| blob | 263d342fc34ed8c2957e7485fd4dd35b0cc756c3 |
1 /* file.c
2 * File I/O routines
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
11 #include <config.h>
12 #define WS_LOG_DOMAIN LOG_DOMAIN_CAPTURE
14 #include <time.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <errno.h>
22 #include <wsutil/file_util.h>
23 #include <wsutil/filesystem.h>
24 #include <wsutil/json_dumper.h>
25 #include <wsutil/wslog.h>
26 #include <wsutil/ws_assert.h>
27 #include <wsutil/version_info.h>
29 #include <wiretap/merge.h>
31 #include <epan/exceptions.h>
32 #include <epan/epan.h>
33 #include <epan/column.h>
34 #include <epan/packet.h>
35 #include <epan/column-utils.h>
36 #include <epan/expert.h>
37 #include <epan/prefs.h>
38 #include <epan/dfilter/dfilter.h>
39 #include <epan/epan_dissect.h>
40 #include <epan/tap.h>
41 #include <epan/timestamp.h>
42 #include <epan/strutil.h>
43 #include <epan/addr_resolv.h>
44 #include <epan/color_filters.h>
45 #include <epan/secrets.h>
60 /* Needed for addrinfo */
61 #include <sys/types.h>
63 #ifdef HAVE_SYS_SOCKET_H
64 #include <sys/socket.h>
65 #endif
67 #ifdef HAVE_NETINET_IN_H
68 # include <netinet/in.h>
69 #endif
71 #ifdef _WIN32
72 # include <winsock2.h>
73 # include <ws2tcpip.h>
74 #endif
80 static void rescan_packets(capture_file *cf, const char *action, const char *action_item, gboolean redissect);
83 MR_NOTMATCHED,
84 MR_MATCHED,
85 MR_ERROR
134 /* Seconds spent processing packets between pushing UI updates. */
135 #define PROGBAR_UPDATE_INTERVAL 0.150
137 /* Show the progress bar after this many seconds. */
138 #define PROGBAR_SHOW_DELAY 0.5
140 /*
141 * Maximum number of records we support in a file.
142 *
143 * It is, at most, the maximum value of a guint32, as we use a guint32
144 * for the frame number.
145 *
146 * We allow it to be set to a lower value; see issue #16908 for why
147 * we're doing this. Thanks, Qt!
148 */
151 void
153 {
155 }
157 /*
158 * We could probably use g_signal_...() instead of the callbacks below but that
159 * would require linking our CLI programs to libgobject and creating an object
160 * instance for the signals.
161 */
163 cf_callback_t cb_fct;
164 gpointer user_data;
169 static void
171 {
175 /* there should be at least one interested */
182 }
183 }
185 void
187 {
195 }
197 void
199 {
209 }
211 }
214 }
216 gulong
218 {
220 }
222 static void
224 {
228 }
232 {
234 cap_file_provider_get_frame_ts,
235 cap_file_provider_get_interface_name,
236 cap_file_provider_get_interface_description,
237 cap_file_provider_get_modified_block
238 };
241 }
243 cf_status_t
245 {
253 /* The open succeeded. Close whatever capture file we had open,
254 and fill in the information for this file. */
257 /* Initialize the record metadata. */
260 /* XXX - we really want to initialize this after we've read all
261 the packets, so we know how much we'll ultimately need. */
264 /* We're about to start reading the file. */
267 /* If there was a pending redissection for the old file (there
268 * shouldn't be), clear it. cf_close() should have failed if the
269 * old file's read lock was held, but it doesn't hurt to clear it. */
276 /* Set the file name because we need it to set the follow stream filter.
277 XXX - is that still true? We need it for other reasons, though,
278 in any case. */
281 /* Indicate whether it's a permanent or temporary file. */
284 /* No user changes yet. */
302 /* Allocate a frame_data_sequence for the frames in this file */
311 /* Create new epan session for dissection.
312 * (The old one was freed in cf_close().)
313 */
325 fail:
328 }
330 /*
331 * Add an encapsulation type to cf->linktypes.
332 */
333 static void
335 {
336 guint i;
341 }
342 /* It's not already there - add it. */
344 }
346 /* Reset everything to a pristine state */
347 void
349 {
354 /* Die if we're in the middle of reading a file. */
360 /* close things, if not already closed before */
366 }
367 /* We have no file open... */
369 /* If it's a temporary file, remove it. */
374 }
375 /* ...which means we have no changes to that file to save. */
378 /* no open_routine type */
381 /* Clean up the record metadata. */
384 /* Clear the packet list. */
389 /* Free up the packet buffer. */
397 }
401 }
406 /* No frames, no frame selected, no field in that frame selected. */
411 /* No frame link-layer types, either. */
415 }
425 /* We have no file open. */
429 }
431 /*
432 * TRUE if the progress dialog doesn't exist and it looks like we'll
433 * take > PROGBAR_SHOW_DELAY (500ms) to load, FALSE otherwise.
434 */
437 {
442 /* This only gets checked between reading records, which doesn't help if
443 * a single record takes a very long time, e.g., the first TLS packet if
444 * the SSLKEYLOGFILE is very large. (#17051) */
445 if ((elapsed * 2 > PROGBAR_SHOW_DELAY && (size / pos) >= 2) /* It looks like we're going to be slow. */
448 }
450 }
452 static float
453 calc_progbar_val(capture_file *cf, gint64 size, gint64 file_pos, gchar *status_str, gulong status_size)
454 {
460 /* The file probably grew while we were reading it.
461 * Update file size, and try again.
462 */
468 /* If it's still > 1, either "wtap_file_size()" failed (in which
469 * case there's not much we can do about it), or the file
470 * *shrank* (in which case there's not much we can do about
471 * it); just clip the progress value at 1.0.
472 */
475 }
482 }
484 cf_read_status_t
486 {
493 gint64 size;
494 gint64 start_time;
495 epan_dissect_t edt;
496 wtap_rec rec;
497 Buffer buf;
501 guint tap_flags;
502 gboolean compiled _U_;
505 /* The update_progress_dlg call below might end up accepting a user request to
506 * trigger redissection/rescans which can modify/destroy the dissection
507 * context ("cf->epan"). That condition should be prevented by callers, but in
508 * case it occurs let's fail gracefully.
509 */
514 }
515 /* This is a full dissection, so clear any pending request for one. */
519 /* Compile the current display filter.
520 * The code it compiles to might have changed, e.g. if a display
521 * filter macro used has changed.
522 *
523 * We assume this will not fail since cf->dfilter is only set in
524 * cf_filter IFF the filter was valid.
525 * XXX - This is not necessarily true, if the filter has a FT_IPv4
526 * or FT_IPv6 field compared to a resolved hostname in it, because
527 * we do a new host lookup, and that *could* timeout this time
528 * (though with the read lock above we shouldn't have many lookups at
529 * once, reducing the chances of that)... (#19612)
530 */
534 }
539 /* The compiled dfilter might have a field reference; recompiling it
540 * means that the field references won't match anything. That's what
541 * we want since this is a new sequential read and we don't have
542 * a selected frame with a tree. (Will taps with filters with display
543 * references also have cleared display references?)
544 */
546 /* Get the union of the flags for all tap listeners. */
549 /*
550 * Determine whether we need to create a protocol tree.
551 * We do if:
552 *
553 * we're going to apply a display filter;
554 *
555 * one of the tap listeners is going to apply a filter;
556 *
557 * one of the tap listeners requires a protocol tree;
558 *
559 * a postdissector wants field values or protocols on
560 * the first pass.
561 */
562 create_proto_tree =
572 else
575 /* Record the file's compression type.
576 XXX - do we know this at open time? */
579 /* The packet list window will be empty until the file is completely loaded */
587 /* If the display filter or any tap listeners require the columns,
588 * construct them. */
592 /* Find the size of the file. */
595 /* If we are to ignore duplicate frames, we need a container to store
596 * hashes frame contents */
597 fifo_string_cache_t frame_dup_cache;
603 }
610 TRY {
611 gint64 file_pos;
612 gint64 data_offset;
621 /*
622 * Quit if we've already read the maximum number of
623 * records allowed.
624 */
627 }
630 /* Create the progress bar if necessary. */
635 }
637 /*
638 * Update the progress bar, but do it only after
639 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
640 * and packets_bar_update will likely trigger UI paint events, which
641 * might take a while depending on the platform and display. Reset
642 * our timer *after* painting.
643 */
646 /* update the packet bar content on the first run or frequently on very large files */
651 }
652 /*
653 * The previous GUI triggers should not have destroyed the running
654 * session. If that did happen, it could blow up when read_record tries
655 * to use the destroyed edt.session, so detect it right here.
656 */
658 }
661 /* Well, the user decided to exit Wireshark. Break out of the
662 loop, and let the code below (which is called even if there
663 aren't any packets left to read) exit. */
666 }
668 /* Well, the user decided to abort the read. He/She will be warned and
669 it might be enough for him/her to work with the already loaded
670 packets.
671 This is especially true for very large capture files, where you don't
672 want to wait loading the whole file (which may last minutes or even
673 hours even on fast machines) just to see that it was the wrong file. */
675 }
678 }
679 }
685 #if 0
686 /* Could we close the current capture and free up memory from that? */
687 #else
688 /* we have to terminate, as we cannot recover from the memory error */
690 #endif
691 }
692 ENDTRY;
694 // If we're ignoring duplicate frames, clear the data structures.
695 // We really could look at prefs.ignore_dup_frames here, but it's even
696 // safer to check if we had allocated 'cksum'.
700 }
702 /* We're done reading sequentially through the file. */
705 /* Destroy the progress bar if it was created. */
710 /* Free the display name */
717 /* Close the sequential I/O side, to free up memory it requires. */
720 /* Allow the protocol dissectors to free up memory that they
721 * don't need after the sequential run-through of the packets. */
724 /* compute the time it took to load the file */
727 /* Set the file encapsulation type now; we don't know what it is until
728 we've looked at all the packets, as we don't know until then whether
729 there's more than one type (and thus whether it's
730 WTAP_ENCAP_PER_PACKET). */
737 /* It is safe again to execute redissections or sort. */
743 else
746 /* If we have any displayed packets to select, select the first of those
747 packets by making the first row the selected row. */
750 }
753 /*
754 * Well, the user decided to exit Wireshark while reading this *offline*
755 * capture file (Live captures are handled by something like
756 * cf_continue_tail). Clean up accordingly.
