2 * Edit capture files. We can delete packets, adjust timestamps, or
3 * simply convert from one format to another format.
5 * Originally written by Richard Sharpe.
6 * Improved by Guy Harris.
7 * Further improved by Richard Sharpe.
9 * Copyright 2013, Richard Sharpe <realrichardsharpe[AT]gmail.com>
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1998 Gerald Combs
15 * SPDX-License-Identifier: GPL-2.0-or-later
26 * Just make sure we include the prototype for strptime as well
27 * (needed for glibc 2.2) but make sure we do this only if not
46 #include <wiretap/wtap.h>
48 #include "epan/etypes.h"
50 #ifndef HAVE_GETOPT_LONG
51 #include "wsutil/wsgetopt.h"
55 #include <wsutil/unicode-utils.h>
56 #include <process.h> /* getpid */
61 # include "wsutil/strptime.h"
64 #include <wsutil/crash_info.h>
65 #include <wsutil/clopts_common.h>
66 #include <wsutil/cmdarg_err.h>
67 #include <wsutil/filesystem.h>
68 #include <wsutil/file_util.h>
69 #include <wsutil/wsgcrypt.h>
70 #include <wsutil/plugins.h>
71 #include <wsutil/privileges.h>
72 #include <wsutil/report_message.h>
73 #include <wsutil/strnatcmp.h>
74 #include <wsutil/str_util.h>
75 #include <version_info.h>
76 #include <wsutil/pint.h>
77 #include <wsutil/strtoi.h>
78 #include <wiretap/wtap_opttypes.h>
79 #include <wiretap/pcapng.h>
81 #include "ui/failure_message.h"
83 #include "ringbuffer.h" /* For RINGBUFFER_MAX_NUM_FILES */
85 #define INVALID_OPTION 1
86 #define INVALID_FILE 2
87 #define CANT_EXTRACT_PREFIX 2
92 * Some globals so we can pass things to various routines
101 * Duplicate frame detection
103 typedef struct _fd_hash_t {
109 #define DEFAULT_DUP_DEPTH 5 /* Used with -d */
110 #define MAX_DUP_DEPTH 1000000 /* the maximum window (and actual size of fd_hash[]) for de-duplication */
112 static fd_hash_t fd_hash[MAX_DUP_DEPTH];
113 static int dup_window = DEFAULT_DUP_DEPTH;
114 static int cur_dup_entry = 0;
116 static guint32 ignored_bytes = 0; /* Used with -I */
118 #define ONE_BILLION 1000000000
120 /* Weights of different errors we can introduce */
121 /* We should probably make these command-line arguments */
122 /* XXX - Should we add a bit-level error? */
123 #define ERR_WT_BIT 5 /* Flip a random bit */
124 #define ERR_WT_BYTE 5 /* Substitute a random byte */
125 #define ERR_WT_ALNUM 5 /* Substitute a random character in [A-Za-z0-9] */
126 #define ERR_WT_FMT 2 /* Substitute "%s" */
127 #define ERR_WT_AA 1 /* Fill the remainder of the buffer with 0xAA */
128 #define ERR_WT_TOTAL (ERR_WT_BIT + ERR_WT_BYTE + ERR_WT_ALNUM + ERR_WT_FMT + ERR_WT_AA)
130 #define ALNUM_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
131 #define ALNUM_LEN (sizeof(ALNUM_CHARS) - 1)
133 struct time_adjustment {
138 typedef struct _chop_t {
148 /* Table of user comments */
149 GTree *frames_user_comments = NULL;
151 #define MAX_SELECTIONS 512
152 static struct select_item selectfrm[MAX_SELECTIONS];
153 static guint max_selected = 0;
154 static int keep_em = 0;
155 #ifdef PCAP_NG_DEFAULT
156 static int out_file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAPNG; /* default to pcapng */
