| blob | 7a43db503ac247c6ebe74329a5703b55b1b302f4 |
1 /* file.c
2 * File I/O routines
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
11 #include <config.h>
12 #define WS_LOG_DOMAIN LOG_DOMAIN_CAPTURE
14 #include <time.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <errno.h>
22 #include <wsutil/file_util.h>
23 #include <wsutil/filesystem.h>
24 #include <wsutil/json_dumper.h>
25 #include <wsutil/wslog.h>
26 #include <wsutil/ws_assert.h>
27 #include <wsutil/version_info.h>
28 #include <wsutil/report_message.h>
30 #include <wiretap/merge.h>
32 #include <epan/exceptions.h>
33 #include <epan/epan.h>
34 #include <epan/column.h>
35 #include <epan/packet.h>
36 #include <epan/column-utils.h>
37 #include <epan/expert.h>
38 #include <epan/prefs.h>
39 #include <epan/dfilter/dfilter.h>
40 #include <epan/epan_dissect.h>
41 #include <epan/tap.h>
42 #include <epan/timestamp.h>
43 #include <epan/strutil.h>
44 #include <epan/addr_resolv.h>
45 #include <epan/color_filters.h>
46 #include <epan/secrets.h>
59 /* Needed for addrinfo */
60 #include <sys/types.h>
62 #ifdef HAVE_SYS_SOCKET_H
63 #include <sys/socket.h>
64 #endif
66 #ifdef HAVE_NETINET_IN_H
67 # include <netinet/in.h>
68 #endif
70 #ifdef _WIN32
71 # include <winsock2.h>
72 # include <ws2tcpip.h>
73 #endif
79 static void rescan_packets(capture_file *cf, const char *action, const char *action_item, bool redissect);
82 MR_NOTMATCHED,
83 MR_MATCHED,
84 MR_ERROR
131 /* Seconds spent processing packets between pushing UI updates. */
132 #define PROGBAR_UPDATE_INTERVAL 0.150
134 /* Show the progress bar after this many seconds. */
135 #define PROGBAR_SHOW_DELAY 0.5
137 /*
138 * Maximum number of records we support in a file.
139 *
140 * It is, at most, the maximum value of a uint32_t, as we use a uint32_t
141 * for the frame number.
142 *
143 * We allow it to be set to a lower value; see issue #16908 for why
144 * we're doing this. Thanks, Qt!
145 */
148 void
150 {
152 }
154 /*
155 * We could probably use g_signal_...() instead of the callbacks below but that
156 * would require linking our CLI programs to libgobject and creating an object
157 * instance for the signals.
158 */
160 cf_callback_t cb_fct;
166 static void
168 {
172 /* there should be at least one interested */
179 }
180 }
182 void
184 {
192 }
194 void
196 {
206 }
208 }
211 }
213 unsigned long
215 {
217 }
219 static void
221 {
225 }
229 {
231 cap_file_provider_get_frame_ts,
232 cap_file_provider_get_interface_name,
233 cap_file_provider_get_interface_description,
234 cap_file_provider_get_modified_block
235 };
238 }
240 cf_status_t
242 {
250 /* The open succeeded. Close whatever capture file we had open,
251 and fill in the information for this file. */
254 /* Initialize the record information.
255 XXX - we really want to initialize this after we've read all
256 the packets, so we know how much we'll ultimately need. */
259 /* We're about to start reading the file. */
262 /* If there was a pending redissection for the old file (there
263 * shouldn't be), clear it. cf_close() should have failed if the
264 * old file's read lock was held, but it doesn't hurt to clear it. */
271 /* Set the file name because we need it to set the follow stream filter.
272 XXX - is that still true? We need it for other reasons, though,
273 in any case. */
276 /* Indicate whether it's a permanent or temporary file. */
279 /* No user changes yet. */
284 /* Record the file's type and compression type. */
300 /* Allocate a frame_data_sequence for the frames in this file */
309 /* Create new epan session for dissection.
310 * (The old one was freed in cf_close().)
311 */
323 fail:
326 }
328 /*
329 * Add an encapsulation type to cf->linktypes.
330 */
331 static void
333 {
339 }
340 /* It's not already there - add it. */
342 }
344 /* Reset everything to a pristine state */
345 void
347 {
352 /* Die if we're in the middle of reading a file. */
358 /* close things, if not already closed before */
364 }
365 /* We have no file open... */
367 /* If it's a temporary file, remove it. */
372 }
373 /* ...which means we have no changes to that file to save. */
376 /* no open_routine type */
379 /* Clean up the record information. */
382 /* Clear the packet list. */
392 }
396 }
401 /* No frames, no frame selected, no field in that frame selected. */
406 /* No frame link-layer types, either. */
410 }
420 /* We have no file open. */
424 }
426 /*
427 * true if the progress dialog doesn't exist and it looks like we'll
428 * take > PROGBAR_SHOW_DELAY (500ms) to load, false otherwise.
429 */
432 {
437 /* This only gets checked between reading records, which doesn't help if
438 * a single record takes a very long time, e.g., the first TLS packet if
439 * the SSLKEYLOGFILE is very large. (#17051) */
440 if ((elapsed * 2 > PROGBAR_SHOW_DELAY && (size / pos) >= 2) /* It looks like we're going to be slow. */
443 }
445 }
447 static float
448 calc_progbar_val(capture_file *cf, int64_t size, int64_t file_pos, char *status_str, unsigned long status_size)
449 {
455 /* The file probably grew while we were reading it.
456 * Update file size, and try again.
457 */
463 /* If it's still > 1, either "wtap_file_size()" failed (in which
464 * case there's not much we can do about it), or the file
465 * *shrank* (in which case there's not much we can do about
466 * it); just clip the progress value at 1.0.
467 */
470 }
477 }
479 cf_read_status_t
481 {
490 epan_dissect_t edt;
491 wtap_rec rec;
499 /* The update_progress_dlg call below might end up accepting a user request to
500 * trigger redissection/rescans which can modify/destroy the dissection
501 * context ("cf->epan"). That condition should be prevented by callers, but in
502 * case it occurs let's fail gracefully.
503 */
508 }
509 /* This is a full dissection, so clear any pending request for one. */
513 /* Compile the current display filter.
514 * The code it compiles to might have changed, e.g. if a display
515 * filter macro used has changed.
516 *
517 * We assume this will not fail since cf->dfilter is only set in
518 * cf_filter IFF the filter was valid.
519 * XXX - This is not necessarily true, if the filter has a FT_IPv4
520 * or FT_IPv6 field compared to a resolved hostname in it, because
521 * we do a new host lookup, and that *could* timeout this time
522 * (though with the read lock above we shouldn't have many lookups at
523 * once, reducing the chances of that)... (#19612)
524 */
528 }
533 /* The compiled dfilter might have a field reference; recompiling it
534 * means that the field references won't match anything. That's what
535 * we want since this is a new sequential read and we don't have
536 * a selected frame with a tree. (Will taps with filters with display
537 * references also have cleared display references?)
538 */
540 /* Get the union of the flags for all tap listeners. */
543 /*
544 * Determine whether we need to create a protocol tree.
545 * We do if:
546 *
547 * we're going to apply a display filter;
548 *
549 * one of the tap listeners is going to apply a filter;
550 *
551 * one of the tap listeners requires a protocol tree;
552 *
553 * a postdissector wants field values or protocols on
554 * the first pass.
555 */
556 create_proto_tree =
566 else
569 /* The packet list window will be empty until the file is completely loaded */
577 /* If the display filter or any tap listeners require the columns,
578 * construct them. */
582 /* Find the size of the file. */
585 /* If we are to ignore duplicate frames, we need a container to store
586 * hashes frame contents */
587 fifo_string_cache_t frame_dup_cache;
593 }
599 TRY {
610 /*
611 * Quit if we've already read the maximum number of
612 * records allowed.
613 */
616 }
619 /* Create the progress bar if necessary. */
624 }
626 /*
627 * Update the progress bar, but do it only after
628 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
629 * and packets_bar_update will likely trigger UI paint events, which
630 * might take a while depending on the platform and display. Reset
631 * our timer *after* painting.
632 */
635 /* update the packet bar content on the first run or frequently on very large files */
640 }
641 /*
642 * The previous GUI triggers should not have destroyed the running
643 * session. If that did happen, it could blow up when read_record tries
644 * to use the destroyed edt.session, so detect it right here.
645 */
647 }
650 /* Well, the user decided to exit Wireshark. Break out of the
651 loop, and let the code below (which is called even if there
652 aren't any packets left to read) exit. */
655 }
657 /* Well, the user decided to abort the read. He/She will be warned and
658 it might be enough for him/her to work with the already loaded
659 packets.
660 This is especially true for very large capture files, where you don't
661 want to wait loading the whole file (which may last minutes or even
662 hours even on fast machines) just to see that it was the wrong file. */
664 }
667 }
668 }
674 #if 0
675 /* Could we close the current capture and free up memory from that? */
676 #else
677 /* we have to terminate, as we cannot recover from the memory error */
679 #endif
680 }
681 ENDTRY;
683 // If we're ignoring duplicate frames, clear the data structures.
684 // We really could look at prefs.ignore_dup_frames here, but it's even
685 // safer to check if we had allocated 'cksum'.
689 }
691 /* We're done reading sequentially through the file. */
694 /* Destroy the progress bar if it was created. */
699 /* Free the display name */
705 /* Close the sequential I/O side, to free up memory it requires. */
708 /* Allow the protocol dissectors to free up memory that they
709 * don't need after the sequential run-through of the packets. */
712 /* compute the time it took to load the file */
715 /* Set the file encapsulation type now; we don't know what it is until
716 we've looked at all the packets, as we don't know until then whether
717 there's more than one type (and thus whether it's
718 WTAP_ENCAP_PER_PACKET). */
725 /* It is safe again to execute redissections or sort. */
731 else
734 /* If we have any displayed packets to select, select the first of those
735 packets by making the first row the selected row. */
738 }
741 /*
742 * Well, the user decided to exit Wireshark while reading this *offline*
743 * capture file (Live captures are handled by something like
744 * cf_continue_tail). Clean up accordingly.
