| blob | 47321395057579a8c1a90485c468288fef52ab1e |
1 /* file.c
2 * File I/O routines
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
11 #include <config.h>
12 #define WS_LOG_DOMAIN LOG_DOMAIN_CAPTURE
14 #include <time.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <errno.h>
22 #include <wsutil/file_util.h>
23 #include <wsutil/filesystem.h>
24 #include <wsutil/json_dumper.h>
25 #include <wsutil/wslog.h>
26 #include <wsutil/ws_assert.h>
27 #include <wsutil/version_info.h>
28 #include <wsutil/report_message.h>
30 #include <wiretap/merge.h>
32 #include <epan/exceptions.h>
33 #include <epan/epan.h>
34 #include <epan/column.h>
35 #include <epan/packet.h>
36 #include <epan/column-utils.h>
37 #include <epan/expert.h>
38 #include <epan/prefs.h>
39 #include <epan/dfilter/dfilter.h>
40 #include <epan/epan_dissect.h>
41 #include <epan/tap.h>
42 #include <epan/timestamp.h>
43 #include <epan/strutil.h>
44 #include <epan/addr_resolv.h>
45 #include <epan/color_filters.h>
46 #include <epan/secrets.h>
59 /* Needed for addrinfo */
60 #include <sys/types.h>
62 #ifdef HAVE_SYS_SOCKET_H
63 #include <sys/socket.h>
64 #endif
66 #ifdef HAVE_NETINET_IN_H
67 # include <netinet/in.h>
68 #endif
70 #ifdef _WIN32
71 # include <winsock2.h>
72 # include <ws2tcpip.h>
73 #endif
79 static void rescan_packets(capture_file *cf, const char *action, const char *action_item, bool redissect);
82 MR_NOTMATCHED,
83 MR_MATCHED,
84 MR_ERROR
131 /* Seconds spent processing packets between pushing UI updates. */
132 #define PROGBAR_UPDATE_INTERVAL 0.150
134 /* Show the progress bar after this many seconds. */
135 #define PROGBAR_SHOW_DELAY 0.5
137 /*
138 * Maximum number of records we support in a file.
139 *
140 * It is, at most, the maximum value of a uint32_t, as we use a uint32_t
141 * for the frame number.
142 *
143 * We allow it to be set to a lower value; see issue #16908 for why
144 * we're doing this. Thanks, Qt!
145 */
148 void
150 {
152 }
154 /*
155 * We could probably use g_signal_...() instead of the callbacks below but that
156 * would require linking our CLI programs to libgobject and creating an object
157 * instance for the signals.
158 */
160 cf_callback_t cb_fct;
166 static void
168 {
172 /* there should be at least one interested */
179 }
180 }
182 void
184 {
192 }
194 void
196 {
206 }
208 }
211 }
213 unsigned long
215 {
217 }
219 static void
221 {
225 }
229 {
231 cap_file_provider_get_frame_ts,
232 cap_file_provider_get_interface_name,
233 cap_file_provider_get_interface_description,
234 cap_file_provider_get_modified_block
235 };
238 }
240 cf_status_t
242 {
250 /* The open succeeded. Close whatever capture file we had open,
251 and fill in the information for this file. */
254 /* Initialize the record information.
255 XXX - we really want to initialize this after we've read all
256 the packets, so we know how much we'll ultimately need. */
259 /* We're about to start reading the file. */
262 /* If there was a pending redissection for the old file (there
263 * shouldn't be), clear it. cf_close() should have failed if the
264 * old file's read lock was held, but it doesn't hurt to clear it. */
271 /* Set the file name because we need it to set the follow stream filter.
272 XXX - is that still true? We need it for other reasons, though,
273 in any case. */
276 /* Indicate whether it's a permanent or temporary file. */
279 /* No user changes yet. */
284 /* Record the file's type and compression type. */
300 /* Allocate a frame_data_sequence for the frames in this file */
309 /* Create new epan session for dissection.
310 * (The old one was freed in cf_close().)
311 */
323 fail:
326 }
328 /*
329 * Add an encapsulation type to cf->linktypes.
330 */
331 static void
333 {
339 }
340 /* It's not already there - add it. */
342 }
344 /* Reset everything to a pristine state */
345 void
347 {
352 /* Die if we're in the middle of reading a file. */
358 /* close things, if not already closed before */
364 }
365 /* We have no file open... */
367 /* If it's a temporary file, remove it. */
372 }
373 /* ...which means we have no changes to that file to save. */
376 /* no open_routine type */
379 /* Clean up the record information. */
382 /* Clear the packet list. */
392 }
396 }
401 /* No frames, no frame selected, no field in that frame selected. */
406 /* No frame link-layer types, either. */
410 }
420 /* We have no file open. */
424 }
426 /*
427 * true if the progress dialog doesn't exist and it looks like we'll
428 * take > PROGBAR_SHOW_DELAY (500ms) to load, false otherwise.
429 */
432 {
437 /* This only gets checked between reading records, which doesn't help if
438 * a single record takes a very long time, e.g., the first TLS packet if
439 * the SSLKEYLOGFILE is very large. (#17051) */
440 if ((elapsed * 2 > PROGBAR_SHOW_DELAY && (size / pos) >= 2) /* It looks like we're going to be slow. */
443 }
445 }
447 static float
448 calc_progbar_val(capture_file *cf, int64_t size, int64_t file_pos, char *status_str, unsigned long status_size)
449 {
455 /* The file probably grew while we were reading it.
456 * Update file size, and try again.
457 */
463 /* If it's still > 1, either "wtap_file_size()" failed (in which
464 * case there's not much we can do about it), or the file
465 * *shrank* (in which case there's not much we can do about
466 * it); just clip the progress value at 1.0.
467 */
470 }
477 }
479 cf_read_status_t
481 {
490 epan_dissect_t edt;
491 wtap_rec rec;
499 /* The update_progress_dlg call below might end up accepting a user request to
500 * trigger redissection/rescans which can modify/destroy the dissection
501 * context ("cf->epan"). That condition should be prevented by callers, but in
502 * case it occurs let's fail gracefully.
503 */
508 }
509 /* This is a full dissection, so clear any pending request for one. */
513 /* Compile the current display filter.
514 * The code it compiles to might have changed, e.g. if a display
515 * filter macro used has changed.
516 *
517 * We assume this will not fail since cf->dfilter is only set in
518 * cf_filter IFF the filter was valid.
519 * XXX - This is not necessarily true, if the filter has a FT_IPv4
520 * or FT_IPv6 field compared to a resolved hostname in it, because
521 * we do a new host lookup, and that *could* timeout this time
522 * (though with the read lock above we shouldn't have many lookups at
523 * once, reducing the chances of that)... (#19612)
524 */
528 }
533 /* The compiled dfilter might have a field reference; recompiling it
534 * means that the field references won't match anything. That's what
535 * we want since this is a new sequential read and we don't have
536 * a selected frame with a tree. (Will taps with filters with display
537 * references also have cleared display references?)
538 */
540 /* Get the union of the flags for all tap listeners. */
543 /*
544 * Determine whether we need to create a protocol tree.
545 * We do if:
546 *
547 * we're going to apply a display filter;
548 *
549 * one of the tap listeners is going to apply a filter;
550 *
551 * one of the tap listeners requires a protocol tree;
552 *
553 * a postdissector wants field values or protocols on
554 * the first pass.
555 */
556 create_proto_tree =
566 else
569 /* The packet list window will be empty until the file is completely loaded */
577 /* If the display filter or any tap listeners require the columns,
578 * construct them. */
582 /* Find the size of the file. */
585 /* If we are to ignore duplicate frames, we need a container to store
586 * hashes frame contents */
587 fifo_string_cache_t frame_dup_cache;
593 }
599 TRY {
610 /*
611 * Quit if we've already read the maximum number of
612 * records allowed.
613 */
616 }
619 /* Create the progress bar if necessary. */
624 }
626 /*
627 * Update the progress bar, but do it only after
628 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
629 * and packets_bar_update will likely trigger UI paint events, which
630 * might take a while depending on the platform and display. Reset
631 * our timer *after* painting.
632 */
635 /* update the packet bar content on the first run or frequently on very large files */
640 }
641 /*
642 * The previous GUI triggers should not have destroyed the running
643 * session. If that did happen, it could blow up when read_record tries
644 * to use the destroyed edt.session, so detect it right here.
645 */
647 }
650 /* Well, the user decided to exit Wireshark. Break out of the
651 loop, and let the code below (which is called even if there
652 aren't any packets left to read) exit. */
655 }
657 /* Well, the user decided to abort the read. He/She will be warned and
658 it might be enough for him/her to work with the already loaded
659 packets.
660 This is especially true for very large capture files, where you don't
661 want to wait loading the whole file (which may last minutes or even
662 hours even on fast machines) just to see that it was the wrong file. */
664 }
667 }
668 }
674 #if 0
675 /* Could we close the current capture and free up memory from that? */
676 #else
677 /* we have to terminate, as we cannot recover from the memory error */
679 #endif
680 }
681 ENDTRY;
683 // If we're ignoring duplicate frames, clear the data structures.
684 // We really could look at prefs.ignore_dup_frames here, but it's even
685 // safer to check if we had allocated 'cksum'.
689 }
691 /* We're done reading sequentially through the file. */
694 /* Destroy the progress bar if it was created. */
699 /* Free the display name */
705 /* Close the sequential I/O side, to free up memory it requires. */
708 /* Allow the protocol dissectors to free up memory that they
709 * don't need after the sequential run-through of the packets. */
712 /* compute the time it took to load the file */
715 /* Set the file encapsulation type now; we don't know what it is until
716 we've looked at all the packets, as we don't know until then whether
717 there's more than one type (and thus whether it's
718 WTAP_ENCAP_PER_PACKET). */
725 /* It is safe again to execute redissections or sort. */
731 else
734 /* If we have any displayed packets to select, select the first of those
735 packets by making the first row the selected row. */
738 }
741 /*
742 * Well, the user decided to exit Wireshark while reading this *offline*
743 * capture file (Live captures are handled by something like
744 * cf_continue_tail). Clean up accordingly.
