6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
46 #include <epan/epan.h>
47 #include <epan/filesystem.h>
50 #include "color_filters.h"
52 #include <epan/column.h>
53 #include <epan/packet.h>
54 #include <epan/column-utils.h>
55 #include "packet-range.h"
61 #include "alert_box.h"
62 #include "simple_dialog.h"
63 #include "progress_dlg.h"
65 #include <epan/prefs.h>
66 #include <epan/dfilter/dfilter.h>
67 #include <epan/epan_dissect.h>
69 #include <epan/dissectors/packet-data.h>
70 #include <epan/dissectors/packet-ber.h>
71 #include <epan/timestamp.h>
72 #include <epan/dfilter/dfilter-macro.h>
73 #include <wsutil/file_util.h>
74 #include <epan/strutil.h>
78 gboolean auto_scroll_live;
81 static nstime_t first_ts;
82 static nstime_t prev_dis_ts;
83 static guint32 cum_bytes = 0;
85 static void cf_reset_state(capture_file *cf);
87 static int read_packet(capture_file *cf, dfilter_t *dfcode,
88 gboolean filtering_tap_listeners, guint tap_flags, gint64 offset);
90 static void rescan_packets(capture_file *cf, const char *action, const char *action_item,
91 gboolean refilter, gboolean redissect);
93 static gboolean match_protocol_tree(capture_file *cf, frame_data *fdata,
95 static void match_subtree_text(proto_node *node, gpointer data);
96 static gboolean match_summary_line(capture_file *cf, frame_data *fdata,
98 static gboolean match_ascii_and_unicode(capture_file *cf, frame_data *fdata,
100 static gboolean match_ascii(capture_file *cf, frame_data *fdata,
102 static gboolean match_unicode(capture_file *cf, frame_data *fdata,
104 static gboolean match_binary(capture_file *cf, frame_data *fdata,
106 static gboolean match_dfilter(capture_file *cf, frame_data *fdata,
108 static gboolean find_packet(capture_file *cf,
109 gboolean (*match_function)(capture_file *, frame_data *, void *),
112 static void cf_open_failure_alert_box(const char *filename, int err,
113 gchar *err_info, gboolean for_writing,
115 static const char *file_rename_error_message(int err);
116 static void cf_write_failure_alert_box(const char *filename, int err);
117 static void cf_close_failure_alert_box(const char *filename, int err);
118 #ifdef NEW_PACKET_LIST
119 static void ref_time_packets(capture_file *cf);
121 /* Update the progress bar this many times when reading a file. */
122 #define N_PROGBAR_UPDATES 100
124 /* Number of "frame_data" structures per memory chunk.
125 XXX - is this the right number? */
126 #define FRAME_DATA_CHUNK_SIZE 1024
129 /* this callback mechanism should possibly be replaced by the g_signal_...() stuff (if I only would know how :-) */
131 cf_callback_t cb_fct;
133 } cf_callback_data_t;
135 static GList *cf_callbacks = NULL;
138 cf_callback_invoke(int event, gpointer data)
140 cf_callback_data_t *cb;
141 GList *cb_item = cf_callbacks;
143 /* there should be at least one interested */
144 g_assert(cb_item != NULL);
146 while(cb_item != NULL) {
148 cb->cb_fct(event, data, cb->user_data);
149 cb_item = g_list_next(cb_item);
155 cf_callback_add(cf_callback_t func, gpointer user_data)
157 cf_callback_data_t *cb;
159 cb = g_malloc(sizeof(cf_callback_data_t));
161 cb->user_data = user_data;
163 cf_callbacks = g_list_append(cf_callbacks, cb);
167 cf_callback_remove(cf_callback_t func)
169 cf_callback_data_t *cb;
170 GList *cb_item = cf_callbacks;
172 while(cb_item != NULL) {
174 if(cb->cb_fct == func) {
175 cf_callbacks = g_list_remove(cf_callbacks, cb);
179 cb_item = g_list_next(cb_item);
182 g_assert_not_reached();
186 cf_timestamp_auto_precision(capture_file *cf)
188 int prec = timestamp_get_precision();
191 /* don't try to get the file's precision if none is opened */
192 if(cf->state == FILE_CLOSED) {
196 /* if we are in auto mode, set precision of current file */
197 if(prec == TS_PREC_AUTO ||
198 prec == TS_PREC_AUTO_SEC ||
199 prec == TS_PREC_AUTO_DSEC ||
200 prec == TS_PREC_AUTO_CSEC ||
201 prec == TS_PREC_AUTO_MSEC ||
202 prec == TS_PREC_AUTO_USEC ||
203 prec == TS_PREC_AUTO_NSEC)
205 switch(wtap_file_tsprecision(cf->wth)) {
206 case(WTAP_FILE_TSPREC_SEC):
207 timestamp_set_precision(TS_PREC_AUTO_SEC);
209 case(WTAP_FILE_TSPREC_DSEC):
210 timestamp_set_precision(TS_PREC_AUTO_DSEC);
212 case(WTAP_FILE_TSPREC_CSEC):
213 timestamp_set_precision(TS_PREC_AUTO_CSEC);
215 case(WTAP_FILE_TSPREC_MSEC):
216 timestamp_set_precision(TS_PREC_AUTO_MSEC);
218 case(WTAP_FILE_TSPREC_USEC):
219 timestamp_set_precision(TS_PREC_AUTO_USEC);
221 case(WTAP_FILE_TSPREC_NSEC):
222 timestamp_set_precision(TS_PREC_AUTO_NSEC);
225 g_assert_not_reached();
232 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
237 wth = wtap_open_offline(fname, err, &err_info, TRUE);
241 /* The open succeeded. Close whatever capture file we had open,
242 and fill in the information for this file. */
245 /* Initialize all data structures used for dissection. */
248 /* We're about to start reading the file. */
249 cf->state = FILE_READ_IN_PROGRESS;
254 /* Set the file name because we need it to set the follow stream filter.
255 XXX - is that still true? We need it for other reasons, though,
257 cf->filename = g_strdup(fname);
259 /* Indicate whether it's a permanent or temporary file. */
260 cf->is_tempfile = is_tempfile;
262 /* If it's a temporary capture buffer file, mark it as not saved. */
263 cf->user_saved = !is_tempfile;
265 cf->cd_t = wtap_file_type(cf->wth);
267 cf->displayed_count = 0;
268 cf->marked_count = 0;
269 cf->drops_known = FALSE;
271 cf->snap = wtap_snapshot_length(cf->wth);
273 /* Snapshot length not known. */
274 cf->has_snap = FALSE;
275 cf->snap = WTAP_MAX_PACKET_SIZE;
278 nstime_set_zero(&cf->elapsed_time);
279 nstime_set_unset(&first_ts);
280 nstime_set_unset(&prev_dis_ts);
282 #if GLIB_CHECK_VERSION(2,10,0)
284 /* memory chunks have been deprecated in favor of the slice allocator,
285 * which has been added in 2.10
287 cf->plist_chunk = g_mem_chunk_new("frame_data_chunk",
289 FRAME_DATA_CHUNK_SIZE * sizeof(frame_data),
291 g_assert(cf->plist_chunk);
293 /* change the time formats now, as we might have a new precision */
294 cf_change_time_formats(cf);
296 fileset_file_opened(fname);
298 if(cf->cd_t == WTAP_FILE_BER) {
299 /* tell the BER dissector the file name */
300 ber_set_filename(cf->filename);
306 cf_open_failure_alert_box(fname, *err, err_info, FALSE, 0);
312 * Reset the state for the currently closed file, but don't do the
313 * UI callbacks; this is for use in "cf_open()", where we don't
314 * want the UI to go from "file open" to "file closed" back to
315 * "file open", we want it to go from "old file open" to "new file
316 * open and being read".
319 cf_reset_state(capture_file *cf)
321 /* Die if we're in the middle of reading a file. */
322 g_assert(cf->state != FILE_READ_IN_PROGRESS);
328 /* We have no file open... */
329 if (cf->filename != NULL) {
330 /* If it's a temporary file, remove it. */
332 ws_unlink(cf->filename);
333 g_free(cf->filename);
336 /* ...which means we have nothing to save. */
337 cf->user_saved = FALSE;
339 #if GLIB_CHECK_VERSION(2,10,0)
340 if (cf->plist != NULL)
341 g_slice_free_chain(frame_data, cf->plist, next);
343 /* memory chunks have been deprecated in favor of the slice allocator,
344 * which has been added in 2.10
346 if (cf->plist_chunk != NULL) {
347 g_mem_chunk_destroy(cf->plist_chunk);
348 cf->plist_chunk = NULL;
351 if (cf->rfcode != NULL) {
352 dfilter_free(cf->rfcode);
356 cf->plist_end = NULL;
357 cf_unselect_packet(cf); /* nothing to select */
358 cf->first_displayed = NULL;
359 cf->last_displayed = NULL;
361 /* No frame selected, no field in that frame selected. */
362 cf->current_frame = NULL;
364 cf->finfo_selected = NULL;
366 /* Clear the packet list. */
367 #ifdef NEW_PACKET_LIST
368 new_packet_list_freeze();
369 new_packet_list_clear();
370 new_packet_list_thaw();
372 packet_list_freeze();
379 nstime_set_zero(&cf->elapsed_time);
381 reset_tap_listeners();
383 /* We have no file open. */
384 cf->state = FILE_CLOSED;
386 fileset_file_closed();
389 /* Reset everything to a pristine state */
391 cf_close(capture_file *cf)
393 /* do GUI things even if file is already closed,
394 * e.g. to cleanup things if a capture couldn't be started */
395 cf_callback_invoke(cf_cb_file_closing, cf);
397 /* close things, if not already closed before */
398 if(cf->state != FILE_CLOSED) {
399 color_filters_cleanup();
401 cleanup_dissection();
404 cf_callback_invoke(cf_cb_file_closed, cf);
407 /* an out of memory exception occured, wait for a user button press to exit */
408 void outofmemory_cb(gpointer dialog _U_, gint btn _U_, gpointer data _U_)
414 cf_read(capture_file *cf)
418 const gchar *name_ptr;
420 char errmsg_errno[1024+1];
422 progdlg_t *volatile progbar = NULL;
424 volatile gint64 size;
426 volatile float progbar_val;
428 gchar status_str[100];
429 volatile gint64 progbar_nextstep;
430 volatile gint64 progbar_quantum;
432 gboolean filtering_tap_listeners;
435 volatile int displayed_once = 0;
438 /* Compile the current display filter.
439 * We assume this will not fail since cf->dfilter is only set in
440 * cf_filter IFF the filter was valid.
444 dfilter_compile(cf->dfilter, &dfcode);
447 /* Do we have any tap listeners with filters? */
448 filtering_tap_listeners = have_filtering_tap_listeners();
450 /* Get the union of the flags for all tap listeners. */
451 tap_flags = union_of_tap_listener_flags();
455 reset_tap_listeners();
457 cf_callback_invoke(cf_cb_file_read_start, cf);
459 name_ptr = get_basename(cf->filename);
461 /* Find the size of the file. */
462 size = wtap_file_size(cf->wth, NULL);
464 /* Update the progress bar when it gets to this value. */
465 progbar_nextstep = 0;
466 /* When we reach the value that triggers a progress bar update,
467 bump that value by this amount. */
469 progbar_quantum = size/N_PROGBAR_UPDATES;
472 /* Progress so far. */
475 #ifdef NEW_PACKET_LIST
476 new_packet_list_freeze();
478 packet_list_freeze();
482 g_get_current_time(&start_time);
484 while ((wtap_read(cf->wth, &err, &err_info, &data_offset))) {
486 /* Create the progress bar if necessary.
487 We check on every iteration of the loop, so that it takes no
488 longer than the standard time to create it (otherwise, for a
489 large file, we might take considerably longer than that standard
490 time in order to get to the next progress bar step). */
491 if (progbar == NULL) {
492 progbar = delayed_create_progress_dlg("Loading", name_ptr,
493 TRUE, &stop_flag, &start_time, progbar_val);
496 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
497 when we update it, we have to run the GTK+ main loop to get it
498 to repaint what's pending, and doing so may involve an "ioctl()"
499 to see if there's any pending input from an X server, and doing
500 that for every packet can be costly, especially on a big file. */
501 if (data_offset >= progbar_nextstep) {
502 file_pos = wtap_read_so_far(cf->wth, NULL);
503 progbar_val = (gfloat) file_pos / (gfloat) size;
504 if (progbar_val > 1.0) {
505 /* The file probably grew while we were reading it.
