
2670 goto clean_exit;
2671 }
2672 if (rfcode != NULL) {
2673 cmdarg_err("Read filters aren't supported when capturing and saving to a pipe.");
2674 exit_status = WS_EXIT_INVALID_OPTION;
2675 goto clean_exit;
2676 }
2677 if (dfcode != NULL) {
2678 cmdarg_err("Display filters aren't supported when capturing and saving to a pipe.");
2679 exit_status = WS_EXIT_INVALID_OPTION;
2680 goto clean_exit;
2681 }
2682 /* There's some other reason we're dissecting. */
2683 cmdarg_err("Dissection isn't supported when capturing and saving to a pipe.");
2684 exit_status = WS_EXIT_INVALID_OPTION;
2685 goto clean_exit;
2686 }
2687
2688 /* Write a preamble if we're printing one. Do this after all checking
2689 * for invalid options, so we don't print just a preamble and quit. */
2690 if (print_packet_info) {
2691 if (!write_preamble(&cfile)) {
2692 show_print_file_io_error();
2693 exit_status = WS_EXIT_INVALID_FILE;
2694 goto clean_exit;
2695 }
2696 }
2697
2698 /*
2699 * XXX - this returns FALSE if an error occurred, but it also
2700 * returns FALSE if the capture stops because a time limit
2701 * was reached (and possibly other limits), so we can't assume
2702 * it means an error.
2703 *
2704 * The capture code is a bit twisty, so it doesn't appear to
2705 * be an easy fix. We just ignore the return value for now.
2706 * Instead, pass on the exit status from the capture child.
2707 */
2708 capture();
2709 exit_status = global_capture_session.fork_child_status;
2710
2711 if (print_packet_info) {
2712 if (!write_finale()) {
2713 show_print_file_io_error();
2714 }
2715 }
2716
2717 /*
2718 * If we never got a capture file, don't draw the taps; we not only
2719 * didn't capture any packets, we never even did any capturing.
2720 */
2721 if (cfile.filename != NULL)
2722 draw_taps = TRUE;
2723 #else
2724 /* No - complain. */
2725 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2726 exit_status = INVALID_CAPTURE;
2727 goto clean_exit;
2728 #endif
2729 }
2730
2731 if (cfile.provider.frames != NULL) {
2732 free_frame_data_sequence(cfile.provider.frames);
2733 cfile.provider.frames = NULL;
2734 }
2735
2736 if (draw_taps)
2737 draw_tap_listeners(TRUE);
2738
2739 if (tls_session_keys_file) {
2740 gsize keylist_length;
2741 gchar *keylist = ssl_export_sessions(&keylist_length);
2742 write_file_binary_mode(tls_session_keys_file, keylist, keylist_length);
2743 g_free(keylist);
2744 }
2745
2746 if (opt_print_timers) {
2747 if (cf_name == NULL) {
2748 /* We're doind a live capture. That isn't currently supported
2749 * with timers. */
2750 ws_message("Ignoring option --print-timers because we are doing a live capture");
2751 }
2752 else {
2753 print_elapsed_json(cf_name, dfilter);
2754 }
2755 }
2756
2757 /* Memory cleanup */
2758 reset_tap_listeners();
2759 funnel_dump_all_text_windows();
2760 epan_free(cfile.epan);
2761 epan_cleanup();
2762 extcap_cleanup();
2763
2764 output_fields_free(output_fields);
2765 output_fields = NULL;
2766
2767 clean_exit:
2768 cf_close(&cfile);
2769 g_free(cf_name);
2770 destroy_print_stream(print_stream);
2771 g_free(output_file_name);
2772 #ifdef HAVE_LIBPCAP
2773 capture_opts_cleanup(&global_capture_opts);
2774 if (cached_if_list) {
2775 free_interface_list(cached_if_list);
2776 }
2777 #endif
2778 col_cleanup(&cfile.cinfo);
2779 wtap_cleanup();
2780 free_progdirs();
2781 dfilter_free(dfcode);
2782 g_free(dfilter);
2783 return exit_status;
2784 }
2785
2786 gboolean loop_running;
2787 guint32 packet_count;
2788
2789 static epan_t *
2790 tshark_epan_new(capture_file *cf)
2791 {
2792 static const struct packet_provider_funcs funcs = {
2793 cap_file_provider_get_frame_ts,
2794 cap_file_provider_get_interface_name,
2795 cap_file_provider_get_interface_description,
2796 NULL,
2797 };
2798
2799 return epan_new(&cf->provider, &funcs);
2800 }
2801
2802 #ifdef HAVE_LIBPCAP
2803 static gboolean
2804 capture(void)
2805 {
2806 volatile gboolean ret = TRUE;
2807 GString *str;
2808 GMainContext *ctx;
2809 #ifndef _WIN32
2810 struct sigaction action, oldaction;
2811 #endif
2812
2813 /* Create new dissection section. */
2814 epan_free(cfile.epan);
2815 cfile.epan = tshark_epan_new(&cfile);
2816
2817 #ifdef _WIN32
2818 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2819 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2820 #else /* _WIN32 */
2821 /* Catch SIGINT and SIGTERM and, if we get either of them,
2822 clean up and exit. If SIGHUP isn't being ignored, catch
2823 it too and, if we get it, clean up and exit.
2824
2825 We restart any read that was in progress, so that it doesn't
2826 disrupt reading from the sync pipe. The signal handler tells
2827 the capture child to finish; it will report that it finished,
2828 or will exit abnormally, so we'll stop reading from the sync
2829 pipe, pick up the exit status, and quit. */
2830 memset(&action, 0, sizeof(action));
2831 action.sa_handler = capture_cleanup;
2832 action.sa_flags = SA_RESTART;
2833 sigemptyset(&action.sa_mask);
2834 sigaction(SIGTERM, &action, NULL);
2835 sigaction(SIGINT, &action, NULL);
2836 sigaction(SIGHUP, NULL, &oldaction);
2837 if (oldaction.sa_handler == SIG_DFL)
2838 sigaction(SIGHUP, &action, NULL);
2839
2840 #ifdef SIGINFO
2841 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2842 quiet mode, report the number of packets we've captured.
2843
2844 Again, restart any read that was in progress, so that it doesn't
2845 disrupt reading from the sync pipe. */
2846 action.sa_handler = report_counts_siginfo;
2847 action.sa_flags = SA_RESTART;
2848 sigemptyset(&action.sa_mask);
2849 sigaction(SIGINFO, &action, NULL);
2850 #endif /* SIGINFO */
2851 #endif /* _WIN32 */
2852
2853 global_capture_session.state = CAPTURE_PREPARING;
2854
2855 /* Let the user know which interfaces were chosen. */
2856 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2857 if (really_quiet == FALSE)
2858 fprintf(stderr, "Capturing on %s\n", str->str);
2859 fflush(stderr);
2860 g_string_free(str, TRUE);
2861
2862 ret = sync_pipe_start(&global_capture_opts, capture_comments,
2863 &global_capture_session, &global_info_data, NULL);
2864
2865 if (!ret)
2866 return FALSE;
2867
2868 /*
2869 * Force synchronous resolution of IP addresses; we're doing only
2870 * one pass, so we can't do it in the background and fix up past
2871 * dissections.
2872 */
2873 set_resolution_synchrony(TRUE);
2874
2875 /* the actual capture loop */
2876 ctx = g_main_context_default();
2877 loop_running = TRUE;
2878
2879 TRY
2880 {
2881 while (loop_running)
2882 {
2883 g_main_context_iteration(ctx, TRUE);
2884 }
2885 }
2886 CATCH(OutOfMemoryError) {
2887 fprintf(stderr,
2888 "Out Of Memory.\n"
2889 "\n"
2890 "Sorry, but TShark has to terminate now.\n"
2891 "\n"
2892 "More information and workarounds can be found at\n"
2893 WS_WIKI_URL("KnownBugs/OutOfMemory") "\n");
2894 abort();
2895 }
2896 ENDTRY;
2897 return ret;
2898 }
2899
2900 /* capture child detected an error */
2901 static void
2902 capture_input_error(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2903 {
2904 /* The primary message might be an empty string, e.g. when the error was
2905 * from extcap. (The extcap stderr is gathered when the session closes
2906 * and printed in capture_input_closed below.) */
2907 if (*error_msg != '\0') {
2908 cmdarg_err("%s", error_msg);
2909 if (secondary_error_msg != NULL && *secondary_error_msg != '\0') {
2910 /* We have both primary and secondary messages. */
2911 cmdarg_err_cont("%s", secondary_error_msg);
2912 }
2913 }
2914 }
2915
2916
2917 /* capture child detected an capture filter related error */
2918 static void
2919 capture_input_cfilter_error(capture_session *cap_session, guint i, const char *error_message)
2920 {
2921 capture_options *capture_opts = cap_session->capture_opts;
2922 dfilter_t *rfcode = NULL;
2923 interface_options *interface_opts;
2924
2925 ws_assert(i < capture_opts->ifaces->len);
2926 interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
2927
2928 if (dfilter_compile(interface_opts->cfilter, &rfcode, NULL) && rfcode != NULL) {
2929 cmdarg_err(
2930 "Invalid capture filter \"%s\" for interface '%s'.\n"
2931 "\n"
2932 "That string looks like a valid display filter; however, it isn't a valid\n"
2933 "capture filter (%s).\n"
2934 "\n"
2935 "Note that display filters and capture filters don't have the same syntax,\n"
2936 "so you can't use most display filter expressions as capture filters.\n"
2937 "\n"
2938 "See the User's Guide for a description of the capture filter syntax.",
2939 interface_opts->cfilter, interface_opts->descr, error_message);
2940 dfilter_free(rfcode);
2941 } else {
2942 cmdarg_err(
2943 "Invalid capture filter \"%s\" for interface '%s'.\n"
2944 "\n"
2945 "That string isn't a valid capture filter (%s).\n"
2946 "See the User's Guide for a description of the capture filter syntax.",
2947 interface_opts->cfilter, interface_opts->descr, error_message);
2948 }
2949 }
2950
2951
2952 /* capture child tells us we have a new (or the first) capture file */
2953 static bool
2954 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2955 {
2956 capture_options *capture_opts = cap_session->capture_opts;
2957 capture_file *cf = cap_session->cf;
2958 gboolean is_tempfile;
2959 int err;
2960
2961 if (really_quiet == FALSE) {
2962 if (cap_session->state == CAPTURE_PREPARING) {
2963 ws_info("Capture started.");
2964 }
2965 ws_info("File: \"%s\"", new_file);
2966 }
2967
2968 ws_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2969
2970 /* free the old filename */
2971 if (capture_opts->save_file != NULL) {
2972
2973 /* we start a new capture file, close the old one (if we had one before) */
2974 if (cf->state != FILE_CLOSED) {
2975 cf_close(cf);
2976 }
2977
2978 g_free(capture_opts->save_file);
2979 is_tempfile = FALSE;
2980
2981 epan_free(cf->epan);
2982 cf->epan = tshark_epan_new(cf);
2983 } else {
2984 /* we didn't had a save_file before, must be a tempfile */
2985 is_tempfile = TRUE;
2986 }
2987
2988 /* save the new filename */
2989 capture_opts->save_file = g_strdup(new_file);
2990
2991 /* if we are in real-time mode, open the new file now */
2992 if (do_dissection) {
2993 /* this is probably unnecessary, but better safe than sorry */
2994 cap_session->cf->open_type = WTAP_TYPE_AUTO;
2995 /* Attempt to open the capture file and set up to read from it. */
2996 switch(cf_open(cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2997 case CF_OK:
2998 break;
2999 case CF_ERROR:
3000 /* Don't unlink (delete) the save file - leave it around,
3001 for debugging purposes. */
3002 g_free(capture_opts->save_file);
3003 capture_opts->save_file = NULL;
3004 return FALSE;
3005 }
3006 } else if (quiet && is_tempfile) {
3007 cf->state = FILE_READ_ABORTED;
3008 cf->filename = g_strdup(new_file);
3009 cf->is_tempfile = is_tempfile;
3010 }
3011
3012 cap_session->state = CAPTURE_RUNNING;
3013
3014 return TRUE;
3015 }
3016
3017
3018 /* capture child tells us we have new packets to read */
3019 static void
3020 capture_input_new_packets(capture_session *cap_session, int to_read)
3021 {
3022 gboolean ret;
3023 int err;
3024 gchar *err_info;
3025 gint64 data_offset;
3026 capture_file *cf = cap_session->cf;
3027 gboolean filtering_tap_listeners;
3028 guint tap_flags;
3029
3030 #ifdef SIGINFO
3031 /*
3032 * Prevent a SIGINFO handler from writing to the standard error while
3033 * we're doing so or writing to the standard output; instead, have it
3034 * just set a flag telling us to print that information when we're done.