745 */
749 }
752 /* Redissection was queued up. Clear the request and perform it now. */
755 }
765 }
768 /* Put up a message box noting that the read failed somewhere along
769 the line. Don't throw out the stuff we managed to read, though,
770 if any. */
780 "The command-line utility editcap can be used to split "
782 "The file contains more records than the maximum "
787 }
789 #ifdef HAVE_LIBPCAP
790 cf_read_status_t
793 {
796 epan_dissect_t edt;
800 /* Don't compile the current display filter. The current display filter
801 * text might compile to different code than when the capture started:
802 *
803 * If it has a IP address resolved name, calling get_host_ipaddr every
804 * time new packets arrive can mean a *lot* of gethostbyname calls
805 * in flight at once, eventually leading to a timeout (#19612).
806 * addr_resolv.c says that ares_gethostbyname is "usually interactive",
807 * unlike ares_gethostbyaddr (used in dissection), and violating that
808 * expectation is bad.
809 *
810 * If it has a display filter macro, the definition might have changed.
811 *
812 * If it has a field reference, the selected frame / current proto tree
813 * might have changed, and we don't have the old one. If we recompile,
814 * we can't set the field references to the old values.
815 *
816 * For a rescan, redissection, reload, retap, or opening a new file, we
817 * want to compile. What about here, when new frames have arrived in a live
818 * capture? We might be able to cache the host lookup, and a user might want
819 * the new display filter macro definition, but the user almost surely wants
820 * the field references to refer to values from the proto tree when the
821 * filter was applied, not whatever it happens to be now if the user has
822 * clicked on a different packet.
823 *
824 * To get the new compiled filter, the user should refilter.
825 */
827 /* Get the union of the flags for all tap listeners. */
830 /*
831 * Determine whether we need to create a protocol tree.
832 * We do if:
833 *
834 * we're going to apply a display filter;
835 *
836 * one of the tap listeners is going to apply a filter;
837 *
838 * one of the tap listeners requires a protocol tree;
839 *
840 * a postdissector wants field values or protocols on
841 * the first pass.
842 */
843 create_proto_tree =
849 /* Don't freeze/thaw the list when doing live capture */
850 /*packet_list_freeze();*/
854 TRY {
858 /* If the display filter or any tap listeners require the columns,
859 * construct them. */
868 }
870 /* Well, the user decided to exit Wireshark. Break out of the
871 loop, and let the code below (which is called even if there
872 aren't any packets left to read) exit. */
874 }
876 newly_displayed_packets++;
877 }
878 to_read--;
879 }
881 }
887 #if 0
888 /* Could we close the current capture and free up memory from that? */
890 #else
891 /* we have to terminate, as we cannot recover from the memory error */
893 #endif
894 }
895 ENDTRY;
897 /* Update the file encapsulation; it might have changed based on the
898 packets we've read. */
903 /* Don't freeze/thaw the list when doing live capture */
904 /*packet_list_thaw();*/
905 /* With the new packet list the first packet
906 * isn't automatically selected.
907 */
912 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
913 so that our caller can kill off the capture child process;
914 this will cause an EOF on the pipe from the child, so
915 "cf_finish_tail()" will be called, and it will clean up
916 and exit. */
919 /* We got an error reading the capture file. */
924 }
926 void
928 {
931 }
932 }
934 cf_read_status_t
937 {
941 epan_dissect_t edt;
945 /* All the comments above in cf_continue_tail apply regarding the
946 * current display filter.
947 */
949 /* Get the union of the flags for all tap listeners. */
952 /* If the display filter or any tap listeners require the columns,
953 * construct them. */
957 /*
958 * Determine whether we need to create a protocol tree.
959 * We do if:
960 *
961 * we're going to apply a display filter;
962 *
963 * one of the tap listeners is going to apply a filter;
964 *
965 * one of the tap listeners requires a protocol tree;
966 *
967 * a postdissector wants field values or protocols on
968 * the first pass.
969 */
970 create_proto_tree =
977 }
979 /* Don't freeze/thaw the list when doing live capture */
980 /*packet_list_freeze();*/
987 /* Well, the user decided to abort the read. Break out of the
988 loop, and let the code below (which is called even if there
989 aren't any packets left to read) exit. */
991 }
994 }
998 /* Don't freeze/thaw the list when doing live capture */
999 /*packet_list_thaw();*/
1002 /* Well, the user decided to abort the read. We're only called
1003 when the child capture process closes the pipe to us (meaning
1004 it's probably exited), so we can just close the capture
1005 file; we return CF_READ_ABORTED so our caller can do whatever
1006 is appropriate when that happens. */
1009 }
1011 /* We're done reading sequentially through the file. */
1014 /* We're done reading sequentially through the file; close the
1015 sequential I/O side, to free up memory it requires. */
1018 /* Allow the protocol dissectors to free up memory that they
1019 * don't need after the sequential run-through of the packets. */
1022 /* Update the file encapsulation; it might have changed based on the
1023 packets we've read. */
1026 /* Update the details in the file-set dialog, as the capture file
1027 * has likely grown since we first stat-ed it */
1031 /* We got an error reading the capture file. */
1036 }
1037 }
1042 {
1045 /* Return a name to use in displays */
1047 /* Get the last component of the file name, and use that. */
1052 }
1054 /* The file we read is a temporary file from a live capture or
1055 a merge operation; we don't mention its name, but, if it's
1056 from a capture, give the source of the capture. */
1061 }
1062 }
1064 }
1068 {
1071 /* Return a name to use in the GUI for the basename for files to
1072 which we save statistics */
1074 /* Get the last component of the file name, and use that. */
1078 /* If the file name ends with any extension that corresponds
1079 to a file type we support - including compressed versions
1080 of those files - strip it off. */
1085 /* Does the file name end with that extension? */
1091 /* Yes. Strip the extension off, and return the result. */
1094 }
1095 }
1099 }
1101 /* The file we read is a temporary file from a live capture or
1102 a merge operation; we don't mention its name, but, if it's
1103 from a capture, give the source of the capture. */
1108 }
1109 }
1111 }
1113 void
1115 {
1118 }
1124 }
1125 }
1129 {
1132 }
1135 }
1137 /* XXX - use a macro instead? */
1138 int
1140 {
1142 }
1144 /* XXX - use a macro instead? */
1145 bool
1147 {
1149 }
1151 void
1153 {
1155 }
1158 /* XXX - use a macro instead? */
1159 void
1161 {
1163 }
1165 /* XXX - use a macro instead? */
1166 void
1168 {
1170 }
1172 /* XXX - use a macro instead? */
1173 bool
1175 {
1177 }
1179 /* XXX - use a macro instead? */
1180 uint32_t
1182 {
1184 }
1186 void
1188 {
1190 }
1192 static void
1196 {
1203 }
1204 #if 0
1205 /* Prepare coloring rules, this ensures that display filter rules containing
1206 * frame.color_rule references are still processed.
1207 * TODO: actually detect that situation or maybe apply other optimizations? */
1211 }
1212 #endif
1215 /* This is the first pass, so prime the epan_dissect_t with the
1216 hfids postdissectors want on the first pass. */
1218 }
1220 /* Initialize passed_dfilter here so that dissectors can hide packets. */
1221 /* XXX We might want to add a separate "visible" bit to frame_data instead. */
1224 /* Dissect the frame. */
1231 /* This frame passed the display filter but it may depend on other
1232 * (potentially not displayed) frames. Find those frames and mark them
1233 * as depended upon.
1234 */
1235 g_hash_table_foreach(edt->pi.fd->dependent_frames, find_and_mark_frame_depended_upon, cf->provider.frames);
1236 }
1237 }
1242 }
1245 /* We fill the needed columns from new_packet_list */
1247 }
1250 {
1252 /* The only way we use prev_dis is to get the time stamp of
1253 * the previous displayed frame, so ignore it if it doesn't
1254 * have a time stamp, because we're presumably interested in
1255 * the timestamp of the previously displayed frame with a
1256 * time. XXX: What if in the future we want to use the previously
1257 * displayed frame for something else, too?
1258 */
1261 }
1263 /* If we haven't yet seen the first frame, this is it. */
1267 /* This is the last frame we've seen so far. */
1269 }
1272 }
1274 /*
1275 * Read in a new record.
1276 * Returns true if the packet was added to the packet (record) list,
1277 * false otherwise.
1278 */
1279 static bool
1283 {
1284 frame_data fdlocal;
1291 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
1292 it's not already there.
1293 XXX - yes, this is O(N), so if every packet had a different
1294 link-layer encapsulation type, it'd be O(N^2) to read the file, but
1295 there are probably going to be a small number of encapsulation types
1296 in a file. */
1299 }
1301 /* The frame number of this packet, if we add it to the set of frames,
1302 would be one more than the count of frames in the file so far. */
1306 epan_dissect_t rf_edt;
1313 }
1317 }
1322 /* This does a shallow copy of fdlocal, which is good enough. */
1330 // Should we check if the frame data is a duplicate, and thus, ignore
1331 // this frame?
1341 }
1342 }
1344 /* When a redissection is in progress (or queued), do not process packets.
1345 * This will be done once all (new) packets have been scanned. */
1348 }
1349 }
1352 }
1364 static bool
1368 {
1377 /* do nothing */
1381 /* do nothing */
1385 /* Get the sum of the sizes of all the files. */
1394 {
1395 /* Create the progress bar if necessary.
1396 We check on every iteration of the loop, so that it takes no
1397 longer than the standard time to create it (otherwise, for a
1398 large file, we might take considerably longer than that standard
1399 time in order to get to the next progress bar step). */
1403 }
1405 /*
1406 * Update the progress bar, but do it only after
1407 * PROGBAR_UPDATE_INTERVAL has elapsed. Calling update_progress_dlg
1408 * and packets_bar_update will likely trigger UI paint events, which
1409 * might take a while depending on the platform and display. Reset
1410 * our timer *after* painting.
1411 */
1415 /* Get the sum of the seek positions in all of the files. */
1421 /* Some file probably grew while we were reading it.
1422 That "shouldn't happen", so we'll just clip the progress
1423 value at 1.0. */
1425 }
1433 }
1435 }
1436 }
1440 /* We're done merging the files; destroy the progress bar if it was created. */
1445 }
1448 }
1452 cf_status_t
1456 {
1458 merge_progress_callback_t cb;
1461 /* prepare our callback routine */
1468 /* merge the files */
1470 in_filenames,
1480 /* Callers aren't expected to treat an error or an explicit abort
1481 differently - the merge code puts up error dialogs itself, so
1482 they don't have to. */
1486 }
1488 cf_status_t
1490 {
1496 /* if new filter equals old one, do nothing unless told to do so */
1497 /* XXX - The text can be the same without compiling to the same code.
