| blob | 2ebcefd779ed514809ada111b4e448a4a277f9a0 |
1 /* file.c
2 * File I/O routines
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
11 #include <config.h>
12 #define WS_LOG_DOMAIN LOG_DOMAIN_CAPTURE
14 #include <time.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <errno.h>
22 #include <wsutil/file_util.h>
23 #include <wsutil/filesystem.h>
24 #include <wsutil/json_dumper.h>
25 #include <wsutil/wslog.h>
26 #include <wsutil/ws_assert.h>
27 #include <wsutil/version_info.h>
28 #include <wsutil/report_message.h>
30 #include <wiretap/merge.h>
32 #include <epan/exceptions.h>
33 #include <epan/epan.h>
34 #include <epan/column.h>
35 #include <epan/packet.h>
36 #include <epan/column-utils.h>
37 #include <epan/expert.h>
38 #include <epan/prefs.h>
39 #include <epan/dfilter/dfilter.h>
40 #include <epan/epan_dissect.h>
41 #include <epan/tap.h>
42 #include <epan/timestamp.h>
43 #include <epan/strutil.h>
44 #include <epan/addr_resolv.h>
45 #include <epan/color_filters.h>
46 #include <epan/secrets.h>
60 /* Needed for addrinfo */
61 #include <sys/types.h>
63 #ifdef HAVE_SYS_SOCKET_H
64 #include <sys/socket.h>
65 #endif
67 #ifdef HAVE_NETINET_IN_H
68 # include <netinet/in.h>
69 #endif
71 #ifdef _WIN32
72 # include <winsock2.h>
73 # include <ws2tcpip.h>
74 #endif
80 static void rescan_packets(capture_file *cf, const char *action, const char *action_item, bool redissect);
83 MR_NOTMATCHED,
84 MR_MATCHED,
85 MR_ERROR
132 /* Seconds spent processing packets between pushing UI updates. */
133 #define PROGBAR_UPDATE_INTERVAL 0.150
135 /* Show the progress bar after this many seconds. */
136 #define PROGBAR_SHOW_DELAY 0.5
138 /*
139 * Maximum number of records we support in a file.
140 *
141 * It is, at most, the maximum value of a uint32_t, as we use a uint32_t
142 * for the frame number.
143 *
144 * We allow it to be set to a lower value; see issue #16908 for why
145 * we're doing this. Thanks, Qt!
146 */
149 void
151 {
153 }
155 /*
156 * We could probably use g_signal_...() instead of the callbacks below but that
157 * would require linking our CLI programs to libgobject and creating an object
158 * instance for the signals.
159 */
161 cf_callback_t cb_fct;
167 static void
169 {
173 /* there should be at least one interested */
180 }
181 }
183 void
185 {
193 }
195 void
197 {
207 }
209 }
212 }
214 unsigned long
216 {
218 }
220 static void
222 {
226 }
230 {
232 cap_file_provider_get_frame_ts,
233 cap_file_provider_get_interface_name,
234 cap_file_provider_get_interface_description,
235 cap_file_provider_get_modified_block
236 };
239 }
241 cf_status_t
243 {
251 /* The open succeeded. Close whatever capture file we had open,
252 and fill in the information for this file. */
255 /* Initialize the record metadata. */
258 /* XXX - we really want to initialize this after we've read all
259 the packets, so we know how much we'll ultimately need. */
262 /* We're about to start reading the file. */
265 /* If there was a pending redissection for the old file (there
266 * shouldn't be), clear it. cf_close() should have failed if the
267 * old file's read lock was held, but it doesn't hurt to clear it. */
274 /* Set the file name because we need it to set the follow stream filter.
275 XXX - is that still true? We need it for other reasons, though,
276 in any case. */
279 /* Indicate whether it's a permanent or temporary file. */
282 /* No user changes yet. */
300 /* Allocate a frame_data_sequence for the frames in this file */
309 /* Create new epan session for dissection.
310 * (The old one was freed in cf_close().)
311 */
323 fail:
326 }
328 /*
329 * Add an encapsulation type to cf->linktypes.
330 */
331 static void
333 {
339 }
340 /* It's not already there - add it. */
342 }
344 /* Reset everything to a pristine state */
345 void
347 {
352 /* Die if we're in the middle of reading a file. */
358 /* close things, if not already closed before */
364 }
365 /* We have no file open... */
367 /* If it's a temporary file, remove it. */
372 }
373 /* ...which means we have no changes to that file to save. */
376 /* no open_routine type */
379 /* Clean up the record metadata. */
382 /* Clear the packet list. */
387 /* Free up the packet buffer. */
395 }
399 }
404 /* No frames, no frame selected, no field in that frame selected. */
409 /* No frame link-layer types, either. */
413 }
423 /* We have no file open. */
427 }
429 /*
430 * true if the progress dialog doesn't exist and it looks like we'll
431 * take > PROGBAR_SHOW_DELAY (500ms) to load, false otherwise.
432 */
435 {
440 /* This only gets checked between reading records, which doesn't help if
441 * a single record takes a very long time, e.g., the first TLS packet if
442 * the SSLKEYLOGFILE is very large. (#17051) */
443 if ((elapsed * 2 > PROGBAR_SHOW_DELAY && (size / pos) >= 2) /* It looks like we're going to be slow. */
446 }
448 }
450 static float
451 calc_progbar_val(capture_file *cf, int64_t size, int64_t file_pos, char *status_str, unsigned long status_size)
452 {
458 /* The file probably grew while we were reading it.
459 * Update file size, and try again.
460 */
466 /* If it's still > 1, either "wtap_file_size()" failed (in which
467 * case there's not much we can do about it), or the file
468 * *shrank* (in which case there's not much we can do about
469 * it); just clip the progress value at 1.0.
470 */
473 }
480 }
482 cf_read_status_t
484 {
493 epan_dissect_t edt;
494 wtap_rec rec;
495 Buffer buf;
503 /* The update_progress_dlg call below might end up accepting a user request to
504 * trigger redissection/rescans which can modify/destroy the dissection
505 * context ("cf->epan"). That condition should be prevented by callers, but in
506 * case it occurs let's fail gracefully.
507 */
512 }
513 /* This is a full dissection, so clear any pending request for one. */
517 /* Compile the current display filter.
518 * The code it compiles to might have changed, e.g. if a display
519 * filter macro used has changed.
520 *
521 * We assume this will not fail since cf->dfilter is only set in
522 * cf_filter IFF the filter was valid.
523 * XXX - This is not necessarily true, if the filter has a FT_IPv4
524 * or FT_IPv6 field compared to a resolved hostname in it, because
525 * we do a new host lookup, and that *could* timeout this time
526 * (though with the read lock above we shouldn't have many lookups at
527 * once, reducing the chances of that)... (#19612)
528 */
532 }
537 /* The compiled dfilter might have a field reference; recompiling it
538 * means that the field references won't match anything. That's what
539 * we want since this is a new sequential read and we don't have
540 * a selected frame with a tree. (Will taps with filters with display
541 * references also have cleared display references?)
542 */
544 /* Get the union of the flags for all tap listeners. */
547 /*
548 * Determine whether we need to create a protocol tree.
549 * We do if:
550 *
551 * we're going to apply a display filter;
552 *
553 * one of the tap listeners is going to apply a filter;
554 *
555 * one of the tap listeners requires a protocol tree;
556 *
557 * a postdissector wants field values or protocols on
558 * the first pass.
559 */
560 create_proto_tree =
570 else
573 /* Record the file's compression type.
574 XXX - do we know this at open time? */
577 /* The packet list window will be empty until the file is completely loaded */
585 /* If the display filter or any tap listeners require the columns,
586 * construct them. */
590 /* Find the size of the file. */
593 /* If we are to ignore duplicate frames, we need a container to store
594 * hashes frame contents */
595 fifo_string_cache_t frame_dup_cache;
601 }
608 TRY {
619 /*
620 * Quit if we've already read the maximum number of
621 * records allowed.
622 */
625 }
628 /* Create the progress bar if necessary. */
633 }
635 /*
636 * Update the progress bar, but do it only after
637 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
638 * and packets_bar_update will likely trigger UI paint events, which
639 * might take a while depending on the platform and display. Reset
640 * our timer *after* painting.
641 */
644 /* update the packet bar content on the first run or frequently on very large files */
649 }
650 /*
651 * The previous GUI triggers should not have destroyed the running
652 * session. If that did happen, it could blow up when read_record tries
653 * to use the destroyed edt.session, so detect it right here.
654 */
656 }
659 /* Well, the user decided to exit Wireshark. Break out of the
660 loop, and let the code below (which is called even if there
661 aren't any packets left to read) exit. */
664 }
666 /* Well, the user decided to abort the read. He/She will be warned and
667 it might be enough for him/her to work with the already loaded
668 packets.
669 This is especially true for very large capture files, where you don't
670 want to wait loading the whole file (which may last minutes or even
671 hours even on fast machines) just to see that it was the wrong file. */
673 }
676 }
677 }
683 #if 0
684 /* Could we close the current capture and free up memory from that? */
685 #else
686 /* we have to terminate, as we cannot recover from the memory error */
688 #endif
689 }
690 ENDTRY;
692 // If we're ignoring duplicate frames, clear the data structures.
693 // We really could look at prefs.ignore_dup_frames here, but it's even
694 // safer to check if we had allocated 'cksum'.
698 }
700 /* We're done reading sequentially through the file. */
703 /* Destroy the progress bar if it was created. */
708 /* Free the display name */
715 /* Close the sequential I/O side, to free up memory it requires. */
718 /* Allow the protocol dissectors to free up memory that they
719 * don't need after the sequential run-through of the packets. */
722 /* compute the time it took to load the file */
725 /* Set the file encapsulation type now; we don't know what it is until
726 we've looked at all the packets, as we don't know until then whether
727 there's more than one type (and thus whether it's
728 WTAP_ENCAP_PER_PACKET). */
735 /* It is safe again to execute redissections or sort. */
741 else
744 /* If we have any displayed packets to select, select the first of those
745 packets by making the first row the selected row. */
748 }
751 /*
752 * Well, the user decided to exit Wireshark while reading this *offline*
753 * capture file (Live captures are handled by something like
754 * cf_continue_tail). Clean up accordingly.