158 static int out_file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP; /* default to pcap */
160 static int out_frame_type = -2; /* Leave frame type alone */
161 static int verbose = 0; /* Not so verbose */
162 static struct time_adjustment time_adj = {{0, 0}, 0}; /* no adjustment */
163 static nstime_t relative_time_window = {0, 0}; /* de-dup time window */
164 static double err_prob = 0.0;
165 static time_t starttime = 0;
166 static time_t stoptime = 0;
167 static gboolean check_startstop = FALSE;
168 static gboolean rem_vlan = FALSE;
169 static gboolean dup_detect = FALSE;
170 static gboolean dup_detect_by_time = FALSE;
172 static int do_strict_time_adjustment = FALSE;
173 static struct time_adjustment strict_time_adj = {{0, 0}, 0}; /* strict time adjustment */
174 static nstime_t previous_time = {0, 0}; /* previous time */
176 static int find_dct2000_real_data(guint8 *buf);
177 static void handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
178 const wtap_packet_header *in_phdr, guint8 **buf,
182 abs_time_to_str_with_sec_resolution(const nstime_t *abs_time)
185 gchar *buf = (gchar *)g_malloc(16);
187 tmp = localtime(&abs_time->secs);
190 g_snprintf(buf, 16, "%d%02d%02d%02d%02d%02d",
205 fileset_get_filename_by_pattern(guint idx, const wtap_rec *rec,
206 gchar *fprefix, gchar *fsuffix)
212 g_snprintf(filenum, sizeof(filenum), "%05u", idx % RINGBUFFER_MAX_NUM_FILES);
213 if (rec->presence_flags & WTAP_HAS_TS) {
214 timestr = abs_time_to_str_with_sec_resolution(&rec->ts);
215 abs_str = g_strconcat(fprefix, "_", filenum, "_", timestr, fsuffix, NULL);
218 abs_str = g_strconcat(fprefix, "_", filenum, fsuffix, NULL);
224 fileset_extract_prefix_suffix(const char *fname, gchar **fprefix, gchar **fsuffix)
226 char *pfx, *last_pathsep;
229 save_file = g_strdup(fname);
230 if (save_file == NULL) {
231 fprintf(stderr, "editcap: Out of memory\n");
235 last_pathsep = strrchr(save_file, G_DIR_SEPARATOR);
236 pfx = strrchr(save_file,'.');
237 if (pfx != NULL && (last_pathsep == NULL || pfx > last_pathsep)) {
238 /* The pathname has a "." in it, and it's in the last component
239 * of the pathname (because there is either only one component,
240 * i.e. last_pathsep is null as there are no path separators,
241 * or the "." is after the path separator before the last
244 * Treat it as a separator between the rest of the file name and
245 * the file name suffix, and arrange that the names given to the
246 * ring buffer files have the specified suffix, i.e. put the
247 * changing part of the name *before* the suffix. */
249 *fprefix = g_strdup(save_file);
250 pfx[0] = '.'; /* restore capfile_name */
251 *fsuffix = g_strdup(pfx);
253 /* Either there's no "." in the pathname, or it's in a directory
254 * component, so the last component has no suffix. */
255 *fprefix = g_strdup(save_file);
262 /* Add a selection item, a simple parser for now */
264 add_selection(char *sel, guint* max_selection)
269 if (max_selected >= MAX_SELECTIONS) {
270 /* Let the user know we stopped selecting */
271 fprintf(stderr, "Out of room for packet selections.\n");
276 fprintf(stderr, "Add_Selected: %s\n", sel);