506 Update file size, and try again. */
507 size = wtap_file_size(cf->wth, NULL);
509 progbar_val = (gfloat) file_pos / (gfloat) size;
510 /* If it's still > 1, either "wtap_file_size()" failed (in which
511 case there's not much we can do about it), or the file
512 *shrank* (in which case there's not much we can do about
513 it); just clip the progress value at 1.0. */
514 if (progbar_val > 1.0f)
517 if (progbar != NULL) {
518 /* update the packet lists content on the first run or frequently on very large files */
519 /* (on smaller files the display update takes longer than reading the file) */
521 if (progbar_quantum > 500000 || displayed_once == 0) {
522 if ((auto_scroll_live || displayed_once == 0 || cf->displayed_count < 1000) && cf->plist_end != NULL) {
524 #ifdef NEW_PACKET_LIST
525 /* XXX - Add move to end function call. Freeze/thaw if
529 if (auto_scroll_live)
530 packet_list_moveto_end();
531 packet_list_freeze();
532 #endif /* NEW_PACKET_LIST */
535 #endif /* HAVE_LIBPCAP */
536 g_snprintf(status_str, sizeof(status_str),
537 "%" G_GINT64_MODIFIER "dKB of %" G_GINT64_MODIFIER "dKB",
538 file_pos / 1024, size / 1024);
539 update_progress_dlg(progbar, progbar_val, status_str);
541 progbar_nextstep += progbar_quantum;
546 /* Well, the user decided to abort the read. He/She will be warned and
547 it might be enough for him/her to work with the already loaded
549 This is especially true for very large capture files, where you don't
550 want to wait loading the whole file (which may last minutes or even
551 hours even on fast machines) just to see that it was the wrong file. */
555 read_packet(cf, dfcode, filtering_tap_listeners, tap_flags, data_offset);
557 CATCH(OutOfMemoryError) {
560 dialog = simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
561 "%sOut Of Memory!%s\n"
563 "Sorry, but Wireshark has to terminate now!\n"
565 "Some infos / workarounds can be found at:\n"
566 "http://wiki.wireshark.org/KnownBugs/OutOfMemory",
567 simple_dialog_primary_start(), simple_dialog_primary_end());
568 /* we have to terminate, as we cannot recover from the memory error */
569 simple_dialog_set_cb(dialog, outofmemory_cb, NULL);
571 main_window_update();
572 /* XXX - how to avoid a busy wait? */
580 /* Cleanup and release all dfilter resources */
582 dfilter_free(dfcode);
585 /* We're done reading the file; destroy the progress bar if it was created. */
587 destroy_progress_dlg(progbar);
589 /* We're done reading sequentially through the file. */
590 cf->state = FILE_READ_DONE;
592 /* Close the sequential I/O side, to free up memory it requires. */
593 wtap_sequential_close(cf->wth);
595 /* Allow the protocol dissectors to free up memory that they
596 * don't need after the sequential run-through of the packets. */
597 postseq_cleanup_all_protocols();
599 /* Set the file encapsulation type now; we don't know what it is until
600 we've looked at all the packets, as we don't know until then whether
601 there's more than one type (and thus whether it's
602 WTAP_ENCAP_PER_PACKET). */
603 cf->lnk_t = wtap_file_encap(cf->wth);
605 cf->current_frame = cf->first_displayed;
608 #ifdef NEW_PACKET_LIST
609 new_packet_list_thaw();
614 cf_callback_invoke(cf_cb_file_read_finished, cf);
616 /* If we have any displayed packets to select, select the first of those
617 packets by making the first row the selected row. */
618 if (cf->first_displayed != NULL){
619 #ifdef NEW_PACKET_LIST
620 new_packet_list_select_first_row();
622 packet_list_select_row(0);
623 #endif /* NEW_PACKET_LIST */
627 simple_dialog(ESD_TYPE_WARN, ESD_BTN_OK,
628 "%sFile loading was cancelled!%s\n"
630 "The remaining packets in the file were discarded.\n"
632 "As a lot of packets from the original file will be missing,\n"
633 "remember to be careful when saving the current content to a file.\n",
634 simple_dialog_primary_start(), simple_dialog_primary_end());
635 return CF_READ_ERROR;
639 /* Put up a message box noting that the read failed somewhere along
640 the line. Don't throw out the stuff we managed to read, though,
644 case WTAP_ERR_UNSUPPORTED_ENCAP:
645 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
646 "The capture file has a packet with a network type that Wireshark doesn't support.\n(%s)",
649 errmsg = errmsg_errno;
652 case WTAP_ERR_CANT_READ:
653 errmsg = "An attempt to read from the capture file failed for"
654 " some unknown reason.";
657 case WTAP_ERR_SHORT_READ:
658 errmsg = "The capture file appears to have been cut short"
659 " in the middle of a packet.";
662 case WTAP_ERR_BAD_RECORD:
663 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
664 "The capture file appears to be damaged or corrupt.\n(%s)",
667 errmsg = errmsg_errno;
671 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
672 "An error occurred while reading the"
673 " capture file: %s.", wtap_strerror(err));
674 errmsg = errmsg_errno;
677 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s", errmsg);
678 return CF_READ_ERROR;
685 cf_start_tail(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
687 cf_status_t cf_status;
689 cf_status = cf_open(cf, fname, is_tempfile, err);
694 cf_continue_tail(capture_file *cf, volatile int to_read, int *err)
696 gint64 data_offset = 0;
698 volatile int newly_displayed_packets = 0;
700 gboolean filtering_tap_listeners;
703 /* Compile the current display filter.
704 * We assume this will not fail since cf->dfilter is only set in
705 * cf_filter IFF the filter was valid.
709 dfilter_compile(cf->dfilter, &dfcode);
712 /* Do we have any tap listeners with filters? */
713 filtering_tap_listeners = have_filtering_tap_listeners();
715 /* Get the union of the flags for all tap listeners. */
716 tap_flags = union_of_tap_listener_flags();
720 #ifdef NEW_PACKET_LIST
721 new_packet_list_freeze();
723 packet_list_check_end();
724 packet_list_freeze();
727 /*g_log(NULL, G_LOG_LEVEL_MESSAGE, "cf_continue_tail: %u new: %u", cf->count, to_read);*/
729 while (to_read != 0 && (wtap_read(cf->wth, err, &err_info, &data_offset))) {
730 if (cf->state == FILE_READ_ABORTED) {
731 /* Well, the user decided to exit Wireshark. Break out of the
732 loop, and let the code below (which is called even if there
733 aren't any packets left to read) exit. */
737 if (read_packet(cf, dfcode, filtering_tap_listeners, tap_flags,
738 data_offset) != -1) {
739 newly_displayed_packets++;
742 CATCH(OutOfMemoryError) {
745 dialog = simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
746 "%sOut Of Memory!%s\n"
748 "Sorry, but Wireshark has to terminate now!\n"
750 "The capture file is not lost, it can be found at:\n"
753 "Some infos / workarounds can be found at:\n"
754 "http://wiki.wireshark.org/KnownBugs/OutOfMemory",
755 simple_dialog_primary_start(), simple_dialog_primary_end(), cf->filename);
756 /* we have to terminate, as we cannot recover from the memory error */
757 simple_dialog_set_cb(dialog, outofmemory_cb, NULL);
759 main_window_update();
760 /* XXX - how to avoid a busy wait? */
763 #ifdef NEW_PACKET_LIST
764 new_packet_list_thaw();
768 return CF_READ_ABORTED;
774 /* Cleanup and release all dfilter resources */
776 dfilter_free(dfcode);
779 /*g_log(NULL, G_LOG_LEVEL_MESSAGE, "cf_continue_tail: count %u state: %u err: %u",
780 cf->count, cf->state, *err);*/
782 #ifdef NEW_PACKET_LIST
783 new_packet_list_thaw();
785 /* XXX - this causes "flickering" of the list */
789 #ifndef NEW_PACKET_LIST
790 /* moving to the end of the packet list - if the user requested so and
791 we have some new packets.
792 this doesn't seem to work well with a frozen GTK_Clist, so do this after
793 packet_list_thaw() is done, see bugzilla 1188 */
794 /* XXX - this cheats and looks inside the packet list to find the final
796 if (newly_displayed_packets && auto_scroll_live && cf->plist_end != NULL)
797 packet_list_moveto_end();
798 #endif /* NEW_PACKET_LIST */
800 if (cf->state == FILE_READ_ABORTED) {
801 /* Well, the user decided to exit Wireshark. Return CF_READ_ABORTED
802 so that our caller can kill off the capture child process;
803 this will cause an EOF on the pipe from the child, so
804 "cf_finish_tail()" will be called, and it will clean up
806 return CF_READ_ABORTED;
807 } else if (*err != 0) {
808 /* We got an error reading the capture file.
809 XXX - pop up a dialog box instead? */
810 g_warning("Error \"%s\" while reading: \"%s\"\n",
811 wtap_strerror(*err), cf->filename);
813 return CF_READ_ERROR;
819 cf_finish_tail(capture_file *cf, int *err)
824 gboolean filtering_tap_listeners;
827 /* Compile the current display filter.
828 * We assume this will not fail since cf->dfilter is only set in
829 * cf_filter IFF the filter was valid.
833 dfilter_compile(cf->dfilter, &dfcode);
836 /* Do we have any tap listeners with filters? */
837 filtering_tap_listeners = have_filtering_tap_listeners();
839 /* Get the union of the flags for all tap listeners. */
840 tap_flags = union_of_tap_listener_flags();
842 if(cf->wth == NULL) {
844 return CF_READ_ERROR;
847 #ifdef NEW_PACKET_LIST
848 new_packet_list_freeze();
850 packet_list_check_end();
851 packet_list_freeze();
854 while ((wtap_read(cf->wth, err, &err_info, &data_offset))) {
855 if (cf->state == FILE_READ_ABORTED) {
856 /* Well, the user decided to abort the read. Break out of the
857 loop, and let the code below (which is called even if there
858 aren't any packets left to read) exit. */
861 read_packet(cf, dfcode, filtering_tap_listeners, tap_flags, data_offset);
864 /* Cleanup and release all dfilter resources */
866 dfilter_free(dfcode);
869 #ifdef NEW_PACKET_LIST
870 new_packet_list_thaw();
875 if (cf->state == FILE_READ_ABORTED) {
876 /* Well, the user decided to abort the read. We're only called
877 when the child capture process closes the pipe to us (meaning
878 it's probably exited), so we can just close the capture
879 file; we return CF_READ_ABORTED so our caller can do whatever
880 is appropriate when that happens. */
882 return CF_READ_ABORTED;
885 #ifndef NEW_PACKET_LIST
886 if (auto_scroll_live && cf->plist_end != NULL)
887 /* XXX - this cheats and looks inside the packet list to find the final
889 packet_list_moveto_end();
892 /* We're done reading sequentially through the file. */
893 cf->state = FILE_READ_DONE;
895 /* We're done reading sequentially through the file; close the
896 sequential I/O side, to free up memory it requires. */
897 wtap_sequential_close(cf->wth);
899 /* Allow the protocol dissectors to free up memory that they
900 * don't need after the sequential run-through of the packets. */
901 postseq_cleanup_all_protocols();
903 /* Set the file encapsulation type now; we don't know what it is until
904 we've looked at all the packets, as we don't know until then whether
905 there's more than one type (and thus whether it's
906 WTAP_ENCAP_PER_PACKET). */
907 cf->lnk_t = wtap_file_encap(cf->wth);
910 /* We got an error reading the capture file.
911 XXX - pop up a dialog box? */
912 return CF_READ_ERROR;
917 #endif /* HAVE_LIBPCAP */
920 cf_get_display_name(capture_file *cf)
922 const gchar *displayname;
924 /* Return a name to use in displays */
925 if (!cf->is_tempfile) {
926 /* Get the last component of the file name, and use that. */
928 displayname = get_basename(cf->filename);
930 displayname="(No file)";
933 /* The file we read is a temporary file from a live capture;
934 we don't mention its name. */
935 displayname = "(Untitled)";
940 /* XXX - use a macro instead? */
942 cf_get_packet_count(capture_file *cf)
947 /* XXX - use a macro instead? */
949 cf_set_packet_count(capture_file *cf, int packet_count)
951 cf->count = packet_count;
954 /* XXX - use a macro instead? */
956 cf_is_tempfile(capture_file *cf)
958 return cf->is_tempfile;
961 void cf_set_tempfile(capture_file *cf, gboolean is_tempfile)
963 cf->is_tempfile = is_tempfile;
967 /* XXX - use a macro instead? */
968 void cf_set_drops_known(capture_file *cf, gboolean drops_known)
970 cf->drops_known = drops_known;
973 /* XXX - use a macro instead? */
974 void cf_set_drops(capture_file *cf, guint32 drops)
979 /* XXX - use a macro instead? */
980 gboolean cf_get_drops_known(capture_file *cf)
982 return cf->drops_known;
985 /* XXX - use a macro instead? */
986 guint32 cf_get_drops(capture_file *cf)
991 void cf_set_rfcode(capture_file *cf, dfilter_t *rfcode)
997 add_packet_to_packet_list(frame_data *fdata, capture_file *cf,
998 dfilter_t *dfcode, gboolean filtering_tap_listeners,
1000 union wtap_pseudo_header *pseudo_header, const guchar *buf,
1002 #ifdef NEW_PACKET_LIST
1003 gboolean add_to_packet_list)
1005 gboolean add_to_packet_list _U_)
1008 gboolean create_proto_tree = FALSE;
1013 #ifdef NEW_PACKET_LIST
1014 cinfo = (tap_flags & TL_REQUIRES_COLUMNS) ? &cf->cinfo : NULL;
1019 /* just add some value here until we know if it is being displayed or not */
1020 fdata->cum_bytes = cum_bytes + fdata->pkt_len;
1022 /* If we don't have the time stamp of the first packet in the
1023 capture, it's because this is the first packet. Save the time
1024 stamp of this packet as the time stamp of the first packet. */
1025 if (nstime_is_unset(&first_ts)) {
1026 first_ts = fdata->abs_ts;
1028 /* if this frames is marked as a reference time frame, reset
1029 firstsec and firstusec to this frame */
1030 if(fdata->flags.ref_time){
1031 first_ts = fdata->abs_ts;
1034 /* If we don't have the time stamp of the previous displayed packet,
1035 it's because this is the first displayed packet. Save the time
1036 stamp of this packet as the time stamp of the previous displayed
1038 if (nstime_is_unset(&prev_dis_ts)) {
1039 prev_dis_ts = fdata->abs_ts;
1042 /* Get the time elapsed between the first packet and this packet. */
1043 nstime_delta(&fdata->rel_ts, &fdata->abs_ts, &first_ts);
1045 /* If it's greater than the current elapsed time, set the elapsed time
1046 to it (we check for "greater than" so as not to be confused by
1047 time moving backwards). */
1048 if ((gint32)cf->elapsed_time.secs < fdata->rel_ts.secs
1049 || ((gint32)cf->elapsed_time.secs == fdata->rel_ts.secs && (gint32)cf->elapsed_time.nsecs < fdata->rel_ts.nsecs)) {
1050 cf->elapsed_time = fdata->rel_ts;
1053 /* Get the time elapsed between the previous displayed packet and
1055 nstime_delta(&fdata->del_dis_ts, &fdata->abs_ts, &prev_dis_ts);
1059 we have a display filter and are re-applying it;
1061 we have a list of color filters;
1063 we have tap listeners with filters;
1065 we have tap listeners that require a protocol tree;
1067 we have custom columns;
1069 allocate a protocol tree root node, so that we'll construct
1070 a protocol tree against which a filter expression can be
1072 if ((dfcode != NULL && refilter) ||
1073 #ifndef NEW_PACKET_LIST
1074 color_filters_used() ||
1075 have_custom_cols(cinfo) ||
1077 filtering_tap_listeners || (tap_flags & TL_REQUIRES_PROTO_TREE))
1078 create_proto_tree = TRUE;
1080 /* Dissect the frame. */
1081 epan_dissect_init(&edt, create_proto_tree, FALSE);
1083 if (dfcode != NULL && refilter) {
1084 epan_dissect_prime_dfilter(&edt, dfcode);
1087 /* prepare color filters */
1088 #ifndef NEW_PACKET_LIST
1089 color_filters_prime_edt(&edt);
1090 col_custom_prime_edt(&edt, cinfo);
1093 tap_queue_init(&edt);
1094 epan_dissect_run(&edt, pseudo_header, buf, fdata, cinfo);
1095 tap_push_tapped_queue(&edt);
1097 /* If we have a display filter, apply it if we're refiltering, otherwise
1098 leave the "passed_dfilter" flag alone.