3035 */
3036 infodelay = TRUE;
3037 #endif /* SIGINFO */
3038
3039 /* Do we have any tap listeners with filters? */
3040 filtering_tap_listeners = have_filtering_tap_listeners();
3041
3042 /* Get the union of the flags for all tap listeners. */
3043 tap_flags = union_of_tap_listener_flags();
3044
3045 if (do_dissection) {
3046 gboolean create_proto_tree;
3047 epan_dissect_t *edt;
3048 wtap_rec rec;
3049 Buffer buf;
3050
3051 /*
3052 * Determine whether we need to create a protocol tree.
3053 * We do if:
3054 *
3055 * we're going to apply a read filter;
3056 *
3057 * we're going to apply a display filter;
3058 *
3059 * we're going to print the protocol tree;
3060 *
3061 * one of the tap listeners is going to apply a filter;
3062 *
3063 * one of the tap listeners requires a protocol tree;
3064 *
3065 * a postdissector wants field values or protocols
3066 * on the first pass;
3067 *
3068 * we have custom columns (which require field values, which
3069 * currently requires that we build a protocol tree).
3070 */
3071 create_proto_tree =
3072 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3073 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3074 have_custom_cols(&cf->cinfo) || dissect_color);
3075
3076 /* The protocol tree will be "visible", i.e., nothing faked, only if
3077 we're printing packet details, which is true if we're printing stuff
3078 ("print_packet_info" is true) and we're in verbose mode
3079 ("packet_details" is true). But if we specified certain fields with
3080 "-e", we'll prime those directly later. */
3081 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3082 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3083
3084 wtap_rec_init(&rec);
3085 ws_buffer_init(&buf, 1514);
3086
3087 while (to_read-- && cf->provider.wth) {
3088 wtap_cleareof(cf->provider.wth);
3089 ret = wtap_read(cf->provider.wth, &rec, &buf, &err, &err_info, &data_offset);
3090 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3091 if (ret == FALSE) {
3092 /* read from file failed, tell the capture child to stop */
3093 sync_pipe_stop(cap_session);
3094 wtap_close(cf->provider.wth);
3095 cf->provider.wth = NULL;
3096 } else {
3097 ret = process_packet_single_pass(cf, edt, data_offset, &rec, &buf,
3098 tap_flags);
3099 }
3100 if (ret != FALSE) {
3101 /* packet successfully read and gone through the "Read Filter" */
3102 packet_count++;
3103 }
3104 wtap_rec_reset(&rec);
3105 }
3106
3107 epan_dissect_free(edt);
3108
3109 wtap_rec_cleanup(&rec);
3110 ws_buffer_free(&buf);
3111
3112 } else {
3113 /*
3114 * Dumpcap's doing all the work; we're not doing any dissection.
3115 * Count all the packets it wrote.
3116 */
3117 packet_count += to_read;
3118 }
3119
3120 if (print_packet_counts) {
3121 /* We're printing packet counts. */
3122 if (packet_count != 0) {
3123 fprintf(stderr, "\r%u ", packet_count);
3124 /* stderr could be line buffered */
3125 fflush(stderr);
3126 }
3127 }
3128
3129 #ifdef SIGINFO
3130 /*
3131 * Allow SIGINFO handlers to write.
3132 */
3133 infodelay = FALSE;
3134
3135 /*
3136 * If a SIGINFO handler asked us to write out capture counts, do so.
3137 */
3138 if (infoprint)
3139 report_counts();
3140 #endif /* SIGINFO */
3141 }
3142
3143 static void
3144 report_counts(void)
3145 {
3146 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
3147 /* Report the count only if we aren't printing a packet count
3148 as packets arrive. */
3149 fprintf(stderr, "%u packet%s captured\n", packet_count,
3150 plurality(packet_count, "", "s"));
3151 }
3152 #ifdef SIGINFO
3153 infoprint = FALSE; /* we just reported it */
3154 #endif /* SIGINFO */
3155 }
3156
3157 #ifdef SIGINFO
3158 static void
3159 report_counts_siginfo(int signum _U_)
3160 {
3161 int sav_errno = errno;
3162 /* If we've been told to delay printing, just set a flag asking
3163 that we print counts (if we're supposed to), otherwise print
3164 the count of packets captured (if we're supposed to). */
3165 if (infodelay)
3166 infoprint = TRUE;
3167 else
3168 report_counts();
3169 errno = sav_errno;
3170 }
3171 #endif /* SIGINFO */
3172
3173
3174 /* capture child detected any packet drops? */
3175 static void
3176 capture_input_drops(capture_session *cap_session _U_, guint32 dropped, const char* interface_name)
3177 {
3178 if (print_packet_counts) {
3179 /* We're printing packet counts to stderr.
3180 Send a newline so that we move to the line after the packet count. */
3181 fprintf(stderr, "\n");
3182 }
3183
3184 if (dropped != 0) {
3185 /* We're printing packet counts to stderr.
3186 Send a newline so that we move to the line after the packet count. */
3187 if (interface_name != NULL) {
3188 fprintf(stderr, "%u packet%s dropped from %s\n", dropped, plurality(dropped, "", "s"), interface_name);
3189 } else {
3190 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
3191 }
3192 }
3193 }
3194
3195
3196 /*
3197 * Capture child closed its side of the pipe, report any error and
3198 * do the required cleanup.
3199 */
3200 static void
3201 capture_input_closed(capture_session *cap_session _U_, gchar *msg)
3202 {
3203 if (msg != NULL && *msg != '\0')
3204 fprintf(stderr, "tshark: %s\n", msg);
3205
3206 report_counts();
3207
3208 loop_running = FALSE;
3209 }
3210
3211 #ifdef _WIN32
3212 static BOOL WINAPI
3213 capture_cleanup(DWORD ctrltype _U_)
3214 {
3215 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3216 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3217 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3218 like SIGTERM at least when the machine's shutting down.
3219
3220 For now, we handle them all as indications that we should clean up
3221 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3222 way on UNIX.
3223
3224 We must return TRUE so that no other handler - such as one that would
3225 terminate the process - gets called.
3226
3227 XXX - for some reason, typing ^C to TShark, if you run this in
3228 a Cygwin console window in at least some versions of Cygwin,
3229 causes TShark to terminate immediately; this routine gets
3230 called, but the main loop doesn't get a chance to run and
3231 exit cleanly, at least if this is compiled with Microsoft Visual
3232 C++ (i.e., it's a property of the Cygwin console window or Bash;
3233 it happens if TShark is not built with Cygwin - for all I know,
3234 building it with Cygwin may make the problem go away). */
3235
3236 /* tell the capture child to stop */
3237 sync_pipe_stop(&global_capture_session);
3238
3239 /* don't stop our own loop already here, otherwise status messages and
3240 * cleanup wouldn't be done properly. The child will indicate the stop of
3241 * everything by calling capture_input_closed() later */
3242
3243 return TRUE;
3244 }
3245 #else
3246 static void
3247 capture_cleanup(int signum _U_)
3248 {
3249 /* tell the capture child to stop */
3250 sync_pipe_stop(&global_capture_session);
3251
3252 /* don't stop our own loop already here, otherwise status messages and
3253 * cleanup wouldn't be done properly. The child will indicate the stop of
3254 * everything by calling capture_input_closed() later */
3255 }
3256 #endif /* _WIN32 */
3257 #endif /* HAVE_LIBPCAP */
3258
3259 static gboolean
3260 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
3261 gint64 offset, wtap_rec *rec, Buffer *buf)
3262 {
3263 frame_data fdlocal;
3264 guint32 framenum;
3265 gboolean passed;
3266 gint64 elapsed_start;
3267
3268 /* The frame number of this packet is one more than the count of
3269 frames in this packet. */
3270 framenum = cf->count + 1;
3271
3272 /* If we're not running a display filter and we're not printing any
3273 packet information, we don't need to do a dissection. This means
3274 that all packets can be marked as 'passed'. */
3275 passed = TRUE;
3276
3277 frame_data_init(&fdlocal, framenum, rec, offset, cum_bytes);
3278
3279 /* If we're going to run a read filter or a display filter, set up to
3280 do a dissection and do so. (This is the first pass of two passes
3281 over the packets, so we will not be printing any information
3282 from the dissection or running taps on the packet; if we're doing
3283 any of that, we'll do it in the second pass.) */
3284 if (edt) {
3285 if (gbl_resolv_flags.network_name || gbl_resolv_flags.maxmind_geoip) {
3286 /* If we're doing async lookups, send any that are queued and
3287 * retrieve results.
