Commit Graph

212 Commits

Author SHA1 Message Date
Juha Takala 8bc52f542b Add tshark ringbuffer option '-b nametimenum:value'
This is used to select the ringbuffer savefile name template.  Choose one of two
savefile name templates:

If value is 1, make running file number part before start time part; this is
the original and default behaviour (e.g. log_00001_20210828164426.pcap).

If value is greater than 1, make start time part before running number part
(e.g. log_20210828164426_00001.pcap).

The latter makes alphabetical sorting order equal to creation time order, and
keeps related multiple file sets in the same directory close to each other (e.g.
while browsing in wireshark "Open file" dialog).

Signed-off-by: Juha Takala <juha.takala+rauta@iki.fi>
2021-09-14 04:52:09 +00:00
Martin Mathieson fb02f423b1 Some spelling fixes 2021-09-03 22:45:06 +00:00
Erik Rigtorp 5844c469f0 Add support for ZSTD and LZ4 decompression
- Describe zstd and lz4 support in man pages
- Update AUTHORS
- Update mime types to recognize zstd and lz4
2021-09-01 20:59:07 +02:00
Guy Harris 0a9ef601d2 Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.

This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.

Support writing multiple comments in dumpcap when capturing.

These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.

Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).

Update the man pages:

- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-15 05:43:36 +00:00
David Perry 67b54e8b66 tshark: allow --capture-comment when reading a file
Allows adding one or more capture comments to a new pcapng file when
tshark is reading from a file. Currently, tshark only allows setting one
capture comment, and that only when doing a live capture.

The use case for this feature is given in bug #15005.
I decided to allow multiple capture comments to match the same ability
in `editcap`.

To allow this change, I changed the function signature of
`process_cap_file()` so it takes a `capture_options` struct instead of
individual parameters that affect the capture.
2021-07-14 04:34:52 +00:00
Nardi Ivan c2d77d910d QUIC: improve "Follow QUIC Stream" support
This functionality has been added in d2a660d8, where its limitations
are described.
Improvements:
* the Substream index menu now properly filters for available stream numbers;
* Follow Stream selects the first stream in the current packet

Known issue (which is still there):  if a packet contains multiple QUIC
streams, then we will show data also from streams other than the selected
one (see #16093)

Note that there is no way to follow a QUIC connection.

Close #17453
2021-07-07 13:08:19 +00:00
João Valverde 2080661e88 wslog: Documentation fixups 2021-06-21 22:39:54 +01:00
João Valverde c5b3842639 wslog: Add more documentation 2021-06-17 12:00:10 +01:00
John Thacker 17f2fc32f7 tshark: Correct documentation about name resolution.
The tshark help and documentation have been incorrect for at least
eight years, claiming that by default all name resolutions are
performed. Fixes #11762
2021-05-26 23:09:53 +00:00
Toff 2df04e5bb0 Follow stream: Modify YAML format, add timestamps and peers
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
2021-05-25 08:09:31 +00:00
Chuck Craft 9f72d4ce60 DOC: tshark io,stat - function name not optional 2021-04-19 21:55:45 -05:00
Uli Heilmeier c2f3b654f7 Manpage tshark: Add option '-A'
This commit adds option '-A' for rpcap authentication.

Fixes: wireshark/wireshark#16674
2021-04-10 07:32:08 +00:00
Guy Harris 9bd144b8ea tshark: clean up the way the -U option lists available taps.
Allow "-U ?" as well as an empty argument; an empty argument is a bit
counterintuitive.

Simplify the introductory line of output - asking for a list of taps
isn't an error in which the user failed to supply a tap name, it's a
case where the user supplied a request for a list of tap names.

Just use fprintf() to print the list, and indent the elements of the
list, as we do with other lists of valid arguments.

