TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags
[wireshark-sm.git] / epan / print.c
blob94d689111dcdd52cdf9c7634e299a3b61054a216
1 /* print.c
2 * Routines for printing packet analysis trees.
4 * Gilbert Ramirez <gram@alumni.rice.edu>
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
13 #include "config.h"
15 #include <stdio.h>
16 #include <string.h>
18 #include <epan/epan.h>
19 #include <epan/epan_dissect.h>
20 #include <epan/to_str.h>
21 #include <epan/to_str.h>
22 #include <epan/expert.h>
23 #include <epan/column.h>
24 #include <epan/column-info.h>
25 #include <epan/color_filters.h>
26 #include <epan/dfilter/dfilter.h>
27 #include <epan/prefs.h>
28 #include <epan/print.h>
29 #include <epan/charsets.h>
30 #include <wsutil/array.h>
31 #include <wsutil/json_dumper.h>
32 #include <wsutil/filesystem.h>
33 #include <wsutil/utf8_entities.h>
34 #include <wsutil/str_util.h>
35 #include <wsutil/ws_assert.h>
36 #include <ftypes/ftypes.h>
38 #define PDML_VERSION "0"
39 #define PSML_VERSION "0"
41 typedef struct {
42 int level;
43 print_stream_t *stream;
44 bool success;
45 GSList *src_list;
46 print_dissections_e print_dissections;
47 bool print_hex_for_data;
48 packet_char_enc encoding;
49 GHashTable *output_only_tables; /* output only these protocols */
50 } print_data;
52 typedef struct {
53 int level;
54 FILE *fh;
55 GSList *src_list;
56 wmem_map_t *filter;
57 } write_pdml_data;
59 typedef struct {
60 GSList *src_list;
61 wmem_map_t *filter;
62 bool print_hex;
63 bool print_text;
64 proto_node_children_grouper_func node_children_grouper;
65 json_dumper *dumper;
66 } write_json_data;
68 typedef struct {
69 output_fields_t *fields;
70 epan_dissect_t *edt;
71 } write_field_data_t;
73 struct _output_fields {
74 bool print_bom;
75 bool print_header;
76 char separator;
77 char occurrence;
78 char aggregator;
79 GPtrArray *fields;
80 GPtrArray *field_dfilters;
81 GHashTable *field_indicies;
82 GPtrArray **field_values;
83 wmem_map_t *protocolfilter;
84 char quote;
85 bool escape;
86 bool includes_col_fields;
89 static char *get_field_hex_value(GSList *src_list, field_info *fi);
90 static void proto_tree_print_node(proto_node *node, void *data);
91 static void proto_tree_write_node_pdml(proto_node *node, void *data);
92 static void proto_tree_write_node_ek(proto_node *node, write_json_data *data);
93 static const uint8_t *get_field_data(GSList *src_list, field_info *fi);
94 static void pdml_write_field_hex_value(write_pdml_data *pdata, field_info *fi);
95 static void json_write_field_hex_value(write_json_data *pdata, field_info *fi);
96 static bool print_hex_data_buffer(print_stream_t *stream, const unsigned char *cp,
97 unsigned length, packet_char_enc encoding,
98 unsigned hexdump_options);
99 static void write_specified_fields(fields_format format,
100 output_fields_t *fields,
101 epan_dissect_t *edt, column_info *cinfo,
102 FILE *fh,
103 json_dumper *dumper);
104 static void print_escaped_xml(FILE *fh, const char *unescaped_string);
105 static void print_escaped_csv(FILE *fh, const char *unescaped_string, char delimiter, char quote_char, bool escape_wsp);
107 typedef void (*proto_node_value_writer)(proto_node *, write_json_data *);
108 static void write_json_index(json_dumper *dumper, epan_dissect_t *edt);
109 static void write_json_proto_node_list(GSList *proto_node_list_head, write_json_data *data);
110 static void write_json_proto_node(GSList *node_values_head,
111 const char *suffix,
112 proto_node_value_writer value_writer,
113 write_json_data *data);
114 static void write_json_proto_node_value_list(GSList *node_values_head,
115 proto_node_value_writer value_writer,
116 write_json_data *data);
117 static void write_json_proto_node_filtered(proto_node *node, write_json_data *data);
118 static void write_json_proto_node_hex_dump(proto_node *node, write_json_data *data);
119 static void write_json_proto_node_dynamic(proto_node *node, write_json_data *data);
120 static void write_json_proto_node_children(proto_node *node, write_json_data *data);
121 static void write_json_proto_node_value(proto_node *node, write_json_data *data);
122 static void write_json_proto_node_no_value(proto_node *node, write_json_data *data);
123 static const char *proto_node_to_json_key(proto_node *node);
125 static void print_pdml_geninfo(epan_dissect_t *edt, FILE *fh);
126 static void write_ek_summary(column_info *cinfo, write_json_data *pdata);
128 static void proto_tree_get_node_field_values(proto_node *node, void *data);
130 /* Cache the protocols and field handles that the print functionality needs
131 This helps break explicit dependency on the dissectors. */
132 static int proto_data;
133 static int proto_frame;
135 void print_cache_field_handles(void)
137 proto_data = proto_get_id_by_short_name("Data");
138 proto_frame = proto_get_id_by_short_name("Frame");
141 bool
142 proto_tree_print(print_dissections_e print_dissections, bool print_hex,
143 epan_dissect_t *edt, GHashTable *output_only_tables,
144 print_stream_t *stream)
146 print_data data;
148 /* Create the output */
149 data.level = 0;
150 data.stream = stream;
151 data.success = true;
152 data.src_list = edt->pi.data_src;
153 data.encoding = (packet_char_enc)edt->pi.fd->encoding;
154 data.print_dissections = print_dissections;
155 /* If we're printing the entire packet in hex, don't
156 print uninterpreted data fields in hex as well. */
157 data.print_hex_for_data = !print_hex;
158 data.output_only_tables = output_only_tables;
160 proto_tree_children_foreach(edt->tree, proto_tree_print_node, &data);
161 return data.success;
164 /* Print a tree's data, and any child nodes. */
165 static void
166 proto_tree_print_node(proto_node *node, void *data)
168 field_info *fi = PNODE_FINFO(node);
169 print_data *pdata = (print_data*) data;
170 const uint8_t *pd;
171 char label_str[ITEM_LABEL_LENGTH];
172 char *label_ptr;
174 /* dissection with an invisible proto tree? */
175 ws_assert(fi);
177 /* Don't print invisible entries. */
178 if (proto_item_is_hidden(node) && (prefs.display_hidden_proto_items == false))
179 return;
181 /* Give up if we've already gotten an error. */
182 if (!pdata->success)
183 return;
185 /* was a free format label produced? */
186 if (fi->rep) {
187 label_ptr = fi->rep->representation;
189 else { /* no, make a generic label */
190 label_ptr = label_str;
191 proto_item_fill_label(fi, label_str, NULL);
194 if (proto_item_is_generated(node))
195 label_ptr = g_strconcat("[", label_ptr, "]", NULL);
197 pdata->success = print_line(pdata->stream, pdata->level, label_ptr);
199 if (proto_item_is_generated(node))
200 g_free(label_ptr);
202 if (!pdata->success)
203 return;
206 * If -O is specified, only display the protocols which are in the
207 * lookup table. Only check on the first level: once we start printing
208 * a tree, print the rest of the subtree. Otherwise we won't print
209 * subitems whose abbreviation doesn't match the protocol--for example
210 * text items (whose abbreviation is simply "text").
212 if ((pdata->output_only_tables != NULL) && (pdata->level == 0)
213 && (g_hash_table_lookup(pdata->output_only_tables, fi->hfinfo->abbrev) == NULL)) {
214 return;
217 /* If it's uninterpreted data, dump it (unless our caller will
218 be printing the entire packet in hex). */
219 if ((fi->hfinfo->id == proto_data) && (pdata->print_hex_for_data)) {
221 * Find the data for this field.
223 pd = get_field_data(pdata->src_list, fi);
224 if (pd) {
225 if (!print_line(pdata->stream, 0, "")) {
226 pdata->success = false;
227 return;
229 if (!print_hex_data_buffer(pdata->stream, pd,
230 fi->length, pdata->encoding, HEXDUMP_ASCII_INCLUDE)) {
231 pdata->success = false;
232 return;
237 /* If we're printing all levels, or if this node is one with a
238 subtree and its subtree is expanded, recurse into the subtree,
239 if it exists. */
240 ws_assert((fi->tree_type >= -1) && (fi->tree_type < num_tree_types));
241 if ((pdata->print_dissections == print_dissections_expanded) ||
242 ((pdata->print_dissections == print_dissections_as_displayed) &&
243 (fi->tree_type >= 0) && tree_expanded(fi->tree_type))) {
244 if (node->first_child != NULL) {
245 pdata->level++;
246 proto_tree_children_foreach(node,
247 proto_tree_print_node, pdata);
248 pdata->level--;
249 if (!pdata->success)
250 return;
255 #define PDML2HTML_XSL "pdml2html.xsl"
256 #define PDML2HTML_URL "https://gitlab.com/wireshark/wireshark/-/tree/master/resources/share/doc/wireshark/"
257 void
258 write_pdml_preamble(FILE *fh, const char *filename)
260 time_t t = time(NULL);
261 struct tm * timeinfo;
262 char *fmt_ts;
263 const char *ts;
265 /* Create the output */
266 timeinfo = localtime(&t);
267 if (timeinfo != NULL) {
268 fmt_ts = asctime(timeinfo);
269 fmt_ts[strlen(fmt_ts)-1] = 0; /* overwrite \n */
270 ts = fmt_ts;
271 } else
272 ts = "Not representable";
274 fprintf(fh, "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n");
275 fprintf(fh, "<?xml-stylesheet type=\"text/xsl\" href=\"" PDML2HTML_XSL "\"?>\n");
276 fprintf(fh, "<!-- You can find " PDML2HTML_XSL " in %s or at "PDML2HTML_URL PDML2HTML_XSL ". -->\n", get_doc_dir());
277 fprintf(fh, "<pdml version=\"" PDML_VERSION "\" creator=\"%s/%s\" time=\"%s\" capture_file=\"", PACKAGE, VERSION, ts);
278 if (filename) {
279 /* \todo filename should be converted to UTF-8. */
280 print_escaped_xml(fh, filename);
282 fprintf(fh, "\">\n");
285 /* Check if the str matches the protocolfilter.
287 * @param[in] protocolfilter a map of field abbreviations that pass the filter
288 * to the flags for that field, or NULL if no filter (so all fields pass)
289 * @param[in] str the field abbreviation to lookup in the map.
290 * @param[out] flags if not NULL, gets set to the value in the map for
291 * the given key if found (undefined if return is false.)
292 * @return true if the filter passes the string, false if the filter
293 * filters out the string.