3288 *
3289 * Ideally we'd force any lookups that need to happen on the second pass
3290 * to be sent asynchronously on this pass so the results would be ready.
3291 * That will happen if they're involved in a filter (because we prime the
3292 * tree below), but not currently for taps, if we're printing packet
3293 * summaries or details, etc.
3294 *
3295 * XXX - If we're running a read filter that depends on a resolved
3296 * name, we should be doing synchronous lookups in that case. Also
3297 * marking the dependent frames below might not work with a display
3298 * filter that depends on a resolved name.
3299 */
3300 host_name_lookup_process();
3301 }
3302
3303 column_info *cinfo = NULL;
3304
3305 /* If we're running a read filter, prime the epan_dissect_t with that
3306 filter. */
3307 if (cf->rfcode)
3308 epan_dissect_prime_with_dfilter(edt, cf->rfcode);
3309
3310 if (cf->dfcode)
3311 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3312
3313 /* This is the first pass, so prime the epan_dissect_t with the
3314 hfids postdissectors want on the first pass. */
3315 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
3316
3317 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3318 &cf->provider.ref, cf->provider.prev_dis);
3319 if (cf->provider.ref == &fdlocal) {
3320 ref_frame = fdlocal;
3321 cf->provider.ref = &ref_frame;
3322 }
3323
3324 /* If we're applying a filter that needs the columns, construct them. */
3325 if (dfilter_requires_columns(cf->rfcode) || dfilter_requires_columns(cf->dfcode)) {
3326 cinfo = &cf->cinfo;
3327 }
3328
3329 elapsed_start = g_get_monotonic_time();
3330 epan_dissect_run(edt, cf->cd_t, rec,
3331 frame_tvbuff_new_buffer(&cf->provider, &fdlocal, buf),
3332 &fdlocal, cinfo);
3333 tshark_elapsed.first_pass.dissect += g_get_monotonic_time() - elapsed_start;
3334
3335 /* Run the read filter if we have one. */
3336 if (cf->rfcode) {
3337 elapsed_start = g_get_monotonic_time();
3338 passed = dfilter_apply_edt(cf->rfcode, edt);
3339 tshark_elapsed.first_pass.dfilter_read += g_get_monotonic_time() - elapsed_start;
3340 }
3341 }
3342
3343 if (passed) {
3344 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3345 cf->provider.prev_cap = cf->provider.prev_dis = frame_data_sequence_add(cf->provider.frames, &fdlocal);
3346
3347 /* If we're not doing dissection then there won't be any dependent frames.
3348 * More importantly, edt.pi.fd.dependent_frames won't be initialized because
3349 * epan hasn't been initialized.
3350 * if we *are* doing dissection, then mark the dependent frames, but only
3351 * if a display filter was given and it matches this packet.
3352 */
3353 if (edt && cf->dfcode) {
3354 elapsed_start = g_get_monotonic_time();
3355 if (dfilter_apply_edt(cf->dfcode, edt) && edt->pi.fd->dependent_frames) {
3356 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
3357 }
3358
3359 if (selected_frame_number != 0 && selected_frame_number == cf->count + 1) {
3360 /* If we are doing dissection and we have a "selected frame"
3361 * then load that frame's references (if any) onto the compiled
3362 * display filter. Selected frame number is ordinal, count is cardinal. */
3363 dfilter_load_field_references(cf->dfcode, edt->tree);
3364 }
3365 tshark_elapsed.first_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
3366 }
3367
3368 cf->count++;
3369 } else {
3370 /* if we don't add it to the frame_data_sequence, clean it up right now
3371 * to avoid leaks */
3372 frame_data_destroy(&fdlocal);
3373 }
3374
3375 if (edt)
3376 epan_dissect_reset(edt);
3377
3378 return passed;
3379 }
3380
3381 /*
3382 * Set if reading a file was interrupted by a CTRL_ event on Windows or
3383 * a signal on UN*X.
3384 */
3385 static gboolean read_interrupted;
3386
3387 #ifdef _WIN32
3388 static BOOL WINAPI
3389 read_cleanup(DWORD ctrltype _U_)
3390 {
3391 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3392 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3393 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3394 like SIGTERM at least when the machine's shutting down.
3395
3396 For now, we handle them all as indications that we should clean up
3397 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3398 way on UNIX.
3399
3400 We must return TRUE so that no other handler - such as one that would
3401 terminate the process - gets called.
3402
3403 XXX - for some reason, typing ^C to TShark, if you run this in
3404 a Cygwin console window in at least some versions of Cygwin,
3405 causes TShark to terminate immediately; this routine gets
3406 called, but the main loop doesn't get a chance to run and
3407 exit cleanly, at least if this is compiled with Microsoft Visual
3408 C++ (i.e., it's a property of the Cygwin console window or Bash;
3409 it happens if TShark is not built with Cygwin - for all I know,
3410 building it with Cygwin may make the problem go away). */
3411
3412 /* tell the read to stop */
3413 read_interrupted = TRUE;
3414
3415 return TRUE;
3416 }
3417 #else
3418 static void
3419 read_cleanup(int signum _U_)
3420 {
3421 /* tell the read to stop */
3422 read_interrupted = TRUE;
3423 }
3424 #endif /* _WIN32 */
3425
3426 typedef enum {
3427 PASS_SUCCEEDED,
3428 PASS_READ_ERROR,
3429 PASS_WRITE_ERROR,
3430 PASS_INTERRUPTED
3431 } pass_status_t;
3432
3433 static pass_status_t
3434 process_cap_file_first_pass(capture_file *cf, int max_packet_count,
3435 gint64 max_byte_count, int *err, gchar **err_info)
3436 {
3437 wtap_rec rec;
3438 Buffer buf;
3439 epan_dissect_t *edt = NULL;
3440 gint64 data_offset;
3441 pass_status_t status = PASS_SUCCEEDED;
3442 int framenum = 0;
3443
3444 wtap_rec_init(&rec);
3445 ws_buffer_init(&buf, 1514);
3446
3447 /* Allocate a frame_data_sequence for all the frames. */
3448 cf->provider.frames = new_frame_data_sequence();
3449
3450 if (do_dissection) {
3451 gboolean create_proto_tree;
3452
3453 /*
3454 * Determine whether we need to create a protocol tree.
3455 * We do if:
3456 *
3457 * we're going to apply a read filter;
3458 *
3459 * we're going to apply a display filter;
3460 *
3461 * a postdissector wants field values or protocols
3462 * on the first pass.
3463 */
3464 create_proto_tree =
3465 (cf->rfcode != NULL || cf->dfcode != NULL || postdissectors_want_hfids() || dissect_color);
3466
3467 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3468
3469 /* We're not going to display the protocol tree on this pass,
3470 so it's not going to be "visible". */
3471 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3472 }
3473
3474 ws_debug("tshark: reading records for first pass");
3475 *err = 0;
3476 while (wtap_read(cf->provider.wth, &rec, &buf, err, err_info, &data_offset)) {
3477 if (read_interrupted) {
3478 status = PASS_INTERRUPTED;
3479 break;
3480 }
3481 framenum++;
3482
3483 if (process_packet_first_pass(cf, edt, data_offset, &rec, &buf)) {
3484 /* Stop reading if we hit a stop condition */
3485 if (max_packet_count > 0 && framenum >= max_packet_count) {
3486 ws_debug("tshark: max_packet_count (%d) reached", max_packet_count);
3487 *err = 0; /* This is not an error */
3488 break;
3489 }
3490 if (max_byte_count != 0 && data_offset >= max_byte_count) {
3491 ws_debug("tshark: max_byte_count (%" PRId64 "/%" PRId64 ") reached",
3492 data_offset, max_byte_count);
3493 *err = 0; /* This is not an error */
3494 break;
3495 }
3496 }
3497 wtap_rec_reset(&rec);
3498 }
3499 if (*err != 0)
3500 status = PASS_READ_ERROR;
3501
3502 if (edt)
3503 epan_dissect_free(edt);
3504
3505 /* Close the sequential I/O side, to free up memory it requires. */
3506 wtap_sequential_close(cf->provider.wth);
3507
3508 /* Allow the protocol dissectors to free up memory that they
3509 * don't need after the sequential run-through of the packets. */
3510 postseq_cleanup_all_protocols();
3511
3512 cf->provider.prev_dis = NULL;
3513 cf->provider.prev_cap = NULL;
3514
3515 ws_buffer_free(&buf);
3516 wtap_rec_cleanup(&rec);
3517
3518 return status;
3519 }
3520
3521 static gboolean
3522 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt,
3523 frame_data *fdata, wtap_rec *rec,
3524 Buffer *buf, guint tap_flags _U_)
3525 {
3526 column_info *cinfo;
3527 gboolean passed;
3528 wtap_block_t block = NULL;
3529 gint64 elapsed_start;
3530
3531 /* If we're not running a display filter and we're not printing any
3532 packet information, we don't need to do a dissection. This means
3533 that all packets can be marked as 'passed'. */
3534 passed = TRUE;
3535
3536 /* If we're going to print packet information, or we're going to
3537 run a read filter, or we're going to process taps, set up to
3538 do a dissection and do so. (This is the second pass of two
3539 passes over the packets; that's the pass where we print
3540 packet information or run taps.) */
3541 if (edt) {
3542 /* If we're running a display filter, prime the epan_dissect_t with that
3543 filter. */
3544 if (cf->dfcode)
3545 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3546
3547 col_custom_prime_edt(edt, &cf->cinfo);
3548
3549 output_fields_prime_edt(edt, output_fields);
3550 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
3551 * information from our 'frame' protocol.