755 */
759 }
762 /* Redissection was queued up. Clear the request and perform it now. */
765 }
775 }
778 /* Put up a message box noting that the read failed somewhere along
779 the line. Don't throw out the stuff we managed to read, though,
780 if any. */
790 "The command-line utility editcap can be used to split "
792 "The file contains more records than the maximum "
797 }
799 #ifdef HAVE_LIBPCAP
800 cf_read_status_t
803 {
806 epan_dissect_t edt;
810 /* Don't compile the current display filter. The current display filter
811 * text might compile to different code than when the capture started:
812 *
813 * If it has a IP address resolved name, calling get_host_ipaddr every
814 * time new packets arrive can mean a *lot* of gethostbyname calls
815 * in flight at once, eventually leading to a timeout (#19612).
816 * addr_resolv.c says that ares_gethostbyname is "usually interactive",
817 * unlike ares_gethostbyaddr (used in dissection), and violating that
818 * expectation is bad.
819 *
820 * If it has a display filter macro, the definition might have changed.
821 *
822 * If it has a field reference, the selected frame / current proto tree
823 * might have changed, and we don't have the old one. If we recompile,
824 * we can't set the field references to the old values.
825 *
826 * For a rescan, redissection, reload, retap, or opening a new file, we
827 * want to compile. What about here, when new frames have arrived in a live
828 * capture? We might be able to cache the host lookup, and a user might want
829 * the new display filter macro definition, but the user almost surely wants
830 * the field references to refer to values from the proto tree when the
831 * filter was applied, not whatever it happens to be now if the user has
832 * clicked on a different packet.
833 *
834 * To get the new compiled filter, the user should refilter.
835 */
837 /* Get the union of the flags for all tap listeners. */
840 /*
841 * Determine whether we need to create a protocol tree.
842 * We do if:
843 *
844 * we're going to apply a display filter;
845 *
846 * one of the tap listeners is going to apply a filter;
847 *
848 * one of the tap listeners requires a protocol tree;
849 *
850 * a postdissector wants field values or protocols on
851 * the first pass.
852 */
853 create_proto_tree =
859 /* Don't freeze/thaw the list when doing live capture */
860 /*packet_list_freeze();*/
864 TRY {
868 /* If the display filter or any tap listeners require the columns,
869 * construct them. */
878 }
880 /* Well, the user decided to exit Wireshark. Break out of the
881 loop, and let the code below (which is called even if there
882 aren't any packets left to read) exit. */
884 }
885 if (read_record(cf, rec, buf, cf->dfcode, &edt, cinfo, data_offset, frame_dup_cache, frame_cksum)) {
886 newly_displayed_packets++;
887 }
888 to_read--;
889 }
891 }
897 #if 0
898 /* Could we close the current capture and free up memory from that? */
900 #else
901 /* we have to terminate, as we cannot recover from the memory error */
903 #endif
904 }
905 ENDTRY;
907 /* Update the file encapsulation; it might have changed based on the
908 packets we've read. */
913 /* Don't freeze/thaw the list when doing live capture */
914 /*packet_list_thaw();*/
915 /* With the new packet list the first packet
916 * isn't automatically selected.
917 */
922 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
923 so that our caller can kill off the capture child process;
924 this will cause an EOF on the pipe from the child, so
925 "cf_finish_tail()" will be called, and it will clean up
926 and exit. */
929 /* We got an error reading the capture file.
930 XXX - pop up a dialog box instead? */
938 }
942 }
944 void
946 {
949 }
950 }
952 cf_read_status_t
955 {
959 epan_dissect_t edt;
963 /* All the comments above in cf_continue_tail apply regarding the
964 * current display filter.
965 */
967 /* Get the union of the flags for all tap listeners. */
970 /* If the display filter or any tap listeners require the columns,
971 * construct them. */
975 /*
976 * Determine whether we need to create a protocol tree.
977 * We do if:
978 *
979 * we're going to apply a display filter;
980 *
981 * one of the tap listeners is going to apply a filter;
982 *
983 * one of the tap listeners requires a protocol tree;
984 *
985 * a postdissector wants field values or protocols on
986 * the first pass.
987 */
988 create_proto_tree =
995 }
997 /* Don't freeze/thaw the list when doing live capture */
998 /*packet_list_freeze();*/
1004 /* Well, the user decided to abort the read. Break out of the
1005 loop, and let the code below (which is called even if there
1006 aren't any packets left to read) exit. */
1008 }
1011 }
1015 /* Don't freeze/thaw the list when doing live capture */
1016 /*packet_list_thaw();*/
1019 /* Well, the user decided to abort the read. We're only called
1020 when the child capture process closes the pipe to us (meaning
1021 it's probably exited), so we can just close the capture
1022 file; we return CF_READ_ABORTED so our caller can do whatever
1023 is appropriate when that happens. */
1026 }
1028 /* We're done reading sequentially through the file. */
1031 /* We're done reading sequentially through the file; close the
1032 sequential I/O side, to free up memory it requires. */
1035 /* Allow the protocol dissectors to free up memory that they
1036 * don't need after the sequential run-through of the packets. */
1039 /* Update the file encapsulation; it might have changed based on the
1040 packets we've read. */
1043 /* Update the details in the file-set dialog, as the capture file
1044 * has likely grown since we first stat-ed it */
1048 /* We got an error reading the capture file.
1049 XXX - pop up a dialog box? */
1057 }
1061 }
1062 }
1067 {
1070 /* Return a name to use in displays */
1072 /* Get the last component of the file name, and use that. */
1077 }
1079 /* The file we read is a temporary file from a live capture or
1080 a merge operation; we don't mention its name, but, if it's
1081 from a capture, give the source of the capture. */
1086 }
1087 }
1089 }
1093 {
1096 /* Return a name to use in the GUI for the basename for files to
1097 which we save statistics */
1099 /* Get the last component of the file name, and use that. */
1103 /* If the file name ends with any extension that corresponds
1104 to a file type we support - including compressed versions
1105 of those files - strip it off. */
1110 /* Does the file name end with that extension? */
1116 /* Yes. Strip the extension off, and return the result. */
1119 }
1120 }
1124 }
1126 /* The file we read is a temporary file from a live capture or
1127 a merge operation; we don't mention its name, but, if it's
1128 from a capture, give the source of the capture. */
1133 }
1134 }
1136 }
1138 void
1140 {
1143 }
1149 }
1150 }
1154 {
1157 }
1160 }
1162 /* XXX - use a macro instead? */
1163 int
1165 {
1167 }
1169 /* XXX - use a macro instead? */
1170 bool
1172 {
1174 }
1176 void
1178 {
1180 }
1183 /* XXX - use a macro instead? */
1184 void
1186 {
1188 }
1190 /* XXX - use a macro instead? */
1191 void
1193 {
1195 }
1197 /* XXX - use a macro instead? */
1198 bool
1200 {
1202 }
1204 /* XXX - use a macro instead? */
1205 uint32_t
1207 {
1209 }
1211 void
1213 {
1215 }
1217 static void
1221 {
1228 }
1229 #if 0
1230 /* Prepare coloring rules, this ensures that display filter rules containing
1231 * frame.color_rule references are still processed.
1232 * TODO: actually detect that situation or maybe apply other optimizations? */
1236 }
1237 #endif
1240 /* This is the first pass, so prime the epan_dissect_t with the
1241 hfids postdissectors want on the first pass. */
1243 }
1245 /* Initialize passed_dfilter here so that dissectors can hide packets. */
1246 /* XXX We might want to add a separate "visible" bit to frame_data instead. */
1249 /* Dissect the frame. */
1258 /* This frame passed the display filter but it may depend on other
1259 * (potentially not displayed) frames. Find those frames and mark them
1260 * as depended upon.
1261 */
1262 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
1263 }
1264 }
1269 }
1272 /* We fill the needed columns from new_packet_list */
1274 }
1277 {
1279 /* The only way we use prev_dis is to get the time stamp of
1280 * the previous displayed frame, so ignore it if it doesn't
1281 * have a time stamp, because we're presumably interested in
1282 * the timestamp of the previously displayed frame with a
1283 * time. XXX: What if in the future we want to use the previously
1284 * displayed frame for something else, too?
1285 */
1288 }
1290 /* If we haven't yet seen the first frame, this is it. */
1294 /* This is the last frame we've seen so far. */
1296 }
1299 }
1301 /*
1302 * Read in a new record.
1303 * Returns true if the packet was added to the packet (record) list,
1304 * false otherwise.
1305 */
1306 static bool
1310 {
1311 frame_data fdlocal;
1318 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
1319 it's not already there.
1320 XXX - yes, this is O(N), so if every packet had a different
1321 link-layer encapsulation type, it'd be O(N^2) to read the file, but
1322 there are probably going to be a small number of encapsulation types
1323 in a file. */
1326 }
1328 /* The frame number of this packet, if we add it to the set of frames,
1329 would be one more than the count of frames in the file so far. */
1333 epan_dissect_t rf_edt;
1340 }
1346 }
1351 /* This does a shallow copy of fdlocal, which is good enough. */
1359 // Should we check if the frame data is a duplicate, and thus, ignore
1360 // this frame?
1370 }
1371 }
1373 /* When a redissection is in progress (or queued), do not process packets.
1374 * This will be done once all (new) packets have been scanned. */
1377 }
1378 }
1381 }
1393 static bool
1397 {
1406 /* do nothing */
1410 /* do nothing */
1414 /* Get the sum of the sizes of all the files. */
1423 {
1424 /* Create the progress bar if necessary.
1425 We check on every iteration of the loop, so that it takes no
1426 longer than the standard time to create it (otherwise, for a
1427 large file, we might take considerably longer than that standard
1428 time in order to get to the next progress bar step). */
1432 }
1434 /*
1435 * Update the progress bar, but do it only after
1436 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
1437 * and packets_bar_update will likely trigger UI paint events, which
1438 * might take a while depending on the platform and display. Reset
1439 * our timer *after* painting.
1440 */
1444 /* Get the sum of the seek positions in all of the files. */
1450 /* Some file probably grew while we were reading it.