757 */
761 }
764 /* Redissection was queued up. Clear the request and perform it now. */
767 }
777 }
780 /* Put up a message box noting that the read failed somewhere along
781 the line. Don't throw out the stuff we managed to read, though,
782 if any. */
792 "The command-line utility editcap can be used to split "
794 "The file contains more records than the maximum "
799 }
801 #ifdef HAVE_LIBPCAP
802 cf_read_status_t
805 {
808 epan_dissect_t edt;
809 gboolean create_proto_tree;
810 guint tap_flags;
812 /* Don't compile the current display filter. The current display filter
813 * text might compile to different code than when the capture started:
814 *
815 * If it has a IP address resolved name, calling get_host_ipaddr every
816 * time new packets arrive can mean a *lot* of gethostbyname calls
817 * in flight at once, eventually leading to a timeout (#19612).
818 * addr_resolv.c says that ares_gethostbyname is "usually interactive",
819 * unlike ares_gethostbyaddr (used in dissection), and violating that
820 * expectation is bad.
821 *
822 * If it has a display filter macro, the definition might have changed.
823 *
824 * If it has a field reference, the selected frame / current proto tree
825 * might have changed, and we don't have the old one. If we recompile,
826 * we can't set the field references to the old values.
827 *
828 * For a rescan, redissection, reload, retap, or opening a new file, we
829 * want to compile. What about here, when new frames have arrived in a live
830 * capture? We might be able to cache the host lookup, and a user might want
831 * the new display filter macro definition, but the user almost surely wants
832 * the field references to refer to values from the proto tree when the
833 * filter was applied, not whatever it happens to be now if the user has
834 * clicked on a different packet.
835 *
836 * To get the new compiled filter, the user should refilter.
837 */
839 /* Get the union of the flags for all tap listeners. */
842 /*
843 * Determine whether we need to create a protocol tree.
844 * We do if:
845 *
846 * we're going to apply a display filter;
847 *
848 * one of the tap listeners is going to apply a filter;
849 *
850 * one of the tap listeners requires a protocol tree;
851 *
852 * a postdissector wants field values or protocols on
853 * the first pass.
854 */
855 create_proto_tree =
861 /* Don't freeze/thaw the list when doing live capture */
862 /*packet_list_freeze();*/
866 TRY {
870 /* If the display filter or any tap listeners require the columns,
871 * construct them. */
880 }
882 /* Well, the user decided to exit Wireshark. Break out of the
883 loop, and let the code below (which is called even if there
884 aren't any packets left to read) exit. */
886 }
887 if (read_record(cf, rec, buf, cf->dfcode, &edt, cinfo, data_offset, frame_dup_cache, frame_cksum)) {
888 newly_displayed_packets++;
889 }
890 to_read--;
891 }
893 }
899 #if 0
900 /* Could we close the current capture and free up memory from that? */
902 #else
903 /* we have to terminate, as we cannot recover from the memory error */
905 #endif
906 }
907 ENDTRY;
909 /* Update the file encapsulation; it might have changed based on the
910 packets we've read. */
915 /* Don't freeze/thaw the list when doing live capture */
916 /*packet_list_thaw();*/
917 /* With the new packet list the first packet
918 * isn't automatically selected.
919 */
924 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
925 so that our caller can kill off the capture child process;
926 this will cause an EOF on the pipe from the child, so
927 "cf_finish_tail()" will be called, and it will clean up
928 and exit. */
931 /* We got an error reading the capture file.
932 XXX - pop up a dialog box instead? */
940 }
944 }
946 void
948 {
951 }
952 }
954 cf_read_status_t
957 {
959 gint64 data_offset;
961 epan_dissect_t edt;
962 gboolean create_proto_tree;
963 guint tap_flags;
965 /* All the comments above in cf_continue_tail apply regarding the
966 * current display filter.
967 */
969 /* Get the union of the flags for all tap listeners. */
972 /* If the display filter or any tap listeners require the columns,
973 * construct them. */
977 /*
978 * Determine whether we need to create a protocol tree.
979 * We do if:
980 *
981 * we're going to apply a display filter;
982 *
983 * one of the tap listeners is going to apply a filter;
984 *
985 * one of the tap listeners requires a protocol tree;
986 *
987 * a postdissector wants field values or protocols on
988 * the first pass.
989 */
990 create_proto_tree =
997 }
999 /* Don't freeze/thaw the list when doing live capture */
1000 /*packet_list_freeze();*/
1006 /* Well, the user decided to abort the read. Break out of the
1007 loop, and let the code below (which is called even if there
1008 aren't any packets left to read) exit. */
1010 }
1013 }
1017 /* Don't freeze/thaw the list when doing live capture */
1018 /*packet_list_thaw();*/
1021 /* Well, the user decided to abort the read. We're only called
1022 when the child capture process closes the pipe to us (meaning
1023 it's probably exited), so we can just close the capture
1024 file; we return CF_READ_ABORTED so our caller can do whatever
1025 is appropriate when that happens. */
1028 }
1030 /* We're done reading sequentially through the file. */
1033 /* We're done reading sequentially through the file; close the
1034 sequential I/O side, to free up memory it requires. */
1037 /* Allow the protocol dissectors to free up memory that they
1038 * don't need after the sequential run-through of the packets. */
1041 /* Update the file encapsulation; it might have changed based on the
1042 packets we've read. */
1045 /* Update the details in the file-set dialog, as the capture file
1046 * has likely grown since we first stat-ed it */
1050 /* We got an error reading the capture file.
1051 XXX - pop up a dialog box? */
1059 }
1063 }
1064 }
1067 gchar *
1069 {
1072 /* Return a name to use in displays */
1074 /* Get the last component of the file name, and use that. */
1079 }
1081 /* The file we read is a temporary file from a live capture or
1082 a merge operation; we don't mention its name, but, if it's
1083 from a capture, give the source of the capture. */
1088 }
1089 }
1091 }
1093 gchar *
1095 {
1098 /* Return a name to use in the GUI for the basename for files to
1099 which we save statistics */
1101 /* Get the last component of the file name, and use that. */
1105 /* If the file name ends with any extension that corresponds
1106 to a file type we support - including compressed versions
1107 of those files - strip it off. */
1112 /* Does the file name end with that extension? */
1118 /* Yes. Strip the extension off, and return the result. */
1121 }
1122 }
1126 }
1128 /* The file we read is a temporary file from a live capture or
1129 a merge operation; we don't mention its name, but, if it's
1130 from a capture, give the source of the capture. */
1135 }
1136 }
1138 }
1140 void
1142 {
1145 }
1151 }
1152 }
1156 {
1159 }
1162 }
1164 /* XXX - use a macro instead? */
1165 int
1167 {
1169 }
1171 /* XXX - use a macro instead? */
1172 gboolean
1174 {
1176 }
1178 void
1180 {
1182 }
1185 /* XXX - use a macro instead? */
1186 void
1188 {
1190 }
1192 /* XXX - use a macro instead? */
1193 void
1195 {
1197 }
1199 /* XXX - use a macro instead? */
1200 gboolean
1202 {
1204 }
1206 /* XXX - use a macro instead? */
1207 guint32
1209 {
1211 }
1213 void
1215 {
1217 }
1219 static void
1223 {
1230 }
1231 #if 0
1232 /* Prepare coloring rules, this ensures that display filter rules containing
1233 * frame.color_rule references are still processed.
1234 * TODO: actually detect that situation or maybe apply other optimizations? */
1238 }
1239 #endif
1242 /* This is the first pass, so prime the epan_dissect_t with the
1243 hfids postdissectors want on the first pass. */
1245 }
1247 /* Initialize passed_dfilter here so that dissectors can hide packets. */
1248 /* XXX We might want to add a separate "visible" bit to frame_data instead. */
1251 /* Dissect the frame. */
1260 /* This frame passed the display filter but it may depend on other
1261 * (potentially not displayed) frames. Find those frames and mark them
1262 * as depended upon.
1263 */
1264 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
1265 }
1266 }
1272 /* We fill the needed columns from new_packet_list */
1274 }
1277 {
1279 /* The only way we use prev_dis is to get the time stamp of
1280 * the previous displayed frame, so ignore it if it doesn't
1281 * have a time stamp, because we're presumably interested in
1282 * the timestamp of the previously displayed frame with a
1283 * time. XXX: What if in the future we want to use the previously
1284 * displayed frame for something else, too?
1285 */
1288 }
1290 /* If we haven't yet seen the first frame, this is it. */
1294 /* This is the last frame we've seen so far. */
1296 }
1299 }
1301 /*
1302 * Read in a new record.
1303 * Returns TRUE if the packet was added to the packet (record) list,
1304 * FALSE otherwise.
1305 */
1306 static gboolean
1310 {
1311 frame_data fdlocal;
1316 gboolean was_in_cache;
1318 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
1319 it's not already there.
1320 XXX - yes, this is O(N), so if every packet had a different
1321 link-layer encapsulation type, it'd be O(N^2) to read the file, but
1322 there are probably going to be a small number of encapsulation types
1323 in a file. */
1326 }
1328 /* The frame number of this packet, if we add it to the set of frames,
1329 would be one more than the count of frames in the file so far. */
1333 epan_dissect_t rf_edt;
1340 }
1346 }
1351 /* This does a shallow copy of fdlocal, which is good enough. */
1359 // Should we check if the frame data is a duplicate, and thus, ignore
1360 // this frame?
1370 }
1371 }
1373 /* When a redissection is in progress (or queued), do not process packets.
1374 * This will be done once all (new) packets have been scanned. */
1377 }
1378 }
1381 }
1385 gpointer pd_window;
1386 gint64 f_len;
1393 static bool
1397 {
1398 guint i;
1406 /* do nothing */
1410 /* do nothing */
1414 /* Get the sum of the sizes of all the files. */
1423 {
1424 /* Create the progress bar if necessary.
1425 We check on every iteration of the loop, so that it takes no
1426 longer than the standard time to create it (otherwise, for a
1427 large file, we might take considerably longer than that standard
1428 time in order to get to the next progress bar step). */
1432 }
1434 /*
1435 * Update the progress bar, but do it only after
1436 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
1437 * and packets_bar_update will likely trigger UI paint events, which
1438 * might take a while depending on the platform and display. Reset
1439 * our timer *after* painting.
1440 */
1444 /* Get the sum of the seek positions in all of the files. */
1450 /* Some file probably grew while we were reading it.
1451 That "shouldn't happen", so we'll just clip the progress
1452 value at 1.0. */
1454 }
1462 }
1464 }
1465 }
1469 /* We're done merging the files; destroy the progress bar if it was created. */
1474 }
1477 }
1481 cf_status_t
1485 {
1488 guint err_fileno;
1489 guint32 err_framenum;
1490 merge_result status;
1491 merge_progress_callback_t cb;
1494 /* prepare our callback routine */
1501 /* merge the files */
1503 in_filenames,
1516 /* this isn't really an error, though we will return CF_ERROR later */
1525 file_type);
1533 simple_error_message_box("Record %u of \"%s\" has an interface ID that does not match any IDB in its file.",
1550 }
1555 /* Callers aren't expected to treat an error or an explicit abort
1556 differently - we put up error dialogs ourselves, so they don't
1557 have to. */
1561 }
1563 cf_status_t
1565 {
1571 /* if new filter equals old one, do nothing unless told to do so */
1572 /* XXX - The text can be the same without compiling to the same code.
