| blob | 2c77edfee8b4c2dfe33047fb2e41baad15ebaf30 |
1 /* tshark.c
2 *
3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
13 #include <config.h>
15 #define WS_LOG_DOMAIN LOG_DOMAIN_MAIN
17 #include <stdlib.h>
18 #include <stdio.h>
19 #include <string.h>
20 #include <locale.h>
21 #include <limits.h>
23 #include <wsutil/ws_getopt.h>
25 #include <errno.h>
27 #ifdef _WIN32
28 # include <winsock2.h>
29 #endif
31 #ifndef _WIN32
32 #include <signal.h>
33 #endif
35 #include <glib.h>
37 #include <epan/exceptions.h>
38 #include <epan/epan.h>
40 #include <ws_exit_codes.h>
41 #include <wsutil/clopts_common.h>
42 #include <wsutil/cmdarg_err.h>
43 #include <ui/urls.h>
44 #include <wsutil/filesystem.h>
45 #include <wsutil/file_util.h>
46 #include <wsutil/time_util.h>
47 #include <wsutil/socket.h>
48 #include <wsutil/privileges.h>
49 #include <wsutil/report_message.h>
50 #include <wsutil/please_report_bug.h>
51 #include <wsutil/wslog.h>
52 #include <wsutil/ws_assert.h>
53 #include <wsutil/strtoi.h>
54 #include <cli_main.h>
55 #include <wsutil/version_info.h>
56 #include <wiretap/wtap_opttypes.h>
59 #include <epan/timestamp.h>
60 #include <epan/packet.h>
61 #ifdef HAVE_LUA
62 #include <epan/wslua/init_wslua.h>
63 #endif
65 #include <epan/disabled_protos.h>
66 #include <epan/prefs.h>
67 #include <epan/column.h>
68 #include <epan/decode_as.h>
69 #include <epan/print.h>
70 #include <epan/addr_resolv.h>
71 #include <epan/enterprises.h>
72 #include <epan/manuf.h>
73 #include <epan/services.h>
74 #ifdef HAVE_LIBPCAP
76 #endif
88 #if defined(HAVE_LIBSMI)
90 #endif
92 #include <epan/epan_dissect.h>
93 #include <epan/tap.h>
94 #include <epan/stat_tap_ui.h>
95 #include <epan/conversation_table.h>
96 #include <epan/srt_table.h>
97 #include <epan/rtd_table.h>
98 #include <epan/ex-opt.h>
99 #include <epan/exported_pdu.h>
100 #include <epan/secrets.h>
106 #ifdef HAVE_LIBPCAP
108 #ifdef _WIN32
111 #include <capture/capture_session.h>
112 #include <capture/capture_sync.h>
113 #include <ui/capture_info.h>
115 #include <epan/funnel.h>
117 #include <wsutil/str_util.h>
118 #include <wsutil/utf8_entities.h>
119 #include <wsutil/json_dumper.h>
120 #include <wsutil/wslog.h>
121 #ifdef _WIN32
122 #include <wsutil/win32-utils.h>
123 #endif
127 #ifdef HAVE_PLUGINS
128 #include <wsutil/codecs_priv.h>
129 #include <wsutil/plugins.h>
130 #endif
132 /* Additional exit codes */
133 #define INVALID_EXPORT 2
134 #define INVALID_TAP 2
135 #define INVALID_CAPTURE 2
137 #define LONGOPT_EXPORT_OBJECTS LONGOPT_BASE_APPLICATION+1
138 #define LONGOPT_COLOR LONGOPT_BASE_APPLICATION+2
139 #define LONGOPT_NO_DUPLICATE_KEYS LONGOPT_BASE_APPLICATION+3
140 #define LONGOPT_ELASTIC_MAPPING_FILTER LONGOPT_BASE_APPLICATION+4
141 #define LONGOPT_EXPORT_TLS_SESSION_KEYS LONGOPT_BASE_APPLICATION+5
142 #define LONGOPT_CAPTURE_COMMENT LONGOPT_BASE_APPLICATION+6
143 #define LONGOPT_HEXDUMP LONGOPT_BASE_APPLICATION+7
144 #define LONGOPT_SELECTED_FRAME LONGOPT_BASE_APPLICATION+8
145 #define LONGOPT_PRINT_TIMERS LONGOPT_BASE_APPLICATION+9
147 capture_file cfile;
160 /*
161 * The way the packet decode is to be written.
162 */
170 WRITE_EK /* JSON bulk insert to Elasticsearch */
171 /* Add CSV and the like here */
185 static guint hexdump_source_option = HEXDUMP_SOURCE_MULTI; /* Default - Enable legacy multi-source mode */
186 static guint hexdump_ascii_option = HEXDUMP_ASCII_INCLUDE; /* Default - Enable legacy undelimited ASCII dump */
196 static proto_node_children_grouper_func node_children_grouper = proto_node_group_children_by_unique;
200 /* The line separator used between packets, changeable via the -S option */
203 /* Per-file comments to be added to the output file. */
208 #ifdef HAVE_LIBPCAP
209 /*
210 * TRUE if we're to print packet counts to keep track of captured packets.
211 */
218 #ifdef SIGINFO
237 #ifdef _WIN32
241 #ifdef SIGINFO
247 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
250 PROCESS_FILE_SUCCEEDED,
251 PROCESS_FILE_NO_FILE_PROCESSED,
252 PROCESS_FILE_ERROR,
253 PROCESS_FILE_INTERRUPTED
255 static process_file_status_t process_cap_file(capture_file *, char *, int, gboolean, int, gint64, int);
259 guint tap_flags);
272 gint64 dissect;
273 gint64 dfilter_read;
274 gint64 dfilter_filter;
275 };
277 gint64 dfilter_expand;
278 gint64 dfilter_compile;
280 gint64 elapsed_first_pass;
282 gint64 elapsed_second_pass;
283 }
284 tshark_elapsed;
286 static void
288 {
289 json_dumper dumper = {
292 };
295 // Should not happen
298 }
300 #define DUMP(name, val) \
301 json_dumper_set_member_name(&dumper, name); \
310 }
314 }
335 }
339 }
341 static void
343 {
352 }
354 }
359 };
361 static gint
363 {
366 }
368 static void
370 {
374 }
376 static void
378 {
379 guint i;
386 /* How many readable file types are there? */
389 num_file_types++;
392 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
397 }
400 }
402 static void
404 {
405 fprintf(stderr, "tshark: The available export tap names and the encapsulation types they produce for the \"-U tap_name\" option are:\n");
409 fprintf(stderr, " %s - %s\n", (const char*)(export_pdu_tap_name_list->data), wtap_encap_description(export_pdu_tap_get_encap((const char*)export_pdu_tap_name_list->data)));
410 }
411 }
413 static void
415 {
420 #ifdef HAVE_LIBPCAP
426 #ifdef HAVE_PCAP_CREATE
428 #else
430 #endif
433 #ifdef HAVE_PCAP_CREATE
435 #endif
436 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
439 #endif
447 fprintf(output, " --update-interval interval between updates with new packets (def: %dms)\n", DEFAULT_UPDATE_INTERVAL);
456 /*fprintf(output, "\n");*/
468 #ifdef HAVE_PCAP_REMOTE
471 #endif
472 /*fprintf(output, "\n");*/
509 /*fprintf(output, "\n");*/
524 fprintf(output, " --hexdump <hexoption> add hexdump, set options for data source and ASCII dump\n");
536 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
544 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
570 fprintf(output, " --no-duplicate-keys If -T json is specified, merge duplicate keys in an object\n");
573 fprintf(output, " --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the\n");
590 #ifdef __linux__
596 #endif
598 }
600 static void
602 {
634 }
636 static void
638 {
659 }
661 static void
663 {
675 }
677 }
678 }
680 static void
682 {
683 /* Capture libraries */
686 }
688 static void
690 {
691 #ifdef HAVE_LIBPCAP
693 #endif
695 /* stuff used by libwireshark */
697 }
699 static gboolean
701 {
702 gboolean ok;
706 gint64 elapsed_start;
714 }
727 }
729 }
734 }
736 #define compile_dfilter(text, dfp) _compile_dfilter(text, dfp, __func__)
738 static gboolean
740 {
744 /* Don't treat the empty string as an intended field abbreviation
745 * to output, consecutive spaces on the command line probably
746 * aren't intentional.