1451 That "shouldn't happen", so we'll just clip the progress
1452 value at 1.0. */
1454 }
1462 }
1464 }
1465 }
1469 /* We're done merging the files; destroy the progress bar if it was created. */
1474 }
1477 }
1481 cf_status_t
1485 {
1487 merge_progress_callback_t cb;
1490 /* prepare our callback routine */
1497 /* merge the files */
1499 in_filenames,
1509 /* Callers aren't expected to treat an error or an explicit abort
1510 differently - the merge code puts up error dialogs itself, so
1511 they don't have to. */
1515 }
1517 cf_status_t
1519 {
1525 /* if new filter equals old one, do nothing unless told to do so */
1526 /* XXX - The text can be the same without compiling to the same code.
1527 * (Macros, field references, etc.)
1528 */
1531 }
1536 /* The new filter is an empty filter (i.e., display all packets).
1537 * so leave dfcode==NULL
1538 */
1540 /*
1541 * We have a filter; make a copy of it (as we'll be saving it),
1542 * and try to compile it.
1543 */
1546 /* The attempt failed; report an error. */
1554 }
1556 /* Was it empty? */
1558 /* Yes - free the filter text, and set it to null. */
1561 }
1562 }
1564 /* We have a valid filter. Replace the current filter. */
1568 /* We'll recompile this when the rescan starts, or in cf_read()
1569 * if no file is open currently. However, if no file is open and
1570 * we start a new capture, we want to use this rather than
1571 * recompiling in cf_continue_tail() */
1575 /* Now rescan the packet list, applying the new filter, but not
1576 * throwing away information constructed on a previous pass.
1577 * If a dissection is already in progress, queue it.
1578 */
1587 }
1588 }
1589 }
1592 }
1594 void
1596 {
1598 /* Dissection in progress, signal redissection rather than rescanning. That
1599 * would destroy the current (in-progress) dissection in "cf_read" which
1600 * will cause issues when "cf_read" tries to add packets to the list.
1601 * If a previous rescan was requested, "upgrade" it to a full redissection.
1602 */
1604 }
1606 /* Redissection is (already) queued, wait for "cf_read" to finish. */
1607 /* XXX - what if whatever set and later clears read_lock is *not*
1608 * cf_read, e.g. process_specified_records ? We need to handle a
1609 * queued redissection there too like we do in cf_read.
1610 */
1612 }
1615 /* Restart dissection in case no cf_read is pending. */
1617 }
1618 }
1620 bool
1623 {
1630 }
1632 }
1634 bool
1637 {
1644 }
1646 }
1648 bool
1650 {
1652 }
1654 /* Rescan the list of packets, reconstructing the CList.
1656 "action" describes why we're doing this; it's used in the progress
1657 dialog box.
1659 "action_item" describes what we're doing; it's used in the progress
1660 dialog box.
1662 "redissect" is true if we need to make the dissectors reconstruct
1663 any state information they have (because a preference that affects
1664 some dissector has changed, meaning some dissector might construct
1665 its state differently from the way it was constructed the last time). */
1666 static void
1668 {
1669 /* Rescan packets new packet list */
1672 wtap_rec rec;
1673 Buffer buf;
1683 epan_dissect_t edt;
1696 }
1698 /* Rescan in progress, clear pending actions. */
1706 /* Compile the current display filter.
1707 * The code it compiles to might have changed, e.g. if a display
1708 * filter macro used has changed.
1709 *
1710 * We assume this will not fail since cf->dfilter is only set in
1711 * cf_filter IFF the filter was valid.
1712 * XXX - This is not necessarily true, if the filter has a FT_IPv4
1713 * or FT_IPv6 field compared to a resolved hostname in it, because
1714 * we do a new host lookup, and that *could* timeout this time
1715 * (though with the read lock above we shouldn't have many lookups at
1716 * once, reducing the chances of that)... (#19612)
1717 */
1721 }
1726 /* Do we have any tap listeners with filters? */
1729 /* Update references in filters (if any) for the protocol
1730 * tree corresponding to the currently selected frame in the GUI. */
1736 }
1741 }
1743 /* Get the union of the flags for all tap listeners. */
1746 /* If the display filter or any tap listeners require the columns,
1747 * construct them. */
1751 /*
1752 * Determine whether we need to create a protocol tree.
1753 * We do if:
1754 *
1755 * we're going to apply a display filter;
1756 *
1757 * one of the tap listeners is going to apply a filter;
1758 *
1759 * one of the tap listeners requires a protocol tree;
1760 *
1761 * we're redissecting and a postdissector wants field
1762 * values or protocols on the first pass.
1763 */
1764 create_proto_tree =
1770 /* Which frame, if any, is the currently selected frame?
1771 XXX - should the selected frame or the focus frame be the "current"
1772 frame, that frame being the one from which "Find Frame" searches
1773 start? */
1776 /* Mark frame num as not found */
1779 /* Freeze the packet list while we redo it, so we don't get any
1780 screen updates while it happens. */
1784 /* We need to re-initialize all the state information that protocols
1785 keep, because some preference that controls a dissector has changed,
1786 which might cause the state information to be constructed differently
1787 by that dissector. */
1789 /* We might receive new packets while redissecting, and we don't
1790 want to dissect those before their time. */
1793 /* 'reset' dissection session */
1796 /* All pointers in "per frame proto data" for the currently selected
1797 packet are allocated in wmem_file_scope() and deallocated in epan_free().
1798 Free them here to avoid unintended usage in packet_list_clear(). */
1800 }
1804 /* A new Lua tap listener may be registered in lua_prime_all_fields()
1805 called via epan_new() / init_dissection() when reloading Lua plugins. */
1808 }
1811 }
1813 /* We need to redissect the packets so we have to discard our old
1814 * packet list store. */
1817 }
1819 /* We don't yet know which will be the first and last frames displayed. */
1823 /* We currently don't display any packets */
1826 /* Iterate through the list of frames. Call a routine for each frame
1827 to check whether it should be displayed and, if so, add it to
1828 the display list. */
1837 /* Count of packets at which we've looked. */
1839 /* Progress so far. */
1845 /* no previous row yet */
1861 /*
1862 * Decryption secrets and name resolution blocks are read while
1863 * sequentially processing records and then passed to the dissector.
1864 * During redissection, the previous information is lost (see epan_free
1865 * above), but they are not read again from the file as only packet
1866 * records are re-read. Therefore reset the wtap secrets and name
1867 * resolution callbacks such that wtap resupplies the callbacks with
1868 * previously read information.
1869 */
1873 }
1878 /* Create the progress bar if necessary.
1879 We check on every iteration of the loop, so that it takes no
1880 longer than the standard time to create it (otherwise, for a
1881 large file, we might take considerably longer than that standard
1882 time in order to get to the next progress bar step). */
1886 progbar_val);
1888 /*
1889 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
1890 * has elapsed. Calling update_progress_dlg and packets_bar_update will
1891 * likely trigger UI paint events, which might take a while depending on
1892 * the platform and display. Reset our timer *after* painting.
1893 */
1895 /* let's not divide by zero. I should never be started
1896 * with count == 0, so let's assert that
1897 */
1905 }
1908 }
1912 /* A redissection was requested while an existing redissection was
1913 * pending. */
1915 }
1918 /* Well, the user decided to abort the filtering. Just stop.
1920 XXX - go back to the previous filter? Users probably just
1921 want not to wait for a filtering operation to finish;
1922 unless we cancel by having no filter, reverting to the
1923 previous filter will probably be even more expensive than
1924 continuing the filtering, as it involves going back to the
1925 beginning and filtering, and even with no filter we currently
1926 have to re-generate the entire clist, which is also expensive.
1928 I'm not sure what Network Monitor does, but it doesn't appear
1929 to give you an unfiltered display if you cancel. */
1931 }
1933 count++;
1936 /* Since all state for the frame was destroyed, mark the frame
1937 * as not visited, free the GSList referring to the state
1938 * data (the per-frame data itself was freed by
1939 * "init_dissection()"), and null out the GSList pointer. */
1942 }
1944 /* Frame dependencies from the previous dissection/filtering are no longer valid. */
1950 /* If the previous frame is displayed, and we haven't yet seen the
1951 selected frame, remember that frame - it's the closest one we've
1952 yet seen before the selected frame. */
1956 }
1960 add_to_packet_list);
1962 /* If this frame is displayed, and this is the first frame we've
1963 seen displayed after the selected frame, remember this frame -
1964 it's the closest one we've yet seen at or after the selected
1965 frame. */
1969 }
1974 }
1976 /* Remember this frame - it'll be the previous frame
1977 on the next pass through the loop. */
1981 }
1987 /* We are done redissecting the packet list. */
1992 /* Clear out what remains of the visited flags and per-frame data
1993 pointers.
1995 XXX - that may cause various forms of bogosity when dissecting
1996 these frames, as they won't have been seen by this sequential
1997 pass, but the only alternative I see is to keep scanning them
1998 even though the user requested that the scan stop, and that
1999 would leave the user stuck with an Wireshark grinding on
2000 until it finishes. Should we just stick them with that? */
2004 }
2005 }
2007 /* We're done filtering the packets; destroy the progress bar if it
2008 was created. */
2013 /* Unfreeze the packet list. */
2017 /* Compute the time it took to filter the file */
2022 /* It is safe again to execute redissections or sort. */
2029 /* The selected frame didn't pass the filter. */
2031 /* That's because there *was* no selected frame. Make the first
2032 displayed frame the current frame. */
2035 /* Find the nearest displayed frame to the selected frame (whether
2036 it's before or after that frame) and make that the current frame.
2037 If the next and previous displayed frames are equidistant from the
2038 selected frame, choose the next one. */
2044 /* No frame after the selected frame passed the filter, so we
2045 have to select the last displayed frame before the selected
2046 frame. */
2050 /* No frame before the selected frame passed the filter, so we
2051 have to select the first displayed frame after the selected
2052 frame. */
2056 /* Frames before and after the selected frame passed the filter, so
2057 we'll select the previous frame */
2060 }
2061 }
2062 }
2065 /* There are no frames displayed at all. */
2068 /* Either the frame that was selected passed the filter, or we've
2069 found the nearest displayed frame to that frame. Select it, make
2070 it the focus row, and make it visible. */
2071 /* Set to invalid to force update of packet list and packet details */
2076 /* We didn't find a row corresponding to this frame.
2077 This means that the frame isn't being displayed currently,
2078 so we can't select it. */
2082 }
2083 }
2084 }
2086 /* If another rescan (due to dfilter change) or redissection (due to profile
2087 * change) was requested, the rescan above is aborted and restarted here. */
2091 }
2092 }
2095 /*
2096 * Scan through all frame data and recalculate the ref time
2097 * without rereading the file.
