捕获与tshark的标准的popen输出用C [英] Capturing tshark standard output with popen in C

问题描述

我试图捕获标准输出的 tshark的通过C.程序
对于这一点，我使用的的popen（）的通话打开tshark的过程，并从返回的文件流读取。

I'm trying to capture the standard output from tshark through a program in C. For that, I use popen() call to open tshark process and read from the returned FILE stream.

code样品：<​​/ P>

Code sample:

#include <stdio.h>
#include <stdlib.h>

int main() {

    FILE* pipe_fd = popen("tshark -i eth0 -R icmp -2 -T fields -e icmp.checksum -e icmp.seq", "r");
    //FILE* pipe_fd = popen("lsof", "r");

    if (!pipe_fd) {
        fprintf(stderr, "popen failed.\n");
        return EXIT_FAILURE;
    }

    char buffer[2048];
    while (NULL != fgets(buffer, sizeof(buffer), pipe_fd)) {
        fprintf(stdout, "SO: %s", buffer);
    }

    pclose(pipe_fd);
    printf("tdr FINISHED!\n");
    return 0;
}

---

当我运行它，我只得到数据包数计数，也就是说，我没有得到任何数据包字段的信息，只是数据包数，每个数字覆盖在同一个地方的previous（无线滚动发生）

---

When I run it, I get only the packet number count, i.e., I get no packet fields info, just the count of packets, with each number overriding the previous in the same place (no lines scroll happening).

这样的事情，我想4包：

Something like this, I guess for 4 packets:

tomas@ubuntu64:~$ sudo ./main
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
4 

但是，如果我用'lsof的'在C程序改变'tshark的'命令的说法​​，我得到的标准输出就好了。

But if I change in the C program the 'tshark' command argument by 'lsof', I get the standard output just fine.

tomas@ubuntu64:~$ sudo ./main
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
SO: COMMAND     PID   TID       USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
SO: init          1             root  cwd       DIR                8,1     4096          2 /
SO: init          1             root  rtd       DIR                8,1     4096          2 /
SO: init          1             root  txt       REG                8,1   265848     791529 /sbin/init
SO: init          1             root  mem       REG                8,1    47712     824514 /lib/x86_64-linux-gnu/libnss_files-2.19.so
...

通过这个结果，我假设，有一些特殊的方式 tshark的发送信息到标准输出。有谁知道这种行为？
我要去检查tshark的源$ C ​​$ C，看它是否能够澄清。

With this result, I'm assuming that there is something special with the way tshark sends the info to the standard output. Does anyone know about this behaviour? I'm gonna check tshark source code, to see if it can clarify it.

就在最后要注意的。

当我通过shell中运行tshark的，我经常收到丢失的数据包号码，如：

When I run tshark through the shell, I often get missing packet numbers like:

tomas@ubuntu64:~$ sudo tshark -i eth0 -R icmp -2 -T fields -e icmp.checksum -e icmp.seq
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
0x0ee5  63045
1 0x8ae3    63046
2 0xcfdf    63047
3 0xe4d9    63048
4 0x9db7    63049
5 0x6798    63050
6 0x0175    63051
7 0x9e54    63052
0xa654  63052
9 0xe050    63053
0xe850  63053
11 0x8389   63054
0x8b89  63054
13 0x9b81   63055
0xa381  63055

缺少印刷包号码8，10，12，14

Missing printed packet numbers 8, 10, 12, 14.

当我stdout重定向到文件，它不会发送计数数字：

And when I redirect stdout to file, it does not send the count numbers:

tomas@ubuntu64:~$ sudo tshark -i eth0 -R icmp -2 -T fields -e icmp.checksum -e icmp.seq > kk
tomas@ubuntu64:~$ cat kk 
0x2073  63321
0x2873  63321
0x7c6a  63322

这tshark的正在处理打印数据包数和信息不同的另一条线索。

Another clue that tshark is handling printed packet count and info differently.

问候，
汤姆

推荐答案

好吧，就算我终于不用跟tshark的这种工作方式，我想我找到了选项，以使用的的popen 的tshark的。从手册页，选项-l

Well, even if I finally don't use this way of working with tshark, I think I found the option to use in order to popen tshark. From the manual page, option -l:

冲洗标准输出打印每个包中的信息之后。 （这不，严格来说，行缓冲-V是
  规定;然而，它是相同的行缓冲如果-V不
  指定，只有一行打印每个分组，并且，作为-l是
  通常管道实时捕捉到程序或脚本时使用，所以
  该输出一个包只要分组被视为示出了与
  解剖，它应该工作一样好真行缓冲。我们的确是
  这是在微软的Visual C ++℃，缺乏一种解决方法
  库）。

Flush the standard output after the information for each packet is printed. (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C library.)

<强>管道tshark的输出到另一个时，这可能是有用的
  节目，因为这意味着该计划到输出管道
  将尽快看到解剖数据包作为tshark的看到
  包，并产生输出，而不是看到它只有当
  包含这些数据的标准输出缓冲区填满了。

This may be useful when piping the output of TShark to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon as TShark sees the packet and generates that output, rather than seeing it only when the standard output buffer containing that data fills up.

我测试过它，它似乎工作。
万一有人需要它。

I tested it, and it seems to work. Just in case anyone needs it.

这篇关于捕获与tshark的标准的popen输出用C的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！