747 */
749 }
751 cmdarg_err("%s was already specified with different filter flags. Overwriting previous protocol filter.", *newfilter);
752 }
753 }
755 }
757 static void
759 {
762 gint i;
765 /* "file open" */
767 /*
768 * Fetching the "File" dialogs folder not implemented.
769 * This is arguably just a pwd for a ui/cli .
770 */
772 /* temp */
774 #ifdef HAVE_LIBPCAP
775 /* global_capture_opts only exists in this case */
778 #endif
781 /* pers conf */
786 /* global conf */
790 }
792 /* system */
796 /* program */
801 /* pers plugins */
804 /* global plugins */
806 }
808 #ifdef HAVE_LUA
809 /* pers lua plugins */
812 /* global lua plugins */
814 #endif
816 /* Personal Extcap */
825 /* Global Extcap */
834 /* MaxMindDB */
845 #ifdef HAVE_LIBSMI
846 /* SMI MIBs/PIBs */
856 #endif
858 }
860 static gboolean
863 {
864 /* We have to dissect each packet if:
866 we're printing information about each packet;
868 we're using a read filter on the packets;
870 we're using a display filter on the packets;
872 we're exporting PDUs;
874 we're using any taps that need dissection. */
877 }
879 #ifdef HAVE_LIBPCAP
880 /*
881 * Check whether a purported *shark packet-matching expression (display
882 * or read filter) looks like a capture filter and, if so, print a
883 * warning.
884 *
885 * Used, for example, if the string in question isn't a valid packet-
886 * matching expression.
887 */
888 static void
890 {
901 }
903 }
904 }
905 #endif
907 #ifdef HAVE_LIBPCAP
912 {
914 /*
915 * This isn't a GUI tool, so no need for a callback.
916 */
918 }
919 /*
920 * Routines expect to free the returned interface list, so return
921 * a deep copy.
922 */
924 }
925 #endif
927 int
929 {
932 failure_message,
933 failure_message,
934 open_failure_message,
935 read_failure_message,
936 write_failure_message,
937 cfile_open_failure_message,
938 cfile_dump_open_failure_message,
939 cfile_read_failure_message,
940 cfile_write_failure_message,
941 cfile_close_failure_message
942 };
947 LONGOPT_CAPTURE_COMMON
948 LONGOPT_DISSECT_COMMON
949 LONGOPT_READ_CAPTURE_COMMON
961 };
968 gboolean exp_pdu_status;
972 #ifdef HAVE_LIBPCAP
976 #else
979 #endif
993 exp_pdu_t exp_pdu_tap_data;
996 /*
997 * The leading + ensures that getopt_long() does not permute the argv[]
998 * entries.
999 *
1000 * We have to make sure that the first getopt_long() preserves the content
1001 * of argv[] for the subsequent getopt_long() call.
1002 *
1003 * We use getopt_long() in both cases to ensure that we're using a routine
1004 * whose permutation behavior we can control in the same fashion on all
1005 * platforms, and so that, if we ever need to process a long argument before
1006 * doing further initialization, we can do so.
1007 *
1008 * Glibc and Solaris libc document that a leading + disables permutation
1009 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1010 * and macOS don't document it, but do so anyway.
1011 *
1012 * We do *not* use a leading - because the behavior of a leading - is
1013 * platform-dependent.
1014 */
1015 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON OPTSTRING_READ_CAPTURE_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQS:T:U:vVw:W:xX:z:"
1019 /*
1020 * Set the C-language locale to the native environment and set the
1021 * code page to UTF-8 on Windows.
1022 */
1023 #ifdef _WIN32
1025 #else
1027 #endif
1033 /* Initialize log handler early so we can have proper logging during startup. */
1036 /* Early logging command-line initialization. */
1042 #ifdef _WIN32
1046 /*
1047 * Get credential information for later use, and drop privileges
1048 * before doing anything else.
1049 * Let the user know if anything happened.
1050 */
1055 /*
1056 * Attempt to get the pathname of the directory containing the
1057 * executable file.
1058 */
1065 err_msg);
1067 }
1071 #ifdef _WIN32
1073 #ifdef HAVE_LIBPCAP
1074 /* Load wpcap if possible. Do this before collecting the run-time version information */
1079 /* Initialize the version information. */
1083 /* Fail sometimes. Useful for testing fuzz scripts. */
1084 /* if (g_random_int_range(0, 100) < 5) abort(); */
1086 /*
1087 * In order to have the -X opts assigned before the wslua machine starts
1088 * we need to call getopt_long before epan_init() gets called.
1089 *
1090 * In order to handle, for example, -o options, we also need to call it
1091 * *after* epan_init() gets called, so that the dissectors have had a
1092 * chance to register their preferences.
1093 *
1094 * Spawning a bunch of extcap processes can delay program startup,
1095 * particularly on Windows. Check to see if we have any options that
1096 * might require extcap and set has_extcap_options = TRUE if that's
1097 * the case.
1098 *
1099 * XXX - can we do this all with one getopt_long() call, saving the
1100 * arguments we can't handle until after initializing libwireshark,
1101 * and then process them after initializing libwireshark?
1102 */
1112 /* Copy from global profile */
1120 }
1131 }
1137 }
1142 }
1151 }
1163 /* FALLTHROUGH */
1170 /* The user asked for hex output, so let's ensure they get it,
1171 * even if they're writing to a file.
1172 */
1187 }
1188 }
1190 #ifndef HAVE_LUA
1195 }
1200 #ifdef HAVE_LIBPCAP
1206 #endif
1212 /*
1213 * Libwiretap must be initialized before libwireshark is, so that
1214 * dissection-time handlers for file-type-dependent blocks can
1215 * register using the file type/subtype value for the file type.
1216 */
1219 /* Register all dissectors; we must do this before checking for the
1220 "-G" flag, as the "-G" flag dumps information registered by the
1221 dissectors, and we must do it before we read the preferences, in
1222 case any dissectors register preferences. */
1226 }
1228 /* Register all tap listeners; we do this before we parse the arguments,
1229 as the "-z" argument can specify a registered tap. */
1233 /* Register extcap preferences only when needed. */
1236 }
1244 /* If invoked with the "-G" flag, we dump out information based on
1245 the argument to the "-G" flag; if no argument is specified,
1246 for backwards compatibility we dump out a glossary of display
1247 filter symbols.
1249 XXX - we do this here, for now, to support "-G" with no arguments.
1250 If none of our build or other processes uses "-G" with no arguments,
1251 we can just process it with the other arguments. */
1253 /* NOTE: This is before the preferences are loaded with
1254 * epan_load_settings() below, so if you add a new report
1255 * and it depends on the profile settings, call epan_load_settings()
1256 * first.