2098 * XXX - do we need a progress bar or is this fast enough?
2099 */
2100 void
2102 {
2105 nstime_t rel_ts;
2114 /* just add some value here until we know if it is being displayed or not */
2117 /*
2118 * Timestamps
2119 */
2122 /* If we don't have the time stamp of the first packet in the
2123 capture, it's because this is the first packet. Save the time
2124 stamp of this packet as the time stamp of the first packet. */
2127 /* if this frames is marked as a reference time frame, reset
2128 firstsec and firstusec to this frame */
2132 /* Get the time elapsed between the first packet and this one. */
2136 /* If it's greater than the current elapsed time, set the elapsed
2137 time to it (we check for "greater than" so as not to be
2138 confused by time moving backwards). */
2140 || ((int32_t)cf->elapsed_time.secs == rel_ts.secs && (int32_t)cf->elapsed_time.nsecs < rel_ts.nsecs)) {
2142 }
2144 /* If this frame is displayed, get the time elapsed between the
2145 previous displayed packet and this packet. */
2146 /* XXX: What if in the future we want to use the previously
2147 * displayed frame for something else, too? Then we'd want
2148 * to store this frame as prev_dis even if it doesn't have a
2149 * timestamp. */
2151 /* If we don't have the time stamp of the previous displayed
2152 packet, it's because this is the first displayed packet.
2153 Save the time stamp of this packet as the time stamp of
2154 the previous displayed packet. */
2157 }
2161 }
2163 /* If this frame doesn't have a timestamp, don't calculate
2164 anything with relative times. */
2165 /* However, if this frame is marked as a reference time frame,
2166 clear the reference frame so that the next frame with a
2167 timestamp becomes the reference frame. */
2170 }
2171 }
2173 /*
2174 * Byte counts
2175 */
2177 /* This frame either passed the display filter list or is marked as
2178 a time reference frame. All time reference frames are displayed
2179 even if they don't pass the display filter */
2181 /* if this was a TIME REF frame we should reset the cum_bytes field */
2185 /* increase cum_bytes with this packets length */
2187 }
2188 }
2189 }
2190 }
2193 PSP_FINISHED,
2194 PSP_STOPPED,
2195 PSP_FAILED
2198 static psp_return_t
2205 {
2208 wtap_rec rec;
2209 Buffer buf;
2217 range_process_e process_this;
2223 /* Count of packets at which we've looked. */
2225 /* Progress so far. */
2228 /* XXX - It should be ok to have multiple readers, so long as nothing
2229 * frees the epan context, e.g. rescan_packets with redissect true,
2230 * or anything that closes the file (including reload and certain forms
2231 * of saving.) This is mostly to stop cf_save_records but should probably
2232 * be handled by callers in order to allow multiple readers (e.g.,
2233 * restarting taps after adding or changing one.) We should probably
2234 * make this a real reader-writer lock.
2235 */
2239 }
2247 /* Iterate through all the packets, printing the packets that
2248 were selected by the current display filter. */
2252 /* Create the progress bar if necessary.
2253 We check on every iteration of the loop, so that it takes no
2254 longer than the standard time to create it (otherwise, for a
2255 large file, we might take considerably longer than that standard
2256 time in order to get to the next progress bar step). */
2259 terminate_is_stop,
2261 progbar_val);
2263 /*
2264 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
2265 * has elapsed. Calling update_progress_dlg and packets_bar_update will
2266 * likely trigger UI paint events, which might take a while depending on
2267 * the platform and display. Reset our timer *after* painting.
2268 */
2270 /* let's not divide by zero. I should never be started
2271 * with count == 0, so let's assert that
2272 */
2281 }
2284 /* Well, the user decided to abort the operation. Just stop,
2285 and arrange to return PSP_STOPPED to our caller, so they know
2286 it was stopped explicitly. */
2289 }
2291 progbar_count++;
2294 /* do we have to process this packet? */
2297 /* this packet uninteresting, continue with next one */
2300 /* all interesting packets processed, stop the loop */
2302 }
2303 }
2305 /* Get the packet */
2307 /* Attempt to get the packet failed. */
2310 }
2311 /* Process the packet */
2313 /* Callback failed. We assume it reported the error appropriately. */
2316 }
2318 }
2320 /* We're done printing the packets; destroy the progress bar if
2321 it was created. */
2333 }
2336 epan_dissect_t edt;
2340 static bool
2343 {
2352 }
2354 cf_read_status_t
2356 {
2357 packet_range_t range;
2358 retap_callback_args_t callback_args;
2362 psp_return_t ret;
2364 /* Presumably the user closed the capture file. */
2367 }
2369 /* XXX - If cf->read_lock is true, process_specified_records will fail
2370 * due to a nested call. We fail here so that we don't reset the tap
2371 * listeners if this tap isn't going to succeed.
2372 */
2376 }
2380 /* Do we have any tap listeners with filters? */
2383 /* Update references in filters (if any) for the protocol
2384 * tree corresponding to the currently selected frame in the GUI. */
2385 /* XXX - What if we *don't* have a currently selected frame in the GUI,
2386 * but we did the last time we loaded field references? Then they'll
2387 * match something instead of nothing (unless they've been recompiled).
2388 * Should we have a way to clear the field references even with a NULL tree?
2389 */
2393 }
2395 /* Get the union of the flags for all tap listeners. */
2398 /* If any tap listeners require the columns, construct them. */
2401 /*
2402 * Determine whether we need to create a protocol tree.
2403 * We do if:
2404 *
2405 * one of the tap listeners is going to apply a filter;
2406 *
2407 * one of the tap listeners requires a protocol tree.
2408 */
2409 create_proto_tree =
2412 /* Reset the tap listeners. */
2418 /* Iterate through the list of packets, dissecting all packets and
2419 re-running the taps. */
2424 /* We're not done with the sequential read of the file and might
2425 * add more frames while process_specified_records is going. We
2426 * don't want to tap new frames twice, so limit the range to the
2427 * frames already here.
2428 *
2429 * cf_read sets read_lock so we don't tap in case of an offline
2430 * file, but cf_continue_tail and cf_finish_tail don't, and we
2431 * don't want them to, because tapping new packets in a live
2432 * capture is a common use case.
2433 *
2434 * Note that most other users of process_specified_records (saving,
2435 * printing) do want to process new packets, unlike taps.
2436 */
2442 /* range_t treats a missing number as meaning 1, not 0, and
2443 * reverses the order if backwards; thus the syntax -0 means
2444 * 0-1, so to only take zero packets we do this.
2445 */
2447 }
2449 }
2462 /* Completed successfully. */
2466 /* Well, the user decided to abort the refiltering.
2467 Return CF_READ_ABORTED so our caller knows they did that. */
2471 /* Error while retapping. */
2473 }
2477 }
2491 epan_dissect_t edt;
2494 static bool
2497 {
2509 /* Fill in the column information if we're printing the summary
2510 information. */
2526 /*
2527 * Print another header line if we print a packet summary on the
2528 * new page.
2529 */
2536 }
2537 }
2539 /*
2540 * We generate bookmarks, if the output format supports them.
2541 * The name is "__frameN__".
2542 */
2552 }
2558 /* Find the length of the string for this column. */
2563 /* Make sure there's room in the line buffer for the column; if not,
2564 double its length. */
2571 }
2573 /* Right-justify the packet number column. */
2576 else
2581 }
2584 /*
2585 * Generate a bookmark, using the summary line as the title.
2586 */
2594 /*
2595 * Generate a bookmark, using "Frame N" as the title, as we're not
2596 * printing the summary line.
2597 */
2600 bookmark_title))
2606 /* Separate the summary line from the tree with a blank line. */
2609 }
2611 /* Print the information in that tree. */
2617 /* Print a blank line if we print anything after this (aka more than one packet). */
2620 /* Print a header line if we print any more packet summaries */
2623 }
2626 if (args->print_args->print_summary || (args->print_args->print_dissections != print_dissections_none)) {
2629 }
2630 /* Print the full packet data as hex. */
2634 /* Print a blank line if we print anything after this (aka more than one packet). */
2637 /* Print a header line if we print any more packet summaries */
2644 /* do we want to have a formfeed between each packet from now on? */
2647 }
2651 fail:
2654 }
2656 cf_print_status_t
2659 {
2660 print_callback_args_t callback_args;
2665 psp_return_t ret;
2685 }
2688 /* We're printing packet summaries. Allocate the header line buffer
2689 and get the column widths. */
2692 /* Find the number of visible columns and the last visible column */
2701 num_visible_col++;
2703 }
2704 }
2706 /* if num_visible_col is 0, we are done */
2710 }
2712 /* Find the widths for each of the columns - maximum of the
2713 width of the title and the width of the data - and construct
2714 a buffer with a line containing the column titles. */
2731 /* Save the order of visible columns */
2734 /* Don't pad the last column. */
2742 }
2744 /* Find the length of the string for this column. */
2749 /* Make sure there's room in the line buffer for the column; if not,
2750 double its length. */
2758 }
2760 /* Right-justify the packet number column. */
2761 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER || cf->cinfo.col_fmt[i] == COL_NUMBER_DIS)
2762 snprintf(cp, column_len+1, "%*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2763 else*/
2764 snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2769 visible_col_count++;
2770 }
2773 /* Now start out the main line buffer with the same length as the
2774 header line buffer. */
2779 /* Create the protocol tree, and make it visible, if we're printing
2780 the dissection or the hex data.
2781 XXX - do we need it if we're just printing the hex data? */
2782 proto_tree_needed =
2788 /* Iterate through the list of packets, printing the packets we were
2789 told to print. */
2802 /* Completed successfully. */
2806 /* Well, the user decided to abort the printing.
2808 XXX - note that what got generated before they did that
2809 will get printed if we're piping to a print program; we'd
2810 have to write to a file and then hand that to the print
2811 program to make it actually not print anything. */
2815 /* Error while printing.