1100 If we don't have a display filter, set "passed_dfilter" to 1. */
1101 if (dfcode != NULL) {
1103 fdata->flags.passed_dfilter = dfilter_apply_edt(dfcode, &edt) ? 1 : 0;
1106 fdata->flags.passed_dfilter = 1;
1108 #ifdef NEW_PACKET_LIST
1109 if (add_to_packet_list) {
1111 epan_dissect_fill_in_columns(&edt, FALSE);
1112 row = new_packet_list_append(cinfo, fdata, &edt.pi);
1116 if( (fdata->flags.passed_dfilter) || (edt.pi.fd->flags.ref_time) )
1118 /* This frame either passed the display filter list or is marked as
1119 a time reference frame. All time reference frames are displayed
1120 even if they dont pass the display filter */
1121 if(edt.pi.fd->flags.ref_time){
1122 /* if this was a TIME REF frame we should reset the cul bytes field */
1123 cum_bytes = fdata->pkt_len;
1124 fdata->cum_bytes = cum_bytes;
1126 /* increase cum_bytes with this packets length */
1127 cum_bytes += fdata->pkt_len;
1130 #ifndef NEW_PACKET_LIST
1131 epan_dissect_fill_in_columns(&edt, TRUE);
1134 /* If we haven't yet seen the first frame, this is it.
1136 XXX - we must do this before we add the row to the display,
1137 as, if the display's GtkCList's selection mode is
1138 GTK_SELECTION_BROWSE, when the first entry is added to it,
1139 "cf_select_packet()" will be called, and it will fetch the row
1140 data for the 0th row, and will get a null pointer rather than
1141 "fdata", as "gtk_clist_append()" won't yet have returned and
1142 thus "gtk_clist_set_row_data()" won't yet have been called.
1144 We thus need to leave behind bread crumbs so that
1145 "cf_select_packet()" can find this frame. See the comment
1146 in "cf_select_packet()". */
1147 if (cf->first_displayed == NULL)
1148 cf->first_displayed = fdata;
1150 /* This is the last frame we've seen so far. */
1151 cf->last_displayed = fdata;
1153 #ifndef NEW_PACKET_LIST
1154 row = packet_list_append(cinfo->col_data, fdata);
1156 /* colorize packet: first apply color filters
1157 * then if packet is marked, use preferences to overwrite color
1158 * we do both to make sure that when a packet gets un-marked, the
1159 * color will be correctly set (fixes bug 2038)
1161 fdata->color_filter = color_filters_colorize_packet(row, &edt);
1162 if (fdata->flags.marked) {
1163 packet_list_set_colors(row, &prefs.gui_marked_fg, &prefs.gui_marked_bg);
1165 #endif /* NEW_PACKET_LIST */
1167 /* Set the time of the previous displayed frame to the time of this
1169 prev_dis_ts = fdata->abs_ts;
1171 cf->displayed_count++;
1174 epan_dissect_cleanup(&edt);
1178 /* read in a new packet */
1179 /* returns the row of the new packet in the packet list or -1 if not displayed */
1181 read_packet(capture_file *cf, dfilter_t *dfcode,
1182 gboolean filtering_tap_listeners, guint tap_flags, gint64 offset)
1184 const struct wtap_pkthdr *phdr = wtap_phdr(cf->wth);
1185 union wtap_pseudo_header *pseudo_header = wtap_pseudoheader(cf->wth);
1186 const guchar *buf = wtap_buf_ptr(cf->wth);
1189 frame_data *plist_end;
1192 /* Allocate the next list entry, and add it to the list.
1193 * memory chunks have been deprecated in favor of the slice allocator,
1194 * which has been added in 2.10
1196 #if GLIB_CHECK_VERSION(2,10,0)
1197 fdata = g_slice_new(frame_data);
1199 fdata = g_mem_chunk_alloc(cf->plist_chunk);
1205 fdata->pkt_len = phdr->len;
1206 fdata->cap_len = phdr->caplen;
1207 fdata->file_off = offset;
1208 fdata->lnk_t = phdr->pkt_encap;
1209 fdata->flags.encoding = CHAR_ASCII;
1210 fdata->flags.visited = 0;
1211 fdata->flags.marked = 0;
1212 fdata->flags.ref_time = 0;
1213 fdata->color_filter = NULL;
1215 fdata->abs_ts.secs = phdr->ts.secs;
1216 fdata->abs_ts.nsecs = phdr->ts.nsecs;
1218 if (cf->plist_end != NULL)
1219 nstime_delta(&fdata->del_cap_ts, &fdata->abs_ts, &cf->plist_end->abs_ts);
1221 nstime_set_zero(&fdata->del_cap_ts);
1226 epan_dissect_init(&edt, TRUE, FALSE);
1227 epan_dissect_prime_dfilter(&edt, cf->rfcode);
1228 epan_dissect_run(&edt, pseudo_header, buf, fdata, NULL);
1229 passed = dfilter_apply_edt(cf->rfcode, &edt);
1230 epan_dissect_cleanup(&edt);
1233 plist_end = cf->plist_end;
1234 fdata->prev = plist_end;
1235 if (plist_end != NULL)
1236 plist_end->next = fdata;
1239 cf->plist_end = fdata;
1242 cf->f_datalen = offset + phdr->caplen;
1243 fdata->num = cf->count;
1244 if (!cf->redissecting) {
1245 row = add_packet_to_packet_list(fdata, cf, dfcode,
1246 filtering_tap_listeners, tap_flags,
1247 pseudo_header, buf, TRUE, TRUE);
1250 /* XXX - if we didn't have read filters, or if we could avoid
1251 allocating the "frame_data" structure until we knew whether
1252 the frame passed the read filter, we could use a G_ALLOC_ONLY
1255 ...but, at least in one test I did, where I just made the chunk
1256 a G_ALLOC_ONLY chunk and read in a huge capture file, it didn't
1257 seem to save a noticeable amount of time or space. */
1258 #if GLIB_CHECK_VERSION(2,10,0)
1259 /* memory chunks have been deprecated in favor of the slice allocator,
1260 * which has been added in 2.10
1262 g_slice_free(frame_data,fdata);
1264 g_mem_chunk_free(cf->plist_chunk, fdata);
1272 cf_merge_files(char **out_filenamep, int in_file_count,
1273 char *const *in_filenames, int file_type, gboolean do_append)
1275 merge_in_file_t *in_files;
1281 int open_err, read_err, write_err, close_err;
1285 char errmsg_errno[1024+1];
1287 gboolean got_read_error = FALSE, got_write_error = FALSE;
1289 progdlg_t *progbar = NULL;
1291 gint64 f_len, file_pos;
1293 GTimeVal start_time;
1294 gchar status_str[100];
1295 gint64 progbar_nextstep;
1296 gint64 progbar_quantum;
1298 /* open the input files */
1299 if (!merge_open_in_files(in_file_count, in_filenames, &in_files,
1300 &open_err, &err_info, &err_fileno)) {
1302 cf_open_failure_alert_box(in_filenames[err_fileno], open_err, err_info,
1307 if (*out_filenamep != NULL) {
1308 out_filename = *out_filenamep;
1309 out_fd = ws_open(out_filename, O_CREAT|O_TRUNC|O_BINARY, 0600);
1313 out_fd = create_tempfile(&tmpname, "wireshark");
1316 out_filename = g_strdup(tmpname);
1317 *out_filenamep = out_filename;
1321 merge_close_in_files(in_file_count, in_files);
1323 cf_open_failure_alert_box(out_filename, open_err, NULL, TRUE, file_type);
1327 pdh = wtap_dump_fdopen(out_fd, file_type,
1328 merge_select_frame_type(in_file_count, in_files),
1329 merge_max_snapshot_length(in_file_count, in_files),
1330 FALSE /* compressed */, &open_err);
1333 merge_close_in_files(in_file_count, in_files);
1335 cf_open_failure_alert_box(out_filename, open_err, err_info, TRUE,
1340 /* Get the sum of the sizes of all the files. */
1342 for (i = 0; i < in_file_count; i++)
1343 f_len += in_files[i].size;
1345 /* Update the progress bar when it gets to this value. */
1346 progbar_nextstep = 0;
1347 /* When we reach the value that triggers a progress bar update,
1348 bump that value by this amount. */
1349 progbar_quantum = f_len/N_PROGBAR_UPDATES;
1350 /* Progress so far. */
1354 g_get_current_time(&start_time);
1356 /* do the merge (or append) */
1359 wth = merge_append_read_packet(in_file_count, in_files, &read_err,
1362 wth = merge_read_packet(in_file_count, in_files, &read_err,
1366 got_read_error = TRUE;
1370 /* Get the sum of the data offsets in all of the files. */
1372 for (i = 0; i < in_file_count; i++)
1373 data_offset += in_files[i].data_offset;
1375 /* Create the progress bar if necessary.
1376 We check on every iteration of the loop, so that it takes no
1377 longer than the standard time to create it (otherwise, for a
1378 large file, we might take considerably longer than that standard
1379 time in order to get to the next progress bar step). */
1380 if (progbar == NULL) {
1381 progbar = delayed_create_progress_dlg("Merging", "files",
1382 FALSE, &stop_flag, &start_time, progbar_val);
1385 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1386 when we update it, we have to run the GTK+ main loop to get it
1387 to repaint what's pending, and doing so may involve an "ioctl()"
1388 to see if there's any pending input from an X server, and doing
1389 that for every packet can be costly, especially on a big file. */
1390 if (data_offset >= progbar_nextstep) {
1391 /* Get the sum of the seek positions in all of the files. */
1393 for (i = 0; i < in_file_count; i++)
1394 file_pos += wtap_read_so_far(in_files[i].wth, NULL);
1395 progbar_val = (gfloat) file_pos / (gfloat) f_len;
1396 if (progbar_val > 1.0f) {
1397 /* Some file probably grew while we were reading it.
1398 That "shouldn't happen", so we'll just clip the progress
1402 if (progbar != NULL) {
1403 g_snprintf(status_str, sizeof(status_str),
1404 "%" G_GINT64_MODIFIER "dKB of %" G_GINT64_MODIFIER "dKB",
1405 file_pos / 1024, f_len / 1024);
1406 update_progress_dlg(progbar, progbar_val, status_str);
1408 progbar_nextstep += progbar_quantum;
1412 /* Well, the user decided to abort the merge. */
1416 if (!wtap_dump(pdh, wtap_phdr(wth), wtap_pseudoheader(wth),
1417 wtap_buf_ptr(wth), &write_err)) {
1418 got_write_error = TRUE;
1423 /* We're done merging the files; destroy the progress bar if it was created. */
1424 if (progbar != NULL)
1425 destroy_progress_dlg(progbar);
1427 merge_close_in_files(in_file_count, in_files);
1428 if (!got_read_error && !got_write_error) {
1429 if (!wtap_dump_close(pdh, &write_err))
1430 got_write_error = TRUE;
1432 wtap_dump_close(pdh, &close_err);
1434 if (got_read_error) {
1436 * Find the file on which we got the error, and report the error.
1438 for (i = 0; i < in_file_count; i++) {
1439 if (in_files[i].state == GOT_ERROR) {
1440 /* Put up a message box noting that a read failed somewhere along
1444 case WTAP_ERR_UNSUPPORTED_ENCAP:
1445 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
1446 "The capture file %%s has a packet with a network type that Wireshark doesn't support.\n(%s)",
1449 errmsg = errmsg_errno;
1452 case WTAP_ERR_CANT_READ:
1453 errmsg = "An attempt to read from the capture file %s failed for"
1454 " some unknown reason.";
1457 case WTAP_ERR_SHORT_READ:
1458 errmsg = "The capture file %s appears to have been cut short"
1459 " in the middle of a packet.";
1462 case WTAP_ERR_BAD_RECORD:
1463 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
1464 "The capture file %%s appears to be damaged or corrupt.\n(%s)",
1467 errmsg = errmsg_errno;
1471 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
1472 "An error occurred while reading the"
1473 " capture file %%s: %s.", wtap_strerror(read_err));
1474 errmsg = errmsg_errno;
1477 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, errmsg, in_files[i].filename);
1482 if (got_write_error) {
1483 /* Put up an alert box for the write error. */
1484 cf_write_failure_alert_box(out_filename, write_err);
1487 if (got_read_error || got_write_error || stop_flag) {
1488 /* Callers aren't expected to treat an error or an explicit abort
1489 differently - we put up error dialogs ourselves, so they don't
1497 cf_filter_packets(capture_file *cf, gchar *dftext, gboolean force)
1499 const char *filter_new = dftext ? dftext : "";
1500 const char *filter_old = cf->dfilter ? cf->dfilter : "";
1503 /* if new filter equals old one, do nothing unless told to do so */
1504 if (!force && strcmp(filter_new, filter_old) == 0) {
1510 if (dftext == NULL) {
1511 /* The new filter is an empty filter (i.e., display all packets).
1512 * so leave dfcode==NULL
1516 * We have a filter; make a copy of it (as we'll be saving it),
1517 * and try to compile it.
1519 dftext = g_strdup(dftext);
1520 if (!dfilter_compile(dftext, &dfcode)) {
1521 /* The attempt failed; report an error. */
1522 gchar *safe_dftext = simple_dialog_format_message(dftext);
1523 gchar *safe_dfilter_error_msg = simple_dialog_format_message(
1525 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
1528 "The following display filter isn't a valid display filter:\n%s\n"
1529 "See the help for a description of the display filter syntax.",
1530 simple_dialog_primary_start(), safe_dfilter_error_msg,
1531 simple_dialog_primary_end(), safe_dftext);
1532 g_free(safe_dfilter_error_msg);
1533 g_free(safe_dftext);
1539 if (dfcode == NULL) {
1540 /* Yes - free the filter text, and set it to null. */
1546 /* We have a valid filter. Replace the current filter. */
1547 g_free(cf->dfilter);
1548 cf->dfilter = dftext;
1550 /* Now rescan the packet list, applying the new filter, but not
1551 throwing away information constructed on a previous pass. */
1552 if (dftext == NULL) {
1553 rescan_packets(cf, "Resetting", "Filter", TRUE, FALSE);
1555 rescan_packets(cf, "Filtering", dftext, TRUE, FALSE);
1558 /* Cleanup and release all dfilter resources */
1559 if (dfcode != NULL){
1560 dfilter_free(dfcode);
1566 cf_colorize_packets(capture_file *cf)
1568 rescan_packets(cf, "Colorizing", "all packets", FALSE, FALSE);
1572 cf_reftime_packets(capture_file *cf)
1575 #ifdef NEW_PACKET_LIST
1576 ref_time_packets(cf);
1578 rescan_packets(cf, "Reprocessing", "all packets", TRUE, TRUE);
1583 cf_redissect_packets(capture_file *cf)
1585 rescan_packets(cf, "Reprocessing", "all packets", TRUE, TRUE);
1588 /* Rescan the list of packets, reconstructing the CList.