295 static bool check_protocolfilter(wmem_map_t *protocolfilter, const char *str, pf_flags *flags)
297 bool res = false;
298 void *value;
300 if (protocolfilter == NULL) {
301 if (flags) {
302 *flags = PF_NONE;
304 return true;
307 if (str == NULL) {
308 return false;
311 res = wmem_map_lookup_extended(protocolfilter, str, NULL, &value);
312 if (res && flags) {
313 *flags = GPOINTER_TO_UINT(value);
315 return res;
318 void
319 write_pdml_proto_tree(output_fields_t* fields, epan_dissect_t *edt, column_info *cinfo, FILE *fh, bool use_color)
321 write_pdml_data data;
322 const color_filter_t *cfp;
324 ws_assert(edt);
325 ws_assert(fh);
327 cfp = edt->pi.fd->color_filter;
329 /* Create the output */
330 if (use_color && (cfp != NULL)) {
331 fprintf(fh, "<packet foreground='#%06x' background='#%06x'>\n",
332 color_t_to_rgb(&cfp->fg_color),
333 color_t_to_rgb(&cfp->bg_color));
334 } else {
335 fprintf(fh, "<packet>\n");
338 /* Print a "geninfo" protocol as required by PDML */
339 print_pdml_geninfo(edt, fh);
341 if (fields == NULL || fields->fields == NULL) {
342 /* Write out all fields */
343 data.level = 0;
344 data.fh = fh;
345 data.src_list = edt->pi.data_src;
346 data.filter = fields ? fields->protocolfilter : NULL;
348 proto_tree_children_foreach(edt->tree, proto_tree_write_node_pdml,
349 &data);
350 } else {
351 /* Write out specified fields */
352 write_specified_fields(FORMAT_XML, fields, edt, cinfo, fh, NULL);
355 fprintf(fh, "</packet>\n\n");
358 void
359 write_ek_proto_tree(output_fields_t* fields,
360 bool print_summary, bool print_hex,
361 epan_dissect_t *edt,
362 column_info *cinfo,
363 FILE *fh)
365 ws_assert(edt);
366 ws_assert(fh);
368 write_json_data data;
370 json_dumper dumper = {
371 .output_file = fh,
372 .flags = JSON_DUMPER_DOT_TO_UNDERSCORE
375 data.dumper = &dumper;
377 json_dumper_begin_object(&dumper);
378 json_dumper_set_member_name(&dumper, "index");
379 json_dumper_begin_object(&dumper);
380 write_json_index(&dumper, edt);
381 json_dumper_set_member_name(&dumper, "_type");
382 json_dumper_value_string(&dumper, "doc");
383 json_dumper_end_object(&dumper);
384 json_dumper_end_object(&dumper);
385 json_dumper_finish(&dumper);
386 json_dumper_begin_object(&dumper);
388 /* Timestamp added for time indexing in Elasticsearch */
389 json_dumper_set_member_name(&dumper, "timestamp");
390 json_dumper_value_anyf(&dumper, "\"%" PRIu64 "%03d\"", (uint64_t)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000);
392 if (print_summary)
393 write_ek_summary(edt->pi.cinfo, &data);
395 if (edt->tree) {
396 json_dumper_set_member_name(&dumper, "layers");
397 json_dumper_begin_object(&dumper);
399 if (fields == NULL || fields->fields == NULL) {
400 /* Write out all fields */
401 data.src_list = edt->pi.data_src;
402 data.filter = fields ? fields->protocolfilter : NULL;
403 data.print_hex = print_hex;
404 proto_tree_write_node_ek(edt->tree, &data);
405 } else {
406 /* Write out specified fields */
407 write_specified_fields(FORMAT_EK, fields, edt, cinfo, NULL, data.dumper);
410 json_dumper_end_object(&dumper);
412 json_dumper_end_object(&dumper);
413 json_dumper_finish(&dumper);
416 void
417 write_fields_proto_tree(output_fields_t* fields, epan_dissect_t *edt, column_info *cinfo, FILE *fh)
419 ws_assert(edt);
420 ws_assert(fh);
422 /* Create the output */
423 write_specified_fields(FORMAT_CSV, fields, edt, cinfo, fh, NULL);
426 /* Indent to the correct level */
427 static void print_indent(int level, FILE *fh)
429 /* Use a buffer pre-filled with spaces */
430 #define MAX_INDENT 2048
431 static char spaces[MAX_INDENT];
432 static bool inited = false;
433 if (!inited) {
434 for (int n=0; n < MAX_INDENT; n++) {
435 spaces[n] = ' ';
437 inited = true;
440 if (fh == NULL) {
441 return;
444 /* Temp terminate at right length and write to fh. */
445 spaces[MIN(level*2, MAX_INDENT-1)] ='\0';
446 fputs(spaces, fh);
447 spaces[MIN(level*2, MAX_INDENT-1)] =' ';
450 /* Write out a tree's data, and any child nodes, as PDML */
451 static void
452 proto_tree_write_node_pdml(proto_node *node, void *data)
454 field_info *fi = PNODE_FINFO(node);
455 write_pdml_data *pdata = (write_pdml_data*) data;
456 const char *label_ptr;
457 char label_str[ITEM_LABEL_LENGTH];
458 char *dfilter_string;
459 bool wrap_in_fake_protocol;
461 /* dissection with an invisible proto tree? */
462 ws_assert(fi);
464 /* Will wrap up top-level field items inside a fake protocol wrapper to
465 preserve the PDML schema */
466 wrap_in_fake_protocol =
467 (((fi->hfinfo->type != FT_PROTOCOL) ||
468 (fi->hfinfo->id == proto_data)) &&
469 (pdata->level == 0));
471 print_indent(pdata->level + 1, pdata->fh);
473 if (wrap_in_fake_protocol) {
474 /* Open fake protocol wrapper */
475 fputs("<proto name=\"fake-field-wrapper\">\n", pdata->fh);
476 pdata->level++;
478 print_indent(pdata->level + 1, pdata->fh);
481 /* Text label. It's printed as a field with no name. */
482 if (fi->hfinfo->id == hf_text_only) {
483 /* Get the text */
484 if (fi->rep) {
485 label_ptr = fi->rep->representation;
486 } else {
487 label_ptr = "";
490 /* Show empty name since it is a required field */
491 fputs("<field name=\"", pdata->fh);
492 fputs("\" show=\"", pdata->fh);
493 print_escaped_xml(pdata->fh, label_ptr);
495 fprintf(pdata->fh, "\" size=\"%d", fi->length);
496 if (node->parent && node->parent->finfo && (fi->start < node->parent->finfo->start)) {
497 fprintf(pdata->fh, "\" pos=\"%d", node->parent->finfo->start + fi->start);
498 } else {
499 fprintf(pdata->fh, "\" pos=\"%d", fi->start);
502 if (fi->length > 0) {
503 fputs("\" value=\"", pdata->fh);
504 pdml_write_field_hex_value(pdata, fi);
507 if (node->first_child != NULL) {
508 fputs("\">\n", pdata->fh);
509 } else {
510 fputs("\"/>\n", pdata->fh);
514 /* Uninterpreted data, i.e., the "Data" protocol, is
515 * printed as a field instead of a protocol. */
516 else if (fi->hfinfo->id == proto_data) {
517 /* Write out field with data */
518 fputs("<field name=\"data\" value=\"", pdata->fh);
519 pdml_write_field_hex_value(pdata, fi);
520 fputs("\">\n", pdata->fh);
521 } else {
522 /* Normal protocols and fields */
523 if ((fi->hfinfo->type == FT_PROTOCOL) && (fi->hfinfo->id != proto_expert)) {
524 fputs("<proto name=\"", pdata->fh);
525 } else {
526 fputs("<field name=\"", pdata->fh);
528 print_escaped_xml(pdata->fh, fi->hfinfo->abbrev);
530 #if 0
531 /* PDML spec, see:
532 * https://wayback.archive.org/web/20150330045501/http://www.nbee.org/doku.php?id=netpdl:pdml_specification
534 * the show fields contains things in 'human readable' format
535 * showname: contains only the name of the field
536 * show: contains only the data of the field
537 * showdtl: contains additional details of the field data
538 * showmap: contains mappings of the field data (e.g. the hostname to an IP address)
540 * XXX - the showname shouldn't contain the field data itself
541 * (like it's contained in the fi->rep->representation).
542 * Unfortunately, we don't have the field data representation for
543 * all fields, so this isn't currently possible */
544 fputs("\" showname=\"", pdata->fh);
545 print_escaped_xml(pdata->fh, fi->hfinfo->name);
546 #endif
548 if (fi->rep) {
549 fputs("\" showname=\"", pdata->fh);
550 print_escaped_xml(pdata->fh, fi->rep->representation);
551 } else {
552 label_ptr = label_str;
553 proto_item_fill_label(fi, label_str, NULL);
554 fputs("\" showname=\"", pdata->fh);
555 print_escaped_xml(pdata->fh, label_ptr);
558 if (proto_item_is_hidden(node) && (prefs.display_hidden_proto_items == false))
559 fprintf(pdata->fh, "\" hide=\"yes");
561 fprintf(pdata->fh, "\" size=\"%d", fi->length);
562 if (node->parent && node->parent->finfo && (fi->start < node->parent->finfo->start)) {
563 fprintf(pdata->fh, "\" pos=\"%d", node->parent->finfo->start + fi->start);
564 } else {
565 fprintf(pdata->fh, "\" pos=\"%d", fi->start);
567 /* fprintf(pdata->fh, "\" id=\"%d", fi->hfinfo->id);*/
569 /* show, value, and unmaskedvalue attributes */
570 switch (fi->hfinfo->type)
572 case FT_PROTOCOL:
573 break;
574 case FT_NONE:
575 fputs("\" show=\"\" value=\"", pdata->fh);
576 break;
577 default:
578 dfilter_string = fvalue_to_string_repr(NULL, fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
579 if (dfilter_string != NULL) {
581 fputs("\" show=\"", pdata->fh);
582 print_escaped_xml(pdata->fh, dfilter_string);
584 wmem_free(NULL, dfilter_string);
587 * XXX - should we omit "value" for any fields?
588 * What should we do for fields whose length is 0?
589 * They might come from a pseudo-header or from
590 * the capture header (e.g., time stamps), or
591 * they might be generated fields.
593 if (fi->length > 0) {
594 fputs("\" value=\"", pdata->fh);
596 if (fi->hfinfo->bitmask!=0) {
597 switch (fvalue_type_ftenum(fi->value)) {
598 case FT_INT8:
599 case FT_INT16:
600 case FT_INT24:
601 case FT_INT32:
602 fprintf(pdata->fh, "%X", (unsigned) fvalue_get_sinteger(fi->value));
603 break;
604 case FT_CHAR:
605 case FT_UINT8:
606 case FT_UINT16:
607 case FT_UINT24:
608 case FT_UINT32:
609 fprintf(pdata->fh, "%X", fvalue_get_uinteger(fi->value));
610 break;
611 case FT_INT40:
612 case FT_INT48:
613 case FT_INT56:
614 case FT_INT64:
615 fprintf(pdata->fh, "%" PRIX64, fvalue_get_sinteger64(fi->value));
616 break;
617 case FT_UINT40:
618 case FT_UINT48:
619 case FT_UINT56:
620 case FT_UINT64:
621 case FT_BOOLEAN:
622 fprintf(pdata->fh, "%" PRIX64, fvalue_get_uinteger64(fi->value));
623 break;
624 default:
625 ws_assert_not_reached();
627 fputs("\" unmaskedvalue=\"", pdata->fh);
628 pdml_write_field_hex_value(pdata, fi);
629 } else {
630 pdml_write_field_hex_value(pdata, fi);
635 if (node->first_child != NULL) {
636 fputs("\">\n", pdata->fh);
637 } else if (fi->hfinfo->id == proto_data) {
638 fputs("\">\n", pdata->fh);
639 } else {
640 fputs("\"/>\n", pdata->fh);
644 /* We print some levels for PDML. Recurse here. */
645 if (node->first_child != NULL) {
646 pf_flags filter_flags = PF_NONE;
647 if (pdata->filter == NULL || check_protocolfilter(pdata->filter, fi->hfinfo->abbrev, &filter_flags)) {
648 wmem_map_t *_filter = NULL;
649 /* Remove protocol filter for children, if children should be included */
650 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
651 _filter = pdata->filter;
652 pdata->filter = NULL;
655 pdata->level++;
656 proto_tree_children_foreach(node,
657 proto_tree_write_node_pdml, pdata);
658 pdata->level--;
660 /* Put protocol filter back */
661 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
662 pdata->filter = _filter;
664 } else {
665 print_indent(pdata->level + 2, pdata->fh);
667 /* print dummy field */
668 fputs("<field name=\"filtered\" value=\"", pdata->fh);
669 print_escaped_xml(pdata->fh, fi->hfinfo->abbrev);
670 fputs("\" />\n", pdata->fh);
674 /* Take back the extra level we added for fake wrapper protocol */
675 if (wrap_in_fake_protocol) {
676 pdata->level--;
679 if (node->first_child != NULL) {
680 print_indent(pdata->level + 1, pdata->fh);
682 /* Close off current element */
683 /* Data and expert "protocols" use simple tags */
684 if ((fi->hfinfo->id != proto_data) && (fi->hfinfo->id != proto_expert)) {
685 if (fi->hfinfo->type == FT_PROTOCOL) {
686 fputs("</proto>\n", pdata->fh);
687 } else {
688 fputs("</field>\n", pdata->fh);
690 } else {
691 fputs("</field>\n", pdata->fh);
695 /* Close off fake wrapper protocol */
696 if (wrap_in_fake_protocol) {
697 print_indent(pdata->level + 1, pdata->fh);
698 fputs("</proto>\n", pdata->fh);
702 json_dumper
703 write_json_preamble(FILE *fh)
705 json_dumper dumper = {
706 .output_file = fh,
707 .flags = JSON_DUMPER_FLAGS_PRETTY_PRINT
709 json_dumper_begin_array(&dumper);
710 return dumper;
713 void
714 write_json_finale(json_dumper *dumper)
716 json_dumper_end_array(dumper);
717 json_dumper_finish(dumper);
720 static void
721 write_json_index(json_dumper *dumper, epan_dissect_t *edt)
723 char ts[30];
724 struct tm * timeinfo;
725 char* str;
727 timeinfo = localtime(&edt->pi.abs_ts.secs);
728 if (timeinfo != NULL) {
729 strftime(ts, sizeof(ts), "%Y-%m-%d", timeinfo);
730 } else {
731 (void) g_strlcpy(ts, "XXXX-XX-XX", sizeof(ts)); /* XXX - better way of saying "Not representable"? */
733 json_dumper_set_member_name(dumper, "_index");
734 str = ws_strdup_printf("packets-%s", ts);
735 json_dumper_value_string(dumper, str);
736 g_free(str);
739 void
740 write_json_proto_tree(output_fields_t* fields,
741 print_dissections_e print_dissections,
742 bool print_hex,
743 epan_dissect_t *edt, column_info *cinfo,
744 proto_node_children_grouper_func node_children_grouper,
745 json_dumper *dumper)
747 write_json_data data;
749 data.dumper = dumper;
751 json_dumper_begin_object(dumper);
752 write_json_index(dumper, edt);
753 json_dumper_set_member_name(dumper, "_type");
754 json_dumper_value_string(dumper, "doc");
755 json_dumper_set_member_name(dumper, "_score");
756 json_dumper_value_string(dumper, NULL);
757 json_dumper_set_member_name(dumper, "_source");
758 json_dumper_begin_object(dumper);
759 json_dumper_set_member_name(dumper, "layers");
761 if (fields == NULL || fields->fields == NULL) {
762 /* Write out all fields */
763 data.src_list = edt->pi.data_src;
764 data.filter = fields ? fields->protocolfilter : NULL;
765 data.print_hex = print_hex;
766 data.print_text = true;
767 if (print_dissections == print_dissections_none) {
768 data.print_text = false;
770 data.node_children_grouper = node_children_grouper;
772 write_json_proto_node_children(edt->tree, &data);
773 } else {
774 write_specified_fields(FORMAT_JSON, fields, edt, cinfo, NULL, dumper);
777 json_dumper_end_object(dumper);
778 json_dumper_end_object(dumper);
782 * Returns a boolean telling us whether that node list contains any node which has children
784 static bool
785 any_has_children(GSList *node_values_list)
787 GSList *current_node = node_values_list;
788 while (current_node != NULL) {
789 proto_node *current_value = (proto_node *) current_node->data;
790 if (current_value->first_child != NULL) {
791 return true;
793 current_node = current_node->next;
795 return false;
799 * Write a json object containing a list of key:value pairs where each key:value pair corresponds to a different json
800 * key and its associated nodes in the proto_tree.