278 if ((locn = strchr(sel, '-')) == NULL) { /* No dash, so a single number? */
280 fprintf(stderr, "Not inclusive ...");
282 selectfrm[max_selected].inclusive = FALSE;
283 selectfrm[max_selected].first = get_guint32(sel, "packet number");
284 if (selectfrm[max_selected].first > *max_selection)
285 *max_selection = selectfrm[max_selected].first;
288 fprintf(stderr, " %u\n", selectfrm[max_selected].first);
291 fprintf(stderr, "Inclusive ...");
293 *locn = '\0'; /* split the range */
295 selectfrm[max_selected].inclusive = TRUE;
296 selectfrm[max_selected].first = get_guint32(sel, "beginning of packet range");
297 selectfrm[max_selected].second = get_guint32(next, "end of packet range");
299 if (selectfrm[max_selected].second == 0)
301 /* Not a valid number, presume all */
302 selectfrm[max_selected].second = *max_selection = G_MAXUINT;
304 else if (selectfrm[max_selected].second > *max_selection)
305 *max_selection = selectfrm[max_selected].second;
308 fprintf(stderr, " %u, %u\n", selectfrm[max_selected].first,
309 selectfrm[max_selected].second);
316 /* Was the packet selected? */
319 selected(guint recno)
323 for (i = 0; i < max_selected; i++) {
324 if (selectfrm[i].inclusive) {
325 if (selectfrm[i].first <= recno && selectfrm[i].second >= recno)
328 if (recno == selectfrm[i].first)
337 set_time_adjustment(char *optarg_str_p)
346 /* skip leading whitespace */
347 while (*optarg_str_p == ' ' || *optarg_str_p == '\t')
350 /* check for a negative adjustment */
351 if (*optarg_str_p == '-') {
352 time_adj.is_negative = 1;
356 /* collect whole number of seconds, if any */
357 if (*optarg_str_p == '.') { /* only fractional (i.e., .5 is ok) */
361 val = strtol(optarg_str_p, &frac, 10);
362 if (frac == NULL || frac == optarg_str_p
363 || val == LONG_MIN || val == LONG_MAX) {
364 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
368 if (val < 0) { /* implies '--' since we caught '-' above */
369 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
374 time_adj.tv.secs = val;
376 /* now collect the partial seconds, if any */
377 if (*frac != '\0') { /* chars left, so get fractional part */
378 val = strtol(&(frac[1]), &end, 10);
379 /* if more than 9 fractional digits truncate to 9 */
380 if ((end - &(frac[1])) > 9) {
381 frac[10] = 't'; /* 't' for truncate */
382 val = strtol(&(frac[1]), &end, 10);
384 if (*frac != '.' || end == NULL || end == frac || val < 0
385 || val > ONE_BILLION || val == LONG_MIN || val == LONG_MAX) {
386 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
391 return TRUE; /* no fractional digits */
394 /* adjust fractional portion from fractional to numerator
395 * e.g., in "1.5" from 5 to 500000000 since .5*10^9 = 500000000 */
396 frac_digits = end - frac - 1; /* fractional digit count (remember '.') */
397 while(frac_digits < 9) { /* this is frac of 10^9 */
402 time_adj.tv.nsecs = (int)val;
407 set_strict_time_adj(char *optarg_str_p)
416 /* skip leading whitespace */
417 while (*optarg_str_p == ' ' || *optarg_str_p == '\t')
421 * check for a negative adjustment
422 * A negative strict adjustment value is a flag
423 * to adjust all frames by the specifed delta time.