1498 * (Macros, field references, etc.)
1499 */
1502 }
1507 /* The new filter is an empty filter (i.e., display all packets).
1508 * so leave dfcode==NULL
1509 */
1511 /*
1512 * We have a filter; make a copy of it (as we'll be saving it),
1513 * and try to compile it.
1514 */
1517 /* The attempt failed; report an error. */
1525 }
1527 /* Was it empty? */
1529 /* Yes - free the filter text, and set it to null. */
1532 }
1533 }
1535 /* We have a valid filter. Replace the current filter. */
1539 /* We'll recompile this when the rescan starts, or in cf_read()
1540 * if no file is open currently. However, if no file is open and
1541 * we start a new capture, we want to use this rather than
1542 * recompiling in cf_continue_tail() */
1546 /* Now rescan the packet list, applying the new filter, but not
1547 * throwing away information constructed on a previous pass.
1548 * If a dissection is already in progress, queue it.
1549 */
1558 }
1559 }
1560 }
1563 }
1565 void
1567 {
1569 /* Dissection in progress, signal redissection rather than rescanning. That
1570 * would destroy the current (in-progress) dissection in "cf_read" which
1571 * will cause issues when "cf_read" tries to add packets to the list.
1572 * If a previous rescan was requested, "upgrade" it to a full redissection.
1573 */
1575 }
1577 /* Redissection is (already) queued, wait for "cf_read" to finish. */
1578 /* XXX - what if whatever set and later clears read_lock is *not*
1579 * cf_read, e.g. process_specified_records ? We need to handle a
1580 * queued redissection there too like we do in cf_read.
1581 */
1583 }
1586 /* Restart dissection in case no cf_read is pending. */
1588 }
1589 }
1591 bool
1593 {
1600 }
1602 }
1604 bool
1607 {
1614 }
1616 }
1618 bool
1620 {
1622 }
1624 /* Rescan the list of packets, reconstructing the CList.
1626 "action" describes why we're doing this; it's used in the progress
1627 dialog box.
1629 "action_item" describes what we're doing; it's used in the progress
1630 dialog box.
1632 "redissect" is true if we need to make the dissectors reconstruct
1633 any state information they have (because a preference that affects
1634 some dissector has changed, meaning some dissector might construct
1635 its state differently from the way it was constructed the last time). */
1636 static void
1638 {
1639 /* Rescan packets new packet list */
1642 wtap_rec rec;
1652 epan_dissect_t edt;
1665 }
1667 /* Rescan in progress, clear pending actions. */
1674 /* Compile the current display filter.
1675 * The code it compiles to might have changed, e.g. if a display
1676 * filter macro used has changed.
1677 *
1678 * We assume this will not fail since cf->dfilter is only set in
1679 * cf_filter IFF the filter was valid.
1680 * XXX - This is not necessarily true, if the filter has a FT_IPv4
1681 * or FT_IPv6 field compared to a resolved hostname in it, because
1682 * we do a new host lookup, and that *could* timeout this time
1683 * (though with the read lock above we shouldn't have many lookups at
1684 * once, reducing the chances of that)... (#19612)
1685 */
1689 }
1694 /* Do we have any tap listeners with filters? */
1697 /* Update references in filters (if any) for the protocol
1698 * tree corresponding to the currently selected frame in the GUI. */
1704 }
1709 }
1711 /* Get the union of the flags for all tap listeners. */
1714 /* If the display filter or any tap listeners require the columns,
1715 * construct them. */
1719 /*
1720 * Determine whether we need to create a protocol tree.
1721 * We do if:
1722 *
1723 * we're going to apply a display filter;
1724 *
1725 * one of the tap listeners is going to apply a filter;
1726 *
1727 * one of the tap listeners requires a protocol tree;
1728 *
1729 * we're redissecting and a postdissector wants field
1730 * values or protocols on the first pass.
1731 */
1732 create_proto_tree =
1738 /* Which frame, if any, is the currently selected frame?
1739 XXX - should the selected frame or the focus frame be the "current"
1740 frame, that frame being the one from which "Find Frame" searches
1741 start? */
1744 /* Mark frame num as not found */
1747 /* Freeze the packet list while we redo it, so we don't get any
1748 screen updates while it happens. */
1752 /* We need to re-initialize all the state information that protocols
1753 keep, because some preference that controls a dissector has changed,
1754 which might cause the state information to be constructed differently
1755 by that dissector. */
1757 /* We might receive new packets while redissecting, and we don't
1758 want to dissect those before their time. */
1761 /* 'reset' dissection session */
1764 /* All pointers in "per frame proto data" for the currently selected
1765 packet are allocated in wmem_file_scope() and deallocated in epan_free().
1766 Free them here to avoid unintended usage in packet_list_clear(). */
1768 }
1772 /* A new Lua tap listener may be registered in lua_prime_all_fields()
1773 called via epan_new() / init_dissection() when reloading Lua plugins. */
1776 }
1779 }
1781 /* We need to redissect the packets so we have to discard our old
1782 * packet list store. */
1785 }
1787 /* We don't yet know which will be the first and last frames displayed. */
1791 /* We currently don't display any packets */
1794 /* Iterate through the list of frames. Call a routine for each frame
1795 to check whether it should be displayed and, if so, add it to
1796 the display list. */
1805 /* Count of packets at which we've looked. */
1807 /* Progress so far. */
1813 /* no previous row yet */
1829 /*
1830 * Decryption secrets and name resolution blocks are read while
1831 * sequentially processing records and then passed to the dissector.
1832 * During redissection, the previous information is lost (see epan_free
1833 * above), but they are not read again from the file as only packet
1834 * records are re-read. Therefore reset the wtap secrets and name
1835 * resolution callbacks such that wtap resupplies the callbacks with
1836 * previously read information.
1837 */
1841 }
1846 /* Create the progress bar if necessary.
1847 We check on every iteration of the loop, so that it takes no
1848 longer than the standard time to create it (otherwise, for a
1849 large file, we might take considerably longer than that standard
1850 time in order to get to the next progress bar step). */
1854 progbar_val);
1856 /*
1857 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
1858 * has elapsed. Calling update_progress_dlg and packets_bar_update will
1859 * likely trigger UI paint events, which might take a while depending on
1860 * the platform and display. Reset our timer *after* painting.
1861 */
1863 /* let's not divide by zero. I should never be started
1864 * with count == 0, so let's assert that
1865 */
1873 }
1876 }
1880 /* A redissection was requested while an existing redissection was
1881 * pending. */
1883 }
1886 /* Well, the user decided to abort the filtering. Just stop.
1888 XXX - go back to the previous filter? Users probably just
1889 want not to wait for a filtering operation to finish;
1890 unless we cancel by having no filter, reverting to the
1891 previous filter will probably be even more expensive than
1892 continuing the filtering, as it involves going back to the
1893 beginning and filtering, and even with no filter we currently
1894 have to re-generate the entire clist, which is also expensive.
1896 I'm not sure what Network Monitor does, but it doesn't appear
1897 to give you an unfiltered display if you cancel. */
1899 }
1901 count++;
1904 /* Since all state for the frame was destroyed, mark the frame
1905 * as not visited, free the GSList referring to the state
1906 * data (the per-frame data itself was freed by
1907 * "init_dissection()"), and null out the GSList pointer. */
1910 }
1912 /* Frame dependencies from the previous dissection/filtering are no longer valid. */
1918 /* If the previous frame is displayed, and we haven't yet seen the
1919 selected frame, remember that frame - it's the closest one we've
1920 yet seen before the selected frame. */
1924 }
1927 add_to_packet_list);
1929 /* If this frame is displayed, and this is the first frame we've
1930 seen displayed after the selected frame, remember this frame -
1931 it's the closest one we've yet seen at or after the selected
1932 frame. */
1936 }
1941 }
1943 /* Remember this frame - it'll be the previous frame
1944 on the next pass through the loop. */
1948 }
1953 /* We are done redissecting the packet list. */
1958 /* Clear out what remains of the visited flags and per-frame data
1959 pointers.
1961 XXX - that may cause various forms of bogosity when dissecting
1962 these frames, as they won't have been seen by this sequential
1963 pass, but the only alternative I see is to keep scanning them
1964 even though the user requested that the scan stop, and that
1965 would leave the user stuck with an Wireshark grinding on
1966 until it finishes. Should we just stick them with that? */
1970 }
1971 }
1973 /* We're done filtering the packets; destroy the progress bar if it
1974 was created. */
1979 /* Unfreeze the packet list. */
1983 /* Compute the time it took to filter the file */
1988 /* It is safe again to execute redissections or sort. */
1995 /* The selected frame didn't pass the filter. */
1997 /* That's because there *was* no selected frame. Make the first
1998 displayed frame the current frame. */
2001 /* Find the nearest displayed frame to the selected frame (whether
2002 it's before or after that frame) and make that the current frame.
2003 If the next and previous displayed frames are equidistant from the
2004 selected frame, choose the next one. */
2010 /* No frame after the selected frame passed the filter, so we
2011 have to select the last displayed frame before the selected
2012 frame. */
2016 /* No frame before the selected frame passed the filter, so we
2017 have to select the first displayed frame after the selected
2018 frame. */
2022 /* Frames before and after the selected frame passed the filter, so
2023 we'll select the previous frame */
2026 }
2027 }
2028 }
2031 /* There are no frames displayed at all. */
2034 /* Either the frame that was selected passed the filter, or we've
2035 found the nearest displayed frame to that frame. Select it, make
2036 it the focus row, and make it visible. */
2037 /* Set to invalid to force update of packet list and packet details */
2042 /* We didn't find a row corresponding to this frame.
2043 This means that the frame isn't being displayed currently,
2044 so we can't select it. */
2048 }
2049 }
2050 }
2052 /* If another rescan (due to dfilter change) or redissection (due to profile
2053 * change) was requested, the rescan above is aborted and restarted here. */
2057 }
2058 }
2061 /*
2062 * Scan through all frame data and recalculate the ref time
2063 * without rereading the file.
2064 * XXX - do we need a progress bar or is this fast enough?