3552 */
3553 if (output_fields_num_fields(output_fields) != 0 &&
3554 output_action == WRITE_XML) {
3555 epan_dissect_prime_with_hfid(edt, proto_registrar_get_id_byname("frame"));
3556 }
3557
3558 /* We only need the columns if either
3559 1) some tap or filter needs the columns
3560 or
3561 2) we're printing packet info but we're *not* verbose; in verbose
3562 mode, we print the protocol tree, not the protocol summary.
3563 or
3564 3) there is a column mapped to an individual field
3565 */
3566 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
3567 cinfo = &cf->cinfo;
3568 else
3569 cinfo = NULL;
3570
3571 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3572 &cf->provider.ref, cf->provider.prev_dis);
3573 if (cf->provider.ref == fdata) {
3574 ref_frame = *fdata;
3575 cf->provider.ref = &ref_frame;
3576 }
3577
3578 if (dissect_color) {
3579 color_filters_prime_edt(edt);
3580 fdata->need_colorize = 1;
3581 }
3582
3583 /* epan_dissect_run (and epan_dissect_reset) unref the block.
3584 * We need it later, e.g. in order to copy the options. */
3585 block = wtap_block_ref(rec->block);
3586 elapsed_start = g_get_monotonic_time();
3587 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
3588 frame_tvbuff_new_buffer(&cf->provider, fdata, buf),
3589 fdata, cinfo);
3590 tshark_elapsed.second_pass.dissect += g_get_monotonic_time() - elapsed_start;
3591
3592 /* Run the display filter if we have one. */
3593 if (cf->dfcode) {
3594 elapsed_start = g_get_monotonic_time();
3595 passed = dfilter_apply_edt(cf->dfcode, edt);
3596 tshark_elapsed.second_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
3597 }
3598 }
3599
3600 if (passed) {
3601 frame_data_set_after_dissect(fdata, &cum_bytes);
3602 /* Process this packet. */
3603 if (print_packet_info) {
3604 /* We're printing packet information; print the information for
3605 this packet. */
3606 print_packet(cf, edt);
3607
3608 /* If we're doing "line-buffering", flush the standard output
3609 after every packet. See the comment above, for the "-l"
3610 option, for an explanation of why we do that. */
3611 if (line_buffered)
3612 fflush(stdout);
3613
3614 if (ferror(stdout)) {
3615 show_print_file_io_error();
3616 exit(2);
3617 }
3618 }
3619 cf->provider.prev_dis = fdata;
3620 }
3621 cf->provider.prev_cap = fdata;
3622
3623 if (edt) {
3624 epan_dissect_reset(edt);
3625 rec->block = block;
3626 }
3627 return passed || fdata->dependent_of_displayed;
3628 }
3629
3630 static gboolean
3631 process_new_idbs(wtap *wth, wtap_dumper *pdh, int *err, gchar **err_info)
3632 {
3633 wtap_block_t if_data;
3634
3635 while ((if_data = wtap_get_next_interface_description(wth)) != NULL) {
3636 /*
3637 * Only add interface blocks if the output file supports (meaning
3638 * *requires*) them.
3639 *
3640 * That mean that the abstract interface provided by libwiretap
3641 * involves WTAP_BLOCK_IF_ID_AND_INFO blocks.
3642 */
3643 if (pdh != NULL) {
3644 if (wtap_file_type_subtype_supports_block(wtap_dump_file_type_subtype(pdh), WTAP_BLOCK_IF_ID_AND_INFO) != BLOCK_NOT_SUPPORTED) {
3645 if (!wtap_dump_add_idb(pdh, if_data, err, err_info))
3646 return FALSE;
3647 }
3648 }
3649 }
3650 return TRUE;
3651 }
3652
3653 static pass_status_t
3654 process_cap_file_second_pass(capture_file *cf, wtap_dumper *pdh,
3655 int *err, gchar **err_info,
3656 volatile guint32 *err_framenum,
3657 int max_write_packet_count)
3658 {
3659 wtap_rec rec;
3660 Buffer buf;
3661 int framenum = 0;
3662 int write_framenum = 0;
3663 frame_data *fdata;
3664 gboolean filtering_tap_listeners;
3665 guint tap_flags;
3666 epan_dissect_t *edt = NULL;
3667 pass_status_t status = PASS_SUCCEEDED;
3668
3669 /*
3670 * Process whatever IDBs we haven't seen yet. This will be all
3671 * the IDBs in the file, as we've finished reading it; they'll
3672 * all be at the beginning of the output file.
3673 */
3674 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3675 *err_framenum = 0;
3676 return PASS_WRITE_ERROR;
3677 }
3678
3679 wtap_rec_init(&rec);
3680 ws_buffer_init(&buf, 1514);
3681
3682 /* Do we have any tap listeners with filters? */
3683 filtering_tap_listeners = have_filtering_tap_listeners();
3684
3685 /* Get the union of the flags for all tap listeners. */
3686 tap_flags = union_of_tap_listener_flags();
3687
3688 if (do_dissection) {
3689 gboolean create_proto_tree;
3690
3691 /*
3692 * Determine whether we need to create a protocol tree.
3693 * We do if:
3694 *
3695 * we're going to apply a display filter;
3696 *
3697 * we're going to print the protocol tree;
3698 *
3699 * one of the tap listeners requires a protocol tree;
3700 *
3701 * we have custom columns (which require field values, which
3702 * currently requires that we build a protocol tree).
3703 */
3704 create_proto_tree =
3705 (cf->dfcode || print_details || filtering_tap_listeners ||
3706 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo) || dissect_color);
3707
3708 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3709
3710 /* The protocol tree will be "visible", i.e., nothing faked, only if
3711 we're printing packet details, which is true if we're printing stuff
3712 ("print_packet_info" is true) and we're in verbose mode
3713 ("packet_details" is true). But if we specified certain fields with
3714 "-e", we'll prime those directly later. */
3715 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3716 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3717 }
3718
3719 /*
3720 * Force synchronous resolution of IP addresses; in this pass, we
3721 * can't do it in the background and fix up past dissections.
3722 */
3723 set_resolution_synchrony(TRUE);
3724
3725 for (framenum = 1; framenum <= (int)cf->count; framenum++) {
3726 if (read_interrupted) {
3727 status = PASS_INTERRUPTED;
3728 break;
3729 }
3730 fdata = frame_data_sequence_find(cf->provider.frames, framenum);
3731 if (!wtap_seek_read(cf->provider.wth, fdata->file_off, &rec, &buf, err,
3732 err_info)) {
3733 /* Error reading from the input file. */
3734 status = PASS_READ_ERROR;
3735 break;
3736 }
3737 ws_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3738 if (process_packet_second_pass(cf, edt, fdata, &rec, &buf, tap_flags)) {
3739 /* Either there's no read filtering or this packet passed the
3740 filter, so, if we're writing to a capture file, write
3741 this packet out. */
3742 write_framenum++;
3743 if (pdh != NULL) {
3744 ws_debug("tshark: writing packet #%d to outfile packet #%d", framenum, write_framenum);
3745 if (!wtap_dump(pdh, &rec, ws_buffer_start_ptr(&buf), err, err_info)) {
3746 /* Error writing to the output file. */
3747 ws_debug("tshark: error writing to a capture file (%d)", *err);
3748 *err_framenum = framenum;
3749 status = PASS_WRITE_ERROR;
3750 break;
3751 }
3752 /* Stop reading if we hit a stop condition */
3753 if (max_write_packet_count > 0 && write_framenum >= max_write_packet_count) {
3754 ws_debug("tshark: max_write_packet_count (%d) reached", max_write_packet_count);
3755 *err = 0; /* This is not an error */
3756 break;
3757 }
3758 }
3759 }
3760 wtap_rec_reset(&rec);
3761 }
3762
3763 if (edt)
3764 epan_dissect_free(edt);
3765
3766 ws_buffer_free(&buf);
3767 wtap_rec_cleanup(&rec);
3768
3769 return status;
3770 }
3771
3772 static pass_status_t
3773 process_cap_file_single_pass(capture_file *cf, wtap_dumper *pdh,
3774 int max_packet_count, gint64 max_byte_count,
3775 int max_write_packet_count,
3776 int *err, gchar **err_info,
3777 volatile guint32 *err_framenum)
3778 {
3779 wtap_rec rec;
3780 Buffer buf;
3781 gboolean create_proto_tree = FALSE;
3782 gboolean filtering_tap_listeners;
3783 guint tap_flags;
3784 int framenum = 0;
3785 int write_framenum = 0;
3786 epan_dissect_t *edt = NULL;
3787 gint64 data_offset;
3788 pass_status_t status = PASS_SUCCEEDED;
3789
3790 wtap_rec_init(&rec);
3791 ws_buffer_init(&buf, 1514);
3792
3793 /* Do we have any tap listeners with filters? */
3794 filtering_tap_listeners = have_filtering_tap_listeners();
3795
3796 /* Get the union of the flags for all tap listeners. */
3797 tap_flags = union_of_tap_listener_flags();
3798
3799 if (do_dissection) {
3800 /*
3801 * Determine whether we need to create a protocol tree.
3802 * We do if:
3803 *
3804 * we're going to apply a read filter;
3805 *
3806 * we're going to apply a display filter;
3807 *
3808 * we're going to print the protocol tree;
3809 *
3810 * one of the tap listeners is going to apply a filter;
3811 *
3812 * one of the tap listeners requires a protocol tree;
3813 *
3814 * a postdissector wants field values or protocols
3815 * on the first pass;
3816 *
3817 * we have custom columns (which require field values, which
3818 * currently requires that we build a protocol tree).