2817 XXX - note that what got generated before they did that
2818 will get printed if we're piping to a print program; we'd
2819 have to write to a file and then hand that to the print
2820 program to make it actually not print anything. */
2823 }
2828 }
2834 }
2838 epan_dissect_t edt;
2840 json_dumper jdumper;
2843 static bool
2846 {
2849 /* Create the protocol tree, but don't fill in the column information. */
2854 /* Write out the information in that tree. */
2860 }
2862 cf_print_status_t
2864 {
2865 write_packet_callback_args_t callback_args;
2867 psp_return_t ret;
2877 }
2883 /* Iterate through the list of packets, printing the packets we were
2884 told to print. */
2894 /* Completed successfully. */
2898 /* Well, the user decided to abort the printing. */
2902 /* Error while printing. */
2905 }
2911 }
2913 /* XXX - check for an error */
2917 }
2919 static bool
2922 {
2925 /* Fill in the column information */
2932 /* Write out the column information. */
2938 }
2940 cf_print_status_t
2942 {
2943 write_packet_callback_args_t callback_args;
2945 psp_return_t ret;
2957 }
2962 /* Fill in the column information, only create the protocol tree
2963 if having custom columns or field extractors. */
2967 /* Iterate through the list of packets, printing the packets we were
2968 told to print. */
2978 /* Completed successfully. */
2982 /* Well, the user decided to abort the printing. */
2986 /* Error while printing. */
2989 }
2995 }
2997 /* XXX - check for an error */
3001 }
3003 static bool
3006 {
3009 /* Fill in the column information */
3016 /* Write out the column information. */
3022 }
3024 cf_print_status_t
3026 {
3027 write_packet_callback_args_t callback_args;
3030 psp_return_t ret;
3040 }
3045 /* only create the protocol tree if having custom columns or field extractors. */
3049 /* Iterate through the list of packets, printing the packets we were
3050 told to print. */
3060 /* Completed successfully. */
3064 /* Well, the user decided to abort the printing. */
3068 /* Error while printing. */
3071 }
3073 /* XXX - check for an error */
3077 }
3079 static bool
3082 {
3092 }
3094 cf_print_status_t
3096 {
3097 write_packet_callback_args_t callback_args;
3099 psp_return_t ret;
3109 }
3115 /* Iterate through the list of packets, printing the packets we were
3116 told to print. */
3126 /* Completed successfully. */
3129 /* Well, the user decided to abort the printing. */
3132 /* Error while printing. */
3135 }
3139 }
3141 static bool
3144 {
3147 /* Create the protocol tree, but don't fill in the column information. */
3152 /* Write out the information in that tree. */
3161 }
3163 cf_print_status_t
3165 {
3166 write_packet_callback_args_t callback_args;
3168 psp_return_t ret;
3178 }
3184 /* Iterate through the list of packets, printing the packets we were
3185 told to print. */
3195 /* Completed successfully. */
3199 /* Well, the user decided to abort the printing. */
3203 /* Error while printing. */
3206 }
3212 }
3214 /* XXX - check for an error */
3218 }
3220 bool
3223 {
3224 match_data mdata;
3237 }
3241 }
3242 }
3244 }
3246 field_info*
3248 {
3249 match_data mdata;
3256 /* Iterate through all the nodes looking for matching text */
3261 }
3264 }
3266 static match_result
3269 {
3271 epan_dissect_t edt;
3273 /* Load the frame's data. */
3275 /* Attempt to get the packet failed. */
3277 }
3279 /* Construct the protocol tree, including the displayed text */
3281 /* We don't need the column information */
3286 /* Iterate through all the nodes, seeing if they have text that matches. */
3291 /* We don't care about the direction here, because we're just looking
3292 * for one match and we'll destroy this tree anyway. (We find the actual
3293 * field later in PacketList::selectionChanged().) Forwards is faster.
3294 */
3298 }
3300 static void
3302 {
3315 /* dissection with an invisible proto tree? */
3319 /* We already had a match; don't bother doing any more work. */
3321 }
3323 /* Don't match invisible entries. */
3328 /* Haven't found the old match, so don't match this node. */
3330 /* Found the old match, look for the next one after this. */
3332 }
3334 /* was a free format label produced? */
3338 /* no, make a generic label */
3341 }
3348 }
3350 /* Case insensitive match */
3358 /* If c_match is non-zero, save candidate for retrying full match. */
3362 c_match++;
3366 /* No need to look further; we have a match */
3368 }
3375 }
3377 /* Case sensitive match */
3381 }
3382 }
3384 /* Recurse into the subtree, if it exists */
3387 }
3389 static void
3391 {
3404 /* dissection with an invisible proto tree? */
3407 /* We don't have an easy way to search backwards in the tree
3408 * (see also, proto_find_field_from_offset()) because we don't
3409 * have a previous node pointer, so we search backwards by
3410 * searching forwards, only stopping if we see the old match
3411 * (if we have one).
3412 */
3416 }
3418 /* Don't match invisible entries. */
3423 /* Found the old match, use the previous match. */
3426 }
3428 /* was a free format label produced? */
3432 /* no, make a generic label */
3435 }
3441 }
3443 /* Case insensitive match */
3451 /* If c_match is non-zero, save candidate for retrying full match. */
3455 c_match++;
3460 }
3467 }
3469 /* Case sensitive match */
3472 }
3474 /* Recurse into the subtree, if it exists */
3477 }
3479 bool
3481 search_direction dir)
3482 {
3483 match_data mdata;
3488 }
3490 static match_result
3493 {
3497 epan_dissect_t edt;
3506 /* Load the frame's data. */
3508 /* Attempt to get the packet failed. */
3510 }
3512 /* Don't bother constructing the protocol tree */
3514 /* Get the column information */
3519 /* Find the Info column */
3522 /* Found it. See if we match. */
3529 }
3531 /* Case insensitive match */
3538 /* If c_match is non-zero, save candidate for retrying full match. */
3542 c_match++;
3546 }
3553 }
3555 /* Case sensitive match */
3557 }
3559 }
3560 }
3563 }
3572 /*
3573 * The current match_* routines only support ASCII case insensitivity and don't
3574 * convert UTF-8 inputs to UTF-16 for matching. The UTF-16 support just
3575 * interleaves with \0 bytes, which works for 7 bit ASCII.
3576 *
3577 * We could modify them to use the GLib Unicode routines or the International
3578 * Components for Unicode library but it's not apparent that we could do so
3579 * without consuming a lot more CPU and memory or that searching would be
3580 * significantly better.
3581 *
3582 * XXX: We could test the search string to see if it's all ASCII, and if not
3583 * use Unicode aware routines for case insensitive searches or any UTF-16
3584 * search.
3585 */
3587 bool
3590 {
3591 cbs_t info;
3594 ws_match_function match_function;
3599 /* Regex, String or hex search? */
3601 /* Regular Expression search */
3604 /* String search - what type of string? */
3614 match_function = (cf->dir == SD_FORWARD) ? match_narrow_and_wide_case : match_narrow_and_wide_case_reverse;
3628 }
3634 match_function = (cf->dir == SD_FORWARD) ? match_narrow_and_wide : match_narrow_and_wide_reverse;
3638 /* Narrow, case-sensitive match is the same as looking
3639 * for a converted hexstring. */
3650 }
3651 }
3654 }
3657 /* Use the current frame (this will perform the equivalent of
3658 * cf_read_current_record() in match_function).
3659 */
3664 /* The regex match can match an empty string. */
3666 fi = proto_find_field_from_offset(cf->edt->tree, cf->search_pos + cf->search_len - 1, cf->edt->tvb);
3667 }
3671 }
3674 }
3675 }
3679 }
3681 static match_result
3684 {
3688 match_result result;
3695 /* Load the frame's data. */
3697 /* Attempt to get the packet failed. */
3699 }
3707 /* we want to start searching one byte past the previous match start */
3709 }
3713 /* Try narrow match at this start location */
3718 c_match++;
3721 /* Save position and length for highlighting the field. */
3725 }
3728 }
3729 }
3731 /* Now try wide match at the same start location. */
3736 c_match++;
3739 /* Save position and length for highlighting the field. */
3743 }
3744 i++;
3748 }
3749 }
3750 }
3752 done:
3754 }
3756 static match_result
3759 {
3763 match_result result;
3770 /* Load the frame's data. */
3772 /* Attempt to get the packet failed. */
3774 }
3777 /* Has to be room to hold the sought data. */
3780 }
3786 /* we want to start searching one byte before the previous match start */
3788 }
3792 /* Try narrow match at this start location */
3797 c_match++;
3800 /* Save position and length for highlighting the field. */
3804 }
3807 }
3808 }
3810 /* Now try wide match at the same start location. */
3815 c_match++;
3818 /* Save position and length for highlighting the field. */
3822 }
3823 i++;
3827 }
3828 }
3829 }
3831 done:
3833 }
3835 /* Case insensitive match */
3836 static match_result
3839 {
3844 match_result result;
3851 /* Load the frame's data. */
3853 /* Attempt to get the packet failed. */
3855 }
3865 /* we want to start searching one byte past the previous match start */
3867 }
3871 /* Try narrow match at this start location */
3876 c_match++;
3879 /* Save position and length for highlighting the field. */
3883 }
3886 }
3887 }
3889 /* Now try wide match at the same start location. */
3894 c_match++;
3897 /* Save position and length for highlighting the field. */
3901 }
3902 i++;
3906 }
3907 }
3908 }
3910 done:
3912 }
3914 static match_result
3917 {
3922 match_result result;
3929 /* Load the frame's data. */
3931 /* Attempt to get the packet failed. */
3933 }
3938 /* Has to be room to hold the sought data. */
3941 }
3947 /* we want to start searching one byte before the previous match start */
3949 }
3953 /* Try narrow match at this start location */
3958 c_match++;
3961 /* Save position and length for highlighting the field. */
3965 }
3968 }
3969 }
3971 /* Now try wide match at the same start location. */
3976 c_match++;
3979 /* Save position and length for highlighting the field. */
3983 }
3984 i++;
3988 }
3989 }
3990 }
3992 done:
3994 }
3996 /* Case insensitive match */
3997 static match_result
4000 {
4005 match_result result;
4012 /* Load the frame's data. */
4014 /* Attempt to get the packet failed. */
4016 }
4026 /* we want to start searching one byte past the previous match start */
4028 }
4036 c_match++;
4038 /* Save position and length for highlighting the field. */
4043 }
4046 }
4047 }
4048 }
4050 done:
4052 }
4054 static match_result