1257 *
1258 * It is after addr_resolv_init() is called (done by epan_init()),
1259 * so "manuf", "enterprises", and "services" have the values from
1260 * the global and personal profile files already loaded.
1261 */
1275 }
1288 /* return value for the test suite */
1291 }
1299 }
1300 }
1303 }
1304 }
1320 #ifdef HAVE_PLUGINS
1323 #endif
1324 #ifdef HAVE_LUA
1326 #endif
1329 }
1337 /* These are supported only for backwards compatibility and may or may not work
1338 * for a given user in a given directory on a given operating system with a given
1339 * command-line interpreter.
1340 */
1349 }
1350 }
1353 }
1357 /* Load libwireshark settings from the current profile. */
1363 /* Print format defaults to this. */
1369 /*
1370 * To reset the options parser, set ws_optreset to 1 and set ws_optind to 1.
1371 *
1372 * Also reset ws_opterr to 1, so that error messages are printed by
1373 * getopt_long().
1374 */
1379 /* Now get our args */
1386 }
1393 }
1404 #ifdef HAVE_PCAP_REMOTE
1406 #endif
1407 #ifdef HAVE_PCAP_CREATE
1409 #endif
1412 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1414 #endif
1418 /* These are options only for packet capture. */
1419 #ifdef HAVE_LIBPCAP
1423 }
1424 #else
1427 #endif
1430 #ifdef HAVE_LIBPCAP
1434 }
1435 #else
1437 #endif
1441 #ifdef HAVE_LIBPCAP
1445 }
1446 #endif
1449 /* already processed; just ignore it now */
1452 #ifdef HAVE_LIBPCAP
1456 /*
1457 * An error occurred when fetching the local
1458 * interfaces. Report it.
1459 */
1463 }
1465 /*
1466 * No interfaces were found. If that's not the
1467 * result of an error when fetching the local
1468 * interfaces, let the user know.
1469 */
1473 }
1475 }
1479 #else
1482 #endif
1485 /* Field entry */
1486 {
1494 else
1496 }
1497 }
1500 /* Field option */
1506 }
1515 }
1526 }
1532 }
1535 /* This is patterned after the -N flag which may not be the best idea. */
1543 }
1547 {
1551 }
1562 /* The ANSI C standard does not appear to *require* that a line-buffered
1563 stream be flushed to the host environment whenever a newline is
1564 written, it just says that, on such a stream, characters "are
1565 intended to be transmitted to or from the host environment as a
1566 block when a new-line character is encountered".
1568 The Visual C++ 6.0 C implementation doesn't do what is intended;
1569 even if you set a stream to be line-buffered, it still doesn't
1570 flush the buffer at the end of every line.
1572 The whole reason for the "-l" flag in either tcpdump or TShark
1573 is to allow the output of a live capture to be piped to a program
1574 or script and to have that script see the information for the
1575 packet as soon as it's printed, rather than having to wait until
1576 a standard I/O buffer fills up.
1578 So, if the "-l" flag is specified, we flush the standard output
1579 at the end of a packet. This will do the right thing if we're
1580 printing packet summary lines, and, as we print the entire protocol
1581 tree for a single packet without waiting for anything to happen,
1582 it should be as good as line-buffered mode if we're printing
1583 protocol trees - arguably even better, as it may do fewer
1584 writes. */
1588 #ifdef HAVE_LIBPCAP
1590 #else
1593 #endif
1596 #ifdef HAVE_LIBPCAP
1598 #else
1601 #endif
1604 {
1631 }
1633 }
1642 /* already processed; just ignore it now */
1648 /* already processed; just ignore it now */
1654 /* output_action has been already set. It means multiple -T. */
1659 }
1695 }
1728 }
1735 }
1740 /* We don't really have to cleanup here, but it's a convenient way to test
1741 * start-up and shut-down of the epan library without any UI-specific
1742 * cruft getting in the way. Makes the results of running
1743 * $ ./tools/valgrind-wireshark -n
1744 * much more useful. */
1750 /* already processed; just ignore it now */
1753 /* already processed; just ignore it now */
1756 /* already processed; just ignore it now */
1759 /* already processed; just ignore it now */
1765 /* We won't call the init function for the stat this soon
1766 as it would disallow MATE's fields (which are registered
1767 by the preferences set callback) from being used as
1768 part of a tap filter. Instead, we just add the argument
1769 to a list of stat arguments. */
1775 }
1781 }
1792 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1793 case LONGOPT_ONLY_PROTOCOLS: /* enable dissection of only this comma separated list of protocols */
1794 case LONGOPT_DISABLE_ALL_PROTOCOLS: /* enable dissection of protocol (that is disabled by default) */
1798 }
1802 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1806 }
1810 }
1817 /* This has no effect if we don't print packet info or filter
1818 (we can filter on the coloring rules). Should we warn or
1819 error later if so, instead of silently ignoring it? */
1828 }
1853 }
1856 /* Hidden option to mark a frame as "selected". Used for testing and debugging.
1857 * Only active in two-pass mode. */
1862 }
1875 }
1879 }
1880 }
1882 /* set the default output action to TEXT */
1886 /* set the default file type to pcapng */
1890 /*
1891 * Print packet summary information is the default if neither -V or -x
1892 * were specified. Note that this is new behavior, which allows for the
1893 * possibility of printing only hex/ascii output without necessarily
1894 * requiring that either the summary or details be printed too.
1895 */
1903 }
1905 /* If we specified output fields, but not the output field type... */
1906 /* XXX: If we specfied both output fields with -e *and* protocol filters
1907 * with -j/-J, only the former are used. Should we warn or abort?
1908 * This also doesn't distinguish PDML from PSML, but shouldn't allow the
1909 * latter.
1910 */
1911 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1922 }
1928 }
1929 }
1931 /* If no capture filter or display filter has been specified, and there are
1932 still command-line arguments, treat them as the tokens of a capture
1933 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1934 flag was specified. */
1942 }
1945 #ifdef HAVE_LIBPCAP
1946 guint i;
1953 }
1964 }
1965 }
1967 #else
1969 #endif
1970 }
1971 }
1974 /* We're not saving the capture to a file; if "-q" wasn't specified,
1975 we should print packet information */
1980 /* We're saving to a file; if we're writing to the standard output.
1981 and we'll also be writing dissected packets to the standard
1982 output, reject the request. At best, we could redirect that
1983 to the standard error; we *can't* write both to the standard
1984 output and have either of them be useful. */
1990 }
1991 }
1993 #ifndef HAVE_LIBPCAP
1996 #endif
2001 }
2004 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
2005 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
2008 }
2009 }
2018 }
2026 }
2028 }
2029 }
2035 }
2037 #ifdef HAVE_LIBPCAP
2039 /* We're supposed to list the link-layer/timestamp types for an interface;
2040 did the user also specify a capture file to be read? */
2042 /* Yes - that's bogus. */
2047 }
2048 /* No - did they specify a ring buffer option? */
2053 }
2056 /*
2057 * "-r" was specified, so we're reading a capture file.
2058 * Capture options don't apply here.
2059 */
2061 /* We don't support capture filters when reading from a capture file
2062 (the BPF compiler doesn't support all link-layer types that we
2063 support in capture files we read). */
2069 }
2075 }
2081 }
2087 }
2093 }
2099 }
2101 /* Note: TShark now allows the restriction of a _read_ file by packet count
2102 * and byte count as well as a write file. Other autostop options remain valid
2103 * only for a write file.