801 * @param proto_node_list_head A 2-dimensional list containing a list of values for each different node json key. The
802 * elements themselves are a linked list of values associated with the same json key.
803 * @param pdata json writing metadata
805 static void
806 write_json_proto_node_list(GSList *proto_node_list_head, write_json_data *pdata)
808 GSList *current_node = proto_node_list_head;
810 json_dumper_begin_object(pdata->dumper);
812 // Loop over each list of nodes (differentiated by json key) and write the associated json key:value pair in the
813 // output.
814 while (current_node != NULL) {
815 // Get the list of values for the current json key.
816 GSList *node_values_list = (GSList *) current_node->data;
818 // Retrieve the json key from the first value.
819 proto_node *first_value = (proto_node *) node_values_list->data;
820 const char *json_key = proto_node_to_json_key(first_value);
821 // Check if the current json key is filtered from the output with the "-j" cli option.
822 pf_flags filter_flags = PF_NONE;
823 bool is_filtered = pdata->filter != NULL && !check_protocolfilter(pdata->filter, json_key, &filter_flags);
825 field_info *fi = first_value->finfo;
826 char *value_string_repr = fvalue_to_string_repr(NULL, fi->value, FTREPR_JSON, fi->hfinfo->display);
827 bool has_children = any_has_children(node_values_list);
829 // We assume all values of a json key have roughly the same layout. Thus we can use the first value to derive
830 // attributes of all the values.
831 bool has_value = value_string_repr != NULL;
832 bool is_pseudo_text_field = fi->hfinfo->id == hf_text_only;
834 wmem_free(NULL, value_string_repr); // fvalue_to_string_repr returns allocated buffer
836 // "-x" command line option. A "_raw" suffix is added to the json key so the textual value can be printed
837 // with the original json key. If both hex and text writing are enabled the raw information of fields whose
838 // length is equal to 0 is not written to the output. If the field is a special text pseudo field no raw
839 // information is written either.
840 if (pdata->print_hex && (!pdata->print_text || fi->length > 0) && !is_pseudo_text_field) {
841 write_json_proto_node(node_values_list, "_raw", write_json_proto_node_hex_dump, pdata);
844 if (pdata->print_text && has_value) {
845 write_json_proto_node(node_values_list, "", write_json_proto_node_value, pdata);
848 if (has_children) {
849 // If a node has both a value and a set of children we print the value and the children in separate
850 // key:value pairs. These can't have the same key so whenever a value is already printed with the node
851 // json key we print the children with the same key with a "_tree" suffix added.
852 char *suffix = has_value ? "_tree": "";
854 if (is_filtered) {
855 write_json_proto_node(node_values_list, suffix, write_json_proto_node_filtered, pdata);
856 } else {
857 // Remove protocol filter for children, if children should be included. This functionality is enabled
858 // with the "-J" command line option. We save the filter so it can be reenabled when we are done with
859 // the current key:value pair.
860 wmem_map_t *_filter = NULL;
861 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
862 _filter = pdata->filter;
863 pdata->filter = NULL;
866 // has_children is true if any of the nodes have children. So we're not 100% sure whether this
867 // particular node has children or not => use the 'dynamic' version of 'write_json_proto_node'
868 write_json_proto_node(node_values_list, suffix, write_json_proto_node_dynamic, pdata);
870 // Put protocol filter back
871 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
872 pdata->filter = _filter;
877 if (!has_value && !has_children && (pdata->print_text || (pdata->print_hex && is_pseudo_text_field))) {
878 write_json_proto_node(node_values_list, "", write_json_proto_node_no_value, pdata);
881 current_node = current_node->next;
883 json_dumper_end_object(pdata->dumper);
887 * Writes a single node as a key:value pair. The value_writer param can be used to specify how the node's value should
888 * be written.
889 * @param node_values_head Linked list containing all nodes associated with the same json key in this object.
890 * @param suffix Suffix that should be added to the json key.
891 * @param value_writer A function which writes the actual values of the node json key.
892 * @param pdata json writing metadata
894 static void
895 write_json_proto_node(GSList *node_values_head,
896 const char *suffix,
897 proto_node_value_writer value_writer,
898 write_json_data *pdata)
900 // Retrieve json key from first value.
901 proto_node *first_value = (proto_node *) node_values_head->data;
902 const char *json_key = proto_node_to_json_key(first_value);
903 char* json_key_suffix = ws_strdup_printf("%s%s", json_key, suffix);
904 json_dumper_set_member_name(pdata->dumper, json_key_suffix);
905 g_free(json_key_suffix);
906 write_json_proto_node_value_list(node_values_head, value_writer, pdata);
910 * Writes a list of values of a single json key. If multiple values are passed they are wrapped in a json array.
911 * @param node_values_head Linked list containing all values that should be written.
912 * @param value_writer Function which writes the separate values.
913 * @param pdata json writing metadata
915 static void
916 write_json_proto_node_value_list(GSList *node_values_head, proto_node_value_writer value_writer, write_json_data *pdata)
918 GSList *current_value = node_values_head;
920 // Write directly if only a single value is passed. Wrap in json array otherwise.
921 if (current_value->next == NULL) {
922 value_writer((proto_node *) current_value->data, pdata);
923 } else {
924 json_dumper_begin_array(pdata->dumper);
926 while (current_value != NULL) {
927 value_writer((proto_node *) current_value->data, pdata);
928 current_value = current_value->next;
930 json_dumper_end_array(pdata->dumper);
935 * Writes the value for a node that's filtered from the output.
937 static void
938 write_json_proto_node_filtered(proto_node *node, write_json_data *pdata)
940 const char *json_key = proto_node_to_json_key(node);
942 json_dumper_begin_object(pdata->dumper);
943 json_dumper_set_member_name(pdata->dumper, "filtered");
944 json_dumper_value_string(pdata->dumper, json_key);
945 json_dumper_end_object(pdata->dumper);
949 * Writes the hex dump of a node. A json array is written containing the hex dump, position, length, bitmask and type of
950 * the node.
952 static void
953 write_json_proto_node_hex_dump(proto_node *node, write_json_data *pdata)
955 field_info *fi = node->finfo;
957 json_dumper_begin_array(pdata->dumper);
959 if (fi->hfinfo->bitmask!=0) {
960 switch (fvalue_type_ftenum(fi->value)) {
961 case FT_INT8:
962 case FT_INT16:
963 case FT_INT24:
964 case FT_INT32:
965 json_dumper_value_anyf(pdata->dumper, "\"%X\"", (unsigned) fvalue_get_sinteger(fi->value));
966 break;
967 case FT_CHAR:
968 case FT_UINT8:
969 case FT_UINT16:
970 case FT_UINT24:
971 case FT_UINT32:
972 json_dumper_value_anyf(pdata->dumper, "\"%X\"", fvalue_get_uinteger(fi->value));
973 break;
974 case FT_INT40:
975 case FT_INT48:
976 case FT_INT56:
977 case FT_INT64:
978 json_dumper_value_anyf(pdata->dumper, "\"%" PRIX64 "\"", fvalue_get_sinteger64(fi->value));
979 break;
980 case FT_UINT40:
981 case FT_UINT48:
982 case FT_UINT56:
983 case FT_UINT64:
984 case FT_BOOLEAN:
985 json_dumper_value_anyf(pdata->dumper, "\"%" PRIX64 "\"", fvalue_get_uinteger64(fi->value));
986 break;
987 default:
988 ws_assert_not_reached();
990 } else {
991 json_write_field_hex_value(pdata, fi);
994 /* Dump raw hex-encoded dissected information including position, length, bitmask, type */
995 json_dumper_value_anyf(pdata->dumper, "%" PRId32, fi->start);
996 json_dumper_value_anyf(pdata->dumper, "%" PRId32, fi->length);
997 json_dumper_value_anyf(pdata->dumper, "%" PRIu64, fi->hfinfo->bitmask);
998 json_dumper_value_anyf(pdata->dumper, "%" PRId32, (int32_t)fvalue_type_ftenum(fi->value));
1000 json_dumper_end_array(pdata->dumper);
1004 * Writes the value of a node, which may be a simple node with no value and no children,
1005 * or a node with children -- this will be determined dynamically
1007 static void
1008 write_json_proto_node_dynamic(proto_node *node, write_json_data *data)
1010 if (node->first_child == NULL) {
1011 write_json_proto_node_no_value(node, data);
1012 } else {
1013 write_json_proto_node_children(node, data);
1018 * Writes the children of a node. Calls write_json_proto_node_list internally which recursively writes children of nodes
1019 * to the output.
1021 static void
1022 write_json_proto_node_children(proto_node *node, write_json_data *data)
1024 GSList *grouped_children_list = data->node_children_grouper(node);
1025 write_json_proto_node_list(grouped_children_list, data);
1026 g_slist_free_full(grouped_children_list, (GDestroyNotify) g_slist_free);
1030 * Writes the value of a node to the output.
1032 static void
1033 write_json_proto_node_value(proto_node *node, write_json_data *pdata)
1035 field_info *fi = node->finfo;
1036 // Get the actual value of the node as a string.