1573 * (Macros, field references, etc.)
1574 */
1577 }
1582 /* The new filter is an empty filter (i.e., display all packets).
1583 * so leave dfcode==NULL
1584 */
1586 /*
1587 * We have a filter; make a copy of it (as we'll be saving it),
1588 * and try to compile it.
1589 */
1592 /* The attempt failed; report an error. */
1600 }
1602 /* Was it empty? */
1604 /* Yes - free the filter text, and set it to null. */
1607 }
1608 }
1610 /* We have a valid filter. Replace the current filter. */
1614 /* We'll recompile this when the rescan starts, or in cf_read()
1615 * if no file is open currently. However, if no file is open and
1616 * we start a new capture, we want to use this rather than
1617 * recompiling in cf_continue_tail() */
1621 /* Now rescan the packet list, applying the new filter, but not
1622 * throwing away information constructed on a previous pass.
1623 * If a dissection is already in progress, queue it.
1624 */
1633 }
1634 }
1635 }
1638 }
1640 void
1642 {
1644 /* Dissection in progress, signal redissection rather than rescanning. That
1645 * would destroy the current (in-progress) dissection in "cf_read" which
1646 * will cause issues when "cf_read" tries to add packets to the list.
1647 * If a previous rescan was requested, "upgrade" it to a full redissection.
1648 */
1650 }
1652 /* Redissection is (already) queued, wait for "cf_read" to finish. */
1653 /* XXX - what if whatever set and later clears read_lock is *not*
1654 * cf_read, e.g. process_specified_records ? We need to handle a
1655 * queued redissection there too like we do in cf_read.
1656 */
1658 }
1661 /* Restart dissection in case no cf_read is pending. */
1663 }
1664 }
1666 gboolean
1669 {
1676 }
1678 }
1680 gboolean
1683 {
1690 }
1692 }
1694 gboolean
1696 {
1698 }
1700 /* Rescan the list of packets, reconstructing the CList.
1702 "action" describes why we're doing this; it's used in the progress
1703 dialog box.
1705 "action_item" describes what we're doing; it's used in the progress
1706 dialog box.
1708 "redissect" is TRUE if we need to make the dissectors reconstruct
1709 any state information they have (because a preference that affects
1710 some dissector has changed, meaning some dissector might construct
1711 its state differently from the way it was constructed the last time). */
1712 static void
1713 rescan_packets(capture_file *cf, const char *action, const char *action_item, gboolean redissect)
1714 {
1715 /* Rescan packets new packet list */
1716 guint32 framenum;
1718 wtap_rec rec;
1719 Buffer buf;
1725 gboolean selected_frame_seen;
1727 gint64 start_time;
1729 epan_dissect_t edt;
1732 gboolean create_proto_tree;
1734 guint tap_flags;
1736 gboolean compiled _U_;
1737 guint32 frames_count;
1742 }
1744 /* Rescan in progress, clear pending actions. */
1752 /* Compile the current display filter.
1753 * The code it compiles to might have changed, e.g. if a display
1754 * filter macro used has changed.
1755 *
1756 * We assume this will not fail since cf->dfilter is only set in
1757 * cf_filter IFF the filter was valid.
1758 * XXX - This is not necessarily true, if the filter has a FT_IPv4
1759 * or FT_IPv6 field compared to a resolved hostname in it, because
1760 * we do a new host lookup, and that *could* timeout this time
1761 * (though with the read lock above we shouldn't have many lookups at
1762 * once, reducing the chances of that)... (#19612)
1763 */
1767 }
1772 /* Do we have any tap listeners with filters? */
1775 /* Update references in filters (if any) for the protocol
1776 * tree corresponding to the currently selected frame in the GUI. */
1782 }
1787 }
1789 /* Get the union of the flags for all tap listeners. */
1792 /* If the display filter or any tap listeners require the columns,
1793 * construct them. */
1797 /*
1798 * Determine whether we need to create a protocol tree.
1799 * We do if:
1800 *
1801 * we're going to apply a display filter;
1802 *
1803 * one of the tap listeners is going to apply a filter;
1804 *
1805 * one of the tap listeners requires a protocol tree;
1806 *
1807 * we're redissecting and a postdissector wants field
1808 * values or protocols on the first pass.
1809 */
1810 create_proto_tree =
1816 /* Which frame, if any, is the currently selected frame?
1817 XXX - should the selected frame or the focus frame be the "current"
1818 frame, that frame being the one from which "Find Frame" searches
1819 start? */
1822 /* Mark frame num as not found */
1825 /* Freeze the packet list while we redo it, so we don't get any
1826 screen updates while it happens. */
1830 /* We need to re-initialize all the state information that protocols
1831 keep, because some preference that controls a dissector has changed,
1832 which might cause the state information to be constructed differently
1833 by that dissector. */
1835 /* We might receive new packets while redissecting, and we don't
1836 want to dissect those before their time. */
1839 /* 'reset' dissection session */
1842 /* All pointers in "per frame proto data" for the currently selected
1843 packet are allocated in wmem_file_scope() and deallocated in epan_free().
1844 Free them here to avoid unintended usage in packet_list_clear(). */
1846 }
1850 /* A new Lua tap listener may be registered in lua_prime_all_fields()
1851 called via epan_new() / init_dissection() when reloading Lua plugins. */
1854 }
1857 }
1859 /* We need to redissect the packets so we have to discard our old
1860 * packet list store. */
1863 }
1865 /* We don't yet know which will be the first and last frames displayed. */
1869 /* We currently don't display any packets */
1872 /* Iterate through the list of frames. Call a routine for each frame
1873 to check whether it should be displayed and, if so, add it to
1874 the display list. */
1883 /* Count of packets at which we've looked. */
1885 /* Progress so far. */
1891 /* no previous row yet */
1907 /*
1908 * Decryption secrets and name resolution blocks are read while
1909 * sequentially processing records and then passed to the dissector.
1910 * During redissection, the previous information is lost (see epan_free
1911 * above), but they are not read again from the file as only packet
1912 * records are re-read. Therefore reset the wtap secrets and name
1913 * resolution callbacks such that wtap resupplies the callbacks with
1914 * previously read information.
1915 */
1919 }
1924 /* Create the progress bar if necessary.
1925 We check on every iteration of the loop, so that it takes no
1926 longer than the standard time to create it (otherwise, for a
1927 large file, we might take considerably longer than that standard
1928 time in order to get to the next progress bar step). */
1932 progbar_val);
1934 /*
1935 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
1936 * has elapsed. Calling update_progress_dlg and packets_bar_update will
1937 * likely trigger UI paint events, which might take a while depending on
1938 * the platform and display. Reset our timer *after* painting.
1939 */
1941 /* let's not divide by zero. I should never be started
1942 * with count == 0, so let's assert that
1943 */
1951 }
1954 }
1958 /* A redissection was requested while an existing redissection was
1959 * pending. */
1961 }
1964 /* Well, the user decided to abort the filtering. Just stop.
1966 XXX - go back to the previous filter? Users probably just
1967 want not to wait for a filtering operation to finish;
1968 unless we cancel by having no filter, reverting to the
1969 previous filter will probably be even more expensive than
1970 continuing the filtering, as it involves going back to the
1971 beginning and filtering, and even with no filter we currently
1972 have to re-generate the entire clist, which is also expensive.
1974 I'm not sure what Network Monitor does, but it doesn't appear
1975 to give you an unfiltered display if you cancel. */
1977 }
1979 count++;
1982 /* Since all state for the frame was destroyed, mark the frame
1983 * as not visited, free the GSList referring to the state
1984 * data (the per-frame data itself was freed by
1985 * "init_dissection()"), and null out the GSList pointer. */
1988 }
1990 /* Frame dependencies from the previous dissection/filtering are no longer valid. */
1996 /* If the previous frame is displayed, and we haven't yet seen the
1997 selected frame, remember that frame - it's the closest one we've
1998 yet seen before the selected frame. */
2002 }
2006 add_to_packet_list);
2008 /* If this frame is displayed, and this is the first frame we've
2009 seen displayed after the selected frame, remember this frame -
2010 it's the closest one we've yet seen at or after the selected
2011 frame. */
2015 }
2020 }
2022 /* Remember this frame - it'll be the previous frame
2023 on the next pass through the loop. */
2027 }
2033 /* We are done redissecting the packet list. */
2038 /* Clear out what remains of the visited flags and per-frame data
2039 pointers.
2041 XXX - that may cause various forms of bogosity when dissecting
2042 these frames, as they won't have been seen by this sequential
2043 pass, but the only alternative I see is to keep scanning them
2044 even though the user requested that the scan stop, and that
2045 would leave the user stuck with an Wireshark grinding on
2046 until it finishes. Should we just stick them with that? */
2050 }
2051 }
2053 /* We're done filtering the packets; destroy the progress bar if it
2054 was created. */
2059 /* Unfreeze the packet list. */
2063 /* Compute the time it took to filter the file */
2068 /* It is safe again to execute redissections or sort. */
2075 /* The selected frame didn't pass the filter. */
2077 /* That's because there *was* no selected frame. Make the first
2078 displayed frame the current frame. */
2081 /* Find the nearest displayed frame to the selected frame (whether
2082 it's before or after that frame) and make that the current frame.
2083 If the next and previous displayed frames are equidistant from the
2084 selected frame, choose the next one. */
2090 /* No frame after the selected frame passed the filter, so we
2091 have to select the last displayed frame before the selected
2092 frame. */
2096 /* No frame before the selected frame passed the filter, so we
2097 have to select the first displayed frame after the selected
2098 frame. */
2102 /* Frames before and after the selected frame passed the filter, so
2103 we'll select the previous frame */
2106 }
2107 }
2108 }
2111 /* There are no frames displayed at all. */
2114 /* Either the frame that was selected passed the filter, or we've
2115 found the nearest displayed frame to that frame. Select it, make
2116 it the focus row, and make it visible. */
2117 /* Set to invalid to force update of packet list and packet details */
2122 /* We didn't find a row corresponding to this frame.
2123 This means that the frame isn't being displayed currently,
2124 so we can't select it. */
2128 }
2129 }
2130 }
2132 /* If another rescan (due to dfilter change) or redissection (due to profile
2133 * change) was requested, the rescan above is aborted and restarted here. */
2137 }
2138 }
2141 /*
2142 * Scan through all frame data and recalculate the ref time
2143 * without rereading the file.