2065 */
2066 void
2068 {
2071 nstime_t rel_ts;
2080 /* just add some value here until we know if it is being displayed or not */
2083 /*
2084 * Timestamps
2085 */
2088 /* If we don't have the time stamp of the first packet in the
2089 capture, it's because this is the first packet. Save the time
2090 stamp of this packet as the time stamp of the first packet. */
2093 /* if this frames is marked as a reference time frame, reset
2094 firstsec and firstusec to this frame */
2098 /* Get the time elapsed between the first packet and this one. */
2102 /* If it's greater than the current elapsed time, set the elapsed
2103 time to it (we check for "greater than" so as not to be
2104 confused by time moving backwards). */
2107 }
2109 /* If this frame is displayed, get the time elapsed between the
2110 previous displayed packet and this packet. */
2111 /* XXX: What if in the future we want to use the previously
2112 * displayed frame for something else, too? Then we'd want
2113 * to store this frame as prev_dis even if it doesn't have a
2114 * timestamp. */
2116 /* If we don't have the time stamp of the previous displayed
2117 packet, it's because this is the first displayed packet.
2118 Save the time stamp of this packet as the time stamp of
2119 the previous displayed packet. */
2122 }
2126 }
2128 /* If this frame doesn't have a timestamp, don't calculate
2129 anything with relative times. */
2130 /* However, if this frame is marked as a reference time frame,
2131 clear the reference frame so that the next frame with a
2132 timestamp becomes the reference frame. */
2135 }
2136 }
2138 /*
2139 * Byte counts
2140 */
2142 /* This frame either passed the display filter list or is marked as
2143 a time reference frame. All time reference frames are displayed
2144 even if they don't pass the display filter */
2146 /* if this was a TIME REF frame we should reset the cum_bytes field */
2150 /* increase cum_bytes with this packets length */
2152 }
2153 }
2154 }
2155 }
2158 PSP_FINISHED,
2159 PSP_STOPPED,
2160 PSP_FAILED
2163 static psp_return_t
2170 {
2173 wtap_rec rec;
2181 range_process_e process_this;
2186 /* Count of packets at which we've looked. */
2188 /* Progress so far. */
2191 /* XXX - It should be ok to have multiple readers, so long as nothing
2192 * frees the epan context, e.g. rescan_packets with redissect true,
2193 * or anything that closes the file (including reload and certain forms
2194 * of saving.) This is mostly to stop cf_save_records but should probably
2195 * be handled by callers in order to allow multiple readers (e.g.,
2196 * restarting taps after adding or changing one.) We should probably
2197 * make this a real reader-writer lock.
2198 */
2202 }
2210 /* Iterate through all the packets, printing the packets that
2211 were selected by the current display filter. */
2215 /* Create the progress bar if necessary.
2216 We check on every iteration of the loop, so that it takes no
2217 longer than the standard time to create it (otherwise, for a
2218 large file, we might take considerably longer than that standard
2219 time in order to get to the next progress bar step). */
2222 terminate_is_stop,
2224 progbar_val);
2226 /*
2227 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
2228 * has elapsed. Calling update_progress_dlg and packets_bar_update will
2229 * likely trigger UI paint events, which might take a while depending on
2230 * the platform and display. Reset our timer *after* painting.
2231 */
2233 /* let's not divide by zero. I should never be started
2234 * with count == 0, so let's assert that
2235 */
2244 }
2247 /* Well, the user decided to abort the operation. Just stop,
2248 and arrange to return PSP_STOPPED to our caller, so they know
2249 it was stopped explicitly. */
2252 }
2254 progbar_count++;
2257 /* do we have to process this packet? */
2260 /* this packet uninteresting, continue with next one */
2263 /* all interesting packets processed, stop the loop */
2265 }
2266 }
2268 /* Get the packet */
2270 /* Attempt to get the packet failed. */
2273 }
2274 /* Process the packet */
2276 /* Callback failed. We assume it reported the error appropriately. */
2279 }
2281 }
2283 /* We're done printing the packets; destroy the progress bar if
2284 it was created. */
2295 }
2298 epan_dissect_t edt;
2302 static bool
2304 {
2311 }
2313 cf_read_status_t
2315 {
2316 packet_range_t range;
2317 retap_callback_args_t callback_args;
2321 psp_return_t ret;
2323 /* Presumably the user closed the capture file. */
2326 }
2328 /* XXX - If cf->read_lock is true, process_specified_records will fail
2329 * due to a nested call. We fail here so that we don't reset the tap
2330 * listeners if this tap isn't going to succeed.
2331 */
2335 }
2339 /* Do we have any tap listeners with filters? */
2342 /* Update references in filters (if any) for the protocol
2343 * tree corresponding to the currently selected frame in the GUI. */
2344 /* XXX - What if we *don't* have a currently selected frame in the GUI,
2345 * but we did the last time we loaded field references? Then they'll
2346 * match something instead of nothing (unless they've been recompiled).
2347 * Should we have a way to clear the field references even with a NULL tree?
2348 */
2352 }
2354 /* Get the union of the flags for all tap listeners. */
2357 /* If any tap listeners require the columns, construct them. */
2360 /*
2361 * Determine whether we need to create a protocol tree.
2362 * We do if:
2363 *
2364 * one of the tap listeners is going to apply a filter;
2365 *
2366 * one of the tap listeners requires a protocol tree.
2367 */
2368 create_proto_tree =
2371 /* Reset the tap listeners. */
2377 /* Iterate through the list of packets, dissecting all packets and
2378 re-running the taps. */
2383 /* We're not done with the sequential read of the file and might
2384 * add more frames while process_specified_records is going. We
2385 * don't want to tap new frames twice, so limit the range to the
2386 * frames already here.
2387 *
2388 * cf_read sets read_lock so we don't tap in case of an offline
2389 * file, but cf_continue_tail and cf_finish_tail don't, and we
2390 * don't want them to, because tapping new packets in a live
2391 * capture is a common use case.
2392 *
2393 * Note that most other users of process_specified_records (saving,
2394 * printing) do want to process new packets, unlike taps.
2395 */
2401 /* range_t treats a missing number as meaning 1, not 0, and
2402 * reverses the order if backwards; thus the syntax -0 means
2403 * 0-1, so to only take zero packets we do this.
2404 */
2406 }
2408 }
2421 /* Completed successfully. */
2425 /* Well, the user decided to abort the refiltering.
2426 Return CF_READ_ABORTED so our caller knows they did that. */
2430 /* Error while retapping. */
2432 }
2436 }
2450 epan_dissect_t edt;
2453 static bool
2455 {
2467 /* Fill in the column information if we're printing the summary
2468 information. */
2480 /*
2481 * Print another header line if we print a packet summary on the
2482 * new page.
2483 */
2490 }
2491 }
2493 /*
2494 * We generate bookmarks, if the output format supports them.
2495 * The name is "__frameN__".
2496 */
2506 }
2512 /* Find the length of the string for this column. */
2517 /* Make sure there's room in the line buffer for the column; if not,
2518 double its length. */
2525 }
2527 /* Right-justify the packet number column. */
2530 else
2535 }
2538 /*
2539 * Generate a bookmark, using the summary line as the title.
2540 */
2548 /*
2549 * Generate a bookmark, using "Frame N" as the title, as we're not
2550 * printing the summary line.
2551 */
2554 bookmark_title))
2560 /* Separate the summary line from the tree with a blank line. */
2563 }
2565 /* Print the information in that tree. */
2571 /* Print a blank line if we print anything after this (aka more than one packet). */
2574 /* Print a header line if we print any more packet summaries */
2577 }
2580 if (args->print_args->print_summary || (args->print_args->print_dissections != print_dissections_none)) {
2583 }
2584 /* Print the full packet data as hex. */
2588 /* Print a blank line if we print anything after this (aka more than one packet). */
2591 /* Print a header line if we print any more packet summaries */
2598 /* do we want to have a formfeed between each packet from now on? */
2601 }
2605 fail:
2608 }
2610 cf_print_status_t
2613 {
2614 print_callback_args_t callback_args;
2619 psp_return_t ret;
2639 }
2642 /* We're printing packet summaries. Allocate the header line buffer
2643 and get the column widths. */
2646 /* Find the number of visible columns and the last visible column */
2655 num_visible_col++;
2657 }
2658 }
2660 /* if num_visible_col is 0, we are done */
2664 }
2666 /* Find the widths for each of the columns - maximum of the
2667 width of the title and the width of the data - and construct
2668 a buffer with a line containing the column titles. */
2685 /* Save the order of visible columns */
2688 /* Don't pad the last column. */
2696 }
2698 /* Find the length of the string for this column. */
2703 /* Make sure there's room in the line buffer for the column; if not,
2704 double its length. */
2712 }
2714 /* Right-justify the packet number column. */
2715 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER || cf->cinfo.col_fmt[i] == COL_NUMBER_DIS)
2716 snprintf(cp, column_len+1, "%*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2717 else*/
2718 snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[visible_col_count], cf->cinfo.columns[i].col_title);
2723 visible_col_count++;
2724 }
2727 /* Now start out the main line buffer with the same length as the
2728 header line buffer. */
2733 /* Create the protocol tree, and make it visible, if we're printing
2734 the dissection or the hex data.
2735 XXX - do we need it if we're just printing the hex data? */
2736 proto_tree_needed =
2742 /* Iterate through the list of packets, printing the packets we were
2743 told to print. */
2756 /* Completed successfully. */
2760 /* Well, the user decided to abort the printing.
2762 XXX - note that what got generated before they did that
2763 will get printed if we're piping to a print program; we'd
2764 have to write to a file and then hand that to the print
2765 program to make it actually not print anything. */
2769 /* Error while printing.