2104 */
2110 }
2112 /*
2113 * "-r" wasn't specified, so we're doing a live capture.
2114 */
2118 /* Two-pass analysis doesn't work with live capture since it requires us
2119 * to buffer packets until we've read all of them, but a live capture
2120 * has no useful/meaningful definition of "all" */
2124 }
2127 /* They specified a "-w" flag, so we'll be saving to a capture file. */
2129 /* When capturing, we only support writing pcap or pcapng format. */
2138 }
2143 }
2145 /* Multiple-file mode doesn't work under certain conditions:
2146 a) it doesn't work if you're writing to the standard output;
2147 b) it doesn't work if you're writing to a pipe;
2148 */
2154 }
2160 }
2169 }
2170 }
2171 /* Currently, we don't support read or display filters when capturing
2172 and saving the packets. */
2177 }
2179 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
2182 }
2185 /* They didn't specify a "-w" flag, so we won't be saving to a
2186 capture file. Check for options that only make sense if
2187 we're saving to a file. */
2193 }
2199 }
2205 }
2206 }
2207 }
2208 }
2209 #endif
2211 /*
2212 * If capture comments were specified, -w also has to have been specified.
2213 */
2216 /* They specified a "-w" flag, so we'll be saving to a capture file.
2217 * This is fine if they're writing in a format that supports
2218 * section block comments.
2219 */
2221 WTAP_BLOCK_SECTION,
2234 }
2237 }
2238 }
2243 }
2244 }
2248 {
2254 }
2256 /* Notify all registered modules that have had any of their preferences
2257 changed either from one of the preferences file or from the command
2258 line that their preferences have changed. */
2261 /* We can also enable specified taps for export object */
2264 /* At this point MATE will have registered its field array so we can
2265 check if the fields specified by the user are all good.
2266 */
2267 {
2275 }
2279 }
2280 }
2290 }
2291 }
2298 /*
2299 * Enabled and disabled protocols and heuristic dissectors as per
2300 * command-line options.
2301 */
2305 }
2307 /* Build the column format array */
2310 #ifdef HAVE_LIBPCAP
2313 #endif
2321 #ifdef HAVE_LIBPCAP
2323 #endif
2327 }
2328 }
2337 #ifdef HAVE_LIBPCAP
2339 #endif
2343 }
2344 }
2348 /* If we're printing as text or PostScript, we have
2349 to create a print stream. */
2363 }
2364 }
2365 }
2367 /* PDU export requested. Take the ownership of the '-w' file, apply tap
2368 * filters and start tapping. */
2380 }
2381 /* Take ownership of the '-w' output file. */
2384 #ifdef HAVE_LIBPCAP
2386 #endif
2391 }
2401 }
2404 /* Write to the standard output. */
2412 }
2413 }
2415 /* Activate the export PDU tap */
2416 /* Write to our output file with this comment (if the type supports it,
2417 * otherwise exp_pdu_open() will ignore the comment) */
2425 out_file_type);
2428 }
2429 }
2433 /*
2434 * We're reading a capture file.
2435 */
2441 }
2443 /* Start statistics taps; we do so after successfully opening the
2444 capture file, so we know we have something to compute stats
2445 on, and after registering all dissectors, so that MATE will
2446 have registered its field array so we can have a tap filter
2447 with one of MATE's late-registered fields as part of the
2448 filter. */
2451 /* Do we need to do dissection of packets? That depends on, among
2452 other things, what taps are listening, so determine that after
2453 starting the statistics taps. */
2457 /* Process the packets in the file */
2459 TRY {
2461 #ifdef HAVE_LIBPCAP
2464 global_capture_opts.has_autostop_written_packets ? global_capture_opts.autostop_written_packets : 0);
2465 #else
2466 max_packet_count,
2469 #endif
2470 }
2480 }
2481 ENDTRY;
2486 /* Everything worked OK; draw the taps. */
2491 /* We never got to try to read the file, so there are no tap
2492 results to dump. Exit with an error status. */
2497 /* We still dump out the results of taps, etc., as we might have
2498 read some packets; however, we exit with an error status. */
2504 /* The user interrupted the read process; Don't dump out the
2505 result of taps, etc., and exit with an error status. */
2508 }
2514 }
2517 }
2520 /* No capture file specified, so we're supposed to do a live capture
2521 or get a list of link-layer types for a live capture device;
2522 do we have support for live captures? */
2523 #ifdef HAVE_LIBPCAP
2524 #ifdef _WIN32
2525 /* Warn the user if npf.sys isn't loaded. */
2529 }
2532 /* if no interface was specified, pick a default */
2534 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2537 }
2539 /*
2540 * If requested, list the link layer types and/or time stamp types
2541 * and exit.
2542 */
2544 guint i;
2546 /* Get the list of link-layer types for the capture devices. */
2559 #ifdef HAVE_PCAP_REMOTE
2563 }
2564 #endif
2566 }
2568 capability_hash = capture_get_if_list_capabilities(if_cap_queries, &err_str, &err_str_secondary, NULL);
2576 cmdarg_err("%s%s%s", err_str, err_str_secondary ? "\n" : "", err_str_secondary ? err_str_secondary : "");
2581 }
2583 caps_queries);
2586 }
2587 }
2590 }
2592 /*
2593 * If the standard error isn't a terminal, don't print packet counts,
2594 * as they won't show up on the user's terminal and they'll get in
2595 * the way of error messages in the file (to which we assume the
2596 * standard error was redirected; if it's redirected to the null
2597 * device, there's no point in printing packet counts anyway).
2598 *
2599 * Otherwise, if we're printing packet information and the standard
2600 * output is a terminal (which we assume means the standard output and
2601 * error are going to the same terminal), don't print packet counts,
2602 * as they'll get in the way of the packet information.
2603 *
2604 * Otherwise, if the user specified -q, don't print packet counts.
2605 *
2606 * Otherwise, print packet counts.
2607 *
2608 * XXX - what if the user wants to do a live capture, doesn't want
2609 * to save it to a file, doesn't want information printed for each
2610 * packet, does want some "-z" statistic, and wants packet counts
2611 * so they know whether they're seeing any packets? -q will
2612 * suppress the information printed for each packet, but it'll
2613 * also suppress the packet counts.
2614 */
2621 else
2626 /* Start statistics taps; we should only do so after the capture
2627 started successfully, so we know we have something to compute
2628 stats, but we currently don't check for that - see below.
2630 We do so after registering all dissectors, so that MATE will
2631 have registered its field array so we can have a tap filter
2632 with one of MATE's late-registered fields as part of the
2633 filter. */
2636 /* Do we need to do dissection of packets? That depends on, among
2637 other things, what taps are listening, so determine that after
2638 starting the statistics taps. */
2642 /* We're doing live capture; if the capture child is writing to a pipe,
2643 we can't do dissection, because that would mean two readers for
2644 the pipe, tshark and whatever else. */
2650 }
2655 }
2656 /* We already checked the next three reasons for supersets of
2657 capturing and saving to a pipe, but this doesn't hurt. */
2662 }
2667 }
2672 }
2673 /* There's some other reason we're dissecting. */
2677 }
2679 /* Write a preamble if we're printing one. Do this after all checking
2680 * for invalid options, so we don't print just a preamble and quit. */
2686 }
2687 }
2689 /*
2690 * XXX - this returns FALSE if an error occurred, but it also
2691 * returns FALSE if the capture stops because a time limit
2692 * was reached (and possibly other limits), so we can't assume
2693 * it means an error.