2144 * XXX - do we need a progress bar or is this fast enough?
2145 */
2146 void
2148 {
2149 guint32 framenum;
2151 nstime_t rel_ts;
2160 /* just add some value here until we know if it is being displayed or not */
2163 /*
2164 * Timestamps
2165 */
2168 /* If we don't have the time stamp of the first packet in the
2169 capture, it's because this is the first packet. Save the time
2170 stamp of this packet as the time stamp of the first packet. */
2173 /* if this frames is marked as a reference time frame, reset
2174 firstsec and firstusec to this frame */
2178 /* Get the time elapsed between the first packet and this one. */
2182 /* If it's greater than the current elapsed time, set the elapsed
2183 time to it (we check for "greater than" so as not to be
2184 confused by time moving backwards). */
2186 || ((gint32)cf->elapsed_time.secs == rel_ts.secs && (gint32)cf->elapsed_time.nsecs < rel_ts.nsecs)) {
2188 }
2190 /* If this frame is displayed, get the time elapsed between the
2191 previous displayed packet and this packet. */
2192 /* XXX: What if in the future we want to use the previously
2193 * displayed frame for something else, too? Then we'd want
2194 * to store this frame as prev_dis even if it doesn't have a
2195 * timestamp. */
2197 /* If we don't have the time stamp of the previous displayed
2198 packet, it's because this is the first displayed packet.
2199 Save the time stamp of this packet as the time stamp of
2200 the previous displayed packet. */
2203 }
2207 }
2209 /* If this frame doesn't have a timestamp, don't calculate
2210 anything with relative times. */
2211 /* However, if this frame is marked as a reference time frame,
2212 clear the reference frame so that the next frame with a
2213 timestamp becomes the reference frame. */
2216 }
2217 }
2219 /*
2220 * Byte counts
2221 */
2223 /* This frame either passed the display filter list or is marked as
2224 a time reference frame. All time reference frames are displayed
2225 even if they don't pass the display filter */
2227 /* if this was a TIME REF frame we should reset the cum_bytes field */
2231 /* increase cum_bytes with this packets length */
2233 }
2234 }
2235 }
2236 }
2239 PSP_FINISHED,
2240 PSP_STOPPED,
2241 PSP_FAILED
2244 static psp_return_t
2250 gboolean show_progress_bar)
2251 {
2252 guint32 framenum;
2254 wtap_rec rec;
2255 Buffer buf;
2263 range_process_e process_this;
2269 /* Count of packets at which we've looked. */
2271 /* Progress so far. */
2274 /* XXX - It should be ok to have multiple readers, so long as nothing
2275 * frees the epan context, e.g. rescan_packets with redissect true,
2276 * or anything that closes the file (including reload and certain forms
2277 * of saving.) This is mostly to stop cf_save_records but should probably
2278 * be handled by callers in order to allow multiple readers (e.g.,
2279 * restarting taps after adding or changing one.) We should probably
2280 * make this a real reader-writer lock.
2281 */
2285 }
2293 /* Iterate through all the packets, printing the packets that
2294 were selected by the current display filter. */
2298 /* Create the progress bar if necessary.
2299 We check on every iteration of the loop, so that it takes no
2300 longer than the standard time to create it (otherwise, for a
2301 large file, we might take considerably longer than that standard
2302 time in order to get to the next progress bar step). */
2305 terminate_is_stop,
2307 progbar_val);
2309 /*
2310 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
2311 * has elapsed. Calling update_progress_dlg and packets_bar_update will
2312 * likely trigger UI paint events, which might take a while depending on
2313 * the platform and display. Reset our timer *after* painting.
2314 */
2316 /* let's not divide by zero. I should never be started
2317 * with count == 0, so let's assert that
2318 */
2327 }
2330 /* Well, the user decided to abort the operation. Just stop,
2331 and arrange to return PSP_STOPPED to our caller, so they know
2332 it was stopped explicitly. */
2335 }
2337 progbar_count++;
2340 /* do we have to process this packet? */
2343 /* this packet uninteresting, continue with next one */
2346 /* all interesting packets processed, stop the loop */
2348 }
2349 }
2351 /* Get the packet */
2353 /* Attempt to get the packet failed. */
2356 }
2357 /* Process the packet */
2359 /* Callback failed. We assume it reported the error appropriately. */
2362 }
2364 }
2366 /* We're done printing the packets; destroy the progress bar if
2367 it was created. */
2379 }
2382 epan_dissect_t edt;
2386 static bool
2389 {
2398 }
2400 cf_read_status_t
2402 {
2403 packet_range_t range;
2404 retap_callback_args_t callback_args;
2405 gboolean create_proto_tree;
2406 gboolean filtering_tap_listeners;
2407 guint tap_flags;
2408 psp_return_t ret;
2410 /* Presumably the user closed the capture file. */
2413 }
2415 /* XXX - If cf->read_lock is true, process_specified_records will fail
2416 * due to a nested call. We fail here so that we don't reset the tap
2417 * listeners if this tap isn't going to succeed.
2418 */
2422 }
2426 /* Do we have any tap listeners with filters? */
2429 /* Update references in filters (if any) for the protocol
2430 * tree corresponding to the currently selected frame in the GUI. */
2431 /* XXX - What if we *don't* have a currently selected frame in the GUI,
2432 * but we did the last time we loaded field references? Then they'll
2433 * match something instead of nothing (unless they've been recompiled).
2434 * Should we have a way to clear the field references even with a NULL tree?
2435 */
2439 }
2441 /* Get the union of the flags for all tap listeners. */
2444 /* If any tap listeners require the columns, construct them. */
2447 /*
2448 * Determine whether we need to create a protocol tree.
2449 * We do if:
2450 *
2451 * one of the tap listeners is going to apply a filter;
2452 *
2453 * one of the tap listeners requires a protocol tree.
2454 */
2455 create_proto_tree =
2458 /* Reset the tap listeners. */
2464 /* Iterate through the list of packets, dissecting all packets and
2465 re-running the taps. */
2470 /* We're not done with the sequential read of the file and might
2471 * add more frames while process_specified_records is going. We
2472 * don't want to tap new frames twice, so limit the range to the
2473 * frames already here.
2474 *
2475 * cf_read sets read_lock so we don't tap in case of an offline
2476 * file, but cf_continue_tail and cf_finish_tail don't, and we
2477 * don't want them to, because tapping new packets in a live
2478 * capture is a common use case.
2479 *
2480 * Note that most other users of process_specified_records (saving,
2481 * printing) do want to process new packets, unlike taps.
2482 */
2488 /* range_t treats a missing number as meaning 1, not 0, and
2489 * reverses the order if backwards; thus the syntax -0 means
2490 * 0-1, so to only take zero packets we do this.
2491 */
2493 }
2495 }
2508 /* Completed successfully. */
2512 /* Well, the user decided to abort the refiltering.
2513 Return CF_READ_ABORTED so our caller knows they did that. */
2517 /* Error while retapping. */
2519 }
2523 }
2527 gboolean print_header_line;
2530 gboolean print_formfeed;
2531 gboolean print_separator;
2537 epan_dissect_t edt;
2540 static bool
2543 {
2555 /* Fill in the column information if we're printing the summary
2556 information. */
2572 /*
2573 * Print another header line if we print a packet summary on the
2574 * new page.
2575 */
2582 }
2583 }
2585 /*
2586 * We generate bookmarks, if the output format supports them.
2587 * The name is "__frameN__".
2588 */
2598 }
2604 /* Find the length of the string for this column. */
2609 /* Make sure there's room in the line buffer for the column; if not,
2610 double its length. */
2617 }
2619 /* Right-justify the packet number column. */
2622 else
2627 }
2630 /*
2631 * Generate a bookmark, using the summary line as the title.
2632 */
2640 /*
2641 * Generate a bookmark, using "Frame N" as the title, as we're not
2642 * printing the summary line.
2643 */
2646 bookmark_title))
2652 /* Separate the summary line from the tree with a blank line. */
2655 }
2657 /* Print the information in that tree. */
2663 /* Print a blank line if we print anything after this (aka more than one packet). */
2666 /* Print a header line if we print any more packet summaries */
2669 }
2672 if (args->print_args->print_summary || (args->print_args->print_dissections != print_dissections_none)) {
2675 }
2676 /* Print the full packet data as hex. */
2680 /* Print a blank line if we print anything after this (aka more than one packet). */
2683 /* Print a header line if we print any more packet summaries */
2690 /* do we want to have a formfeed between each packet from now on? */
2693 }
2697 fail:
2700 }
2702 cf_print_status_t
2704 gboolean show_progress_bar)
2705 {
2706 print_callback_args_t callback_args;
2707 gint data_width;
2711 psp_return_t ret;
2714 gboolean proto_tree_needed;
2731 }
2734 /* We're printing packet summaries. Allocate the header line buffer
2735 and get the column widths. */
2738 /* Find the number of visible columns and the last visible column */
2747 num_visible_col++;
2749 }
2750 }
2752 /* if num_visible_col is 0, we are done */
2756 }
2758 /* Find the widths for each of the columns - maximum of the
2759 width of the title and the width of the data - and construct
2760 a buffer with a line containing the column titles. */
2777 /* Save the order of visible columns */
2780 /* Don't pad the last column. */
2788 }
2790 /* Find the length of the string for this column. */
2795 /* Make sure there's room in the line buffer for the column; if not,
2796 double its length. */
2804 }
2806 /* Right-justify the packet number column. */
2807 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER)
2808 snprintf(cp, column_len+1, "%*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2809 else*/
2810 snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2815 visible_col_count++;
2816 }
2819 /* Now start out the main line buffer with the same length as the
2820 header line buffer. */
2825 /* Create the protocol tree, and make it visible, if we're printing
2826 the dissection or the hex data.
2827 XXX - do we need it if we're just printing the hex data? */
2828 proto_tree_needed =
2834 /* Iterate through the list of packets, printing the packets we were
2835 told to print. */
2848 /* Completed successfully. */
2852 /* Well, the user decided to abort the printing.
2854 XXX - note that what got generated before they did that
2855 will get printed if we're piping to a print program; we'd
2856 have to write to a file and then hand that to the print
2857 program to make it actually not print anything. */
2861 /* Error while printing.