2771 XXX - note that what got generated before they did that
2772 will get printed if we're piping to a print program; we'd
2773 have to write to a file and then hand that to the print
2774 program to make it actually not print anything. */
2777 }
2782 }
2788 }
2792 epan_dissect_t edt;
2794 json_dumper jdumper;
2797 static bool
2800 {
2803 /* Create the protocol tree, but don't fill in the column information. */
2806 /* Write out the information in that tree. */
2812 }
2814 cf_print_status_t
2816 {
2817 write_packet_callback_args_t callback_args;
2819 psp_return_t ret;
2829 }
2835 /* Iterate through the list of packets, printing the packets we were
2836 told to print. */
2846 /* Completed successfully. */
2850 /* Well, the user decided to abort the printing. */
2854 /* Error while printing. */
2857 }
2863 }
2865 /* XXX - check for an error */
2869 }
2871 static bool
2874 {
2877 /* Fill in the column information */
2882 /* Write out the column information. */
2888 }
2890 cf_print_status_t
2892 {
2893 write_packet_callback_args_t callback_args;
2895 psp_return_t ret;
2907 }
2912 /* Fill in the column information, only create the protocol tree
2913 if having custom columns or field extractors. */
2917 /* Iterate through the list of packets, printing the packets we were
2918 told to print. */
2928 /* Completed successfully. */
2932 /* Well, the user decided to abort the printing. */
2936 /* Error while printing. */
2939 }
2945 }
2947 /* XXX - check for an error */
2951 }
2953 static bool
2956 {
2963 /* Write out the column information. */
2969 }
2971 cf_print_status_t
2973 {
2974 write_packet_callback_args_t callback_args;
2977 psp_return_t ret;
2987 }
2992 /* only create the protocol tree if having custom columns or field extractors. */
2996 /* Iterate through the list of packets, printing the packets we were
2997 told to print. */
3007 /* Completed successfully. */
3011 /* Well, the user decided to abort the printing. */
3015 /* Error while printing. */
3018 }
3020 /* XXX - check for an error */
3024 }
3026 static bool
3029 {
3037 }
3039 cf_print_status_t
3041 {
3042 write_packet_callback_args_t callback_args;
3044 psp_return_t ret;
3054 }
3060 /* Iterate through the list of packets, printing the packets we were
3061 told to print. */
3071 /* Completed successfully. */
3074 /* Well, the user decided to abort the printing. */
3077 /* Error while printing. */
3080 }
3084 }
3086 static bool
3089 {
3092 /* Create the protocol tree, but don't fill in the column information. */
3095 /* Write out the information in that tree. */
3104 }
3106 cf_print_status_t
3108 {
3109 write_packet_callback_args_t callback_args;
3111 psp_return_t ret;
3121 }
3127 /* Iterate through the list of packets, printing the packets we were
3128 told to print. */
3138 /* Completed successfully. */
3142 /* Well, the user decided to abort the printing. */
3146 /* Error while printing. */
3149 }
3155 }
3157 /* XXX - check for an error */
3161 }
3163 bool
3166 {
3167 match_data mdata;
3180 }
3184 }
3185 }
3187 }
3189 field_info*
3191 {
3192 match_data mdata;
3199 /* Iterate through all the nodes looking for matching text */
3204 }
3207 }
3209 static match_result
3212 {
3214 epan_dissect_t edt;
3216 /* Load the frame's data. */
3218 /* Attempt to get the packet failed. */
3220 }
3222 /* Construct the protocol tree, including the displayed text */
3224 /* We don't need the column information */
3227 /* Iterate through all the nodes, seeing if they have text that matches. */
3232 /* We don't care about the direction here, because we're just looking
3233 * for one match and we'll destroy this tree anyway. (We find the actual
3234 * field later in PacketList::selectionChanged().) Forwards is faster.
3235 */
3239 }
3241 static void
3243 {
3256 /* dissection with an invisible proto tree? */
3260 /* We already had a match; don't bother doing any more work. */
3262 }
3264 /* Don't match invisible entries. */
3269 /* Haven't found the old match, so don't match this node. */
3271 /* Found the old match, look for the next one after this. */
3273 }
3275 /* was a free format label produced? */
3279 /* no, make a generic label */
3282 }
3289 }
3291 /* Case insensitive match */
3299 /* If c_match is non-zero, save candidate for retrying full match. */
3303 c_match++;
3307 /* No need to look further; we have a match */
3309 }
3316 }
3318 /* Case sensitive match */
3322 }
3323 }
3325 /* Recurse into the subtree, if it exists */
3328 }
3330 static void
3332 {
3345 /* dissection with an invisible proto tree? */
3348 /* We don't have an easy way to search backwards in the tree
3349 * (see also, proto_find_field_from_offset()) because we don't
3350 * have a previous node pointer, so we search backwards by
3351 * searching forwards, only stopping if we see the old match
3352 * (if we have one).
3353 */
3357 }
3359 /* Don't match invisible entries. */
3364 /* Found the old match, use the previous match. */
3367 }
3369 /* was a free format label produced? */
3373 /* no, make a generic label */
3376 }
3382 }
3384 /* Case insensitive match */
3392 /* If c_match is non-zero, save candidate for retrying full match. */
3396 c_match++;
3401 }
3408 }
3410 /* Case sensitive match */
3413 }
3415 /* Recurse into the subtree, if it exists */
3418 }
3420 bool
3422 search_direction dir)
3423 {
3424 match_data mdata;
3429 }
3431 static match_result
3434 {
3438 epan_dissect_t edt;
3447 /* Load the frame's data. */
3449 /* Attempt to get the packet failed. */
3451 }
3453 /* Don't bother constructing the protocol tree */
3455 /* Get the column information */
3458 /* Find the Info column */
3461 /* Found it. See if we match. */
3468 }
3470 /* Case insensitive match */
3477 /* If c_match is non-zero, save candidate for retrying full match. */
3481 c_match++;
3485 }
3492 }
3494 /* Case sensitive match */
3496 }
3498 }
3499 }
3502 }
3511 /*
3512 * The current match_* routines only support ASCII case insensitivity and don't
3513 * convert UTF-8 inputs to UTF-16 for matching. The UTF-16 support just
3514 * interleaves with \0 bytes, which works for 7 bit ASCII.
3515 *
3516 * We could modify them to use the GLib Unicode routines or the International
3517 * Components for Unicode library but it's not apparent that we could do so
3518 * without consuming a lot more CPU and memory or that searching would be
3519 * significantly better.
3520 *
3521 * XXX: We could test the search string to see if it's all ASCII, and if not
3522 * use Unicode aware routines for case insensitive searches or any UTF-16
3523 * search.
3524 */
3526 bool
3529 {
3530 cbs_t info;
3533 ws_match_function match_function;
3538 /* Regex, String or hex search? */
3540 /* Regular Expression search */
3543 /* String search - what type of string? */
3553 match_function = (dir == SD_FORWARD) ? match_narrow_and_wide_case : match_narrow_and_wide_case_reverse;
3567 }
3577 /* Narrow, case-sensitive match is the same as looking
3578 * for a converted hexstring. */
3589 }
3590 }
3593 }
3596 /* Use the current frame (this will perform the equivalent of
3597 * cf_read_current_record() in match_function).
3598 */
3603 /* The regex match can match an empty string. */
3605 fi = proto_find_field_from_offset(cf->edt->tree, cf->search_pos + cf->search_len - 1, cf->edt->tvb);
3606 }
3610 }
3613 }
3614 }
3618 }
3620 static match_result
3623 {
3627 match_result result;
3634 /* Load the frame's data. */
3636 /* Attempt to get the packet failed. */
3638 }
3646 /* we want to start searching one byte past the previous match start */
3648 }
3652 /* Try narrow match at this start location */
3657 c_match++;
3660 /* Save position and length for highlighting the field. */
3664 }
3667 }
3668 }
3670 /* Now try wide match at the same start location. */
3675 c_match++;
3678 /* Save position and length for highlighting the field. */
3682 }
3683 i++;
3687 }
3688 }
3689 }
3691 done:
3693 }
3695 static match_result
3698 {
3702 match_result result;
3709 /* Load the frame's data. */
3711 /* Attempt to get the packet failed. */
3713 }
3716 /* Has to be room to hold the sought data. */
3719 }
3725 /* we want to start searching one byte before the previous match start */
3727 }
3731 /* Try narrow match at this start location */
3736 c_match++;
3739 /* Save position and length for highlighting the field. */
3743 }
3746 }
3747 }
3749 /* Now try wide match at the same start location. */
3754 c_match++;
3757 /* Save position and length for highlighting the field. */
3761 }
3762 i++;
3766 }
3767 }
3768 }
3770 done:
3772 }
3774 /* Case insensitive match */
3775 static match_result
3778 {
3783 match_result result;
3790 /* Load the frame's data. */
3792 /* Attempt to get the packet failed. */
3794 }
3804 /* we want to start searching one byte past the previous match start */
3806 }
3810 /* Try narrow match at this start location */
3815 c_match++;
3818 /* Save position and length for highlighting the field. */
3822 }
3825 }
3826 }
3828 /* Now try wide match at the same start location. */
3833 c_match++;
3836 /* Save position and length for highlighting the field. */
3840 }
3841 i++;
3845 }
3846 }
3847 }
3849 done:
3851 }
3853 static match_result
3856 {
3861 match_result result;
3868 /* Load the frame's data. */
3870 /* Attempt to get the packet failed. */
3872 }
3877 /* Has to be room to hold the sought data. */
3880 }
3886 /* we want to start searching one byte before the previous match start */
3888 }
3892 /* Try narrow match at this start location */
3897 c_match++;
3900 /* Save position and length for highlighting the field. */
3904 }
3907 }
3908 }
3910 /* Now try wide match at the same start location. */
3915 c_match++;
3918 /* Save position and length for highlighting the field. */
3922 }
3923 i++;
3927 }
3928 }
3929 }
3931 done:
3933 }
3935 /* Case insensitive match */
3936 static match_result
3939 {
3944 match_result result;
3951 /* Load the frame's data. */
3953 /* Attempt to get the packet failed. */
3955 }
3965 /* we want to start searching one byte past the previous match start */
3967 }
3975 c_match++;
3977 /* Save position and length for highlighting the field. */
3982 }
3985 }
3986 }
3987 }
3989 done:
3991 }
3993 static match_result
3996 {
4001 match_result result;
4008 /* Load the frame's data. */
4010 /* Attempt to get the packet failed. */
4012 }
4017 /* Has to be room to hold the sought data. */
4020 }
4026 /* we want to start searching one byte before the previous match start */
4028 }
4036 c_match++;
4038 /* Save position and length for highlighting the field. */
4043 }
4046 }
4047 }
4048 }
4050 done:
4052 }
4054 static match_result
4057 {
4061 match_result result;
4068 /* Load the frame's data. */
4070 /* Attempt to get the packet failed. */
4072 }
4080 /* we want to start searching one byte past the previous match start */
4082 }
4090 c_match++;
4093 /* Save position and length for highlighting the field. */
4097 }
4098 i++;
4102 }
4103 }
4104 }
4106 done:
4108 }
4110 static match_result
4113 {
4117 match_result result;
4124 /* Load the frame's data. */
4126 /* Attempt to get the packet failed. */
4128 }
4131 /* Has to be room to hold the sought data. */
4134 }
4140 /* we want to start searching one byte before the previous match start */
4142 }
4150 c_match++;
4153 /* Save position and length for highlighting the field. */
4157 }
4158 i++;
4162 }
4163 }
4164 }
4166 done:
4168 }
4170 /* Case insensitive match */
4171 static match_result
4174 {
4179 match_result result;
4186 /* Load the frame's data. */
4188 /* Attempt to get the packet failed. */
4190 }
4200 /* we want to start searching one byte past the previous match start */
4202 }
4210 c_match++;
4213 /* Save position and length for highlighting the field. */
4217 }
4218 i++;
4222 }
4223 }
4224 }
4226 done:
4228 }
4230 /* Case insensitive match */
4231 static match_result
4234 {
4239 match_result result;
4246 /* Load the frame's data. */
4248 /* Attempt to get the packet failed. */
4250 }
4255 /* Has to be room to hold the sought data. */
4258 }
4264 /* we want to start searching one byte before the previous match start */
4266 }
4274 c_match++;
4277 /* Save position and length for highlighting the field. */
4281 }
4282 i++;
4286 }
4287 }
4288 }
4290 done:
4292 }
4294 static match_result
4297 {
4300 match_result result;
4303 /* Load the frame's data. */
4305 /* Attempt to get the packet failed. */
4307 }
4313 /* we want to start searching one byte past the previous match start */
4315 }
4318 }
4321 /* Save position and length for highlighting the field. */
4324 }
4327 }
4329 static match_result
4332 {
4335 match_result result;
4338 /* Load the frame's data. */
4340 /* Attempt to get the packet failed. */
4342 }
4346 /* Has to be room to hold the sought data. */
4349 }
4352 /* we want to start searching one byte before the previous match start */
4354 }
4360 /* Save position and length for highlighting the field. */
4364 }
4365 }
4368 }
4370 static match_result
4373 {
4377 /* Load the frame's data. */
4379 /* Attempt to get the packet failed. */
4381 }
4385 /* we want to start searching one byte past the previous match start */
4387 }
4392 result_pos)) {
4393 //TODO: A chosen regex can match the empty string (zero length)
4394 // which doesn't make a lot of sense for searching the packet bytes.