List the valid arguments if the user specified an invalid argument as
well.
2021-03-13 15:32:14 -08:00
Gerald Combs dfc05555eb [Automatic update for 2021-01-03]
Update manuf, services enterprise numbers, translations, and other items.
2021-01-03 17:38:31 +00:00
Gerald Combs 4a7be0aaa7 doc: Update wiki URLs in man pages. 2020-09-17 14:18:43 -07:00
Martin Mathieson 38d77e6c7c Fix some typos detected in man pages. 2020-09-03 21:07:35 +00:00
Gerald Combs 4dc3114c05 Windows: Set our locale to ".UTF-8".
In each of our executables we were calling "setlocale(LC_ALL, "")" at
startup. This told Windows that output was encoded using the current
system code page. Unless the code page was 65001 (UTF-8), this was a lie.

We write UTF-8 to stdout and stderr, so call "setlocale(LC_ALL, ".UTF-8")"
at startup on Windows. This lets the CRT translate our output correctly
in more cases.

Clarify and expand the OUTPUT section in the tshark man page.

Bug: 16649
Change-Id: If93231fe5b332c292946c7f8e5e813e2f543e799
Reviewed-on: https://code.wireshark.org/review/37560
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2020-07-06 16:20:25 +00:00
Jaap Keuter 9ea4bd2b96 doc: Apply proper capitalization to the Wireshark name
Change-Id: I9d29cd705c9af39bae6cffdefaba0b9c8b4bb2e6
Reviewed-on: https://code.wireshark.org/review/36081
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-02-17 04:40:16 +00:00
Gerald Combs b401c92615 [Automatic update for 2020-01-05]
Update manuf, services enterprise numbers, translations, and other items.

Change-Id: I871629b91d38be26bfe448bf90dfbb47a97acdfa
Reviewed-on: https://code.wireshark.org/review/35652
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2020-01-05 08:20:10 +00:00
Jaap Keuter 890e2bea2e Documentation: update (long) cmd line options
Documentation of the Tshark and dumpcap command line options between
help text, manual page and user's guide diverged over time. One aspect
of this is the implementation of more long options. This change tries to
update all documentation to be complete and in sync again.

Change-Id: Ie8bee013df8d209080fcf288072774f18f9ff51f
Reviewed-on: https://code.wireshark.org/review/35261
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
2019-11-30 23:42:11 +00:00
Peter Wu d2a660d805 QUIC: Add Follow QUIC Stream support to Qt and tshark
The QUIC transport protocol provides a stream, similar to HTTP/2. Make
it possible to look at the stream contents. This can be helpful while
HTTP/3 support is not yet complete.

Known issues that will be addressed in the future:

 - If a single packet contains multiple streams, then Follow QUIC Stream
   will wrongly include data from streams other than the selected one.
   This is tracked by bug 16093 and affects HTTP/2 as well.

 - The Substream index menu does not properly filter for available
   stream numbers. If a non-existing stream is selected, then changing
   to another (potentially valid) index results in the "Capture file
   invalid." error. As workaround, clear the display filter first.

 - Follow Stream always selects Stream ID 0 instead of the first or
   currently selected stream field in a packet. Users should manually
   update the stream index as needed.

Change-Id: I5866be380d58c96f0a71a29abdbd1be20ae3534a
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/34694
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-10-04 04:36:09 +00:00
Alexander Gryanko 9fff62e2a8 Qt, http2: Add Follow HTTP/2 Stream functionality
The HTTP/2 protocol multiplexes a single TCP connection into multiple
independent streams. The Follow TCP output can interleave multiple
HTTP/2 streams, making it harder to analyze a single HTTP/2 stream.

Add the ability to select HTTP/2 Streams within a TCP stream.
Internally, the HTTP/2 dissector now stores the known Stream IDs in a
set for every TCP session which allows an amortized O(n) lookup time for
the previous/next/max Stream ID.

[Peter: make the dissector responsible for clamping the HTTP/2 Stream ID
instead of the Qt code, that should permit future optimizations.]

Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200
Reviewed-on: https://code.wireshark.org/review/32221
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-09-22 05:29:30 +00:00
Michael Mann c07e31c71d tshark: Add "ip" as alias for "ipv4" in -z hosts option.
Make it consistent with -z conv,ip and -z endpoints,ip

Bug: 15660
Change-Id: I9a3d2e95fed47231c0bab20e6cf069987eed142f
Reviewed-on: https://code.wireshark.org/review/34426
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-09-02 06:54:08 +00:00
Jaap Keuter ef014f76d5 tshark: Complement manual page synopsis
Add '-J' option to synopsis and reshuffle '-j' to correct place.

