docs/tshark: proper name is lopsided CamelCase (TShark)
This is a first pass that covers the WSDG, WSUG, man page, a code comment and a README. Plenty left to do in the Debian files, a few Lua examples and other misc files.
This commit is contained in:
parent
98c0b5ad62
commit
a541fcb528
|
@ -3,9 +3,9 @@ tapping with stats_tree
|
||||||
Let's suppose that you want to write a tap only to keep counters, and you
|
Let's suppose that you want to write a tap only to keep counters, and you
|
||||||
don't want to get involved with GUI programming or maybe you'd like to make
|
don't want to get involved with GUI programming or maybe you'd like to make
|
||||||
it a plugin. A stats_tree might be the way to go. The stats_tree module takes
|
it a plugin. A stats_tree might be the way to go. The stats_tree module takes
|
||||||
care of the representation (GUI for Wireshark and text for Tshark) of the
|
care of the representation (GUI for Wireshark and text for TShark) of the
|
||||||
tap data. So there's very little code to write to make a tap listener usable
|
tap data. So there's very little code to write to make a tap listener usable
|
||||||
from both Wireshark and Tshark.
|
from both Wireshark and TShark.
|
||||||
|
|
||||||
First, you should add the TAP to the dissector in question as described in
|
First, you should add the TAP to the dissector in question as described in
|
||||||
README.tapping .
|
README.tapping .
|
||||||
|
|
|
@ -32,7 +32,7 @@ data from a live network, or read packets from a previously saved
|
||||||
capture file, either printing a decoded form of those packets to the
|
capture file, either printing a decoded form of those packets to the
|
||||||
standard output or writing the packets to a file. *TShark*'s native
|
standard output or writing the packets to a file. *TShark*'s native
|
||||||
capture file format is *pcapng* format, which is also the format used
|
capture file format is *pcapng* format, which is also the format used
|
||||||
by *wireshark* and various other tools.
|
by *Wireshark* and various other tools.
|
||||||
|
|
||||||
Without any options set, *TShark* will work much like *tcpdump*. It
|
Without any options set, *TShark* will work much like *tcpdump*. It
|
||||||
will use the pcap library to capture traffic from the first available
|
will use the pcap library to capture traffic from the first available
|
||||||
|
@ -49,7 +49,7 @@ optional gzip, zstd or lz4 compression will be automatically detected. Near the
|
||||||
beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
|
beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
|
||||||
https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
|
https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
|
||||||
description of the way *Wireshark* handles this, which is the same way
|
description of the way *Wireshark* handles this, which is the same way
|
||||||
*Tshark* handles this.
|
*TShark* handles this.
|
||||||
|
|
||||||
Compressed file support uses (and therefore requires) the zlib library.
|
Compressed file support uses (and therefore requires) the zlib library.
|
||||||
If the zlib library is not present when compiling *TShark*, it will be
|
If the zlib library is not present when compiling *TShark*, it will be
|
||||||
|
@ -147,7 +147,7 @@ display of the packet summary or details; this would be used if *-z*
|
||||||
options are specified in order to display statistics, so that only the
|
options are specified in order to display statistics, so that only the
|
||||||
statistics, not the packet information, is displayed.
|
statistics, not the packet information, is displayed.
|
||||||
|
|
||||||
The *-G* option is a special mode that simply causes *Tshark*
|
The *-G* option is a special mode that simply causes *TShark*
|
||||||
to dump one of several types of internal glossaries and then exit.
|
to dump one of several types of internal glossaries and then exit.
|
||||||
|
|
||||||
== OPTIONS
|
== OPTIONS
|
||||||
|
@ -155,7 +155,7 @@ to dump one of several types of internal glossaries and then exit.
|
||||||
-2::
|
-2::
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
Perform a two-pass analysis. This causes tshark to buffer output until the
|
Perform a two-pass analysis. This causes *TShark* to buffer output until the
|
||||||
entire first pass is done, but allows it to fill in fields that require future
|
entire first pass is done, but allows it to fill in fields that require future
|
||||||
knowledge, such as 'response in frame #' fields. Also permits reassembly
|
knowledge, such as 'response in frame #' fields. Also permits reassembly
|
||||||
frame dependencies to be calculated correctly.
|
frame dependencies to be calculated correctly.