425 if (*optarg_str_p == '-') {
426 strict_time_adj.is_negative = 1;
430 /* collect whole number of seconds, if any */
431 if (*optarg_str_p == '.') { /* only fractional (i.e., .5 is ok) */
435 val = strtol(optarg_str_p, &frac, 10);
436 if (frac == NULL || frac == optarg_str_p
437 || val == LONG_MIN || val == LONG_MAX) {
438 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
442 if (val < 0) { /* implies '--' since we caught '-' above */
443 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
448 strict_time_adj.tv.secs = val;
450 /* now collect the partial seconds, if any */
451 if (*frac != '\0') { /* chars left, so get fractional part */
452 val = strtol(&(frac[1]), &end, 10);
453 /* if more than 9 fractional digits truncate to 9 */
454 if ((end - &(frac[1])) > 9) {
455 frac[10] = 't'; /* 't' for truncate */
456 val = strtol(&(frac[1]), &end, 10);
458 if (*frac != '.' || end == NULL || end == frac || val < 0
459 || val > ONE_BILLION || val == LONG_MIN || val == LONG_MAX) {
460 fprintf(stderr, "editcap: \"%s\" isn't a valid time adjustment\n",
465 return TRUE; /* no fractional digits */
468 /* adjust fractional portion from fractional to numerator
469 * e.g., in "1.5" from 5 to 500000000 since .5*10^9 = 500000000 */
470 frac_digits = end - frac - 1; /* fractional digit count (remember '.') */
471 while(frac_digits < 9) { /* this is frac of 10^9 */
476 strict_time_adj.tv.nsecs = (int)val;
481 set_rel_time(char *optarg_str_p)
490 /* skip leading whitespace */
491 while (*optarg_str_p == ' ' || *optarg_str_p == '\t')
494 /* ignore negative adjustment */
495 if (*optarg_str_p == '-')
498 /* collect whole number of seconds, if any */
499 if (*optarg_str_p == '.') { /* only fractional (i.e., .5 is ok) */
503 val = strtol(optarg_str_p, &frac, 10);
504 if (frac == NULL || frac == optarg_str_p
505 || val == LONG_MIN || val == LONG_MAX) {
506 fprintf(stderr, "1: editcap: \"%s\" isn't a valid rel time value\n",
510 if (val < 0) { /* implies '--' since we caught '-' above */
511 fprintf(stderr, "2: editcap: \"%s\" isn't a valid rel time value\n",
516 relative_time_window.secs = val;
518 /* now collect the partial seconds, if any */
519 if (*frac != '\0') { /* chars left, so get fractional part */
520 val = strtol(&(frac[1]), &end, 10);
521 /* if more than 9 fractional digits truncate to 9 */
522 if ((end - &(frac[1])) > 9) {
523 frac[10] = 't'; /* 't' for truncate */
524 val = strtol(&(frac[1]), &end, 10);
526 if (*frac != '.' || end == NULL || end == frac || val < 0
527 || val > ONE_BILLION || val == LONG_MIN || val == LONG_MAX) {
528 fprintf(stderr, "3: editcap: \"%s\" isn't a valid rel time value\n",
533 return TRUE; /* no fractional digits */
536 /* adjust fractional portion from fractional to numerator
537 * e.g., in "1.5" from 5 to 500000000 since .5*10^9 = 500000000 */
538 frac_digits = end - frac - 1; /* fractional digit count (remember '.') */
539 while(frac_digits < 9) { /* this is frac of 10^9 */
544 relative_time_window.nsecs = (int)val;
548 #define LINUX_SLL_OFFSETP 14
551 sll_remove_vlan_info(guint8* fd, guint32* len) {
552 if (pntoh16(fd + LINUX_SLL_OFFSETP) == ETHERTYPE_VLAN) {
554 /* point to start of vlan */
555 fd = fd + LINUX_SLL_OFFSETP;
556 /* bytes to read after vlan info */
557 rest_len = *len - (LINUX_SLL_OFFSETP + VLAN_SIZE);
558 /* remove vlan info from packet */
559 memmove(fd, fd + VLAN_SIZE, rest_len);
565 remove_vlan_info(const wtap_packet_header *phdr, guint8* fd, guint32* len) {
566 switch (phdr->pkt_encap) {