4057 {
4062 match_result result;
4069 /* Load the frame's data. */
4071 /* Attempt to get the packet failed. */
4073 }
4078 /* Has to be room to hold the sought data. */
4081 }
4087 /* we want to start searching one byte before the previous match start */
4089 }
4097 c_match++;
4099 /* Save position and length for highlighting the field. */
4104 }
4107 }
4108 }
4109 }
4111 done:
4113 }
4115 static match_result
4118 {
4122 match_result result;
4129 /* Load the frame's data. */
4131 /* Attempt to get the packet failed. */
4133 }
4141 /* we want to start searching one byte past the previous match start */
4143 }
4151 c_match++;
4154 /* Save position and length for highlighting the field. */
4158 }
4159 i++;
4163 }
4164 }
4165 }
4167 done:
4169 }
4171 static match_result
4174 {
4178 match_result result;
4185 /* Load the frame's data. */
4187 /* Attempt to get the packet failed. */
4189 }
4192 /* Has to be room to hold the sought data. */
4195 }
4201 /* we want to start searching one byte before the previous match start */
4203 }
4211 c_match++;
4214 /* Save position and length for highlighting the field. */
4218 }
4219 i++;
4223 }
4224 }
4225 }
4227 done:
4229 }
4231 /* Case insensitive match */
4232 static match_result
4235 {
4240 match_result result;
4247 /* Load the frame's data. */
4249 /* Attempt to get the packet failed. */
4251 }
4261 /* we want to start searching one byte past the previous match start */
4263 }
4271 c_match++;
4274 /* Save position and length for highlighting the field. */
4278 }
4279 i++;
4283 }
4284 }
4285 }
4287 done:
4289 }
4291 /* Case insensitive match */
4292 static match_result
4295 {
4300 match_result result;
4307 /* Load the frame's data. */
4309 /* Attempt to get the packet failed. */
4311 }
4316 /* Has to be room to hold the sought data. */
4319 }
4325 /* we want to start searching one byte before the previous match start */
4327 }
4335 c_match++;
4338 /* Save position and length for highlighting the field. */
4342 }
4343 i++;
4347 }
4348 }
4349 }
4351 done:
4353 }
4355 static match_result
4358 {
4361 match_result result;
4364 /* Load the frame's data. */
4366 /* Attempt to get the packet failed. */
4368 }
4374 /* we want to start searching one byte past the previous match start */
4376 }
4379 }
4382 /* Save position and length for highlighting the field. */
4385 }
4388 }
4390 static match_result
4393 {
4396 match_result result;
4399 /* Load the frame's data. */
4401 /* Attempt to get the packet failed. */
4403 }
4407 /* Has to be room to hold the sought data. */
4410 }
4413 /* we want to start searching one byte before the previous match start */
4415 }
4421 /* Save position and length for highlighting the field. */
4425 }
4426 }
4429 }
4431 static match_result
4434 {
4438 /* Load the frame's data. */
4440 /* Attempt to get the packet failed. */
4442 }
4446 /* we want to start searching one byte past the previous match start */
4448 }
4453 result_pos)) {
4454 //TODO: A chosen regex can match the empty string (zero length)
4455 // which doesn't make a lot of sense for searching the packet bytes.
4456 // Should we search with the PCRE2_NOTEMPTY option?
4457 //TODO: Fix cast.
4458 /* Save position and length for highlighting the field. */
4462 }
4463 }
4465 }
4467 static match_result
4470 {
4474 /* Load the frame's data. */
4476 /* Attempt to get the packet failed. */
4478 }
4482 /* we want to start searching one byte before the previous match */
4484 }
4489 result_pos)) {
4490 //TODO: A chosen regex can match the empty string (zero length)
4491 // which doesn't make a lot of sense for searching the packet bytes.
4492 // Should we search with the PCRE2_NOTEMPTY option?
4493 //TODO: Fix cast.
4494 /* Save position and length for highlighting the field. */
4499 }
4500 }
4502 }
4504 bool
4506 search_direction dir)
4507 {
4509 }
4511 bool
4513 search_direction dir)
4514 {
4519 /*
4520 * XXX - this shouldn't happen, as the filter string is machine
4521 * generated
4522 */
4524 }
4526 /*
4527 * XXX - this shouldn't happen, as the filter string is machine
4528 * generated.
4529 */
4531 }
4535 }
4537 static match_result
4540 {
4542 epan_dissect_t edt;
4543 match_result result;
4545 /* Load the frame's data. */
4547 /* Attempt to get the packet failed. */
4549 }
4559 }
4561 bool
4563 {
4565 }
4567 static match_result
4570 {
4572 }
4574 bool
4576 {
4578 }
4580 static match_result
4583 {
4585 }
4587 static bool
4590 {
4595 wtap_rec rec;
4596 Buffer buf;
4605 match_result result;
4616 }
4618 /* Iterate through the list of packets, starting at the packet we've
4619 picked, calling a routine to run the filter on the packet, see if
4620 it matches, and stop if so. */
4624 /* If we have no start packet selected, and we're going backwards,
4625 * start at the end (even if wrap is off.)
4626 */
4628 }
4631 /* Progress so far. */
4637 /* Create the progress bar if necessary.
4638 We check on every iteration of the loop, so that it takes no
4639 longer than the standard time to create it (otherwise, for a
4640 large file, we might take considerably longer than that standard
4641 time in order to get to the next progress bar step). */
4646 /*
4647 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
4648 * has elapsed. Calling update_progress_dlg and packets_bar_update will
4649 * likely trigger UI paint events, which might take a while depending on
4650 * the platform and display. Reset our timer *after* painting.
4651 */
4653 /* let's not divide by zero. I should never be started
4654 * with count == 0, so let's assert that
4655 */
4665 }
4668 /* Well, the user decided to abort the search. Go back to the
4669 frame where we started. */
4672 }
4674 /* Go past the current frame. */
4676 /* Go on to the previous frame. */
4678 /*
4679 * XXX - other apps have a bit more of a detailed message
4680 * for this, and instead of offering "OK" and "Cancel",
4681 * they offer things such as "Continue" and "Cancel";
4682 * we need an API for popping up alert boxes with
4683 * {Verb} and "Cancel".
4684 */
4693 }
4695 framenum--;
4697 /* Go on to the next frame. */
4706 }
4708 framenum++;
4709 }
4712 count++;
4714 /* Is this packet in the display? */
4716 /* Yes. Does it match the search criterion? */
4719 /* Error; our caller has reported the error. Go back to the frame
4720 where we started. */
4724 /* Yes. Go to the new frame. */
4727 }
4729 }
4732 /* We're back to the frame we were on originally, and that frame
4733 doesn't match the search filter. The search failed. */
4735 }
4736 }
4738 /* We're done scanning the packets; destroy the progress bar if it
4739 was created. */
4745 /* We found a frame that's displayed and that matches.
4746 Try to find and select the packet summary list row for that frame. */
4753 /* We didn't find a row corresponding to this frame.
4754 This means that the frame isn't being displayed currently,
4755 so we can't select it. */
4769 }
4771 bool
4773 {
4777 /* we don't have a loaded capture file - fix for bugs 11810 & 11989 */
4780 }
4785 /* we didn't find a packet with that packet number */
4788 }
4790 /* that packet currently isn't displayed */
4791 /* XXX - add it to the set of displayed packets? */
4793 /* We only want that exact frame, or no frames are displayed. */
4796 }
4798 /* There is no previous displayed frame, so this frame is
4799 * before the first displayed frame. Go to the first line,
4800 * which is the closest frame.
4801 */
4803 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the first displayed packet, %u.", fnumber, cf->first_displayed);
4806 /* The next displayed frame might be closer, we can do an
4807 * O(log n) binary search for the earliest displayed frame
4808 * in the open interval (fnumber, fnumber + delta).
4809 *
4810 * This is possibly overkill, we could just go to the previous
4811 * displayed frame.
4812 */
4821 /* We don't have a frame of that number, so search before it. */
4824 }
4825 /* We have a frame of that number. What's the displayed
4826 * frame before it? */
4828 /* The previous frame that passed the filter is also after
4829 * our target, so our answer is no later than that.
4830 */
4833 /* The previous displayed frame is before fnumber.
4834 * (We already know fnumber itself is not displayed.)
4835 * Is this frame itself displayed?
4836 */
4838 /* Yes. So this is our answer. */
4841 }
4842 /* No. So our answer, if any, is after this frame. */
4844 }
4845 }
4848 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the next displayed packet, %u.", fnumber, fdata->num);
4850 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the previous displayed packet, %u.", fnumber, fdata->prev_dis_num);
4852 }
4853 }
4854 }
4857 /* We didn't find a row corresponding to this frame.
4858 This means that the frame isn't being displayed currently,
4859 so we can't select it. */
4864 }
4866 }
4868 /*
4869 * Go to frame specified by currently selected protocol tree item.
4870 */
4871 bool
4873 {
4883 /* We probably only want to go to the exact match,
4884 * even though "Go to Previous Packet in History" exists.
4885 */
4887 }
4888 }
4889 }
4892 }
4894 /* Select the packet on a given row. */
4895 void
4897 {
4900 /* check the frame data struct pointer for this frame */
4903 }
4905 /* Get the data in that frame. */
4908 }
4910 /* Record that this frame is the current frame. */
4913 /*
4914 * The change to defer freeing the current epan_dissect_t was in
4915 * commit a2bb94c3b33d53f42534aceb7cc67aab1d1fb1f9; to quote
4916 * that commit's comment:
4917 *
4918 * Clear GtkTreeStore before freeing edt
4919 *
4920 * When building current data for packet details treeview we store two
4921 * things.
4922 * - Generated string with item label
4923 * - Pointer to node field_info structure
4924 *
4925 * After epan_dissect_{free, cleanup} pointer to field_info node is no
4926 * longer valid so we should clear GtkTreeStore before freeing.
4927 *
4928 * XXX - we're no longer using GTK+; is there a way to ensure that
4929 * *nothing* refers to any of the current frame information before
4930 * we replace it?
4931 */
4933 /* Create the logical protocol tree. */
4934 /* We don't need the columns here. */
4944 }
4946 /* Unselect the selected packet, if any. */
4947 void
4949 {
4952 /*
4953 * See the comment in cf_select_packet() about deferring the freeing
4954 * of the old cf->edt.