2694 *
2695 * The capture code is a bit twisty, so it doesn't appear to
2696 * be an easy fix. We just ignore the return value for now.
2697 * Instead, pass on the exit status from the capture child.
2698 */
2705 }
2706 }
2708 /*
2709 * If we never got a capture file, don't draw the taps; we not only
2710 * didn't capture any packets, we never even did any capturing.
2711 */
2714 #else
2715 /* No - complain. */
2719 #endif
2720 }
2725 }
2731 gsize keylist_length;
2735 }
2739 /* We're doind a live capture. That isn't currently supported
2740 * with timers. */
2742 }
2745 }
2746 }
2748 /* Memory cleanup */
2758 clean_exit:
2763 #ifdef HAVE_LIBPCAP
2767 }
2768 #endif
2775 }
2782 {
2784 cap_file_provider_get_frame_ts,
2785 cap_file_provider_get_interface_name,
2786 cap_file_provider_get_interface_description,
2787 NULL,
2788 };
2791 }
2793 #ifdef HAVE_LIBPCAP
2794 static gboolean
2796 {
2800 #ifndef _WIN32
2802 #endif
2804 /* Create new dissection section. */
2808 #ifdef _WIN32
2809 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2812 /* Catch SIGINT and SIGTERM and, if we get either of them,
2813 clean up and exit. If SIGHUP isn't being ignored, catch
2814 it too and, if we get it, clean up and exit.
2816 We restart any read that was in progress, so that it doesn't
2817 disrupt reading from the sync pipe. The signal handler tells
2818 the capture child to finish; it will report that it finished,
2819 or will exit abnormally, so we'll stop reading from the sync
2820 pipe, pick up the exit status, and quit. */
2831 #ifdef SIGINFO
2832 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2833 quiet mode, report the number of packets we've captured.
2835 Again, restart any read that was in progress, so that it doesn't
2836 disrupt reading from the sync pipe. */
2846 /* Let the user know which interfaces were chosen. */
2859 /*
2860 * Force synchronous resolution of IP addresses; we're doing only
2861 * one pass, so we can't do it in the background and fix up past
2862 * dissections.
2863 */
2866 /* the actual capture loop */
2870 TRY
2871 {
2873 {
2875 }
2876 }
2886 }
2887 ENDTRY;
2889 }
2891 /* capture child detected an error */
2892 static void
2893 capture_input_error(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2894 {
2895 /* The primary message might be an empty string, e.g. when the error was
2896 * from extcap. (The extcap stderr is gathered when the session closes
2897 * and printed in capture_input_closed below.) */
2901 /* We have both primary and secondary messages. */
2903 }
2904 }
2905 }
2908 /* capture child detected an capture filter related error */
2909 static void
2911 {
2939 }
2940 }
2943 /* capture child tells us we have a new (or the first) capture file */
2944 static bool
2946 {
2949 gboolean is_tempfile;
2955 }
2957 }
2961 /* free the old filename */
2964 /* we start a new capture file, close the old one (if we had one before) */
2967 }
2975 /* we didn't had a save_file before, must be a tempfile */
2977 }
2979 /* save the new filename */
2982 /* if we are in real-time mode, open the new file now */
2984 /* this is probably unnecessary, but better safe than sorry */
2986 /* Attempt to open the capture file and set up to read from it. */
2991 /* Don't unlink (delete) the save file - leave it around,
2992 for debugging purposes. */
2996 }
3001 }
3006 }
3009 /* capture child tells us we have new packets to read */
3010 static void
3012 {
3013 gboolean ret;
3016 gint64 data_offset;
3018 gboolean filtering_tap_listeners;
3019 guint tap_flags;
3021 #ifdef SIGINFO
3022 /*
3023 * Prevent a SIGINFO handler from writing to the standard error while
3024 * we're doing so or writing to the standard output; instead, have it
3025 * just set a flag telling us to print that information when we're done.
3026 */
3030 /* Do we have any tap listeners with filters? */
3033 /* Get the union of the flags for all tap listeners. */
3037 gboolean create_proto_tree;
3039 wtap_rec rec;
3040 Buffer buf;
3042 /*
3043 * Determine whether we need to create a protocol tree.
3044 * We do if:
3045 *
3046 * we're going to apply a read filter;
3047 *
3048 * we're going to apply a display filter;
3049 *
3050 * we're going to print the protocol tree;
3051 *
3052 * one of the tap listeners is going to apply a filter;
3053 *
3054 * one of the tap listeners requires a protocol tree;
3055 *
3056 * a postdissector wants field values or protocols
3057 * on the first pass;
3058 *
3059 * we have custom columns (which require field values, which
3060 * currently requires that we build a protocol tree).
3061 */
3062 create_proto_tree =
3067 /* The protocol tree will be "visible", i.e., nothing faked, only if
3068 we're printing packet details, which is true if we're printing stuff
3069 ("print_packet_info" is true) and we're in verbose mode
3070 ("packet_details" is true). But if we specified certain fields with
3071 "-e", we'll prime those directly later. */
3072 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3083 /* read from file failed, tell the capture child to stop */
3089 tap_flags);
3090 }
3092 /* packet successfully read and gone through the "Read Filter" */
3093 packet_count++;
3094 }
3096 }
3104 /*
3105 * Dumpcap's doing all the work; we're not doing any dissection.
3106 * Count all the packets it wrote.
3107 */
3109 }
3112 /* We're printing packet counts. */
3115 /* stderr could be line buffered */
3117 }
3118 }
3120 #ifdef SIGINFO
3121 /*
3122 * Allow SIGINFO handlers to write.
3123 */
3126 /*
3127 * If a SIGINFO handler asked us to write out capture counts, do so.
3128 */
3132 }
3134 static void
3136 {
3138 /* Report the count only if we aren't printing a packet count
3139 as packets arrive. */
3142 }
3143 #ifdef SIGINFO
3146 }
3148 #ifdef SIGINFO
3149 static void
3151 {
3153 /* If we've been told to delay printing, just set a flag asking
3154 that we print counts (if we're supposed to), otherwise print
3155 the count of packets captured (if we're supposed to). */
3158 else
3161 }
3165 /* capture child detected any packet drops? */
3166 static void
3167 capture_input_drops(capture_session *cap_session _U_, guint32 dropped, const char* interface_name)
3168 {
3170 /* We're printing packet counts to stderr.
3171 Send a newline so that we move to the line after the packet count. */
3173 }
3176 /* We're printing packet counts to stderr.
3177 Send a newline so that we move to the line after the packet count. */
3179 fprintf(stderr, "%u packet%s dropped from %s\n", dropped, plurality(dropped, "", "s"), interface_name);
3182 }
3183 }
3184 }
3187 /*
3188 * Capture child closed its side of the pipe, report any error and
3189 * do the required cleanup.
3190 */
3191 static void
3193 {
3200 }
3202 #ifdef _WIN32
3203 static BOOL WINAPI
3205 {
3206 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3207 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3208 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3209 like SIGTERM at least when the machine's shutting down.
3211 For now, we handle them all as indications that we should clean up
3212 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3213 way on UNIX.
3215 We must return TRUE so that no other handler - such as one that would
3216 terminate the process - gets called.