1037 char *value_string_repr = fvalue_to_string_repr(NULL, fi->value, FTREPR_JSON, fi->hfinfo->display);
1039 //TODO: Have FTREPR_JSON include quotes where appropriate and use json_dumper_value_anyf() here,
1040 // so we can output booleans and numbers and not only strings.
1041 json_dumper_value_string(pdata->dumper, value_string_repr);
1043 wmem_free(NULL, value_string_repr);
1047 * Write the value for a node that has no value and no children. This is the empty string for all nodes except those of
1048 * type FT_PROTOCOL for which the full name is written instead.
1050 static void
1051 write_json_proto_node_no_value(proto_node *node, write_json_data *pdata)
1053 field_info *fi = node->finfo;
1055 if (fi->hfinfo->type == FT_PROTOCOL) {
1056 if (fi->rep) {
1057 json_dumper_value_string(pdata->dumper, fi->rep->representation);
1058 } else {
1059 char label_str[ITEM_LABEL_LENGTH];
1060 proto_item_fill_label(fi, label_str, NULL);
1061 json_dumper_value_string(pdata->dumper, label_str);
1063 } else {
1064 json_dumper_value_string(pdata->dumper, "");
1069 * Groups each child of the node separately.
1070 * @return Linked list where each element is another linked list containing a single node.
1072 GSList *
1073 proto_node_group_children_by_unique(proto_node *node) {
1074 GSList *unique_nodes_list = NULL;
1075 proto_node *current_child = node->first_child;
1077 while (current_child != NULL) {
1078 GSList *unique_node = g_slist_prepend(NULL, current_child);
1079 unique_nodes_list = g_slist_prepend(unique_nodes_list, unique_node);
1080 current_child = current_child->next;
1083 return g_slist_reverse(unique_nodes_list);
1087 * Groups the children of a node by their json key. Children are put in the same group if they have the same json key.
1088 * @return Linked list where each element is another linked list of nodes associated with the same json key.
1090 GSList *
1091 proto_node_group_children_by_json_key(proto_node *node)
1094 * For each different json key we store a linked list of values corresponding to that json key. These lists are kept
1095 * in both a linked list and a hashmap. The hashmap is used to quickly retrieve the values of a json key. The linked
1096 * list is used to preserve the ordering of keys as they are encountered which is not guaranteed when only using a
1097 * hashmap.
1099 GSList *same_key_nodes_list = NULL;
1100 GHashTable *lookup_by_json_key = g_hash_table_new(g_str_hash, g_str_equal);
1101 proto_node *current_child = node->first_child;
1104 * For each child of the node get the key and get the list of values already associated with that key from the
1105 * hashmap. If no list exist yet for that key create a new one and add it to both the linked list and hashmap. If a
1106 * list already exists add the node to that list.
1108 while (current_child != NULL) {
1109 char *json_key = (char *) proto_node_to_json_key(current_child);
1110 GSList *json_key_nodes = (GSList *) g_hash_table_lookup(lookup_by_json_key, json_key);
1112 if (json_key_nodes == NULL) {
1113 json_key_nodes = g_slist_append(json_key_nodes, current_child);
1114 // Prepending in single linked list is O(1), appending is O(n). Better to prepend here and reverse at the
1115 // end than potentially looping to the end of the linked list for each child.
1116 same_key_nodes_list = g_slist_prepend(same_key_nodes_list, json_key_nodes);
1117 g_hash_table_insert(lookup_by_json_key, json_key, json_key_nodes);
1118 } else {
1119 // Store and insert value again to circumvent unused_variable warning.
1120 // Append in this case since most value lists will only have a single value.
1121 json_key_nodes = g_slist_append(json_key_nodes, current_child);
1122 g_hash_table_insert(lookup_by_json_key, json_key, json_key_nodes);
1125 current_child = current_child->next;
1128 // Hash table is not needed anymore since the linked list with the correct ordering is returned.
1129 g_hash_table_destroy(lookup_by_json_key);
1131 return g_slist_reverse(same_key_nodes_list);
1135 * Returns the json key of a node. Tries to use the node's abbreviated name.
1136 * If the abbreviated name is not available the representation is used instead.
1138 * XXX: The representation can have spaces or differ depending on the content,
1139 * which makes it difficult to match text-only fields with a -j/-J filter in tshark.
1140 * (Issue #17125).
1142 static const char *
1143 proto_node_to_json_key(proto_node *node)
1145 const char *json_key;
1146 // Check if node has abbreviated name.
1147 if (node->finfo->hfinfo->id != hf_text_only) {
1148 json_key = node->finfo->hfinfo->abbrev;
1149 } else if (node->finfo->rep != NULL) {
1150 json_key = node->finfo->rep->representation;
1151 } else {
1152 json_key = "";
1155 return json_key;
1158 static bool
1159 ek_check_protocolfilter(wmem_map_t *protocolfilter, const char *str, pf_flags *filter_flags)
1161 char *str_escaped = NULL;
1162 bool check;
1163 int i;
1165 if (check_protocolfilter(protocolfilter, str, filter_flags))
1166 return true;
1168 /* to to thread the '.' and '_' equally. The '.' is replace by print_escaped_ek for '_' */
1169 if (str != NULL && strlen(str) > 0) {
1170 str_escaped = g_strdup(str);
1172 i = 0;
1173 while (str_escaped[i] != '\0') {
1174 if (str_escaped[i] == '.') {
1175 str_escaped[i] = '_';
1177 i++;
1181 check = check_protocolfilter(protocolfilter, str_escaped, filter_flags);
1182 g_free(str_escaped);
1183 return check;
1187 * Finds a node's descendants to be printed as EK/JSON attributes.
1189 static void
1190 write_ek_summary(column_info *cinfo, write_json_data* pdata)
1192 int i;
1194 for (i = 0; i < cinfo->num_cols; i++) {
1195 if (!get_column_visible(i))
1196 continue;
1197 json_dumper_set_member_name(pdata->dumper, g_ascii_strdown(cinfo->columns[i].col_title, -1));
1198 json_dumper_value_string(pdata->dumper, get_column_text(cinfo, i));
1202 /* Write out a tree's data, and any child nodes, as JSON for EK */
1203 static void
1204 // NOLINTNEXTLINE(misc-no-recursion)
1205 ek_fill_attr(proto_node *node, GHashTable *attr_table, write_json_data *pdata)
1207 field_info *fi = NULL;
1208 GSList *attr_instances = NULL;
1210 proto_node *current_node = node->first_child;
1211 while (current_node != NULL) {
1212 fi = PNODE_FINFO(current_node);
1214 /* dissection with an invisible proto tree? */
1215 ws_assert(fi);
1217 attr_instances = (GSList *) g_hash_table_lookup(attr_table, fi->hfinfo->abbrev);
1218 attr_instances = g_slist_append(attr_instances, current_node);
1219 // Update instance list for this attr in hash table
1220 g_hash_table_insert(attr_table, g_strdup(fi->hfinfo->abbrev), attr_instances);
1222 /* Field, recurse through children*/
1223 if (fi->hfinfo->type != FT_PROTOCOL && current_node->first_child != NULL) {
1224 if (pdata->filter != NULL) {
1225 pf_flags filter_flags = PF_NONE;
1226 if (ek_check_protocolfilter(pdata->filter, fi->hfinfo->abbrev, &filter_flags)) {
1227 wmem_map_t *_filter = NULL;
1228 /* Remove protocol filter for children, if children should be included */
1229 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
1230 _filter = pdata->filter;
1231 pdata->filter = NULL;
1234 // We recurse here, but we're limited by our tree depth checks in proto.c
1235 ek_fill_attr(current_node, attr_table, pdata);
1237 /* Put protocol filter back */
1238 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
1239 pdata->filter = _filter;
1241 } else {
1242 // Don't traverse children if filtered out
1244 } else {
1245 // We recurse here, but we're limited by our tree depth checks in proto.c
1246 ek_fill_attr(current_node, attr_table, pdata);
1248 } else {
1249 // Will descend into object at another point
1252 current_node = current_node->next;
1256 static void
1257 ek_write_name(proto_node *pnode, char* suffix, write_json_data* pdata)
1259 field_info *fi = PNODE_FINFO(pnode);
1260 char *str;
1262 if (fi->hfinfo->parent != -1) {
1263 header_field_info* parent = proto_registrar_get_nth(fi->hfinfo->parent);
1264 str = ws_strdup_printf("%s_%s%s", parent->abbrev, fi->hfinfo->abbrev, suffix ? suffix : "");
1265 json_dumper_set_member_name(pdata->dumper, str);
1266 } else {
1267 str = ws_strdup_printf("%s%s", fi->hfinfo->abbrev, suffix ? suffix : "");
1268 json_dumper_set_member_name(pdata->dumper, str);
1270 g_free(str);
1273 static void
1274 ek_write_hex(field_info *fi, write_json_data *pdata)
1276 if (fi->hfinfo->bitmask != 0) {
1277 switch (fvalue_type_ftenum(fi->value)) {
1278 case FT_INT8:
1279 case FT_INT16:
1280 case FT_INT24:
1281 case FT_INT32:
1282 json_dumper_value_anyf(pdata->dumper, "\"%X\"", (unsigned) fvalue_get_sinteger(fi->value));
1283 break;
1284 case FT_CHAR:
1285 case FT_UINT8:
1286 case FT_UINT16:
1287 case FT_UINT24:
1288 case FT_UINT32:
1289 json_dumper_value_anyf(pdata->dumper, "\"%X\"", fvalue_get_uinteger(fi->value));
1290 break;
1291 case FT_INT40:
1292 case FT_INT48:
1293 case FT_INT56:
1294 case FT_INT64:
1295 json_dumper_value_anyf(pdata->dumper, "\"%" PRIX64 "\"", fvalue_get_sinteger64(fi->value));
1296 break;
1297 case FT_UINT40:
1298 case FT_UINT48:
1299 case FT_UINT56:
1300 case FT_UINT64:
1301 case FT_BOOLEAN:
1302 json_dumper_value_anyf(pdata->dumper, "\"%" PRIX64 "\"", fvalue_get_uinteger64(fi->value));
1303 break;
1304 default:
1305 ws_assert_not_reached();
1307 } else {
1308 json_write_field_hex_value(pdata, fi);
1312 static void
1313 ek_write_field_value(field_info *fi, write_json_data* pdata)
1315 char label_str[ITEM_LABEL_LENGTH];
1316 char *dfilter_string;
1317 char time_buf[NSTIME_ISO8601_BUFSIZE];
1318 size_t time_len;
1320 /* Text label */
1321 if (fi->hfinfo->id == hf_text_only && fi->rep) {
1322 json_dumper_value_string(pdata->dumper, fi->rep->representation);
1323 } else {
1324 /* show, value, and unmaskedvalue attributes */
1325 switch(fi->hfinfo->type) {
1326 case FT_PROTOCOL:
1327 if (fi->rep) {
1328 json_dumper_value_string(pdata->dumper, fi->rep->representation);
1330 else {
1331 proto_item_fill_label(fi, label_str, NULL);
1332 json_dumper_value_string(pdata->dumper, label_str);
1334 break;
1335 case FT_NONE:
1336 json_dumper_value_string(pdata->dumper, NULL);
1337 break;
1338 case FT_BOOLEAN:
1339 if (fvalue_get_uinteger64(fi->value))
1340 json_dumper_value_anyf(pdata->dumper, "true");
1341 else
1342 json_dumper_value_anyf(pdata->dumper, "false");
1343 break;
1344 case FT_ABSOLUTE_TIME:
1345 time_len = nstime_to_iso8601(time_buf, sizeof(time_buf), fvalue_get_time(fi->value));
1346 if (time_len != 0) {
1347 json_dumper_value_anyf(pdata->dumper, "\"%s\"", time_buf);
1348 } else {
1349 json_dumper_value_anyf(pdata->dumper, "\"Not representable\"");
1351 break;
1352 default:
1353 dfilter_string = fvalue_to_string_repr(NULL, fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
1354 if (dfilter_string != NULL) {
1355 json_dumper_value_string(pdata->dumper, dfilter_string);
1357 wmem_free(NULL, dfilter_string);
1358 break;
1363 static void
1364 ek_write_attr_hex(GSList *attr_instances, write_json_data *pdata)
1366 GSList *current_node = attr_instances;
1367 proto_node *pnode = (proto_node *) current_node->data;
1368 field_info *fi = NULL;
1370 // Raw name