3819 */
3820 create_proto_tree =
3821 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3822 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3823 have_custom_cols(&cf->cinfo) || dissect_color);
3824
3825 ws_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3826
3827 /* The protocol tree will be "visible", i.e., nothing faked, only if
3828 we're printing packet details, which is true if we're printing stuff
3829 ("print_packet_info" is true) and we're in verbose mode
3830 ("packet_details" is true). But if we specified certain fields with
3831 "-e", we'll prime those directly later. */
3832 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3833 edt = epan_dissect_new(cf->epan, create_proto_tree, visible);
3834 }
3835
3836 /*
3837 * Force synchronous resolution of IP addresses; we're doing only
3838 * one pass, so we can't do it in the background and fix up past
3839 * dissections.
3840 */
3841 set_resolution_synchrony(TRUE);
3842
3843 *err = 0;
3844 while (wtap_read(cf->provider.wth, &rec, &buf, err, err_info, &data_offset)) {
3845 if (read_interrupted) {
3846 status = PASS_INTERRUPTED;
3847 break;
3848 }
3849 framenum++;
3850
3851 /*
3852 * Process whatever IDBs we haven't seen yet.
3853 */
3854 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3855 *err_framenum = framenum;
3856 status = PASS_WRITE_ERROR;
3857 break;
3858 }
3859
3860 ws_debug("tshark: processing packet #%d", framenum);
3861
3862 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3863
3864 if (process_packet_single_pass(cf, edt, data_offset, &rec, &buf, tap_flags)) {
3865 /* Either there's no read filtering or this packet passed the
3866 filter, so, if we're writing to a capture file, write
3867 this packet out. */
3868 write_framenum++;
3869 if (pdh != NULL) {
3870 ws_debug("tshark: writing packet #%d to outfile as #%d",
3871 framenum, write_framenum);
3872 if (!wtap_dump(pdh, &rec, ws_buffer_start_ptr(&buf), err, err_info)) {
3873 /* Error writing to the output file. */
3874 ws_debug("tshark: error writing to a capture file (%d)", *err);
3875 *err_framenum = framenum;
3876 status = PASS_WRITE_ERROR;
3877 break;
3878 }
3879 }
3880 }
3881 /* Stop reading if we hit a stop condition */
3882 if (max_packet_count > 0 && framenum >= max_packet_count) {
3883 ws_debug("tshark: max_packet_count (%d) reached", max_packet_count);
3884 *err = 0; /* This is not an error */
3885 break;
3886 }
3887 if (max_write_packet_count > 0 && write_framenum >= max_write_packet_count) {
3888 ws_debug("tshark: max_write_packet_count (%d) reached", max_write_packet_count);
3889 *err = 0; /* This is not an error */
3890 break;
3891 }
3892 if (max_byte_count != 0 && data_offset >= max_byte_count) {
3893 ws_debug("tshark: max_byte_count (%" PRId64 "/%" PRId64 ") reached",
3894 data_offset, max_byte_count);
3895 *err = 0; /* This is not an error */
3896 break;
3897 }
3898 wtap_rec_reset(&rec);
3899 }
3900 if (status == PASS_SUCCEEDED) {
3901 if (*err != 0) {
3902 /* Error reading from the input file. */
3903 status = PASS_READ_ERROR;
3904 } else {
3905 /*
3906 * Process whatever IDBs we haven't seen yet.
3907 */
3908 if (!process_new_idbs(cf->provider.wth, pdh, err, err_info)) {
3909 *err_framenum = framenum;
3910 status = PASS_WRITE_ERROR;
3911 }
3912 }
3913 }
3914
3915 if (edt)
3916 epan_dissect_free(edt);
3917
3918 ws_buffer_free(&buf);
3919 wtap_rec_cleanup(&rec);
3920
3921 return status;
3922 }
3923
3924 static process_file_status_t
3925 process_cap_file(capture_file *cf, char *save_file, int out_file_type,
3926 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count,
3927 int max_write_packet_count)
3928 {
3929 process_file_status_t status = PROCESS_FILE_SUCCEEDED;
3930 wtap_dumper *pdh;
3931 #ifndef _WIN32
3932 struct sigaction action, oldaction;
3933 #endif
3934 int err = 0, err_pass1 = 0;
3935 gchar *err_info = NULL, *err_info_pass1 = NULL;
3936 volatile guint32 err_framenum;
3937 wtap_dump_params params = WTAP_DUMP_PARAMS_INIT;
3938 char *shb_user_appl;
3939 pass_status_t first_pass_status, second_pass_status;
3940 gint64 elapsed_start;
3941
3942 if (save_file != NULL) {
3943 /* Set up to write to the capture file. */
3944 wtap_dump_params_init_no_idbs(&params, cf->provider.wth);
3945
3946 /* If we don't have an application name add TShark */
3947 if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3948 /* this is free'd by wtap_block_unref() later */
3949 wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "%s", get_appname_and_version());
3950 }
3951 if (capture_comments != NULL) {
3952 for (guint i = 0; i < capture_comments->len; i++) {
3953 wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0),
3954 OPT_COMMENT, "%s",
3955 (char *)g_ptr_array_index(capture_comments, i));
3956 }
3957 }
3958
3959 ws_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3960 if (strcmp(save_file, "-") == 0) {
3961 /* Write to the standard output. */
3962 pdh = wtap_dump_open_stdout(out_file_type, WTAP_UNCOMPRESSED, &params,
3963 &err, &err_info);
3964 } else {
3965 pdh = wtap_dump_open(save_file, out_file_type, WTAP_UNCOMPRESSED, &params,
3966 &err, &err_info);
3967 }
3968
3969 g_free(params.idb_inf);
3970 params.idb_inf = NULL;
3971
3972 if (pdh == NULL) {
3973 /* We couldn't set up to write to the capture file. */
3974 cfile_dump_open_failure_message(save_file, err, err_info,
3975 out_file_type);
3976 status = PROCESS_FILE_NO_FILE_PROCESSED;
3977 goto out;
3978 }
3979 } else {
3980 /* Set up to print packet information. */
3981 if (print_packet_info) {
3982 if (!write_preamble(cf)) {
3983 show_print_file_io_error();
3984 status = PROCESS_FILE_NO_FILE_PROCESSED;
3985 goto out;
3986 }
3987 }
3988 pdh = NULL;
3989 }
3990
3991 #ifdef _WIN32
3992 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
3993 SetConsoleCtrlHandler(read_cleanup, TRUE);
3994 #else /* _WIN32 */
3995 /* Catch SIGINT and SIGTERM and, if we get either of them,
3996 clean up and exit. If SIGHUP isn't being ignored, catch
3997 it too and, if we get it, clean up and exit.
3998
3999 We restart any read that was in progress, so that it doesn't
4000 disrupt reading from the sync pipe. The signal handler tells
4001 the capture child to finish; it will report that it finished,
4002 or will exit abnormally, so we'll stop reading from the sync
4003 pipe, pick up the exit status, and quit. */
4004 memset(&action, 0, sizeof(action));
4005 action.sa_handler = read_cleanup;
4006 action.sa_flags = SA_RESTART;
4007 sigemptyset(&action.sa_mask);
4008 sigaction(SIGTERM, &action, NULL);
4009 sigaction(SIGINT, &action, NULL);
4010 sigaction(SIGHUP, NULL, &oldaction);
4011 if (oldaction.sa_handler == SIG_DFL)
4012 sigaction(SIGHUP, &action, NULL);
4013 #endif /* _WIN32 */
4014
4015 if (perform_two_pass_analysis) {
4016 ws_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4017
4018 elapsed_start = g_get_monotonic_time();
4019 first_pass_status = process_cap_file_first_pass(cf, max_packet_count,
4020 max_byte_count,
4021 &err_pass1,
4022 &err_info_pass1);
4023 tshark_elapsed.elapsed_first_pass = g_get_monotonic_time() - elapsed_start;
4024
4025 ws_debug("tshark: done with first pass");
4026
4027 if (first_pass_status == PASS_INTERRUPTED) {
4028 /* The first pass was interrupted; skip the second pass.
4029 It won't be run, so it won't get an error. */
4030 second_pass_status = PASS_SUCCEEDED;
4031 } else {
4032 /*
4033 * If we got a read error on the first pass, we still do the second
4034 * pass, so we can at least process the packets we read, and then
4035 * report the first-pass error after the second pass (and before
4036 * we report any second-pass errors), so all the errors show up
4037 * at the end.
4038 */
4039 elapsed_start = g_get_monotonic_time();
4040 second_pass_status = process_cap_file_second_pass(cf, pdh, &err, &err_info,
4041 &err_framenum,
4042 max_write_packet_count);
4043 tshark_elapsed.elapsed_second_pass = g_get_monotonic_time() - elapsed_start;
4044
4045 ws_debug("tshark: done with second pass");
4046 }
4047 }
4048 else {
4049 /* !perform_two_pass_analysis */
4050 ws_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4051
4052 first_pass_status = PASS_SUCCEEDED; /* There is no first pass */
4053
4054 elapsed_start = g_get_monotonic_time();
4055 second_pass_status = process_cap_file_single_pass(cf, pdh,
4056 max_packet_count,
4057 max_byte_count,
4058 max_write_packet_count,
4059 &err, &err_info,
4060 &err_framenum);
4061 tshark_elapsed.elapsed_first_pass = g_get_monotonic_time() - elapsed_start;
4062
4063 ws_debug("tshark: done with single pass");
4064 }
4065
4066 if (first_pass_status != PASS_SUCCEEDED ||
4067 second_pass_status != PASS_SUCCEEDED) {
4068 /*
4069 * At least one of the passes didn't succeed; either it got a failure
4070 * or it was interrupted.