3218 XXX - for some reason, typing ^C to TShark, if you run this in
3219 a Cygwin console window in at least some versions of Cygwin,
3220 causes TShark to terminate immediately; this routine gets
3221 called, but the main loop doesn't get a chance to run and
3222 exit cleanly, at least if this is compiled with Microsoft Visual
3223 C++ (i.e., it's a property of the Cygwin console window or Bash;
3224 it happens if TShark is not built with Cygwin - for all I know,
3225 building it with Cygwin may make the problem go away). */
3227 /* tell the capture child to stop */
3230 /* don't stop our own loop already here, otherwise status messages and
3231 * cleanup wouldn't be done properly. The child will indicate the stop of
3232 * everything by calling capture_input_closed() later */
3235 }
3236 #else
3237 static void
3239 {
3240 /* tell the capture child to stop */
3243 /* don't stop our own loop already here, otherwise status messages and
3244 * cleanup wouldn't be done properly. The child will indicate the stop of
3245 * everything by calling capture_input_closed() later */
3246 }
3250 static gboolean
3253 {
3254 frame_data fdlocal;
3255 guint32 framenum;
3256 gboolean passed;
3257 gint64 elapsed_start;
3259 /* The frame number of this packet is one more than the count of
3260 frames in this packet. */
3263 /* If we're not running a display filter and we're not printing any
3264 packet information, we don't need to do a dissection. This means
3265 that all packets can be marked as 'passed'. */
3270 /* If we're going to run a read filter or a display filter, set up to
3271 do a dissection and do so. (This is the first pass of two passes
3272 over the packets, so we will not be printing any information
3273 from the dissection or running taps on the packet; if we're doing
3274 any of that, we'll do it in the second pass.) */
3277 /* If we're doing async lookups, send any that are queued and
3278 * retrieve results.
3279 *
3280 * Ideally we'd force any lookups that need to happen on the second pass
3281 * to be sent asynchronously on this pass so the results would be ready.
3282 * That will happen if they're involved in a filter (because we prime the
3283 * tree below), but not currently for taps, if we're printing packet
3284 * summaries or details, etc.
3285 *
3286 * XXX - If we're running a read filter that depends on a resolved
3287 * name, we should be doing synchronous lookups in that case. Also
3288 * marking the dependent frames below might not work with a display
3289 * filter that depends on a resolved name.
3290 */
3292 }
3296 /* If we're running a read filter, prime the epan_dissect_t with that
3297 filter. */
3304 /* This is the first pass, so prime the epan_dissect_t with the
3305 hfids postdissectors want on the first pass. */
3313 }
3315 /* If we're applying a filter that needs the columns, construct them. */
3318 }
3326 /* Run the read filter if we have one. */
3331 }
3332 }
3336 cf->provider.prev_cap = cf->provider.prev_dis = frame_data_sequence_add(cf->provider.frames, &fdlocal);
3338 /* If we're not doing dissection then there won't be any dependent frames.
3339 * More importantly, edt.pi.fd.dependent_frames won't be initialized because
3340 * epan hasn't been initialized.
3341 * if we *are* doing dissection, then mark the dependent frames, but only
3342 * if a display filter was given and it matches this packet.
3343 */
3347 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
3348 }
3351 /* If we are doing dissection and we have a "selected frame"
3352 * then load that frame's references (if any) onto the compiled
3353 * display filter. Selected frame number is ordinal, count is cardinal. */
3355 }
3357 }
3361 /* if we don't add it to the frame_data_sequence, clean it up right now
3362 * to avoid leaks */
3364 }
3370 }
3372 /*
3373 * Set if reading a file was interrupted by a CTRL_ event on Windows or
3374 * a signal on UN*X.
3375 */
3378 #ifdef _WIN32
3379 static BOOL WINAPI
3381 {
3382 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
3383 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
3384 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
3385 like SIGTERM at least when the machine's shutting down.
3387 For now, we handle them all as indications that we should clean up
3388 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
3389 way on UNIX.
3391 We must return TRUE so that no other handler - such as one that would
3392 terminate the process - gets called.
3394 XXX - for some reason, typing ^C to TShark, if you run this in
3395 a Cygwin console window in at least some versions of Cygwin,
3396 causes TShark to terminate immediately; this routine gets
3397 called, but the main loop doesn't get a chance to run and
3398 exit cleanly, at least if this is compiled with Microsoft Visual
3399 C++ (i.e., it's a property of the Cygwin console window or Bash;
3400 it happens if TShark is not built with Cygwin - for all I know,
3401 building it with Cygwin may make the problem go away). */
3403 /* tell the read to stop */
3407 }
3408 #else
3409 static void
3411 {
3412 /* tell the read to stop */
3414 }
3418 PASS_SUCCEEDED,
3419 PASS_READ_ERROR,
3420 PASS_WRITE_ERROR,
3421 PASS_INTERRUPTED
3424 static pass_status_t
3427 {
3428 wtap_rec rec;
3429 Buffer buf;
3431 gint64 data_offset;
3438 /* Allocate a frame_data_sequence for all the frames. */
3442 gboolean create_proto_tree;
3444 /*
3445 * Determine whether we need to create a protocol tree.
3446 * We do if:
3447 *
3448 * we're going to apply a read filter;
3449 *
3450 * we're going to apply a display filter;
3451 *
3452 * a postdissector wants field values or protocols
3453 * on the first pass.
3454 */
3455 create_proto_tree =
3460 /* We're not going to display the protocol tree on this pass,
3461 so it's not going to be "visible". */
3463 }
3471 }
3472 framenum++;
3475 /* Stop reading if we hit a stop condition */
3480 }
3486 }
3487 }
3489 }
3496 /* Close the sequential I/O side, to free up memory it requires. */
3499 /* Allow the protocol dissectors to free up memory that they
3500 * don't need after the sequential run-through of the packets. */
3510 }
3512 static gboolean
3516 {
3518 gboolean passed;
3520 gint64 elapsed_start;
3522 /* If we're not running a display filter and we're not printing any
3523 packet information, we don't need to do a dissection. This means
3524 that all packets can be marked as 'passed'. */
3527 /* If we're going to print packet information, or we're going to
3528 run a read filter, or we're going to process taps, set up to
3529 do a dissection and do so. (This is the second pass of two
3530 passes over the packets; that's the pass where we print
3531 packet information or run taps.) */
3533 /* If we're running a display filter, prime the epan_dissect_t with that
3534 filter. */
3541 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
3542 * information from our 'frame' protocol.
3543 */
3547 }
3549 /* We only need the columns if either
3550 1) some tap or filter needs the columns
3551 or
3552 2) we're printing packet info but we're *not* verbose; in verbose
3553 mode, we print the protocol tree, not the protocol summary.
3554 or
3555 3) there is a column mapped to an individual field
3556 */
3557 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
3559 else
3567 }
3572 }
3574 /* epan_dissect_run (and epan_dissect_reset) unref the block.
3575 * We need it later, e.g. in order to copy the options. */
3583 /* Run the display filter if we have one. */
3588 }
3589 }
3593 /* Process this packet. */
3595 /* We're printing packet information; print the information for
3596 this packet. */
3599 /* If we're doing "line-buffering", flush the standard output
3600 after every packet. See the comment above, for the "-l"
3601 option, for an explanation of why we do that. */
3608 }
3609 }
3611 }
3617 }
3619 }
3621 static gboolean
3623 {
3624 wtap_block_t if_data;
3627 /*
3628 * Only add interface blocks if the output file supports (meaning
3629 * *requires*) them.