1590 "action" describes why we're doing this; it's used in the progress
1593 "action_item" describes what we're doing; it's used in the progress
1596 "refilter" is TRUE if we need to re-evaluate the filter expression.
1598 "redissect" is TRUE if we need to make the dissectors reconstruct
1599 any state information they have (because a preference that affects
1600 some dissector has changed, meaning some dissector might construct
1601 its state differently from the way it was constructed the last time). */
1603 rescan_packets(capture_file *cf, const char *action, const char *action_item,
1604 gboolean refilter, gboolean redissect)
1607 progdlg_t *progbar = NULL;
1612 frame_data *selected_frame, *preceding_frame, *following_frame, *prev_frame;
1613 int selected_row, prev_row, preceding_row, following_row;
1614 gboolean selected_frame_seen;
1617 GTimeVal start_time;
1618 gchar status_str[100];
1619 int progbar_nextstep;
1620 int progbar_quantum;
1622 gboolean filtering_tap_listeners;
1624 #ifdef NEW_PACKET_LIST
1625 gboolean add_to_packet_list = FALSE;
1627 gboolean add_to_packet_list = TRUE;
1630 /* Compile the current display filter.
1631 * We assume this will not fail since cf->dfilter is only set in
1632 * cf_filter IFF the filter was valid.
1636 dfilter_compile(cf->dfilter, &dfcode);
1639 /* Do we have any tap listeners with filters? */
1640 filtering_tap_listeners = have_filtering_tap_listeners();
1642 /* Get the union of the flags for all tap listeners. */
1643 tap_flags = union_of_tap_listener_flags();
1646 reset_tap_listeners();
1647 /* Which frame, if any, is the currently selected frame?
1648 XXX - should the selected frame or the focus frame be the "current"
1649 frame, that frame being the one from which "Find Frame" searches
1651 selected_frame = cf->current_frame;
1653 /* We don't yet know what row that frame will be on, if any, after we
1654 rebuild the clist, however. */
1657 /* Freeze the packet list while we redo it, so we don't get any
1658 screen updates while it happens. */
1659 #ifdef NEW_PACKET_LIST
1660 new_packet_list_freeze();
1662 packet_list_freeze();
1665 packet_list_clear();
1669 /* We need to re-initialize all the state information that protocols
1670 keep, because some preference that controls a dissector has changed,
1671 which might cause the state information to be constructed differently
1672 by that dissector. */
1674 /* We might receive new packets while redissecting, and we don't
1675 want to dissect those before their time. */
1676 cf->redissecting = TRUE;
1678 /* Initialize all data structures used for dissection. */
1681 #ifdef NEW_PACKET_LIST
1682 /* We need to redissect the packets so we have to discard our old
1683 * packet list store. */
1684 new_packet_list_clear();
1685 add_to_packet_list = TRUE;
1689 /* We don't yet know which will be the first and last frames displayed. */
1690 cf->first_displayed = NULL;
1691 cf->last_displayed = NULL;
1693 /* We currently don't display any packets */
1694 cf->displayed_count = 0;
1696 /* Iterate through the list of frames. Call a routine for each frame
1697 to check whether it should be displayed and, if so, add it to
1698 the display list. */
1699 nstime_set_unset(&first_ts);
1700 nstime_set_unset(&prev_dis_ts);
1702 /* Update the progress bar when it gets to this value. */
1703 progbar_nextstep = 0;
1704 /* When we reach the value that triggers a progress bar update,
1705 bump that value by this amount. */
1706 progbar_quantum = cf->count/N_PROGBAR_UPDATES;
1707 /* Count of packets at which we've looked. */
1709 /* Progress so far. */
1713 g_get_current_time(&start_time);
1715 row = -1; /* no previous row yet */
1720 preceding_frame = NULL;
1722 following_frame = NULL;
1724 selected_frame_seen = FALSE;
1726 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
1727 /* Create the progress bar if necessary.
1728 We check on every iteration of the loop, so that it takes no
1729 longer than the standard time to create it (otherwise, for a
1730 large file, we might take considerably longer than that standard
1731 time in order to get to the next progress bar step). */
1732 if (progbar == NULL)
1733 progbar = delayed_create_progress_dlg(action, action_item, TRUE,
1734 &stop_flag, &start_time,
1737 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1738 when we update it, we have to run the GTK+ main loop to get it
1739 to repaint what's pending, and doing so may involve an "ioctl()"
1740 to see if there's any pending input from an X server, and doing
1741 that for every packet can be costly, especially on a big file. */
1742 if (count >= progbar_nextstep) {
1743 /* let's not divide by zero. I should never be started
1744 * with count == 0, so let's assert that
1746 g_assert(cf->count > 0);
1747 progbar_val = (gfloat) count / cf->count;
1749 if (progbar != NULL) {
1750 g_snprintf(status_str, sizeof(status_str),
1751 "%4u of %u frames", count, cf->count);
1752 update_progress_dlg(progbar, progbar_val, status_str);
1755 progbar_nextstep += progbar_quantum;
1759 /* Well, the user decided to abort the filtering. Just stop.
1761 XXX - go back to the previous filter? Users probably just
1762 want not to wait for a filtering operation to finish;
1763 unless we cancel by having no filter, reverting to the
1764 previous filter will probably be even more expensive than
1765 continuing the filtering, as it involves going back to the
1766 beginning and filtering, and even with no filter we currently
1767 have to re-generate the entire clist, which is also expensive.
1769 I'm not sure what Network Monitor does, but it doesn't appear
1770 to give you an unfiltered display if you cancel. */
1777 /* Since all state for the frame was destroyed, mark the frame
1778 * as not visited, free the GSList referring to the state
1779 * data (the per-frame data itself was freed by
1780 * "init_dissection()"), and null out the GSList pointer. */
1781 fdata->flags.visited = 0;
1783 g_slist_free(fdata->pfd);
1788 if (!wtap_seek_read (cf->wth, fdata->file_off, &cf->pseudo_header,
1789 cf->pd, fdata->cap_len, &err, &err_info)) {
1790 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
1791 cf_read_error_message(err, err_info), cf->filename);
1795 /* If the previous frame is displayed, and we haven't yet seen the
1796 selected frame, remember that frame - it's the closest one we've
1797 yet seen before the selected frame. */
1798 if (prev_row != -1 && !selected_frame_seen) {
1799 preceding_row = prev_row;
1800 preceding_frame = prev_frame;
1802 row = add_packet_to_packet_list(fdata, cf, dfcode, filtering_tap_listeners,
1803 tap_flags, &cf->pseudo_header, cf->pd,
1805 add_to_packet_list);
1807 /* If this frame is displayed, and this is the first frame we've
1808 seen displayed after the selected frame, remember this frame -
1809 it's the closest one we've yet seen at or after the selected
1811 if (row != -1 && selected_frame_seen && following_row == -1) {
1812 following_row = row;
1813 following_frame = fdata;
1815 if (fdata == selected_frame) {
1817 selected_frame_seen = TRUE;
1820 /* Remember this row/frame - it'll be the previous row/frame
1821 on the next pass through the loop. */
1826 /* We are done redissecting the packet list. */
1827 cf->redissecting = FALSE;
1829 #ifndef NEW_PACKET_LIST
1830 /* Re-sort the list using the previously selected order */
1831 packet_list_set_sort_column();
1835 /* Clear out what remains of the visited flags and per-frame data
1838 XXX - that may cause various forms of bogosity when dissecting
1839 these frames, as they won't have been seen by this sequential
1840 pass, but the only alternative I see is to keep scanning them
1841 even though the user requested that the scan stop, and that
1842 would leave the user stuck with an Wireshark grinding on
1843 until it finishes. Should we just stick them with that? */
1844 for (; fdata != NULL; fdata = fdata->next) {
1845 fdata->flags.visited = 0;
1847 g_slist_free(fdata->pfd);
1853 /* We're done filtering the packets; destroy the progress bar if it
1855 if (progbar != NULL)
1856 destroy_progress_dlg(progbar);
1858 /* Unfreeze the packet list. */
1859 #ifdef NEW_PACKET_LIST
1860 new_packet_list_thaw();
1865 if (selected_row == -1) {
1866 /* The selected frame didn't pass the filter. */
1867 if (selected_frame == NULL) {
1868 /* That's because there *was* no selected frame. Make the first
1869 displayed frame the current frame. */
1872 /* Find the nearest displayed frame to the selected frame (whether
1873 it's before or after that frame) and make that the current frame.
1874 If the next and previous displayed frames are equidistant from the
1875 selected frame, choose the next one. */
1876 g_assert(following_frame == NULL ||
1877 following_frame->num >= selected_frame->num);
1878 g_assert(preceding_frame == NULL ||
1879 preceding_frame->num <= selected_frame->num);
1880 if (following_frame == NULL) {
1881 /* No frame after the selected frame passed the filter, so we
1882 have to select the last displayed frame before the selected
1884 selected_row = preceding_row;
1885 } else if (preceding_frame == NULL) {
1886 /* No frame before the selected frame passed the filter, so we
1887 have to select the first displayed frame after the selected
1889 selected_row = following_row;
1891 /* Frames before and after the selected frame passed the filter, so
1892 we'll select the previous frame */
1893 selected_row = preceding_row;
1898 if (selected_row == -1) {
1899 /* There are no frames displayed at all. */
1900 cf_unselect_packet(cf);
1902 #ifndef NEW_PACKET_LIST
1903 /* Either the frame that was selected passed the filter, or we've
1904 found the nearest displayed frame to that frame. Select it, make
1905 it the focus row, and make it visible. */
1906 if (selected_row == 0) {
1907 /* Set to invalid to force update of packet list and packet details */
1908 cf->current_row = -1;
1910 packet_list_set_selected_row(selected_row);
1911 #endif /* NEW_PACKET_LIST */
1914 /* Cleanup and release all dfilter resources */
1915 if (dfcode != NULL){
1916 dfilter_free(dfcode);
1920 * Scan trough all frame data and recalculate the ref time
1921 * without rereading the file.
1922 * XXX - do we need a progres bar or is this fast enough?
1924 #ifdef NEW_PACKET_LIST
1926 ref_time_packets(capture_file *cf)
1932 nstime_set_unset(&first_ts);
1933 nstime_set_unset(&prev_dis_ts);
1936 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
1938 fdata->cum_bytes = cum_bytes + fdata->pkt_len;
1939 /* just add some value here until we know if it is being displayed or not */
1940 fdata->cum_bytes = cum_bytes + fdata->pkt_len;
1942 /* If we don't have the time stamp of the first packet in the
1943 capture, it's because this is the first packet. Save the time
1944 stamp of this packet as the time stamp of the first packet. */
1945 if (nstime_is_unset(&first_ts)) {
1946 first_ts = fdata->abs_ts;
1948 /* if this frames is marked as a reference time frame, reset
1949 firstsec and firstusec to this frame */
1950 if(fdata->flags.ref_time){
1951 first_ts = fdata->abs_ts;
1954 /* If we don't have the time stamp of the previous displayed packet,
1955 it's because this is the first displayed packet. Save the time
1956 stamp of this packet as the time stamp of the previous displayed
1958 if (nstime_is_unset(&prev_dis_ts)) {
1959 prev_dis_ts = fdata->abs_ts;
1962 /* Get the time elapsed between the first packet and this packet. */
1963 nstime_delta(&fdata->rel_ts, &fdata->abs_ts, &first_ts);
1965 /* If it's greater than the current elapsed time, set the elapsed time
1966 to it (we check for "greater than" so as not to be confused by
1967 time moving backwards). */
1968 if ((gint32)cf->elapsed_time.secs < fdata->rel_ts.secs
1969 || ((gint32)cf->elapsed_time.secs == fdata->rel_ts.secs && (gint32)cf->elapsed_time.nsecs < fdata->rel_ts.nsecs)) {
1970 cf->elapsed_time = fdata->rel_ts;
1973 /* Get the time elapsed between the previous displayed packet and
1975 nstime_delta(&fdata->del_dis_ts, &fdata->abs_ts, &prev_dis_ts);
1977 if( (fdata->flags.passed_dfilter) || (fdata->flags.ref_time) ){
1978 /* This frame either passed the display filter list or is marked as
1979 a time reference frame. All time reference frames are displayed
1980 even if they dont pass the display filter */
1981 if(fdata->flags.ref_time){
1982 /* if this was a TIME REF frame we should reset the cul bytes field */
1983 cum_bytes = fdata->pkt_len;
1984 fdata->cum_bytes = cum_bytes;
1986 /* increase cum_bytes with this packets length */
1987 cum_bytes += fdata->pkt_len;
2000 process_specified_packets(capture_file *cf, packet_range_t *range,
2001 const char *string1, const char *string2, gboolean terminate_is_stop,
2002 gboolean (*callback)(capture_file *, frame_data *,
2003 union wtap_pseudo_header *, const guint8 *, void *),
2004 void *callback_args)
2009 union wtap_pseudo_header pseudo_header;
2010 guint8 pd[WTAP_MAX_PACKET_SIZE+1];
2011 psp_return_t ret = PSP_FINISHED;
2013 progdlg_t *progbar = NULL;
2016 gboolean progbar_stop_flag;
2017 GTimeVal progbar_start_time;
2018 gchar progbar_status_str[100];
2019 int progbar_nextstep;
2020 int progbar_quantum;
2021 range_process_e process_this;
2023 /* Update the progress bar when it gets to this value. */
2024 progbar_nextstep = 0;
2025 /* When we reach the value that triggers a progress bar update,
2026 bump that value by this amount. */
2027 progbar_quantum = cf->count/N_PROGBAR_UPDATES;
2028 /* Count of packets at which we've looked. */
2030 /* Progress so far. */
2033 progbar_stop_flag = FALSE;
2034 g_get_current_time(&progbar_start_time);
2036 packet_range_process_init(range);
2038 /* Iterate through the list of packets, printing the packets that
2039 were selected by the current display filter. */
2040 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
2041 /* Create the progress bar if necessary.
