My modified tshark fails with "file type short name already exists"

tshark

asked 2019-03-02 17:53:51 +0000

updated 2019-03-03 04:10:14 +0000

Guy Harris
19890 ●3 ●659 ●207

I want to run Tshark dissector from the source file (i.e. tshark.c which is writen in C language) instead of using terminal and the following command:

tshark -r my.pcap ...

So I changed tshark.c main funtion from:

int
main(int argc, char *argv[])
{
  return real_main(argc, argv);
}

to:

int
tshark_main(char arg0[],char arg1[],char arg2[],char arg3[],char arg4[],char arg5[],char arg6[],char arg7[])
{
    int argc=8;
    char* const  argv[] = {arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7,NULL};
    return (real_main(argc, argv));
}

in order to call the main function from another functions. After that I created a lib consist of tshark.c and other dependecies and made the required include file as follows:

#ifndef __TSHARK_H__
#define __TSHARK_H__

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

#ifdef _WIN32
int
wmain(int argc, wchar_t *wc_argv[]);
#else
int
tshark_main(char arg0[], char arg1[], char arg2[], char arg3[], char arg4[], char arg5[], char arg6[], char arg7[]);
#endif


#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* tshark.h */

In the next step, I added the mentioned lib and *.h file to my C++ project and call the tshark_main function as follows:

char arg0[]="";
char arg1[]="-o";
char arg2[]="uat:user_dlts:\"User 0 (DLT=147)\",\"RRC.SI.SIB1\",\"0\",\"\",\"0\",\"\"";
char arg3[]="-r";
char arg4[]="my1.pcap";
char arg5[]="-V";
char arg6[]="";
char arg7[]="";
tshark_main(arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7);
char arg4[]="my2.pcap";
tshark_main(arg0,arg1,arg2,arg3,arg4,arg5,arg6,arg7);

But, in tshark_main(...) second call (last line) a fatal error appears like this:

** (process:8445): ERROR **: 18:05:33.070: file type short name already exists

I think this error is because of the static variables that is defined in the source file(s) and when I call the tshark_main(...) for the first time every thing is OK and when I call that in second or more times, the variables have changed. As Wireshark can dissect the packets and files over and over, So I need an initialization method or some thing like that which wireshark uses to reset the static variables but I don't know where it is. Also, There may be a second way to reset every thing before calling tshark_main(...) for the second time which I don't know how to do it. Can every one tell me the solution?

edit retag flag offensive close merge delete

add a comment

Comments

Thanks, but how Wireshark calls Tshark (i.e main function) for every packet?

morteza ali ahmadi ( 2019-03-03 08:20:47 +0000 )edit

It doesn't. What both programs use is called epan, the dissection engine core. What they both do at startup is create the context in which the dissection can run. Wireshark maintains that context and cleans it when a capture file is closed. The Tshark process is expected to run to completion, after which the context is destroyed.

What happens with your repeated invocation of tshark_main() is that the context is created again. Hence the error file type short name already exists. File type registrations are part of that context.

Jaap ( 2019-03-03 08:43:23 +0000 )edit

@jeep Thanks for your reply. OK, I got it. I want to use Wireshark or Tshark API in my C++ projects in which that the user can select a pcap file (or a byte array) to dissect and can do this several times. What is your suggestion? Can I destroy the context of Tshark for each invoking or should I use another way?

morteza ali ahmadi ( 2019-03-03 10:12:13 +0000 )edit

I want to use Wireshark or Tshark API

Neither Wireshark nor TShark have an API. The libwireshark library (the library that Jaap referred to as "epan", which is a historical name for it, and is the name of the directory in the Wireshark source tree that contains the library source) offers APIs that are used by both Wireshark and TShark. That library doesn't read in capture files; there's another library in Wireshark, named libwiretap, that reads and writes capture files.

Can I destroy the context of Tshark for each invoking

TShark is a program, not a library, so you can only invoke it by running it from a script or a program.

The initialization of the libwireshark library is done by calling, among other things, calling epan_init(). You would only do that once in your program, even if your program reads and dissects multiple files or raw byte ...(more)

Guy Harris ( 2019-03-03 10:36:26 +0000 )edit

@Harris Thanks again for your help. I have to create a pcap file in feed to tshark because I don't know how can I dissect a byte array with wireshark. So my propose is to dissect a byte array. Can you tell me a link or a tutorial which in it's sources uses libwireshark or libwiretap to dissect a packet?

morteza ali ahmadi ( 2019-03-03 13:15:39 +0000 )edit

see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

My modified tshark fails with "file type short name already exists"

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

My modified tshark fails with "file type short name already exists" edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

My modified tshark fails with "file type short name already exists"