2863 XXX - note that what got generated before they did that
2864 will get printed if we're piping to a print program; we'd
2865 have to write to a file and then hand that to the print
2866 program to make it actually not print anything. */
2869 }
2874 }
2880 }
2884 epan_dissect_t edt;
2886 json_dumper jdumper;
2889 static bool
2892 {
2895 /* Create the protocol tree, but don't fill in the column information. */
2900 /* Write out the information in that tree. */
2906 }
2908 cf_print_status_t
2910 {
2911 write_packet_callback_args_t callback_args;
2913 psp_return_t ret;
2923 }
2929 /* Iterate through the list of packets, printing the packets we were
2930 told to print. */
2940 /* Completed successfully. */
2944 /* Well, the user decided to abort the printing. */
2948 /* Error while printing. */
2951 }
2957 }
2959 /* XXX - check for an error */
2963 }
2965 static bool
2968 {
2971 /* Fill in the column information */
2978 /* Write out the column information. */
2984 }
2986 cf_print_status_t
2988 {
2989 write_packet_callback_args_t callback_args;
2991 psp_return_t ret;
2993 gboolean proto_tree_needed;
3003 }
3008 /* Fill in the column information, only create the protocol tree
3009 if having custom columns or field extractors. */
3013 /* Iterate through the list of packets, printing the packets we were
3014 told to print. */
3024 /* Completed successfully. */
3028 /* Well, the user decided to abort the printing. */
3032 /* Error while printing. */
3035 }
3041 }
3043 /* XXX - check for an error */
3047 }
3049 static bool
3052 {
3055 /* Fill in the column information */
3062 /* Write out the column information. */
3068 }
3070 cf_print_status_t
3072 {
3073 write_packet_callback_args_t callback_args;
3074 gboolean proto_tree_needed;
3076 psp_return_t ret;
3086 }
3091 /* only create the protocol tree if having custom columns or field extractors. */
3095 /* Iterate through the list of packets, printing the packets we were
3096 told to print. */
3106 /* Completed successfully. */
3110 /* Well, the user decided to abort the printing. */
3114 /* Error while printing. */
3117 }
3119 /* XXX - check for an error */
3123 }
3125 static bool
3128 {
3138 }
3140 cf_print_status_t
3142 {
3143 write_packet_callback_args_t callback_args;
3145 psp_return_t ret;
3155 }
3161 /* Iterate through the list of packets, printing the packets we were
3162 told to print. */
3172 /* Completed successfully. */
3175 /* Well, the user decided to abort the printing. */
3178 /* Error while printing. */
3181 }
3185 }
3187 static bool
3190 {
3193 /* Create the protocol tree, but don't fill in the column information. */
3198 /* Write out the information in that tree. */
3207 }
3209 cf_print_status_t
3211 {
3212 write_packet_callback_args_t callback_args;
3214 psp_return_t ret;
3224 }
3230 /* Iterate through the list of packets, printing the packets we were
3231 told to print. */
3241 /* Completed successfully. */
3245 /* Well, the user decided to abort the printing. */
3249 /* Error while printing. */
3252 }
3258 }
3260 /* XXX - check for an error */
3264 }
3266 gboolean
3269 {
3270 match_data mdata;
3283 }
3287 }
3288 }
3290 }
3292 field_info*
3294 {
3295 match_data mdata;
3302 /* Iterate through all the nodes looking for matching text */
3307 }
3310 }
3312 static match_result
3315 {
3317 epan_dissect_t edt;
3319 /* Load the frame's data. */
3321 /* Attempt to get the packet failed. */
3323 }
3325 /* Construct the protocol tree, including the displayed text */
3327 /* We don't need the column information */
3332 /* Iterate through all the nodes, seeing if they have text that matches. */
3337 /* We don't care about the direction here, because we're just looking
3338 * for one match and we'll destroy this tree anyway. (We find the actual
3339 * field later in PacketList::selectionChanged().) Forwards is faster.
3340 */
3344 }
3346 static void
3348 {
3358 guint8 c_char;
3361 /* dissection with an invisible proto tree? */
3365 /* We already had a match; don't bother doing any more work. */
3367 }
3369 /* Don't match invisible entries. */
3374 /* Haven't found the old match, so don't match this node. */
3376 /* Found the old match, look for the next one after this. */
3378 }
3380 /* was a free format label produced? */
3384 /* no, make a generic label */
3387 }
3394 }
3396 /* Case insensitive match */
3404 /* If c_match is non-zero, save candidate for retrying full match. */
3408 c_match++;
3412 /* No need to look further; we have a match */
3414 }
3421 }
3423 /* Case sensitive match */
3427 }
3428 }
3430 /* Recurse into the subtree, if it exists */
3433 }
3435 static void
3437 {
3447 guint8 c_char;
3450 /* dissection with an invisible proto tree? */
3453 /* We don't have an easy way to search backwards in the tree
3454 * (see also, proto_find_field_from_offset()) because we don't
3455 * have a previous node pointer, so we search backwards by
3456 * searching forwards, only stopping if we see the old match
3457 * (if we have one).
3458 */
3462 }
3464 /* Don't match invisible entries. */
3469 /* Found the old match, use the previous match. */
3472 }
3474 /* was a free format label produced? */
3478 /* no, make a generic label */
3481 }
3487 }
3489 /* Case insensitive match */
3497 /* If c_match is non-zero, save candidate for retrying full match. */
3501 c_match++;
3506 }
3513 }
3515 /* Case sensitive match */
3518 }
3520 /* Recurse into the subtree, if it exists */
3523 }
3525 gboolean
3527 search_direction dir)
3528 {
3529 match_data mdata;
3534 }
3536 static match_result
3539 {
3543 epan_dissect_t edt;
3547 gint colx;
3549 guint8 c_char;
3552 /* Load the frame's data. */
3554 /* Attempt to get the packet failed. */
3556 }
3558 /* Don't bother constructing the protocol tree */
3560 /* Get the column information */
3565 /* Find the Info column */
3568 /* Found it. See if we match. */
3575 }
3577 /* Case insensitive match */
3584 /* If c_match is non-zero, save candidate for retrying full match. */
3588 c_match++;
3592 }
3599 }
3601 /* Case sensitive match */
3603 }
3605 }
3606 }
3609 }
3618 /*
3619 * The current match_* routines only support ASCII case insensitivity and don't
3620 * convert UTF-8 inputs to UTF-16 for matching. The UTF-16 support just
3621 * interleaves with \0 bytes, which works for 7 bit ASCII.
3622 *
3623 * We could modify them to use the GLib Unicode routines or the International
3624 * Components for Unicode library but it's not apparent that we could do so
3625 * without consuming a lot more CPU and memory or that searching would be
3626 * significantly better.
3627 *
3628 * XXX: We could test the search string to see if it's all ASCII, and if not
3629 * use Unicode aware routines for case insensitive searches or any UTF-16
3630 * search.
3631 */
3633 gboolean
3636 {
3637 cbs_t info;
3640 ws_match_function match_function;
3645 /* Regex, String or hex search? */
3647 /* Regular Expression search */
3650 /* String search - what type of string? */
3660 match_function = (cf->dir == SD_FORWARD) ? match_narrow_and_wide_case : match_narrow_and_wide_case_reverse;
3674 }
3680 match_function = (cf->dir == SD_FORWARD) ? match_narrow_and_wide : match_narrow_and_wide_reverse;
3684 /* Narrow, case-sensitive match is the same as looking
3685 * for a converted hexstring. */
3696 }
3697 }
3700 }
3703 /* Use the current frame (this will perform the equivalent of
3704 * cf_read_current_record() in match_function).
3705 */
3710 /* The regex match can match an empty string. */
3712 fi = proto_find_field_from_offset(cf->edt->tree, cf->search_pos + cf->search_len - 1, cf->edt->tvb);
3713 }
3717 }
3720 }
3721 }
3725 }
3727 static match_result
3730 {
3734 match_result result;
3735 guint32 buf_len;
3737 guint32 i;
3738 guint8 c_char;
3741 /* Load the frame's data. */
3743 /* Attempt to get the packet failed. */
3745 }
3753 /* we want to start searching one byte past the previous match start */
3755 }
3759 /* Try narrow match at this start location */
3764 c_match++;
3767 /* Save position and length for highlighting the field. */
3771 }
3774 }
3775 }
3777 /* Now try wide match at the same start location. */
3782 c_match++;
3785 /* Save position and length for highlighting the field. */
3789 }
3790 i++;
3794 }
3795 }
3796 }
3798 done:
3800 }
3802 static match_result
3805 {
3809 match_result result;
3810 guint32 buf_len;
3812 guint32 i;
3813 guint8 c_char;
3816 /* Load the frame's data. */
3818 /* Attempt to get the packet failed. */
3820 }
3823 /* Has to be room to hold the sought data. */
3826 }
3832 /* we want to start searching one byte before the previous match start */
3834 }
3838 /* Try narrow match at this start location */
3843 c_match++;
3846 /* Save position and length for highlighting the field. */
3850 }
3853 }
3854 }
3856 /* Now try wide match at the same start location. */
3861 c_match++;
3864 /* Save position and length for highlighting the field. */
3868 }
3869 i++;
3873 }
3874 }
3875 }
3877 done:
3879 }
3881 /* Case insensitive match */
3882 static match_result
3885 {
3890 match_result result;
3891 guint32 buf_len;
3893 guint32 i;
3894 guint8 c_char;
3897 /* Load the frame's data. */
3899 /* Attempt to get the packet failed. */
3901 }
3911 /* we want to start searching one byte past the previous match start */
3913 }
3917 /* Try narrow match at this start location */
3922 c_match++;
3925 /* Save position and length for highlighting the field. */
3929 }
3932 }
3933 }
3935 /* Now try wide match at the same start location. */
3940 c_match++;
3943 /* Save position and length for highlighting the field. */
3947 }
3948 i++;
3952 }
3953 }
3954 }
3956 done:
3958 }
3960 static match_result
3963 {
3968 match_result result;
3969 guint32 buf_len;
3971 guint32 i;
3972 guint8 c_char;
3975 /* Load the frame's data. */
3977 /* Attempt to get the packet failed. */
3979 }
3984 /* Has to be room to hold the sought data. */
3987 }
3993 /* we want to start searching one byte before the previous match start */
3995 }
3999 /* Try narrow match at this start location */
4004 c_match++;
4007 /* Save position and length for highlighting the field. */
4011 }
4014 }
4015 }
4017 /* Now try wide match at the same start location. */
4022 c_match++;
4025 /* Save position and length for highlighting the field. */
4029 }
4030 i++;
4034 }
4035 }
4036 }
4038 done:
4040 }
4042 /* Case insensitive match */
4043 static match_result
4046 {
4051 match_result result;
4052 guint32 buf_len;
4054 guint32 i;
4055 guint8 c_char;
4058 /* Load the frame's data. */
4060 /* Attempt to get the packet failed. */
4062 }
4072 /* we want to start searching one byte past the previous match start */
4074 }
4082 c_match++;
4084 /* Save position and length for highlighting the field. */
4089 }
4092 }