1371 ek_write_name(pnode, "_raw", pdata);
1373 if (g_slist_length(attr_instances) > 1) {
1374 json_dumper_begin_array(pdata->dumper);
1377 // Raw value(s)
1378 while (current_node != NULL) {
1379 pnode = (proto_node *) current_node->data;
1380 fi = PNODE_FINFO(pnode);
1382 ek_write_hex(fi, pdata);
1384 current_node = current_node->next;
1387 if (g_slist_length(attr_instances) > 1) {
1388 json_dumper_end_array(pdata->dumper);
1392 static void
1393 // NOLINTNEXTLINE(misc-no-recursion)
1394 ek_write_attr(GSList *attr_instances, write_json_data *pdata)
1396 GSList *current_node = attr_instances;
1397 proto_node *pnode = (proto_node *) current_node->data;
1398 field_info *fi = PNODE_FINFO(pnode);
1399 pf_flags filter_flags = PF_NONE;
1401 // Hex dump -x
1402 if (pdata->print_hex && fi && fi->length > 0 && fi->hfinfo->id != hf_text_only) {
1403 ek_write_attr_hex(attr_instances, pdata);
1406 // Print attr name
1407 ek_write_name(pnode, NULL, pdata);
1409 if (g_slist_length(attr_instances) > 1) {
1410 json_dumper_begin_array(pdata->dumper);
1413 while (current_node != NULL) {
1414 pnode = (proto_node *) current_node->data;
1415 fi = PNODE_FINFO(pnode);
1417 /* Field */
1418 if (fi->hfinfo->type != FT_PROTOCOL) {
1419 if (pdata->filter != NULL
1420 && !ek_check_protocolfilter(pdata->filter, fi->hfinfo->abbrev, &filter_flags)) {
1422 /* print dummy field */
1423 json_dumper_begin_object(pdata->dumper);
1424 json_dumper_set_member_name(pdata->dumper, "filtered");
1425 json_dumper_value_string(pdata->dumper, fi->hfinfo->abbrev);
1426 json_dumper_end_object(pdata->dumper);
1427 } else {
1428 ek_write_field_value(fi, pdata);
1430 } else {
1431 /* Object */
1432 json_dumper_begin_object(pdata->dumper);
1434 if (pdata->filter != NULL) {
1435 if (ek_check_protocolfilter(pdata->filter, fi->hfinfo->abbrev, &filter_flags)) {
1436 wmem_map_t *_filter = NULL;
1437 /* Remove protocol filter for children, if children should be included */
1438 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
1439 _filter = pdata->filter;
1440 pdata->filter = NULL;
1443 proto_tree_write_node_ek(pnode, pdata);
1445 /* Put protocol filter back */
1446 if ((filter_flags&PF_INCLUDE_CHILDREN) == PF_INCLUDE_CHILDREN) {
1447 pdata->filter = _filter;
1449 } else {
1450 /* print dummy field */
1451 json_dumper_set_member_name(pdata->dumper, "filtered");
1452 json_dumper_value_string(pdata->dumper, fi->hfinfo->abbrev);
1454 } else {
1455 proto_tree_write_node_ek(pnode, pdata);
1458 json_dumper_end_object(pdata->dumper);
1461 current_node = current_node->next;
1464 if (g_slist_length(attr_instances) > 1) {
1465 json_dumper_end_array(pdata->dumper);
1469 // NOLINTNEXTLINE(misc-no-recursion)
1470 void process_ek_attrs(gpointer key _U_, gpointer value, gpointer pdata)
1472 GSList *attr_instances = (GSList *) value;
1473 ek_write_attr(attr_instances, pdata);
1476 /* Write out a tree's data, and any child nodes, as JSON for EK */
1477 static void
1478 // NOLINTNEXTLINE(misc-no-recursion)
1479 proto_tree_write_node_ek(proto_node *node, write_json_data *pdata)
1481 GHashTable *attr_table = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL);
1482 GHashTableIter iter;
1483 gpointer key, value;
1484 ek_fill_attr(node, attr_table, pdata);
1486 // Print attributes
1487 g_hash_table_iter_init(&iter, attr_table);
1488 while (g_hash_table_iter_next (&iter, &key, &value)) {
1489 process_ek_attrs(key, value, pdata);
1490 g_hash_table_iter_remove(&iter);
1491 /* We lookup a list in the table, append to it, and re-insert it; as
1492 * g_slist_append() can change the start pointer of the list we can't
1493 * just append to the list without replacing the old value. In turn,
1494 * that means we can't set the value_destroy_func when creating
1495 * the hash table, because on re-insertion that would destroy the
1496 * nodes of the old list, which are still being used by the new list.
1497 * So free it here.
1499 g_slist_free((GSList*)value);
1501 g_hash_table_destroy(attr_table);
1504 /* Print info for a 'geninfo' pseudo-protocol. This is required by
1505 * the PDML spec. The information is contained in Wireshark's 'frame' protocol,
1506 * but we produce a 'geninfo' protocol in the PDML to conform to spec.
1507 * The 'frame' protocol follows the 'geninfo' protocol in the PDML. */
1508 static void
1509 print_pdml_geninfo(epan_dissect_t *edt, FILE *fh)
1511 uint32_t num, len, caplen;
1512 GPtrArray *finfo_array;
1513 field_info *frame_finfo;
1514 char *tmp;
1516 /* Get frame protocol's finfo. */
1517 finfo_array = proto_find_first_finfo(edt->tree, proto_frame);
1518 if (g_ptr_array_len(finfo_array) < 1) {
1519 return;
1521 frame_finfo = (field_info *)finfo_array->pdata[0];
1522 g_ptr_array_free(finfo_array, true);
1524 /* frame.number, packet_info.num */
1525 num = edt->pi.num;
1527 /* frame.frame_len, packet_info.frame_data->pkt_len */
1528 len = edt->pi.fd->pkt_len;
1530 /* frame.cap_len --> packet_info.frame_data->cap_len */
1531 caplen = edt->pi.fd->cap_len;
1533 /* Print geninfo start */
1534 fprintf(fh,
1535 " <proto name=\"geninfo\" pos=\"0\" showname=\"General information\" size=\"%d\">\n",
1536 frame_finfo->length);
1538 /* Print geninfo.num */
1539 fprintf(fh,
1540 " <field name=\"num\" pos=\"0\" show=\"%u\" showname=\"Number\" value=\"%x\" size=\"%d\"/>\n",
1541 num, num, frame_finfo->length);
1543 /* Print geninfo.len */
1544 fprintf(fh,
1545 " <field name=\"len\" pos=\"0\" show=\"%u\" showname=\"Frame Length\" value=\"%x\" size=\"%d\"/>\n",
1546 len, len, frame_finfo->length);
1548 /* Print geninfo.caplen */
1549 fprintf(fh,
1550 " <field name=\"caplen\" pos=\"0\" show=\"%u\" showname=\"Captured Length\" value=\"%x\" size=\"%d\"/>\n",
1551 caplen, caplen, frame_finfo->length);
1553 tmp = abs_time_to_str(NULL, &edt->pi.abs_ts, ABSOLUTE_TIME_LOCAL, true);
1555 /* Print geninfo.timestamp */
1556 fprintf(fh,
1557 " <field name=\"timestamp\" pos=\"0\" show=\"%s\" showname=\"Captured Time\" value=\"%d.%09d\" size=\"%d\"/>\n",
1558 tmp, (int)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs, frame_finfo->length);
1560 wmem_free(NULL, tmp);
1562 /* Print geninfo end */
1563 fprintf(fh,
1564 " </proto>\n");
1567 void
1568 write_pdml_finale(FILE *fh)
1570 fputs("</pdml>\n", fh);
1573 void
1574 write_psml_preamble(column_info *cinfo, FILE *fh)
1576 int i;
1578 fprintf(fh, "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n");
1579 fprintf(fh, "<psml version=\"" PSML_VERSION "\" creator=\"%s/%s\">\n", PACKAGE, VERSION);
1580 fprintf(fh, "<structure>\n");
1582 for (i = 0; i < cinfo->num_cols; i++) {
1583 if (!get_column_visible(i))
1584 continue;
1585 fprintf(fh, "<section>");
1586 print_escaped_xml(fh, cinfo->columns[i].col_title);
1587 fprintf(fh, "</section>\n");
1590 fprintf(fh, "</structure>\n\n");
1593 void
1594 write_psml_columns(epan_dissect_t *edt, FILE *fh, bool use_color)
1596 int i;
1597 const color_filter_t *cfp = edt->pi.fd->color_filter;
1599 if (use_color && (cfp != NULL)) {
1600 fprintf(fh, "<packet foreground='#%06x' background='#%06x'>\n",
1601 color_t_to_rgb(&cfp->fg_color),
1602 color_t_to_rgb(&cfp->bg_color));
1603 } else {
1604 fprintf(fh, "<packet>\n");
1607 for (i = 0; i < edt->pi.cinfo->num_cols; i++) {
1608 if (!get_column_visible(i))
1609 continue;
1610 fprintf(fh, "<section>");
1611 print_escaped_xml(fh, get_column_text(edt->pi.cinfo, i));
1612 fprintf(fh, "</section>\n");
1615 fprintf(fh, "</packet>\n\n");
1618 void
1619 write_psml_finale(FILE *fh)
1621 fputs("</psml>\n", fh);
1624 static char *csv_massage_str(const char *source, const char *exceptions)
1626 char *csv_str;
1627 char *tmp_str;
1629 /* In general, our output for any field can contain Unicode characters,
1630 so g_strescape (which escapes any non-ASCII) is the wrong thing to do.
1631 Unfortunately glib doesn't appear to provide g_unicode_strescape()... */
1632 csv_str = g_strescape(source, exceptions);
1633 tmp_str = csv_str;
1634 /* Locate the UTF-8 right arrow character and replace it by an ASCII equivalent */
1635 while ( (tmp_str = strstr(tmp_str, UTF8_RIGHTWARDS_ARROW)) != NULL ) {
1636 tmp_str[0] = ' ';
1637 tmp_str[1] = '>';
1638 tmp_str[2] = ' ';
1640 tmp_str = csv_str;
1641 while ( (tmp_str = strstr(tmp_str, "\\\"")) != NULL )
1642 *tmp_str = '\"';
1643 return csv_str;
1646 static void csv_write_str(const char *str, char sep, FILE *fh, bool print_separator)
1648 char *csv_str;
1650 /* Do not escape the UTF-8 right arrow character */
1651 csv_str = csv_massage_str(str, UTF8_RIGHTWARDS_ARROW);
1652 if (print_separator) {
1653 fprintf(fh, "%c\"%s\"", sep, csv_str);
1654 } else {
1655 fprintf(fh, "\"%s\"", csv_str);
1657 g_free(csv_str);
1660 void
1661 write_csv_column_titles(column_info *cinfo, FILE *fh)
1663 int i;
1664 bool print_separator = false;
1665 // Avoid printing separator for first column
1667 for (i = 0; i < cinfo->num_cols; i++) {
1668 if (!get_column_visible(i))
1669 continue;
1670 csv_write_str(cinfo->columns[i].col_title, ',', fh, print_separator);
1671 print_separator = true;
1673 if (print_separator) { // Only add line break if anything was output
1674 fprintf(fh, "\n");
1678 void
1679 write_csv_columns(epan_dissect_t *edt, FILE *fh)
1681 int i;
1682 bool print_separator = false;
1683 // Avoid printing separator for first column
1685 for (i = 0; i < edt->pi.cinfo->num_cols; i++) {
1686 if (!get_column_visible(i))
1687 continue;
1688 csv_write_str(get_column_text(edt->pi.cinfo, i), ',', fh, print_separator);
1689 print_separator = true;
1691 if (print_separator) { // Only add line break if anything was output
1692 fprintf(fh, "\n");
1696 void
1697 write_carrays_hex_data(uint32_t num, FILE *fh, epan_dissect_t *edt)
1699 uint32_t i = 0, src_num = 0;
1700 GSList *src_le;
1701 tvbuff_t *tvb;
1702 char *name;
1703 const unsigned char *cp;
1704 unsigned length;
1705 char ascii[9];
1706 struct data_source *src;
1708 for (src_le = edt->pi.data_src; src_le != NULL; src_le = src_le->next) {
1709 memset(ascii, 0, sizeof(ascii));
1710 src = (struct data_source *)src_le->data;
1711 tvb = get_data_source_tvb(src);
1712 length = tvb_captured_length(tvb);
1713 if (length == 0)
1714 continue;
1716 cp = tvb_get_ptr(tvb, 0, length);
1718 name = get_data_source_name(src);
1719 if (name) {
1720 fprintf(fh, "// %s\n", name);
1721 wmem_free(NULL, name);
1723 if (src_num) {
1724 fprintf(fh, "static const unsigned char pkt%u_%u[%u] = {\n",
1725 num, src_num, length);
1726 } else {
1727 fprintf(fh, "static const unsigned char pkt%u[%u] = {\n",
1728 num, length);
1730 src_num++;
1732 for (i = 0; i < length; i++) {
1733 fprintf(fh, "0x%02x", *(cp + i));
1734 ascii[i % 8] = g_ascii_isprint(*(cp + i)) ? *(cp + i) : '.';
1736 if (i == (length - 1)) {
1737 unsigned rem;
1738 rem = length % 8;
1739 if (rem) {
1740 unsigned j;
1741 for ( j = 0; j < 8 - rem; j++ )
1742 fprintf(fh, " ");
1744 fprintf(fh, " // |%s|\n};\n\n", ascii);
1745 break;
1748 if (!((i + 1) % 8)) {
1749 fprintf(fh, ", // |%s|\n", ascii);
1750 memset(ascii, 0, sizeof(ascii));
1751 } else {
1752 fprintf(fh, ", ");
1759 * Find the data source for a specified field, and return a pointer
1760 * to the data in it. Returns NULL if the data is out of bounds.