568 sll_remove_vlan_info(fd, len);
571 /* no support for current pkt_encap */
577 is_duplicate(guint8* fd, guint32 len) {
580 /*Hint to ignore some bytes at the start of the frame for the digest calculation(-I option) */
581 guint32 offset = ignored_bytes;
585 if (len <= ignored_bytes) {
589 new_fd = &fd[offset];
590 new_len = len - (offset);
593 if (cur_dup_entry >= dup_window)
596 /* Calculate our digest */
597 gcry_md_hash_buffer(GCRY_MD_MD5, fd_hash[cur_dup_entry].digest, new_fd, new_len);
599 fd_hash[cur_dup_entry].len = len;
601 /* Look for duplicates */
602 for (i = 0; i < dup_window; i++) {
603 if (i == cur_dup_entry)
606 if (fd_hash[i].len == fd_hash[cur_dup_entry].len
607 && memcmp(fd_hash[i].digest, fd_hash[cur_dup_entry].digest, 16) == 0) {
616 is_duplicate_rel_time(guint8* fd, guint32 len, const nstime_t *current) {
619 /*Hint to ignore some bytes at the start of the frame for the digest calculation(-I option) */
620 guint32 offset = ignored_bytes;
624 if (len <= ignored_bytes) {
628 new_fd = &fd[offset];
629 new_len = len - (offset);
632 if (cur_dup_entry >= dup_window)
635 /* Calculate our digest */
636 gcry_md_hash_buffer(GCRY_MD_MD5, fd_hash[cur_dup_entry].digest, new_fd, new_len);
638 fd_hash[cur_dup_entry].len = len;
639 fd_hash[cur_dup_entry].frame_time.secs = current->secs;
640 fd_hash[cur_dup_entry].frame_time.nsecs = current->nsecs;
643 * Look for relative time related duplicates.
644 * This is hopefully a reasonably efficient mechanism for
645 * finding duplicates by rel time in the fd_hash[] cache.
646 * We check starting from the most recently added hash
647 * entries and work backwards towards older packets.
648 * This approach allows the dup test to be terminated
649 * when the relative time of a cached entry is found to
650 * be beyond the dup time window.
652 * Of course this assumes that the input trace file is
653 * "well-formed" in the sense that the packet timestamps are
654 * in strict chronologically increasing order (which is NOT
655 * always the case!!).
657 * The fd_hash[] table was deliberately created large (1,000,000).
658 * Looking for time related duplicates in large trace files with
659 * non-fractional dup time window values can potentially take
660 * a long time to complete.
663 for (i = cur_dup_entry - 1;; i--) {
670 if (i == cur_dup_entry) {
672 * We've decremented back to where we started.
678 if (nstime_is_unset(&(fd_hash[i].frame_time))) {
680 * We've decremented to an unused fd_hash[] entry.
686 nstime_delta(&delta, current, &fd_hash[i].frame_time);
688 if (delta.secs < 0 || delta.nsecs < 0) {
690 * A negative delta implies that the current packet
691 * has an absolute timestamp less than the cached packet
692 * that it is being compared to. This is NOT a normal
693 * situation since trace files usually have packets in
694 * chronological order (oldest to newest).
696 * There are several possible ways to deal with this:
697 * 1. 'continue' dup checking with the next cached frame.
698 * 2. 'break' from looking for a duplicate of the current frame.
699 * 3. Take the absolute value of the delta and see if that
700 * falls within the specifed dup time window.
702 * Currently this code does option 1. But it would pretty
703 * easy to add yet-another-editcap-option to select one of
704 * the other behaviors for dealing with out-of-sequence
710 cmp = nstime_cmp(&delta, &relative_time_window);
714 * The delta time indicates that we are now looking at
715 * cached packets beyond the specified dup time window.