4395 // Should we search with the PCRE2_NOTEMPTY option?
4396 //TODO: Fix cast.
4397 /* Save position and length for highlighting the field. */
4401 }
4402 }
4404 }
4406 static match_result
4409 {
4413 /* Load the frame's data. */
4415 /* Attempt to get the packet failed. */
4417 }
4421 /* we want to start searching one byte before the previous match */
4423 }
4428 result_pos)) {
4429 //TODO: A chosen regex can match the empty string (zero length)
4430 // which doesn't make a lot of sense for searching the packet bytes.
4431 // Should we search with the PCRE2_NOTEMPTY option?
4432 //TODO: Fix cast.
4433 /* Save position and length for highlighting the field. */
4438 }
4439 }
4441 }
4443 bool
4446 {
4448 }
4450 bool
4452 search_direction dir)
4453 {
4458 /*
4459 * XXX - this shouldn't happen, as the filter string is machine
4460 * generated
4461 */
4463 }
4465 /*
4466 * XXX - this shouldn't happen, as the filter string is machine
4467 * generated.
4468 */
4470 }
4474 }
4476 static match_result
4479 {
4481 epan_dissect_t edt;
4482 match_result result;
4484 /* Load the frame's data. */
4486 /* Attempt to get the packet failed. */
4488 }
4496 }
4498 bool
4500 {
4502 }
4504 static match_result
4507 {
4509 }
4511 bool
4513 {
4515 }
4517 static match_result
4520 {
4522 }
4524 static bool
4527 {
4532 wtap_rec rec;
4541 match_result result;
4551 }
4553 /* Iterate through the list of packets, starting at the packet we've
4554 picked, calling a routine to run the filter on the packet, see if
4555 it matches, and stop if so. */
4559 /* If we have no start packet selected, and we're going backwards,
4560 * start at the end (even if wrap is off.)
4561 */
4563 }
4566 /* Progress so far. */
4572 /* Create the progress bar if necessary.
4573 We check on every iteration of the loop, so that it takes no
4574 longer than the standard time to create it (otherwise, for a
4575 large file, we might take considerably longer than that standard
4576 time in order to get to the next progress bar step). */
4581 /*
4582 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
4583 * has elapsed. Calling update_progress_dlg and packets_bar_update will
4584 * likely trigger UI paint events, which might take a while depending on
4585 * the platform and display. Reset our timer *after* painting.
4586 */
4588 /* let's not divide by zero. I should never be started
4589 * with count == 0, so let's assert that
4590 */
4600 }
4603 /* Well, the user decided to abort the search. Go back to the
4604 frame where we started.
4605 XXX - This ends up selecting the start packet and reporting
4606 "success". Perhaps new_fd should stay NULL? */
4609 }
4611 /* Go past the current frame. */
4613 /* Go on to the previous frame. */
4615 /*
4616 * XXX - other apps have a bit more of a detailed message
4617 * for this, and instead of offering "OK" and "Cancel",
4618 * they offer things such as "Continue" and "Cancel";
4619 * we need an API for popping up alert boxes with
4620 * {Verb} and "Cancel".
4621 */
4630 }
4632 framenum--;
4634 /* Go on to the next frame. */
4643 }
4645 framenum++;
4646 }
4649 count++;
4651 /* Is this packet in the display? */
4653 /* Yes. Does it match the search criterion? */
4656 /* Error; our caller has reported the error. Go back to the frame
4657 where we started.
4658 XXX - This ends up selecting the start packet and reporting
4659 "success." Perhaps new_fd should stay NULL? */
4663 /* Yes. Go to the new frame. */
4666 }
4668 }
4671 /* We're back to the frame we were on originally, and that frame
4672 doesn't match the search filter. The search failed. */
4674 }
4675 }
4677 /* We're done scanning the packets; destroy the progress bar if it
4678 was created. */
4684 /* We found a frame that's displayed and that matches.
4685 Try to find and select the packet summary list row for that frame. */
4692 /* We didn't find a row corresponding to this frame.
4693 This means that the frame isn't being displayed currently,
4694 so we can't select it. */
4707 }
4709 bool
4711 {
4715 /* we don't have a loaded capture file - fix for bugs 11810 & 11989 */
4718 }
4723 /* we didn't find a packet with that packet number */
4726 }
4728 /* that packet currently isn't displayed */
4729 /* XXX - add it to the set of displayed packets? */
4731 /* We only want that exact frame, or no frames are displayed. */
4734 }
4736 /* There is no previous displayed frame, so this frame is
4737 * before the first displayed frame. Go to the first line,
4738 * which is the closest frame.
4739 */
4741 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the first displayed packet, %u.", fnumber, cf->first_displayed);
4744 /* The next displayed frame might be closer, we can do an
4745 * O(log n) binary search for the earliest displayed frame
4746 * in the open interval (fnumber, fnumber + delta).
4747 *
4748 * This is possibly overkill, we could just go to the previous
4749 * displayed frame.
4750 */
4759 /* We don't have a frame of that number, so search before it. */
4762 }
4763 /* We have a frame of that number. What's the displayed
4764 * frame before it? */
4766 /* The previous frame that passed the filter is also after
4767 * our target, so our answer is no later than that.
4768 */
4771 /* The previous displayed frame is before fnumber.
4772 * (We already know fnumber itself is not displayed.)
4773 * Is this frame itself displayed?
4774 */
4776 /* Yes. So this is our answer. */
4779 }
4780 /* No. So our answer, if any, is after this frame. */
4782 }
4783 }
4786 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the next displayed packet, %u.", fnumber, fdata->num);
4788 statusbar_push_temporary_msg("Packet number %u isn't displayed, going to the previous displayed packet, %u.", fnumber, fdata->prev_dis_num);
4790 }
4791 }
4792 }
4795 /* We didn't find a row corresponding to this frame.
4796 This means that the frame isn't being displayed currently,
4797 so we can't select it. */
4802 }
4804 }
4806 /*
4807 * Go to frame specified by currently selected protocol tree item.
4808 */
4809 bool
4811 {
4821 /* We probably only want to go to the exact match,
4822 * even though "Go to Previous Packet in History" exists.
4823 */
4825 }
4826 }
4827 }
4830 }
4832 /* Select the packet on a given row. */
4833 void
4835 {
4838 /* check the frame data struct pointer for this frame */
4841 }
4843 /* Get the data in that frame. */
4846 }
4848 /* Record that this frame is the current frame. */
4851 /*
4852 * The change to defer freeing the current epan_dissect_t was in
4853 * commit a2bb94c3b33d53f42534aceb7cc67aab1d1fb1f9; to quote
4854 * that commit's comment:
4855 *
4856 * Clear GtkTreeStore before freeing edt
4857 *
4858 * When building current data for packet details treeview we store two
4859 * things.
4860 * - Generated string with item label
4861 * - Pointer to node field_info structure
4862 *
4863 * After epan_dissect_{free, cleanup} pointer to field_info node is no
4864 * longer valid so we should clear GtkTreeStore before freeing.
4865 *
4866 * XXX - we're no longer using GTK+; is there a way to ensure that
4867 * *nothing* refers to any of the current frame information before
4868 * we replace it?
4869 */
4871 /* Create the logical protocol tree. */
4872 /* We don't need the columns here. */
4880 }
4882 /* Unselect the selected packet, if any. */
4883 void
4885 {
4888 /*
4889 * See the comment in cf_select_packet() about deferring the freeing
4890 * of the old cf->edt.
4891 */
4894 /* No packet is selected. */
4897 /* Destroy the epan_dissect_t for the unselected packet. */
4900 }
4902 /*
4903 * Mark a particular frame.
4904 */
4905 void
4907 {
4912 }
4913 }
4915 /*
4916 * Unmark a particular frame.
4917 */
4918 void
4920 {
4925 }
4926 }
4928 /*
4929 * Ignore a particular frame.