2042 We check on every iteration of the loop, so that it takes no
2043 longer than the standard time to create it (otherwise, for a
2044 large file, we might take considerably longer than that standard
2045 time in order to get to the next progress bar step). */
2046 if (progbar == NULL)
2047 progbar = delayed_create_progress_dlg(string1, string2,
2050 &progbar_start_time,
2053 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
2054 when we update it, we have to run the GTK+ main loop to get it
2055 to repaint what's pending, and doing so may involve an "ioctl()"
2056 to see if there's any pending input from an X server, and doing
2057 that for every packet can be costly, especially on a big file. */
2058 if (progbar_count >= progbar_nextstep) {
2059 /* let's not divide by zero. I should never be started
2060 * with count == 0, so let's assert that
2062 g_assert(cf->count > 0);
2063 progbar_val = (gfloat) progbar_count / cf->count;
2065 if (progbar != NULL) {
2066 g_snprintf(progbar_status_str, sizeof(progbar_status_str),
2067 "%4u of %u packets", progbar_count, cf->count);
2068 update_progress_dlg(progbar, progbar_val, progbar_status_str);
2071 progbar_nextstep += progbar_quantum;
2074 if (progbar_stop_flag) {
2075 /* Well, the user decided to abort the operation. Just stop,
2076 and arrange to return PSP_STOPPED to our caller, so they know
2077 it was stopped explicitly. */
2084 /* do we have to process this packet? */
2085 process_this = packet_range_process_packet(range, fdata);
2086 if (process_this == range_process_next) {
2087 /* this packet uninteresting, continue with next one */
2089 } else if (process_this == range_processing_finished) {
2090 /* all interesting packets processed, stop the loop */
2094 /* Get the packet */
2095 if (!wtap_seek_read(cf->wth, fdata->file_off, &pseudo_header,
2096 pd, fdata->cap_len, &err, &err_info)) {
2097 /* Attempt to get the packet failed. */
2098 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
2099 cf_read_error_message(err, err_info), cf->filename);
2103 /* Process the packet */
2104 if (!callback(cf, fdata, &pseudo_header, pd, callback_args)) {
2105 /* Callback failed. We assume it reported the error appropriately. */
2111 /* We're done printing the packets; destroy the progress bar if
2113 if (progbar != NULL)
2114 destroy_progress_dlg(progbar);
2120 gboolean construct_protocol_tree;
2122 } retap_callback_args_t;
2125 retap_packet(capture_file *cf _U_, frame_data *fdata,
2126 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
2129 retap_callback_args_t *args = argsp;
2132 epan_dissect_init(&edt, args->construct_protocol_tree, FALSE);
2133 tap_queue_init(&edt);
2134 epan_dissect_run(&edt, pseudo_header, pd, fdata, args->cinfo);
2135 tap_push_tapped_queue(&edt);
2136 epan_dissect_cleanup(&edt);
2142 cf_retap_packets(capture_file *cf)
2144 packet_range_t range;
2145 retap_callback_args_t callback_args;
2146 gboolean filtering_tap_listeners;
2149 /* Do we have any tap listeners with filters? */
2150 filtering_tap_listeners = have_filtering_tap_listeners();
2152 tap_flags = union_of_tap_listener_flags();
2154 /* If any tap listeners have filters, or require the protocol tree,
2155 construct the protocol tree. */
2156 callback_args.construct_protocol_tree = filtering_tap_listeners ||
2157 (tap_flags & TL_REQUIRES_PROTO_TREE);
2159 /* If any tap listeners require the columns, construct them. */
2160 callback_args.cinfo = (tap_flags & TL_REQUIRES_COLUMNS) ? &cf->cinfo : NULL;
2162 /* Reset the tap listeners. */
2163 reset_tap_listeners();
2165 /* Iterate through the list of packets, dissecting all packets and
2166 re-running the taps. */
2167 packet_range_init(&range);
2168 packet_range_process_init(&range);
2169 switch (process_specified_packets(cf, &range, "Recalculating statistics on",
2170 "all packets", TRUE, retap_packet,
2173 /* Completed successfully. */
2177 /* Well, the user decided to abort the refiltering.
2178 Return CF_READ_ABORTED so our caller knows they did that. */
2179 return CF_READ_ABORTED;
2182 /* Error while retapping. */
2183 return CF_READ_ERROR;
2186 g_assert_not_reached();
2191 print_args_t *print_args;
2192 gboolean print_header_line;
2193 char *header_line_buf;
2194 int header_line_buf_len;
2195 gboolean print_formfeed;
2196 gboolean print_separator;
2200 } print_callback_args_t;
2203 print_packet(capture_file *cf, frame_data *fdata,
2204 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
2207 print_callback_args_t *args = argsp;
2214 gboolean proto_tree_needed;
2215 char bookmark_name[9+10+1]; /* "__frameNNNNNNNNNN__\0" */
2216 char bookmark_title[6+10+1]; /* "Frame NNNNNNNNNN__\0" */
2218 /* Create the protocol tree, and make it visible, if we're printing
2219 the dissection or the hex data.
2220 XXX - do we need it if we're just printing the hex data? */
2222 args->print_args->print_dissections != print_dissections_none || args->print_args->print_hex || have_custom_cols(&cf->cinfo);
2223 epan_dissect_init(&edt, proto_tree_needed, proto_tree_needed);
2225 /* Fill in the column information if we're printing the summary
2227 if (args->print_args->print_summary) {
2228 epan_dissect_run(&edt, pseudo_header, pd, fdata, &cf->cinfo);
2229 epan_dissect_fill_in_columns(&edt, TRUE);
2231 epan_dissect_run(&edt, pseudo_header, pd, fdata, NULL);
2233 if (args->print_formfeed) {
2234 if (!new_page(args->print_args->stream))
2237 if (args->print_separator) {
2238 if (!print_line(args->print_args->stream, 0, ""))
2244 * We generate bookmarks, if the output format supports them.
2245 * The name is "__frameN__".
2247 g_snprintf(bookmark_name, sizeof bookmark_name, "__frame%u__", fdata->num);
2249 if (args->print_args->print_summary) {
2250 if (args->print_header_line) {
2251 if (!print_line(args->print_args->stream, 0, args->header_line_buf))
2253 args->print_header_line = FALSE; /* we might not need to print any more */
2255 cp = &args->line_buf[0];
2257 for (i = 0; i < cf->cinfo.num_cols; i++) {
2258 /* Find the length of the string for this column. */
2259 column_len = (int) strlen(cf->cinfo.col_data[i]);
2260 if (args->col_widths[i] > column_len)
2261 column_len = args->col_widths[i];
2263 /* Make sure there's room in the line buffer for the column; if not,
2264 double its length. */
2265 line_len += column_len + 1; /* "+1" for space */
2266 if (line_len > args->line_buf_len) {
2267 cp_off = (int) (cp - args->line_buf);
2268 args->line_buf_len = 2 * line_len;
2269 args->line_buf = g_realloc(args->line_buf, args->line_buf_len + 1);
2270 cp = args->line_buf + cp_off;
2273 /* Right-justify the packet number column. */
2274 if (cf->cinfo.col_fmt[i] == COL_NUMBER)
2275 g_snprintf(cp, column_len+1, "%*s", args->col_widths[i], cf->cinfo.col_data[i]);
2277 g_snprintf(cp, column_len+1, "%-*s", args->col_widths[i], cf->cinfo.col_data[i]);
2279 if (i != cf->cinfo.num_cols - 1)
2285 * Generate a bookmark, using the summary line as the title.
2287 if (!print_bookmark(args->print_args->stream, bookmark_name,
2291 if (!print_line(args->print_args->stream, 0, args->line_buf))
2295 * Generate a bookmark, using "Frame N" as the title, as we're not
2296 * printing the summary line.
2298 g_snprintf(bookmark_title, sizeof bookmark_title, "Frame %u", fdata->num);
2299 if (!print_bookmark(args->print_args->stream, bookmark_name,
2302 } /* if (print_summary) */
2304 if (args->print_args->print_dissections != print_dissections_none) {
2305 if (args->print_args->print_summary) {
2306 /* Separate the summary line from the tree with a blank line. */
2307 if (!print_line(args->print_args->stream, 0, ""))
2311 /* Print the information in that tree. */
2312 if (!proto_tree_print(args->print_args, &edt, args->print_args->stream))
2315 /* Print a blank line if we print anything after this (aka more than one packet). */
2316 args->print_separator = TRUE;
2318 /* Print a header line if we print any more packet summaries */
2319 args->print_header_line = TRUE;
2322 if (args->print_args->print_hex) {
2323 /* Print the full packet data as hex. */
2324 if (!print_hex_data(args->print_args->stream, &edt))
2327 /* Print a blank line if we print anything after this (aka more than one packet). */
2328 args->print_separator = TRUE;
2330 /* Print a header line if we print any more packet summaries */
2331 args->print_header_line = TRUE;
2332 } /* if (args->print_args->print_dissections != print_dissections_none) */
2334 epan_dissect_cleanup(&edt);
2336 /* do we want to have a formfeed between each packet from now on? */
2337 if(args->print_args->print_formfeed) {
2338 args->print_formfeed = TRUE;
2344 epan_dissect_cleanup(&edt);
2349 cf_print_packets(capture_file *cf, print_args_t *print_args)
2352 print_callback_args_t callback_args;
2360 callback_args.print_args = print_args;
2361 callback_args.print_header_line = TRUE;
2362 callback_args.header_line_buf = NULL;
2363 callback_args.header_line_buf_len = 256;
2364 callback_args.print_formfeed = FALSE;
2365 callback_args.print_separator = FALSE;
2366 callback_args.line_buf = NULL;
2367 callback_args.line_buf_len = 256;
2368 callback_args.col_widths = NULL;
2370 if (!print_preamble(print_args->stream, cf->filename)) {
2371 destroy_print_stream(print_args->stream);
2372 return CF_PRINT_WRITE_ERROR;
2375 if (print_args->print_summary) {
2376 /* We're printing packet summaries. Allocate the header line buffer
2377 and get the column widths. */
2378 callback_args.header_line_buf = g_malloc(callback_args.header_line_buf_len + 1);
2380 /* Find the widths for each of the columns - maximum of the
2381 width of the title and the width of the data - and construct
2382 a buffer with a line containing the column titles. */
2383 callback_args.col_widths = (gint *) g_malloc(sizeof(gint) * cf->cinfo.num_cols);
2384 cp = &callback_args.header_line_buf[0];
2386 for (i = 0; i < cf->cinfo.num_cols; i++) {
2387 /* Don't pad the last column. */
2388 if (i == cf->cinfo.num_cols - 1)
2389 callback_args.col_widths[i] = 0;
2391 callback_args.col_widths[i] = (gint) strlen(cf->cinfo.col_title[i]);
2392 data_width = get_column_char_width(get_column_format(i));
2393 if (data_width > callback_args.col_widths[i])
2394 callback_args.col_widths[i] = data_width;
2397 /* Find the length of the string for this column. */
2398 column_len = (int) strlen(cf->cinfo.col_title[i]);
2399 if (callback_args.col_widths[i] > column_len)
2400 column_len = callback_args.col_widths[i];
2402 /* Make sure there's room in the line buffer for the column; if not,
2403 double its length. */
2404 line_len += column_len + 1; /* "+1" for space */
2405 if (line_len > callback_args.header_line_buf_len) {
2406 cp_off = (int) (cp - callback_args.header_line_buf);
2407 callback_args.header_line_buf_len = 2 * line_len;
2408 callback_args.header_line_buf = g_realloc(callback_args.header_line_buf,
2409 callback_args.header_line_buf_len + 1);
2410 cp = callback_args.header_line_buf + cp_off;
2413 /* Right-justify the packet number column. */
2414 /* if (cf->cinfo.col_fmt[i] == COL_NUMBER)
2415 g_snprintf(cp, column_len+1, "%*s", callback_args.col_widths[i], cf->cinfo.col_title[i]);
2417 g_snprintf(cp, column_len+1, "%-*s", callback_args.col_widths[i], cf->cinfo.col_title[i]);
2419 if (i != cf->cinfo.num_cols - 1)
2424 /* Now start out the main line buffer with the same length as the
2425 header line buffer. */
2426 callback_args.line_buf_len = callback_args.header_line_buf_len;
2427 callback_args.line_buf = g_malloc(callback_args.line_buf_len + 1);
2428 } /* if (print_summary) */
2430 /* Iterate through the list of packets, printing the packets we were
2432 ret = process_specified_packets(cf, &print_args->range, "Printing",
2433 "selected packets", TRUE, print_packet,
2436 g_free(callback_args.header_line_buf);
2437 g_free(callback_args.line_buf);
2438 g_free(callback_args.col_widths);
2443 /* Completed successfully. */
2447 /* Well, the user decided to abort the printing.
2449 XXX - note that what got generated before they did that
2450 will get printed if we're piping to a print program; we'd
2451 have to write to a file and then hand that to the print
2452 program to make it actually not print anything. */
2456 /* Error while printing.