719 } else if (fd_hash[i].len == fd_hash[cur_dup_entry].len
720 && memcmp(fd_hash[i].digest, fd_hash[cur_dup_entry].digest, 16) == 0) {
729 print_usage(FILE *output)
731 fprintf(output, "\n");
732 fprintf(output, "Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]\n");
733 fprintf(output, "\n");
734 fprintf(output, "<infile> and <outfile> must both be present.\n");
735 fprintf(output, "A single packet or a range of packets can be selected.\n");
736 fprintf(output, "\n");
737 fprintf(output, "Packet selection:\n");
738 fprintf(output, " -r keep the selected packets; default is to delete them.\n");
739 fprintf(output, " -A <start time> only output packets whose timestamp is after (or equal\n");
740 fprintf(output, " to) the given time (format as YYYY-MM-DD hh:mm:ss).\n");
741 fprintf(output, " -B <stop time> only output packets whose timestamp is before the\n");
742 fprintf(output, " given time (format as YYYY-MM-DD hh:mm:ss).\n");
743 fprintf(output, "\n");
744 fprintf(output, "Duplicate packet removal:\n");
745 fprintf(output, " --novlan remove vlan info from packets before checking for duplicates.\n");
746 fprintf(output, " -d remove packet if duplicate (window == %d).\n", DEFAULT_DUP_DEPTH);
747 fprintf(output, " -D <dup window> remove packet if duplicate; configurable <dup window>.\n");
748 fprintf(output, " Valid <dup window> values are 0 to %d.\n", MAX_DUP_DEPTH);
749 fprintf(output, " NOTE: A <dup window> of 0 with -v (verbose option) is\n");
750 fprintf(output, " useful to print MD5 hashes.\n");
751 fprintf(output, " -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR\n");
752 fprintf(output, " LESS THAN <dup time window> prior to current packet.\n");
753 fprintf(output, " A <dup time window> is specified in relative seconds\n");
754 fprintf(output, " (e.g. 0.000001).\n");
755 fprintf(output, " -a <framenum>:<comment> Add or replace comment for given frame number\n");
756 fprintf(output, "\n");
757 fprintf(output, " -I <bytes to ignore> ignore the specified number of bytes at the beginning\n");
758 fprintf(output, " of the frame during MD5 hash calculation, unless the\n");
759 fprintf(output, " frame is too short, then the full frame is used.\n");
760 fprintf(output, " Useful to remove duplicated packets taken on\n");
761 fprintf(output, " several routers (different mac addresses for\n");
762 fprintf(output, " example).\n");
763 fprintf(output, " e.g. -I 26 in case of Ether/IP will ignore\n");
764 fprintf(output, " ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).\n");
765 fprintf(output, "\n");
766 fprintf(output, " NOTE: The use of the 'Duplicate packet removal' options with\n");
767 fprintf(output, " other editcap options except -v may not always work as expected.\n");
768 fprintf(output, " Specifically the -r, -t or -S options will very likely NOT have the\n");
769 fprintf(output, " desired effect if combined with the -d, -D or -w.\n");
770 fprintf(output, "\n");
771 fprintf(output, "Packet manipulation:\n");
772 fprintf(output, " -s <snaplen> truncate each packet to max. <snaplen> bytes of data.\n");
773 fprintf(output, " -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values\n");
774 fprintf(output, " chop at the packet beginning, negative values at the\n");
775 fprintf(output, " packet end. If an optional offset precedes the length,\n");
776 fprintf(output, " then the bytes chopped will be offset from that value.\n");
777 fprintf(output, " Positive offsets are from the packet beginning,\n");
778 fprintf(output, " negative offsets are from the packet end. You can use\n");
779 fprintf(output, " this option more than once, allowing up to 2 chopping\n");
780 fprintf(output, " regions within a packet provided that at least 1\n");
781 fprintf(output, " choplen is positive and at least 1 is negative.\n");
782 fprintf(output, " -L adjust the frame (i.e. reported) length when chopping\n");
783 fprintf(output, " and/or snapping.\n");
784 fprintf(output, " -t <time adjustment> adjust the timestamp of each packet.\n");
785 fprintf(output, " <time adjustment> is in relative seconds (e.g. -0.5).\n");
786 fprintf(output, " -S <strict adjustment> adjust timestamp of packets if necessary to ensure\n");
787 fprintf(output, " strict chronological increasing order. The <strict\n");
788 fprintf(output, " adjustment> is specified in relative seconds with\n");