4093 }
4094 }
4096 done:
4098 }
4100 static match_result
4103 {
4108 match_result result;
4109 guint32 buf_len;
4111 guint32 i;
4112 guint8 c_char;
4115 /* Load the frame's data. */
4117 /* Attempt to get the packet failed. */
4119 }
4124 /* Has to be room to hold the sought data. */
4127 }
4133 /* we want to start searching one byte before the previous match start */
4135 }
4143 c_match++;
4145 /* Save position and length for highlighting the field. */
4150 }
4153 }
4154 }
4155 }
4157 done:
4159 }
4161 static match_result
4164 {
4168 match_result result;
4169 guint32 buf_len;
4171 guint32 i;
4172 guint8 c_char;
4175 /* Load the frame's data. */
4177 /* Attempt to get the packet failed. */
4179 }
4187 /* we want to start searching one byte past the previous match start */
4189 }
4197 c_match++;
4200 /* Save position and length for highlighting the field. */
4204 }
4205 i++;
4209 }
4210 }
4211 }
4213 done:
4215 }
4217 static match_result
4220 {
4224 match_result result;
4225 guint32 buf_len;
4227 guint32 i;
4228 guint8 c_char;
4231 /* Load the frame's data. */
4233 /* Attempt to get the packet failed. */
4235 }
4238 /* Has to be room to hold the sought data. */
4241 }
4247 /* we want to start searching one byte before the previous match start */
4249 }
4257 c_match++;
4260 /* Save position and length for highlighting the field. */
4264 }
4265 i++;
4269 }
4270 }
4271 }
4273 done:
4275 }
4277 /* Case insensitive match */
4278 static match_result
4281 {
4286 match_result result;
4287 guint32 buf_len;
4289 guint32 i;
4290 guint8 c_char;
4293 /* Load the frame's data. */
4295 /* Attempt to get the packet failed. */
4297 }
4307 /* we want to start searching one byte past the previous match start */
4309 }
4317 c_match++;
4320 /* Save position and length for highlighting the field. */
4324 }
4325 i++;
4329 }
4330 }
4331 }
4333 done:
4335 }
4337 /* Case insensitive match */
4338 static match_result
4341 {
4346 match_result result;
4347 guint32 buf_len;
4349 guint32 i;
4350 guint8 c_char;
4353 /* Load the frame's data. */
4355 /* Attempt to get the packet failed. */
4357 }
4362 /* Has to be room to hold the sought data. */
4365 }
4371 /* we want to start searching one byte before the previous match start */
4373 }
4381 c_match++;
4384 /* Save position and length for highlighting the field. */
4388 }
4389 i++;
4393 }
4394 }
4395 }
4397 done:
4399 }
4401 static match_result
4404 {
4407 match_result result;
4410 /* Load the frame's data. */
4412 /* Attempt to get the packet failed. */
4414 }
4420 /* we want to start searching one byte past the previous match start */
4422 }
4425 }
4428 /* Save position and length for highlighting the field. */
4431 }
4434 }
4436 static match_result
4439 {
4442 match_result result;
4445 /* Load the frame's data. */
4447 /* Attempt to get the packet failed. */
4449 }
4453 /* Has to be room to hold the sought data. */
4456 }
4459 /* we want to start searching one byte before the previous match start */
4461 }
4467 /* Save position and length for highlighting the field. */
4471 }
4472 }
4475 }
4477 static match_result
4480 {
4484 /* Load the frame's data. */
4486 /* Attempt to get the packet failed. */
4488 }
4492 /* we want to start searching one byte past the previous match start */
4494 }
4499 result_pos)) {
4500 //TODO: A chosen regex can match the empty string (zero length)
4501 // which doesn't make a lot of sense for searching the packet bytes.
4502 // Should we search with the PCRE2_NOTEMPTY option?
4503 //TODO: Fix cast.
4504 /* Save position and length for highlighting the field. */
4508 }
4509 }
4511 }
4513 static match_result
4516 {
4520 /* Load the frame's data. */
4522 /* Attempt to get the packet failed. */
4524 }
4528 /* we want to start searching one byte before the previous match */
4530 }
4535 result_pos)) {
4536 //TODO: A chosen regex can match the empty string (zero length)
4537 // which doesn't make a lot of sense for searching the packet bytes.
4538 // Should we search with the PCRE2_NOTEMPTY option?
4539 //TODO: Fix cast.
4540 /* Save position and length for highlighting the field. */
4545 }
4546 }
4548 }
4550 gboolean
4552 search_direction dir)
4553 {
4555 }
4557 gboolean
4559 search_direction dir)
4560 {
4562 gboolean result;
4565 /*
4566 * XXX - this shouldn't happen, as the filter string is machine
4567 * generated
4568 */
4570 }
4572 /*
4573 * XXX - this shouldn't happen, as the filter string is machine
4574 * generated.
4575 */
4577 }
4581 }
4583 static match_result
4586 {
4588 epan_dissect_t edt;
4589 match_result result;
4591 /* Load the frame's data. */
4593 /* Attempt to get the packet failed. */
4595 }
4605 }
4607 gboolean
4609 {
4611 }
4613 static match_result
4616 {
4618 }
4620 gboolean
4622 {
4624 }
4626 static match_result
4629 {
4631 }
4633 static gboolean
4636 {
4638 guint32 framenum;
4639 guint32 prev_framenum;
4641 wtap_rec rec;
4642 Buffer buf;
4647 gboolean succeeded;
4650 match_result result;
4660 }
4662 /* Iterate through the list of packets, starting at the packet we've
4663 picked, calling a routine to run the filter on the packet, see if
4664 it matches, and stop if so. */
4669 /* Progress so far. */
4675 /* Create the progress bar if necessary.
4676 We check on every iteration of the loop, so that it takes no
4677 longer than the standard time to create it (otherwise, for a
4678 large file, we might take considerably longer than that standard
4679 time in order to get to the next progress bar step). */
4684 /*
4685 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
4686 * has elapsed. Calling update_progress_dlg and packets_bar_update will
4687 * likely trigger UI paint events, which might take a while depending on
4688 * the platform and display. Reset our timer *after* painting.
4689 */
4691 /* let's not divide by zero. I should never be started
4692 * with count == 0, so let's assert that
4693 */
4703 }
4706 /* Well, the user decided to abort the search. Go back to the
4707 frame where we started. */
4710 }
4712 /* Go past the current frame. */
4714 /* Go on to the previous frame. */
4716 /*
4717 * XXX - other apps have a bit more of a detailed message
4718 * for this, and instead of offering "OK" and "Cancel",
4719 * they offer things such as "Continue" and "Cancel";
4720 * we need an API for popping up alert boxes with
4721 * {Verb} and "Cancel".
4722 */
4730 }
4732 framenum--;
4734 /* Go on to the next frame. */
4742 }
4744 framenum++;
4745 }
4748 count++;
4750 /* Is this packet in the display? */
4752 /* Yes. Does it match the search criterion? */
4755 /* Error; our caller has reported the error. Go back to the frame
4756 where we started. */
4760 /* Yes. Go to the new frame. */
4763 }
4765 }
4768 /* We're back to the frame we were on originally, and that frame
4769 doesn't match the search filter. The search failed. */
4771 }
4772 }
4774 /* We're done scanning the packets; destroy the progress bar if it
4775 was created. */
4781 /* We found a frame that's displayed and that matches.
4782 Try to find and select the packet summary list row for that frame. */
4783 gboolean found_row;
4789 /* We didn't find a row corresponding to this frame.
4790 This means that the frame isn't being displayed currently,
4791 so we can't select it. */
4805 }
4807 gboolean
4809 {
4813 /* we don't have a loaded capture file - fix for bugs 11810 & 11989 */
4816 }
4821 /* we didn't find a packet with that packet number */
4824 }
4826 /* that packet currently isn't displayed */
4827 /* XXX - add it to the set of displayed packets? */
4829 /* We only want that exact frame, or no frames are displayed. */
4832 }
4834 /* There is no previous displayed frame, so this frame is
4835 * before the first displayed frame. Go to the first line,
4836 * which is the closest frame.
4837 */
4839 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the first displayed packet, %u.", fnumber, cf->first_displayed);
4842 /* The next displayed frame might be closer, we can do an
4843 * O(log n) binary search for the earliest displayed frame
4844 * in the open interval (fnumber, fnumber + delta).
4845 *
4846 * This is possibly overkill, we could just go to the previous
4847 * displayed frame.
4848 */
4857 /* We don't have a frame of that number, so search before it. */
4860 }
4861 /* We have a frame of that number. What's the displayed
4862 * frame before it? */
4864 /* The previous frame that passed the filter is also after
4865 * our target, so our answer is no later than that.
4866 */
4869 /* The previous displayed frame is before fnumber.
4870 * (We already know fnumber itself is not displayed.)
4871 * Is this frame itself displayed?
4872 */
4874 /* Yes. So this is our answer. */
4877 }
4878 /* No. So our answer, if any, is after this frame. */
4880 }
4881 }
4884 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the next displayed packet, %u.", fnumber, fdata->num);
4886 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the previous displayed packet, %u.", fnumber, fdata->prev_dis_num);
4888 }
4889 }
4890 }
4893 /* We didn't find a row corresponding to this frame.
4894 This means that the frame isn't being displayed currently,
4895 so we can't select it. */
4900 }
4902 }
4904 /*
4905 * Go to frame specified by currently selected protocol tree item.
4906 */
4907 gboolean
4909 {
4911 guint32 framenum;
4919 /* We probably only want to go to the exact match,
4920 * even though "Go to Previous Packet in History" exists.
4921 */
4923 }
4924 }
4925 }
4928 }
4930 /* Select the packet on a given row. */
4931 void
4933 {
4936 /* check the frame data struct pointer for this frame */
4939 }
4941 /* Get the data in that frame. */
4944 }
4946 /* Record that this frame is the current frame. */
4949 /*
4950 * The change to defer freeing the current epan_dissect_t was in
4951 * commit a2bb94c3b33d53f42534aceb7cc67aab1d1fb1f9; to quote
4952 * that commit's comment:
4953 *
4954 * Clear GtkTreeStore before freeing edt
4955 *
4956 * When building current data for packet details treeview we store two
4957 * things.
4958 * - Generated string with item label
4959 * - Pointer to node field_info structure
4960 *
4961 * After epan_dissect_{free, cleanup} pointer to field_info node is no
4962 * longer valid so we should clear GtkTreeStore before freeing.
4963 *
4964 * XXX - we're no longer using GTK+; is there a way to ensure that
4965 * *nothing* refers to any of the current frame information before
4966 * we replace it?
4967 */
4969 /* Create the logical protocol tree. */
4970 /* We don't need the columns here. */
4980 }
4982 /* Unselect the selected packet, if any. */
4983 void
4985 {
4988 /*
4989 * See the comment in cf_select_packet() about deferring the freeing
4990 * of the old cf->edt.