4071 */
4072 if (first_pass_status != PASS_INTERRUPTED ||
4073 second_pass_status != PASS_INTERRUPTED) {
4074 /* At least one of the passes got an error. */
4075 ws_debug("tshark: something failed along the line (%d)", err);
4076 /*
4077 * If we're printing packet data, and the standard output and error
4078 * are going to the same place, flush the standard output, so everything
4079 * buffered up is written, and then print a newline to the standard
4080 * error before printing the error message, to separate it from the
4081 * packet data. (Alas, that only works on UN*X; st_dev is meaningless,
4082 * and the _fstat() documentation at Microsoft doesn't indicate whether
4083 * st_ino is even supported.)
4084 */
4085 #ifndef _WIN32
4086 if (print_packet_info) {
4087 ws_statb64 stat_stdout, stat_stderr;
4088
4089 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
4090 if (stat_stdout.st_dev == stat_stderr.st_dev &&
4091 stat_stdout.st_ino == stat_stderr.st_ino) {
4092 fflush(stdout);
4093 fprintf(stderr, "\n");
4094 }
4095 }
4096 }
4097 #endif
4098 }
4099 /* Report status of pass 1 of two-pass processing. */
4100 switch (first_pass_status) {
4101
4102 case PASS_SUCCEEDED:
4103 /* No problem. */
4104 break;
4105
4106 case PASS_READ_ERROR:
4107 /* Read error. */
4108 cfile_read_failure_message(cf->filename, err_pass1, err_info_pass1);
4109 status = PROCESS_FILE_ERROR;
4110 break;
4111
4112 case PASS_WRITE_ERROR:
4113 /* Won't happen on the first pass. */
4114 break;
4115
4116 case PASS_INTERRUPTED:
4117 /* Not an error, so nothing to report. */
4118 status = PROCESS_FILE_INTERRUPTED;
4119 break;
4120 }
4121
4122 /* Report status of pass 2 of two-pass processing or the only pass
4123 of one-pass processing. */
4124 switch (second_pass_status) {
4125
4126 case PASS_SUCCEEDED:
4127 /* No problem. */
4128 break;
4129
4130 case PASS_READ_ERROR:
4131 /* Read error. */
4132 cfile_read_failure_message(cf->filename, err, err_info);
4133 status = PROCESS_FILE_ERROR;
4134 break;
4135
4136 case PASS_WRITE_ERROR:
4137 /* Write error.
4138 XXX - framenum is not necessarily the frame number in
4139 the input file if there was a read filter. */
4140 cfile_write_failure_message(cf->filename, save_file, err, err_info,
4141 err_framenum, out_file_type);
4142 status = PROCESS_FILE_ERROR;
4143 break;
4144
4145 case PASS_INTERRUPTED:
4146 /* Not an error, so nothing to report. */
4147 status = PROCESS_FILE_INTERRUPTED;
4148 break;
4149 }
4150 }
4151 if (save_file != NULL) {
4152 if (second_pass_status != PASS_WRITE_ERROR) {
4153 if (pdh && out_file_name_res) {
4154 /* XXX: This doesn't work as expected. First, it should be
4155 * moved to between the first and second passes (if doing
4156 * two-pass mode), so that the new NRB appears before packets,
4157 * which is better for subsequent one-pass mode. It never works
4158 * well in one-pass mode.
4159 *
4160 * Second, it only writes hosts that we've done lookups for,
4161 * which means unless packet details are printed (or there's
4162 * a display filter that matches something that will do a host
4163 * lookup, e.g. -Y "ip") it doesn't actually have anything
4164 * in the list to save. Notably, that includes the case of
4165 * "tshark [-2] -H hosts.txt -r <infile> -w <outfile>",
4166 * which a user would certainly expect to dissect packets,
4167 * lookup hostnames, and add them to an NRB for later use.
4168 * A workaround is if "-V > /dev/null" is added, but who
4169 * expects that?
4170 *
4171 * A third issue is that name resolution blocks aren't
4172 * written for live captures.
4173 */
4174 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
4175 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
4176 wtap_file_type_subtype_name(out_file_type));
4177 }
4178 }
4179 /* Now close the capture file. */
4180 if (!wtap_dump_close(pdh, NULL, &err, &err_info)) {
4181 cfile_close_failure_message(save_file, err, err_info);
4182 status = PROCESS_FILE_ERROR;
4183 }
4184 } else {
4185 /* We got a write error; it was reported, so just close the dump file
4186 without bothering to check for further errors. */
4187 wtap_dump_close(pdh, NULL, &err, &err_info);
4188 g_free(err_info);
4189 status = PROCESS_FILE_ERROR;
4190 }
4191 } else {
4192 if (print_packet_info) {
4193 if (!write_finale()) {
4194 show_print_file_io_error();
4195 status = PROCESS_FILE_ERROR;
4196 }
4197 }
4198 }
4199
4200 out:
4201 wtap_close(cf->provider.wth);
4202 cf->provider.wth = NULL;
4203
4204 wtap_dump_params_cleanup(&params);
4205
4206 return status;
4207 }
4208
4209 static gboolean
4210 process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,
4211 wtap_rec *rec, Buffer *buf, guint tap_flags _U_)
4212 {
4213 frame_data fdata;
4214 column_info *cinfo;
4215 gboolean passed;
4216 wtap_block_t block = NULL;
4217 gint64 elapsed_start;
4218
4219 /* Count this packet. */
4220 cf->count++;
4221
4222 /* If we're not running a display filter and we're not printing any
4223 packet information, we don't need to do a dissection. This means
4224 that all packets can be marked as 'passed'. */
4225 passed = TRUE;
4226
4227 frame_data_init(&fdata, cf->count, rec, offset, cum_bytes);
4228
4229 /* If we're going to print packet information, or we're going to
4230 run a read filter, or we're going to process taps, set up to
4231 do a dissection and do so. (This is the one and only pass
4232 over the packets, so, if we'll be printing packet information
4233 or running taps, we'll be doing it here.) */
4234 if (edt) {
4235 /* If we're running a filter, prime the epan_dissect_t with that
4236 filter. */
4237 if (cf->dfcode)
4238 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
4239
4240 /* This is the first and only pass, so prime the epan_dissect_t
4241 with the hfids postdissectors want on the first pass. */
4242 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
4243
4244 col_custom_prime_edt(edt, &cf->cinfo);
4245
4246 output_fields_prime_edt(edt, output_fields);
4247 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
4248 * information from our 'frame' protocol.
4249 */
4250 if (output_fields_num_fields(output_fields) != 0 &&
4251 output_action == WRITE_XML) {
4252 epan_dissect_prime_with_hfid(edt, proto_registrar_get_id_byname("frame"));
4253 }
4254
4255 /* We only need the columns if either
4256 1) some tap or filter needs the columns
4257 or
4258 2) we're printing packet info but we're *not* verbose; in verbose
4259 mode, we print the protocol tree, not the protocol summary.
4260 or
4261 3) there is a column mapped as an individual field */
4262 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
4263 cinfo = &cf->cinfo;
4264 else
4265 cinfo = NULL;
4266
4267 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
4268 &cf->provider.ref, cf->provider.prev_dis);
4269 if (cf->provider.ref == &fdata) {
4270 ref_frame = fdata;
4271 cf->provider.ref = &ref_frame;
4272 }
4273
4274 if (dissect_color) {
4275 color_filters_prime_edt(edt);
4276 fdata.need_colorize = 1;
4277 }
4278
4279 /* epan_dissect_run (and epan_dissect_reset) unref the block.