3630 *
3631 * That mean that the abstract interface provided by libwiretap
3632 * involves WTAP_BLOCK_IF_ID_AND_INFO blocks.
3633 */
3635 if (wtap_file_type_subtype_supports_block(wtap_dump_file_type_subtype(pdh), WTAP_BLOCK_IF_ID_AND_INFO) != BLOCK_NOT_SUPPORTED) {
3638 }
3639 }
3640 }
3642 }
3644 static pass_status_t
3649 {
3650 wtap_rec rec;
3651 Buffer buf;
3655 gboolean filtering_tap_listeners;
3656 guint tap_flags;
3660 /*
3661 * Process whatever IDBs we haven't seen yet. This will be all
3662 * the IDBs in the file, as we've finished reading it; they'll
3663 * all be at the beginning of the output file.
3664 */
3668 }
3673 /* Do we have any tap listeners with filters? */
3676 /* Get the union of the flags for all tap listeners. */
3680 gboolean create_proto_tree;
3682 /*
3683 * Determine whether we need to create a protocol tree.
3684 * We do if:
3685 *
3686 * we're going to apply a display filter;
3687 *
3688 * we're going to print the protocol tree;
3689 *
3690 * one of the tap listeners requires a protocol tree;
3691 *
3692 * we have custom columns (which require field values, which
3693 * currently requires that we build a protocol tree).
3694 */
3695 create_proto_tree =
3701 /* The protocol tree will be "visible", i.e., nothing faked, only if
3702 we're printing packet details, which is true if we're printing stuff
3703 ("print_packet_info" is true) and we're in verbose mode
3704 ("packet_details" is true). But if we specified certain fields with
3705 "-e", we'll prime those directly later. */
3706 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3708 }
3710 /*
3711 * Force synchronous resolution of IP addresses; in this pass, we
3712 * can't do it in the background and fix up past dissections.
3713 */
3720 }
3723 err_info)) {
3724 /* Error reading from the input file. */
3727 }
3730 /* Either there's no read filtering or this packet passed the
3731 filter, so, if we're writing to a capture file, write
3732 this packet out. */
3733 write_framenum++;
3737 /* Error writing to the output file. */
3742 }
3743 /* Stop reading if we hit a stop condition */
3748 }
3749 }
3750 }
3752 }
3761 }
3763 static pass_status_t
3769 {
3770 wtap_rec rec;
3771 Buffer buf;
3773 gboolean filtering_tap_listeners;
3774 guint tap_flags;
3778 gint64 data_offset;
3784 /* Do we have any tap listeners with filters? */
3787 /* Get the union of the flags for all tap listeners. */
3791 /*
3792 * Determine whether we need to create a protocol tree.
3793 * We do if:
3794 *
3795 * we're going to apply a read filter;
3796 *
3797 * we're going to apply a display filter;
3798 *
3799 * we're going to print the protocol tree;
3800 *
3801 * one of the tap listeners is going to apply a filter;
3802 *
3803 * one of the tap listeners requires a protocol tree;
3804 *
3805 * a postdissector wants field values or protocols
3806 * on the first pass;
3807 *
3808 * we have custom columns (which require field values, which
3809 * currently requires that we build a protocol tree).
3810 */
3811 create_proto_tree =
3818 /* The protocol tree will be "visible", i.e., nothing faked, only if
3819 we're printing packet details, which is true if we're printing stuff
3820 ("print_packet_info" is true) and we're in verbose mode
3821 ("packet_details" is true). But if we specified certain fields with
3822 "-e", we'll prime those directly later. */
3823 bool visible = print_packet_info && print_details && output_fields_num_fields(output_fields) == 0;
3825 }
3827 /*
3828 * Force synchronous resolution of IP addresses; we're doing only
3829 * one pass, so we can't do it in the background and fix up past
3830 * dissections.
3831 */
3839 }
3840 framenum++;
3842 /*
3843 * Process whatever IDBs we haven't seen yet.
3844 */
3849 }
3856 /* Either there's no read filtering or this packet passed the
3857 filter, so, if we're writing to a capture file, write
3858 this packet out. */
3859 write_framenum++;
3864 /* Error writing to the output file. */
3869 }
3870 }
3871 }
3872 /* Stop reading if we hit a stop condition */
3877 }
3882 }
3888 }
3890 }
3893 /* Error reading from the input file. */
3896 /*
3897 * Process whatever IDBs we haven't seen yet.
3898 */
3902 }
3903 }
3904 }
3913 }
3915 static process_file_status_t
3919 {
3922 #ifndef _WIN32
3924 #endif
3931 gint64 elapsed_start;
3934 /* Set up to write to the capture file. */
3937 /* If we don't have an application name add TShark */
3938 if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3939 /* this is free'd by wtap_block_unref() later */
3940 wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "%s", get_appname_and_version());
3941 }
3947 }
3948 }
3952 /* Write to the standard output. */
3958 }
3964 /* We couldn't set up to write to the capture file. */
3966 out_file_type);
3969 }
3971 /* Set up to print packet information. */
3977 }
3978 }
3980 }
3982 #ifdef _WIN32
3983 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
3986 /* Catch SIGINT and SIGTERM and, if we get either of them,
3987 clean up and exit. If SIGHUP isn't being ignored, catch
3988 it too and, if we get it, clean up and exit.
3990 We restart any read that was in progress, so that it doesn't
3991 disrupt reading from the sync pipe. The signal handler tells
3992 the capture child to finish; it will report that it finished,
3993 or will exit abnormally, so we'll stop reading from the sync
3994 pipe, pick up the exit status, and quit. */
4007 ws_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4011 max_byte_count,
4019 /* The first pass was interrupted; skip the second pass.
4020 It won't be run, so it won't get an error. */
4023 /*
4024 * If we got a read error on the first pass, we still do the second
4025 * pass, so we can at least process the packets we read, and then
4026 * report the first-pass error after the second pass (and before
4027 * we report any second-pass errors), so all the errors show up
4028 * at the end.
4029 */
4033 max_write_packet_count);
4037 }
4038 }
4040 /* !perform_two_pass_analysis */
4041 ws_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
4047 max_packet_count,
4048 max_byte_count,
4049 max_write_packet_count,
4055 }
4059 /*
4060 * At least one of the passes didn't succeed; either it got a failure
4061 * or it was interrupted.
4062 */
4065 /* At least one of the passes got an error. */
4067 /*
4068 * If we're printing packet data, and the standard output and error
4069 * are going to the same place, flush the standard output, so everything
4070 * buffered up is written, and then print a newline to the standard
4071 * error before printing the error message, to separate it from the
4072 * packet data. (Alas, that only works on UN*X; st_dev is meaningless,
4073 * and the _fstat() documentation at Microsoft doesn't indicate whether
4074 * st_ino is even supported.)
4075 */
4076 #ifndef _WIN32
4085 }
4086 }
4087 }
4088 #endif
4089 }
4090 /* Report status of pass 1 of two-pass processing. */
4094 /* No problem. */
4098 /* Read error. */
4104 /* Won't happen on the first pass. */
4108 /* Not an error, so nothing to report. */
4111 }
4113 /* Report status of pass 2 of two-pass processing or the only pass
4114 of one-pass processing. */
4118 /* No problem. */
4122 /* Read error. */
4128 /* Write error.