745 */
749 }
752 /* Redissection was queued up. Clear the request and perform it now. */
755 }
765 }
768 /* Put up a message box noting that the read failed somewhere along
769 the line. Don't throw out the stuff we managed to read, though,
770 if any. */
780 "The command-line utility editcap can be used to split "
782 "The file contains more records than the maximum "
787 }
789 #ifdef HAVE_LIBPCAP
790 cf_read_status_t
793 {
796 epan_dissect_t edt;
800 /* Don't compile the current display filter. The current display filter
801 * text might compile to different code than when the capture started:
802 *
803 * If it has a IP address resolved name, calling get_host_ipaddr every
804 * time new packets arrive can mean a *lot* of gethostbyname calls
805 * in flight at once, eventually leading to a timeout (#19612).
806 * addr_resolv.c says that ares_gethostbyname is "usually interactive",
807 * unlike ares_gethostbyaddr (used in dissection), and violating that
808 * expectation is bad.
809 *
810 * If it has a display filter macro, the definition might have changed.
811 *
812 * If it has a field reference, the selected frame / current proto tree
813 * might have changed, and we don't have the old one. If we recompile,
814 * we can't set the field references to the old values.
815 *
816 * For a rescan, redissection, reload, retap, or opening a new file, we
817 * want to compile. What about here, when new frames have arrived in a live
818 * capture? We might be able to cache the host lookup, and a user might want
819 * the new display filter macro definition, but the user almost surely wants
820 * the field references to refer to values from the proto tree when the
821 * filter was applied, not whatever it happens to be now if the user has
822 * clicked on a different packet.
823 *
824 * To get the new compiled filter, the user should refilter.
825 */
827 /* Get the union of the flags for all tap listeners. */
830 /*
831 * Determine whether we need to create a protocol tree.
832 * We do if:
833 *
834 * we're going to apply a display filter;
835 *
836 * one of the tap listeners is going to apply a filter;
837 *
838 * one of the tap listeners requires a protocol tree;
839 *
840 * a postdissector wants field values or protocols on
841 * the first pass.
842 */
843 create_proto_tree =
849 /* Don't freeze/thaw the list when doing live capture */
850 /*packet_list_freeze();*/
854 TRY {
858 /* If the display filter or any tap listeners require the columns,
859 * construct them. */
868 }
870 /* Well, the user decided to exit Wireshark. Break out of the
871 loop, and let the code below (which is called even if there
872 aren't any packets left to read) exit. */
874 }
876 newly_displayed_packets++;
877 }
878 to_read--;
879 }
881 }
887 #if 0
888 /* Could we close the current capture and free up memory from that? */
890 #else
891 /* we have to terminate, as we cannot recover from the memory error */
893 #endif
894 }
895 ENDTRY;
897 /* Update the file encapsulation; it might have changed based on the
898 packets we've read. */
903 /* Don't freeze/thaw the list when doing live capture */
904 /*packet_list_thaw();*/
905 /* With the new packet list the first packet
906 * isn't automatically selected.
907 */
912 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
913 so that our caller can kill off the capture child process;
914 this will cause an EOF on the pipe from the child, so
915 "cf_finish_tail()" will be called, and it will clean up
916 and exit. */
919 /* We got an error reading the capture file.
920 XXX - pop up a dialog box instead? */
928 }
932 }
934 void
936 {
939 }
940 }
942 cf_read_status_t
945 {
949 epan_dissect_t edt;
953 /* All the comments above in cf_continue_tail apply regarding the
954 * current display filter.
955 */
957 /* Get the union of the flags for all tap listeners. */
960 /* If the display filter or any tap listeners require the columns,
961 * construct them. */
965 /*
966 * Determine whether we need to create a protocol tree.
967 * We do if:
968 *
969 * we're going to apply a display filter;
970 *
971 * one of the tap listeners is going to apply a filter;
972 *
973 * one of the tap listeners requires a protocol tree;
974 *
975 * a postdissector wants field values or protocols on
976 * the first pass.
977 */
978 create_proto_tree =
985 }
987 /* Don't freeze/thaw the list when doing live capture */
988 /*packet_list_freeze();*/
994 /* Well, the user decided to abort the read. Break out of the
995 loop, and let the code below (which is called even if there
996 aren't any packets left to read) exit. */
998 }
1001 }
1005 /* Don't freeze/thaw the list when doing live capture */
1006 /*packet_list_thaw();*/
1009 /* Well, the user decided to abort the read. We're only called
1010 when the child capture process closes the pipe to us (meaning
1011 it's probably exited), so we can just close the capture
1012 file; we return CF_READ_ABORTED so our caller can do whatever
1013 is appropriate when that happens. */
1016 }
1018 /* We're done reading sequentially through the file. */
1021 /* We're done reading sequentially through the file; close the
1022 sequential I/O side, to free up memory it requires. */
1025 /* Allow the protocol dissectors to free up memory that they
1026 * don't need after the sequential run-through of the packets. */
1029 /* Update the file encapsulation; it might have changed based on the
1030 packets we've read. */
1033 /* Update the details in the file-set dialog, as the capture file
1034 * has likely grown since we first stat-ed it */
1038 /* We got an error reading the capture file.
1039 XXX - pop up a dialog box? */
1047 }
1051 }
1052 }
1057 {
1060 /* Return a name to use in displays */
1062 /* Get the last component of the file name, and use that. */
1067 }
1069 /* The file we read is a temporary file from a live capture or
1070 a merge operation; we don't mention its name, but, if it's
1071 from a capture, give the source of the capture. */
1076 }
1077 }
1079 }
1083 {
1086 /* Return a name to use in the GUI for the basename for files to
1087 which we save statistics */
1089 /* Get the last component of the file name, and use that. */
1093 /* If the file name ends with any extension that corresponds
1094 to a file type we support - including compressed versions
1095 of those files - strip it off. */
1100 /* Does the file name end with that extension? */
1106 /* Yes. Strip the extension off, and return the result. */
1109 }
1110 }
1114 }
1116 /* The file we read is a temporary file from a live capture or
1117 a merge operation; we don't mention its name, but, if it's
1118 from a capture, give the source of the capture. */
1123 }
1124 }
1126 }
1128 void
1130 {
1133 }
1139 }
1140 }
1144 {
1147 }
1150 }
1152 /* XXX - use a macro instead? */
1153 int
1155 {
1157 }
1159 /* XXX - use a macro instead? */
1160 bool
1162 {
1164 }
1166 void
1168 {
1170 }
1173 /* XXX - use a macro instead? */
1174 void
1176 {
1178 }
1180 /* XXX - use a macro instead? */
1181 void
1183 {
1185 }
1187 /* XXX - use a macro instead? */
1188 bool
1190 {
1192 }
1194 /* XXX - use a macro instead? */
1195 uint32_t
1197 {
1199 }
1201 void
1203 {
1205 }
1207 static void
1211 {
1218 }
1219 #if 0
1220 /* Prepare coloring rules, this ensures that display filter rules containing
1221 * frame.color_rule references are still processed.
1222 * TODO: actually detect that situation or maybe apply other optimizations? */
1226 }
1227 #endif
1230 /* This is the first pass, so prime the epan_dissect_t with the
1231 hfids postdissectors want on the first pass. */
1233 }
1235 /* Initialize passed_dfilter here so that dissectors can hide packets. */
1236 /* XXX We might want to add a separate "visible" bit to frame_data instead. */
1239 /* Dissect the frame. */
1246 /* This frame passed the display filter but it may depend on other
1247 * (potentially not displayed) frames. Find those frames and mark them
1248 * as depended upon.
1249 */
1250 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
1251 }
1252 }
1257 }
1260 /* We fill the needed columns from new_packet_list */
1262 }
1265 {
1267 /* The only way we use prev_dis is to get the time stamp of
1268 * the previous displayed frame, so ignore it if it doesn't
1269 * have a time stamp, because we're presumably interested in
1270 * the timestamp of the previously displayed frame with a
1271 * time. XXX: What if in the future we want to use the previously
1272 * displayed frame for something else, too?
1273 */
1276 }
1278 /* If we haven't yet seen the first frame, this is it. */
1282 /* This is the last frame we've seen so far. */
1284 }
1287 }
1289 /*
1290 * Read in a new record.
1291 * Returns true if the packet was added to the packet (record) list,
1292 * false otherwise.
1293 */
1294 static bool
1298 {
1299 frame_data fdlocal;
1306 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
1307 it's not already there.
1308 XXX - yes, this is O(N), so if every packet had a different
1309 link-layer encapsulation type, it'd be O(N^2) to read the file, but
1310 there are probably going to be a small number of encapsulation types
1311 in a file. */
1314 }
1316 /* The frame number of this packet, if we add it to the set of frames,
1317 would be one more than the count of frames in the file so far. */
1321 epan_dissect_t rf_edt;
1328 }
1332 }
1337 /* This does a shallow copy of fdlocal, which is good enough. */
1345 // Should we check if the frame data is a duplicate, and thus, ignore
1346 // this frame?
1356 }
1357 }
1359 /* When a redissection is in progress (or queued), do not process packets.
1360 * This will be done once all (new) packets have been scanned. */
1363 }
1364 }
1367 }
1379 static bool
1383 {
1392 /* do nothing */
1396 /* do nothing */
1400 /* Get the sum of the sizes of all the files. */
1409 {
1410 /* Create the progress bar if necessary.
1411 We check on every iteration of the loop, so that it takes no
1412 longer than the standard time to create it (otherwise, for a
1413 large file, we might take considerably longer than that standard
1414 time in order to get to the next progress bar step). */
1418 }
1420 /*
1421 * Update the progress bar, but do it only after
1422 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
1423 * and packets_bar_update will likely trigger UI paint events, which
1424 * might take a while depending on the platform and display. Reset
1425 * our timer *after* painting.
1426 */
1430 /* Get the sum of the seek positions in all of the files. */
1436 /* Some file probably grew while we were reading it.
1437 That "shouldn't happen", so we'll just clip the progress
1438 value at 1.0. */
1440 }
1448 }
1450 }
1451 }
1455 /* We're done merging the files; destroy the progress bar if it was created. */
1460 }
1463 }
1467 cf_status_t
1471 {
1473 merge_progress_callback_t cb;
1476 /* prepare our callback routine */
1483 /* merge the files */
1485 in_filenames,
1495 /* Callers aren't expected to treat an error or an explicit abort
1496 differently - the merge code puts up error dialogs itself, so
1497 they don't have to. */
1501 }
1503 cf_status_t
1505 {
1511 /* if new filter equals old one, do nothing unless told to do so */
1512 /* XXX - The text can be the same without compiling to the same code.
1513 * (Macros, field references, etc.)
1514 */
1517 }
1522 /* The new filter is an empty filter (i.e., display all packets).
1523 * so leave dfcode==NULL
1524 */
1526 /*
1527 * We have a filter; make a copy of it (as we'll be saving it),
1528 * and try to compile it.
1529 */
1532 /* The attempt failed; report an error. */
1540 }
1542 /* Was it empty? */
1544 /* Yes - free the filter text, and set it to null. */
1547 }
1548 }
1550 /* We have a valid filter. Replace the current filter. */
1554 /* We'll recompile this when the rescan starts, or in cf_read()
1555 * if no file is open currently. However, if no file is open and
1556 * we start a new capture, we want to use this rather than
1557 * recompiling in cf_continue_tail() */
1561 /* Now rescan the packet list, applying the new filter, but not
1562 * throwing away information constructed on a previous pass.
1563 * If a dissection is already in progress, queue it.
1564 */
1573 }
1574 }
1575 }
1578 }
1580 void
1582 {
1584 /* Dissection in progress, signal redissection rather than rescanning. That
1585 * would destroy the current (in-progress) dissection in "cf_read" which
1586 * will cause issues when "cf_read" tries to add packets to the list.
1587 * If a previous rescan was requested, "upgrade" it to a full redissection.
1588 */
1590 }
1592 /* Redissection is (already) queued, wait for "cf_read" to finish. */
1593 /* XXX - what if whatever set and later clears read_lock is *not*
1594 * cf_read, e.g. process_specified_records ? We need to handle a
1595 * queued redissection there too like we do in cf_read.
1596 */
1598 }
1601 /* Restart dissection in case no cf_read is pending. */
1603 }
1604 }
1606 bool
1608 {
1615 }
1617 }
1619 bool
1622 {
1629 }
1631 }
1633 bool
1635 {
1637 }
1639 /* Rescan the list of packets, reconstructing the CList.
1641 "action" describes why we're doing this; it's used in the progress
1642 dialog box.
1644 "action_item" describes what we're doing; it's used in the progress
1645 dialog box.
1647 "redissect" is true if we need to make the dissectors reconstruct
1648 any state information they have (because a preference that affects
1649 some dissector has changed, meaning some dissector might construct
1650 its state differently from the way it was constructed the last time). */
1651 static void
1653 {
1654 /* Rescan packets new packet list */
1657 wtap_rec rec;
1667 epan_dissect_t edt;
1680 }
1682 /* Rescan in progress, clear pending actions. */
1689 /* Compile the current display filter.
1690 * The code it compiles to might have changed, e.g. if a display
1691 * filter macro used has changed.
1692 *
1693 * We assume this will not fail since cf->dfilter is only set in
1694 * cf_filter IFF the filter was valid.
1695 * XXX - This is not necessarily true, if the filter has a FT_IPv4
1696 * or FT_IPv6 field compared to a resolved hostname in it, because
1697 * we do a new host lookup, and that *could* timeout this time
1698 * (though with the read lock above we shouldn't have many lookups at
1699 * once, reducing the chances of that)... (#19612)
1700 */
1704 }
1709 /* Do we have any tap listeners with filters? */
1712 /* Update references in filters (if any) for the protocol
1713 * tree corresponding to the currently selected frame in the GUI. */
1719 }
1724 }
1726 /* Get the union of the flags for all tap listeners. */
1729 /* If the display filter or any tap listeners require the columns,
1730 * construct them. */
1734 /*
1735 * Determine whether we need to create a protocol tree.
1736 * We do if:
1737 *
1738 * we're going to apply a display filter;
1739 *
1740 * one of the tap listeners is going to apply a filter;
1741 *
1742 * one of the tap listeners requires a protocol tree;
1743 *
1744 * we're redissecting and a postdissector wants field
1745 * values or protocols on the first pass.
1746 */
1747 create_proto_tree =
1753 /* Which frame, if any, is the currently selected frame?
1754 XXX - should the selected frame or the focus frame be the "current"
1755 frame, that frame being the one from which "Find Frame" searches
1756 start? */
1759 /* Mark frame num as not found */
1762 /* Freeze the packet list while we redo it, so we don't get any
1763 screen updates while it happens. */
1767 /* We need to re-initialize all the state information that protocols
1768 keep, because some preference that controls a dissector has changed,
1769 which might cause the state information to be constructed differently
1770 by that dissector. */
1772 /* We might receive new packets while redissecting, and we don't
1773 want to dissect those before their time. */
1776 /* 'reset' dissection session */
1779 /* All pointers in "per frame proto data" for the currently selected
1780 packet are allocated in wmem_file_scope() and deallocated in epan_free().
1781 Free them here to avoid unintended usage in packet_list_clear(). */
1783 }
1787 /* A new Lua tap listener may be registered in lua_prime_all_fields()
1788 called via epan_new() / init_dissection() when reloading Lua plugins. */
1791 }
1794 }
1796 /* We need to redissect the packets so we have to discard our old
1797 * packet list store. */
1800 }
1802 /* We don't yet know which will be the first and last frames displayed. */
1806 /* We currently don't display any packets */
1809 /* Iterate through the list of frames. Call a routine for each frame
1810 to check whether it should be displayed and, if so, add it to
1811 the display list. */
1820 /* Count of packets at which we've looked. */
1822 /* Progress so far. */
1828 /* no previous row yet */
1844 /*
1845 * Decryption secrets and name resolution blocks are read while
1846 * sequentially processing records and then passed to the dissector.
1847 * During redissection, the previous information is lost (see epan_free
1848 * above), but they are not read again from the file as only packet
1849 * records are re-read. Therefore reset the wtap secrets and name
1850 * resolution callbacks such that wtap resupplies the callbacks with
1851 * previously read information.
1852 */
1856 }
1861 /* Create the progress bar if necessary.
1862 We check on every iteration of the loop, so that it takes no
1863 longer than the standard time to create it (otherwise, for a
1864 large file, we might take considerably longer than that standard
1865 time in order to get to the next progress bar step). */
1869 progbar_val);
1871 /*
1872 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
1873 * has elapsed. Calling update_progress_dlg and packets_bar_update will
1874 * likely trigger UI paint events, which might take a while depending on
1875 * the platform and display. Reset our timer *after* painting.
1876 */
1878 /* let's not divide by zero. I should never be started
1879 * with count == 0, so let's assert that
1880 */
1888 }
1891 }
1895 /* A redissection was requested while an existing redissection was
1896 * pending. */
1898 }
1901 /* Well, the user decided to abort the filtering. Just stop.
1903 XXX - go back to the previous filter? Users probably just
1904 want not to wait for a filtering operation to finish;
1905 unless we cancel by having no filter, reverting to the
1906 previous filter will probably be even more expensive than
1907 continuing the filtering, as it involves going back to the
1908 beginning and filtering, and even with no filter we currently
1909 have to re-generate the entire clist, which is also expensive.
1911 I'm not sure what Network Monitor does, but it doesn't appear
1912 to give you an unfiltered display if you cancel. */
1914 }
1916 count++;
1919 /* Since all state for the frame was destroyed, mark the frame
1920 * as not visited, free the GSList referring to the state
1921 * data (the per-frame data itself was freed by
1922 * "init_dissection()"), and null out the GSList pointer. */
1925 }
1927 /* Frame dependencies from the previous dissection/filtering are no longer valid. */
1933 /* If the previous frame is displayed, and we haven't yet seen the
1934 selected frame, remember that frame - it's the closest one we've
1935 yet seen before the selected frame. */
1939 }
1942 add_to_packet_list);
1944 /* If this frame is displayed, and this is the first frame we've
1945 seen displayed after the selected frame, remember this frame -
1946 it's the closest one we've yet seen at or after the selected
1947 frame. */
1951 }
1956 }
1958 /* Remember this frame - it'll be the previous frame
1959 on the next pass through the loop. */
1963 }
1968 /* We are done redissecting the packet list. */
1973 /* Clear out what remains of the visited flags and per-frame data
1974 pointers.
1976 XXX - that may cause various forms of bogosity when dissecting
1977 these frames, as they won't have been seen by this sequential
1978 pass, but the only alternative I see is to keep scanning them
1979 even though the user requested that the scan stop, and that
1980 would leave the user stuck with an Wireshark grinding on
1981 until it finishes. Should we just stick them with that? */
1985 }
1986 }
1988 /* We're done filtering the packets; destroy the progress bar if it
1989 was created. */
1994 /* Unfreeze the packet list. */
1998 /* Compute the time it took to filter the file */
2003 /* It is safe again to execute redissections or sort. */
2010 /* The selected frame didn't pass the filter. */
2012 /* That's because there *was* no selected frame. Make the first
2013 displayed frame the current frame. */
2016 /* Find the nearest displayed frame to the selected frame (whether
2017 it's before or after that frame) and make that the current frame.
2018 If the next and previous displayed frames are equidistant from the
2019 selected frame, choose the next one. */
2025 /* No frame after the selected frame passed the filter, so we
2026 have to select the last displayed frame before the selected
2027 frame. */
2031 /* No frame before the selected frame passed the filter, so we
2032 have to select the first displayed frame after the selected
2033 frame. */
2037 /* Frames before and after the selected frame passed the filter, so
2038 we'll select the previous frame */
2041 }
2042 }
2043 }
2046 /* There are no frames displayed at all. */
2049 /* Either the frame that was selected passed the filter, or we've
2050 found the nearest displayed frame to that frame. Select it, make
2051 it the focus row, and make it visible. */
2052 /* Set to invalid to force update of packet list and packet details */
2057 /* We didn't find a row corresponding to this frame.
2058 This means that the frame isn't being displayed currently,
2059 so we can't select it. */
2063 }
2064 }
2065 }
2067 /* If another rescan (due to dfilter change) or redissection (due to profile
2068 * change) was requested, the rescan above is aborted and restarted here. */
2072 }
2073 }
2076 /*
2077 * Scan through all frame data and recalculate the ref time
2078 * without rereading the file.
2079 * XXX - do we need a progress bar or is this fast enough?
2080 */
2081 void
2083 {
2086 nstime_t rel_ts;
2095 /* just add some value here until we know if it is being displayed or not */
2098 /*
2099 * Timestamps
2100 */
2103 /* If we don't have the time stamp of the first packet in the
2104 capture, it's because this is the first packet. Save the time
2105 stamp of this packet as the time stamp of the first packet. */
2108 /* if this frames is marked as a reference time frame, reset
2109 firstsec and firstusec to this frame */
2113 /* Get the time elapsed between the first packet and this one. */
2117 /* If it's greater than the current elapsed time, set the elapsed
2118 time to it (we check for "greater than" so as not to be
2119 confused by time moving backwards). */
2121 || ((int32_t)cf->elapsed_time.secs == rel_ts.secs && (int32_t)cf->elapsed_time.nsecs < rel_ts.nsecs)) {
2123 }
2125 /* If this frame is displayed, get the time elapsed between the
2126 previous displayed packet and this packet. */
2127 /* XXX: What if in the future we want to use the previously
2128 * displayed frame for something else, too? Then we'd want
2129 * to store this frame as prev_dis even if it doesn't have a
2130 * timestamp. */
2132 /* If we don't have the time stamp of the previous displayed
2133 packet, it's because this is the first displayed packet.
2134 Save the time stamp of this packet as the time stamp of
2135 the previous displayed packet. */
2138 }
2142 }
2144 /* If this frame doesn't have a timestamp, don't calculate
2145 anything with relative times. */
2146 /* However, if this frame is marked as a reference time frame,
2147 clear the reference frame so that the next frame with a
2148 timestamp becomes the reference frame. */
2151 }
2152 }
2154 /*
2155 * Byte counts
2156 */
2158 /* This frame either passed the display filter list or is marked as
2159 a time reference frame. All time reference frames are displayed
2160 even if they don't pass the display filter */
2162 /* if this was a TIME REF frame we should reset the cum_bytes field */
2166 /* increase cum_bytes with this packets length */
2168 }
2169 }
2170 }
2171 }
2174 PSP_FINISHED,
2175 PSP_STOPPED,
2176 PSP_FAILED
2179 static psp_return_t
2186 {
2189 wtap_rec rec;
2197 range_process_e process_this;
2202 /* Count of packets at which we've looked. */
2204 /* Progress so far. */
2207 /* XXX - It should be ok to have multiple readers, so long as nothing
2208 * frees the epan context, e.g. rescan_packets with redissect true,
2209 * or anything that closes the file (including reload and certain forms
2210 * of saving.) This is mostly to stop cf_save_records but should probably
2211 * be handled by callers in order to allow multiple readers (e.g.,
2212 * restarting taps after adding or changing one.) We should probably
2213 * make this a real reader-writer lock.
2214 */
2218 }
2226 /* Iterate through all the packets, printing the packets that
2227 were selected by the current display filter. */
2231 /* Create the progress bar if necessary.
2232 We check on every iteration of the loop, so that it takes no
2233 longer than the standard time to create it (otherwise, for a
2234 large file, we might take considerably longer than that standard
2235 time in order to get to the next progress bar step). */
2238 terminate_is_stop,
2240 progbar_val);
2242 /*
2243 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
2244 * has elapsed. Calling update_progress_dlg and packets_bar_update will
2245 * likely trigger UI paint events, which might take a while depending on
2246 * the platform and display. Reset our timer *after* painting.
2247 */
2249 /* let's not divide by zero. I should never be started
2250 * with count == 0, so let's assert that
2251 */
2260 }
2263 /* Well, the user decided to abort the operation. Just stop,
2264 and arrange to return PSP_STOPPED to our caller, so they know
2265 it was stopped explicitly. */
2268 }
2270 progbar_count++;
2273 /* do we have to process this packet? */
2276 /* this packet uninteresting, continue with next one */
2279 /* all interesting packets processed, stop the loop */
2281 }
2282 }
2284 /* Get the packet */
2286 /* Attempt to get the packet failed. */
2289 }
2290 /* Process the packet */
2292 /* Callback failed. We assume it reported the error appropriately. */
2295 }
2297 }
2299 /* We're done printing the packets; destroy the progress bar if
2300 it was created. */
2311 }
2314 epan_dissect_t edt;
2318 static bool
2320 {
2327 }
2329 cf_read_status_t
2331 {
2332 packet_range_t range;
2333 retap_callback_args_t callback_args;
2337 psp_return_t ret;
2339 /* Presumably the user closed the capture file. */
2342 }
2344 /* XXX - If cf->read_lock is true, process_specified_records will fail
2345 * due to a nested call. We fail here so that we don't reset the tap
2346 * listeners if this tap isn't going to succeed.
2347 */
2351 }
2355 /* Do we have any tap listeners with filters? */
2358 /* Update references in filters (if any) for the protocol
2359 * tree corresponding to the currently selected frame in the GUI. */
2360 /* XXX - What if we *don't* have a currently selected frame in the GUI,
2361 * but we did the last time we loaded field references? Then they'll
2362 * match something instead of nothing (unless they've been recompiled).
2363 * Should we have a way to clear the field references even with a NULL tree?
2364 */
2368 }
2370 /* Get the union of the flags for all tap listeners. */
2373 /* If any tap listeners require the columns, construct them. */
2376 /*
2377 * Determine whether we need to create a protocol tree.
2378 * We do if:
2379 *
2380 * one of the tap listeners is going to apply a filter;
2381 *
2382 * one of the tap listeners requires a protocol tree.
2383 */
2384 create_proto_tree =
2387 /* Reset the tap listeners. */
2393 /* Iterate through the list of packets, dissecting all packets and
2394 re-running the taps. */
2399 /* We're not done with the sequential read of the file and might
2400 * add more frames while process_specified_records is going. We
2401 * don't want to tap new frames twice, so limit the range to the
2402 * frames already here.
2403 *
2404 * cf_read sets read_lock so we don't tap in case of an offline
2405 * file, but cf_continue_tail and cf_finish_tail don't, and we
2406 * don't want them to, because tapping new packets in a live
2407 * capture is a common use case.
2408 *
2409 * Note that most other users of process_specified_records (saving,
2410 * printing) do want to process new packets, unlike taps.
2411 */
2417 /* range_t treats a missing number as meaning 1, not 0, and
2418 * reverses the order if backwards; thus the syntax -0 means
2419 * 0-1, so to only take zero packets we do this.
2420 */
2422 }
2424 }
2437 /* Completed successfully. */
2441 /* Well, the user decided to abort the refiltering.
2442 Return CF_READ_ABORTED so our caller knows they did that. */
2446 /* Error while retapping. */
2448 }
2452 }
2466 epan_dissect_t edt;
2469 static bool
2471 {
2483 /* Fill in the column information if we're printing the summary
2484 information. */
2496 /*
2497 * Print another header line if we print a packet summary on the
2498 * new page.
2499 */
2506 }
2507 }
2509 /*
2510 * We generate bookmarks, if the output format supports them.
2511 * The name is "__frameN__".
2512 */
2522 }
2528 /* Find the length of the string for this column. */
2533 /* Make sure there's room in the line buffer for the column; if not,
2534 double its length. */
2541 }
2543 /* Right-justify the packet number column. */
2546 else
2551 }
2554 /*
2555 * Generate a bookmark, using the summary line as the title.
2556 */
2564 /*
2565 * Generate a bookmark, using "Frame N" as the title, as we're not
2566 * printing the summary line.
2567 */
2570 bookmark_title))
2576 /* Separate the summary line from the tree with a blank line. */
2579 }
2581 /* Print the information in that tree. */
2587 /* Print a blank line if we print anything after this (aka more than one packet). */
2590 /* Print a header line if we print any more packet summaries */
2593 }
2596 if (args->print_args->print_summary || (args->print_args->print_dissections != print_dissections_none)) {
2599 }
2600 /* Print the full packet data as hex. */
2604 /* Print a blank line if we print anything after this (aka more than one packet). */
2607 /* Print a header line if we print any more packet summaries */
2614 /* do we want to have a formfeed between each packet from now on? */
2617 }
2621 fail:
2624 }
2626 cf_print_status_t
2629 {
2630 print_callback_args_t callback_args;
2635 psp_return_t ret;
2655 }
2658 /* We're printing packet summaries. Allocate the header line buffer
2659 and get the column widths. */
2662 /* Find the number of visible columns and the last visible column */
2671 num_visible_col++;
2673 }
2674 }
2676 /* if num_visible_col is 0, we are done */
2680 }
2682 /* Find the widths for each of the columns - maximum of the
2683 width of the title and the width of the data - and construct
2684 a buffer with a line containing the column titles. */
2701 /* Save the order of visible columns */
2704 /* Don't pad the last column. */
2712 }
2714 /* Find the length of the string for this column. */
2719 /* Make sure there's room in the line buffer for the column; if not,
2720 double its length. */
2728 }
2730 /* Right-justify the packet number column. */
2731 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER || cf->cinfo.col_fmt[i] == COL_NUMBER_DIS)
2732 snprintf(cp, column_len+1, "%*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2733 else*/
2734 snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2739 visible_col_count++;
2740 }
2743 /* Now start out the main line buffer with the same length as the
2744 header line buffer. */
2749 /* Create the protocol tree, and make it visible, if we're printing
2750 the dissection or the hex data.
2751 XXX - do we need it if we're just printing the hex data? */
2752 proto_tree_needed =
2758 /* Iterate through the list of packets, printing the packets we were
2759 told to print. */
2772 /* Completed successfully. */
2776 /* Well, the user decided to abort the printing.
2778 XXX - note that what got generated before they did that
2779 will get printed if we're piping to a print program; we'd
2780 have to write to a file and then hand that to the print
2781 program to make it actually not print anything. */
2785 /* Error while printing.
2787 XXX - note that what got generated before they did that
2788 will get printed if we're piping to a print program; we'd
2789 have to write to a file and then hand that to the print
2790 program to make it actually not print anything. */
2793 }
2798 }
2804 }
2808 epan_dissect_t edt;
2810 json_dumper jdumper;
2813 static bool
2816 {
2819 /* Create the protocol tree, but don't fill in the column information. */
2822 /* Write out the information in that tree. */
2828 }
2830 cf_print_status_t
2832 {
2833 write_packet_callback_args_t callback_args;
2835 psp_return_t ret;
2845 }
2851 /* Iterate through the list of packets, printing the packets we were
2852 told to print. */
2862 /* Completed successfully. */
2866 /* Well, the user decided to abort the printing. */
2870 /* Error while printing. */
2873 }
2879 }
2881 /* XXX - check for an error */
2885 }
2887 static bool
2890 {
2893 /* Fill in the column information */
2898 /* Write out the column information. */
2904 }
2906 cf_print_status_t
2908 {
2909 write_packet_callback_args_t callback_args;
2911 psp_return_t ret;
2923 }
2928 /* Fill in the column information, only create the protocol tree
2929 if having custom columns or field extractors. */
2933 /* Iterate through the list of packets, printing the packets we were
2934 told to print. */
2944 /* Completed successfully. */
2948 /* Well, the user decided to abort the printing. */
2952 /* Error while printing. */
2955 }
2961 }
2963 /* XXX - check for an error */
2967 }
2969 static bool
2972 {
2979 /* Write out the column information. */
2985 }
2987 cf_print_status_t
2989 {
2990 write_packet_callback_args_t callback_args;
2993 psp_return_t ret;
3003 }
3008 /* only create the protocol tree if having custom columns or field extractors. */
3012 /* Iterate through the list of packets, printing the packets we were
3013 told to print. */
3023 /* Completed successfully. */
3027 /* Well, the user decided to abort the printing. */
3031 /* Error while printing. */
3034 }
3036 /* XXX - check for an error */
3040 }
3042 static bool
3045 {
3053 }
3055 cf_print_status_t
3057 {
3058 write_packet_callback_args_t callback_args;
3060 psp_return_t ret;
3070 }
3076 /* Iterate through the list of packets, printing the packets we were
3077 told to print. */
3087 /* Completed successfully. */
3090 /* Well, the user decided to abort the printing. */
3093 /* Error while printing. */
3096 }
3100 }
3102 static bool
3105 {
3108 /* Create the protocol tree, but don't fill in the column information. */
3111 /* Write out the information in that tree. */
3120 }
3122 cf_print_status_t
3124 {
3125 write_packet_callback_args_t callback_args;
3127 psp_return_t ret;
3137 }
3143 /* Iterate through the list of packets, printing the packets we were
3144 told to print. */
3154 /* Completed successfully. */
3158 /* Well, the user decided to abort the printing. */
3162 /* Error while printing. */
3165 }
3171 }
3173 /* XXX - check for an error */
3177 }
3179 bool
3182 {
3183 match_data mdata;
3196 }
3200 }
3201 }
3203 }
3205 field_info*
3207 {
3208 match_data mdata;
3215 /* Iterate through all the nodes looking for matching text */
3220 }
3223 }
3225 static match_result
3228 {
3230 epan_dissect_t edt;
3232 /* Load the frame's data. */
3234 /* Attempt to get the packet failed. */
3236 }
3238 /* Construct the protocol tree, including the displayed text */
3240 /* We don't need the column information */
3243 /* Iterate through all the nodes, seeing if they have text that matches. */
3248 /* We don't care about the direction here, because we're just looking
3249 * for one match and we'll destroy this tree anyway. (We find the actual
3250 * field later in PacketList::selectionChanged().) Forwards is faster.
3251 */
3255 }
3257 static void
3259 {
3272 /* dissection with an invisible proto tree? */
3276 /* We already had a match; don't bother doing any more work. */
3278 }
3280 /* Don't match invisible entries. */
3285 /* Haven't found the old match, so don't match this node. */
3287 /* Found the old match, look for the next one after this. */
3289 }
3291 /* was a free format label produced? */
3295 /* no, make a generic label */
3298 }
3305 }
3307 /* Case insensitive match */
3315 /* If c_match is non-zero, save candidate for retrying full match. */
3319 c_match++;
3323 /* No need to look further; we have a match */
3325 }
3332 }
3334 /* Case sensitive match */
3338 }
3339 }
3341 /* Recurse into the subtree, if it exists */
3344 }
3346 static void
3348 {
3361 /* dissection with an invisible proto tree? */
3364 /* We don't have an easy way to search backwards in the tree
3365 * (see also, proto_find_field_from_offset()) because we don't
3366 * have a previous node pointer, so we search backwards by
3367 * searching forwards, only stopping if we see the old match
3368 * (if we have one).
3369 */
3373 }
3375 /* Don't match invisible entries. */
3380 /* Found the old match, use the previous match. */
3383 }
3385 /* was a free format label produced? */
3389 /* no, make a generic label */
3392 }
3398 }
3400 /* Case insensitive match */
3408 /* If c_match is non-zero, save candidate for retrying full match. */
3412 c_match++;
3417 }
3424 }
3426 /* Case sensitive match */
3429 }
3431 /* Recurse into the subtree, if it exists */
3434 }
3436 bool
3438 search_direction dir)
3439 {
3440 match_data mdata;
3445 }
3447 static match_result
3450 {
3454 epan_dissect_t edt;
3463 /* Load the frame's data. */
3465 /* Attempt to get the packet failed. */
3467 }
3469 /* Don't bother constructing the protocol tree */
3471 /* Get the column information */
3474 /* Find the Info column */
3477 /* Found it. See if we match. */
3484 }
3486 /* Case insensitive match */
3493 /* If c_match is non-zero, save candidate for retrying full match. */
3497 c_match++;
3501 }
3508 }
3510 /* Case sensitive match */
3512 }
3514 }
3515 }
3518 }
3527 /*
3528 * The current match_* routines only support ASCII case insensitivity and don't
3529 * convert UTF-8 inputs to UTF-16 for matching. The UTF-16 support just
3530 * interleaves with \0 bytes, which works for 7 bit ASCII.
3531 *
3532 * We could modify them to use the GLib Unicode routines or the International
3533 * Components for Unicode library but it's not apparent that we could do so
3534 * without consuming a lot more CPU and memory or that searching would be
3535 * significantly better.
3536 *
3537 * XXX: We could test the search string to see if it's all ASCII, and if not
3538 * use Unicode aware routines for case insensitive searches or any UTF-16
3539 * search.
3540 */
3542 bool
3545 {
3546 cbs_t info;
3549 ws_match_function match_function;
3554 /* Regex, String or hex search? */
3556 /* Regular Expression search */
3559 /* String search - what type of string? */
3569 match_function = (dir == SD_FORWARD) ? match_narrow_and_wide_case : match_narrow_and_wide_case_reverse;
3583 }
3593 /* Narrow, case-sensitive match is the same as looking
3594 * for a converted hexstring. */
3605 }
3606 }
3609 }
3612 /* Use the current frame (this will perform the equivalent of
3613 * cf_read_current_record() in match_function).
3614 */
3619 /* The regex match can match an empty string. */
3621 fi = proto_find_field_from_offset(cf->edt->tree, cf->search_pos + cf->search_len - 1, cf->edt->tvb);
3622 }
3626 }
3629 }
3630 }
3634 }
3636 static match_result
3639 {
3643 match_result result;
3650 /* Load the frame's data. */
3652 /* Attempt to get the packet failed. */
3654 }
3662 /* we want to start searching one byte past the previous match start */
3664 }
3668 /* Try narrow match at this start location */
3673 c_match++;
3676 /* Save position and length for highlighting the field. */
3680 }
3683 }
3684 }
3686 /* Now try wide match at the same start location. */
3691 c_match++;
3694 /* Save position and length for highlighting the field. */
3698 }
3699 i++;
3703 }
3704 }
3705 }
3707 done:
3709 }
3711 static match_result
3714 {
3718 match_result result;
3725 /* Load the frame's data. */
3727 /* Attempt to get the packet failed. */
3729 }
3732 /* Has to be room to hold the sought data. */
3735 }
3741 /* we want to start searching one byte before the previous match start */
3743 }
3747 /* Try narrow match at this start location */
3752 c_match++;
3755 /* Save position and length for highlighting the field. */
3759 }
3762 }
3763 }
3765 /* Now try wide match at the same start location. */
3770 c_match++;
3773 /* Save position and length for highlighting the field. */
3777 }
3778 i++;
3782 }
3783 }
3784 }
3786 done:
3788 }
3790 /* Case insensitive match */
3791 static match_result
3794 {
3799 match_result result;
3806 /* Load the frame's data. */
3808 /* Attempt to get the packet failed. */
3810 }
3820 /* we want to start searching one byte past the previous match start */
3822 }
3826 /* Try narrow match at this start location */
3831 c_match++;
3834 /* Save position and length for highlighting the field. */
3838 }
3841 }
3842 }
3844 /* Now try wide match at the same start location. */
3849 c_match++;
3852 /* Save position and length for highlighting the field. */
3856 }
3857 i++;
3861 }
3862 }
3863 }
3865 done:
3867 }
3869 static match_result
3872 {
3877 match_result result;
3884 /* Load the frame's data. */
3886 /* Attempt to get the packet failed. */
3888 }
3893 /* Has to be room to hold the sought data. */
3896 }
3902 /* we want to start searching one byte before the previous match start */
3904 }
3908 /* Try narrow match at this start location */
3913 c_match++;
3916 /* Save position and length for highlighting the field. */
3920 }
3923 }
3924 }
3926 /* Now try wide match at the same start location. */
3931 c_match++;
3934 /* Save position and length for highlighting the field. */
3938 }
3939 i++;
3943 }
3944 }
3945 }
3947 done:
3949 }
3951 /* Case insensitive match */
3952 static match_result
3955 {
3960 match_result result;
3967 /* Load the frame's data. */
3969 /* Attempt to get the packet failed. */
3971 }
3981 /* we want to start searching one byte past the previous match start */
3983 }
3991 c_match++;
3993 /* Save position and length for highlighting the field. */
3998 }
4001 }
4002 }
4003 }
4005 done:
4007 }
4009 static match_result
4012 {
4017 match_result result;
4024 /* Load the frame's data. */
4026 /* Attempt to get the packet failed. */
4028 }
4033 /* Has to be room to hold the sought data. */
4036 }
4042 /* we want to start searching one byte before the previous match start */
4044 }
4052 c_match++;
4054 /* Save position and length for highlighting the field. */
4059 }
4062 }
4063 }
4064 }
4066 done:
4068 }
4070 static match_result
4073 {
4077 match_result result;
4084 /* Load the frame's data. */
4086 /* Attempt to get the packet failed. */
4088 }
4096 /* we want to start searching one byte past the previous match start */
4098 }
4106 c_match++;
4109 /* Save position and length for highlighting the field. */
4113 }
4114 i++;
4118 }
4119 }
4120 }
4122 done:
4124 }
4126 static match_result
4129 {
4133 match_result result;
4140 /* Load the frame's data. */
4142 /* Attempt to get the packet failed. */
4144 }
4147 /* Has to be room to hold the sought data. */
4150 }
4156 /* we want to start searching one byte before the previous match start */
4158 }
4166 c_match++;
4169 /* Save position and length for highlighting the field. */
4173 }
4174 i++;
4178 }
4179 }
4180 }
4182 done:
4184 }
4186 /* Case insensitive match */
4187 static match_result
4190 {
4195 match_result result;
4202 /* Load the frame's data. */
4204 /* Attempt to get the packet failed. */
4206 }
4216 /* we want to start searching one byte past the previous match start */
4218 }
4226 c_match++;
4229 /* Save position and length for highlighting the field. */
4233 }
4234 i++;
4238 }
4239 }
4240 }
4242 done:
4244 }
4246 /* Case insensitive match */
4247 static match_result
4250 {
4255 match_result result;
4262 /* Load the frame's data. */
4264 /* Attempt to get the packet failed. */
4266 }
4271 /* Has to be room to hold the sought data. */
4274 }
4280 /* we want to start searching one byte before the previous match start */
4282 }
4290 c_match++;
4293 /* Save position and length for highlighting the field. */
4297 }
4298 i++;
4302 }
4303 }
4304 }
4306 done:
4308 }
4310 static match_result
4313 {
4316 match_result result;
4319 /* Load the frame's data. */
4321 /* Attempt to get the packet failed. */
4323 }
4329 /* we want to start searching one byte past the previous match start */
4331 }
4334 }
4337 /* Save position and length for highlighting the field. */
4340 }
4343 }
4345 static match_result
4348 {
4351 match_result result;
4354 /* Load the frame's data. */
4356 /* Attempt to get the packet failed. */
4358 }
4362 /* Has to be room to hold the sought data. */
4365 }
4368 /* we want to start searching one byte before the previous match start */
4370 }
4376 /* Save position and length for highlighting the field. */
4380 }
4381 }
4384 }
4386 static match_result
4389 {
4393 /* Load the frame's data. */
4395 /* Attempt to get the packet failed. */
4397 }
4401 /* we want to start searching one byte past the previous match start */
4403 }
4408 result_pos)) {
4409 //TODO: A chosen regex can match the empty string (zero length)
4410 // which doesn't make a lot of sense for searching the packet bytes.
4411 // Should we search with the PCRE2_NOTEMPTY option?
4412 //TODO: Fix cast.
4413 /* Save position and length for highlighting the field. */
4417 }
4418 }
4420 }
4422 static match_result
4425 {
4429 /* Load the frame's data. */
4431 /* Attempt to get the packet failed. */
4433 }
4437 /* we want to start searching one byte before the previous match */
4439 }
4444 result_pos)) {
4445 //TODO: A chosen regex can match the empty string (zero length)
4446 // which doesn't make a lot of sense for searching the packet bytes.
4447 // Should we search with the PCRE2_NOTEMPTY option?
4448 //TODO: Fix cast.
4449 /* Save position and length for highlighting the field. */
4454 }
4455 }
4457 }
4459 bool
4462 {
4464 }
4466 bool
4468 search_direction dir)
4469 {
4474 /*
4475 * XXX - this shouldn't happen, as the filter string is machine
4476 * generated
4477 */
4479 }
4481 /*
4482 * XXX - this shouldn't happen, as the filter string is machine
4483 * generated.
4484 */
4486 }
4490 }
4492 static match_result
4495 {
4497 epan_dissect_t edt;
4498 match_result result;
4500 /* Load the frame's data. */
4502 /* Attempt to get the packet failed. */
4504 }
4512 }
4514 bool
4516 {
4518 }
4520 static match_result
4523 {
4525 }
4527 bool
4529 {
4531 }
4533 static match_result
4536 {
4538 }
4540 static bool
4543 {
4548 wtap_rec rec;
4557 match_result result;
4567 }
4569 /* Iterate through the list of packets, starting at the packet we've
4570 picked, calling a routine to run the filter on the packet, see if
4571 it matches, and stop if so. */
4575 /* If we have no start packet selected, and we're going backwards,
4576 * start at the end (even if wrap is off.)
4577 */
4579 }
4582 /* Progress so far. */
4588 /* Create the progress bar if necessary.
4589 We check on every iteration of the loop, so that it takes no
4590 longer than the standard time to create it (otherwise, for a
4591 large file, we might take considerably longer than that standard
4592 time in order to get to the next progress bar step). */
4597 /*
4598 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
4599 * has elapsed. Calling update_progress_dlg and packets_bar_update will
4600 * likely trigger UI paint events, which might take a while depending on
4601 * the platform and display. Reset our timer *after* painting.
4602 */
4604 /* let's not divide by zero. I should never be started
4605 * with count == 0, so let's assert that
4606 */
4616 }
4619 /* Well, the user decided to abort the search. Go back to the
4620 frame where we started.
4621 XXX - This ends up selecting the start packet and reporting
4622 "success". Perhaps new_fd should stay NULL? */
4625 }
4627 /* Go past the current frame. */
4629 /* Go on to the previous frame. */
4631 /*
4632 * XXX - other apps have a bit more of a detailed message
4633 * for this, and instead of offering "OK" and "Cancel",
4634 * they offer things such as "Continue" and "Cancel";
4635 * we need an API for popping up alert boxes with
4636 * {Verb} and "Cancel".
4637 */
4646 }
4648 framenum--;
4650 /* Go on to the next frame. */
4659 }
4661 framenum++;
4662 }
4665 count++;
4667 /* Is this packet in the display? */
4669 /* Yes. Does it match the search criterion? */
4672 /* Error; our caller has reported the error. Go back to the frame
4673 where we started.
4674 XXX - This ends up selecting the start packet and reporting
4675 "success." Perhaps new_fd should stay NULL? */
4679 /* Yes. Go to the new frame. */
4682 }
4684 }
4687 /* We're back to the frame we were on originally, and that frame
4688 doesn't match the search filter. The search failed. */
4690 }
4691 }
4693 /* We're done scanning the packets; destroy the progress bar if it
4694 was created. */
4700 /* We found a frame that's displayed and that matches.
4701 Try to find and select the packet summary list row for that frame. */
4708 /* We didn't find a row corresponding to this frame.
4709 This means that the frame isn't being displayed currently,
4710 so we can't select it. */
4723 }
4725 bool
4727 {
4731 /* we don't have a loaded capture file - fix for bugs 11810 & 11989 */
4734 }
4739 /* we didn't find a packet with that packet number */
4742 }
4744 /* that packet currently isn't displayed */
4745 /* XXX - add it to the set of displayed packets? */
4747 /* We only want that exact frame, or no frames are displayed. */
4750 }
4752 /* There is no previous displayed frame, so this frame is
4753 * before the first displayed frame. Go to the first line,
4754 * which is the closest frame.
4755 */
4757 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the first displayed packet, %u.", fnumber, cf->first_displayed);
4760 /* The next displayed frame might be closer, we can do an
4761 * O(log n) binary search for the earliest displayed frame
4762 * in the open interval (fnumber, fnumber + delta).
4763 *
4764 * This is possibly overkill, we could just go to the previous
4765 * displayed frame.
4766 */
4775 /* We don't have a frame of that number, so search before it. */
4778 }
4779 /* We have a frame of that number. What's the displayed
4780 * frame before it? */
4782 /* The previous frame that passed the filter is also after
4783 * our target, so our answer is no later than that.
4784 */
4787 /* The previous displayed frame is before fnumber.
4788 * (We already know fnumber itself is not displayed.)
4789 * Is this frame itself displayed?
4790 */
4792 /* Yes. So this is our answer. */
4795 }
4796 /* No. So our answer, if any, is after this frame. */
4798 }
4799 }
4802 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the next displayed packet, %u.", fnumber, fdata->num);
4804 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the previous displayed packet, %u.", fnumber, fdata->prev_dis_num);
4806 }
4807 }
4808 }
4811 /* We didn't find a row corresponding to this frame.
4812 This means that the frame isn't being displayed currently,
4813 so we can't select it. */
4818 }
4820 }
4822 /*
4823 * Go to frame specified by currently selected protocol tree item.
4824 */
4825 bool
4827 {
4837 /* We probably only want to go to the exact match,
4838 * even though "Go to Previous Packet in History" exists.
4839 */
4841 }
4842 }
4843 }
4846 }
4848 /* Select the packet on a given row. */
4849 void
4851 {
4854 /* check the frame data struct pointer for this frame */
4857 }
4859 /* Get the data in that frame. */
4862 }
4864 /* Record that this frame is the current frame. */
4867 /*
4868 * The change to defer freeing the current epan_dissect_t was in
4869 * commit a2bb94c3b33d53f42534aceb7cc67aab1d1fb1f9; to quote
4870 * that commit's comment:
4871 *
4872 * Clear GtkTreeStore before freeing edt
4873 *
4874 * When building current data for packet details treeview we store two
4875 * things.
4876 * - Generated string with item label
4877 * - Pointer to node field_info structure
4878 *
4879 * After epan_dissect_{free, cleanup} pointer to field_info node is no
4880 * longer valid so we should clear GtkTreeStore before freeing.
4881 *
4882 * XXX - we're no longer using GTK+; is there a way to ensure that
4883 * *nothing* refers to any of the current frame information before
4884 * we replace it?
4885 */
4887 /* Create the logical protocol tree. */
4888 /* We don't need the columns here. */
4896 }
4898 /* Unselect the selected packet, if any. */
4899 void
4901 {
4904 /*
4905 * See the comment in cf_select_packet() about deferring the freeing
4906 * of the old cf->edt.
4907 */
4910 /* No packet is selected. */
4913 /* Destroy the epan_dissect_t for the unselected packet. */
4916 }
4918 /*
4919 * Mark a particular frame.
4920 */
4921 void
4923 {
4928 }
4929 }
4931 /*
4932 * Unmark a particular frame.
4933 */
4934 void
4936 {
4941 }
4942 }
4944 /*
4945 * Ignore a particular frame.
4946 */
4947 void
4949 {
4954 }
4955 }
4957 /*
4958 * Un-ignore a particular frame.
4959 */
4960 void
4962 {
4967 }
4968 }
4970 /*
4971 * Modify the section comment.
4972 */
4973 void
4975 {
4976 wtap_block_t shb_inf;
4979 /* Get the first SHB. */
4980 /* XXX - support multiple SHBs */
4983 /* Get the first comment from the SHB. */
4984 /* XXX - support multiple comments */
4985 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, 0, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
4986 /* There's no comment - add one. */
4989 /* See if the comment has changed or not */
4993 }
4995 /* The comment has changed, let's update it */
4997 }
4998 /* Mark the file as having unsaved changes */
5000 }
5002 /*
5003 * Modify the section comments for a given section.
5004 */
5005 void
5007 {
5008 wtap_block_t shb_inf;
5013 /* Shouldn't happen. XXX: Report it if it does? */
5015 }
5023 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, i, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5024 /* There's no comment - add one. */
5028 /* See if the comment has changed or not */
5030 /* The comment has changed, let's update it */
5033 }
5035 }
5036 }
5037 /* We either transferred ownership of the comments or freed them
5038 * above, so free the array of strings but not the strings themselves. */
5041 /* If there are extra old comments, remove them. Start at the end. */
5045 }
5046 }
5048 /*
5049 * Get the packet block for a packet (record).
5050 * If the block has been edited, it returns the result of the edit,
5051 * otherwise it returns the block from the file.
5052 * NB. Caller must wtap_block_unref() the result when done.
5053 */
5054 wtap_block_t
5056 {
5057 /* If this block has been modified, fetch the modified version */
5062 wtap_block_t block;
5064 /* fetch record block */
5070 /* rec.block is owned by the record, steal it before it is gone. */
5075 }
5076 }
5078 /*
5079 * Update(replace) the block on a capture from a frame
5080 */
5081 bool
5083 {
5086 /* It's possible to further modify the modified block "in place" by doing
5087 * a call to cf_get_packet_block() that returns an already created modified
5088 * block, modifying that, and calling this function.
5089 * If the caller did that, then the block pointers will be equal.
5090 */
5092 /* No need to save anything here, the caller changes went right
5093 * onto the block.
5094 * Unfortunately we don't have a way to know how many comments were
5095 * in the block before the caller modified it, so tell the caller
5096 * it is its responsibility to update the comment count.
5097 */
5099 }
5110 }
5112 /* Either way, we have unsaved changes. */
5116 }
5118 /*
5119 * What types of comments does this capture file have?
5120 */
5121 uint32_t
5123 {
5126 /*
5127 * Does this file have any sections with at least one comment?
5128 */
5131 section_number++) {
5132 wtap_block_t shb_inf;
5137 /* Try to get the first comment from that SHB. */
5140 /* We succeeded, so this file has at least one section comment. */
5143 /* We don't need to search any more. */
5145 }
5146 }
5150 }
5152 /*
5153 * Add a resolved address to this file's list of resolved addresses.
5154 */
5155 bool
5157 {
5158 /*
5159 * XXX - support multiple resolved address lists, and add to the one
5160 * attached to this file?
5161 */
5165 /* OK, we have unsaved changes. */
5168 }
5177 /*
5178 * Save a capture to a file, in a particular format, saving either
5179 * all packets, all currently-displayed packets, or all marked packets.
5180 *
5181 * Returns true if it succeeds, false otherwise; if it fails, it pops
5182 * up a message box for the failure.
5183 */
5184 static bool
5186 {
5188 wtap_rec new_rec;
5191 wtap_block_t pkt_block;
5193 /* Copy the record information from what was read in from the file. */
5196 /* Make changes based on anything that the user has done but that
5197 hasn't been saved yet. */
5200 else
5208 }
5209 }
5211 /* and save the packet */
5216 }
5218 /* If we are saving (i.e., replacing the current file with the one we're
5219 * writing), then update the frame data to clear the shift offset.
5220 * This keeps us from having to re-read the entire file.
5221 * We could do this in rescan_file(), but
5222 * 1) Ideally we shouldn't have to call rescan_file if all we're doing
5223 * is changing the timestamps, since that shouldn't change the offsets.
5224 * 2) The long term goal is to try to do the offset adjustment here
5225 * instead of using rescan_file, which should be faster (#1257).
5226 *
5227 * If we're exporting to a different file, then don't do that.
5228 */
5231 }
5234 }
5236 /*
5237 * Can this capture file be written out in any format using Wiretap
5238 * rather than by copying the raw data?
5239 */
5240 bool
5242 {
5243 /* We don't care whether we support the comments in this file or not;
5244 if we can't, we'll offer the user the option of discarding the
5245 comments. */
5247 }
5249 /*
5250 * Should we let the user do a save?
5251 *
5252 * We should if:
5253 *
5254 * the file has unsaved changes, and we can save it in some
5255 * format through Wiretap
5256 *
5257 * or
5258 *
5259 * the file is a temporary file and has no unsaved changes (so
5260 * that "saving" it just means copying it).
5261 *
5262 * XXX - we shouldn't allow files to be edited if they can't be saved,
5263 * so cf->unsaved_changes should be true only if the file can be saved.
5264 *
5265 * We don't care whether we support the comments in this file or not;
5266 * if we can't, we'll offer the user the option of discarding the
5267 * comments.
5268 */
5269 bool
5271 {
5273 /* Saved changes, and we can write it out with Wiretap. */
5275 }
5278 /*
5279 * Temporary file with no unsaved changes, so we can just do a
5280 * raw binary copy.
5281 */
5283 }
5285 /* Nothing to save. */
5287 }
5289 /*
5290 * Should we let the user do a "save as"?
5291 *
5292 * That's true if:
5293 *
5294 * we can save it in some format through Wiretap
5295 *
5296 * or
5297 *
5298 * the file is a temporary file and has no unsaved changes (so
5299 * that "saving" it just means copying it).
5300 *
5301 * XXX - we shouldn't allow files to be edited if they can't be saved,
5302 * so cf->unsaved_changes should be true only if the file can be saved.
5303 *
5304 * We don't care whether we support the comments in this file or not;
5305 * if we can't, we'll offer the user the option of discarding the
5306 * comments.
5307 */
5308 bool
5310 {
5312 /* We can write it out with Wiretap. */
5314 }
5317 /*
5318 * Temporary file with no unsaved changes, so we can just do a
5319 * raw binary copy.
5320 */
5322 }
5324 /* Nothing to save. */
5326 }
5328 /*
5329 * Does this file have unsaved data?
5330 */
5331 bool
5333 {
5334 /*
5335 * If this is a temporary file, or a file with unsaved changes, it
5336 * has unsaved data.
5337 */
5339 }
5341 /*
5342 * Quick scan to find packet offsets.
5343 */
5344 static cf_read_status_t
5346 {
5347 wtap_rec rec;
5361 /* Close the old handle. */
5364 /* Open the new file. */
5365 /* XXX: this will go through all open_routines for a matching one. But right
5366 now rescan_file() is only used when a file is being saved to a different
5367 format than the original, and the user is not given a choice of which
5368 reader to use (only which format to save it in), so doing this makes
5369 sense for now. (XXX: Now it is also used when saving a changed file,
5370 e.g. comments or time-shifted frames.) */
5375 }
5377 /* We're scanning a file whose contents should be the same as what
5378 we had before, so we don't discard dissection state etc.. */
5381 /* Set the file name because we need it to set the follow stream filter.
5382 XXX - is that still true? We need it for other reasons, though,
5383 in any case. */
5386 }
5389 /* Indicate whether it's a permanent or temporary file. */
5392 /* No user changes yet. */
5395 /* Record the file's type and compression type. */
5400 }
5409 /* Find the size of the file. */
5421 framenum++;
5425 }
5429 /* Create the progress bar if necessary. */
5434 }
5436 /*
5437 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
5438 * has elapsed. Calling update_progress_dlg and packets_bar_update will
5439 * likely trigger UI paint events, which might take a while depending on
5440 * the platform and display. Reset our timer *after* painting.
5441 */
5444 /* update the packet bar content on the first run or frequently on very large files */
5449 }
5450 }
5453 /* Well, the user decided to abort the rescan. Sadly, as this
5454 isn't a reread, recovering is difficult, so we'll just
5455 close the current capture. */
5457 }
5459 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
5460 it's not already there.
5461 XXX - yes, this is O(N), so if every packet had a different
5462 link-layer encapsulation type, it'd be O(N^2) to read the file, but
5463 there are probably going to be a small number of encapsulation types
5464 in a file. */
5467 }
5469 }
5472 /* Free the display name */
5475 /* We're done reading the file; destroy the progress bar if it was created. */
5480 /* We're done reading sequentially through the file. */
5483 /* Close the sequential I/O side, to free up memory it requires. */
5486 /* compute the time it took to load the file */
5489 /* Set the file encapsulation type now; we don't know what it is until
5490 we've looked at all the packets, as we don't know until then whether
5491 there's more than one type (and thus whether it's
5492 WTAP_ENCAP_PER_PACKET). */
5498 /* Our caller will give up at this point. */
5500 }
5503 /* Put up a message box noting that the read failed somewhere along
5504 the line. Don't throw out the stuff we managed to read, though,
5505 if any. */
5510 }
5512 cf_write_status_t
5514 wtap_compression_type compression_type,
5516 {
5525 SAVE_WITH_MOVE,
5526 SAVE_WITH_COPY,
5527 SAVE_WITH_WTAP
5529 save_callback_args_t callback_args;
5533 /* XXX caller should avoid saving the file while a read is pending
5534 * (e.g. by delaying the save action) */
5536 ws_warning("cf_save_records(\"%s\") while the file is being read, potential crash ahead", fname);
5537 }
5545 && (wtap_addrinfo_list_empty(addr_lists) || wtap_file_type_subtype_supports_block(save_format, WTAP_BLOCK_NAME_RESOLUTION) == BLOCK_NOT_SUPPORTED)) {
5546 /* We're saving in the format it's already in, and we're not discarding
5547 comments, and there are no changes we have in memory that aren't saved
5548 to the file, and we have no name resolution information to write or
5549 the file format we're saving in doesn't support writing name
5550 resolution information, so we can just move or copy the raw data. */
5553 /* The file being saved is a temporary file from a live
5554 capture, so it doesn't need to stay around under that name;
5555 first, try renaming the capture buffer file to the new name.