1762 /* XXX: What am I missing ?
1763 * Why bother searching for fi->ds_tvb for the matching tvb
1764 * in the data_source list ?
1765 * IOW: Why not just use fi->ds_tvb for the arg to tvb_get_ptr() ?
1768 static const uint8_t *
1769 get_field_data(GSList *src_list, field_info *fi)
1771 GSList *src_le;
1772 tvbuff_t *src_tvb;
1773 int length, tvbuff_length;
1774 struct data_source *src;
1776 for (src_le = src_list; src_le != NULL; src_le = src_le->next) {
1777 src = (struct data_source *)src_le->data;
1778 src_tvb = get_data_source_tvb(src);
1779 if (fi->ds_tvb == src_tvb) {
1781 * Found it.
1783 * XXX - a field can have a length that runs past
1784 * the end of the tvbuff. Ideally, that should
1785 * be fixed when adding an item to the protocol
1786 * tree, but checking the length when doing
1787 * that could be expensive. Until we fix that,
1788 * we'll do the check here.
1790 tvbuff_length = tvb_captured_length_remaining(src_tvb,
1791 fi->start);
1792 if (tvbuff_length < 0) {
1793 return NULL;
1795 length = fi->length;
1796 if (length > tvbuff_length)
1797 length = tvbuff_length;
1798 return tvb_get_ptr(src_tvb, fi->start, length);
1801 return NULL; /* not found */
1804 /* Print a string, escaping out certain characters that need to
1805 * escaped out for XML. */
1806 static void
1807 print_escaped_xml(FILE *fh, const char *unescaped_string)
1809 const char *p;
1811 #define ESCAPED_BUFFER_SIZE 256
1812 #define ESCAPED_BUFFER_LIMIT (ESCAPED_BUFFER_SIZE - (int)sizeof("&quot;"))
1813 static char temp_buffer[ESCAPED_BUFFER_SIZE];
1814 int offset = 0;
1816 if (fh == NULL || unescaped_string == NULL) {
1817 return;
1820 /* XXX: Why not use xml_escape() from epan/strutil.h ? */
1821 for (p = unescaped_string; *p != '\0' && (offset <= ESCAPED_BUFFER_LIMIT); p++) {
1822 switch (*p) {
1823 case '&':
1824 (void) g_strlcpy(&temp_buffer[offset], "&amp;", ESCAPED_BUFFER_SIZE-offset);
1825 offset += 5;
1826 break;
1827 case '<':
1828 (void) g_strlcpy(&temp_buffer[offset], "&lt;", ESCAPED_BUFFER_SIZE-offset);
1829 offset += 4;
1830 break;
1831 case '>':
1832 (void) g_strlcpy(&temp_buffer[offset], "&gt;", ESCAPED_BUFFER_SIZE-offset);
1833 offset += 4;
1834 break;
1835 case '"':
1836 (void) g_strlcpy(&temp_buffer[offset], "&quot;", ESCAPED_BUFFER_SIZE-offset);
1837 offset += 6;
1838 break;
1839 case '\'':
1840 (void) g_strlcpy(&temp_buffer[offset], "&#x27;", ESCAPED_BUFFER_SIZE-offset);
1841 offset += 6;
1842 break;
1843 case '\t':
1844 case '\n':
1845 case '\r':
1846 temp_buffer[offset++] = *p;
1847 break;
1848 default:
1849 /* XML 1.0 doesn't allow ASCII control characters, except
1850 * for the three whitespace ones above (which do *not*
1851 * include '\v' and '\f', so not the same group as isspace),
1852 * even as character references.
1853 * There's no official way to escape them, so we'll do this. */
1854 if (g_ascii_iscntrl(*p)) {
1855 offset += snprintf(&temp_buffer[offset], ESCAPED_BUFFER_SIZE-offset, "\\x%x", (uint8_t)*p);
1856 } else {
1857 /* Just copy character */
1858 temp_buffer[offset++] = *p;
1861 if (offset > ESCAPED_BUFFER_LIMIT) {
1862 /* Getting close to end of buffer so flush to fh */
1863 temp_buffer[offset] = '\0';
1864 fputs(temp_buffer, fh);
1865 offset = 0;
1868 if (offset) {
1869 /* Flush any outstanding data */
1870 temp_buffer[offset] = '\0';
1871 fputs(temp_buffer, fh);
1875 static void
1876 print_escaped_csv(FILE *fh, const char *unescaped_string, char delimiter, char quote_char, bool escape_wsp)
1878 if (fh == NULL || unescaped_string == NULL) {
1879 return;
1882 /* XXX: What about the field aggregator? Should that be escaped?
1883 * Should there be an "escape all non-printable" option?
1884 * (Instead of or in addition to escape wsp?)
1885 * Should there be a "escape all non ASCII?" option, similar
1886 * to the Wireshark output?
1888 char *escaped_string;
1889 if (quote_char == '\0') {
1890 /* Not quoting, so we must escape the delimiter */
1891 escaped_string = ws_escape_csv(NULL, unescaped_string, false, delimiter, false, escape_wsp);
1892 } else {
1893 escaped_string = ws_escape_csv(NULL, unescaped_string, true, quote_char, true, escape_wsp);
1895 fputs(escaped_string, fh);
1896 wmem_free(NULL, escaped_string);
1899 static void
1900 pdml_write_field_hex_value(write_pdml_data *pdata, field_info *fi)
1902 int i;
1903 const uint8_t *pd;
1905 if (!fi->ds_tvb)
1906 return;
1908 if (fi->length > tvb_captured_length_remaining(fi->ds_tvb, fi->start)) {
1909 fprintf(pdata->fh, "field length invalid!");
1910 return;
1913 /* Find the data for this field. */
1914 pd = get_field_data(pdata->src_list, fi);
1916 if (pd) {
1917 /* Used fixed buffer where can, otherwise temp malloc */
1918 static char str_static[513];
1919 char *str = str_static;
1920 char* str_heap = NULL;
1921 if (fi->length > 256) {
1922 str_heap = (char*)g_malloc(fi->length*2 + 1); /* no need to zero */
1923 str = str_heap;
1926 static const char hex[] = "0123456789abcdef";
1928 /* Print a simple hex dump */
1929 for (i = 0 ; i < fi->length; i++) {
1930 str[2*i] = hex[pd[i] >> 4];
1931 str[2*i+1] = hex[pd[i] & 0xf];
1933 str[2 * fi->length] = '\0';
1934 fputs(str, pdata->fh);
1935 g_free(str_heap); /* harmless/fast if NULL */
1939 static void
1940 json_write_field_hex_value(write_json_data *pdata, field_info *fi)
1942 const uint8_t *pd;
1944 if (!fi->ds_tvb)
1945 return;
1947 if (fi->length > tvb_captured_length_remaining(fi->ds_tvb, fi->start)) {
1948 json_dumper_value_string(pdata->dumper, "field length invalid!");
1949 return;
1952 /* Find the data for this field. */
1953 pd = get_field_data(pdata->src_list, fi);
1955 if (pd) {
1956 int i;
1957 char* str = (char*)g_malloc(fi->length*2 + 1); /* no need to zero */
1958 static const char hex[] = "0123456789abcdef";
1959 /* Print a simple hex dump */
1960 for (i = 0; i < fi->length; i++) {
1961 uint8_t c = pd[i];
1962 str[2 * i] = hex[c >> 4];
1963 str[2 * i + 1] = hex[c & 0xf];
1965 str[2 * fi->length] = '\0';
1966 json_dumper_value_string(pdata->dumper, str);
1967 g_free(str);
1968 } else {
1969 json_dumper_value_string(pdata->dumper, "");
1973 bool
1974 print_hex_data(print_stream_t *stream, epan_dissect_t *edt, unsigned hexdump_options)
1976 bool multiple_sources;
1977 GSList *src_le;
1978 tvbuff_t *tvb;
1979 char *line, *name;
1980 const unsigned char *cp;
1981 unsigned length;
1982 struct data_source *src;
1985 * Set "multiple_sources" iff this frame has more than one
1986 * data source; if it does, we need to print the name of
1987 * the data source before printing the data from the
1988 * data source.
1990 multiple_sources = (edt->pi.data_src->next != NULL);
1992 for (src_le = edt->pi.data_src; src_le != NULL;
1993 src_le = src_le->next) {
1994 src = (struct data_source *)src_le->data;
1995 tvb = get_data_source_tvb(src);
1996 if (multiple_sources && (HEXDUMP_SOURCE_OPTION(hexdump_options) == HEXDUMP_SOURCE_MULTI)) {
1997 name = get_data_source_name(src);
1998 line = ws_strdup_printf("%s:", name);
1999 wmem_free(NULL, name);
2000 print_line(stream, 0, line);
2001 g_free(line);
2003 length = tvb_captured_length(tvb);
2004 if (length == 0)
2005 return true;
2006 cp = tvb_get_ptr(tvb, 0, length);
2007 if (!print_hex_data_buffer(stream, cp, length,
2008 (packet_char_enc)edt->pi.fd->encoding,
2009 HEXDUMP_ASCII_OPTION(hexdump_options)))
2010 return false;
2011 if (HEXDUMP_SOURCE_OPTION(hexdump_options) == HEXDUMP_SOURCE_PRIMARY) {
2012 return true;
2015 return true;
2018 static bool print_hex_data_line(void *stream, const char *line)
2020 return print_line(stream, 0, line);
2023 static bool print_hex_data_buffer(print_stream_t *stream, const unsigned char *cp,
2024 unsigned length, packet_char_enc encoding,
2025 unsigned hexdump_options)
2027 return hex_dump_buffer(print_hex_data_line, stream, cp, length,
2028 encoding == PACKET_CHAR_ENC_CHAR_EBCDIC ? HEXDUMP_ENC_EBCDIC : HEXDUMP_ENC_ASCII,
2029 hexdump_options);
2032 size_t output_fields_num_fields(output_fields_t* fields)
2034 ws_assert(fields);
2036 if (NULL == fields->fields) {
2037 return 0;
2038 } else {
2039 return fields->fields->len;
2043 void output_fields_free(output_fields_t* fields)
2045 ws_assert(fields);
2047 if (NULL != fields->fields) {
2048 size_t i;
2050 if (NULL != fields->field_indicies) {
2051 /* Keys are stored in fields->fields, values are
2052 * integers.
