Ask Your Question
0

My modified tshark fails with "file type short name already exists"

asked 2019-03-02 17:53:51 +0000

updated 2019-03-03 04:10:14 +0000

Guy Harris gravatar image

I want to run Tshark dissector from the source file (i.e. tshark.c which is writen in C language) instead of using terminal and the following command:

tshark -r my.pcap ...

So I changed tshark.c main funtion from:

int
main(int argc, char *argv[])
{
  return real_main(argc, argv);
}

to:

int
tshark_main(char arg0[],char arg1[],char arg2[],char arg3[],char arg4[],char arg5[],char arg6[],char arg7[])
{
    int argc=8;
    char* const  argv[] = {arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7,NULL};
    return (real_main(argc, argv));
}

in order to call the main function from another functions. After that I created a lib consist of tshark.c and other dependecies and made the required include file as follows:

#ifndef __TSHARK_H__
#define __TSHARK_H__

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

#ifdef _WIN32
int
wmain(int argc, wchar_t *wc_argv[]);
#else
int
tshark_main(char arg0[], char arg1[], char arg2[], char arg3[], char arg4[], char arg5[], char arg6[], char arg7[]);
#endif


#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* tshark.h */

In the next step, I added the mentioned lib and *.h file to my C++ project and call the tshark_main function as follows:

char arg0[]="";
char arg1[]="-o";
char arg2[]="uat:user_dlts:\"User 0 (DLT=147)\",\"RRC.SI.SIB1\",\"0\",\"\",\"0\",\"\"";
char arg3[]="-r";
char arg4[]="my1.pcap";
char arg5[]="-V";
char arg6[]="";
char arg7[]="";
tshark_main(arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7);
char arg4[]="my2.pcap";
tshark_main(arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7);

But, in tshark_main(...) second call (last line) a fatal error appears like this:

** (process:8445): ERROR **: 18:05:33.070: file type short name already exists

I think this error is because of the static variables that is defined in the source file(s) and when I call the tshark_main(...) for the first time every thing is OK and when I call that in second or more times, the variables have changed. As Wireshark can dissect the packets and files over and over, So I need an initialization method or some thing like that which wireshark uses to reset the static variables but I don't know where it is. Also, There may be a second way to reset every thing before calling tshark_main(...) for the second time which I don't know how to do it. Can every one tell me the solution?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-03 04:27:29 +0000

Guy Harris gravatar image

We do not support calling the TShark main function more than once, and never will, so there is, no solution to make your program, as written, work, and there will never be such a solution.

If you want to process multiple capture files within one invocation of your program, you will need to modify TShark so that, for example, its version of cf_close() does all the necessary work that the Wireshark version, in file.c does, and probably other changes, and then take the part of the main function that reads and processes the file, make it into a subroutine, and call it twice.

That's going to be a lot of work. I have not looked into what you would have to do, and will not do so, so I, at least, will not be able to give you any more help on doing that.

You could, instead, just run TShark twice from a script. I would VERY STRONGLY suggest that you consider that rather than trying to do some MAJOR hacking on a program that's not simple.

edit flag offensive delete link more

Comments

Thanks, but how Wireshark calls Tshark (i.e main function) for every packet?

morteza ali ahmadi gravatar imagemorteza ali ahmadi ( 2019-03-03 08:20:47 +0000 )edit

It doesn't. What both programs use is called epan, the dissection engine core. What they both do at startup is create the context in which the dissection can run. Wireshark maintains that context and cleans it when a capture file is closed. The Tshark process is expected to run to completion, after which the context is destroyed.

What happens with your repeated invocation of tshark_main() is that the context is created again. Hence the error file type short name already exists. File type registrations are part of that context.

Jaap gravatar imageJaap ( 2019-03-03 08:43:23 +0000 )edit

@jeep Thanks for your reply. OK, I got it. I want to use Wireshark or Tshark API in my C++ projects in which that the user can select a pcap file (or a byte array) to dissect and can do this several times. What is your suggestion? Can I destroy the context of Tshark for each invoking or should I use another way?

morteza ali ahmadi gravatar imagemorteza ali ahmadi ( 2019-03-03 10:12:13 +0000 )edit

I want to use Wireshark or Tshark API

Neither Wireshark nor TShark have an API. The libwireshark library (the library that Jaap referred to as "epan", which is a historical name for it, and is the name of the directory in the Wireshark source tree that contains the library source) offers APIs that are used by both Wireshark and TShark. That library doesn't read in capture files; there's another library in Wireshark, named libwiretap, that reads and writes capture files.

Can I destroy the context of Tshark for each invoking

TShark is a program, not a library, so you can only invoke it by running it from a script or a program.

The initialization of the libwireshark library is done by calling, among other things, calling epan_init(). You would only do that once in your program, even if your program reads and dissects multiple files or raw byte ...(more)

Guy Harris gravatar imageGuy Harris ( 2019-03-03 10:36:26 +0000 )edit

@Harris Thanks again for your help. I have to create a pcap file in feed to tshark because I don't know how can I dissect a byte array with wireshark. So my propose is to dissect a byte array. Can you tell me a link or a tutorial which in it's sources uses libwireshark or libwiretap to dissect a packet?

morteza ali ahmadi gravatar imagemorteza ali ahmadi ( 2019-03-03 13:15:39 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-03-02 17:53:51 +0000

Seen: 700 times

Last updated: Mar 03 '19