5556 This acts as a "safe save", in that, if the file already
5557 exists, the existing file will be removed only if the rename
5558 succeeds.
5560 Sadly, on Windows, as we have the current capture file
5561 open, even MoveFileEx() with MOVEFILE_REPLACE_EXISTING
5562 (to cause the rename to remove an existing target), as
5563 done by ws_stdio_rename() (ws_rename() is #defined to
5564 be ws_stdio_rename() on Windows) will fail.
5566 According to the MSDN documentation for CreateFile(), if,
5567 when we open a capture file, we were to directly do a CreateFile(),
5568 opening with FILE_SHARE_DELETE|FILE_SHARE_READ, and then
5569 convert it to a file descriptor with _open_osfhandle(),
5570 that would allow the file to be renamed out from under us.
5572 However, that doesn't work in practice. Perhaps the problem
5573 is that the process doing the rename is the process that
5574 has the file open. */
5575 #ifndef _WIN32
5577 /* That succeeded - there's no need to copy the source file. */
5581 /* They're on different file systems, so we have to copy the
5582 file. */
5585 /* The rename failed, but not because they're on different
5586 file systems - put up an error message. (Or should we
5587 just punt and try to copy? The only reason why I'd
5588 expect the rename to fail and the copy to succeed would
5589 be if we didn't have permission to remove the file from
5590 the temporary directory, and that might be fixable - but
5591 is it worth requiring the user to go off and fix it?) */
5594 }
5595 }
5596 #else
5597 /* Windows - copy the file to its new location. */
5599 #endif
5601 /* It's a permanent file, so we should copy it, and not remove the
5602 original. */
5604 }
5607 /* Copy the file, if we haven't moved it. If we're overwriting
5608 an existing file, we do it with a "safe save", by writing
5609 to a new file and, if the write succeeds, renaming the
5610 new file on top of the old file. */
5618 }
5619 }
5621 /* Either we're saving in a different format or we're saving changes,
5622 such as added, modified, or removed comments, that haven't yet
5623 been written to the underlying file; we can't do that by copying
5624 or moving the capture file, we have to do it by writing the packets
5625 out in Wiretap. */
5627 wtap_dump_params params;
5633 /* Determine what file encapsulation type we should use. */
5637 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5641 /* We're overwriting an existing file; write out to a new file,
5642 and, if that succeeds, rename the new file on top of the
5643 old file. That makes this a "safe save", so that we don't
5644 lose the old file if we have a problem writing out the new
5645 file. (If the existing file is the current capture file,
5646 we *HAVE* to do that, otherwise we're overwriting the file
5647 from which we're reading the packets that we're writing!) */
5654 }
5655 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5662 }
5664 /* Add address resolution */
5667 /* Iterate through the list of packets, processing all the packets. */
5675 /* Completed successfully. */
5679 /* The user decided to abort the saving.
5680 If we're writing to a temporary file, remove it.
5681 XXX - should we do so even if we're not writing to a
5682 temporary file? */
5691 /* Error while saving.
5692 If we're writing to a temporary file, remove it. */
5698 }
5704 }
5707 }
5710 /* We wrote out to fname_new, and should rename it on top of
5711 fname. fname_new is now closed, so that should be possible even
5712 on Windows. However, on Windows, we first need to close whatever
5713 file descriptors we have open for fname. */
5714 #ifdef _WIN32
5716 #endif
5717 /* Now do the rename. */
5719 /* Well, the rename failed. */
5721 #ifdef _WIN32
5722 /* Attempt to reopen the random file descriptor using the
5723 current file's filename. (At this point, the sequential
5724 file descriptor is closed.) */
5726 /* Oh, well, we're screwed. */
5728 }
5729 #endif
5731 }
5733 }
5735 /* If this was a temporary file, and we didn't do the save by doing
5736 a move, so the tempoary file is still around under its old name,
5737 remove it. */
5739 /* If this fails, there's not much we can do, so just ignore errors. */
5741 }
5750 /* We just moved the file, so the wtap structure refers to the
5751 new file, and all the information other than the filename
5752 and the "is temporary" status applies to the new file; just
5753 update that. */
5761 /* We just copied the file, so all the information other than
5762 the file descriptors, the filename, and the "is temporary"
5763 status applies to the new file; just update that. */
5765 /* Attempt to reopen the random file descriptor using the
5766 new file's filename. (At this point, the sequential
5767 file descriptor is closed.) */
5775 }
5780 /* Open and read the file we saved to.
5782 XXX - this is somewhat of a waste; we already have the
5783 packets, all this gets us is updated file type information
5784 (which we could just stuff into "cf"), and having the new
5785 file be the one we have opened and from which we're reading
5786 the data, and it means we have to spend time opening and
5787 reading the file, which could be a significant amount of
5788 time if the file is large.
5790 If the capture-file-writing code were to return the
5791 seek offset of each packet it writes, we could save that
5792 in the frame_data structure for the frame, and just open
5793 the file without reading it again...
5795 ...as long as, for gzipped files, the process of writing
5796 out the file *also* generates the information needed to
5797 support fast random access to the compressed file. */
5798 /* rescan_file will cause us to try all open_routines, so
5799 reset cfile's open_type */
5801 /* There are cases when SAVE_WITH_WTAP can result in new packets
5802 being written to the file, e.g ERF records
5803 In that case, we need to reload the whole file */
5807 /* The rescan failed; just close the file. Either
5808 a dialog was popped up for the failure, so the
5809 user knows what happened, or they stopped the
5810 rescan, in which case they know what happened. */
5811 /* XXX: This is inconsistent with normal open/reload behaviour. */
5813 }
5814 }
5815 }
5818 /* The rescan failed; just close the file. Either
5819 a dialog was popped up for the failure, so the
5820 user knows what happened, or they stopped the
5821 rescan, in which case they know what happened. */
5823 }
5824 }
5826 }
5828 /* If we were told to discard the comments, do so. */
5830 /* Remove SHB comment, if any. */
5833 /* remove all user comments */
5837 // XXX: This also ignores non-comment options like verdict
5839 }
5844 }
5847 }
5848 }
5851 fail:
5853 /* We were trying to write to a temporary file; get rid of it if it
5854 exists. (We don't care whether this fails, as, if it fails,
5855 there's not much we can do about it. I guess if it failed for
5856 a reason other than "it doesn't exist", we could report an
5857 error, so the user knows there's a junk file that they might
5858 want to clean up.) */
5861 }
5864 }
5866 cf_write_status_t
5869 wtap_compression_type compression_type)
5870 {
5875 save_callback_args_t callback_args;
5876 wtap_dump_params params;
5882 /* We're writing out specified packets from the specified capture
5883 file to another file. Even if all captured packets are to be
5884 written, don't special-case the operation - read each packet
5885 and then write it out if it's one of the specified ones. */
5889 /* Determine what file encapsulation type we should use. */
5893 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5897 /* We're overwriting an existing file; write out to a new file,
5898 and, if that succeeds, rename the new file on top of the
5899 old file. That makes this a "safe save", so that we don't
5900 lose the old file if we have a problem writing out the new
5901 file. (If the existing file is the current capture file,
5902 we *HAVE* to do that, otherwise we're overwriting the file
5903 from which we're reading the packets that we're writing!) */
5910 }
5911 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5918 }
5920 /* Add address resolution */
5923 /* Iterate through the list of packets, processing the packets we were
5924 told to process.
5926 XXX - we've already called "packet_range_process_init(range)", but
5927 "process_specified_records()" will do it again. Fortunately,
5928 that's harmless in this case, as we haven't done anything to
5929 "range" since we initialized it. */
5937 /* Completed successfully. */
5941 /* The user decided to abort the saving.
5942 If we're writing to a temporary file, remove it.
5943 XXX - should we do so even if we're not writing to a
5944 temporary file? */
5949 }
5955 /* Error while saving. */
5957 /*
5958 * We don't report any error from closing; the error that caused
5959 * process_specified_records() to fail has already been reported.
5960 */
5962 }
5967 }
5970 /* We wrote out to fname_new, and should rename it on top of
5971 fname; fname is now closed, so that should be possible even
5972 on Windows. Do the rename. */
5974 /* Well, the rename failed. */
5977 }
5979 }
5984 fail:
5986 /* We were trying to write to a temporary file; get rid of it if it
5987 exists. (We don't care whether this fails, as, if it fails,
5988 there's not much we can do about it. I guess if it failed for
5989 a reason other than "it doesn't exist", we could report an
5990 error, so the user knows there's a junk file that they might
5991 want to clean up.) */
5994 }
5998 }
6000 /* Reload the current capture file. */
6001 cf_status_t
6003 {
6012 }
6014 /* If the file could be opened, "cf_open()" calls "cf_close()"
6015 to get rid of state for the old capture file before filling in state
6016 for the new capture file. "cf_close()" will remove the file if
6017 it's a temporary file; we don't want that to happen (for one thing,
6018 it'd prevent subsequent reopens from working). Remember whether it's
6019 a temporary file, mark it as not being a temporary file, and then
6020 reopen it as the type of file it was.
6022 Also, "cf_close()" will free "cf->filename", so we must make
6023 a copy of it first. */
6032 /* Just because we got an error, that doesn't mean we were unable
6033 to read any of the file; we handle what we could get from the
6034 file. */
6038 /* The user bailed out of re-reading the capture file; the
6039 capture file has been closed. */
6041 }
6043 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
6044 Instead, the file was left open, so we should restore "cf->is_tempfile"
6045 ourselves.
6047 XXX - change the menu? Presumably "cf_open()" will do that;
6048 make sure it does! */
6051 }
6052 /* "cf_open()" made a copy of the file name we handed it, so
6053 we should free up our copy. */
6056 }