Change-Id: I351b3ce464fca3b52a75614e1e8f8c91f9a30df2
Reviewed-on: https://code.wireshark.org/review/34352
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
2019-08-25 16:48:27 +00:00
Peter Wu 04c12dd67b doc: document WIRESHARK_CONFIG_DIR
WIRESHARK_CONFIG_DIR was introduced with Wireshark 3.0 and is more
cross-platform than WIRESHARK_APPDATA. The latter was presumably created
for use by PortableApps. Let's consider that an internal, undocumented
detail that might be changed, and document WIRESHARK_CONFIG_DIR instead.

Change-Id: I0042d607b282cc6dee4b017b1e80b44087bd62e9
Reviewed-on: https://code.wireshark.org/review/34113
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jeff Morriss <jeff.morriss.ws@gmail.com>
2019-07-29 19:15:20 +00:00
Peter Wu c88e525168 Documentation: convert http URLs to https
Remove some dead links or point them to archive.org while at it. All
updated links have been verified.

Change-Id: Icf02167a13d5fe9dfce39ea57525b3f185554c9d
Reviewed-on: https://code.wireshark.org/review/34028
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-07-20 20:51:30 +00:00
Dario Lombardo 1af6e1f860 tap: add credentials tap.
This new tap collects credentials (username and password)
from the dissectors.

So far, few dissectors have been instrumented:
- http (basic auth)
- http (header auth)
- ftp
Others can be instrumented as well using the same technique.

Tshark has a new option (-z credentials) and Wireshark a new
"tools" menu: the documentation has been updated accordingly.

Change-Id: I2d0d96598c85bb3ea4fb5ec090dd8dc28b481fc9
Reviewed-on: https://code.wireshark.org/review/33453
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
2019-06-26 07:09:54 +00:00
Moshe Kaplan 14796202a8 Update tshark man pages for -j and -J
Change-Id: I221013d5948c4c699b1721441b54a05dc5ff2ce2
Reviewed-on: https://code.wireshark.org/review/33089
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-05-07 15:33:17 +00:00
Guy Harris cdd6cbd18b Update documentation of -G plugins.
Change-Id: Id057003924475c3c1241b156f7da3455b00a3560
Reviewed-on: https://code.wireshark.org/review/32590
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-03-26 21:57:34 +00:00
Jeff Morriss a748f8f41a Clean up the new-file selection criteria in the GUI.
Inspired by looking into
https://ask.wireshark.org/question/8009/wireshark-ring-buffer-settings-from-command-line/

... in which the user was confused because a duration set on the command
line was not reflected in the GUI.  That's because
I0180c43843f5d2f0c2f50153c9ce42ac7fa5aeae added the `interval` ring-buffer
option and made the GUI use this rather than `duration`.  This was not at all
clear in the GUI, though.

Since `duration` and `interval` have quite different use cases, expose both in
the GUI.

Try to clean up and unify the tooltips at the same time.  I'm not entirely
convinced the tooltips need to be on the checkbox, the spinbox, and the
combobox but leave it that way for now.

Add some to the man page description of the interval option to hopefully make
it clearer what the option does.

Change-Id: I3b45fe71c33af64d980dffb5e5ba93e2a15a6b96
Reviewed-on: https://code.wireshark.org/review/32526
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-03-23 13:27:31 +00:00
Gerald Combs 7fbee2640c Docs: Mention Npcap in our man pages.
Mention Npcap wherever we mention WinPcap.

Change-Id: I6ee295ca88302e2516d5658a5d528f9675209da8
Reviewed-on: https://code.wireshark.org/review/32352
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-03-08 07:30:24 +00:00
Guy Harris a302d531e8 The non-flag arguments to tshark aren't necessarily a capture filter.
They're a capture filter if you're capturing live traffic; they're a
display (read) filter if you're reading a capture file.