|
||||||
|
@ -257,7 +257,7 @@ files of size one megabyte each.
|
||||||
Set capture buffer size (in MiB, default is 2 MiB). This is used by
|
Set capture buffer size (in MiB, default is 2 MiB). This is used by
|
||||||
the capture driver to buffer packet data until that data can be written
|
the capture driver to buffer packet data until that data can be written
|
||||||
to disk. If you encounter packet drops while capturing, try to increase
|
to disk. If you encounter packet drops while capturing, try to increase
|
||||||
this size. Note that, while *Tshark* attempts to set the buffer size
|
this size. Note that, while *TShark* attempts to set the buffer size
|
||||||
to 2 MiB by default, and can be told to set it to a larger value, the
|
to 2 MiB by default, and can be told to set it to a larger value, the
|
||||||
system or interface on which you're capturing might silently limit the
|
system or interface on which you're capturing might silently limit the
|
||||||
capture buffer size to a lower value or raise it to a higher value.
|
capture buffer size to a lower value or raise it to a higher value.
|
||||||
|
@ -330,7 +330,7 @@ the interface name might be a long name or a GUID.
|
||||||
|
|
||||||
Note that "can capture" means that *TShark* was able to open that
|
Note that "can capture" means that *TShark* was able to open that
|
||||||
device to do a live capture. Depending on your system you may need to
|
device to do a live capture. Depending on your system you may need to
|
||||||
run tshark from an account with special privileges (for example, as
|
run *TShark* from an account with special privileges (for example, as
|
||||||
root) to be able to capture network traffic. If *tshark -D* is not run
|
root) to be able to capture network traffic. If *tshark -D* is not run
|
||||||
from such an account, it will not list any interfaces.
|
from such an account, it will not list any interfaces.
|
||||||
--
|
--
|
||||||
|
@ -423,14 +423,14 @@ user's group).
|
||||||
-G [ <report type> ]::
|
-G [ <report type> ]::
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
The *-G* option will cause *Tshark* to dump one of several types of glossaries
|
The *-G* option will cause *TShark* to dump one of several types of glossaries
|
||||||
and then exit. If no specific glossary type is specified, then the *fields*
|
and then exit. If no specific glossary type is specified, then the *fields*
|
||||||
report will be generated by default.
|
report will be generated by default.
|
||||||
Using the report type of *help* lists all the current report types.
|
Using the report type of *help* lists all the current report types.
|
||||||
|
|
||||||
The available report types include:
|
The available report types include:
|
||||||
|
|
||||||
*column-formats* Dumps the column formats understood by tshark.
|
*column-formats* Dumps the column formats understood by *TShark*.
|
||||||
There is one record per line. The fields are tab-delimited.
|
There is one record per line. The fields are tab-delimited.
|
||||||
|
|
||||||
[horizontal]
|
[horizontal]
|
||||||
|
@ -487,7 +487,7 @@ Field 6:: base for display (for integer types); "parent bitfield width" for FT_B
|
||||||
Field 7:: bitmask: format: hex: 0x....
|
Field 7:: bitmask: format: hex: 0x....
|
||||||
Field 8:: blurb describing field
|
Field 8:: blurb describing field
|
||||||
|
|
||||||
*folders* Dumps various folders used by tshark. This is essentially the
|
*folders* Dumps various folders used by *TShark*. This is essentially the
|
||||||
same data reported in Wireshark's About | Folders tab.
|
same data reported in Wireshark's About | Folders tab.
|
||||||
There is one record per line. The fields are tab-delimited.
|
There is one record per line. The fields are tab-delimited.
|
||||||
|
|
||||||
|
@ -495,7 +495,7 @@ There is one record per line. The fields are tab-delimited.
|
||||||
Field 1:: Folder type (e.g "Personal configuration:")
|
Field 1:: Folder type (e.g "Personal configuration:")
|
||||||
Field 2:: Folder location (e.g. "/home/vagrant/.config/wireshark/")
|
Field 2:: Folder location (e.g. "/home/vagrant/.config/wireshark/")
|
||||||
|
|
||||||
*ftypes* Dumps the "ftypes" (fundamental types) understood by tshark.
|
*ftypes* Dumps the "ftypes" (fundamental types) understood by *TShark*.
|
||||||
There is one record per line. The fields are tab-delimited.