2458 XXX - note that what got generated before they did that
2459 will get printed if we're piping to a print program; we'd
2460 have to write to a file and then hand that to the print
2461 program to make it actually not print anything. */
2462 destroy_print_stream(print_args->stream);
2463 return CF_PRINT_WRITE_ERROR;
2466 if (!print_finale(print_args->stream)) {
2467 destroy_print_stream(print_args->stream);
2468 return CF_PRINT_WRITE_ERROR;
2471 if (!destroy_print_stream(print_args->stream))
2472 return CF_PRINT_WRITE_ERROR;
2478 write_pdml_packet(capture_file *cf _U_, frame_data *fdata,
2479 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
2485 /* Create the protocol tree, but don't fill in the column information. */
2486 epan_dissect_init(&edt, TRUE, TRUE);
2487 epan_dissect_run(&edt, pseudo_header, pd, fdata, NULL);
2489 /* Write out the information in that tree. */
2490 proto_tree_write_pdml(&edt, fh);
2492 epan_dissect_cleanup(&edt);
2498 cf_write_pdml_packets(capture_file *cf, print_args_t *print_args)
2503 fh = ws_fopen(print_args->file, "w");
2505 return CF_PRINT_OPEN_ERROR; /* attempt to open destination failed */
2507 write_pdml_preamble(fh);
2510 return CF_PRINT_WRITE_ERROR;
2513 /* Iterate through the list of packets, printing the packets we were
2515 ret = process_specified_packets(cf, &print_args->range, "Writing PDML",
2516 "selected packets", TRUE,
2517 write_pdml_packet, fh);
2522 /* Completed successfully. */
2526 /* Well, the user decided to abort the printing. */
2530 /* Error while printing. */
2532 return CF_PRINT_WRITE_ERROR;
2535 write_pdml_finale(fh);
2538 return CF_PRINT_WRITE_ERROR;
2541 /* XXX - check for an error */
2548 write_psml_packet(capture_file *cf, frame_data *fdata,
2549 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
2554 gboolean proto_tree_needed;
2556 /* Fill in the column information, only create the protocol tree
2557 if having custom columns. */
2558 proto_tree_needed = have_custom_cols(&cf->cinfo);
2559 epan_dissect_init(&edt, proto_tree_needed, proto_tree_needed);
2560 epan_dissect_run(&edt, pseudo_header, pd, fdata, &cf->cinfo);
2561 epan_dissect_fill_in_columns(&edt, TRUE);
2563 /* Write out the information in that tree. */
2564 proto_tree_write_psml(&edt, fh);
2566 epan_dissect_cleanup(&edt);
2572 cf_write_psml_packets(capture_file *cf, print_args_t *print_args)
2577 fh = ws_fopen(print_args->file, "w");
2579 return CF_PRINT_OPEN_ERROR; /* attempt to open destination failed */
2581 write_psml_preamble(fh);
2584 return CF_PRINT_WRITE_ERROR;
2587 /* Iterate through the list of packets, printing the packets we were
2589 ret = process_specified_packets(cf, &print_args->range, "Writing PSML",
2590 "selected packets", TRUE,
2591 write_psml_packet, fh);
2596 /* Completed successfully. */
2600 /* Well, the user decided to abort the printing. */
2604 /* Error while printing. */
2606 return CF_PRINT_WRITE_ERROR;
2609 write_psml_finale(fh);
2612 return CF_PRINT_WRITE_ERROR;
2615 /* XXX - check for an error */
2622 write_csv_packet(capture_file *cf, frame_data *fdata,
2623 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
2628 gboolean proto_tree_needed;
2630 /* Fill in the column information, only create the protocol tree
2631 if having custom columns. */
2632 proto_tree_needed = have_custom_cols(&cf->cinfo);
2633 epan_dissect_init(&edt, proto_tree_needed, proto_tree_needed);
2634 epan_dissect_run(&edt, pseudo_header, pd, fdata, &cf->cinfo);
2635 epan_dissect_fill_in_columns(&edt, TRUE);
2637 /* Write out the information in that tree. */
2638 proto_tree_write_csv(&edt, fh);
2640 epan_dissect_cleanup(&edt);
2646 cf_write_csv_packets(capture_file *cf, print_args_t *print_args)
2651 fh = ws_fopen(print_args->file, "w");
2653 return CF_PRINT_OPEN_ERROR; /* attempt to open destination failed */
2655 write_csv_preamble(fh);
2658 return CF_PRINT_WRITE_ERROR;
2661 /* Iterate through the list of packets, printing the packets we were
2663 ret = process_specified_packets(cf, &print_args->range, "Writing CSV",
2664 "selected packets", TRUE,
2665 write_csv_packet, fh);
2670 /* Completed successfully. */
2674 /* Well, the user decided to abort the printing. */
2678 /* Error while printing. */
2680 return CF_PRINT_WRITE_ERROR;
2683 write_csv_finale(fh);
2686 return CF_PRINT_WRITE_ERROR;
2689 /* XXX - check for an error */
2696 write_carrays_packet(capture_file *cf _U_, frame_data *fdata,
2697 union wtap_pseudo_header *pseudo_header _U_,
2698 const guint8 *pd, void *argsp)
2702 proto_tree_write_carrays(pd, fdata->cap_len, fdata->num, fh);
2707 cf_write_carrays_packets(capture_file *cf, print_args_t *print_args)
2712 fh = ws_fopen(print_args->file, "w");
2715 return CF_PRINT_OPEN_ERROR; /* attempt to open destination failed */
2717 write_carrays_preamble(fh);
2721 return CF_PRINT_WRITE_ERROR;
2724 /* Iterate through the list of packets, printing the packets we were
2726 ret = process_specified_packets(cf, &print_args->range,
2728 "selected packets", TRUE,
2729 write_carrays_packet, fh);
2732 /* Completed successfully. */
2735 /* Well, the user decided to abort the printing. */
2738 /* Error while printing. */
2740 return CF_PRINT_WRITE_ERROR;
2743 write_carrays_finale(fh);
2747 return CF_PRINT_WRITE_ERROR;
2754 /* Scan through the packet list and change all columns that use the
2755 "command-line-specified" time stamp format to use the current
2756 value of that format. */
2758 cf_change_time_formats(capture_file *cf)
2761 progdlg_t *progbar = NULL;
2767 GTimeVal start_time;
2768 gchar status_str[100];
2769 int progbar_nextstep;
2770 int progbar_quantum;
2771 gboolean sorted_by_frame_column;
2774 /* adjust timestamp precision if auto is selected */
2775 cf_timestamp_auto_precision(cf);
2777 /* Are there any columns with time stamps in the "command-line-specified"
2780 XXX - we have to force the "column is writable" flag on, as it
2781 might be off from the last frame that was dissected. */
2782 col_set_writable(&cf->cinfo, TRUE);
2783 if (!check_col(&cf->cinfo, COL_CLS_TIME) &&
2784 !check_col(&cf->cinfo, COL_ABS_TIME) &&
2785 !check_col(&cf->cinfo, COL_ABS_DATE_TIME) &&
2786 !check_col(&cf->cinfo, COL_REL_TIME) &&
2787 !check_col(&cf->cinfo, COL_DELTA_TIME) &&
2788 !check_col(&cf->cinfo, COL_DELTA_TIME_DIS)) {
2789 /* No, there aren't any columns in that format, so we have no work
2794 /* Freeze the packet list while we redo it, so we don't get any
2795 screen updates while it happens. */
2796 #ifdef NEW_PACKET_LIST
2797 new_packet_list_freeze();
2799 packet_list_freeze();
2802 /* Update the progress bar when it gets to this value. */
2803 progbar_nextstep = 0;
2804 /* When we reach the value that triggers a progress bar update,
2805 bump that value by this amount. */
2806 progbar_quantum = cf->count/N_PROGBAR_UPDATES;
2807 /* Count of packets at which we've looked. */
2809 /* Progress so far. */
2812 /* If the rows are currently sorted by the frame column then we know
2813 * the row number of each packet: it's the row number of the previously
2814 * displayed packet + 1.
2816 * Otherwise, if the display is sorted by a different column then we have
2817 * to use the O(N) packet_list_find_row_from_data() (thus making the job
2818 * of changing the time display format O(N**2)).
2820 * (XXX - In fact it's still O(N**2) because gtk_clist_set_text() takes
2821 * the row number and walks that many elements down the clist to find
2822 * the appropriate element.)
2824 sorted_by_frame_column = FALSE;
2825 for (i = 0; i < cf->cinfo.num_cols; i++) {
2826 if (cf->cinfo.col_fmt[i] == COL_NUMBER)
2828 #ifndef NEW_PACKET_LIST
2829 sorted_by_frame_column = (i == packet_list_get_sort_column());
2836 g_get_current_time(&start_time);
2838 /* Iterate through the list of packets, checking whether the packet
2839 is in a row of the summary list and, if so, whether there are
2840 any columns that show the time in the "command-line-specified"
2841 format and, if so, update that row. */
2842 for (fdata = cf->plist, row = -1; fdata != NULL; fdata = fdata->next) {
2843 /* Create the progress bar if necessary.
2844 We check on every iteration of the loop, so that it takes no
2845 longer than the standard time to create it (otherwise, for a
2846 large file, we might take considerably longer than that standard
2847 time in order to get to the next progress bar step). */
2848 if (progbar == NULL)
2849 progbar = delayed_create_progress_dlg("Changing", "time display",
2850 TRUE, &stop_flag, &start_time, progbar_val);
2852 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
2853 when we update it, we have to run the GTK+ main loop to get it
2854 to repaint what's pending, and doing so may involve an "ioctl()"
2855 to see if there's any pending input from an X server, and doing
2856 that for every packet can be costly, especially on a big file. */
2857 if (count >= progbar_nextstep) {
2858 /* let's not divide by zero. I should never be started
2859 * with count == 0, so let's assert that
2861 g_assert(cf->count > 0);
2863 progbar_val = (gfloat) count / cf->count;
2865 if (progbar != NULL) {
2866 g_snprintf(status_str, sizeof(status_str),
2867 "%4u of %u packets", count, cf->count);
2868 update_progress_dlg(progbar, progbar_val, status_str);
2871 progbar_nextstep += progbar_quantum;
2875 /* Well, the user decided to abort the redisplay. Just stop.
2877 XXX - this leaves the time field in the old format in
2878 frames we haven't yet processed. So it goes; should we
2879 simply not offer them the option of stopping? */
2885 /* Find what row this packet is in. */
2886 if (!sorted_by_frame_column) {
2887 /* This function is O(N), so we try to avoid using it... */
2888 #ifdef NEW_PACKET_LIST
2889 row = new_packet_list_find_row_from_data(fdata, FALSE);
2891 row = packet_list_find_row_from_data(fdata);
2894 /* ...which we do by maintaining a count of packets that are
2895 being displayed (i.e., that have passed the display filter),
2896 and using the current value of that count as the row number
2897 (which is why we can only do it when the display is sorted
2898 by the frame number). */
2899 if (fdata->flags.passed_dfilter)
2906 /* This packet is in the summary list, on row "row". */
2908 for (i = 0; i < cf->cinfo.num_cols; i++) {
2909 if (col_has_time_fmt(&cf->cinfo, i)) {
2910 /* This is one of the columns that shows the time in
2911 "command-line-specified" format; update it. */
2912 cf->cinfo.col_buf[i][0] = '\0';
2913 col_set_fmt_time(fdata, &cf->cinfo, cf->cinfo.col_fmt[i], i);
2914 #ifdef NEW_PACKET_LIST
2916 packet_list_set_text(row, i, cf->cinfo.col_data[i]);
2923 /* We're done redisplaying the packets; destroy the progress bar if it
2925 if (progbar != NULL)
2926 destroy_progress_dlg(progbar);
2928 /* Set the column widths of those columns that show the time in
2929 "command-line-specified" format. */
2930 for (i = 0; i < cf->cinfo.num_cols; i++) {
2931 if (col_has_time_fmt(&cf->cinfo, i)) {
2932 #ifndef NEW_PACKET_LIST
2933 packet_list_set_time_width(cf->cinfo.col_fmt[i], i);
2938 /* Unfreeze the packet list. */
2939 #ifdef NEW_PACKET_LIST
2940 new_packet_list_thaw();
2950 gboolean frame_matched;
2954 cf_find_packet_protocol_tree(capture_file *cf, const char *string)
2958 mdata.string = string;
2959 mdata.string_len = strlen(string);
2960 return find_packet(cf, match_protocol_tree, &mdata);
2964 match_protocol_tree(capture_file *cf, frame_data *fdata, void *criterion)
2966 match_data *mdata = criterion;
2969 /* Construct the protocol tree, including the displayed text */
2970 epan_dissect_init(&edt, TRUE, TRUE);
2971 /* We don't need the column information */
2972 epan_dissect_run(&edt, &cf->pseudo_header, cf->pd, fdata, NULL);
2974 /* Iterate through all the nodes, seeing if they have text that matches. */
2976 mdata->frame_matched = FALSE;
2977 proto_tree_children_foreach(edt.tree, match_subtree_text, mdata);
2978 epan_dissect_cleanup(&edt);
2979 return mdata->frame_matched;
2983 match_subtree_text(proto_node *node, gpointer data)
2985 match_data *mdata = (match_data*) data;
2986 const gchar *string = mdata->string;
2987 size_t string_len = mdata->string_len;
2988 capture_file *cf = mdata->cf;
2989 field_info *fi = PNODE_FINFO(node);
2990 gchar label_str[ITEM_LABEL_LENGTH];
2997 if (mdata->frame_matched) {
2998 /* We already had a match; don't bother doing any more work. */
3002 /* Don't match invisible entries. */
3003 if (PROTO_ITEM_IS_HIDDEN(node))
3006 /* was a free format label produced? */
3008 label_ptr = fi->rep->representation;
3010 /* no, make a generic label */
3011 label_ptr = label_str;
3012 proto_item_fill_label(fi, label_str);
3015 /* Does that label match? */
3016 label_len = strlen(label_ptr);
3017 for (i = 0; i < label_len; i++) {
3018 c_char = label_ptr[i];
3020 c_char = toupper(c_char);
3021 if (c_char == string[c_match]) {
3023 if (c_match == string_len) {
3024 /* No need to look further; we have a match */
3025 mdata->frame_matched = TRUE;
3032 /* Recurse into the subtree, if it exists */
3033 if (node->first_child != NULL)
3034 proto_tree_children_foreach(node, match_subtree_text, mdata);
3038 cf_find_packet_summary_line(capture_file *cf, const char *string)
3042 mdata.string = string;
3043 mdata.string_len = strlen(string);
3044 return find_packet(cf, match_summary_line, &mdata);
3048 match_summary_line(capture_file *cf, frame_data *fdata, void *criterion)
3050 match_data *mdata = criterion;
3051 const gchar *string = mdata->string;
3052 size_t string_len = mdata->string_len;
3054 const char *info_column;
3055 size_t info_column_len;
3056 gboolean frame_matched = FALSE;
3062 /* Don't bother constructing the protocol tree */
3063 epan_dissect_init(&edt, FALSE, FALSE);
3064 /* Get the column information */
3065 epan_dissect_run(&edt, &cf->pseudo_header, cf->pd, fdata, &cf->cinfo);
3067 /* Find the Info column */