4930 */
4931 void
4933 {
4938 }
4939 }
4941 /*
4942 * Un-ignore a particular frame.
4943 */
4944 void
4946 {
4951 }
4952 }
4954 /*
4955 * Modify the section comment.
4956 */
4957 void
4959 {
4960 wtap_block_t shb_inf;
4963 /* Get the first SHB. */
4964 /* XXX - support multiple SHBs */
4967 /* Get the first comment from the SHB. */
4968 /* XXX - support multiple comments */
4969 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, 0, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
4970 /* There's no comment - add one. */
4973 /* See if the comment has changed or not */
4977 }
4979 /* The comment has changed, let's update it */
4981 }
4982 /* Mark the file as having unsaved changes */
4984 }
4986 /*
4987 * Modify the section comments for a given section.
4988 */
4989 void
4991 {
4992 wtap_block_t shb_inf;
4997 /* Shouldn't happen. XXX: Report it if it does? */
4999 }
5007 if (wtap_block_get_nth_string_option_value(shb_inf, OPT_COMMENT, i, &shb_comment) != WTAP_OPTTYPE_SUCCESS) {
5008 /* There's no comment - add one. */
5012 /* See if the comment has changed or not */
5014 /* The comment has changed, let's update it */
5017 }
5019 }
5020 }
5021 /* We either transferred ownership of the comments or freed them
5022 * above, so free the array of strings but not the strings themselves. */
5025 /* If there are extra old comments, remove them. Start at the end. */
5029 }
5030 }
5032 /*
5033 * Get the packet block for a packet (record).
5034 * If the block has been edited, it returns the result of the edit,
5035 * otherwise it returns the block from the file.
5036 * NB. Caller must wtap_block_unref() the result when done.
5037 */
5038 wtap_block_t
5040 {
5041 /* If this block has been modified, fetch the modified version */
5046 wtap_block_t block;
5048 /* fetch record block */
5054 /* rec.block is owned by the record, steal it before it is gone. */
5059 }
5060 }
5062 /*
5063 * Update(replace) the block on a capture from a frame
5064 */
5065 bool
5067 {
5070 /* It's possible to further modify the modified block "in place" by doing
5071 * a call to cf_get_packet_block() that returns an already created modified
5072 * block, modifying that, and calling this function.
5073 * If the caller did that, then the block pointers will be equal.
5074 */
5076 /* No need to save anything here, the caller changes went right
5077 * onto the block.
5078 * Unfortunately we don't have a way to know how many comments were
5079 * in the block before the caller modified it, so tell the caller
5080 * it is its responsibility to update the comment count.
5081 */
5083 }
5094 }
5096 /* Either way, we have unsaved changes. */
5100 }
5102 /*
5103 * What types of comments does this capture file have?
5104 */
5105 uint32_t
5107 {
5110 /*
5111 * Does this file have any sections with at least one comment?
5112 */
5115 section_number++) {
5116 wtap_block_t shb_inf;
5121 /* Try to get the first comment from that SHB. */
5124 /* We succeeded, so this file has at least one section comment. */
5127 /* We don't need to search any more. */
5129 }
5130 }
5134 }
5136 /*
5137 * Add a resolved address to this file's list of resolved addresses.
5138 */
5139 bool
5141 {
5142 /*
5143 * XXX - support multiple resolved address lists, and add to the one
5144 * attached to this file?
5145 */
5149 /* OK, we have unsaved changes. */
5152 }
5161 /*
5162 * Save a capture to a file, in a particular format, saving either
5163 * all packets, all currently-displayed packets, or all marked packets.
5164 *
5165 * Returns true if it succeeds, false otherwise; if it fails, it pops
5166 * up a message box for the failure.
5167 */
5168 static bool
5170 {
5172 wtap_rec new_rec;
5175 wtap_block_t pkt_block;
5177 /* Copy the record information from what was read in from the file. */
5180 /* Make changes based on anything that the user has done but that
5181 hasn't been saved yet. */
5184 else
5192 }
5193 }
5195 /* and save the packet */
5200 }
5202 /* If we are saving (i.e., replacing the current file with the one we're
5203 * writing), then update the frame data to clear the shift offset.
5204 * This keeps us from having to re-read the entire file.
5205 * We could do this in rescan_file(), but
5206 * 1) Ideally we shouldn't have to call rescan_file if all we're doing
5207 * is changing the timestamps, since that shouldn't change the offsets.
5208 * 2) The long term goal is to try to do the offset adjustment here
5209 * instead of using rescan_file, which should be faster (#1257).
5210 *
5211 * If we're exporting to a different file, then don't do that.
5212 */
5215 }
5218 }
5220 /*
5221 * Can this capture file be written out in any format using Wiretap
5222 * rather than by copying the raw data?
5223 */
5224 bool
5226 {
5227 /* We don't care whether we support the comments in this file or not;
5228 if we can't, we'll offer the user the option of discarding the
5229 comments. */
5231 }
5233 /*
5234 * Should we let the user do a save?
5235 *
5236 * We should if:
5237 *
5238 * the file has unsaved changes, and we can save it in some
5239 * format through Wiretap
5240 *
5241 * or
5242 *
5243 * the file is a temporary file and has no unsaved changes (so
5244 * that "saving" it just means copying it).
5245 *
5246 * XXX - we shouldn't allow files to be edited if they can't be saved,
5247 * so cf->unsaved_changes should be true only if the file can be saved.
5248 *
5249 * We don't care whether we support the comments in this file or not;
5250 * if we can't, we'll offer the user the option of discarding the
5251 * comments.
5252 */
5253 bool
5255 {
5257 /* Saved changes, and we can write it out with Wiretap. */
5259 }
5262 /*
5263 * Temporary file with no unsaved changes, so we can just do a
5264 * raw binary copy.
5265 */
5267 }
5269 /* Nothing to save. */
5271 }
5273 /*
5274 * Should we let the user do a "save as"?
5275 *
5276 * That's true if:
5277 *
5278 * we can save it in some format through Wiretap
5279 *
5280 * or
5281 *
5282 * the file is a temporary file and has no unsaved changes (so
5283 * that "saving" it just means copying it).
5284 *
5285 * XXX - we shouldn't allow files to be edited if they can't be saved,
5286 * so cf->unsaved_changes should be true only if the file can be saved.
5287 *
5288 * We don't care whether we support the comments in this file or not;
5289 * if we can't, we'll offer the user the option of discarding the
5290 * comments.
5291 */
5292 bool
5294 {
5296 /* We can write it out with Wiretap. */
5298 }
5301 /*
5302 * Temporary file with no unsaved changes, so we can just do a
5303 * raw binary copy.
5304 */
5306 }
5308 /* Nothing to save. */
5310 }
5312 /*
5313 * Does this file have unsaved data?
5314 */
5315 bool
5317 {
5318 /*
5319 * If this is a temporary file, or a file with unsaved changes, it
5320 * has unsaved data.
5321 */
5323 }
5325 /*
5326 * Quick scan to find packet offsets.
5327 */
5328 static cf_read_status_t
5330 {
5331 wtap_rec rec;
5345 /* Close the old handle. */
5348 /* Open the new file. */
5349 /* XXX: this will go through all open_routines for a matching one. But right
5350 now rescan_file() is only used when a file is being saved to a different
5351 format than the original, and the user is not given a choice of which
5352 reader to use (only which format to save it in), so doing this makes
5353 sense for now. (XXX: Now it is also used when saving a changed file,
5354 e.g. comments or time-shifted frames.) */
5359 }
5361 /* We're scanning a file whose contents should be the same as what
5362 we had before, so we don't discard dissection state etc.. */
5365 /* Set the file name because we need it to set the follow stream filter.
5366 XXX - is that still true? We need it for other reasons, though,
5367 in any case. */
5370 }
5373 /* Indicate whether it's a permanent or temporary file. */
5376 /* No user changes yet. */
5379 /* Record the file's type and compression type. */
5384 }
5393 /* Find the size of the file. */
5405 framenum++;
5409 }
5413 /* Create the progress bar if necessary. */
5418 }
5420 /*
5421 * Update the progress bar, but do it only after PROGBAR_UPDATE_INTERVAL
5422 * has elapsed. Calling update_progress_dlg and packets_bar_update will
5423 * likely trigger UI paint events, which might take a while depending on
5424 * the platform and display. Reset our timer *after* painting.
5425 */
5428 /* update the packet bar content on the first run or frequently on very large files */
5433 }
5434 }
5437 /* Well, the user decided to abort the rescan. Sadly, as this
5438 isn't a reread, recovering is difficult, so we'll just
5439 close the current capture. */
5441 }
5443 /* Add this packet's link-layer encapsulation type to cf->linktypes, if
5444 it's not already there.
5445 XXX - yes, this is O(N), so if every packet had a different
5446 link-layer encapsulation type, it'd be O(N^2) to read the file, but
5447 there are probably going to be a small number of encapsulation types
5448 in a file. */
5451 }
5453 }
5456 /* Free the display name */
5459 /* We're done reading the file; destroy the progress bar if it was created. */
5464 /* We're done reading sequentially through the file. */
5467 /* Close the sequential I/O side, to free up memory it requires. */
5470 /* compute the time it took to load the file */
5473 /* Set the file encapsulation type now; we don't know what it is until
5474 we've looked at all the packets, as we don't know until then whether
5475 there's more than one type (and thus whether it's
5476 WTAP_ENCAP_PER_PACKET). */
5482 /* Our caller will give up at this point. */
5484 }
5487 /* Put up a message box noting that the read failed somewhere along
5488 the line. Don't throw out the stuff we managed to read, though,
5489 if any. */
5494 }
5496 cf_write_status_t
5498 wtap_compression_type compression_type,
5500 {
5509 SAVE_WITH_MOVE,
5510 SAVE_WITH_COPY,
5511 SAVE_WITH_WTAP
5513 save_callback_args_t callback_args;
5517 /* XXX caller should avoid saving the file while a read is pending
5518 * (e.g. by delaying the save action) */
5520 ws_warning("cf_save_records(\"%s\") while the file is being read, potential crash ahead", fname);
5521 }
5529 && (wtap_addrinfo_list_empty(addr_lists) || wtap_file_type_subtype_supports_block(save_format, WTAP_BLOCK_NAME_RESOLUTION) == BLOCK_NOT_SUPPORTED)) {
5530 /* We're saving in the format it's already in, and we're not discarding
5531 comments, and there are no changes we have in memory that aren't saved
5532 to the file, and we have no name resolution information to write or
5533 the file format we're saving in doesn't support writing name
5534 resolution information, so we can just move or copy the raw data. */
5537 /* The file being saved is a temporary file from a live
5538 capture, so it doesn't need to stay around under that name;
5539 first, try renaming the capture buffer file to the new name.