Change-Id: Ia2f5bcdb0098bf3c2b4a3d99da5bfe768e09b5a0
Reviewed-on: https://code.wireshark.org/review/32207
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-02-26 22:17:26 +00:00
Gerald Combs 2b7615e603 [Automatic update for 2019-01-06]
Update manuf, services enterprise numbers, translations, and other items.

Change-Id: I0e282baebc0cda0e54e49eff60827eec02f6f797
Reviewed-on: https://code.wireshark.org/review/31402
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2019-01-06 08:26:31 +00:00
Jim Young e1c02bd920 Add jsonraw to tshark's -T man page synopsis
Change-Id: Icf3dacb143b19a55788a30dac297787ab3d2c3f0
Reviewed-on: https://code.wireshark.org/review/31242
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-12-29 09:10:48 +00:00
Jaap Keuter a58904f387 PCAP/PCAPNG: Be consistent in documentation, etc
1) The default build configuration is to select PCAPNG as
output format, but it can be selected as PCAP. Some of the
command line tools have the option to select the output
format and default towards the build configuration.
This has to be reflected in their help output also.

2) Various documentation files are still stating that PCAP is
the default format of various tools. With the default build
configuration being PCAPNG these have to be adjusted as well.
(with lack of dynamic content the documentation can only refer
to the default build configuration format).

Change-Id: I51d19642a7ed8c99817971c1f25d20972095021e
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/30951
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-12-07 06:00:14 +00:00
Jaap Keuter 0da8a3dbd3 Doc: add mentioning of ip link to get interfaces
With the introduction of the ip command (from iproute2) on modern
Linux systems it becomes common to see this tool available,
gradually replacing tools like netstat and ifconfig.

Change-Id: I1fb309e741c07c93271b61a35c4833d36bcc5cb8
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/30924
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-12-06 06:26:20 +00:00
Gerald Combs 74b0c08905 [Automatic update for 2018-12-02]
Update manuf, services enterprise numbers, translations, and other items.

Change-Id: Idfe3eaa6b9abd2337590a09972ce44266c2893ca
Reviewed-on: https://code.wireshark.org/review/30880
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-12-02 08:21:32 +00:00
Gerald Combs 4ebe640ec1 Man pages: Update pipe input documentation.
Make sure the -i <pipe> documentation is consistent and correct.

Change-Id: I9019effb658f914ac754e4ae893eafbe7c4b4da1
Reviewed-on: https://code.wireshark.org/review/30675
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-11-16 23:40:23 +00:00
Vasil Velichkov ec95ae98ed tshark: Print the packets' comments in the expert info
Previously 'tshark -z expert' was failing with abort when a packet
contains a comment

- Add a new comment parameter and update the tshark's manual page
- Add a new comment_level severity and change the default level to it.
- Add various 'tshark -z expert' tests

Change-Id: I188317da5e00019b8f2b725f0fe84942f774520f
Reviewed-on: https://code.wireshark.org/review/30610
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-11-13 21:18:30 +00:00
Gerald Combs 11a9a501fb Dumpcap+Qt: Add support for `-a packets:NUM` and `-b packets:NUM`.
Add the ability to rotate files after a specified number of packets (`-b
packets:NUM`). Move some condition checks to capture_loop_write_packet_cb.

Add `-a packets:NUM` in order to be consistent. It is functionally
equivalent to the `-c` flag.

Add a corresponding "packets" option to the Capture Interfaces dialog
Output tab.

Add initial tests for autostop and ringbuffer conditions.

Change-Id: I66eb968927ed287deb8edb96db96d7c73526c257
Reviewed-on: https://code.wireshark.org/review/30534
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-09 05:55:11 +00:00
Gerald Combs 8b977a43d6 Move condition logic to dumpcap.c
Move the condition logic from capture_stop_conditions.c to dumpcap.c.
Remove capture_stop_conditions.[ch] and conditions.[ch].

Switch duration values to doubles.