789 fprintf(output, " values of 0 or 0.000001 being the most reasonable.\n");
790 fprintf(output, " A negative adjustment value will modify timestamps so\n");
791 fprintf(output, " that each packet's delta time is the absolute value\n");
792 fprintf(output, " of the adjustment specified. A value of -0 will set\n");
793 fprintf(output, " all packets to the timestamp of the first packet.\n");
794 fprintf(output, " -E <error probability> set the probability (between 0.0 and 1.0 incl.) that\n");
795 fprintf(output, " a particular packet byte will be randomly changed.\n");
796 fprintf(output, " -o <change offset> When used in conjunction with -E, skip some bytes from the\n");
797 fprintf(output, " beginning of the packet. This allows one to preserve some\n");
798 fprintf(output, " bytes, in order to have some headers untouched.\n");
799 fprintf(output, "\n");
800 fprintf(output, "Output File(s):\n");
801 fprintf(output, " -c <packets per file> split the packet output to different files based on\n");
802 fprintf(output, " uniform packet counts with a maximum of\n");
803 fprintf(output, " <packets per file> each.\n");
804 fprintf(output, " -i <seconds per file> split the packet output to different files based on\n");
805 fprintf(output, " uniform time intervals with a maximum of\n");
806 fprintf(output, " <seconds per file> each.\n");
807 fprintf(output, " -F <capture type> set the output file type; default is pcapng. An empty\n");
808 fprintf(output, " \"-F\" option will list the file types.\n");
809 fprintf(output, " -T <encap type> set the output file encapsulation type; default is the\n");
810 fprintf(output, " same as the input file. An empty \"-T\" option will\n");
811 fprintf(output, " list the encapsulation types.\n");
812 fprintf(output, "\n");
813 fprintf(output, "Miscellaneous:\n");
814 fprintf(output, " -h display this help and exit.\n");
815 fprintf(output, " -v verbose output.\n");
816 fprintf(output, " If -v is used with any of the 'Duplicate Packet\n");
817 fprintf(output, " Removal' options (-d, -D or -w) then Packet lengths\n");
818 fprintf(output, " and MD5 hashes are printed to standard-error.\n");
822 const char *sstr; /* The short string */
823 const char *lstr; /* The long string */
827 string_compare(gconstpointer a, gconstpointer b)
829 return strcmp(((const struct string_elem *)a)->sstr,
830 ((const struct string_elem *)b)->sstr);
834 string_nat_compare(gconstpointer a, gconstpointer b)
836 return ws_ascii_strnatcmp(((const struct string_elem *)a)->sstr,
837 ((const struct string_elem *)b)->sstr);
841 string_elem_print(gpointer data, gpointer stream_ptr)
843 fprintf((FILE *) stream_ptr, " %s - %s\n",
844 ((struct string_elem *)data)->sstr,
845 ((struct string_elem *)data)->lstr);
849 list_capture_types(FILE *stream) {
851 struct string_elem *captypes;
854 captypes = g_new(struct string_elem,WTAP_NUM_FILE_TYPES_SUBTYPES);
855 fprintf(stream, "editcap: The available capture file types for the \"-F\" flag are:\n");
856 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
857 if (wtap_dump_can_open(i)) {
858 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
859 captypes[i].lstr = wtap_file_type_subtype_string(i);
860 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
863 g_slist_foreach(list, string_elem_print, stream);
869 list_encap_types(FILE *stream) {
871 struct string_elem *encaps;
874 encaps = (struct string_elem *)g_malloc(sizeof(struct string_elem) * WTAP_NUM_ENCAP_TYPES);
875 fprintf(stream, "editcap: The available encapsulation types for the \"-T\" flag are:\n");
876 for (i = 0; i < WTAP_NUM_ENCAP_TYPES; i++) {
877 encaps[i].sstr = wtap_encap_short_string(i);
878 if (encaps[i].sstr != NULL) {
879 encaps[i].lstr = wtap_encap_string(i);
880 list = g_slist_insert_sorted(list, &encaps[i], string_nat_compare);
883 g_slist_foreach(list, string_elem_print, stream);
889 framenum_compare(gconstpointer a, gconstpointer b, gpointer user_data _U_)
891 if (GPOINTER_TO_UINT(a) < GPOINTER_TO_UINT(b))
894 if (GPOINTER_TO_UINT(a) > GPOINTER_TO_UINT(b))
901 * General errors and warnings are reported with an console message
905 failure_warning_message(const char *msg_format, va_list ap)
907 fprintf(stderr, "editcap: ");
908 vfprintf(stderr, msg_format, ap);
909 fprintf(stderr, "\n");
913 * Report additional information for an error in command-line arguments.