4955 */
4958 /* No packet is selected. */
4961 /* Destroy the epan_dissect_t for the unselected packet. */
4964 }
4966 /*
4967 * Mark a particular frame.
4968 */
4969 void
4971 {
4976 }
4977 }
4979 /*
4980 * Unmark a particular frame.
4981 */
4982 void
4984 {
4989 }
4990 }
4992 /*
4993 * Ignore a particular frame.
4994 */
4995 void
4997 {
5002 }
5003 }
5005 /*
5006 * Un-ignore a particular frame.
5007 */
5008 void
5010 {
5015 }
5016 }
5018 /*
5019 * Modify the section comment.
5020 */
5021 void
5023 {
5024 wtap_block_t shb_inf;
5027 /* Get the first SHB. */
5028 /* XXX - support multiple SHBs */
5031 /* Get the first comment from the SHB. */
5032 /* XXX - support multiple comments */
5033 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, 0, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5034 /* There's no comment - add one. */
5037 /* See if the comment has changed or not */
5041 }
5043 /* The comment has changed, let's update it */
5045 }
5046 /* Mark the file as having unsaved changes */
5048 }
5050 /*
5051 * Modify the section comments for a given section.
5052 */
5053 void
5055 {
5056 wtap_block_t shb_inf;
5061 /* Shouldn't happen. XXX: Report it if it does? */
5063 }
5071 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, i, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5072 /* There's no comment - add one. */
5076 /* See if the comment has changed or not */
5078 /* The comment has changed, let's update it */
5081 }
5083 }
5084 }
5085 /* We either transferred ownership of the comments or freed them
5086 * above, so free the array of strings but not the strings themselves. */
5089 /* If there are extra old comments, remove them. Start at the end. */
5093 }
5094 }
5096 /*
5097 * Get the packet block for a packet (record).
5098 * If the block has been edited, it returns the result of the edit,
5099 * otherwise it returns the block from the file.
5100 * NB. Caller must wtap_block_unref() the result when done.
5101 */
5102 wtap_block_t
5104 {
5105 /* If this block has been modified, fetch the modified version */
5111 wtap_block_t block;
5113 /* fetch record block */
5120 /* rec.block is owned by the record, steal it before it is gone. */
5126 }
5127 }
5129 /*
5130 * Update(replace) the block on a capture from a frame
5131 */
5132 bool
5134 {
5137 /* It's possible to further modify the modified block "in place" by doing
5138 * a call to cf_get_packet_block() that returns an already created modified
5139 * block, modifying that, and calling this function.
5140 * If the caller did that, then the block pointers will be equal.
5141 */
5143 /* No need to save anything here, the caller changes went right
5144 * onto the block.
5145 * Unfortunately we don't have a way to know how many comments were
5146 * in the block before the caller modified it, so tell the caller
5147 * it is its responsibility to update the comment count.
5148 */
5150 }
5161 }
5163 /* Either way, we have unsaved changes. */
5167 }
5169 /*
5170 * What types of comments does this capture file have?
5171 */
5172 uint32_t
5174 {
5177 /*
5178 * Does this file have any sections with at least one comment?
5179 */
5182 section_number++) {
5183 wtap_block_t shb_inf;
5188 /* Try to get the first comment from that SHB. */
5191 /* We succeeded, so this file has at least one section comment. */
5194 /* We don't need to search any more. */
5196 }
5197 }
5201 }
5203 /*
5204 * Add a resolved address to this file's list of resolved addresses.
5205 */
5206 bool
5208 {
5209 /*
5210 * XXX - support multiple resolved address lists, and add to the one
5211 * attached to this file?
5212 */
5216 /* OK, we have unsaved changes. */
5219 }
5228 /*
5229 * Save a capture to a file, in a particular format, saving either
5230 * all packets, all currently-displayed packets, or all marked packets.
5231 *
5232 * Returns true if it succeeds, false otherwise; if it fails, it pops
5233 * up a message box for the failure.
5234 */
5235 static bool
5238 {
5240 wtap_rec new_rec;
5243 wtap_block_t pkt_block;
5245 /* Copy the record information from what was read in from the file. */
5248 /* Make changes based on anything that the user has done but that
5249 hasn't been saved yet. */
5252 else
5260 }
5261 }
5263 /* and save the packet */
5268 }
5270 /* If we are saving (i.e., replacing the current file with the one we're
5271 * writing), then update the frame data to clear the shift offset.
5272 * This keeps us from having to re-read the entire file.
5273 * We could do this in rescan_file(), but
5274 * 1) Ideally we shouldn't have to call rescan_file if all we're doing
5275 * is changing the timestamps, since that shouldn't change the offsets.
5276 * 2) The long term goal is to try to do the offset adjustment here
5277 * instead of using rescan_file, which should be faster (#1257).
5278 *
5279 * If we're exporting to a different file, then don't do that.
5280 */
5283 }
5286 }
5288 /*
5289 * Can this capture file be written out in any format using Wiretap
5290 * rather than by copying the raw data?
5291 */
5292 bool
5294 {
5295 /* We don't care whether we support the comments in this file or not;
5296 if we can't, we'll offer the user the option of discarding the
5297 comments. */
5299 }
5301 /*
5302 * Should we let the user do a save?
5303 *
5304 * We should if:
5305 *
5306 * the file has unsaved changes, and we can save it in some
5307 * format through Wiretap
5308 *
5309 * or
5310 *
5311 * the file is a temporary file and has no unsaved changes (so
5312 * that "saving" it just means copying it).
5313 *
5314 * XXX - we shouldn't allow files to be edited if they can't be saved,
5315 * so cf->unsaved_changes should be true only if the file can be saved.
5316 *
5317 * We don't care whether we support the comments in this file or not;
5318 * if we can't, we'll offer the user the option of discarding the
5319 * comments.
5320 */
5321 bool
5323 {
5325 /* Saved changes, and we can write it out with Wiretap. */
5327 }
5330 /*
5331 * Temporary file with no unsaved changes, so we can just do a
5332 * raw binary copy.
5333 */
5335 }
5337 /* Nothing to save. */
5339 }
5341 /*
5342 * Should we let the user do a "save as"?
5343 *
5344 * That's true if:
5345 *
5346 * we can save it in some format through Wiretap
5347 *
5348 * or
5349 *
5350 * the file is a temporary file and has no unsaved changes (so
5351 * that "saving" it just means copying it).
5352 *
5353 * XXX - we shouldn't allow files to be edited if they can't be saved,
5354 * so cf->unsaved_changes should be true only if the file can be saved.
5355 *
5356 * We don't care whether we support the comments in this file or not;
5357 * if we can't, we'll offer the user the option of discarding the
5358 * comments.
5359 */
5360 bool
5362 {
5364 /* We can write it out with Wiretap. */
5366 }
5369 /*
5370 * Temporary file with no unsaved changes, so we can just do a
5371 * raw binary copy.
5372 */
5374 }
5376 /* Nothing to save. */
5378 }
5380 /*
5381 * Does this file have unsaved data?
5382 */
5383 bool
5385 {
5386 /*
5387 * If this is a temporary file, or a file with unsaved changes, it
5388 * has unsaved data.
5389 */
5391 }
5393 /*
5394 * Quick scan to find packet offsets.
5395 */
5396 static cf_read_status_t
5398 {
5399 wtap_rec rec;
5400 Buffer buf;
5414 /* Close the old handle. */
5417 /* Open the new file. */
5418 /* XXX: this will go through all open_routines for a matching one. But right
5419 now rescan_file() is only used when a file is being saved to a different
5420 format than the original, and the user is not given a choice of which
5421 reader to use (only which format to save it in), so doing this makes
5422 sense for now. (XXX: Now it is also used when saving a changed file,
5423 e.g. comments or time-shifted frames.) */
5428 }
5430 /* We're scanning a file whose contents should be the same as what
5431 we had before, so we don't discard dissection state etc.. */
5434 /* Set the file name because we need it to set the follow stream filter.
5435 XXX - is that still true? We need it for other reasons, though,
5436 in any case. */
5439 }
5442 /* Indicate whether it's a permanent or temporary file. */
5445 /* No user changes yet. */
5451 }
5460 /* Record the file's compression type.
5461 XXX - do we know this at open time? */
5464 /* Find the size of the file. */
5477 framenum++;
5481 }
5485 /* Create the progress bar if necessary. */
5490 }
5492 /*
5493 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
5494 * has elapsed. Calling update_progress_dlg and packets_bar_update will
5495 * likely trigger UI paint events, which might take a while depending on
5496 * the platform and display. Reset our timer *after* painting.
5497 */
5500 /* update the packet bar content on the first run or frequently on very large files */
5505 }
5506 }
5509 /* Well, the user decided to abort the rescan. Sadly, as this
5510 isn't a reread, recovering is difficult, so we'll just
5511 close the current capture. */
5513 }
5515 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
5516 it's not already there.
5517 XXX - yes, this is O(N), so if every packet had a different
5518 link-layer encapsulation type, it'd be O(N^2) to read the file, but
5519 there are probably going to be a small number of encapsulation types
5520 in a file. */
5523 }
5525 }
5529 /* Free the display name */
5532 /* We're done reading the file; destroy the progress bar if it was created. */
5537 /* We're done reading sequentially through the file. */
5540 /* Close the sequential I/O side, to free up memory it requires. */
5543 /* compute the time it took to load the file */
5546 /* Set the file encapsulation type now; we don't know what it is until
5547 we've looked at all the packets, as we don't know until then whether
5548 there's more than one type (and thus whether it's
5549 WTAP_ENCAP_PER_PACKET). */
5555 /* Our caller will give up at this point. */
5557 }
5560 /* Put up a message box noting that the read failed somewhere along
5561 the line. Don't throw out the stuff we managed to read, though,
5562 if any. */
5567 }
5569 cf_write_status_t
5571 wtap_compression_type compression_type,
5573 {
5582 SAVE_WITH_MOVE,
5583 SAVE_WITH_COPY,
5584 SAVE_WITH_WTAP
5586 save_callback_args_t callback_args;
5590 /* XXX caller should avoid saving the file while a read is pending
5591 * (e.g. by delaying the save action) */
5593 ws_warning("cf_save_records(\"%s\") while the file is being read, potential crash ahead", fname);
5594 }
5602 && (wtap_addrinfo_list_empty(addr_lists) || wtap_file_type_subtype_supports_block(save_format, WTAP_BLOCK_NAME_RESOLUTION) == BLOCK_NOT_SUPPORTED)) {
5603 /* We're saving in the format it's already in, and we're not discarding
5604 comments, and there are no changes we have in memory that aren't saved
5605 to the file, and we have no name resolution information to write or
5606 the file format we're saving in doesn't support writing name
5607 resolution information, so we can just move or copy the raw data. */
5610 /* The file being saved is a temporary file from a live
5611 capture, so it doesn't need to stay around under that name;
5612 first, try renaming the capture buffer file to the new name.