4991 */
4994 /* No packet is selected. */
4997 /* Destroy the epan_dissect_t for the unselected packet. */
5000 }
5002 /*
5003 * Mark a particular frame.
5004 */
5005 void
5007 {
5012 }
5013 }
5015 /*
5016 * Unmark a particular frame.
5017 */
5018 void
5020 {
5025 }
5026 }
5028 /*
5029 * Ignore a particular frame.
5030 */
5031 void
5033 {
5038 }
5039 }
5041 /*
5042 * Un-ignore a particular frame.
5043 */
5044 void
5046 {
5051 }
5052 }
5054 /*
5055 * Modify the section comment.
5056 */
5057 void
5059 {
5060 wtap_block_t shb_inf;
5063 /* Get the first SHB. */
5064 /* XXX - support multiple SHBs */
5067 /* Get the first comment from the SHB. */
5068 /* XXX - support multiple comments */
5069 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, 0, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5070 /* There's no comment - add one. */
5073 /* See if the comment has changed or not */
5077 }
5079 /* The comment has changed, let's update it */
5081 }
5082 /* Mark the file as having unsaved changes */
5084 }
5086 /*
5087 * Modify the section comments for a given section.
5088 */
5089 void
5091 {
5092 wtap_block_t shb_inf;
5097 /* Shouldn't happen. XXX: Report it if it does? */
5099 }
5107 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, i, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5108 /* There's no comment - add one. */
5112 /* See if the comment has changed or not */
5114 /* The comment has changed, let's update it */
5117 }
5119 }
5120 }
5121 /* We either transferred ownership of the comments or freed them
5122 * above, so free the array of strings but not the strings themselves. */
5125 /* If there are extra old comments, remove them. Start at the end. */
5129 }
5130 }
5132 /*
5133 * Get the packet block for a packet (record).
5134 * If the block has been edited, it returns the result of the edit,
5135 * otherwise it returns the block from the file.
5136 * NB. Caller must wtap_block_unref() the result when done.
5137 */
5138 wtap_block_t
5140 {
5141 /* If this block has been modified, fetch the modified version */
5147 wtap_block_t block;
5149 /* fetch record block */
5156 /* rec.block is owned by the record, steal it before it is gone. */
5162 }
5163 }
5165 /*
5166 * Update(replace) the block on a capture from a frame
5167 */
5168 gboolean
5170 {
5173 /* It's possible to further modify the modified block "in place" by doing
5174 * a call to cf_get_packet_block() that returns an already created modified
5175 * block, modifying that, and calling this function.
5176 * If the caller did that, then the block pointers will be equal.
5177 */
5179 /* No need to save anything here, the caller changes went right
5180 * onto the block.
5181 * Unfortunately we don't have a way to know how many comments were
5182 * in the block before the caller modified it, so tell the caller
5183 * it is its responsibility to update the comment count.
5184 */
5186 }
5197 }
5199 /* Either way, we have unsaved changes. */
5203 }
5205 /*
5206 * What types of comments does this capture file have?
5207 */
5208 guint32
5210 {
5213 /*
5214 * Does this file have any sections with at least one comment?
5215 */
5218 section_number++) {
5219 wtap_block_t shb_inf;
5224 /* Try to get the first comment from that SHB. */
5227 /* We succeeded, so this file has at least one section comment. */
5230 /* We don't need to search any more. */
5232 }
5233 }
5237 }
5239 /*
5240 * Add a resolved address to this file's list of resolved addresses.
5241 */
5242 gboolean
5244 {
5245 /*
5246 * XXX - support multiple resolved address lists, and add to the one
5247 * attached to this file?
5248 */
5252 /* OK, we have unsaved changes. */
5255 }
5261 gboolean export;
5264 /*
5265 * Save a capture to a file, in a particular format, saving either
5266 * all packets, all currently-displayed packets, or all marked packets.
5267 *
5268 * Returns TRUE if it succeeds, FALSE otherwise; if it fails, it pops
5269 * up a message box for the failure.
5270 */
5271 static bool
5274 {
5276 wtap_rec new_rec;
5279 wtap_block_t pkt_block;
5281 /* Copy the record information from what was read in from the file. */
5284 /* Make changes based on anything that the user has done but that
5285 hasn't been saved yet. */
5288 else
5296 }
5297 }
5299 /* and save the packet */
5304 }
5306 /* If we are saving (i.e., replacing the current file with the one we're
5307 * writing), then update the frame data to clear the shift offset.
5308 * This keeps us from having to re-read the entire file.
5309 * We could do this in rescan_file(), but
5310 * 1) Ideally we shouldn't have to call rescan_file if all we're doing
5311 * is changing the timestamps, since that shouldn't change the offsets.
5312 * 2) The long term goal is to try to do the offset adjustment here
5313 * instead of using rescan_file, which should be faster (#1257).
5314 *
5315 * If we're exporting to a different file, then don't do that.
5316 */
5319 }
5322 }
5324 /*
5325 * Can this capture file be written out in any format using Wiretap
5326 * rather than by copying the raw data?
5327 */
5328 gboolean
5330 {
5331 /* We don't care whether we support the comments in this file or not;
5332 if we can't, we'll offer the user the option of discarding the
5333 comments. */
5335 }
5337 /*
5338 * Should we let the user do a save?
5339 *
5340 * We should if:
5341 *
5342 * the file has unsaved changes, and we can save it in some
5343 * format through Wiretap
5344 *
5345 * or
5346 *
5347 * the file is a temporary file and has no unsaved changes (so
5348 * that "saving" it just means copying it).
5349 *
5350 * XXX - we shouldn't allow files to be edited if they can't be saved,
5351 * so cf->unsaved_changes should be true only if the file can be saved.
5352 *
5353 * We don't care whether we support the comments in this file or not;
5354 * if we can't, we'll offer the user the option of discarding the
5355 * comments.
5356 */
5357 gboolean
5359 {
5361 /* Saved changes, and we can write it out with Wiretap. */
5363 }
5366 /*
5367 * Temporary file with no unsaved changes, so we can just do a
5368 * raw binary copy.
5369 */
5371 }
5373 /* Nothing to save. */
5375 }
5377 /*
5378 * Should we let the user do a "save as"?
5379 *
5380 * That's true if:
5381 *
5382 * we can save it in some format through Wiretap
5383 *
5384 * or
5385 *
5386 * the file is a temporary file and has no unsaved changes (so
5387 * that "saving" it just means copying it).
5388 *
5389 * XXX - we shouldn't allow files to be edited if they can't be saved,
5390 * so cf->unsaved_changes should be true only if the file can be saved.
5391 *
5392 * We don't care whether we support the comments in this file or not;
5393 * if we can't, we'll offer the user the option of discarding the
5394 * comments.
5395 */
5396 gboolean
5398 {
5400 /* We can write it out with Wiretap. */
5402 }
5405 /*
5406 * Temporary file with no unsaved changes, so we can just do a
5407 * raw binary copy.
5408 */
5410 }
5412 /* Nothing to save. */
5414 }
5416 /*
5417 * Does this file have unsaved data?
5418 */
5419 gboolean
5421 {
5422 /*
5423 * If this is a temporary file, or a file with unsaved changes, it
5424 * has unsaved data.
5425 */
5427 }
5429 /*
5430 * Quick scan to find packet offsets.
5431 */
5432 static cf_read_status_t
5434 {
5435 wtap_rec rec;
5436 Buffer buf;
5440 gint64 data_offset;
5443 gint64 size;
5445 gint64 start_time;
5447 guint32 framenum;
5450 /* Close the old handle. */
5453 /* Open the new file. */
5454 /* XXX: this will go through all open_routines for a matching one. But right
5455 now rescan_file() is only used when a file is being saved to a different
5456 format than the original, and the user is not given a choice of which
5457 reader to use (only which format to save it in), so doing this makes
5458 sense for now. (XXX: Now it is also used when saving a changed file,
5459 e.g. comments or time-shifted frames.) */
5464 }
5466 /* We're scanning a file whose contents should be the same as what
5467 we had before, so we don't discard dissection state etc.. */
5470 /* Set the file name because we need it to set the follow stream filter.
5471 XXX - is that still true? We need it for other reasons, though,
5472 in any case. */
5475 }
5478 /* Indicate whether it's a permanent or temporary file. */
5481 /* No user changes yet. */
5487 }
5496 /* Record the file's compression type.
5497 XXX - do we know this at open time? */
5500 /* Find the size of the file. */
5513 framenum++;
5517 }
5521 /* Create the progress bar if necessary. */
5526 }
5528 /*
5529 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
5530 * has elapsed. Calling update_progress_dlg and packets_bar_update will
5531 * likely trigger UI paint events, which might take a while depending on
5532 * the platform and display. Reset our timer *after* painting.
5533 */
5536 /* update the packet bar content on the first run or frequently on very large files */
5541 }
5542 }
5545 /* Well, the user decided to abort the rescan. Sadly, as this
5546 isn't a reread, recovering is difficult, so we'll just
5547 close the current capture. */
5549 }
5551 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
5552 it's not already there.
5553 XXX - yes, this is O(N), so if every packet had a different
5554 link-layer encapsulation type, it'd be O(N^2) to read the file, but
5555 there are probably going to be a small number of encapsulation types
5556 in a file. */
5559 }
5561 }
5565 /* Free the display name */
5568 /* We're done reading the file; destroy the progress bar if it was created. */
5573 /* We're done reading sequentially through the file. */
5576 /* Close the sequential I/O side, to free up memory it requires. */
5579 /* compute the time it took to load the file */
5582 /* Set the file encapsulation type now; we don't know what it is until
5583 we've looked at all the packets, as we don't know until then whether
5584 there's more than one type (and thus whether it's
5585 WTAP_ENCAP_PER_PACKET). */
5591 /* Our caller will give up at this point. */
5593 }
5596 /* Put up a message box noting that the read failed somewhere along
5597 the line. Don't throw out the stuff we managed to read, though,
5598 if any. */
5603 }
5605 cf_write_status_t
5607 wtap_compression_type compression_type,
5609 {
5615 guint framenum;
5617 #ifdef _WIN32
5619 #endif
5621 SAVE_WITH_MOVE,
5622 SAVE_WITH_COPY,
5623 SAVE_WITH_WTAP
5625 save_callback_args_t callback_args;
5629 /* XXX caller should avoid saving the file while a read is pending
5630 * (e.g. by delaying the save action) */
5632 ws_warning("cf_save_records(\"%s\") while the file is being read, potential crash ahead", fname);
5633 }
5641 && (wtap_addrinfo_list_empty(addr_lists) || wtap_file_type_subtype_supports_block(save_format, WTAP_BLOCK_NAME_RESOLUTION) == BLOCK_NOT_SUPPORTED)) {
5642 /* We're saving in the format it's already in, and we're not discarding
5643 comments, and there are no changes we have in memory that aren't saved
5644 to the file, and we have no name resolution information to write or
5645 the file format we're saving in doesn't support writing name
5646 resolution information, so we can just move or copy the raw data. */
5649 /* The file being saved is a temporary file from a live
5650 capture, so it doesn't need to stay around under that name;
5651 first, try renaming the capture buffer file to the new name.