3068 for (colx = 0; colx < cf->cinfo.num_cols; colx++) {
3069 if (cf->cinfo.fmt_matx[colx][COL_INFO]) {
3070 /* Found it. See if we match. */
3071 info_column = edt.pi.cinfo->col_data[colx];
3072 info_column_len = strlen(info_column);
3073 for (i = 0; i < info_column_len; i++) {
3074 c_char = info_column[i];
3076 c_char = toupper(c_char);
3077 if (c_char == string[c_match]) {
3079 if (c_match == string_len) {
3080 frame_matched = TRUE;
3089 epan_dissect_cleanup(&edt);
3090 return frame_matched;
3096 } cbs_t; /* "Counted byte string" */
3099 cf_find_packet_data(capture_file *cf, const guint8 *string, size_t string_size)
3104 info.data_len = string_size;
3106 /* String or hex search? */
3108 /* String search - what type of string? */
3109 switch (cf->scs_type) {
3111 case SCS_ASCII_AND_UNICODE:
3112 return find_packet(cf, match_ascii_and_unicode, &info);
3115 return find_packet(cf, match_ascii, &info);
3118 return find_packet(cf, match_unicode, &info);
3121 g_assert_not_reached();
3125 return find_packet(cf, match_binary, &info);
3129 match_ascii_and_unicode(capture_file *cf, frame_data *fdata, void *criterion)
3131 cbs_t *info = criterion;
3132 const guint8 *ascii_text = info->data;
3133 size_t textlen = info->data_len;
3134 gboolean frame_matched;
3140 frame_matched = FALSE;
3141 buf_len = fdata->pkt_len;
3142 for (i = 0; i < buf_len; i++) {
3145 c_char = toupper(c_char);
3147 if (c_char == ascii_text[c_match]) {
3149 if (c_match == textlen) {
3150 frame_matched = TRUE;
3151 cf->search_pos = i; /* Save the position of the last character
3152 for highlighting the field. */
3159 return frame_matched;
3163 match_ascii(capture_file *cf, frame_data *fdata, void *criterion)
3165 cbs_t *info = criterion;
3166 const guint8 *ascii_text = info->data;
3167 size_t textlen = info->data_len;
3168 gboolean frame_matched;
3174 frame_matched = FALSE;
3175 buf_len = fdata->pkt_len;
3176 for (i = 0; i < buf_len; i++) {
3179 c_char = toupper(c_char);
3180 if (c_char == ascii_text[c_match]) {
3182 if (c_match == textlen) {
3183 frame_matched = TRUE;
3184 cf->search_pos = i; /* Save the position of the last character
3185 for highlighting the field. */
3191 return frame_matched;
3195 match_unicode(capture_file *cf, frame_data *fdata, void *criterion)
3197 cbs_t *info = criterion;
3198 const guint8 *ascii_text = info->data;
3199 size_t textlen = info->data_len;
3200 gboolean frame_matched;
3206 frame_matched = FALSE;
3207 buf_len = fdata->pkt_len;
3208 for (i = 0; i < buf_len; i++) {
3211 c_char = toupper(c_char);
3212 if (c_char == ascii_text[c_match]) {
3215 if (c_match == textlen) {
3216 frame_matched = TRUE;
3217 cf->search_pos = i; /* Save the position of the last character
3218 for highlighting the field. */
3224 return frame_matched;
3228 match_binary(capture_file *cf, frame_data *fdata, void *criterion)
3230 cbs_t *info = criterion;
3231 const guint8 *binary_data = info->data;
3232 size_t datalen = info->data_len;
3233 gboolean frame_matched;
3238 frame_matched = FALSE;
3239 buf_len = fdata->pkt_len;
3240 for (i = 0; i < buf_len; i++) {
3241 if (cf->pd[i] == binary_data[c_match]) {
3243 if (c_match == datalen) {
3244 frame_matched = TRUE;
3245 cf->search_pos = i; /* Save the position of the last character
3246 for highlighting the field. */
3252 return frame_matched;
3256 cf_find_packet_dfilter(capture_file *cf, dfilter_t *sfcode)
3258 return find_packet(cf, match_dfilter, sfcode);
3262 match_dfilter(capture_file *cf, frame_data *fdata, void *criterion)
3264 dfilter_t *sfcode = criterion;
3266 gboolean frame_matched;
3268 epan_dissect_init(&edt, TRUE, FALSE);
3269 epan_dissect_prime_dfilter(&edt, sfcode);
3270 epan_dissect_run(&edt, &cf->pseudo_header, cf->pd, fdata, NULL);
3271 frame_matched = dfilter_apply_edt(sfcode, &edt);
3272 epan_dissect_cleanup(&edt);
3273 return frame_matched;
3277 find_packet(capture_file *cf,
3278 gboolean (*match_function)(capture_file *, frame_data *, void *),
3281 frame_data *start_fd;
3283 frame_data *new_fd = NULL;
3284 progdlg_t *progbar = NULL;
3291 GTimeVal start_time;
3292 gchar status_str[100];
3293 int progbar_nextstep;
3294 int progbar_quantum;
3297 start_fd = cf->current_frame;
3298 if (start_fd != NULL) {
3299 /* Iterate through the list of packets, starting at the packet we've
3300 picked, calling a routine to run the filter on the packet, see if
3301 it matches, and stop if so. */
3305 /* Update the progress bar when it gets to this value. */
3306 progbar_nextstep = 0;
3307 /* When we reach the value that triggers a progress bar update,
3308 bump that value by this amount. */
3309 progbar_quantum = cf->count/N_PROGBAR_UPDATES;
3310 /* Progress so far. */
3314 g_get_current_time(&start_time);
3317 title = cf->sfilter?cf->sfilter:"";
3319 /* Create the progress bar if necessary.
3320 We check on every iteration of the loop, so that it takes no
3321 longer than the standard time to create it (otherwise, for a
3322 large file, we might take considerably longer than that standard
3323 time in order to get to the next progress bar step). */
3324 if (progbar == NULL)
3325 progbar = delayed_create_progress_dlg("Searching", title,
3326 FALSE, &stop_flag, &start_time, progbar_val);
3328 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
3329 when we update it, we have to run the GTK+ main loop to get it
3330 to repaint what's pending, and doing so may involve an "ioctl()"
3331 to see if there's any pending input from an X server, and doing
3332 that for every packet can be costly, especially on a big file. */
3333 if (count >= progbar_nextstep) {
3334 /* let's not divide by zero. I should never be started
3335 * with count == 0, so let's assert that
3337 g_assert(cf->count > 0);
3339 progbar_val = (gfloat) count / cf->count;
3341 if (progbar != NULL) {
3342 g_snprintf(status_str, sizeof(status_str),
3343 "%4u of %u packets", count, cf->count);
3344 update_progress_dlg(progbar, progbar_val, status_str);
3347 progbar_nextstep += progbar_quantum;
3351 /* Well, the user decided to abort the search. Go back to the
3352 frame where we started. */
3357 /* Go past the current frame. */
3358 if (cf->sbackward) {
3359 /* Go on to the previous frame. */
3360 fdata = fdata->prev;
3361 if (fdata == NULL) {
3363 * XXX - other apps have a bit more of a detailed message
3364 * for this, and instead of offering "OK" and "Cancel",
3365 * they offer things such as "Continue" and "Cancel";
3366 * we need an API for popping up alert boxes with
3367 * {Verb} and "Cancel".
3370 if (prefs.gui_find_wrap)
3372 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
3373 "%sBeginning of capture exceeded!%s\n\n"
3374 "Search is continued from the end of the capture.",
3375 simple_dialog_primary_start(), simple_dialog_primary_end());
3376 fdata = cf->plist_end; /* wrap around */
3380 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
3381 "%sBeginning of capture exceeded!%s\n\n"
3382 "Try searching forwards.",
3383 simple_dialog_primary_start(), simple_dialog_primary_end());
3384 fdata = start_fd; /* stay on previous packet */
3388 /* Go on to the next frame. */
3389 fdata = fdata->next;
3390 if (fdata == NULL) {
3391 if (prefs.gui_find_wrap)
3393 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
3394 "%sEnd of capture exceeded!%s\n\n"
3395 "Search is continued from the start of the capture.",
3396 simple_dialog_primary_start(), simple_dialog_primary_end());
3397 fdata = cf->plist; /* wrap around */
3401 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
3402 "%sEnd of capture exceeded!%s\n\n"
3403 "Try searching backwards.",
3404 simple_dialog_primary_start(), simple_dialog_primary_end());
3405 fdata = start_fd; /* stay on previous packet */
3412 /* Is this packet in the display? */
3413 if (fdata->flags.passed_dfilter) {
3414 /* Yes. Load its data. */
3415 if (!wtap_seek_read(cf->wth, fdata->file_off, &cf->pseudo_header,
3416 cf->pd, fdata->cap_len, &err, &err_info)) {
3417 /* Read error. Report the error, and go back to the frame
3418 where we started. */
3419 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3420 cf_read_error_message(err, err_info), cf->filename);
3425 /* Does it match the search criterion? */
3426 if ((*match_function)(cf, fdata, criterion)) {
3428 break; /* found it! */
3432 if (fdata == start_fd) {
3433 /* We're back to the frame we were on originally, and that frame
3434 doesn't match the search filter. The search failed. */
3439 /* We're done scanning the packets; destroy the progress bar if it
3441 if (progbar != NULL)
3442 destroy_progress_dlg(progbar);
3445 if (new_fd != NULL) {
3446 #ifdef NEW_PACKET_LIST
3447 /* Find and select */
3448 row = new_packet_list_find_row_from_data(fdata, TRUE);
3450 /* We found a frame. Find what row it's in. */
3451 row = packet_list_find_row_from_data(new_fd);
3452 #endif /* NEW_PACKET_LIST */
3454 /* We didn't find a row even though we know that a frame
3455 * exists that satifies the search criteria. This means that the
3456 * frame isn't being displayed currently so we can't select it. */
3457 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
3458 "%sEnd of capture exceeded!%s\n\n"
3459 "The capture file is probably not fully loaded.",
3460 simple_dialog_primary_start(), simple_dialog_primary_end());
3464 #ifndef NEW_PACKET_LIST
3465 /* Select that row, make it the focus row, and make it visible. */
3466 packet_list_set_selected_row(row);
3467 #endif /* NEW_PACKET_LIST */
3468 return TRUE; /* success */
3470 return FALSE; /* failure */
3474 cf_goto_frame(capture_file *cf, guint fnumber)
3479 for (fdata = cf->plist; fdata != NULL && fdata->num < fnumber; fdata = fdata->next)
3482 if (fdata == NULL) {
3483 /* we didn't find a packet with that packet number */
3484 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3485 "There is no packet with the packet number %u.", fnumber);
3486 return FALSE; /* we failed to go to that packet */
3488 if (!fdata->flags.passed_dfilter) {
3489 /* that packet currently isn't displayed */
3490 /* XXX - add it to the set of displayed packets? */
3491 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3492 "The packet number %u isn't currently being displayed.", fnumber);
3493 return FALSE; /* we failed to go to that packet */
3496 #ifdef NEW_PACKET_LIST
3497 row = new_packet_list_find_row_from_data(fdata, TRUE);
3499 /* We found that packet, and it's currently being displayed.
3500 Find what row it's in. */
3501 row = packet_list_find_row_from_data(fdata);
3502 g_assert(row != -1);
3504 /* Select that row, make it the focus row, and make it visible. */
3505 packet_list_set_selected_row(row);
3506 #endif /* NEW_PACKET_LIST */
3507 return TRUE; /* we got to that packet */
3511 cf_goto_top_frame(capture_file *cf _U_)
3513 #ifdef NEW_PACKET_LIST
3514 /* Find and select */
3515 new_packet_list_select_first_row();
3519 frame_data *lowest_fdata = NULL;
3521 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
3522 if (fdata->flags.passed_dfilter) {
3523 lowest_fdata = fdata;
3528 if (lowest_fdata == NULL) {
3532 /* We found that packet, and it's currently being displayed.
3533 Find what row it's in. */
3534 row = packet_list_find_row_from_data(lowest_fdata);
3535 g_assert(row != -1);
3537 /* Select that row, make it the focus row, and make it visible. */
3538 packet_list_set_selected_row(row);
3539 #endif /* NEW_PACKET_LIST */
3540 return TRUE; /* we got to that packet */
3544 cf_goto_bottom_frame(capture_file *cf _U_) /* cf is unused w/ NEW_PACKET_LIST */
3546 #ifdef NEW_PACKET_LIST
3547 /* Find and select */
3548 new_packet_list_select_last_row();
3552 frame_data *highest_fdata = NULL;
3554 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
3555 if (fdata->flags.passed_dfilter) {
3556 highest_fdata = fdata;
3560 if (highest_fdata == NULL) {
3564 /* We found that packet, and it's currently being displayed.
3565 Find what row it's in. */
3566 row = packet_list_find_row_from_data(highest_fdata);
3567 g_assert(row != -1);
3569 /* Select that row, make it the focus row, and make it visible. */
3570 packet_list_set_selected_row(row);
3571 #endif /* NEW_PACKET_LIST */
3572 return TRUE; /* we got to that packet */
3576 * Go to frame specified by currently selected protocol tree item.
3579 cf_goto_framenum(capture_file *cf)
3581 header_field_info *hfinfo;
3584 if (cf->finfo_selected) {
3585 hfinfo = cf->finfo_selected->hfinfo;
3587 if (hfinfo->type == FT_FRAMENUM) {
3588 framenum = fvalue_get_uinteger(&cf->finfo_selected->value);
3590 return cf_goto_frame(cf, framenum);
3597 /* Select the packet on a given row. */
3599 cf_select_packet(capture_file *cf, int row)
3605 /* Get the frame data struct pointer for this frame */
3606 #ifdef NEW_PACKET_LIST
3607 fdata = new_packet_list_get_row_data(row);
3609 fdata = (frame_data *)packet_list_get_row_data(row);
3612 if (fdata == NULL) {
3613 /* XXX - if a GtkCList's selection mode is GTK_SELECTION_BROWSE, when
3614 the first entry is added to it by "real_insert_row()", that row
3615 is selected (see "real_insert_row()", in "gtk/gtkclist.c", in both
3616 our version and the vanilla GTK+ version).
3618 This means that a "select-row" signal is emitted; this causes
3619 "packet_list_select_cb()" to be called, which causes "cf_select_packet()"
3622 "cf_select_packet()" fetches, above, the data associated with the
3623 row that was selected; however, as "gtk_clist_append()", which
3624 called "real_insert_row()", hasn't yet returned, we haven't yet
3625 associated any data with that row, so we get back a null pointer.
3627 We can't assume that there's only one frame in the frame list,
3628 either, as we may be filtering the display.
3630 We therefore assume that, if "row" is 0, i.e. the first row
3631 is being selected, and "cf->first_displayed" equals
3632 "cf->last_displayed", i.e. there's only one frame being
3633 displayed, that frame is the frame we want.