|
There is one record per line. The fields are tab-delimited.
|
||||||
|
|
||||||
[horizontal]
|
[horizontal]
|
||||||
|
@ -1010,7 +1010,7 @@ example,
|
||||||
|
|
||||||
will save host name resolution records along with captured packets.
|
will save host name resolution records along with captured packets.
|
||||||
|
|
||||||
Future versions of *Tshark* may automatically change the capture format
|
Future versions of *TShark* may automatically change the capture format
|
||||||
to *pcapng* as needed.
|
to *pcapng* as needed.
|
||||||
|
|
||||||
The argument is a string that may contain the following letter:
|
The argument is a string that may contain the following letter:
|
||||||
|
@ -1231,7 +1231,7 @@ Multiple diameter messages in one frame are supported.
|
||||||
Several fields with same name within one diameter message are supported, e.g.
|
Several fields with same name within one diameter message are supported, e.g.
|
||||||
__diameter.Subscription-Id-Data__ or __diameter.Rating-Group__.
|
__diameter.Subscription-Id-Data__ or __diameter.Rating-Group__.
|
||||||
|
|
||||||
Note: *tshark -q* option is recommended to suppress default *tshark* output.
|
Note: *tshark -q* option is recommended to suppress default *TShark* output.
|
||||||
--
|
--
|
||||||
|
|
||||||
*-z* dns,tree[,__filter__]::
|
*-z* dns,tree[,__filter__]::
|
||||||
|
|
|
@ -404,7 +404,7 @@ stamp type to use while capturing packets. The values reported by
|
||||||
`--list-time-stamp-types` are the values that can be used.
|
`--list-time-stamp-types` are the values that can be used.
|
||||||
|
|
||||||
-X <eXtension option>::
|
-X <eXtension option>::
|
||||||
Specify an option to be passed to a Wireshark/Tshark module. The eXtension
|
Specify an option to be passed to a Wireshark/TShark module. The eXtension
|
||||||
option is in the form extension_key:value, where extension_key can be:
|
option is in the form extension_key:value, where extension_key can be:
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
|
|
|
@ -756,7 +756,7 @@ The btn:[Close] button will, well, close the dialog box.
|
||||||
|
|
||||||
Wireshark provides a variety of options for exporting packet data.
|
Wireshark provides a variety of options for exporting packet data.
|
||||||
This section describes general ways to export data from the main Wireshark application.
|
This section describes general ways to export data from the main Wireshark application.
|
||||||
There are many other ways to export or extract data from capture files, including processing <<AppToolstshark,tshark>> output and customizing Wireshark and tshark using Lua scripts.
|
There are many other ways to export or extract data from capture files, including processing <<AppToolstshark,tshark>> output and customizing Wireshark and TShark using Lua scripts.
|
||||||
|
|
||||||
[[ChIOExportSpecifiedPacketsDialog]]
|
[[ChIOExportSpecifiedPacketsDialog]]
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ WSLUA_CLASS_DEFINE(CaptureInfo,FAIL_ON_NULL_OR_EXPIRED("CaptureInfo"));
|
||||||
A `CaptureInfo` object, passed into Lua as an argument by `FileHandler` callback
|
A `CaptureInfo` object, passed into Lua as an argument by `FileHandler` callback
|
||||||
function `read_open()`, `read()`, `seek_read()`, `seq_read_close()`, and `read_close()`.
|
function `read_open()`, `read()`, `seek_read()`, `seq_read_close()`, and `read_close()`.
|
||||||
This object represents capture file data and meta-data (data about the
|
This object represents capture file data and meta-data (data about the
|
||||||
capture file) being read into Wireshark/Tshark.
|
capture file) being read into Wireshark/TShark.
|
||||||
|
|
||||||
This object's fields can be written-to by Lua during the read-based function callbacks.
|
This object's fields can be written-to by Lua during the read-based function callbacks.
|
||||||
In other words, when the Lua plugin's `FileHandler.read_open()` function is invoked, a
|
In other words, when the Lua plugin's `FileHandler.read_open()` function is invoked, a
|
||||||
|
@ -303,7 +303,7 @@ WSLUA_CLASS_DEFINE(CaptureInfoConst,FAIL_ON_NULL_OR_EXPIRED("CaptureInfoConst"))
|
||||||
function `write_open()`.