4280 * We need it later, e.g. in order to copy the options. */
4281 block = wtap_block_ref(rec->block);
4282 elapsed_start = g_get_monotonic_time();
4283 epan_dissect_run_with_taps(edt, cf->cd_t, rec,
4284 frame_tvbuff_new_buffer(&cf->provider, &fdata, buf),
4285 &fdata, cinfo);
4286 tshark_elapsed.first_pass.dissect += g_get_monotonic_time() - elapsed_start;
4287
4288 /* Run the filter if we have it. */
4289 if (cf->dfcode) {
4290 elapsed_start = g_get_monotonic_time();
4291 passed = dfilter_apply_edt(cf->dfcode, edt);
4292 tshark_elapsed.first_pass.dfilter_filter += g_get_monotonic_time() - elapsed_start;
4293 }
4294 }
4295
4296 if (passed) {
4297 frame_data_set_after_dissect(&fdata, &cum_bytes);
4298
4299 /* Process this packet. */
4300 if (print_packet_info) {
4301 /* We're printing packet information; print the information for
4302 this packet. */
4303 ws_assert(edt);
4304 print_packet(cf, edt);
4305
4306 /* If we're doing "line-buffering", flush the standard output
4307 after every packet. See the comment above, for the "-l"
4308 option, for an explanation of why we do that. */
4309 if (line_buffered)
4310 fflush(stdout);
4311
4312 if (ferror(stdout)) {
4313 show_print_file_io_error();
4314 exit(2);
4315 }
4316 }
4317
4318 /* this must be set after print_packet() [bug #8160] */
4319 prev_dis_frame = fdata;
4320 cf->provider.prev_dis = &prev_dis_frame;
4321 }
4322
4323 prev_cap_frame = fdata;
4324 cf->provider.prev_cap = &prev_cap_frame;
4325
4326 if (edt) {
4327 epan_dissect_reset(edt);
4328 frame_data_destroy(&fdata);
4329 rec->block = block;
4330 }
4331 return passed;
4332 }
4333
4334 static gboolean
4335 write_preamble(capture_file *cf)
4336 {
4337 switch (output_action) {
4338
4339 case WRITE_TEXT:
4340 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
4341
4342 case WRITE_XML:
4343 if (print_details)
4344 write_pdml_preamble(stdout, cf->filename);
4345 else
4346 write_psml_preamble(&cf->cinfo, stdout);
4347 return !ferror(stdout);
4348
4349 case WRITE_FIELDS:
4350 write_fields_preamble(output_fields, stdout);
4351 return !ferror(stdout);
4352
4353 case WRITE_JSON:
4354 case WRITE_JSON_RAW:
4355 jdumper = write_json_preamble(stdout);
4356 return !ferror(stdout);
4357
4358 case WRITE_EK:
4359 return TRUE;
4360
4361 default:
4362 ws_assert_not_reached();
4363 return FALSE;
4364 }
4365 }
4366
4367 static char *
4368 get_line_buf(size_t len)
4369 {
4370 static char *line_bufp = NULL;
4371 static size_t line_buf_len = 256;
4372 size_t new_line_buf_len;
4373
4374 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
4375 new_line_buf_len *= 2)
4376 ;
4377 if (line_bufp == NULL) {
4378 line_buf_len = new_line_buf_len;
4379 line_bufp = (char *)g_malloc(line_buf_len + 1);
4380 } else {
4381 if (new_line_buf_len > line_buf_len) {
4382 line_buf_len = new_line_buf_len;
4383 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
4384 }
4385 }
4386 return line_bufp;
4387 }
4388
4389 static inline void
4390 put_string(char *dest, const char *str, size_t str_len)
4391 {
4392 memcpy(dest, str, str_len);
4393 dest[str_len] = '\0';
4394 }
4395
4396 static inline void
4397 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
4398 {
4399 size_t i;
4400
4401 for (i = str_len; i < str_with_spaces; i++)
4402 *dest++ = ' ';
4403
4404 put_string(dest, str, str_len);
4405 }
4406
4407 static inline void
4408 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
4409 {
4410 size_t i;
4411
4412 memcpy(dest, str, str_len);
4413 for (i = str_len; i < str_with_spaces; i++)
4414 dest[i] = ' ';
4415
4416 dest[str_with_spaces] = '\0';
4417 }
4418
4419 static gboolean
4420 print_columns(capture_file *cf, const epan_dissect_t *edt)
4421 {
4422 char *line_bufp;
4423 int i;
4424 size_t buf_offset;
4425 size_t column_len;
4426 size_t col_len;
4427 col_item_t* col_item;
4428 gchar str_format[11];
4429 const color_filter_t *color_filter = NULL;
4430
4431 line_bufp = get_line_buf(256);
4432 buf_offset = 0;
4433 *line_bufp = '\0';
4434
4435 if (dissect_color)
4436 color_filter = edt->pi.fd->color_filter;
4437
4438 for (i = 0; i < cf->cinfo.num_cols; i++) {
4439 col_item = &cf->cinfo.columns[i];
4440 /* Skip columns not marked as visible. */
4441 if (!get_column_visible(i))
4442 continue;
4443 const gchar* col_text = get_column_text(&cf->cinfo, i);
4444 switch (col_item->col_fmt) {
4445 case COL_NUMBER:
4446 column_len = col_len = strlen(col_text);
4447 if (column_len < 5)
4448 column_len = 5;
4449 line_bufp = get_line_buf(buf_offset + column_len);
4450 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4451 break;
4452
4453 case COL_CLS_TIME:
4454 case COL_REL_TIME:
4455 case COL_ABS_TIME:
4456 case COL_ABS_YMD_TIME: /* XXX - wider */
4457 case COL_ABS_YDOY_TIME: /* XXX - wider */
4458 case COL_UTC_TIME:
4459 case COL_UTC_YMD_TIME: /* XXX - wider */
4460 case COL_UTC_YDOY_TIME: /* XXX - wider */
4461 column_len = col_len = strlen(col_text);
4462 if (column_len < 10)
4463 column_len = 10;
4464 line_bufp = get_line_buf(buf_offset + column_len);
4465 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4466 break;
4467
4468 case COL_DEF_SRC:
4469 case COL_RES_SRC:
4470 case COL_UNRES_SRC:
4471 case COL_DEF_DL_SRC:
4472 case COL_RES_DL_SRC:
4473 case COL_UNRES_DL_SRC:
4474 case COL_DEF_NET_SRC:
4475 case COL_RES_NET_SRC:
4476 case COL_UNRES_NET_SRC:
4477 column_len = col_len = strlen(col_text);
4478 if (column_len < 12)
4479 column_len = 12;
4480 line_bufp = get_line_buf(buf_offset + column_len);
4481 put_spaces_string(line_bufp + buf_offset, col_text, col_len, column_len);
4482 break;
4483
4484 case COL_DEF_DST:
4485 case COL_RES_DST:
4486 case COL_UNRES_DST:
4487 case COL_DEF_DL_DST:
4488 case COL_RES_DL_DST:
4489 case COL_UNRES_DL_DST:
4490 case COL_DEF_NET_DST:
4491 case COL_RES_NET_DST:
4492 case COL_UNRES_NET_DST:
4493 column_len = col_len = strlen(col_text);
4494 if (column_len < 12)
4495 column_len = 12;
4496 line_bufp = get_line_buf(buf_offset + column_len);
4497 put_string_spaces(line_bufp + buf_offset, col_text, col_len, column_len);
4498 break;
4499
4500 default:
4501 column_len = strlen(col_text);
4502 line_bufp = get_line_buf(buf_offset + column_len);
4503 put_string(line_bufp + buf_offset, col_text, column_len);
4504 break;
4505 }
4506 buf_offset += column_len;
4507 if (i != cf->cinfo.num_cols - 1) {
4508 /*
4509 * This isn't the last column, so we need to print a
4510 * separator between this column and the next.
4511 *
4512 * If we printed a network source and are printing a
4513 * network destination of the same type next, separate
4514 * them with a UTF-8 right arrow; if we printed a network
4515 * destination and are printing a network source of the same
4516 * type next, separate them with a UTF-8 left arrow;
4517 * otherwise separate them with a space.
4518 *
4519 * We add enough space to the buffer for " \xe2\x86\x90 "
4520 * or " \xe2\x86\x92 ", even if we're only adding " ".
4521 */
4522 line_bufp = get_line_buf(buf_offset + 5);
4523 switch (col_item->col_fmt) {
4524
4525 case COL_DEF_SRC:
4526 case COL_RES_SRC:
4527 case COL_UNRES_SRC:
4528 switch (cf->cinfo.columns[i+1].col_fmt) {
4529
4530 case COL_DEF_DST:
4531 case COL_RES_DST:
4532 case COL_UNRES_DST:
4533 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4534 put_string(line_bufp + buf_offset, str_format, 5);
4535 buf_offset += 5;
4536 break;
4537
4538 default:
4539 put_string(line_bufp + buf_offset, delimiter_char, 1);
4540 buf_offset += 1;
4541 break;
4542 }
4543 break;
4544
4545 case COL_DEF_DL_SRC:
4546 case COL_RES_DL_SRC:
4547 case COL_UNRES_DL_SRC:
4548 switch (cf->cinfo.columns[i+1].col_fmt) {
4549
4550 case COL_DEF_DL_DST:
4551 case COL_RES_DL_DST:
4552 case COL_UNRES_DL_DST:
4553 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4554 put_string(line_bufp + buf_offset, str_format, 5);
4555 buf_offset += 5;
4556 break;
4557
4558 default:
4559 put_string(line_bufp + buf_offset, delimiter_char, 1);
4560 buf_offset += 1;
4561 break;
4562 }
4563 break;
4564
4565 case COL_DEF_NET_SRC:
4566 case COL_RES_NET_SRC:
4567 case COL_UNRES_NET_SRC:
4568 switch (cf->cinfo.columns[i+1].col_fmt) {
4569
4570 case COL_DEF_NET_DST:
4571 case COL_RES_NET_DST:
4572 case COL_UNRES_NET_DST:
4573 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4574 put_string(line_bufp + buf_offset, str_format, 5);
4575 buf_offset += 5;
4576 break;
4577
4578 default:
4579 put_string(line_bufp + buf_offset, delimiter_char, 1);
4580 buf_offset += 1;
4581 break;
4582 }
4583 break;
4584
4585 case COL_DEF_DST:
4586 case COL_RES_DST:
4587 case COL_UNRES_DST:
4588 switch (cf->cinfo.columns[i+1].col_fmt) {
4589
4590 case COL_DEF_SRC:
4591 case COL_RES_SRC:
4592 case COL_UNRES_SRC:
4593 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4594 put_string(line_bufp + buf_offset, str_format, 5);
4595 buf_offset += 5;
4596 break;
4597
4598 default:
4599 put_string(line_bufp + buf_offset, delimiter_char, 1);
4600 buf_offset += 1;
4601 break;
4602 }
4603 break;
4604
4605 case COL_DEF_DL_DST:
4606 case COL_RES_DL_DST:
4607 case COL_UNRES_DL_DST:
4608 switch (cf->cinfo.columns[i+1].col_fmt) {
4609
4610 case COL_DEF_DL_SRC:
4611 case COL_RES_DL_SRC:
4612 case COL_UNRES_DL_SRC:
4613 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4614 put_string(line_bufp + buf_offset, str_format, 5);
4615 buf_offset += 5;
4616 break;
4617
4618 default:
4619 put_string(line_bufp + buf_offset, delimiter_char, 1);
4620 buf_offset += 1;
4621 break;
4622 }
4623 break;
4624
4625 case COL_DEF_NET_DST:
4626 case COL_RES_NET_DST:
4627 case COL_UNRES_NET_DST:
4628 switch (cf->cinfo.columns[i+1].col_fmt) {
4629
4630 case COL_DEF_NET_SRC:
4631 case COL_RES_NET_SRC:
4632 case COL_UNRES_NET_SRC:
4633 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4634 put_string(line_bufp + buf_offset, str_format, 5);
4635 buf_offset += 5;
4636 break;
4637
4638 default:
4639 put_string(line_bufp + buf_offset, delimiter_char, 1);
4640 buf_offset += 1;
4641 break;
4642 }
4643 break;
4644
4645 default:
4646 put_string(line_bufp + buf_offset, delimiter_char, 1);
4647 buf_offset += 1;
4648 break;
4649 }
4650 }
4651 }
4652
4653 if (dissect_color && color_filter != NULL)
4654 return print_line_color(print_stream, 0, line_bufp, &color_filter->fg_color, &color_filter->bg_color);
4655 else
4656 return print_line(print_stream, 0, line_bufp);
4657 }
4658
4659 static gboolean
4660 print_packet(capture_file *cf, epan_dissect_t *edt)
4661 {
4662 if (print_summary || output_fields_has_cols(output_fields))
4663 /* Just fill in the columns. */
4664 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4665
4666 /* Print summary columns and/or protocol tree */
4667 switch (output_action) {
4668
4669 case WRITE_TEXT:
4670 if (print_summary && !print_columns(cf, edt))
4671 return FALSE;
4672 if (print_details) {
4673 if (!proto_tree_print(print_details ? print_dissections_expanded : print_dissections_none,
4674 print_hex, edt, output_only_tables, print_stream))
4675 return FALSE;
4676 if (!print_hex) {
4677 if (!print_line(print_stream, 0, separator))
4678 return FALSE;
4679 }
4680 }
4681 break;
4682
4683 case WRITE_XML:
4684 if (print_summary) {
4685 write_psml_columns(edt, stdout, dissect_color);
4686 return !ferror(stdout);
4687 }
4688 if (print_details) {
4689 write_pdml_proto_tree(output_fields, edt, &cf->cinfo, stdout, dissect_color);
4690 printf("\n");
4691 return !ferror(stdout);
4692 }
4693 break;
4694
4695 case WRITE_FIELDS:
4696 if (print_summary) {
4697 /*No non-verbose "fields" format */
4698 ws_assert_not_reached();
4699 }
4700 if (print_details) {
4701 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4702 printf("\n");
4703 return !ferror(stdout);
4704 }
4705 break;
4706
4707 case WRITE_JSON:
4708 if (print_summary)
4709 ws_assert_not_reached();
4710 if (print_details) {
4711 write_json_proto_tree(output_fields, print_dissections_expanded,
4712 print_hex, edt, &cf->cinfo, node_children_grouper, &jdumper);
4713 return !ferror(stdout);
4714 }
4715 break;
4716
4717 case WRITE_JSON_RAW:
4718 if (print_summary)
4719 ws_assert_not_reached();
4720 if (print_details) {
4721 write_json_proto_tree(output_fields, print_dissections_none,
4722 TRUE, edt, &cf->cinfo, node_children_grouper, &jdumper);
4723 return !ferror(stdout);
4724 }
4725 break;
4726
4727 case WRITE_EK:
4728 write_ek_proto_tree(output_fields, print_summary, print_hex,
4729 edt, &cf->cinfo, stdout);
4730 return !ferror(stdout);
4731
4732 default:
4733 ws_assert_not_reached();
4734 }
4735
4736 if (print_hex) {
4737 if (print_summary || print_details) {
4738 if (!print_line(print_stream, 0, ""))
4739 return FALSE;
4740 }
4741 if (!print_hex_data(print_stream, edt, hexdump_source_option | hexdump_ascii_option))
4742 return FALSE;
4743 if (!print_line(print_stream, 0, separator))
4744 return FALSE;
4745 }
4746 return TRUE;
4747 }
4748
4749 static gboolean
4750 write_finale(void)
4751 {
4752 switch (output_action) {
4753
4754 case WRITE_TEXT:
4755 return print_finale(print_stream);
4756
4757 case WRITE_XML:
4758 if (print_details)
4759 write_pdml_finale(stdout);
4760 else
4761 write_psml_finale(stdout);
4762 return !ferror(stdout);
4763
4764 case WRITE_FIELDS:
4765 write_fields_finale(output_fields, stdout);
4766 return !ferror(stdout);
4767
4768 case WRITE_JSON:
4769 case WRITE_JSON_RAW:
4770 write_json_finale(&jdumper);
4771 return !ferror(stdout);
4772
4773 case WRITE_EK:
4774 return TRUE;
4775
4776 default:
4777 ws_assert_not_reached();
4778 return FALSE;
4779 }
4780 }
4781
4782 void
4783 cf_close(capture_file *cf)
4784 {
4785 if (cf->state == FILE_CLOSED)
4786 return; /* Nothing to do */
4787
4788 if (cf->provider.wth != NULL) {
4789 wtap_close(cf->provider.wth);
4790 cf->provider.wth = NULL;
4791 }
4792 /* We have no file open... */
4793 if (cf->filename != NULL) {
4794 /* If it's a temporary file, remove it. */
4795 if (cf->is_tempfile)
4796 ws_unlink(cf->filename);
4797 g_free(cf->filename);
4798 cf->filename = NULL;
4799 }
4800
4801 /* We have no file open. */
4802 cf->state = FILE_CLOSED;
4803 }
4804
4805 cf_status_t
4806 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4807 {
4808 wtap *wth;
4809 gchar *err_info;
4810
4811 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4812 if (wth == NULL)
4813 goto fail;
4814
4815 /* The open succeeded. Fill in the information for this file. */
4816
4817 cf->provider.wth = wth;
4818 cf->f_datalen = 0; /* not used, but set it anyway */
4819
4820 /* Set the file name because we need it to set the follow stream filter.
4821 XXX - is that still true? We need it for other reasons, though,
4822 in any case. */
4823 cf->filename = g_strdup(fname);
4824
4825 /* Indicate whether it's a permanent or temporary file. */
4826 cf->is_tempfile = is_tempfile;
4827
4828 /* No user changes yet. */
4829 cf->unsaved_changes = FALSE;
4830
4831 cf->cd_t = wtap_file_type_subtype(cf->provider.wth);
4832 cf->open_type = type;
4833 cf->count = 0;
4834 cf->drops_known = FALSE;
4835 cf->drops = 0;
4836 cf->snap = wtap_snapshot_length(cf->provider.wth);
4837 nstime_set_zero(&cf->elapsed_time);
4838 cf->provider.ref = NULL;
4839 cf->provider.prev_dis = NULL;
4840 cf->provider.prev_cap = NULL;
4841
4842 cf->state = FILE_READ_IN_PROGRESS;
4843
4844 /* Create new epan session for dissection. */
4845 epan_free(cf->epan);
4846 cf->epan = tshark_epan_new(cf);
4847
4848 wtap_set_cb_new_ipv4(cf->provider.wth, add_ipv4_name);
4849 wtap_set_cb_new_ipv6(cf->provider.wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4850 wtap_set_cb_new_secrets(cf->provider.wth, secrets_wtap_callback);
4851
4852 return CF_OK;
4853
4854 fail:
4855 cfile_open_failure_message(fname, *err, err_info);
4856 return CF_ERROR;
4857 }
4858
4859 static void
4860 show_print_file_io_error(void)
4861 {
4862 switch (errno) {
4863
4864 case ENOSPC:
4865 cmdarg_err("Not all the packets could be printed because there is "
4866 "no space left on the file system.");
4867 break;
4868
4869 #ifdef EDQUOT
4870 case EDQUOT:
4871 cmdarg_err("Not all the packets could be printed because you are "
4872 "too close to, or over your disk quota.");
4873 break;
4874 #endif
4875
4876 case EPIPE:
4877 /*
4878 * This almost certainly means "the next program after us in
4879 * the pipeline exited before we were finished writing", so
4880 * this isn't a real error, it just means we're done. (We
4881 * don't get SIGPIPE because libwireshark ignores SIGPIPE
4882 * to avoid getting killed if writing to the MaxMind process
4883 * gets SIGPIPE because that process died.)
4884 *
4885 * Presumably either that program exited deliberately (for
4886 * example, "head -N" read N lines and printed them), in
4887 * which case there's no error to report, or it terminated
4888 * due to an error or a signal, in which case *that's* the
4889 * error and that error has been reported.
4890 */
4891 break;
4892
4893 default:
4894 #ifdef _WIN32
4895 if (errno == EINVAL && _doserrno == ERROR_NO_DATA) {
4896 /*
4897 * XXX - on Windows, a write to a pipe where the read side
4898 * has been closed apparently may return the Windows error
4899 * ERROR_BROKEN_PIPE, which the Visual Studio C library maps
4900 * to EPIPE, or may return the Windows error ERROR_NO_DATA,
4901 * which the Visual Studio C library maps to EINVAL.
4902 *
4903 * Either of those almost certainly means "the next program
4904 * after us in the pipeline exited before we were finished
4905 * writing", so, if _doserrno is ERROR_NO_DATA, this isn't
4906 * a real error, it just means we're done. (Windows doesn't
4907 * SIGPIPE.)
4908 *
4909 * Presumably either that program exited deliberately (for
4910 * example, "head -N" read N lines and printed them), in
4911 * which case there's no error to report, or it terminated
4912 * due to an error or a signal, in which case *that's* the
4913 * error and that error has been reported.
4914 */
4915 break;
4916 }
4917
4918 /*
4919 * It's a different error; report it, but with the error
4920 * message for _doserrno, which will give more detail
4921 * than just "Invalid argument".
4922 */
4923 cmdarg_err("An error occurred while printing packets: %s.",
4924 win32strerror(_doserrno));
4925 #else
4926 cmdarg_err("An error occurred while printing packets: %s.",
4927 g_strerror(errno));
4928 #endif
4929 break;
4930 }
4931 }
4932
4933 /*
4934 * Report an error in command-line arguments.
4935 */
4936 static void
4937 tshark_cmdarg_err(const char *msg_format, va_list ap)
4938 {
4939 fprintf(stderr, "tshark: ");
4940 vfprintf(stderr, msg_format, ap);
4941 fprintf(stderr, "\n");
4942 }
4943
4944 /*
4945 * Report additional information for an error in command-line arguments.
4946 */
4947 static void
4948 tshark_cmdarg_err_cont(const char *msg_format, va_list ap)
4949 {
4950 vfprintf(stderr, msg_format, ap);
4951 fprintf(stderr, "\n");
4952 }
4953
4954 static void
4955 reset_epan_mem(capture_file *cf,epan_dissect_t *edt, gboolean tree, gboolean visual)
4956 {
4957 if (!epan_auto_reset || (cf->count < epan_auto_reset_count))
4958 return;
4959
4960 fprintf(stderr, "resetting session.\n");
4961
4962 epan_dissect_cleanup(edt);
4963 epan_free(cf->epan);
4964
4965 cf->epan = tshark_epan_new(cf);
4966 epan_dissect_init(edt, cf->epan, tree, visual);
4967 cf->count = 0;
4968 }
Metzes wireshark repo