2054 g_hash_table_destroy(fields->field_indicies);
2057 if (NULL != fields->field_dfilters) {
2058 g_ptr_array_unref(fields->field_dfilters);
2061 if (NULL != fields->field_values) {
2062 g_free(fields->field_values);
2065 for (i = 0; i < fields->fields->len; ++i) {
2066 char* field = (char *)g_ptr_array_index(fields->fields,i);
2067 g_free(field);
2069 g_ptr_array_free(fields->fields, true);
2072 g_free(fields);
2075 void output_fields_add(output_fields_t *fields, const char *field)
2077 char *field_copy;
2079 ws_assert(fields);
2080 ws_assert(field);
2083 if (NULL == fields->fields) {
2084 fields->fields = g_ptr_array_new();
2087 field_copy = g_strdup(field);
2089 g_ptr_array_add(fields->fields, field_copy);
2091 /* See if we have a column as a field entry */
2092 if (!strncmp(field, COLUMN_FIELD_FILTER, strlen(COLUMN_FIELD_FILTER)))
2093 fields->includes_col_fields = true;
2098 * Returns true if the field did not exist yet (or existed with the same
2099 * filter_flags value), false if the field was in the protocolfilter with
2100 * a different flag.
2102 bool
2103 output_fields_add_protocolfilter(output_fields_t* fields, const char* field, pf_flags filter_flags)
2105 void* value;
2106 bool ret = true;
2107 if (!fields->protocolfilter) {
2108 fields->protocolfilter = wmem_map_new(wmem_epan_scope(), wmem_str_hash, g_str_equal);
2110 if (wmem_map_lookup_extended(fields->protocolfilter, field, NULL, &value)) {
2111 if (GPOINTER_TO_UINT(value) != (unsigned)filter_flags) {
2112 ret = false;
2115 wmem_map_insert(fields->protocolfilter, field, GINT_TO_POINTER(filter_flags));
2117 /* See if we have a column as a field entry */
2118 if (!strncmp(field, COLUMN_FIELD_FILTER, strlen(COLUMN_FIELD_FILTER)))
2119 fields->includes_col_fields = true;
2121 return ret;
2124 static void
2125 output_field_check(void *data, void *user_data)
2127 char *field = (char *)data;
2128 GSList **invalid_fields = (GSList **)user_data;
2130 dfilter_t *dfilter;
2131 if (dfilter_compile(field, &dfilter, NULL)) {
2132 dfilter_free(dfilter);
2133 } else {
2134 *invalid_fields = g_slist_prepend(*invalid_fields, field);
2139 static void
2140 output_field_check_protocolfilter(void* key, void* value _U_, void* user_data)
2142 output_field_check(key, user_data);
2145 GSList *
2146 output_fields_valid(output_fields_t *fields)
2148 GSList *invalid_fields = NULL;
2149 if (fields->fields != NULL) {
2150 g_ptr_array_foreach(fields->fields, output_field_check, &invalid_fields);
2153 if (fields->protocolfilter != NULL) {
2154 wmem_map_foreach(fields->protocolfilter, output_field_check_protocolfilter, &invalid_fields);
2157 return invalid_fields;
2160 bool output_fields_set_option(output_fields_t *info, char *option)
2162 const char *option_name;
2163 const char *option_value;
2165 ws_assert(info);
2166 ws_assert(option);
2168 if ('\0' == *option) {
2169 return false; /* this happens if we're called from tshark -E '' */
2171 option_name = strtok(option, "=");
2172 if (!option_name) {
2173 return false;
2175 option_value = option + strlen(option_name) + 1;
2176 if (*option_value == '\0') {
2177 return false;
2180 if (0 == strcmp(option_name, "header")) {
2181 switch (*option_value) {
2182 case 'n':
2183 info->print_header = false;
2184 break;
2185 case 'y':
2186 info->print_header = true;
2187 break;
2188 default:
2189 return false;
2191 return true;
2193 else if (0 == strcmp(option_name, "separator")) {
2194 switch (*option_value) {
2195 case '/':
2196 switch (*++option_value) {
2197 case 't':
2198 info->separator = '\t';
2199 break;
2200 case 's':
2201 info->separator = ' ';
2202 break;
2203 default:
2204 info->separator = '\\';
2206 break;
2207 default:
2208 info->separator = *option_value;
2209 break;
2211 return true;
2213 else if (0 == strcmp(option_name, "occurrence")) {
2214 switch (*option_value) {
2215 case 'f':
2216 case 'l':
2217 case 'a':
2218 info->occurrence = *option_value;
2219 break;
2220 default:
2221 return false;
2223 return true;
2225 else if (0 == strcmp(option_name, "aggregator")) {
2226 switch (*option_value) {
2227 case '/':
2228 switch (*++option_value) {
2229 case 's':
2230 info->aggregator = ' ';
2231 break;
2232 default:
2233 info->aggregator = '\\';
2235 break;
2236 default:
2237 info->aggregator = *option_value;
2238 break;
2240 return true;
2242 else if (0 == strcmp(option_name, "quote")) {
2243 switch (*option_value) {
2244 case 'd':
2245 info->quote = '"';
2246 break;
2247 case 's':
2248 info->quote = '\'';
2249 break;
2250 case 'n':
2251 info->quote = '\0';
2252 break;
2253 default:
2254 info->quote = '\0';
2255 return false;
2257 return true;
2259 else if (0 == strcmp(option_name, "bom")) {
2260 switch (*option_value) {
2261 case 'n':
2262 info->print_bom = false;
2263 break;
2264 case 'y':
2265 info->print_bom = true;
2266 break;
2267 default:
2268 return false;
2270 return true;
2272 else if (0 == strcmp(option_name, "escape")) {
2273 switch (*option_value) {
2274 case 'n':
2275 info->escape = false;
2276 break;
2277 case 'y':
2278 info->escape = true;
2279 break;
2280 default:
2281 return false;
2283 return true;
2286 return false;
2289 void output_fields_list_options(FILE *fh)
2291 fprintf(fh, "TShark: The available options for field output \"E\" are:\n");
2292 fputs("bom=y|n Prepend output with the UTF-8 BOM (def: N: no)\n", fh);
2293 fputs("header=y|n Print field abbreviations as first line of output (def: N: no)\n", fh);
2294 fputs("separator=/t|/s|<character> Set the separator to use;\n \"/t\" = tab, \"/s\" = space (def: /t: tab)\n", fh);
2295 fputs("occurrence=f|l|a Select the occurrence of a field to use;\n \"f\" = first, \"l\" = last, \"a\" = all (def: a: all)\n", fh);
2296 fputs("aggregator=,|/s|<character> Set the aggregator to use;\n \",\" = comma, \"/s\" = space (def: ,: comma)\n", fh);
2297 fputs("quote=d|s|n Print either d: double-quotes, s: single quotes or \n n: no quotes around field values (def: n: none)\n", fh);
2300 bool output_fields_has_cols(output_fields_t* fields)
2302 ws_assert(fields);
2303 return fields->includes_col_fields;
2306 static void
2307 output_field_prime_edt(void *data, void *user_data)
2309 char *field = (char *)data;
2310 epan_dissect_t *edt = (epan_dissect_t*)user_data;
2312 /* Find a hf. Note in tshark we already converted the protocol from
2313 * its alias, if any.
2315 header_field_info *hfinfo = proto_registrar_get_byname(field);
2316 if (hfinfo) {
2317 /* Rewind to the first hf of that name. */
2318 while (hfinfo->same_name_prev_id != -1) {
2319 hfinfo = proto_registrar_get_nth(hfinfo->same_name_prev_id);
2322 /* Prime all hf's with that name. */
2323 while (hfinfo) {
2324 proto_tree_prime_with_hfid_print(edt->tree, hfinfo->id);
2325 hfinfo = hfinfo->same_name_next;
2330 static void
2331 output_field_dfilter_prime_edt(void *data, void *user_data)
2333 dfilter_t *dfilter = (dfilter_t *)data;
2334 epan_dissect_t *edt = (epan_dissect_t*)user_data;
2336 if (dfilter) {
2337 epan_dissect_prime_with_dfilter(edt, dfilter);
2341 static void
2342 dfilter_free_cb(void *data)
2344 dfilter_t *dcode = (dfilter_t*)data;
2346 dfilter_free(dcode);
2349 void output_fields_prime_edt(epan_dissect_t *edt, output_fields_t* fields)
2351 if (fields->fields != NULL) {
2352 g_ptr_array_foreach(fields->fields, output_field_prime_edt, edt);
2354 if (fields->field_dfilters == NULL) {
2355 fields->field_dfilters = g_ptr_array_new_full(fields->fields->len, dfilter_free_cb);
2357 for (size_t i = 0; i < fields->fields->len; ++i) {
2358 char *field = (char *)g_ptr_array_index(fields->fields, i);
2359 dfilter_t *dfilter = NULL;
2361 /* For now, we only compile a filter for complex expressions.
2362 * If it's just a field name, use the previous method.
2364 if (!proto_registrar_get_byname(field)) {
2365 dfilter_compile_full(field, &dfilter, NULL, DF_EXPAND_MACROS|DF_OPTIMIZE|DF_RETURN_VALUES, __func__);
2367 g_ptr_array_add(fields->field_dfilters, dfilter);
2371 g_ptr_array_foreach(fields->field_dfilters, output_field_dfilter_prime_edt, edt);
2375 void write_fields_preamble(output_fields_t* fields, FILE *fh)
2377 size_t i;
2379 ws_assert(fields);
2380 ws_assert(fh);
2381 ws_assert(fields->fields);
2383 if (fields->print_bom) {
2384 fputs(UTF8_BOM, fh);
2388 if (!fields->print_header) {
2389 return;
2392 for(i = 0; i < fields->fields->len; ++i) {
2393 const char* field = (const char *)g_ptr_array_index(fields->fields,i);
2394 if (i != 0 ) {
2395 fputc(fields->separator, fh);
2397 fputs(field, fh);
2399 fputc('\n', fh);
2402 static void format_field_values(output_fields_t* fields, void *field_index, char* value)
2404 unsigned indx;
2405 GPtrArray* fv_p;
2407 if (NULL == value)
2408 return;
2410 /* Unwrap change made to disambiguate zero / null */
2411 indx = GPOINTER_TO_UINT(field_index) - 1;
2413 if (fields->field_values[indx] == NULL) {
2414 fields->field_values[indx] = g_ptr_array_new_with_free_func(g_free);
2417 /* Essentially: fieldvalues[indx] is a 'GPtrArray *' with each array entry */
2418 /* pointing to a string which is (part of) the final output string. */
2420 fv_p = fields->field_values[indx];
2422 switch (fields->occurrence) {
2423 case 'f':
2424 /* print the value of only the first occurrence of the field */
2425 if (g_ptr_array_len(fv_p) != 0) {
2427 * This isn't the first occurrence, so the value won't be used;
2428 * free it.
2430 g_free(value);
2431 return;
2433 break;
2434 case 'l':
2435 /* print the value of only the last occurrence of the field */
2436 if (g_ptr_array_len(fv_p) != 0) {
2438 * This isn't the first occurrence, so there's already a
2439 * value in the array, which won't be used; remove the
2440 * first (only) element in the array (which will free it,
2441 * as we created the GPtrArray with a free func) -
2442 * this value will replace it.
2444 g_ptr_array_set_size(fv_p, 0);
2446 break;
2447 case 'a':
2448 /* print the value of all occurrences of the field */
2449 break;
2450 default:
2451 ws_assert_not_reached();
2452 break;
2455 g_ptr_array_add(fv_p, (void *)value);
2458 static void proto_tree_get_node_field_values(proto_node *node, void *data)
2460 write_field_data_t *call_data;
2461 field_info *fi;
2462 void * field_index;
2464 call_data = (write_field_data_t *)data;
2465 fi = PNODE_FINFO(node);
2467 /* check for a faked item with an invisible tree */
2468 if (fi) {
2469 field_index = g_hash_table_lookup(call_data->fields->field_indicies, fi->hfinfo->abbrev);
2470 if (NULL != field_index) {
2471 format_field_values(call_data->fields, field_index,
2472 get_node_field_value(fi, call_data->edt) /* g_ alloc'd string */
2477 /* Recurse here. */
2478 if (node->first_child != NULL) {
2479 proto_tree_children_foreach(node, proto_tree_get_node_field_values,
2480 call_data);
2484 static void write_specified_fields(fields_format format, output_fields_t *fields, epan_dissect_t *edt, column_info *cinfo _U_, FILE *fh, json_dumper *dumper)
2486 size_t i;
2488 write_field_data_t data;
2490 ws_assert(fields);
2491 ws_assert(fields->fields);
2492 ws_assert(edt);
2493 /* JSON formats must go through json_dumper */
2494 if (format == FORMAT_JSON || format == FORMAT_EK) {
2495 ws_assert(!fh && dumper);
2496 } else {
2497 ws_assert(fh && !dumper);
2500 data.fields = fields;
2501 data.edt = edt;
2503 if (NULL == fields->field_indicies) {
2504 /* Prepare a lookup table from string abbreviation for field to its index. */
2505 fields->field_indicies = g_hash_table_new(g_str_hash, g_str_equal);
2507 i = 0;
2508 while (i < fields->fields->len) {
2509 char *field = (char *)g_ptr_array_index(fields->fields, i);
2510 /* Store field indicies +1 so that zero is not a valid value,
2511 * and can be distinguished from NULL as a pointer.