|
function `write_open()`.
|
||||||
|
|
||||||
This object represents capture file data and meta-data (data about the
|
This object represents capture file data and meta-data (data about the
|
||||||
capture file) for the current capture in Wireshark/Tshark.
|
capture file) for the current capture in Wireshark/TShark.
|
||||||
|
|
||||||
This object's fields are read-from when used by `write_open` function callback.
|
This object's fields are read-from when used by `write_open` function callback.
|
||||||
In other words, when the Lua plugin's FileHandler `write_open` function is invoked, a
|
In other words, when the Lua plugin's FileHandler `write_open` function is invoked, a
|
||||||
|
|
|
@ -36,7 +36,7 @@ WSLUA_CLASS_DEFINE(File,FAIL_ON_NULL_OR_EXPIRED("File"));
|
||||||
functions (e.g., `read_open`, `read`, `write`, etc.). This behaves similarly to the
|
functions (e.g., `read_open`, `read`, `write`, etc.). This behaves similarly to the
|
||||||
Lua `io` library's `file` object, returned when calling `io.open()`, *except*
|
Lua `io` library's `file` object, returned when calling `io.open()`, *except*
|
||||||
in this case you cannot call `file:close()`, `file:open()`, nor `file:setvbuf()`,
|
in this case you cannot call `file:close()`, `file:open()`, nor `file:setvbuf()`,
|
||||||
since Wireshark/tshark manages the opening and closing of files.
|
since Wireshark/TShark manages the opening and closing of files.
|
||||||
You also cannot use the '`io`' library itself on this object, i.e. you cannot
|
You also cannot use the '`io`' library itself on this object, i.e. you cannot
|
||||||
do `io.read(file, 4)`. Instead, use this `File` with the object-oriented style
|
do `io.read(file, 4)`. Instead, use this `File` with the object-oriented style
|
||||||
calling its methods, i.e. `myfile:read(4)`. (see later example)
|
calling its methods, i.e. `myfile:read(4)`. (see later example)
|
||||||
|
|
|
@ -788,7 +788,7 @@ static gboolean verify_filehandler_complete(FileHandler fh) {
|
||||||
|
|
||||||
|
|
||||||
WSLUA_FUNCTION wslua_register_filehandler(lua_State* L) {
|
WSLUA_FUNCTION wslua_register_filehandler(lua_State* L) {
|
||||||
/* Register the FileHandler into Wireshark/tshark, so they can read/write this new format.
|
/* Register the FileHandler into Wireshark/TShark, so they can read/write this new format.
|
||||||
All functions and settings must be complete before calling this registration function.
|
All functions and settings must be complete before calling this registration function.
|
||||||
This function cannot be called inside the reading/writing callback functions. */
|
This function cannot be called inside the reading/writing callback functions. */
|
||||||
#define WSLUA_ARG_register_filehandler_FILEHANDLER 1 /* the FileHandler object to be registered */
|
#define WSLUA_ARG_register_filehandler_FILEHANDLER 1 /* the FileHandler object to be registered */
|
||||||
|
@ -873,7 +873,7 @@ wslua_deregister_filehandler_work(FileHandler fh)
|
||||||
}
|
}
|
||||||
|
|
||||||
WSLUA_FUNCTION wslua_deregister_filehandler(lua_State* L) {
|
WSLUA_FUNCTION wslua_deregister_filehandler(lua_State* L) {
|
||||||
/* Deregister the FileHandler from Wireshark/tshark, so it no longer gets used for reading/writing/display.
|
/* Deregister the FileHandler from Wireshark/TShark, so it no longer gets used for reading/writing/display.
|
||||||
This function cannot be called inside the reading/writing callback functions. */
|
This function cannot be called inside the reading/writing callback functions. */
|
||||||
#define WSLUA_ARG_register_filehandler_FILEHANDLER 1 /* the FileHandler object to be deregistered */
|
#define WSLUA_ARG_register_filehandler_FILEHANDLER 1 /* the FileHandler object to be deregistered */
|
||||||
FileHandler fh = checkFileHandler(L,WSLUA_ARG_register_filehandler_FILEHANDLER);
|
FileHandler fh = checkFileHandler(L,WSLUA_ARG_register_filehandler_FILEHANDLER);
|
||||||
|
|
|
@ -352,7 +352,7 @@ WSLUA_ATTRIBUTE_FUNC_SETTER(Listener,packet);
|
||||||
|
|
||||||
|
|
||||||
/* WSLUA_ATTRIBUTE Listener_draw WO A function that will be called once every few seconds to redraw the GUI objects;
|
/* WSLUA_ATTRIBUTE Listener_draw WO A function that will be called once every few seconds to redraw the GUI objects;
|
||||||
in Tshark this funtion is called only at the very end of the capture file.