5613 This acts as a "safe save", in that, if the file already
5614 exists, the existing file will be removed only if the rename
5615 succeeds.
5617 Sadly, on Windows, as we have the current capture file
5618 open, even MoveFileEx() with MOVEFILE_REPLACE_EXISTING
5619 (to cause the rename to remove an existing target), as
5620 done by ws_stdio_rename() (ws_rename() is #defined to
5621 be ws_stdio_rename() on Windows) will fail.
5623 According to the MSDN documentation for CreateFile(), if,
5624 when we open a capture file, we were to directly do a CreateFile(),
5625 opening with FILE_SHARE_DELETE|FILE_SHARE_READ, and then
5626 convert it to a file descriptor with _open_osfhandle(),
5627 that would allow the file to be renamed out from under us.
5629 However, that doesn't work in practice. Perhaps the problem
5630 is that the process doing the rename is the process that
5631 has the file open. */
5632 #ifndef _WIN32
5634 /* That succeeded - there's no need to copy the source file. */
5638 /* They're on different file systems, so we have to copy the
5639 file. */
5642 /* The rename failed, but not because they're on different
5643 file systems - put up an error message. (Or should we
5644 just punt and try to copy? The only reason why I'd
5645 expect the rename to fail and the copy to succeed would
5646 be if we didn't have permission to remove the file from
5647 the temporary directory, and that might be fixable - but
5648 is it worth requiring the user to go off and fix it?) */
5651 }
5652 }
5653 #else
5654 /* Windows - copy the file to its new location. */
5656 #endif
5658 /* It's a permanent file, so we should copy it, and not remove the
5659 original. */
5661 }
5664 /* Copy the file, if we haven't moved it. If we're overwriting
5665 an existing file, we do it with a "safe save", by writing
5666 to a new file and, if the write succeeds, renaming the
5667 new file on top of the old file. */
5675 }
5676 }
5678 /* Either we're saving in a different format or we're saving changes,
5679 such as added, modified, or removed comments, that haven't yet
5680 been written to the underlying file; we can't do that by copying
5681 or moving the capture file, we have to do it by writing the packets
5682 out in Wiretap. */
5684 wtap_dump_params params;
5690 /* Determine what file encapsulation type we should use. */
5694 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5698 /* We're overwriting an existing file; write out to a new file,
5699 and, if that succeeds, rename the new file on top of the
5700 old file. That makes this a "safe save", so that we don't
5701 lose the old file if we have a problem writing out the new
5702 file. (If the existing file is the current capture file,
5703 we *HAVE* to do that, otherwise we're overwriting the file
5704 from which we're reading the packets that we're writing!) */
5711 }
5712 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5719 }
5721 /* Add address resolution */
5724 /* Iterate through the list of packets, processing all the packets. */
5732 /* Completed successfully. */
5736 /* The user decided to abort the saving.
5737 If we're writing to a temporary file, remove it.
5738 XXX - should we do so even if we're not writing to a
5739 temporary file? */
5748 /* Error while saving.
5749 If we're writing to a temporary file, remove it. */
5755 }
5761 }
5764 }
5767 /* We wrote out to fname_new, and should rename it on top of
5768 fname. fname_new is now closed, so that should be possible even
5769 on Windows. However, on Windows, we first need to close whatever
5770 file descriptors we have open for fname. */
5771 #ifdef _WIN32
5773 #endif
5774 /* Now do the rename. */
5776 /* Well, the rename failed. */
5778 #ifdef _WIN32
5779 /* Attempt to reopen the random file descriptor using the
5780 current file's filename. (At this point, the sequential
5781 file descriptor is closed.) */
5783 /* Oh, well, we're screwed. */
5785 }
5786 #endif
5788 }
5790 }
5792 /* If this was a temporary file, and we didn't do the save by doing
5793 a move, so the tempoary file is still around under its old name,
5794 remove it. */
5796 /* If this fails, there's not much we can do, so just ignore errors. */
5798 }
5807 /* We just moved the file, so the wtap structure refers to the
5808 new file, and all the information other than the filename
5809 and the "is temporary" status applies to the new file; just
5810 update that. */
5818 /* We just copied the file, so all the information other than
5819 the file descriptors, the filename, and the "is temporary"
5820 status applies to the new file; just update that. */
5822 /* Attempt to reopen the random file descriptor using the
5823 new file's filename. (At this point, the sequential
5824 file descriptor is closed.) */
5832 }
5837 /* Open and read the file we saved to.
5839 XXX - this is somewhat of a waste; we already have the
5840 packets, all this gets us is updated file type information
5841 (which we could just stuff into "cf"), and having the new
5842 file be the one we have opened and from which we're reading
5843 the data, and it means we have to spend time opening and
5844 reading the file, which could be a significant amount of
5845 time if the file is large.
5847 If the capture-file-writing code were to return the
5848 seek offset of each packet it writes, we could save that
5849 in the frame_data structure for the frame, and just open
5850 the file without reading it again...
5852 ...as long as, for gzipped files, the process of writing
5853 out the file *also* generates the information needed to
5854 support fast random access to the compressed file. */
5855 /* rescan_file will cause us to try all open_routines, so
5856 reset cfile's open_type */
5858 /* There are cases when SAVE_WITH_WTAP can result in new packets
5859 being written to the file, e.g ERF records
5860 In that case, we need to reload the whole file */
5864 /* The rescan failed; just close the file. Either
5865 a dialog was popped up for the failure, so the
5866 user knows what happened, or they stopped the
5867 rescan, in which case they know what happened. */
5868 /* XXX: This is inconsistent with normal open/reload behaviour. */
5870 }
5871 }
5872 }
5875 /* The rescan failed; just close the file. Either
5876 a dialog was popped up for the failure, so the
5877 user knows what happened, or they stopped the
5878 rescan, in which case they know what happened. */
5880 }
5881 }
5883 }
5885 /* If we were told to discard the comments, do so. */
5887 /* Remove SHB comment, if any. */
5890 /* remove all user comments */
5894 // XXX: This also ignores non-comment options like verdict
5896 }
5901 }
5904 }
5905 }
5908 fail:
5910 /* We were trying to write to a temporary file; get rid of it if it
5911 exists. (We don't care whether this fails, as, if it fails,
5912 there's not much we can do about it. I guess if it failed for
5913 a reason other than "it doesn't exist", we could report an
5914 error, so the user knows there's a junk file that they might
5915 want to clean up.) */
5918 }
5921 }
5923 cf_write_status_t
5926 wtap_compression_type compression_type)
5927 {
5932 save_callback_args_t callback_args;
5933 wtap_dump_params params;
5939 /* We're writing out specified packets from the specified capture
5940 file to another file. Even if all captured packets are to be
5941 written, don't special-case the operation - read each packet
5942 and then write it out if it's one of the specified ones. */
5946 /* Determine what file encapsulation type we should use. */
5950 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5954 /* We're overwriting an existing file; write out to a new file,
5955 and, if that succeeds, rename the new file on top of the
5956 old file. That makes this a "safe save", so that we don't
5957 lose the old file if we have a problem writing out the new
5958 file. (If the existing file is the current capture file,
5959 we *HAVE* to do that, otherwise we're overwriting the file
5960 from which we're reading the packets that we're writing!) */
5967 }
5968 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5975 }
5977 /* Add address resolution */
5980 /* Iterate through the list of packets, processing the packets we were
5981 told to process.
5983 XXX - we've already called "packet_range_process_init(range)", but
5984 "process_specified_records()" will do it again. Fortunately,
5985 that's harmless in this case, as we haven't done anything to
5986 "range" since we initialized it. */
5994 /* Completed successfully. */
5998 /* The user decided to abort the saving.
5999 If we're writing to a temporary file, remove it.
6000 XXX - should we do so even if we're not writing to a
6001 temporary file? */
6006 }
6012 /* Error while saving. */
6014 /*
6015 * We don't report any error from closing; the error that caused
6016 * process_specified_records() to fail has already been reported.
6017 */
6019 }
6024 }
6027 /* We wrote out to fname_new, and should rename it on top of
6028 fname; fname is now closed, so that should be possible even
6029 on Windows. Do the rename. */
6031 /* Well, the rename failed. */
6034 }
6036 }
6041 fail:
6043 /* We were trying to write to a temporary file; get rid of it if it
6044 exists. (We don't care whether this fails, as, if it fails,
6045 there's not much we can do about it. I guess if it failed for
6046 a reason other than "it doesn't exist", we could report an
6047 error, so the user knows there's a junk file that they might
6048 want to clean up.) */
6051 }
6055 }
6057 /* Reload the current capture file. */
6058 cf_status_t
6060 {
6069 }
6071 /* If the file could be opened, "cf_open()" calls "cf_close()"
6072 to get rid of state for the old capture file before filling in state
6073 for the new capture file. "cf_close()" will remove the file if
6074 it's a temporary file; we don't want that to happen (for one thing,
6075 it'd prevent subsequent reopens from working). Remember whether it's
6076 a temporary file, mark it as not being a temporary file, and then
6077 reopen it as the type of file it was.
6079 Also, "cf_close()" will free "cf->filename", so we must make
6080 a copy of it first. */
6089 /* Just because we got an error, that doesn't mean we were unable
6090 to read any of the file; we handle what we could get from the
6091 file. */
6095 /* The user bailed out of re-reading the capture file; the
6096 capture file has been closed. */
6098 }
6100 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
6101 Instead, the file was left open, so we should restore "cf->is_tempfile"
6102 ourselves.
6104 XXX - change the menu? Presumably "cf_open()" will do that;
6105 make sure it does! */
6108 }
6109 /* "cf_open()" made a copy of the file name we handed it, so
6110 we should free up our copy. */
6113 }