4129 XXX - framenum is not necessarily the frame number in
4130 the input file if there was a read filter. */
4137 /* Not an error, so nothing to report. */
4140 }
4141 }
4145 /* XXX: This doesn't work as expected. First, it should be
4146 * moved to between the first and second passes (if doing
4147 * two-pass mode), so that the new NRB appears before packets,
4148 * which is better for subsequent one-pass mode. It never works
4149 * well in one-pass mode.
4150 *
4151 * Second, it only writes hosts that we've done lookups for,
4152 * which means unless packet details are printed (or there's
4153 * a display filter that matches something that will do a host
4154 * lookup, e.g. -Y "ip") it doesn't actually have anything
4155 * in the list to save. Notably, that includes the case of
4156 * "tshark [-2] -H hosts.txt -r <infile> -w <outfile>",
4157 * which a user would certainly expect to dissect packets,
4158 * lookup hostnames, and add them to an NRB for later use.
4159 * A workaround is if "-V > /dev/null" is added, but who
4160 * expects that?
4161 *
4162 * A third issue is that name resolution blocks aren't
4163 * written for live captures.
4164 */
4168 }
4169 }
4170 /* Now close the capture file. */
4174 }
4176 /* We got a write error; it was reported, so just close the dump file
4177 without bothering to check for further errors. */
4181 }
4187 }
4188 }
4189 }
4191 out:
4198 }
4200 static gboolean
4203 {
4204 frame_data fdata;
4206 gboolean passed;
4208 gint64 elapsed_start;
4210 /* Count this packet. */
4213 /* If we're not running a display filter and we're not printing any
4214 packet information, we don't need to do a dissection. This means
4215 that all packets can be marked as 'passed'. */
4220 /* If we're going to print packet information, or we're going to
4221 run a read filter, or we're going to process taps, set up to
4222 do a dissection and do so. (This is the one and only pass
4223 over the packets, so, if we'll be printing packet information
4224 or running taps, we'll be doing it here.) */
4226 /* If we're running a filter, prime the epan_dissect_t with that
4227 filter. */
4231 /* This is the first and only pass, so prime the epan_dissect_t
4232 with the hfids postdissectors want on the first pass. */
4238 /* The PDML spec requires a 'geninfo' pseudo-protocol that needs
4239 * information from our 'frame' protocol.
4240 */
4244 }
4246 /* We only need the columns if either
4247 1) some tap or filter needs the columns
4248 or
4249 2) we're printing packet info but we're *not* verbose; in verbose
4250 mode, we print the protocol tree, not the protocol summary.
4251 or
4252 3) there is a column mapped as an individual field */
4253 if ((tap_listeners_require_columns()) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields) || dfilter_requires_columns(cf->dfcode))
4255 else
4263 }
4268 }
4270 /* epan_dissect_run (and epan_dissect_reset) unref the block.
4271 * We need it later, e.g. in order to copy the options. */
4279 /* Run the filter if we have it. */
4284 }
4285 }
4290 /* Process this packet. */
4292 /* We're printing packet information; print the information for
4293 this packet. */
4297 /* If we're doing "line-buffering", flush the standard output
4298 after every packet. See the comment above, for the "-l"
4299 option, for an explanation of why we do that. */
4306 }
4307 }
4309 /* this must be set after print_packet() [bug #8160] */
4312 }
4321 }
4323 }
4325 static gboolean
4327 {
4336 else
4355 }
4356 }
4360 {
4367 ;
4375 }
4376 }
4378 }
4382 {
4385 }
4389 {
4396 }
4400 {
4408 }
4410 static gboolean
4412 {
4431 /* Skip columns not marked as visible. */
4496 }
4499 /*
4500 * This isn't the last column, so we need to print a
4501 * separator between this column and the next.
4502 *
4503 * If we printed a network source and are printing a
4504 * network destination of the same type next, separate
4505 * them with a UTF-8 right arrow; if we printed a network
4506 * destination and are printing a network source of the same
4507 * type next, separate them with a UTF-8 left arrow;
4508 * otherwise separate them with a space.
4509 *
4510 * We add enough space to the buffer for " \xe2\x86\x90 "
4511 * or " \xe2\x86\x92 ", even if we're only adding " ".
4512 */
4524 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4533 }
4544 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4553 }
4564 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
4573 }
4584 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4593 }
4604 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4613 }
4624 snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
4633 }
4640 }
4641 }
4642 }
4645 return print_line_color(print_stream, 0, line_bufp, &color_filter->fg_color, &color_filter->bg_color);
4646 else
4648 }
4650 static gboolean
4652 {
4654 /* Just fill in the columns. */
4657 /* Print summary columns and/or protocol tree */
4670 }
4671 }
4678 }
4683 }
4688 /*No non-verbose "fields" format */
4690 }
4695 }
4705 }
4715 }
4725 }
4731 }
4736 }
4738 }
4740 static gboolean
4742 {
4751 else
4770 }
4771 }
4773 void
4775 {
4782 }
4783 /* We have no file open... */
4785 /* If it's a temporary file, remove it. */
4790 }
4792 /* We have no file open. */
4794 }
4796 cf_status_t
4797 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4798 {
4806 /* The open succeeded. Fill in the information for this file. */
4811 /* Set the file name because we need it to set the follow stream filter.
4812 XXX - is that still true? We need it for other reasons, though,
4813 in any case. */
4816 /* Indicate whether it's a permanent or temporary file. */
4819 /* No user changes yet. */
4835 /* Create new epan session for dissection. */
4845 fail:
4848 }
4850 static void
4852 {
4860 #ifdef EDQUOT
4865 #endif
4868 /*
4869 * This almost certainly means "the next program after us in
4870 * the pipeline exited before we were finished writing", so
4871 * this isn't a real error, it just means we're done. (We
4872 * don't get SIGPIPE because libwireshark ignores SIGPIPE
4873 * to avoid getting killed if writing to the MaxMind process
4874 * gets SIGPIPE because that process died.)
4875 *
4876 * Presumably either that program exited deliberately (for
4877 * example, "head -N" read N lines and printed them), in
4878 * which case there's no error to report, or it terminated
4879 * due to an error or a signal, in which case *that's* the
4880 * error and that error has been reported.
4881 */
4885 #ifdef _WIN32
4887 /*
4888 * XXX - on Windows, a write to a pipe where the read side
4889 * has been closed apparently may return the Windows error
4890 * ERROR_BROKEN_PIPE, which the Visual Studio C library maps
4891 * to EPIPE, or may return the Windows error ERROR_NO_DATA,
4892 * which the Visual Studio C library maps to EINVAL.
4893 *
4894 * Either of those almost certainly means "the next program
4895 * after us in the pipeline exited before we were finished
4896 * writing", so, if _doserrno is ERROR_NO_DATA, this isn't
4897 * a real error, it just means we're done. (Windows doesn't
4898 * SIGPIPE.)
4899 *
4900 * Presumably either that program exited deliberately (for
4901 * example, "head -N" read N lines and printed them), in
4902 * which case there's no error to report, or it terminated
4903 * due to an error or a signal, in which case *that's* the
4904 * error and that error has been reported.
4905 */
4907 }
4909 /*
4910 * It's a different error; report it, but with the error
4911 * message for _doserrno, which will give more detail
4912 * than just "Invalid argument".
4913 */
4916 #else
4919 #endif
4921 }
4922 }
4924 /*
4925 * Report an error in command-line arguments.
4926 */
4927 static void
4929 {
4933 }
4935 /*
4936 * Report additional information for an error in command-line arguments.
4937 */
4938 static void
4940 {
4943 }
4945 static void
4947 {
4959 }