|
in TShark this funtion is called only at the very end of the capture file.
|
||||||
|
|
||||||
When later called by Wireshark, the `draw` function will not be given any arguments.
|
When later called by Wireshark, the `draw` function will not be given any arguments.
|
||||||
|
|
||||||
|
|
|
@ -53,7 +53,7 @@ TreeItem create_TreeItem(proto_tree* tree, proto_item* item)
|
||||||
CLEAR_OUTSTANDING(TreeItem, expired, TRUE)
|
CLEAR_OUTSTANDING(TreeItem, expired, TRUE)
|
||||||
|
|
||||||
WSLUA_CLASS_DEFINE(TreeItem,FAIL_ON_NULL_OR_EXPIRED("TreeItem"));
|
WSLUA_CLASS_DEFINE(TreeItem,FAIL_ON_NULL_OR_EXPIRED("TreeItem"));
|
||||||
/* <lua_class_TreeItem,`TreeItem`>>s represent information in the https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html[packet details] pane of Wireshark, and the packet details view of Tshark.
|
/* <lua_class_TreeItem,`TreeItem`>>s represent information in the https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html[packet details] pane of Wireshark, and the packet details view of TShark.
|
||||||
A <<lua_class_TreeItem,`TreeItem`>> represents a node in the tree, which might also be a subtree and have a list of children.
|
A <<lua_class_TreeItem,`TreeItem`>> represents a node in the tree, which might also be a subtree and have a list of children.
|
||||||
The children of a subtree have zero or more siblings which are other children of the same <<lua_class_TreeItem,`TreeItem`>> subtree.
|
The children of a subtree have zero or more siblings which are other children of the same <<lua_class_TreeItem,`TreeItem`>> subtree.
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ WSLUA_CLASS_DEFINE(TreeItem,FAIL_ON_NULL_OR_EXPIRED("TreeItem"));
|
||||||
|
|
||||||
In some cases the tree is not truly added to, in order to improve performance.
|
In some cases the tree is not truly added to, in order to improve performance.
|
||||||
For example for packets not currently displayed/selected in Wireshark's visible
|
For example for packets not currently displayed/selected in Wireshark's visible
|
||||||
window pane, or if Tshark isn't invoked with the `-V` switch. However the
|
window pane, or if TShark isn't invoked with the `-V` switch. However the
|
||||||
"add" type <<lua_class_TreeItem,`TreeItem`>> functions can still be called, and still return <<lua_class_TreeItem,`TreeItem`>>
|
"add" type <<lua_class_TreeItem,`TreeItem`>> functions can still be called, and still return <<lua_class_TreeItem,`TreeItem`>>
|
||||||
objects - but the info isn't really added to the tree. Therefore you do not
|
objects - but the info isn't really added to the tree. Therefore you do not
|
||||||
typically need to worry about whether there's a real tree or not. If, for some
|
typically need to worry about whether there's a real tree or not. If, for some
|
||||||
|
|
2
tshark.c
2
tshark.c
|
@ -3564,7 +3564,7 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type,
|
||||||
/* Set up to write to the capture file. */
|
/* Set up to write to the capture file. */
|
||||||
wtap_dump_params_init_no_idbs(¶ms, cf->provider.wth);
|
wtap_dump_params_init_no_idbs(¶ms, cf->provider.wth);
|
||||||
|
|
||||||
/* If we don't have an application name add Tshark */
|
/* If we don't have an application name add TShark */
|
||||||
if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
|
if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
|
||||||
/* this is free'd by wtap_block_unref() later */
|
/* this is free'd by wtap_block_unref() later */
|
||||||
wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "%s", get_appname_and_version());
|
wtap_block_add_string_option_format(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "%s", get_appname_and_version());
|
||||||
|
|
Loading…
Reference in New Issue