Change-Id: Ifa74fb13ec8fc923b0721597a6cf071d72069ea0
Reviewed-on: https://code.wireshark.org/review/30440
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-01 05:09:10 +00:00
Uli Heilmeier 8dfaa8fa7c *shark: Update help and manpage for name resolving
Add 'v' option for VLAN ID resolving and get rid of
deprecated 'C' option.

Bug: 14826
Change-Id: I63104f4a465d251048693ad02882ea7eb2c4d926
Reviewed-on: https://code.wireshark.org/review/30029
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-05 13:19:05 +00:00
Gerald Combs cd95e197ca Start renaming SSL to TLS.
Rename the "ssl" protocol to "tls" and add an "ssl" alias. Prefer "TLS"
over "SSL" in user interface text and in the documentation.

Fix the test_tls_master_secret test while we're here.

Bug: 14922
Change-Id: Iab6ba2c7c4c0f8f6dd0f6d5d90fac5e9486612f8
Reviewed-on: https://code.wireshark.org/review/29649
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-09-13 22:37:52 +00:00
João Valverde a93698a4ff Remove the tshark -z compare feature
- It cannot support IPv6.
- Non-standard use (specifically recommended against in the RFCs)
  of the IPv4 fragment ID field.
- Has a narrow and non-obvious use case, IMO.
- It is not supported in the Qt GUI.
- Significant maintenance burden for an obscure feature.

Change-Id: Icaf429269dc42f78c38b8d20001508132499faf8
Reviewed-on: https://code.wireshark.org/review/29239
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
2018-09-09 23:55:19 +00:00
Gerald Combs dfc7fcc815 Docs: Make our Pod documentation encoding uniform.
We've set "=encoding utf8" in wireshark.pod for a long time. Do so in
the rest of our .pod files.

Change-Id: I3ef0fb3a88ed63275b4ff4362b6afbf13d79a0bc
Reviewed-on: https://code.wireshark.org/review/29182
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2018-08-18 14:29:41 +00:00
Dario Lombardo 04aedf3682 tshark: prepend tshark to all examples in doc.
The doc has a mixed way of providing examples, both without executable
name and with it. Add it to all the provided examples. Add highlight of
tshark in examples, too.

Change-Id: I99d83201cc897629f186aabd20c0add9c7c53b93
Reviewed-on: https://code.wireshark.org/review/27034
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2018-04-19 17:15:07 +00:00
Dario Lombardo fc6b8ab698 tshark: improve -G elastic-mapping command by adding filters.
The generated elastic mapping file is huge and it can hassle software
like Kibana. This change adds the ability to append desired filters
that will appear in the mapping file.

This change adds the option --elastic-mapping-filter <protocols> to tshark.

Example: tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns

makes only those 3 protocols appear in the mapping file.

Change-Id: Ie2dcd6e44be2d084e8e50cd6554bd90178da4e38
Reviewed-on: https://code.wireshark.org/review/27001
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
2018-04-19 15:54:47 +00:00
Dario Lombardo 511c2e166a tshark: add -G elastic-mapping report.
This option generates an ElasticSearch mapping file as described here:
https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana

It leverages the Glib-json library.

Change-Id: Iff25f991e87d3da07bf06654e353fb785799dde9
Reviewed-on: https://code.wireshark.org/review/26848
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
2018-04-18 08:57:39 +00:00
Alexis La Goutte 2db0957d49 tshark(.pod): fix spelling-error-in-manpage found by lintian
inital => initial

Change-Id: Id92a853bd6b24e06b2f6074903f8e89249c6c2cc
Reviewed-on: https://code.wireshark.org/review/26168
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-02-28 08:28:35 +00:00
Guy Harris e2d5c537df Reorganize and expand the description section.
Try to do a better job of explaining the behavior with various
combinations of options.  There are a lot of different output options,
and combinations of those options, for TShark; try to cover more of them
- it's complicated.

Consistently refer to command-line "options" rather than "flags".

Change-Id: Idbe6d22a07920789b3d5ed46a700e654a5ac0ae3
Reviewed-on: https://code.wireshark.org/review/25902
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-19 17:41:46 +00:00