2513 ++i;
2514 if (proto_registrar_get_byname(field)) {
2515 g_hash_table_insert(fields->field_indicies, field, GUINT_TO_POINTER(i));
2520 /* Array buffer to store values for this packet */
2521 /* Allocate an array for the 'GPtrarray *' the first time */
2522 /* ths function is invoked for a file; */
2523 /* Any and all 'GPtrArray *' are freed (after use) each */
2524 /* time (each packet) this function is invoked for a flle. */
2525 /* XXX: ToDo: use packet-scope'd memory & (if/when implemented) wmem ptr_array */
2526 if (NULL == fields->field_values)
2527 fields->field_values = g_new0(GPtrArray*, fields->fields->len); /* free'd in output_fields_free() */
2529 i = 0;
2530 while(i < fields->fields->len) {
2531 dfilter_t *dfilter = (dfilter_t *)g_ptr_array_index(fields->field_dfilters, i);
2533 /* Match how the field indices are treated. */
2534 ++i;
2536 if (dfilter != NULL) {
2537 GPtrArray *fvals = NULL;
2538 bool passed = dfilter_apply_full(dfilter, edt->tree, &fvals);
2539 char *str;
2540 if (fvals != NULL) {
2541 int len = g_ptr_array_len(fvals);
2542 for (int j = 0; j < len; ++j) {
2543 str = fvalue_to_string_repr(NULL, fvals->pdata[j], FTREPR_DISPLAY, BASE_NONE);
2544 format_field_values(fields, GUINT_TO_POINTER(i), str);
2546 g_ptr_array_unref(fvals);
2547 } else if (passed) {
2548 /* XXX - Should this be "1" (and "0" for !passed) like with
2549 * FT_NONE fields, or a check mark / nothing like the GUI ? */
2550 //str = g_strdup("1");
2551 str = g_strdup(UTF8_CHECK_MARK);
2552 format_field_values(fields, GUINT_TO_POINTER(i), str);
2557 proto_tree_children_foreach(edt->tree, proto_tree_get_node_field_values,
2558 &data);
2560 switch (format) {
2561 case FORMAT_CSV:
2562 for(i = 0; i < fields->fields->len; ++i) {
2563 if (0 != i) {
2564 fputc(fields->separator, fh);
2566 if (NULL != fields->field_values[i]) {
2567 GPtrArray *fv_p;
2568 size_t j;
2569 fv_p = fields->field_values[i];
2571 /* Output the array of (partial) field values */
2572 if (g_ptr_array_len(fv_p) != 0) {
2573 wmem_strbuf_t *buf = wmem_strbuf_new(NULL, g_ptr_array_index(fv_p, 0));
2574 for (j = 1; j < g_ptr_array_len(fv_p); j++ ) {
2575 wmem_strbuf_append_c(buf, fields->aggregator);
2576 wmem_strbuf_append(buf, (char *)g_ptr_array_index(fv_p, j));
2578 print_escaped_csv(fh, wmem_strbuf_get_str(buf), fields->separator, fields->quote, fields->escape);
2579 wmem_strbuf_destroy(buf);
2581 g_ptr_array_free(fv_p, true); /* get ready for the next packet */
2582 fields->field_values[i] = NULL;
2585 break;
2586 case FORMAT_XML:
2587 for(i = 0; i < fields->fields->len; ++i) {
2588 char *field = (char *)g_ptr_array_index(fields->fields, i);
2590 if (NULL != fields->field_values[i]) {
2591 GPtrArray *fv_p;
2592 char * str;
2593 size_t j;
2594 fv_p = fields->field_values[i];
2596 /* Output the array of (partial) field values */
2597 for (j = 0; j < (g_ptr_array_len(fv_p)); j++ ) {
2598 str = (char *)g_ptr_array_index(fv_p, j);
2600 fprintf(fh, " <field name=\"%s\" value=", field);
2601 fputs("\"", fh);
2602 print_escaped_xml(fh, str);
2603 fputs("\"/>\n", fh);
2605 g_ptr_array_free(fv_p, true); /* get ready for the next packet */
2606 fields->field_values[i] = NULL;
2609 break;
2610 case FORMAT_JSON:
2611 json_dumper_begin_object(dumper);
2612 for(i = 0; i < fields->fields->len; ++i) {
2613 char *field = (char *)g_ptr_array_index(fields->fields, i);
2615 if (NULL != fields->field_values[i]) {
2616 GPtrArray *fv_p;
2617 char * str;
2618 size_t j;
2619 fv_p = fields->field_values[i];
2621 json_dumper_set_member_name(dumper, field);
2622 json_dumper_begin_array(dumper);
2624 /* Output the array of (partial) field values */
2625 for (j = 0; j < (g_ptr_array_len(fv_p)); j++ ) {
2626 str = (char *) g_ptr_array_index(fv_p, j);
2627 json_dumper_value_string(dumper, str);
2630 json_dumper_end_array(dumper);
2632 g_ptr_array_free(fv_p, true); /* get ready for the next packet */
2633 fields->field_values[i] = NULL;
2636 json_dumper_end_object(dumper);
2637 break;
2638 case FORMAT_EK:
2639 for(i = 0; i < fields->fields->len; ++i) {
2640 char *field = (char *)g_ptr_array_index(fields->fields, i);
2642 if (NULL != fields->field_values[i]) {
2643 GPtrArray *fv_p;
2644 char * str;
2645 size_t j;
2646 fv_p = fields->field_values[i];
2648 json_dumper_set_member_name(dumper, field);
2649 json_dumper_begin_array(dumper);
2651 /* Output the array of (partial) field values */
2652 for (j = 0; j < (g_ptr_array_len(fv_p)); j++ ) {
2653 str = (char *)g_ptr_array_index(fv_p, j);
2654 json_dumper_value_string(dumper, str);
2657 json_dumper_end_array(dumper);
2659 g_ptr_array_free(fv_p, true); /* get ready for the next packet */
2660 fields->field_values[i] = NULL;
2663 break;
2665 default:
2666 fprintf(stderr, "Unknown fields format %d\n", format);
2667 ws_assert_not_reached();
2668 break;
2672 void write_fields_finale(output_fields_t* fields _U_ , FILE *fh _U_)
2674 /* Nothing to do */
2677 /* Returns an g_malloced string */
2678 char* get_node_field_value(field_info* fi, epan_dissect_t* edt)
2680 if (fi->hfinfo->id == hf_text_only) {
2681 /* Text label.
2682 * Get the text */
2683 if (fi->rep) {
2684 return g_strdup(fi->rep->representation);
2686 else {
2687 return get_field_hex_value(edt->pi.data_src, fi);
2690 else if (fi->hfinfo->id == proto_data) {
2691 /* Uninterpreted data, i.e., the "Data" protocol, is
2692 * printed as a field instead of a protocol. */
2693 return get_field_hex_value(edt->pi.data_src, fi);
2695 else {
2696 /* Normal protocols and fields */
2697 char *dfilter_string;
2699 switch (fi->hfinfo->type)
2701 case FT_PROTOCOL:
2702 /* Print out the full details for the protocol. */
2703 if (fi->rep) {
2704 return g_strdup(fi->rep->representation);
2705 } else {
2706 /* Just print out the protocol abbreviation */
2707 return g_strdup(fi->hfinfo->abbrev);
2709 case FT_NONE:
2710 /* Return "1" so that the presence of a field of type
2711 * FT_NONE can be checked when using -T fields */
2712 return g_strdup("1");
2713 case FT_UINT_BYTES:
2714 case FT_BYTES:
2716 char *ret;
2717 const uint8_t *bytes = fvalue_get_bytes_data(fi->value);
2718 if (bytes) {
2719 dfilter_string = (char *)wmem_alloc(NULL, 3*fvalue_length2(fi->value));
2720 switch (fi->hfinfo->display) {
2721 case SEP_DOT:
2722 ret = bytes_to_hexstr_punct(dfilter_string, bytes, fvalue_length2(fi->value), '.');
2723 break;
2724 case SEP_DASH:
2725 ret = bytes_to_hexstr_punct(dfilter_string, bytes, fvalue_length2(fi->value), '-');
2726 break;
2727 case SEP_COLON:
2728 ret = bytes_to_hexstr_punct(dfilter_string, bytes, fvalue_length2(fi->value), ':');
2729 break;
2730 case SEP_SPACE:
2731 ret = bytes_to_hexstr_punct(dfilter_string, bytes, fvalue_length2(fi->value), ' ');
2732 break;
2733 case BASE_NONE:
2734 default:
2735 ret = bytes_to_hexstr(dfilter_string, bytes, fvalue_length2(fi->value));
2736 break;
2738 *ret = '\0';
2739 ret = g_strdup(dfilter_string);
2740 wmem_free(NULL, dfilter_string);
2741 } else {
2742 if (fi->hfinfo->display & BASE_ALLOW_ZERO) {
2743 ret = g_strdup("<none>");
2744 } else {
2745 ret = g_strdup("<MISSING>");
2748 return ret;
2750 break;
2751 default:
2752 dfilter_string = fvalue_to_string_repr(NULL, fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
2753 if (dfilter_string != NULL) {
2754 char* ret = g_strdup(dfilter_string);
2755 wmem_free(NULL, dfilter_string);
2756 return ret;
2757 } else {
2758 return get_field_hex_value(edt->pi.data_src, fi);
2764 static char*
2765 get_field_hex_value(GSList *src_list, field_info *fi)
2767 const uint8_t *pd;
2769 if (!fi->ds_tvb)
2770 return NULL;
2772 if (fi->length > tvb_captured_length_remaining(fi->ds_tvb, fi->start)) {
2773 return g_strdup("field length invalid!");
2776 /* Find the data for this field. */
2777 pd = get_field_data(src_list, fi);
2779 if (pd) {
2780 int i;
2781 char *buffer;
2782 char *p;
2783 int len;
2784 const int chars_per_byte = 2;
2786 len = chars_per_byte * fi->length;
2787 buffer = (char *)g_malloc(sizeof(char)*(len + 1));
2788 buffer[len] = '\0'; /* Ensure NULL termination in bad cases */
2789 p = buffer;
2790 /* Print a simple hex dump */
2791 for (i = 0 ; i < fi->length; i++) {
2792 snprintf(p, chars_per_byte+1, "%02x", pd[i]);
2793 p += chars_per_byte;
2795 return buffer;
2796 } else {
2797 return NULL;
2801 output_fields_t* output_fields_new(void)
2803 output_fields_t* fields = g_new(output_fields_t, 1);
2804 fields->print_bom = false;
2805 fields->print_header = false;
2806 fields->separator = '\t';
2807 fields->occurrence = 'a';
2808 fields->aggregator = ',';
2809 fields->fields = NULL; /*Do lazy initialisation */
2810 fields->field_dfilters = NULL;
2811 fields->field_indicies = NULL;
2812 fields->field_values = NULL;
2813 fields->protocolfilter = NULL;
2814 fields->quote ='\0';
2815 fields->escape = true;
2816 fields->includes_col_fields = false;
2817 return fields;
2821 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2823 * Local variables:
2824 * c-basic-offset: 4
2825 * tab-width: 8
2826 * indent-tabs-mode: nil
2827 * End:
2829 * vi: set shiftwidth=4 tabstop=8 expandtab:
2830 * :indentSize=4:tabSize=8:noTabs=true: