| blob | f632db05792f3bd96da2ae5150f1926b631fdeca |
1 /* file.c
2 * File I/O routines
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
11 #include <config.h>
12 #define WS_LOG_DOMAIN LOG_DOMAIN_CAPTURE
14 #include <time.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <errno.h>
22 #include <wsutil/file_util.h>
23 #include <wsutil/filesystem.h>
24 #include <wsutil/json_dumper.h>
25 #include <wsutil/wslog.h>
26 #include <wsutil/ws_assert.h>
27 #include <wsutil/version_info.h>
28 #include <wsutil/report_message.h>
30 #include <wiretap/merge.h>
32 #include <epan/exceptions.h>
33 #include <epan/epan.h>
34 #include <epan/column.h>
35 #include <epan/packet.h>
36 #include <epan/column-utils.h>
37 #include <epan/expert.h>
38 #include <epan/prefs.h>
39 #include <epan/dfilter/dfilter.h>
40 #include <epan/epan_dissect.h>
41 #include <epan/tap.h>
42 #include <epan/timestamp.h>
43 #include <epan/strutil.h>
44 #include <epan/addr_resolv.h>
45 #include <epan/color_filters.h>
46 #include <epan/secrets.h>
59 /* Needed for addrinfo */
60 #include <sys/types.h>
62 #ifdef HAVE_SYS_SOCKET_H
63 #include <sys/socket.h>
64 #endif
66 #ifdef HAVE_NETINET_IN_H
67 # include <netinet/in.h>
68 #endif
70 #ifdef _WIN32
71 # include <winsock2.h>
72 # include <ws2tcpip.h>
73 #endif
79 static void rescan_packets(capture_file *cf, const char *action, const char *action_item, bool redissect);
82 MR_NOTMATCHED,
83 MR_MATCHED,
84 MR_ERROR
131 /* Seconds spent processing packets between pushing UI updates. */
132 #define PROGBAR_UPDATE_INTERVAL 0.150
134 /* Show the progress bar after this many seconds. */
135 #define PROGBAR_SHOW_DELAY 0.5
137 /*
138 * Maximum number of records we support in a file.
139 *
140 * It is, at most, the maximum value of a uint32_t, as we use a uint32_t
141 * for the frame number.
142 *
143 * We allow it to be set to a lower value; see issue #16908 for why
144 * we're doing this. Thanks, Qt!
145 */
148 void
150 {
152 }
154 /*
155 * We could probably use g_signal_...() instead of the callbacks below but that
156 * would require linking our CLI programs to libgobject and creating an object
157 * instance for the signals.
158 */
160 cf_callback_t cb_fct;
166 static void
168 {
172 /* there should be at least one interested */
179 }
180 }
182 void
184 {
192 }
194 void
196 {
206 }
208 }
211 }
213 unsigned long
215 {
217 }
219 static void
221 {
225 }
229 {
231 cap_file_provider_get_frame_ts,
232 cap_file_provider_get_interface_name,
233 cap_file_provider_get_interface_description,
234 cap_file_provider_get_modified_block
235 };
238 }
240 cf_status_t
242 {
250 /* The open succeeded. Close whatever capture file we had open,
251 and fill in the information for this file. */
254 /* Initialize the record metadata. */
257 /* XXX - we really want to initialize this after we've read all
258 the packets, so we know how much we'll ultimately need. */
261 /* We're about to start reading the file. */
264 /* If there was a pending redissection for the old file (there
265 * shouldn't be), clear it. cf_close() should have failed if the
266 * old file's read lock was held, but it doesn't hurt to clear it. */
273 /* Set the file name because we need it to set the follow stream filter.
274 XXX - is that still true? We need it for other reasons, though,
275 in any case. */
278 /* Indicate whether it's a permanent or temporary file. */
281 /* No user changes yet. */
299 /* Allocate a frame_data_sequence for the frames in this file */
308 /* Create new epan session for dissection.
309 * (The old one was freed in cf_close().)
310 */
322 fail:
325 }
327 /*
328 * Add an encapsulation type to cf->linktypes.
329 */
330 static void
332 {
338 }
339 /* It's not already there - add it. */
341 }
343 /* Reset everything to a pristine state */
344 void
346 {
351 /* Die if we're in the middle of reading a file. */
357 /* close things, if not already closed before */
363 }
364 /* We have no file open... */
366 /* If it's a temporary file, remove it. */
371 }
372 /* ...which means we have no changes to that file to save. */
375 /* no open_routine type */
378 /* Clean up the record metadata. */
381 /* Clear the packet list. */
386 /* Free up the packet buffer. */
394 }
398 }
403 /* No frames, no frame selected, no field in that frame selected. */
408 /* No frame link-layer types, either. */
412 }
422 /* We have no file open. */
426 }
428 /*
429 * true if the progress dialog doesn't exist and it looks like we'll
430 * take > PROGBAR_SHOW_DELAY (500ms) to load, false otherwise.
431 */
434 {
439 /* This only gets checked between reading records, which doesn't help if
440 * a single record takes a very long time, e.g., the first TLS packet if
441 * the SSLKEYLOGFILE is very large. (#17051) */
442 if ((elapsed * 2 > PROGBAR_SHOW_DELAY && (size / pos) >= 2) /* It looks like we're going to be slow. */
445 }
447 }
449 static float
450 calc_progbar_val(capture_file *cf, int64_t size, int64_t file_pos, char *status_str, unsigned long status_size)
451 {
457 /* The file probably grew while we were reading it.
458 * Update file size, and try again.
459 */
465 /* If it's still > 1, either "wtap_file_size()" failed (in which
466 * case there's not much we can do about it), or the file
467 * *shrank* (in which case there's not much we can do about
468 * it); just clip the progress value at 1.0.
469 */
472 }
479 }
481 cf_read_status_t
483 {
492 epan_dissect_t edt;
493 wtap_rec rec;
494 Buffer buf;
502 /* The update_progress_dlg call below might end up accepting a user request to
503 * trigger redissection/rescans which can modify/destroy the dissection
504 * context ("cf->epan"). That condition should be prevented by callers, but in
505 * case it occurs let's fail gracefully.
506 */
511 }
512 /* This is a full dissection, so clear any pending request for one. */
516 /* Compile the current display filter.
517 * The code it compiles to might have changed, e.g. if a display
518 * filter macro used has changed.
519 *
520 * We assume this will not fail since cf->dfilter is only set in
521 * cf_filter IFF the filter was valid.
522 * XXX - This is not necessarily true, if the filter has a FT_IPv4
523 * or FT_IPv6 field compared to a resolved hostname in it, because
524 * we do a new host lookup, and that *could* timeout this time
525 * (though with the read lock above we shouldn't have many lookups at
526 * once, reducing the chances of that)... (#19612)
527 */
531 }
536 /* The compiled dfilter might have a field reference; recompiling it
537 * means that the field references won't match anything. That's what
538 * we want since this is a new sequential read and we don't have
539 * a selected frame with a tree. (Will taps with filters with display
540 * references also have cleared display references?)
541 */
543 /* Get the union of the flags for all tap listeners. */
546 /*
547 * Determine whether we need to create a protocol tree.
548 * We do if:
549 *
550 * we're going to apply a display filter;
551 *
552 * one of the tap listeners is going to apply a filter;
553 *
554 * one of the tap listeners requires a protocol tree;
555 *
556 * a postdissector wants field values or protocols on
557 * the first pass.
558 */
559 create_proto_tree =
569 else
572 /* Record the file's compression type.
573 XXX - do we know this at open time? */
576 /* The packet list window will be empty until the file is completely loaded */
584 /* If the display filter or any tap listeners require the columns,
585 * construct them. */
589 /* Find the size of the file. */
592 /* If we are to ignore duplicate frames, we need a container to store
593 * hashes frame contents */
594 fifo_string_cache_t frame_dup_cache;
600 }
607 TRY {
618 /*
619 * Quit if we've already read the maximum number of
620 * records allowed.
621 */
624 }
627 /* Create the progress bar if necessary. */
632 }
634 /*
635 * Update the progress bar, but do it only after
636 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
637 * and packets_bar_update will likely trigger UI paint events, which
638 * might take a while depending on the platform and display. Reset
639 * our timer *after* painting.
640 */
643 /* update the packet bar content on the first run or frequently on very large files */
648 }
649 /*
650 * The previous GUI triggers should not have destroyed the running
651 * session. If that did happen, it could blow up when read_record tries
652 * to use the destroyed edt.session, so detect it right here.
653 */
655 }
658 /* Well, the user decided to exit Wireshark. Break out of the
659 loop, and let the code below (which is called even if there
660 aren't any packets left to read) exit. */
663 }
665 /* Well, the user decided to abort the read. He/She will be warned and
666 it might be enough for him/her to work with the already loaded
667 packets.
668 This is especially true for very large capture files, where you don't
669 want to wait loading the whole file (which may last minutes or even
670 hours even on fast machines) just to see that it was the wrong file. */
672 }
675 }
676 }
682 #if 0
683 /* Could we close the current capture and free up memory from that? */
684 #else
685 /* we have to terminate, as we cannot recover from the memory error */
687 #endif
688 }
689 ENDTRY;
691 // If we're ignoring duplicate frames, clear the data structures.
692 // We really could look at prefs.ignore_dup_frames here, but it's even
693 // safer to check if we had allocated 'cksum'.
697 }
699 /* We're done reading sequentially through the file. */
702 /* Destroy the progress bar if it was created. */
707 /* Free the display name */
714 /* Close the sequential I/O side, to free up memory it requires. */
717 /* Allow the protocol dissectors to free up memory that they
718 * don't need after the sequential run-through of the packets. */
721 /* compute the time it took to load the file */
724 /* Set the file encapsulation type now; we don't know what it is until
725 we've looked at all the packets, as we don't know until then whether
726 there's more than one type (and thus whether it's
727 WTAP_ENCAP_PER_PACKET). */
734 /* It is safe again to execute redissections or sort. */
740 else
743 /* If we have any displayed packets to select, select the first of those
744 packets by making the first row the selected row. */
747 }
750 /*
751 * Well, the user decided to exit Wireshark while reading this *offline*
752 * capture file (Live captures are handled by something like
753 * cf_continue_tail). Clean up accordingly.
754 */
758 }
761 /* Redissection was queued up. Clear the request and perform it now. */
764 }
774 }
777 /* Put up a message box noting that the read failed somewhere along
778 the line. Don't throw out the stuff we managed to read, though,
779 if any. */
789 "The command-line utility editcap can be used to split "
791 "The file contains more records than the maximum "
796 }
798 #ifdef HAVE_LIBPCAP
799 cf_read_status_t
802 {
805 epan_dissect_t edt;
809 /* Don't compile the current display filter. The current display filter
810 * text might compile to different code than when the capture started:
811 *
812 * If it has a IP address resolved name, calling get_host_ipaddr every
813 * time new packets arrive can mean a *lot* of gethostbyname calls
814 * in flight at once, eventually leading to a timeout (#19612).
815 * addr_resolv.c says that ares_gethostbyname is "usually interactive",
816 * unlike ares_gethostbyaddr (used in dissection), and violating that
817 * expectation is bad.
818 *
819 * If it has a display filter macro, the definition might have changed.
820 *
821 * If it has a field reference, the selected frame / current proto tree
822 * might have changed, and we don't have the old one. If we recompile,
823 * we can't set the field references to the old values.
824 *
825 * For a rescan, redissection, reload, retap, or opening a new file, we
826 * want to compile. What about here, when new frames have arrived in a live
827 * capture? We might be able to cache the host lookup, and a user might want
828 * the new display filter macro definition, but the user almost surely wants
829 * the field references to refer to values from the proto tree when the
830 * filter was applied, not whatever it happens to be now if the user has
831 * clicked on a different packet.
832 *
833 * To get the new compiled filter, the user should refilter.
834 */
836 /* Get the union of the flags for all tap listeners. */
839 /*
840 * Determine whether we need to create a protocol tree.
841 * We do if:
842 *
843 * we're going to apply a display filter;
844 *
845 * one of the tap listeners is going to apply a filter;
846 *
847 * one of the tap listeners requires a protocol tree;
848 *
849 * a postdissector wants field values or protocols on
850 * the first pass.
851 */
852 create_proto_tree =
858 /* Don't freeze/thaw the list when doing live capture */
859 /*packet_list_freeze();*/
863 TRY {
867 /* If the display filter or any tap listeners require the columns,
868 * construct them. */
877 }
879 /* Well, the user decided to exit Wireshark. Break out of the
880 loop, and let the code below (which is called even if there
881 aren't any packets left to read) exit. */
883 }
884 if (read_record(cf, rec, buf, cf->dfcode, &edt, cinfo, data_offset, frame_dup_cache, frame_cksum)) {
885 newly_displayed_packets++;
886 }
887 to_read--;
888 }
890 }
896 #if 0
897 /* Could we close the current capture and free up memory from that? */
899 #else
900 /* we have to terminate, as we cannot recover from the memory error */
902 #endif
903 }
904 ENDTRY;
906 /* Update the file encapsulation; it might have changed based on the
907 packets we've read. */
912 /* Don't freeze/thaw the list when doing live capture */
913 /*packet_list_thaw();*/
914 /* With the new packet list the first packet
915 * isn't automatically selected.
916 */
921 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
922 so that our caller can kill off the capture child process;
923 this will cause an EOF on the pipe from the child, so
924 "cf_finish_tail()" will be called, and it will clean up
925 and exit. */
928 /* We got an error reading the capture file.
929 XXX - pop up a dialog box instead? */
937 }
941 }
943 void
945 {
948 }
949 }
951 cf_read_status_t
954 {
958 epan_dissect_t edt;
962 /* All the comments above in cf_continue_tail apply regarding the
963 * current display filter.
964 */
966 /* Get the union of the flags for all tap listeners. */
969 /* If the display filter or any tap listeners require the columns,
970 * construct them. */
974 /*
975 * Determine whether we need to create a protocol tree.
976 * We do if:
977 *
978 * we're going to apply a display filter;
979 *
980 * one of the tap listeners is going to apply a filter;
981 *
982 * one of the tap listeners requires a protocol tree;
983 *
984 * a postdissector wants field values or protocols on
985 * the first pass.
986 */
987 create_proto_tree =
994 }
996 /* Don't freeze/thaw the list when doing live capture */
997 /*packet_list_freeze();*/
1003 /* Well, the user decided to abort the read. Break out of the
1004 loop, and let the code below (which is called even if there
1005 aren't any packets left to read) exit. */
1007 }
1010 }
1014 /* Don't freeze/thaw the list when doing live capture */
1015 /*packet_list_thaw();*/
1018 /* Well, the user decided to abort the read. We're only called
1019 when the child capture process closes the pipe to us (meaning
1020 it's probably exited), so we can just close the capture
1021 file; we return CF_READ_ABORTED so our caller can do whatever
1022 is appropriate when that happens. */
1025 }
1027 /* We're done reading sequentially through the file. */
1030 /* We're done reading sequentially through the file; close the
1031 sequential I/O side, to free up memory it requires. */
1034 /* Allow the protocol dissectors to free up memory that they
1035 * don't need after the sequential run-through of the packets. */
1038 /* Update the file encapsulation; it might have changed based on the
1039 packets we've read. */
1042 /* Update the details in the file-set dialog, as the capture file
1043 * has likely grown since we first stat-ed it */
1047 /* We got an error reading the capture file.
1048 XXX - pop up a dialog box? */
1056 }
1060 }
1061 }
1066 {
1069 /* Return a name to use in displays */
1071 /* Get the last component of the file name, and use that. */
1076 }
1078 /* The file we read is a temporary file from a live capture or
1079 a merge operation; we don't mention its name, but, if it's
1080 from a capture, give the source of the capture. */
1085 }
1086 }
1088 }
1092 {
1095 /* Return a name to use in the GUI for the basename for files to
1096 which we save statistics */
1098 /* Get the last component of the file name, and use that. */
1102 /* If the file name ends with any extension that corresponds
1103 to a file type we support - including compressed versions
1104 of those files - strip it off. */
1109 /* Does the file name end with that extension? */
1115 /* Yes. Strip the extension off, and return the result. */
1118 }
1119 }
1123 }
1125 /* The file we read is a temporary file from a live capture or
1126 a merge operation; we don't mention its name, but, if it's
1127 from a capture, give the source of the capture. */
1132 }
1133 }
1135 }
1137 void
1139 {
1142 }
1148 }
1149 }
1153 {
1156 }
1159 }
1161 /* XXX - use a macro instead? */
1162 int
1164 {
1166 }
1168 /* XXX - use a macro instead? */
1169 bool
1171 {
1173 }
1175 void
1177 {
1179 }
1182 /* XXX - use a macro instead? */
1183 void
1185 {
1187 }
1189 /* XXX - use a macro instead? */
1190 void
1192 {
1194 }
1196 /* XXX - use a macro instead? */
1197 bool
1199 {
1201 }
1203 /* XXX - use a macro instead? */
1204 uint32_t
1206 {
1208 }
1210 void
1212 {
1214 }
1216 static void
1220 {
1227 }
1228 #if 0
1229 /* Prepare coloring rules, this ensures that display filter rules containing
1230 * frame.color_rule references are still processed.
1231 * TODO: actually detect that situation or maybe apply other optimizations? */
1235 }
1236 #endif
1239 /* This is the first pass, so prime the epan_dissect_t with the
1240 hfids postdissectors want on the first pass. */
1242 }
1244 /* Initialize passed_dfilter here so that dissectors can hide packets. */
1245 /* XXX We might want to add a separate "visible" bit to frame_data instead. */
1248 /* Dissect the frame. */
1257 /* This frame passed the display filter but it may depend on other
1258 * (potentially not displayed) frames. Find those frames and mark them
1259 * as depended upon.
1260 */
1261 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
1262 }
1263 }
1268 }
1271 /* We fill the needed columns from new_packet_list */
1273 }
1276 {
1278 /* The only way we use prev_dis is to get the time stamp of
1279 * the previous displayed frame, so ignore it if it doesn't
1280 * have a time stamp, because we're presumably interested in
1281 * the timestamp of the previously displayed frame with a
1282 * time. XXX: What if in the future we want to use the previously
1283 * displayed frame for something else, too?
1284 */
1287 }
1289 /* If we haven't yet seen the first frame, this is it. */
1293 /* This is the last frame we've seen so far. */
1295 }
1298 }
1300 /*
1301 * Read in a new record.
1302 * Returns true if the packet was added to the packet (record) list,
1303 * false otherwise.
1304 */
1305 static bool
1309 {
1310 frame_data fdlocal;
1317 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
1318 it's not already there.
1319 XXX - yes, this is O(N), so if every packet had a different
1320 link-layer encapsulation type, it'd be O(N^2) to read the file, but
1321 there are probably going to be a small number of encapsulation types
1322 in a file. */
1325 }
1327 /* The frame number of this packet, if we add it to the set of frames,
1328 would be one more than the count of frames in the file so far. */
1332 epan_dissect_t rf_edt;
1339 }
1345 }
1350 /* This does a shallow copy of fdlocal, which is good enough. */
1358 // Should we check if the frame data is a duplicate, and thus, ignore
1359 // this frame?
1369 }
1370 }
1372 /* When a redissection is in progress (or queued), do not process packets.
1373 * This will be done once all (new) packets have been scanned. */
1376 }
1377 }
1380 }
1392 static bool
1396 {
1405 /* do nothing */
1409 /* do nothing */
1413 /* Get the sum of the sizes of all the files. */
1422 {
1423 /* Create the progress bar if necessary.
1424 We check on every iteration of the loop, so that it takes no
1425 longer than the standard time to create it (otherwise, for a
1426 large file, we might take considerably longer than that standard
1427 time in order to get to the next progress bar step). */
1431 }
1433 /*
1434 * Update the progress bar, but do it only after
1435 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
1436 * and packets_bar_update will likely trigger UI paint events, which
1437 * might take a while depending on the platform and display. Reset
1438 * our timer *after* painting.
1439 */
1443 /* Get the sum of the seek positions in all of the files. */
1449 /* Some file probably grew while we were reading it.
1450 That "shouldn't happen", so we'll just clip the progress
1451 value at 1.0. */
1453 }
1461 }
1463 }
1464 }
1468 /* We're done merging the files; destroy the progress bar if it was created. */
1473 }
1476 }
1480 cf_status_t
1484 {
1486 merge_progress_callback_t cb;
1489 /* prepare our callback routine */
1496 /* merge the files */
1498 in_filenames,
1508 /* Callers aren't expected to treat an error or an explicit abort
1509 differently - the merge code puts up error dialogs itself, so
1510 they don't have to. */
1514 }
1516 cf_status_t
1518 {
1524 /* if new filter equals old one, do nothing unless told to do so */
1525 /* XXX - The text can be the same without compiling to the same code.
1526 * (Macros, field references, etc.)
1527 */
1530 }
1535 /* The new filter is an empty filter (i.e., display all packets).
1536 * so leave dfcode==NULL
1537 */
1539 /*
1540 * We have a filter; make a copy of it (as we'll be saving it),
1541 * and try to compile it.
1542 */
1545 /* The attempt failed; report an error. */
1553 }
1555 /* Was it empty? */
1557 /* Yes - free the filter text, and set it to null. */
1560 }
1561 }
1563 /* We have a valid filter. Replace the current filter. */
1567 /* We'll recompile this when the rescan starts, or in cf_read()
1568 * if no file is open currently. However, if no file is open and
1569 * we start a new capture, we want to use this rather than
1570 * recompiling in cf_continue_tail() */
1574 /* Now rescan the packet list, applying the new filter, but not
1575 * throwing away information constructed on a previous pass.
1576 * If a dissection is already in progress, queue it.
1577 */
1586 }
1587 }
1588 }
1591 }
1593 void
1595 {
1597 /* Dissection in progress, signal redissection rather than rescanning. That
1598 * would destroy the current (in-progress) dissection in "cf_read" which
1599 * will cause issues when "cf_read" tries to add packets to the list.
1600 * If a previous rescan was requested, "upgrade" it to a full redissection.
1601 */
1603 }
1605 /* Redissection is (already) queued, wait for "cf_read" to finish. */
1606 /* XXX - what if whatever set and later clears read_lock is *not*
1607 * cf_read, e.g. process_specified_records ? We need to handle a
1608 * queued redissection there too like we do in cf_read.
1609 */
1611 }
1614 /* Restart dissection in case no cf_read is pending. */
1616 }
1617 }
1619 bool
1622 {
1629 }
1631 }
1633 bool
1636 {
1643 }
1645 }
1647 bool
1649 {
1651 }
1653 /* Rescan the list of packets, reconstructing the CList.
1655 "action" describes why we're doing this; it's used in the progress
1656 dialog box.
1658 "action_item" describes what we're doing; it's used in the progress
1659 dialog box.
1661 "redissect" is true if we need to make the dissectors reconstruct
1662 any state information they have (because a preference that affects
1663 some dissector has changed, meaning some dissector might construct
1664 its state differently from the way it was constructed the last time). */
1665 static void
1667 {
1668 /* Rescan packets new packet list */
1671 wtap_rec rec;
1672 Buffer buf;
1682 epan_dissect_t edt;
1695 }
1697 /* Rescan in progress, clear pending actions. */
1705 /* Compile the current display filter.
1706 * The code it compiles to might have changed, e.g. if a display
1707 * filter macro used has changed.
1708 *
1709 * We assume this will not fail since cf->dfilter is only set in
1710 * cf_filter IFF the filter was valid.
1711 * XXX - This is not necessarily true, if the filter has a FT_IPv4
1712 * or FT_IPv6 field compared to a resolved hostname in it, because
1713 * we do a new host lookup, and that *could* timeout this time
1714 * (though with the read lock above we shouldn't have many lookups at
1715 * once, reducing the chances of that)... (#19612)
1716 */
1720 }
1725 /* Do we have any tap listeners with filters? */
1728 /* Update references in filters (if any) for the protocol
1729 * tree corresponding to the currently selected frame in the GUI. */
1735 }
1740 }
1742 /* Get the union of the flags for all tap listeners. */
1745 /* If the display filter or any tap listeners require the columns,
1746 * construct them. */
1750 /*
1751 * Determine whether we need to create a protocol tree.
1752 * We do if:
1753 *
1754 * we're going to apply a display filter;
1755 *
1756 * one of the tap listeners is going to apply a filter;
1757 *
1758 * one of the tap listeners requires a protocol tree;
1759 *
1760 * we're redissecting and a postdissector wants field
1761 * values or protocols on the first pass.
1762 */
1763 create_proto_tree =
1769 /* Which frame, if any, is the currently selected frame?
1770 XXX - should the selected frame or the focus frame be the "current"
1771 frame, that frame being the one from which "Find Frame" searches
1772 start? */
1775 /* Mark frame num as not found */
1778 /* Freeze the packet list while we redo it, so we don't get any
1779 screen updates while it happens. */
1783 /* We need to re-initialize all the state information that protocols
1784 keep, because some preference that controls a dissector has changed,
1785 which might cause the state information to be constructed differently
1786 by that dissector. */
1788 /* We might receive new packets while redissecting, and we don't
1789 want to dissect those before their time. */
1792 /* 'reset' dissection session */
1795 /* All pointers in "per frame proto data" for the currently selected
1796 packet are allocated in wmem_file_scope() and deallocated in epan_free().
1797 Free them here to avoid unintended usage in packet_list_clear(). */
1799 }
1803 /* A new Lua tap listener may be registered in lua_prime_all_fields()
1804 called via epan_new() / init_dissection() when reloading Lua plugins. */
1807 }
1810 }
1812 /* We need to redissect the packets so we have to discard our old
1813 * packet list store. */
1816 }
1818 /* We don't yet know which will be the first and last frames displayed. */
1822 /* We currently don't display any packets */
1825 /* Iterate through the list of frames. Call a routine for each frame
1826 to check whether it should be displayed and, if so, add it to
1827 the display list. */
1836 /* Count of packets at which we've looked. */
1838 /* Progress so far. */
1844 /* no previous row yet */
1860 /*
1861 * Decryption secrets and name resolution blocks are read while
1862 * sequentially processing records and then passed to the dissector.
1863 * During redissection, the previous information is lost (see epan_free
1864 * above), but they are not read again from the file as only packet
1865 * records are re-read. Therefore reset the wtap secrets and name
1866 * resolution callbacks such that wtap resupplies the callbacks with
1867 * previously read information.
1868 */
1872 }
1877 /* Create the progress bar if necessary.
1878 We check on every iteration of the loop, so that it takes no
1879 longer than the standard time to create it (otherwise, for a
1880 large file, we might take considerably longer than that standard
1881 time in order to get to the next progress bar step). */
1885 progbar_val);
1887 /*
1888 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
1889 * has elapsed. Calling update_progress_dlg and packets_bar_update will
1890 * likely trigger UI paint events, which might take a while depending on
1891 * the platform and display. Reset our timer *after* painting.
1892 */
1894 /* let's not divide by zero. I should never be started
1895 * with count == 0, so let's assert that
1896 */
1904 }
1907 }
1911 /* A redissection was requested while an existing redissection was
1912 * pending. */
1914 }
1917 /* Well, the user decided to abort the filtering. Just stop.
1919 XXX - go back to the previous filter? Users probably just
1920 want not to wait for a filtering operation to finish;
1921 unless we cancel by having no filter, reverting to the
1922 previous filter will probably be even more expensive than
1923 continuing the filtering, as it involves going back to the
1924 beginning and filtering, and even with no filter we currently
1925 have to re-generate the entire clist, which is also expensive.
1927 I'm not sure what Network Monitor does, but it doesn't appear
1928 to give you an unfiltered display if you cancel. */
1930 }
1932 count++;
1935 /* Since all state for the frame was destroyed, mark the frame
1936 * as not visited, free the GSList referring to the state
1937 * data (the per-frame data itself was freed by
1938 * "init_dissection()"), and null out the GSList pointer. */
1941 }
1943 /* Frame dependencies from the previous dissection/filtering are no longer valid. */
1949 /* If the previous frame is displayed, and we haven't yet seen the
1950 selected frame, remember that frame - it's the closest one we've
1951 yet seen before the selected frame. */
1955 }
1959 add_to_packet_list);
1961 /* If this frame is displayed, and this is the first frame we've
1962 seen displayed after the selected frame, remember this frame -
1963 it's the closest one we've yet seen at or after the selected
1964 frame. */
1968 }
1973 }
1975 /* Remember this frame - it'll be the previous frame
1976 on the next pass through the loop. */
1980 }
1986 /* We are done redissecting the packet list. */
1991 /* Clear out what remains of the visited flags and per-frame data
1992 pointers.
1994 XXX - that may cause various forms of bogosity when dissecting
1995 these frames, as they won't have been seen by this sequential
1996 pass, but the only alternative I see is to keep scanning them
1997 even though the user requested that the scan stop, and that
1998 would leave the user stuck with an Wireshark grinding on
1999 until it finishes. Should we just stick them with that? */
2003 }
2004 }
2006 /* We're done filtering the packets; destroy the progress bar if it
2007 was created. */
2012 /* Unfreeze the packet list. */
2016 /* Compute the time it took to filter the file */
2021 /* It is safe again to execute redissections or sort. */
2028 /* The selected frame didn't pass the filter. */
2030 /* That's because there *was* no selected frame. Make the first
2031 displayed frame the current frame. */
2034 /* Find the nearest displayed frame to the selected frame (whether
2035 it's before or after that frame) and make that the current frame.
2036 If the next and previous displayed frames are equidistant from the
2037 selected frame, choose the next one. */
2043 /* No frame after the selected frame passed the filter, so we
2044 have to select the last displayed frame before the selected
2045 frame. */
2049 /* No frame before the selected frame passed the filter, so we
2050 have to select the first displayed frame after the selected
2051 frame. */
2055 /* Frames before and after the selected frame passed the filter, so
2056 we'll select the previous frame */
2059 }
2060 }
2061 }
2064 /* There are no frames displayed at all. */
2067 /* Either the frame that was selected passed the filter, or we've
2068 found the nearest displayed frame to that frame. Select it, make
2069 it the focus row, and make it visible. */
2070 /* Set to invalid to force update of packet list and packet details */
2075 /* We didn't find a row corresponding to this frame.
2076 This means that the frame isn't being displayed currently,
2077 so we can't select it. */
2081 }
2082 }
2083 }
2085 /* If another rescan (due to dfilter change) or redissection (due to profile
2086 * change) was requested, the rescan above is aborted and restarted here. */
2090 }
2091 }
2094 /*
2095 * Scan through all frame data and recalculate the ref time
2096 * without rereading the file.
2097 * XXX - do we need a progress bar or is this fast enough?
2098 */
2099 void
2101 {
2104 nstime_t rel_ts;
2113 /* just add some value here until we know if it is being displayed or not */
2116 /*
2117 * Timestamps
2118 */
2121 /* If we don't have the time stamp of the first packet in the
2122 capture, it's because this is the first packet. Save the time
2123 stamp of this packet as the time stamp of the first packet. */
2126 /* if this frames is marked as a reference time frame, reset
2127 firstsec and firstusec to this frame */
2131 /* Get the time elapsed between the first packet and this one. */
2135 /* If it's greater than the current elapsed time, set the elapsed
2136 time to it (we check for "greater than" so as not to be
2137 confused by time moving backwards). */
2139 || ((int32_t)cf->elapsed_time.secs == rel_ts.secs && (int32_t)cf->elapsed_time.nsecs < rel_ts.nsecs)) {
2141 }
2143 /* If this frame is displayed, get the time elapsed between the
2144 previous displayed packet and this packet. */
2145 /* XXX: What if in the future we want to use the previously
2146 * displayed frame for something else, too? Then we'd want
2147 * to store this frame as prev_dis even if it doesn't have a
2148 * timestamp. */
2150 /* If we don't have the time stamp of the previous displayed
2151 packet, it's because this is the first displayed packet.
2152 Save the time stamp of this packet as the time stamp of
2153 the previous displayed packet. */
2156 }
2160 }
2162 /* If this frame doesn't have a timestamp, don't calculate
2163 anything with relative times. */
2164 /* However, if this frame is marked as a reference time frame,
2165 clear the reference frame so that the next frame with a
2166 timestamp becomes the reference frame. */
2169 }
2170 }
2172 /*
2173 * Byte counts
2174 */
2176 /* This frame either passed the display filter list or is marked as
2177 a time reference frame. All time reference frames are displayed
2178 even if they don't pass the display filter */
2180 /* if this was a TIME REF frame we should reset the cum_bytes field */
2184 /* increase cum_bytes with this packets length */
2186 }
2187 }
2188 }
2189 }
2192 PSP_FINISHED,
2193 PSP_STOPPED,
2194 PSP_FAILED
2197 static psp_return_t
2204 {
2207 wtap_rec rec;
2208 Buffer buf;
2216 range_process_e process_this;
2222 /* Count of packets at which we've looked. */
2224 /* Progress so far. */
2227 /* XXX - It should be ok to have multiple readers, so long as nothing
2228 * frees the epan context, e.g. rescan_packets with redissect true,
2229 * or anything that closes the file (including reload and certain forms
2230 * of saving.) This is mostly to stop cf_save_records but should probably
2231 * be handled by callers in order to allow multiple readers (e.g.,
2232 * restarting taps after adding or changing one.) We should probably
2233 * make this a real reader-writer lock.
2234 */
2238 }
2246 /* Iterate through all the packets, printing the packets that
2247 were selected by the current display filter. */
2251 /* Create the progress bar if necessary.
2252 We check on every iteration of the loop, so that it takes no
2253 longer than the standard time to create it (otherwise, for a
2254 large file, we might take considerably longer than that standard
2255 time in order to get to the next progress bar step). */
2258 terminate_is_stop,
2260 progbar_val);
2262 /*
2263 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
2264 * has elapsed. Calling update_progress_dlg and packets_bar_update will
2265 * likely trigger UI paint events, which might take a while depending on
2266 * the platform and display. Reset our timer *after* painting.
2267 */
2269 /* let's not divide by zero. I should never be started
2270 * with count == 0, so let's assert that
2271 */
2280 }
2283 /* Well, the user decided to abort the operation. Just stop,
2284 and arrange to return PSP_STOPPED to our caller, so they know
2285 it was stopped explicitly. */
2288 }
2290 progbar_count++;
2293 /* do we have to process this packet? */
2296 /* this packet uninteresting, continue with next one */
2299 /* all interesting packets processed, stop the loop */
2301 }
2302 }
2304 /* Get the packet */
2306 /* Attempt to get the packet failed. */
2309 }
2310 /* Process the packet */
2312 /* Callback failed. We assume it reported the error appropriately. */
2315 }
2317 }
2319 /* We're done printing the packets; destroy the progress bar if
2320 it was created. */
2332 }
2335 epan_dissect_t edt;
2339 static bool
2342 {
2351 }
2353 cf_read_status_t
2355 {
2356 packet_range_t range;
2357 retap_callback_args_t callback_args;
2361 psp_return_t ret;
2363 /* Presumably the user closed the capture file. */
2366 }
2368 /* XXX - If cf->read_lock is true, process_specified_records will fail
2369 * due to a nested call. We fail here so that we don't reset the tap
2370 * listeners if this tap isn't going to succeed.
2371 */
2375 }
2379 /* Do we have any tap listeners with filters? */
2382 /* Update references in filters (if any) for the protocol
2383 * tree corresponding to the currently selected frame in the GUI. */
2384 /* XXX - What if we *don't* have a currently selected frame in the GUI,
2385 * but we did the last time we loaded field references? Then they'll
2386 * match something instead of nothing (unless they've been recompiled).
2387 * Should we have a way to clear the field references even with a NULL tree?
2388 */
2392 }
2394 /* Get the union of the flags for all tap listeners. */
2397 /* If any tap listeners require the columns, construct them. */
2400 /*
2401 * Determine whether we need to create a protocol tree.
2402 * We do if:
2403 *
2404 * one of the tap listeners is going to apply a filter;
2405 *
2406 * one of the tap listeners requires a protocol tree.
2407 */
2408 create_proto_tree =
2411 /* Reset the tap listeners. */
2417 /* Iterate through the list of packets, dissecting all packets and
2418 re-running the taps. */
2423 /* We're not done with the sequential read of the file and might
2424 * add more frames while process_specified_records is going. We
2425 * don't want to tap new frames twice, so limit the range to the
2426 * frames already here.
2427 *
2428 * cf_read sets read_lock so we don't tap in case of an offline
2429 * file, but cf_continue_tail and cf_finish_tail don't, and we
2430 * don't want them to, because tapping new packets in a live
2431 * capture is a common use case.
2432 *
2433 * Note that most other users of process_specified_records (saving,
2434 * printing) do want to process new packets, unlike taps.
2435 */
2441 /* range_t treats a missing number as meaning 1, not 0, and
2442 * reverses the order if backwards; thus the syntax -0 means
2443 * 0-1, so to only take zero packets we do this.
2444 */
2446 }
2448 }
2461 /* Completed successfully. */
2465 /* Well, the user decided to abort the refiltering.
2466 Return CF_READ_ABORTED so our caller knows they did that. */
2470 /* Error while retapping. */
2472 }
2476 }
2490 epan_dissect_t edt;
2493 static bool
2496 {
2508 /* Fill in the column information if we're printing the summary
2509 information. */
2525 /*
2526 * Print another header line if we print a packet summary on the
2527 * new page.
2528 */
2535 }
2536 }
2538 /*
2539 * We generate bookmarks, if the output format supports them.
2540 * The name is "__frameN__".
2541 */
2551 }
2557 /* Find the length of the string for this column. */
2562 /* Make sure there's room in the line buffer for the column; if not,
2563 double its length. */
2570 }
2572 /* Right-justify the packet number column. */
2575 else
2580 }
2583 /*
2584 * Generate a bookmark, using the summary line as the title.
2585 */
2593 /*
2594 * Generate a bookmark, using "Frame N" as the title, as we're not
2595 * printing the summary line.
2596 */
2599 bookmark_title))
2605 /* Separate the summary line from the tree with a blank line. */
2608 }
2610 /* Print the information in that tree. */
2616 /* Print a blank line if we print anything after this (aka more than one packet). */
2619 /* Print a header line if we print any more packet summaries */
2622 }
2625 if (args->print_args->print_summary || (args->print_args->print_dissections != print_dissections_none)) {
2628 }
2629 /* Print the full packet data as hex. */
2633 /* Print a blank line if we print anything after this (aka more than one packet). */
2636 /* Print a header line if we print any more packet summaries */
2643 /* do we want to have a formfeed between each packet from now on? */
2646 }
2650 fail:
2653 }
2655 cf_print_status_t
2658 {
2659 print_callback_args_t callback_args;
2664 psp_return_t ret;
2684 }
2687 /* We're printing packet summaries. Allocate the header line buffer
2688 and get the column widths. */
2691 /* Find the number of visible columns and the last visible column */
2700 num_visible_col++;
2702 }
2703 }
2705 /* if num_visible_col is 0, we are done */
2709 }
2711 /* Find the widths for each of the columns - maximum of the
2712 width of the title and the width of the data - and construct
2713 a buffer with a line containing the column titles. */
2730 /* Save the order of visible columns */
2733 /* Don't pad the last column. */
2741 }
2743 /* Find the length of the string for this column. */
2748 /* Make sure there's room in the line buffer for the column; if not,
2749 double its length. */
2757 }
2759 /* Right-justify the packet number column. */
2760 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER || cf->cinfo.col_fmt[i] == COL_NUMBER_DIS)
2761 snprintf(cp, column_len+1, "%*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2762 else*/
2763 snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2768 visible_col_count++;
2769 }
2772 /* Now start out the main line buffer with the same length as the
2773 header line buffer. */
2778 /* Create the protocol tree, and make it visible, if we're printing
2779 the dissection or the hex data.
2780 XXX - do we need it if we're just printing the hex data? */
2781 proto_tree_needed =
2787 /* Iterate through the list of packets, printing the packets we were
2788 told to print. */
2801 /* Completed successfully. */
2805 /* Well, the user decided to abort the printing.
2807 XXX - note that what got generated before they did that
2808 will get printed if we're piping to a print program; we'd
2809 have to write to a file and then hand that to the print
2810 program to make it actually not print anything. */
2814 /* Error while printing.
2816 XXX - note that what got generated before they did that
2817 will get printed if we're piping to a print program; we'd
2818 have to write to a file and then hand that to the print
2819 program to make it actually not print anything. */
2822 }
2827 }
2833 }
2837 epan_dissect_t edt;
2839 json_dumper jdumper;
2842 static bool
2845 {
2848 /* Create the protocol tree, but don't fill in the column information. */
2853 /* Write out the information in that tree. */
2859 }
2861 cf_print_status_t
2863 {
2864 write_packet_callback_args_t callback_args;
2866 psp_return_t ret;
2876 }
2882 /* Iterate through the list of packets, printing the packets we were
2883 told to print. */
2893 /* Completed successfully. */
2897 /* Well, the user decided to abort the printing. */
2901 /* Error while printing. */
2904 }
2910 }
2912 /* XXX - check for an error */
2916 }
2918 static bool
2921 {
2924 /* Fill in the column information */
2931 /* Write out the column information. */
2937 }
2939 cf_print_status_t
2941 {
2942 write_packet_callback_args_t callback_args;
2944 psp_return_t ret;
2956 }
2961 /* Fill in the column information, only create the protocol tree
2962 if having custom columns or field extractors. */
2966 /* Iterate through the list of packets, printing the packets we were
2967 told to print. */
2977 /* Completed successfully. */
2981 /* Well, the user decided to abort the printing. */
2985 /* Error while printing. */
2988 }
2994 }
2996 /* XXX - check for an error */
3000 }
3002 static bool
3005 {
3008 /* Fill in the column information */
3015 /* Write out the column information. */
3021 }
3023 cf_print_status_t
3025 {
3026 write_packet_callback_args_t callback_args;
3029 psp_return_t ret;
3039 }
3044 /* only create the protocol tree if having custom columns or field extractors. */
3048 /* Iterate through the list of packets, printing the packets we were
3049 told to print. */
3059 /* Completed successfully. */
3063 /* Well, the user decided to abort the printing. */
3067 /* Error while printing. */
3070 }
3072 /* XXX - check for an error */
3076 }
3078 static bool
3081 {
3091 }
3093 cf_print_status_t
3095 {
3096 write_packet_callback_args_t callback_args;
3098 psp_return_t ret;
3108 }
3114 /* Iterate through the list of packets, printing the packets we were
3115 told to print. */
3125 /* Completed successfully. */
3128 /* Well, the user decided to abort the printing. */
3131 /* Error while printing. */
3134 }
3138 }
3140 static bool
3143 {
3146 /* Create the protocol tree, but don't fill in the column information. */
3151 /* Write out the information in that tree. */
3160 }
3162 cf_print_status_t
3164 {
3165 write_packet_callback_args_t callback_args;
3167 psp_return_t ret;
3177 }
3183 /* Iterate through the list of packets, printing the packets we were
3184 told to print. */
3194 /* Completed successfully. */
3198 /* Well, the user decided to abort the printing. */
3202 /* Error while printing. */
3205 }
3211 }
3213 /* XXX - check for an error */
3217 }
3219 bool
3222 {
3223 match_data mdata;
3236 }
3240 }
3241 }
3243 }
3245 field_info*
3247 {
3248 match_data mdata;
3255 /* Iterate through all the nodes looking for matching text */
3260 }
3263 }
3265 static match_result
3268 {
3270 epan_dissect_t edt;
3272 /* Load the frame's data. */
3274 /* Attempt to get the packet failed. */
3276 }
3278 /* Construct the protocol tree, including the displayed text */
3280 /* We don't need the column information */
3285 /* Iterate through all the nodes, seeing if they have text that matches. */
3290 /* We don't care about the direction here, because we're just looking
3291 * for one match and we'll destroy this tree anyway. (We find the actual
3292 * field later in PacketList::selectionChanged().) Forwards is faster.
3293 */
3297 }
3299 static void
3301 {
3314 /* dissection with an invisible proto tree? */
3318 /* We already had a match; don't bother doing any more work. */
3320 }
3322 /* Don't match invisible entries. */
3327 /* Haven't found the old match, so don't match this node. */
3329 /* Found the old match, look for the next one after this. */
3331 }
3333 /* was a free format label produced? */
3337 /* no, make a generic label */
3340 }
3347 }
3349 /* Case insensitive match */
3357 /* If c_match is non-zero, save candidate for retrying full match. */
3361 c_match++;
3365 /* No need to look further; we have a match */
3367 }
3374 }
3376 /* Case sensitive match */
3380 }
3381 }
3383 /* Recurse into the subtree, if it exists */
3386 }
3388 static void
3390 {
3403 /* dissection with an invisible proto tree? */
3406 /* We don't have an easy way to search backwards in the tree
3407 * (see also, proto_find_field_from_offset()) because we don't
3408 * have a previous node pointer, so we search backwards by
3409 * searching forwards, only stopping if we see the old match
3410 * (if we have one).
3411 */
3415 }
3417 /* Don't match invisible entries. */
3422 /* Found the old match, use the previous match. */
3425 }
3427 /* was a free format label produced? */
3431 /* no, make a generic label */
3434 }
3440 }
3442 /* Case insensitive match */
3450 /* If c_match is non-zero, save candidate for retrying full match. */
3454 c_match++;
3459 }
3466 }
3468 /* Case sensitive match */
3471 }
3473 /* Recurse into the subtree, if it exists */
3476 }
3478 bool
3480 search_direction dir)
3481 {
3482 match_data mdata;
3487 }
3489 static match_result
3492 {
3496 epan_dissect_t edt;
3505 /* Load the frame's data. */
3507 /* Attempt to get the packet failed. */
3509 }
3511 /* Don't bother constructing the protocol tree */
3513 /* Get the column information */
3518 /* Find the Info column */
3521 /* Found it. See if we match. */
3528 }
3530 /* Case insensitive match */
3537 /* If c_match is non-zero, save candidate for retrying full match. */
3541 c_match++;
3545 }
3552 }
3554 /* Case sensitive match */
3556 }
3558 }
3559 }
3562 }
3571 /*
3572 * The current match_* routines only support ASCII case insensitivity and don't
3573 * convert UTF-8 inputs to UTF-16 for matching. The UTF-16 support just
3574 * interleaves with \0 bytes, which works for 7 bit ASCII.
3575 *
3576 * We could modify them to use the GLib Unicode routines or the International
3577 * Components for Unicode library but it's not apparent that we could do so
3578 * without consuming a lot more CPU and memory or that searching would be
3579 * significantly better.
3580 *
3581 * XXX: We could test the search string to see if it's all ASCII, and if not
3582 * use Unicode aware routines for case insensitive searches or any UTF-16
3583 * search.
3584 */
3586 bool
3589 {
3590 cbs_t info;
3593 ws_match_function match_function;
3598 /* Regex, String or hex search? */
3600 /* Regular Expression search */
3603 /* String search - what type of string? */
3613 match_function = (dir == SD_FORWARD) ? match_narrow_and_wide_case : match_narrow_and_wide_case_reverse;
3627 }
3637 /* Narrow, case-sensitive match is the same as looking
3638 * for a converted hexstring. */
3649 }
3650 }
3653 }
3656 /* Use the current frame (this will perform the equivalent of
3657 * cf_read_current_record() in match_function).
3658 */
3663 /* The regex match can match an empty string. */
3665 fi = proto_find_field_from_offset(cf->edt->tree, cf->search_pos + cf->search_len - 1, cf->edt->tvb);
3666 }
3670 }
3673 }
3674 }
3678 }
3680 static match_result
3683 {
3687 match_result result;
3694 /* Load the frame's data. */
3696 /* Attempt to get the packet failed. */
3698 }
3706 /* we want to start searching one byte past the previous match start */
3708 }
3712 /* Try narrow match at this start location */
3717 c_match++;
3720 /* Save position and length for highlighting the field. */
3724 }
3727 }
3728 }
3730 /* Now try wide match at the same start location. */
3735 c_match++;
3738 /* Save position and length for highlighting the field. */
3742 }
3743 i++;
3747 }
3748 }
3749 }
3751 done:
3753 }
3755 static match_result
3758 {
3762 match_result result;
3769 /* Load the frame's data. */
3771 /* Attempt to get the packet failed. */
3773 }
3776 /* Has to be room to hold the sought data. */
3779 }
3785 /* we want to start searching one byte before the previous match start */
3787 }
3791 /* Try narrow match at this start location */
3796 c_match++;
3799 /* Save position and length for highlighting the field. */
3803 }
3806 }
3807 }
3809 /* Now try wide match at the same start location. */
3814 c_match++;
3817 /* Save position and length for highlighting the field. */
3821 }
3822 i++;
3826 }
3827 }
3828 }
3830 done:
3832 }
3834 /* Case insensitive match */
3835 static match_result
3838 {
3843 match_result result;
3850 /* Load the frame's data. */
3852 /* Attempt to get the packet failed. */
3854 }
3864 /* we want to start searching one byte past the previous match start */
3866 }
3870 /* Try narrow match at this start location */
3875 c_match++;
3878 /* Save position and length for highlighting the field. */
3882 }
3885 }
3886 }
3888 /* Now try wide match at the same start location. */
3893 c_match++;
3896 /* Save position and length for highlighting the field. */
3900 }
3901 i++;
3905 }
3906 }
3907 }
3909 done:
3911 }
3913 static match_result
3916 {
3921 match_result result;
3928 /* Load the frame's data. */
3930 /* Attempt to get the packet failed. */
3932 }
3937 /* Has to be room to hold the sought data. */
3940 }
3946 /* we want to start searching one byte before the previous match start */
3948 }
3952 /* Try narrow match at this start location */
3957 c_match++;
3960 /* Save position and length for highlighting the field. */
3964 }
3967 }
3968 }
3970 /* Now try wide match at the same start location. */
3975 c_match++;
3978 /* Save position and length for highlighting the field. */
3982 }
3983 i++;
3987 }
3988 }
3989 }
3991 done:
3993 }
3995 /* Case insensitive match */
3996 static match_result
3999 {
4004 match_result result;
4011 /* Load the frame's data. */
4013 /* Attempt to get the packet failed. */
4015 }
4025 /* we want to start searching one byte past the previous match start */
4027 }
4035 c_match++;
4037 /* Save position and length for highlighting the field. */
4042 }
4045 }
4046 }
4047 }
4049 done:
4051 }
4053 static match_result
4056 {
4061 match_result result;
4068 /* Load the frame's data. */
4070 /* Attempt to get the packet failed. */
4072 }
4077 /* Has to be room to hold the sought data. */
4080 }
4086 /* we want to start searching one byte before the previous match start */
4088 }
4096 c_match++;
4098 /* Save position and length for highlighting the field. */
4103 }
4106 }
4107 }
4108 }
4110 done:
4112 }
4114 static match_result
4117 {
4121 match_result result;
4128 /* Load the frame's data. */
4130 /* Attempt to get the packet failed. */
4132 }
4140 /* we want to start searching one byte past the previous match start */
4142 }
4150 c_match++;
4153 /* Save position and length for highlighting the field. */
4157 }
4158 i++;
4162 }
4163 }
4164 }
4166 done:
4168 }
4170 static match_result
4173 {
4177 match_result result;
4184 /* Load the frame's data. */
4186 /* Attempt to get the packet failed. */
4188 }
4191 /* Has to be room to hold the sought data. */
4194 }
4200 /* we want to start searching one byte before the previous match start */
4202 }
4210 c_match++;
4213 /* Save position and length for highlighting the field. */
4217 }
4218 i++;
4222 }
4223 }
4224 }
4226 done:
4228 }
4230 /* Case insensitive match */
4231 static match_result
4234 {
4239 match_result result;
4246 /* Load the frame's data. */
4248 /* Attempt to get the packet failed. */
4250 }
4260 /* we want to start searching one byte past the previous match start */
4262 }
4270 c_match++;
4273 /* Save position and length for highlighting the field. */
4277 }
4278 i++;
4282 }
4283 }
4284 }
4286 done:
4288 }
4290 /* Case insensitive match */
4291 static match_result
4294 {
4299 match_result result;
4306 /* Load the frame's data. */
4308 /* Attempt to get the packet failed. */
4310 }
4315 /* Has to be room to hold the sought data. */
4318 }
4324 /* we want to start searching one byte before the previous match start */
4326 }
4334 c_match++;
4337 /* Save position and length for highlighting the field. */
4341 }
4342 i++;
4346 }
4347 }
4348 }
4350 done:
4352 }
4354 static match_result
4357 {
4360 match_result result;
4363 /* Load the frame's data. */
4365 /* Attempt to get the packet failed. */
4367 }
4373 /* we want to start searching one byte past the previous match start */
4375 }
4378 }
4381 /* Save position and length for highlighting the field. */
4384 }
4387 }
4389 static match_result
4392 {
4395 match_result result;
4398 /* Load the frame's data. */
4400 /* Attempt to get the packet failed. */
4402 }
4406 /* Has to be room to hold the sought data. */
4409 }
4412 /* we want to start searching one byte before the previous match start */
4414 }
4420 /* Save position and length for highlighting the field. */
4424 }
4425 }
4428 }
4430 static match_result
4433 {
4437 /* Load the frame's data. */
4439 /* Attempt to get the packet failed. */
4441 }
4445 /* we want to start searching one byte past the previous match start */
4447 }
4452 result_pos)) {
4453 //TODO: A chosen regex can match the empty string (zero length)
4454 // which doesn't make a lot of sense for searching the packet bytes.
4455 // Should we search with the PCRE2_NOTEMPTY option?
4456 //TODO: Fix cast.
4457 /* Save position and length for highlighting the field. */
4461 }
4462 }
4464 }
4466 static match_result
4469 {
4473 /* Load the frame's data. */
4475 /* Attempt to get the packet failed. */
4477 }
4481 /* we want to start searching one byte before the previous match */
4483 }
4488 result_pos)) {
4489 //TODO: A chosen regex can match the empty string (zero length)
4490 // which doesn't make a lot of sense for searching the packet bytes.
4491 // Should we search with the PCRE2_NOTEMPTY option?
4492 //TODO: Fix cast.
4493 /* Save position and length for highlighting the field. */
4498 }
4499 }
4501 }
4503 bool
4506 {
4508 }
4510 bool
4512 search_direction dir)
4513 {
4518 /*
4519 * XXX - this shouldn't happen, as the filter string is machine
4520 * generated
4521 */
4523 }
4525 /*
4526 * XXX - this shouldn't happen, as the filter string is machine
4527 * generated.
4528 */
4530 }
4534 }
4536 static match_result
4539 {
4541 epan_dissect_t edt;
4542 match_result result;
4544 /* Load the frame's data. */
4546 /* Attempt to get the packet failed. */
4548 }
4558 }
4560 bool
4562 {
4564 }
4566 static match_result
4569 {
4571 }
4573 bool
4575 {
4577 }
4579 static match_result
4582 {
4584 }
4586 static bool
4589 {
4594 wtap_rec rec;
4595 Buffer buf;
4604 match_result result;
4615 }
4617 /* Iterate through the list of packets, starting at the packet we've
4618 picked, calling a routine to run the filter on the packet, see if
4619 it matches, and stop if so. */
4623 /* If we have no start packet selected, and we're going backwards,
4624 * start at the end (even if wrap is off.)
4625 */
4627 }
4630 /* Progress so far. */
4636 /* Create the progress bar if necessary.
4637 We check on every iteration of the loop, so that it takes no
4638 longer than the standard time to create it (otherwise, for a
4639 large file, we might take considerably longer than that standard
4640 time in order to get to the next progress bar step). */
4645 /*
4646 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
4647 * has elapsed. Calling update_progress_dlg and packets_bar_update will
4648 * likely trigger UI paint events, which might take a while depending on
4649 * the platform and display. Reset our timer *after* painting.
4650 */
4652 /* let's not divide by zero. I should never be started
4653 * with count == 0, so let's assert that
4654 */
4664 }
4667 /* Well, the user decided to abort the search. Go back to the
4668 frame where we started.
4669 XXX - This ends up selecting the start packet and reporting
4670 "success". Perhaps new_fd should stay NULL? */
4673 }
4675 /* Go past the current frame. */
4677 /* Go on to the previous frame. */
4679 /*
4680 * XXX - other apps have a bit more of a detailed message
4681 * for this, and instead of offering "OK" and "Cancel",
4682 * they offer things such as "Continue" and "Cancel";
4683 * we need an API for popping up alert boxes with
4684 * {Verb} and "Cancel".
4685 */
4694 }
4696 framenum--;
4698 /* Go on to the next frame. */
4707 }
4709 framenum++;
4710 }
4713 count++;
4715 /* Is this packet in the display? */
4717 /* Yes. Does it match the search criterion? */
4720 /* Error; our caller has reported the error. Go back to the frame
4721 where we started.
4722 XXX - This ends up selecting the start packet and reporting
4723 "success." Perhaps new_fd should stay NULL? */
4727 /* Yes. Go to the new frame. */
4730 }
4732 }
4735 /* We're back to the frame we were on originally, and that frame
4736 doesn't match the search filter. The search failed. */
4738 }
4739 }
4741 /* We're done scanning the packets; destroy the progress bar if it
4742 was created. */
4748 /* We found a frame that's displayed and that matches.
4749 Try to find and select the packet summary list row for that frame. */
4756 /* We didn't find a row corresponding to this frame.
4757 This means that the frame isn't being displayed currently,
4758 so we can't select it. */
4772 }
4774 bool
4776 {
4780 /* we don't have a loaded capture file - fix for bugs 11810 & 11989 */
4783 }
4788 /* we didn't find a packet with that packet number */
4791 }
4793 /* that packet currently isn't displayed */
4794 /* XXX - add it to the set of displayed packets? */
4796 /* We only want that exact frame, or no frames are displayed. */
4799 }
4801 /* There is no previous displayed frame, so this frame is
4802 * before the first displayed frame. Go to the first line,
4803 * which is the closest frame.
4804 */
4806 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the first displayed packet, %u.", fnumber, cf->first_displayed);
4809 /* The next displayed frame might be closer, we can do an
4810 * O(log n) binary search for the earliest displayed frame
4811 * in the open interval (fnumber, fnumber + delta).
4812 *
4813 * This is possibly overkill, we could just go to the previous
4814 * displayed frame.
4815 */
4824 /* We don't have a frame of that number, so search before it. */
4827 }
4828 /* We have a frame of that number. What's the displayed
4829 * frame before it? */
4831 /* The previous frame that passed the filter is also after
4832 * our target, so our answer is no later than that.
4833 */
4836 /* The previous displayed frame is before fnumber.
4837 * (We already know fnumber itself is not displayed.)
4838 * Is this frame itself displayed?
4839 */
4841 /* Yes. So this is our answer. */
4844 }
4845 /* No. So our answer, if any, is after this frame. */
4847 }
4848 }
4851 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the next displayed packet, %u.", fnumber, fdata->num);
4853 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the previous displayed packet, %u.", fnumber, fdata->prev_dis_num);
4855 }
4856 }
4857 }
4860 /* We didn't find a row corresponding to this frame.
4861 This means that the frame isn't being displayed currently,
4862 so we can't select it. */
4867 }
4869 }
4871 /*
4872 * Go to frame specified by currently selected protocol tree item.
4873 */
4874 bool
4876 {
4886 /* We probably only want to go to the exact match,
4887 * even though "Go to Previous Packet in History" exists.
4888 */
4890 }
4891 }
4892 }
4895 }
4897 /* Select the packet on a given row. */
4898 void
4900 {
4903 /* check the frame data struct pointer for this frame */
4906 }
4908 /* Get the data in that frame. */
4911 }
4913 /* Record that this frame is the current frame. */
4916 /*
4917 * The change to defer freeing the current epan_dissect_t was in
4918 * commit a2bb94c3b33d53f42534aceb7cc67aab1d1fb1f9; to quote
4919 * that commit's comment:
4920 *
4921 * Clear GtkTreeStore before freeing edt
4922 *
4923 * When building current data for packet details treeview we store two
4924 * things.
4925 * - Generated string with item label
4926 * - Pointer to node field_info structure
4927 *
4928 * After epan_dissect_{free, cleanup} pointer to field_info node is no
4929 * longer valid so we should clear GtkTreeStore before freeing.
4930 *
4931 * XXX - we're no longer using GTK+; is there a way to ensure that
4932 * *nothing* refers to any of the current frame information before
4933 * we replace it?
4934 */
4936 /* Create the logical protocol tree. */
4937 /* We don't need the columns here. */
4947 }
4949 /* Unselect the selected packet, if any. */
4950 void
4952 {
4955 /*
4956 * See the comment in cf_select_packet() about deferring the freeing
4957 * of the old cf->edt.
4958 */
4961 /* No packet is selected. */
4964 /* Destroy the epan_dissect_t for the unselected packet. */
4967 }
4969 /*
4970 * Mark a particular frame.
4971 */
4972 void
4974 {
4979 }
4980 }
4982 /*
4983 * Unmark a particular frame.
4984 */
4985 void
4987 {
4992 }
4993 }
4995 /*
4996 * Ignore a particular frame.
4997 */
4998 void
5000 {
5005 }
5006 }
5008 /*
5009 * Un-ignore a particular frame.
5010 */
5011 void
5013 {
5018 }
5019 }
5021 /*
5022 * Modify the section comment.
5023 */
5024 void
5026 {
5027 wtap_block_t shb_inf;
5030 /* Get the first SHB. */
5031 /* XXX - support multiple SHBs */
5034 /* Get the first comment from the SHB. */
5035 /* XXX - support multiple comments */
5036 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, 0, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5037 /* There's no comment - add one. */
5040 /* See if the comment has changed or not */
5044 }
5046 /* The comment has changed, let's update it */
5048 }
5049 /* Mark the file as having unsaved changes */
5051 }
5053 /*
5054 * Modify the section comments for a given section.
5055 */
5056 void
5058 {
5059 wtap_block_t shb_inf;
5064 /* Shouldn't happen. XXX: Report it if it does? */
5066 }
5074 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, i, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5075 /* There's no comment - add one. */
5079 /* See if the comment has changed or not */
5081 /* The comment has changed, let's update it */
5084 }
5086 }
5087 }
5088 /* We either transferred ownership of the comments or freed them
5089 * above, so free the array of strings but not the strings themselves. */
5092 /* If there are extra old comments, remove them. Start at the end. */
5096 }
5097 }
5099 /*
5100 * Get the packet block for a packet (record).
5101 * If the block has been edited, it returns the result of the edit,
5102 * otherwise it returns the block from the file.
5103 * NB. Caller must wtap_block_unref() the result when done.
5104 */
5105 wtap_block_t
5107 {
5108 /* If this block has been modified, fetch the modified version */
5114 wtap_block_t block;
5116 /* fetch record block */
5123 /* rec.block is owned by the record, steal it before it is gone. */
5129 }
5130 }
5132 /*
5133 * Update(replace) the block on a capture from a frame
5134 */
5135 bool
5137 {
5140 /* It's possible to further modify the modified block "in place" by doing
5141 * a call to cf_get_packet_block() that returns an already created modified
5142 * block, modifying that, and calling this function.
5143 * If the caller did that, then the block pointers will be equal.
5144 */
5146 /* No need to save anything here, the caller changes went right
5147 * onto the block.
5148 * Unfortunately we don't have a way to know how many comments were
5149 * in the block before the caller modified it, so tell the caller
5150 * it is its responsibility to update the comment count.
5151 */
5153 }
5164 }
5166 /* Either way, we have unsaved changes. */
5170 }
5172 /*
5173 * What types of comments does this capture file have?
5174 */
5175 uint32_t
5177 {
5180 /*
5181 * Does this file have any sections with at least one comment?
5182 */
5185 section_number++) {
5186 wtap_block_t shb_inf;
5191 /* Try to get the first comment from that SHB. */
5194 /* We succeeded, so this file has at least one section comment. */
5197 /* We don't need to search any more. */
5199 }
5200 }
5204 }
5206 /*
5207 * Add a resolved address to this file's list of resolved addresses.
5208 */
5209 bool
5211 {
5212 /*
5213 * XXX - support multiple resolved address lists, and add to the one
5214 * attached to this file?
5215 */
5219 /* OK, we have unsaved changes. */
5222 }
5231 /*
5232 * Save a capture to a file, in a particular format, saving either
5233 * all packets, all currently-displayed packets, or all marked packets.
5234 *
5235 * Returns true if it succeeds, false otherwise; if it fails, it pops
5236 * up a message box for the failure.
5237 */
5238 static bool
5241 {
5243 wtap_rec new_rec;
5246 wtap_block_t pkt_block;
5248 /* Copy the record information from what was read in from the file. */
5251 /* Make changes based on anything that the user has done but that
5252 hasn't been saved yet. */
5255 else
5263 }
5264 }
5266 /* and save the packet */
5271 }
5273 /* If we are saving (i.e., replacing the current file with the one we're
5274 * writing), then update the frame data to clear the shift offset.
5275 * This keeps us from having to re-read the entire file.
5276 * We could do this in rescan_file(), but
5277 * 1) Ideally we shouldn't have to call rescan_file if all we're doing
5278 * is changing the timestamps, since that shouldn't change the offsets.
5279 * 2) The long term goal is to try to do the offset adjustment here
5280 * instead of using rescan_file, which should be faster (#1257).
5281 *
5282 * If we're exporting to a different file, then don't do that.
5283 */
5286 }
5289 }
5291 /*
5292 * Can this capture file be written out in any format using Wiretap
5293 * rather than by copying the raw data?
5294 */
5295 bool
5297 {
5298 /* We don't care whether we support the comments in this file or not;
5299 if we can't, we'll offer the user the option of discarding the
5300 comments. */
5302 }
5304 /*
5305 * Should we let the user do a save?
5306 *
5307 * We should if:
5308 *
5309 * the file has unsaved changes, and we can save it in some
5310 * format through Wiretap
5311 *
5312 * or
5313 *
5314 * the file is a temporary file and has no unsaved changes (so
5315 * that "saving" it just means copying it).
5316 *
5317 * XXX - we shouldn't allow files to be edited if they can't be saved,
5318 * so cf->unsaved_changes should be true only if the file can be saved.
5319 *
5320 * We don't care whether we support the comments in this file or not;
5321 * if we can't, we'll offer the user the option of discarding the
5322 * comments.
5323 */
5324 bool
5326 {
5328 /* Saved changes, and we can write it out with Wiretap. */
5330 }
5333 /*
5334 * Temporary file with no unsaved changes, so we can just do a
5335 * raw binary copy.
5336 */
5338 }
5340 /* Nothing to save. */
5342 }
5344 /*
5345 * Should we let the user do a "save as"?
5346 *
5347 * That's true if:
5348 *
5349 * we can save it in some format through Wiretap
5350 *
5351 * or
5352 *
5353 * the file is a temporary file and has no unsaved changes (so
5354 * that "saving" it just means copying it).
5355 *
5356 * XXX - we shouldn't allow files to be edited if they can't be saved,
5357 * so cf->unsaved_changes should be true only if the file can be saved.
5358 *
5359 * We don't care whether we support the comments in this file or not;
5360 * if we can't, we'll offer the user the option of discarding the
5361 * comments.
5362 */
5363 bool
5365 {
5367 /* We can write it out with Wiretap. */
5369 }
5372 /*
5373 * Temporary file with no unsaved changes, so we can just do a
5374 * raw binary copy.
5375 */
5377 }
5379 /* Nothing to save. */
5381 }
5383 /*
5384 * Does this file have unsaved data?
5385 */
5386 bool
5388 {
5389 /*
5390 * If this is a temporary file, or a file with unsaved changes, it
5391 * has unsaved data.
5392 */
5394 }
5396 /*
5397 * Quick scan to find packet offsets.
5398 */
5399 static cf_read_status_t
5401 {
5402 wtap_rec rec;
5403 Buffer buf;
5417 /* Close the old handle. */
5420 /* Open the new file. */
5421 /* XXX: this will go through all open_routines for a matching one. But right
5422 now rescan_file() is only used when a file is being saved to a different
5423 format than the original, and the user is not given a choice of which
5424 reader to use (only which format to save it in), so doing this makes
5425 sense for now. (XXX: Now it is also used when saving a changed file,
5426 e.g. comments or time-shifted frames.) */
5431 }
5433 /* We're scanning a file whose contents should be the same as what
5434 we had before, so we don't discard dissection state etc.. */
5437 /* Set the file name because we need it to set the follow stream filter.
5438 XXX - is that still true? We need it for other reasons, though,
5439 in any case. */
5442 }
5445 /* Indicate whether it's a permanent or temporary file. */
5448 /* No user changes yet. */
5454 }
5463 /* Record the file's compression type.
5464 XXX - do we know this at open time? */
5467 /* Find the size of the file. */
5480 framenum++;
5484 }
5488 /* Create the progress bar if necessary. */
5493 }
5495 /*
5496 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
5497 * has elapsed. Calling update_progress_dlg and packets_bar_update will
5498 * likely trigger UI paint events, which might take a while depending on
5499 * the platform and display. Reset our timer *after* painting.
5500 */
5503 /* update the packet bar content on the first run or frequently on very large files */
5508 }
5509 }
5512 /* Well, the user decided to abort the rescan. Sadly, as this
5513 isn't a reread, recovering is difficult, so we'll just
5514 close the current capture. */
5516 }
5518 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
5519 it's not already there.
5520 XXX - yes, this is O(N), so if every packet had a different
5521 link-layer encapsulation type, it'd be O(N^2) to read the file, but
5522 there are probably going to be a small number of encapsulation types
5523 in a file. */
5526 }
5528 }
5532 /* Free the display name */
5535 /* We're done reading the file; destroy the progress bar if it was created. */
5540 /* We're done reading sequentially through the file. */
5543 /* Close the sequential I/O side, to free up memory it requires. */
5546 /* compute the time it took to load the file */
5549 /* Set the file encapsulation type now; we don't know what it is until
5550 we've looked at all the packets, as we don't know until then whether
5551 there's more than one type (and thus whether it's
5552 WTAP_ENCAP_PER_PACKET). */
5558 /* Our caller will give up at this point. */
5560 }
5563 /* Put up a message box noting that the read failed somewhere along
5564 the line. Don't throw out the stuff we managed to read, though,
5565 if any. */
5570 }
5572 cf_write_status_t
5574 wtap_compression_type compression_type,
5576 {
5585 SAVE_WITH_MOVE,
5586 SAVE_WITH_COPY,
5587 SAVE_WITH_WTAP
5589 save_callback_args_t callback_args;
5593 /* XXX caller should avoid saving the file while a read is pending
5594 * (e.g. by delaying the save action) */
5596 ws_warning("cf_save_records(\"%s\") while the file is being read, potential crash ahead", fname);
5597 }
5605 && (wtap_addrinfo_list_empty(addr_lists) || wtap_file_type_subtype_supports_block(save_format, WTAP_BLOCK_NAME_RESOLUTION) == BLOCK_NOT_SUPPORTED)) {
5606 /* We're saving in the format it's already in, and we're not discarding
5607 comments, and there are no changes we have in memory that aren't saved
5608 to the file, and we have no name resolution information to write or
5609 the file format we're saving in doesn't support writing name
5610 resolution information, so we can just move or copy the raw data. */
5613 /* The file being saved is a temporary file from a live
5614 capture, so it doesn't need to stay around under that name;
5615 first, try renaming the capture buffer file to the new name.
5616 This acts as a "safe save", in that, if the file already
5617 exists, the existing file will be removed only if the rename
5618 succeeds.
5620 Sadly, on Windows, as we have the current capture file
5621 open, even MoveFileEx() with MOVEFILE_REPLACE_EXISTING
5622 (to cause the rename to remove an existing target), as
5623 done by ws_stdio_rename() (ws_rename() is #defined to
5624 be ws_stdio_rename() on Windows) will fail.
5626 According to the MSDN documentation for CreateFile(), if,
5627 when we open a capture file, we were to directly do a CreateFile(),
5628 opening with FILE_SHARE_DELETE|FILE_SHARE_READ, and then
5629 convert it to a file descriptor with _open_osfhandle(),
5630 that would allow the file to be renamed out from under us.
5632 However, that doesn't work in practice. Perhaps the problem
5633 is that the process doing the rename is the process that
5634 has the file open. */
5635 #ifndef _WIN32
5637 /* That succeeded - there's no need to copy the source file. */
5641 /* They're on different file systems, so we have to copy the
5642 file. */
5645 /* The rename failed, but not because they're on different
5646 file systems - put up an error message. (Or should we
5647 just punt and try to copy? The only reason why I'd
5648 expect the rename to fail and the copy to succeed would
5649 be if we didn't have permission to remove the file from
5650 the temporary directory, and that might be fixable - but
5651 is it worth requiring the user to go off and fix it?) */
5654 }
5655 }
5656 #else
5657 /* Windows - copy the file to its new location. */
5659 #endif
5661 /* It's a permanent file, so we should copy it, and not remove the
5662 original. */
5664 }
5667 /* Copy the file, if we haven't moved it. If we're overwriting
5668 an existing file, we do it with a "safe save", by writing
5669 to a new file and, if the write succeeds, renaming the
5670 new file on top of the old file. */
5678 }
5679 }
5681 /* Either we're saving in a different format or we're saving changes,
5682 such as added, modified, or removed comments, that haven't yet
5683 been written to the underlying file; we can't do that by copying
5684 or moving the capture file, we have to do it by writing the packets
5685 out in Wiretap. */
5687 wtap_dump_params params;
5693 /* Determine what file encapsulation type we should use. */
5697 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5701 /* We're overwriting an existing file; write out to a new file,
5702 and, if that succeeds, rename the new file on top of the
5703 old file. That makes this a "safe save", so that we don't
5704 lose the old file if we have a problem writing out the new
5705 file. (If the existing file is the current capture file,
5706 we *HAVE* to do that, otherwise we're overwriting the file
5707 from which we're reading the packets that we're writing!) */
5714 }
5715 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5722 }
5724 /* Add address resolution */
5727 /* Iterate through the list of packets, processing all the packets. */
5735 /* Completed successfully. */
5739 /* The user decided to abort the saving.
5740 If we're writing to a temporary file, remove it.
5741 XXX - should we do so even if we're not writing to a
5742 temporary file? */
5751 /* Error while saving.
5752 If we're writing to a temporary file, remove it. */
5758 }
5764 }
5767 }
5770 /* We wrote out to fname_new, and should rename it on top of
5771 fname. fname_new is now closed, so that should be possible even
5772 on Windows. However, on Windows, we first need to close whatever
5773 file descriptors we have open for fname. */
5774 #ifdef _WIN32
5776 #endif
5777 /* Now do the rename. */
5779 /* Well, the rename failed. */
5781 #ifdef _WIN32
5782 /* Attempt to reopen the random file descriptor using the
5783 current file's filename. (At this point, the sequential
5784 file descriptor is closed.) */
5786 /* Oh, well, we're screwed. */
5788 }
5789 #endif
5791 }
5793 }
5795 /* If this was a temporary file, and we didn't do the save by doing
5796 a move, so the tempoary file is still around under its old name,
5797 remove it. */
5799 /* If this fails, there's not much we can do, so just ignore errors. */
5801 }
5810 /* We just moved the file, so the wtap structure refers to the
5811 new file, and all the information other than the filename
5812 and the "is temporary" status applies to the new file; just
5813 update that. */
5821 /* We just copied the file, so all the information other than
5822 the file descriptors, the filename, and the "is temporary"
5823 status applies to the new file; just update that. */
5825 /* Attempt to reopen the random file descriptor using the
5826 new file's filename. (At this point, the sequential
5827 file descriptor is closed.) */
5835 }
5840 /* Open and read the file we saved to.
5842 XXX - this is somewhat of a waste; we already have the
5843 packets, all this gets us is updated file type information
5844 (which we could just stuff into "cf"), and having the new
5845 file be the one we have opened and from which we're reading
5846 the data, and it means we have to spend time opening and
5847 reading the file, which could be a significant amount of
5848 time if the file is large.
5850 If the capture-file-writing code were to return the
5851 seek offset of each packet it writes, we could save that
5852 in the frame_data structure for the frame, and just open
5853 the file without reading it again...
5855 ...as long as, for gzipped files, the process of writing
5856 out the file *also* generates the information needed to
5857 support fast random access to the compressed file. */
5858 /* rescan_file will cause us to try all open_routines, so
5859 reset cfile's open_type */
5861 /* There are cases when SAVE_WITH_WTAP can result in new packets
5862 being written to the file, e.g ERF records
5863 In that case, we need to reload the whole file */
5867 /* The rescan failed; just close the file. Either
5868 a dialog was popped up for the failure, so the
5869 user knows what happened, or they stopped the
5870 rescan, in which case they know what happened. */
5871 /* XXX: This is inconsistent with normal open/reload behaviour. */
5873 }
5874 }
5875 }
5878 /* The rescan failed; just close the file. Either
5879 a dialog was popped up for the failure, so the
5880 user knows what happened, or they stopped the
5881 rescan, in which case they know what happened. */
5883 }
5884 }
5886 }
5888 /* If we were told to discard the comments, do so. */
5890 /* Remove SHB comment, if any. */
5893 /* remove all user comments */
5897 // XXX: This also ignores non-comment options like verdict
5899 }
5904 }
5907 }
5908 }
5911 fail:
5913 /* We were trying to write to a temporary file; get rid of it if it
5914 exists. (We don't care whether this fails, as, if it fails,
5915 there's not much we can do about it. I guess if it failed for
5916 a reason other than "it doesn't exist", we could report an
5917 error, so the user knows there's a junk file that they might
5918 want to clean up.) */
5921 }
5924 }
5926 cf_write_status_t
5929 wtap_compression_type compression_type)
5930 {
5935 save_callback_args_t callback_args;
5936 wtap_dump_params params;
5942 /* We're writing out specified packets from the specified capture
5943 file to another file. Even if all captured packets are to be
5944 written, don't special-case the operation - read each packet
5945 and then write it out if it's one of the specified ones. */
5949 /* Determine what file encapsulation type we should use. */
5953 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5957 /* We're overwriting an existing file; write out to a new file,
5958 and, if that succeeds, rename the new file on top of the
5959 old file. That makes this a "safe save", so that we don't
5960 lose the old file if we have a problem writing out the new
5961 file. (If the existing file is the current capture file,
5962 we *HAVE* to do that, otherwise we're overwriting the file
5963 from which we're reading the packets that we're writing!) */
5970 }
5971 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5978 }
5980 /* Add address resolution */
5983 /* Iterate through the list of packets, processing the packets we were
5984 told to process.
5986 XXX - we've already called "packet_range_process_init(range)", but
5987 "process_specified_records()" will do it again. Fortunately,
5988 that's harmless in this case, as we haven't done anything to
5989 "range" since we initialized it. */
5997 /* Completed successfully. */
6001 /* The user decided to abort the saving.
6002 If we're writing to a temporary file, remove it.
6003 XXX - should we do so even if we're not writing to a
6004 temporary file? */
6009 }
6015 /* Error while saving. */
6017 /*
6018 * We don't report any error from closing; the error that caused
6019 * process_specified_records() to fail has already been reported.
6020 */
6022 }
6027 }
6030 /* We wrote out to fname_new, and should rename it on top of
6031 fname; fname is now closed, so that should be possible even
6032 on Windows. Do the rename. */
6034 /* Well, the rename failed. */
6037 }
6039 }
6044 fail:
6046 /* We were trying to write to a temporary file; get rid of it if it
6047 exists. (We don't care whether this fails, as, if it fails,
6048 there's not much we can do about it. I guess if it failed for
6049 a reason other than "it doesn't exist", we could report an
6050 error, so the user knows there's a junk file that they might
6051 want to clean up.) */
6054 }
6058 }
6060 /* Reload the current capture file. */
6061 cf_status_t
6063 {
6072 }
6074 /* If the file could be opened, "cf_open()" calls "cf_close()"
6075 to get rid of state for the old capture file before filling in state
6076 for the new capture file. "cf_close()" will remove the file if
6077 it's a temporary file; we don't want that to happen (for one thing,
6078 it'd prevent subsequent reopens from working). Remember whether it's
6079 a temporary file, mark it as not being a temporary file, and then
6080 reopen it as the type of file it was.
6082 Also, "cf_close()" will free "cf->filename", so we must make
6083 a copy of it first. */
6092 /* Just because we got an error, that doesn't mean we were unable
6093 to read any of the file; we handle what we could get from the
6094 file. */
6098 /* The user bailed out of re-reading the capture file; the
6099 capture file has been closed. */
6101 }
6103 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
6104 Instead, the file was left open, so we should restore "cf->is_tempfile"
6105 ourselves.
6107 XXX - change the menu? Presumably "cf_open()" will do that;
6108 make sure it does! */
6111 }
6112 /* "cf_open()" made a copy of the file name we handed it, so
6113 we should free up our copy. */
6116 }