5540 This acts as a "safe save", in that, if the file already
5541 exists, the existing file will be removed only if the rename
5542 succeeds.
5544 Sadly, on Windows, as we have the current capture file
5545 open, even MoveFileEx() with MOVEFILE_REPLACE_EXISTING
5546 (to cause the rename to remove an existing target), as
5547 done by ws_stdio_rename() (ws_rename() is #defined to
5548 be ws_stdio_rename() on Windows) will fail.
5550 According to the MSDN documentation for CreateFile(), if,
5551 when we open a capture file, we were to directly do a CreateFile(),
5552 opening with FILE_SHARE_DELETE|FILE_SHARE_READ, and then
5553 convert it to a file descriptor with _open_osfhandle(),
5554 that would allow the file to be renamed out from under us.
5556 However, that doesn't work in practice. Perhaps the problem
5557 is that the process doing the rename is the process that
5558 has the file open. */
5559 #ifndef _WIN32
5561 /* That succeeded - there's no need to copy the source file. */
5565 /* They're on different file systems, so we have to copy the
5566 file. */
5569 /* The rename failed, but not because they're on different
5570 file systems - put up an error message. (Or should we
5571 just punt and try to copy? The only reason why I'd
5572 expect the rename to fail and the copy to succeed would
5573 be if we didn't have permission to remove the file from
5574 the temporary directory, and that might be fixable - but
5575 is it worth requiring the user to go off and fix it?) */
5578 }
5579 }
5580 #else
5581 /* Windows - copy the file to its new location. */
5583 #endif
5585 /* It's a permanent file, so we should copy it, and not remove the
5586 original. */
5588 }
5591 /* Copy the file, if we haven't moved it. If we're overwriting
5592 an existing file, we do it with a "safe save", by writing
5593 to a new file and, if the write succeeds, renaming the
5594 new file on top of the old file. */
5602 }
5603 }
5605 /* Either we're saving in a different format or we're saving changes,
5606 such as added, modified, or removed comments, that haven't yet
5607 been written to the underlying file; we can't do that by copying
5608 or moving the capture file, we have to do it by writing the packets
5609 out in Wiretap. */
5611 wtap_dump_params params;
5617 /* Determine what file encapsulation type we should use. */
5621 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5625 /* We're overwriting an existing file; write out to a new file,
5626 and, if that succeeds, rename the new file on top of the
5627 old file. That makes this a "safe save", so that we don't
5628 lose the old file if we have a problem writing out the new
5629 file. (If the existing file is the current capture file,
5630 we *HAVE* to do that, otherwise we're overwriting the file
5631 from which we're reading the packets that we're writing!) */
5638 }
5639 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5646 }
5648 /* Add address resolution */
5651 /* Iterate through the list of packets, processing all the packets. */
5659 /* Completed successfully. */
5663 /* The user decided to abort the saving.
5664 If we're writing to a temporary file, remove it.
5665 XXX - should we do so even if we're not writing to a
5666 temporary file? */
5675 /* Error while saving.
5676 If we're writing to a temporary file, remove it. */
5682 }
5688 }
5691 }
5694 /* We wrote out to fname_new, and should rename it on top of
5695 fname. fname_new is now closed, so that should be possible even
5696 on Windows. However, on Windows, we first need to close whatever
5697 file descriptors we have open for fname. */
5698 #ifdef _WIN32
5700 #endif
5701 /* Now do the rename. */
5703 /* Well, the rename failed. */
5705 #ifdef _WIN32
5706 /* Attempt to reopen the random file descriptor using the
5707 current file's filename. (At this point, the sequential
5708 file descriptor is closed.) */
5710 /* Oh, well, we're screwed. */
5712 }
5713 #endif
5715 }
5717 }
5719 /* If this was a temporary file, and we didn't do the save by doing
5720 a move, so the tempoary file is still around under its old name,
5721 remove it. */
5723 /* If this fails, there's not much we can do, so just ignore errors. */
5725 }
5734 /* We just moved the file, so the wtap structure refers to the
5735 new file, and all the information other than the filename
5736 and the "is temporary" status applies to the new file; just
5737 update that. */
5745 /* We just copied the file, so all the information other than
5746 the file descriptors, the filename, and the "is temporary"
5747 status applies to the new file; just update that. */
5749 /* Attempt to reopen the random file descriptor using the
5750 new file's filename. (At this point, the sequential
5751 file descriptor is closed.) */
5759 }
5764 /* Open and read the file we saved to.
5766 XXX - this is somewhat of a waste; we already have the
5767 packets, all this gets us is updated file type information
5768 (which we could just stuff into "cf"), and having the new
5769 file be the one we have opened and from which we're reading
5770 the data, and it means we have to spend time opening and
5771 reading the file, which could be a significant amount of
5772 time if the file is large.
5774 If the capture-file-writing code were to return the
5775 seek offset of each packet it writes, we could save that
5776 in the frame_data structure for the frame, and just open
5777 the file without reading it again...
5779 ...as long as, for gzipped files, the process of writing
5780 out the file *also* generates the information needed to
5781 support fast random access to the compressed file. */
5782 /* rescan_file will cause us to try all open_routines, so
5783 reset cfile's open_type */
5785 /* There are cases when SAVE_WITH_WTAP can result in new packets
5786 being written to the file, e.g ERF records
5787 In that case, we need to reload the whole file */
5791 /* The rescan failed; just close the file. Either
5792 a dialog was popped up for the failure, so the
5793 user knows what happened, or they stopped the
5794 rescan, in which case they know what happened. */
5795 /* XXX: This is inconsistent with normal open/reload behaviour. */
5797 }
5798 }
5799 }
5802 /* The rescan failed; just close the file. Either
5803 a dialog was popped up for the failure, so the
5804 user knows what happened, or they stopped the
5805 rescan, in which case they know what happened. */
5807 }
5808 }
5810 }
5812 /* If we were told to discard the comments, do so. */
5814 /* Remove SHB comment, if any. */
5817 /* remove all user comments */
5821 // XXX: This also ignores non-comment options like verdict
5823 }
5828 }
5831 }
5832 }
5835 fail:
5837 /* We were trying to write to a temporary file; get rid of it if it
5838 exists. (We don't care whether this fails, as, if it fails,
5839 there's not much we can do about it. I guess if it failed for
5840 a reason other than "it doesn't exist", we could report an
5841 error, so the user knows there's a junk file that they might
5842 want to clean up.) */
5845 }
5848 }
5850 cf_write_status_t
5853 wtap_compression_type compression_type)
5854 {
5859 save_callback_args_t callback_args;
5860 wtap_dump_params params;
5866 /* We're writing out specified packets from the specified capture
5867 file to another file. Even if all captured packets are to be
5868 written, don't special-case the operation - read each packet
5869 and then write it out if it's one of the specified ones. */
5873 /* Determine what file encapsulation type we should use. */
5877 /* Use the snaplen from cf (XXX - does wtap_dump_params_init handle that?) */
5881 /* We're overwriting an existing file; write out to a new file,
5882 and, if that succeeds, rename the new file on top of the
5883 old file. That makes this a "safe save", so that we don't
5884 lose the old file if we have a problem writing out the new
5885 file. (If the existing file is the current capture file,
5886 we *HAVE* to do that, otherwise we're overwriting the file
5887 from which we're reading the packets that we're writing!) */
5894 }
5895 /* XXX idb_inf is documented to be used until wtap_dump_close. */
5902 }
5904 /* Add address resolution */
5907 /* Iterate through the list of packets, processing the packets we were
5908 told to process.
5910 XXX - we've already called "packet_range_process_init(range)", but
5911 "process_specified_records()" will do it again. Fortunately,
5912 that's harmless in this case, as we haven't done anything to
5913 "range" since we initialized it. */
5921 /* Completed successfully. */
5925 /* The user decided to abort the saving.
5926 If we're writing to a temporary file, remove it.
5927 XXX - should we do so even if we're not writing to a
5928 temporary file? */
5933 }
5939 /* Error while saving. */
5941 /*
5942 * We don't report any error from closing; the error that caused
5943 * process_specified_records() to fail has already been reported.
5944 */
5946 }
5951 }
5954 /* We wrote out to fname_new, and should rename it on top of
5955 fname; fname is now closed, so that should be possible even
5956 on Windows. Do the rename. */
5958 /* Well, the rename failed. */
5961 }
5963 }
5968 fail:
5970 /* We were trying to write to a temporary file; get rid of it if it
5971 exists. (We don't care whether this fails, as, if it fails,
5972 there's not much we can do about it. I guess if it failed for
5973 a reason other than "it doesn't exist", we could report an
5974 error, so the user knows there's a junk file that they might
5975 want to clean up.) */
5978 }
5982 }
5984 /* Reload the current capture file. */
5985 cf_status_t
5987 {
5996 }
5998 /* If the file could be opened, "cf_open()" calls "cf_close()"
5999 to get rid of state for the old capture file before filling in state
6000 for the new capture file. "cf_close()" will remove the file if
6001 it's a temporary file; we don't want that to happen (for one thing,
6002 it'd prevent subsequent reopens from working). Remember whether it's
6003 a temporary file, mark it as not being a temporary file, and then
6004 reopen it as the type of file it was.
6006 Also, "cf_close()" will free "cf->filename", so we must make
6007 a copy of it first. */
6016 /* Just because we got an error, that doesn't mean we were unable
6017 to read any of the file; we handle what we could get from the
6018 file. */
6022 /* The user bailed out of re-reading the capture file; the
6023 capture file has been closed. */
6025 }
6027 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
6028 Instead, the file was left open, so we should restore "cf->is_tempfile"
6029 ourselves.
6031 XXX - change the menu? Presumably "cf_open()" will do that;
6032 make sure it does! */
6035 }
6036 /* "cf_open()" made a copy of the file name we handed it, so
6037 we should free up our copy. */
6040 }