3635 This means we have to set "cf->first_displayed" and
3636 "cf->last_displayed" before adding the row to the
3637 GtkCList; see the comment in "add_packet_to_packet_list()". */
3639 if (row == 0 && cf->first_displayed == cf->last_displayed)
3640 fdata = cf->first_displayed;
3643 /* If fdata _still_ isn't set simply give up. */
3644 if (fdata == NULL) {
3648 /* Get the data in that frame. */
3649 if (!wtap_seek_read (cf->wth, fdata->file_off, &cf->pseudo_header,
3650 cf->pd, fdata->cap_len, &err, &err_info)) {
3651 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3652 cf_read_error_message(err, err_info), cf->filename);
3656 /* Record that this frame is the current frame. */
3657 cf->current_frame = fdata;
3658 cf->current_row = row;
3660 /* Create the logical protocol tree. */
3661 if (cf->edt != NULL) {
3662 epan_dissect_free(cf->edt);
3665 /* We don't need the columns here. */
3666 cf->edt = epan_dissect_new(TRUE, TRUE);
3668 epan_dissect_run(cf->edt, &cf->pseudo_header, cf->pd, cf->current_frame,
3671 dfilter_macro_build_ftv_cache(cf->edt->tree);
3673 cf_callback_invoke(cf_cb_packet_selected, cf);
3676 /* Unselect the selected packet, if any. */
3678 cf_unselect_packet(capture_file *cf)
3680 /* Destroy the epan_dissect_t for the unselected packet. */
3681 if (cf->edt != NULL) {
3682 epan_dissect_free(cf->edt);
3686 /* No packet is selected. */
3687 cf->current_frame = NULL;
3688 cf->current_row = 0;
3690 cf_callback_invoke(cf_cb_packet_unselected, cf);
3692 /* No protocol tree means no selected field. */
3693 cf_unselect_field(cf);
3696 /* Unset the selected protocol tree field, if any. */
3698 cf_unselect_field(capture_file *cf)
3700 cf->finfo_selected = NULL;
3702 cf_callback_invoke(cf_cb_field_unselected, cf);
3706 * Mark a particular frame.
3709 cf_mark_frame(capture_file *cf, frame_data *frame)
3711 if (! frame->flags.marked) {
3712 frame->flags.marked = TRUE;
3713 if (cf->count > cf->marked_count)
3719 * Unmark a particular frame.
3722 cf_unmark_frame(capture_file *cf, frame_data *frame)
3724 if (frame->flags.marked) {
3725 frame->flags.marked = FALSE;
3726 if (cf->marked_count > 0)
3734 } save_callback_args_t;
3737 * Save a capture to a file, in a particular format, saving either
3738 * all packets, all currently-displayed packets, or all marked packets.
3740 * Returns TRUE if it succeeds, FALSE otherwise; if it fails, it pops
3741 * up a message box for the failure.
3744 save_packet(capture_file *cf _U_, frame_data *fdata,
3745 union wtap_pseudo_header *pseudo_header, const guint8 *pd,
3748 save_callback_args_t *args = argsp;
3749 struct wtap_pkthdr hdr;
3752 /* init the wtap header for saving */
3753 hdr.ts.secs = fdata->abs_ts.secs;
3754 hdr.ts.nsecs = fdata->abs_ts.nsecs;
3755 hdr.caplen = fdata->cap_len;
3756 hdr.len = fdata->pkt_len;
3757 hdr.pkt_encap = fdata->lnk_t;
3759 /* and save the packet */
3760 if (!wtap_dump(args->pdh, &hdr, pseudo_header, pd, &err)) {
3761 cf_write_failure_alert_box(args->fname, err);
3768 * Can this capture file be saved in any format except by copying the raw data?
3771 cf_can_save_as(capture_file *cf)
3775 for (ft = 0; ft < WTAP_NUM_FILE_TYPES; ft++) {
3776 /* To save a file with Wiretap, Wiretap has to handle that format,
3777 and its code to handle that format must be able to write a file
3778 with this file's encapsulation type. */
3779 if (wtap_dump_can_open(ft) && wtap_dump_can_write_encap(ft, cf->lnk_t)) {
3780 /* OK, we can write it out in this type. */
3785 /* No, we couldn't save it in any format. */
3790 cf_save(capture_file *cf, const char *fname, packet_range_t *range, guint save_format, gboolean compressed)
3792 gchar *from_filename;
3796 save_callback_args_t callback_args;
3798 cf_callback_invoke(cf_cb_file_safe_started, (gpointer) fname);
3800 /* don't write over an existing file. */
3801 /* this should've been already checked by our caller, just to be sure... */
3802 if (file_exists(fname)) {
3803 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3804 "%sCapture file: \"%s\" already exists!%s\n\n"
3805 "Please choose a different filename.",
3806 simple_dialog_primary_start(), fname, simple_dialog_primary_end());
3810 packet_range_process_init(range);
3813 if (packet_range_process_all(range) && save_format == cf->cd_t) {
3814 /* We're not filtering packets, and we're saving it in the format
3815 it's already in, so we can just move or copy the raw data. */
3817 if (cf->is_tempfile) {
3818 /* The file being saved is a temporary file from a live
3819 capture, so it doesn't need to stay around under that name;
3820 first, try renaming the capture buffer file to the new name. */
3822 if (ws_rename(cf->filename, fname) == 0) {
3823 /* That succeeded - there's no need to copy the source file. */
3824 from_filename = NULL;
3827 if (errno == EXDEV) {
3828 /* They're on different file systems, so we have to copy the
3831 from_filename = cf->filename;
3833 /* The rename failed, but not because they're on different
3834 file systems - put up an error message. (Or should we
3835 just punt and try to copy? The only reason why I'd
3836 expect the rename to fail and the copy to succeed would
3837 be if we didn't have permission to remove the file from
3838 the temporary directory, and that might be fixable - but
3839 is it worth requiring the user to go off and fix it?) */
3840 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3841 file_rename_error_message(errno), fname);
3847 from_filename = cf->filename;
3850 /* It's a permanent file, so we should copy it, and not remove the
3853 from_filename = cf->filename;
3857 /* Copy the file, if we haven't moved it. */
3858 if (!copy_file_binary_mode(from_filename, fname))
3862 /* Either we're filtering packets, or we're saving in a different
3863 format; we can't do that by copying or moving the capture file,
3864 we have to do it by writing the packets out in Wiretap. */
3865 pdh = wtap_dump_open(fname, save_format, cf->lnk_t, cf->snap,
3868 cf_open_failure_alert_box(fname, err, NULL, TRUE, save_format);
3872 /* XXX - we let the user save a subset of the packets.
3874 If we do that, should we make that file the current file? If so,
3875 it means we can no longer get at the other packets. What does
3878 /* Iterate through the list of packets, processing the packets we were
3881 XXX - we've already called "packet_range_process_init(range)", but
3882 "process_specified_packets()" will do it again. Fortunately,
3883 that's harmless in this case, as we haven't done anything to
3884 "range" since we initialized it. */
3885 callback_args.pdh = pdh;
3886 callback_args.fname = fname;
3887 switch (process_specified_packets(cf, range, "Saving", "selected packets",
3888 TRUE, save_packet, &callback_args)) {
3891 /* Completed successfully. */
3895 /* The user decided to abort the saving.
3896 XXX - remove the output file? */
3900 /* Error while saving. */
3901 wtap_dump_close(pdh, &err);
3905 if (!wtap_dump_close(pdh, &err)) {
3906 cf_close_failure_alert_box(fname, err);
3911 cf_callback_invoke(cf_cb_file_safe_finished, NULL);
3913 if (packet_range_process_all(range)) {
3914 /* We saved the entire capture, not just some packets from it.
3915 Open and read the file we saved it to.
3917 XXX - this is somewhat of a waste; we already have the
3918 packets, all this gets us is updated file type information
3919 (which we could just stuff into "cf"), and having the new
3920 file be the one we have opened and from which we're reading
3921 the data, and it means we have to spend time opening and
3922 reading the file, which could be a significant amount of
3923 time if the file is large. */
3924 cf->user_saved = TRUE;
3926 if ((cf_open(cf, fname, FALSE, &err)) == CF_OK) {
3927 /* XXX - report errors if this fails?
3928 What should we return if it fails or is aborted? */
3929 switch (cf_read(cf)) {
3933 /* Just because we got an error, that doesn't mean we were unable
3934 to read any of the file; we handle what we could get from the
3938 case CF_READ_ABORTED:
3939 /* The user bailed out of re-reading the capture file; the
3940 capture file has been closed - just return (without
3941 changing any menu settings; "cf_close()" set them
3942 correctly for the "no capture file open" state). */
3945 cf_callback_invoke(cf_cb_file_safe_reload_finished, NULL);
3951 cf_callback_invoke(cf_cb_file_safe_failed, NULL);
3956 cf_open_failure_alert_box(const char *filename, int err, gchar *err_info,
3957 gboolean for_writing, int file_type)
3960 /* Wiretap error. */
3963 case WTAP_ERR_NOT_REGULAR_FILE:
3964 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3965 "The file \"%s\" is a \"special file\" or socket or other non-regular file.",
3969 case WTAP_ERR_RANDOM_OPEN_PIPE:
3970 /* Seen only when opening a capture file for reading. */
3971 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3972 "The file \"%s\" is a pipe or FIFO; Wireshark can't read pipe or FIFO files.",
3976 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
3977 /* Seen only when opening a capture file for reading. */
3978 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3979 "The file \"%s\" isn't a capture file in a format Wireshark understands.",
3983 case WTAP_ERR_UNSUPPORTED:
3984 /* Seen only when opening a capture file for reading. */
3985 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3986 "The file \"%s\" isn't a capture file in a format Wireshark understands.\n"
3988 filename, err_info);
3992 case WTAP_ERR_CANT_WRITE_TO_PIPE:
3993 /* Seen only when opening a capture file for writing. */
3994 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
3995 "The file \"%s\" is a pipe, and %s capture files can't be "
3996 "written to a pipe.",
3997 filename, wtap_file_type_string(file_type));
4000 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4001 /* Seen only when opening a capture file for writing. */
4002 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4003 "Wireshark doesn't support writing capture files in that format.");
4006 case WTAP_ERR_UNSUPPORTED_ENCAP:
4008 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4009 "Wireshark can't save this capture in that format.");
4011 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4012 "The file \"%s\" is a capture for a network type that Wireshark doesn't support.\n"
4014 filename, err_info);
4019 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4021 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4022 "Wireshark can't save this capture in that format.");
4024 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4025 "The file \"%s\" is a capture for a network type that Wireshark doesn't support.",
4030 case WTAP_ERR_BAD_RECORD:
4031 /* Seen only when opening a capture file for reading. */
4032 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4033 "The file \"%s\" appears to be damaged or corrupt.\n"
4035 filename, err_info);
4039 case WTAP_ERR_CANT_OPEN:
4041 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4042 "The file \"%s\" could not be created for some unknown reason.",
4045 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4046 "The file \"%s\" could not be opened for some unknown reason.",
4051 case WTAP_ERR_SHORT_READ:
4052 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4053 "The file \"%s\" appears to have been cut short"
4054 " in the middle of a packet or other data.",
4058 case WTAP_ERR_SHORT_WRITE:
4059 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4060 "A full header couldn't be written to the file \"%s\".",
4064 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4065 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4066 "Gzip compression not supported by this file type.");
4070 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4071 "The file \"%s\" could not be %s: %s.",
4073 for_writing ? "created" : "opened",
4074 wtap_strerror(err));
4079 open_failure_alert_box(filename, err, for_writing);
4084 file_rename_error_message(int err)
4087 static char errmsg_errno[1024+1];
4092 errmsg = "The path to the file \"%s\" doesn't exist.";
4096 errmsg = "You don't have permission to move the capture file to \"%s\".";
4100 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4101 "The file \"%%s\" could not be moved: %s.",
4102 wtap_strerror(err));
4103 errmsg = errmsg_errno;
4110 cf_read_error_message(int err, gchar *err_info)
4112 static char errmsg_errno[1024+1];
4116 case WTAP_ERR_UNSUPPORTED_ENCAP:
4117 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4118 "The file \"%%s\" has a packet with a network type that Wireshark doesn't support.\n(%s)",
4123 case WTAP_ERR_BAD_RECORD:
4124 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4125 "An error occurred while reading from the file \"%%s\": %s.\n(%s)",
4126 wtap_strerror(err), err_info);
4131 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4132 "An error occurred while reading from the file \"%%s\": %s.",
4133 wtap_strerror(err));
4136 return errmsg_errno;
4140 cf_write_failure_alert_box(const char *filename, int err)
4143 /* Wiretap error. */
4144 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4145 "An error occurred while writing to the file \"%s\": %s.",
4146 filename, wtap_strerror(err));
4149 write_failure_alert_box(filename, err);
4153 /* Check for write errors - if the file is being written to an NFS server,
4154 a write error may not show up until the file is closed, as NFS clients
4155 might not send writes to the server until the "write()" call finishes,
4156 so that the write may fail on the server but the "write()" may succeed. */
4158 cf_close_failure_alert_box(const char *filename, int err)
4161 /* Wiretap error. */
4164 case WTAP_ERR_CANT_CLOSE:
4165 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4166 "The file \"%s\" couldn't be closed for some unknown reason.",
4170 case WTAP_ERR_SHORT_WRITE:
4171 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4172 "Not all the packets could be written to the file \"%s\".",
4177 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
4178 "An error occurred while closing the file \"%s\": %s.",
4179 filename, wtap_strerror(err));
4184 We assume that a close error from the OS is really a write error. */
4185 write_failure_alert_box(filename, err);
4189 /* Reload the current capture file. */
4191 cf_reload(capture_file *cf) {
4193 gboolean is_tempfile;
4196 /* If the file could be opened, "cf_open()" calls "cf_close()"
4197 to get rid of state for the old capture file before filling in state
4198 for the new capture file. "cf_close()" will remove the file if
4199 it's a temporary file; we don't want that to happen (for one thing,
4200 it'd prevent subsequent reopens from working). Remember whether it's
4201 a temporary file, mark it as not being a temporary file, and then
4202 reopen it as the type of file it was.
4204 Also, "cf_close()" will free "cf->filename", so we must make
4205 a copy of it first. */
4206 filename = g_strdup(cf->filename);
4207 is_tempfile = cf->is_tempfile;
4208 cf->is_tempfile = FALSE;
4209 if (cf_open(cf, filename, is_tempfile, &err) == CF_OK) {
4210 switch (cf_read(cf)) {
4214 /* Just because we got an error, that doesn't mean we were unable
4215 to read any of the file; we handle what we could get from the
4219 case CF_READ_ABORTED:
4220 /* The user bailed out of re-reading the capture file; the
4221 capture file has been closed - just free the capture file name
4222 string and return (without changing the last containing
4228 /* The open failed, so "cf->is_tempfile" wasn't set to "is_tempfile".
4229 Instead, the file was left open, so we should restore "cf->is_tempfile"
4232 XXX - change the menu? Presumably "cf_open()" will do that;
4233 make sure it does! */
4234 cf->is_tempfile = is_tempfile;
4236 /* "cf_open()" made a copy of the file name we handed it, so
4237 we should free up our copy. */