5652 This acts as a "safe save", in that, if the file already
5653 exists, the existing file will be removed only if the rename
5654 succeeds.
5656 Sadly, on Windows, as we have the current capture file
5657 open, even MoveFileEx() with MOVEFILE_REPLACE_EXISTING
5658 (to cause the rename to remove an existing target), as
5659 done by ws_stdio_rename() (ws_rename() is #defined to
5660 be ws_stdio_rename() on Windows) will fail.
5662 According to the MSDN documentation for CreateFile(), if,
5663 when we open a capture file, we were to directly do a CreateFile(),
5664 opening with FILE_SHARE_DELETE|FILE_SHARE_READ, and then
5665 convert it to a file descriptor with _open_osfhandle(),
5666 that would allow the file to be renamed out from under us.
5668 However, that doesn't work in practice. Perhaps the problem
5669 is that the process doing the rename is the process that
5670 has the file open. */
5671 #ifndef _WIN32
5673 /* That succeeded - there's no need to copy the source file. */
5677 /* They're on different file systems, so we have to copy the
5678 file. */
5681 /* The rename failed, but not because they're on different
5682 file systems - put up an error message. (Or should we
5683 just punt and try to copy? The only reason why I'd
5684 expect the rename to fail and the copy to succeed would
5685 be if we didn't have permission to remove the file from
5686 the temporary directory, and that might be fixable - but
5687 is it worth requiring the user to go off and fix it?) */
5690 }
5691 }
5692 #else
5693 /* Windows - copy the file to its new location. */
5695 #endif
5697 /* It's a permanent file, so we should copy it, and not remove the
5698 original. */
5700 }
5703 /* Copy the file, if we haven't moved it. If we're overwriting
5704 an existing file, we do it with a "safe save", by writing
5705 to a new file and, if the write succeeds, renaming the
5706 new file on top of the old file. */
5714 }
5715 }
5717 /* Either we're saving in a different format or we're saving changes,
5718 such as added, modified, or removed comments, that haven't yet
5719 been written to the underlying file; we can't do that by copying
5720 or moving the capture file, we have to do it by writing the packets
5721 out in Wiretap. */
5723 wtap_dump_params params;
5729 /* Determine what file encapsulation type we should use. */
5733 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5737 /* We're overwriting an existing file; write out to a new file,
5738 and, if that succeeds, rename the new file on top of the
5739 old file. That makes this a "safe save", so that we don't
5740 lose the old file if we have a problem writing out the new
5741 file. (If the existing file is the current capture file,
5742 we *HAVE* to do that, otherwise we're overwriting the file
5743 from which we're reading the packets that we're writing!) */
5750 }
5751 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5758 }
5760 /* Add address resolution */
5763 /* Iterate through the list of packets, processing all the packets. */
5771 /* Completed successfully. */
5775 /* The user decided to abort the saving.
5776 If we're writing to a temporary file, remove it.
5777 XXX - should we do so even if we're not writing to a
5778 temporary file? */
5787 /* Error while saving.
5788 If we're writing to a temporary file, remove it. */
5794 }
5800 }
5803 }
5806 /* We wrote out to fname_new, and should rename it on top of
5807 fname. fname_new is now closed, so that should be possible even
5808 on Windows. However, on Windows, we first need to close whatever
5809 file descriptors we have open for fname. */
5810 #ifdef _WIN32
5812 #endif
5813 /* Now do the rename. */
5815 /* Well, the rename failed. */
5817 #ifdef _WIN32
5818 /* Attempt to reopen the random file descriptor using the
5819 current file's filename. (At this point, the sequential
5820 file descriptor is closed.) */
5822 /* Oh, well, we're screwed. */
5827 }
5828 #endif
5830 }
5832 }
5834 /* If this was a temporary file, and we didn't do the save by doing
5835 a move, so the tempoary file is still around under its old name,
5836 remove it. */
5838 /* If this fails, there's not much we can do, so just ignore errors. */
5840 }
5849 /* We just moved the file, so the wtap structure refers to the
5850 new file, and all the information other than the filename
5851 and the "is temporary" status applies to the new file; just
5852 update that. */
5860 /* We just copied the file, so all the information other than
5861 the file descriptors, the filename, and the "is temporary"
5862 status applies to the new file; just update that. */
5864 /* Attempt to reopen the random file descriptor using the
5865 new file's filename. (At this point, the sequential
5866 file descriptor is closed.) */
5874 }
5879 /* Open and read the file we saved to.
5881 XXX - this is somewhat of a waste; we already have the
5882 packets, all this gets us is updated file type information
5883 (which we could just stuff into "cf"), and having the new
5884 file be the one we have opened and from which we're reading
5885 the data, and it means we have to spend time opening and
5886 reading the file, which could be a significant amount of
5887 time if the file is large.
5889 If the capture-file-writing code were to return the
5890 seek offset of each packet it writes, we could save that
5891 in the frame_data structure for the frame, and just open
5892 the file without reading it again...
5894 ...as long as, for gzipped files, the process of writing
5895 out the file *also* generates the information needed to
5896 support fast random access to the compressed file. */
5897 /* rescan_file will cause us to try all open_routines, so
5898 reset cfile's open_type */
5900 /* There are cases when SAVE_WITH_WTAP can result in new packets
5901 being written to the file, e.g ERF records
5902 In that case, we need to reload the whole file */
5906 /* The rescan failed; just close the file. Either
5907 a dialog was popped up for the failure, so the
5908 user knows what happened, or they stopped the
5909 rescan, in which case they know what happened. */
5910 /* XXX: This is inconsistent with normal open/reload behaviour. */
5912 }
5913 }
5914 }
5917 /* The rescan failed; just close the file. Either
5918 a dialog was popped up for the failure, so the
5919 user knows what happened, or they stopped the
5920 rescan, in which case they know what happened. */
5922 }
5923 }
5925 }
5927 /* If we were told to discard the comments, do so. */
5929 /* Remove SHB comment, if any. */
5932 /* remove all user comments */
5936 // XXX: This also ignores non-comment options like verdict
5938 }
5943 }
5946 }
5947 }
5950 fail:
5952 /* We were trying to write to a temporary file; get rid of it if it
5953 exists. (We don't care whether this fails, as, if it fails,
5954 there's not much we can do about it. I guess if it failed for
5955 a reason other than "it doesn't exist", we could report an
5956 error, so the user knows there's a junk file that they might
5957 want to clean up.) */
5960 }
5963 }
5965 cf_write_status_t
5968 wtap_compression_type compression_type)
5969 {
5974 save_callback_args_t callback_args;
5975 wtap_dump_params params;
5981 /* We're writing out specified packets from the specified capture
5982 file to another file. Even if all captured packets are to be
5983 written, don't special-case the operation - read each packet
5984 and then write it out if it's one of the specified ones. */
5988 /* Determine what file encapsulation type we should use. */
5992 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5996 /* We're overwriting an existing file; write out to a new file,
5997 and, if that succeeds, rename the new file on top of the
5998 old file. That makes this a "safe save", so that we don't
5999 lose the old file if we have a problem writing out the new
6000 file. (If the existing file is the current capture file,
6001 we *HAVE* to do that, otherwise we're overwriting the file
6002 from which we're reading the packets that we're writing!) */
6009 }
6010 /* XXX idb_inf is documented to be used until wtap_dump_close. */
6017 }
6019 /* Add address resolution */
6022 /* Iterate through the list of packets, processing the packets we were
6023 told to process.
6025 XXX - we've already called "packet_range_process_init(range)", but
6026 "process_specified_records()" will do it again. Fortunately,
6027 that's harmless in this case, as we haven't done anything to
6028 "range" since we initialized it. */
6036 /* Completed successfully. */
6040 /* The user decided to abort the saving.
6041 If we're writing to a temporary file, remove it.
6042 XXX - should we do so even if we're not writing to a
6043 temporary file? */
6048 }
6055 /* Error while saving. */
6057 /*
6058 * We don't report any error from closing; the error that caused
6059 * process_specified_records() to fail has already been reported.
6060 */
6062 }
6067 }
6070 /* We wrote out to fname_new, and should rename it on top of
6071 fname; fname is now closed, so that should be possible even
6072 on Windows. Do the rename. */
6074 /* Well, the rename failed. */
6077 }
6079 }
6084 fail:
6086 /* We were trying to write to a temporary file; get rid of it if it
6087 exists. (We don't care whether this fails, as, if it fails,
6088 there's not much we can do about it. I guess if it failed for
6089 a reason other than "it doesn't exist", we could report an
6090 error, so the user knows there's a junk file that they might
6091 want to clean up.) */
6094 }
6098 }
6100 /*
6101 * XXX - whether we mention the source pathname, the target pathname,
6102 * or both depends on the error and on what we find if we look for
6103 * one or both of them.
6104 */
6105 static void
6107 {
6114 /* XXX - should check whether the source exists and, if not,
6115 report it as the problem and, if so, report the destination
6116 as the problem. */
6118 display_basename);
6122 /* XXX - if we're doing a rename after a safe save, we should
6123 probably say something else. */
6125 display_basename);
6129 /* XXX - this should probably mention both the source and destination
6130 pathnames. */
6134 }
6136 }
6138 /* Reload the current capture file. */
6139 cf_status_t
6141 {
6143 gboolean is_tempfile;
6150 }
6152 /* If the file could be opened, "cf_open()" calls "cf_close()"
6153 to get rid of state for the old capture file before filling in state
6154 for the new capture file. "cf_close()" will remove the file if
6155 it's a temporary file; we don't want that to happen (for one thing,
6156 it'd prevent subsequent reopens from working). Remember whether it's
6157 a temporary file, mark it as not being a temporary file, and then
6158 reopen it as the type of file it was.
6160 Also, "cf_close()" will free "cf->filename", so we must make
6161 a copy of it first. */
6170 /* Just because we got an error, that doesn't mean we were unable
6171 to read any of the file; we handle what we could get from the
6172 file. */
6176 /* The user bailed out of re-reading the capture file; the
6177 capture file has been closed. */
6179 }
6181 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
6182 Instead, the file was left open, so we should restore "cf->is_tempfile"
6183 ourselves.
6185 XXX - change the menu? Presumably "cf_open()" will do that;
6186 make sure it does! */
6189 }
6190 /* "cf_open()" made a copy of the file name we handed it, so
6191 we should free up our copy. */
6194 }