916 failure_message_cont(const char *msg_format, va_list ap)
918 vfprintf(stderr, msg_format, ap);
919 fprintf(stderr, "\n");
923 editcap_dump_open(const char *filename, guint32 snaplen,
925 wtapng_iface_descriptions_t *idb_inf,
926 GArray* nrb_hdrs, int *write_err)
930 if (strcmp(filename, "-") == 0) {
931 /* Write to the standard output. */
932 pdh = wtap_dump_open_stdout_ng(out_file_type_subtype, out_frame_type,
933 snaplen, FALSE /* compressed */,
934 shb_hdrs, idb_inf, nrb_hdrs, write_err);
936 pdh = wtap_dump_open_ng(filename, out_file_type_subtype, out_frame_type,
937 snaplen, FALSE /* compressed */,
938 shb_hdrs, idb_inf, nrb_hdrs, write_err);
944 main(int argc, char *argv[])
946 GString *comp_info_str;
947 GString *runtime_info_str;
948 char *init_progfile_dir_error;
950 int i, j, read_err, write_err;
951 gchar *read_err_info, *write_err_info;
953 static const struct option long_options[] = {
954 {"novlan", no_argument, NULL, 0x8100},
955 {"help", no_argument, NULL, 'h'},
956 {"version", no_argument, NULL, 'V'},
961 guint32 snaplen = 0; /* No limit */
962 chop_t chop = {0, 0, 0, 0, 0, 0}; /* No chop */
963 gboolean adjlen = FALSE;
964 wtap_dumper *pdh = NULL;
965 unsigned int count = 1;
966 unsigned int duplicate_count = 0;
970 guint32 read_count = 0;
971 guint32 split_packet_count = 0;
972 int written_count = 0;
973 char *filename = NULL;
975 guint32 secs_per_block = 0;
977 nstime_t block_start;
978 gchar *fprefix = NULL;
979 gchar *fsuffix = NULL;
980 guint32 change_offset = 0;
981 guint max_packet_number = 0;
984 wtapng_iface_descriptions_t *idb_inf = NULL;
985 GArray *shb_hdrs = NULL;
986 GArray *nrb_hdrs = NULL;
988 gboolean do_mutation;
990 int ret = EXIT_SUCCESS;
992 cmdarg_err_init(failure_warning_message, failure_message_cont);
995 arg_list_utf_16to8(argc, argv);
996 create_app_running_mutex();
999 /* Get the compile-time version information string */
1000 comp_info_str = get_compiled_version_info(NULL, NULL);
1002 /* Get the run-time version information string */
1003 runtime_info_str = get_runtime_version_info(NULL);
1005 /* Add it to the information to be reported on a crash. */
1006 ws_add_crash_info("Editcap (Wireshark) %s\n"
1011 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1012 g_string_free(comp_info_str, TRUE);
1013 g_string_free(runtime_info_str, TRUE);
1016 * Get credential information for later use.
1018 init_process_policies();
1021 * Attempt to get the pathname of the directory containing the
1024 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1025 if (init_progfile_dir_error != NULL) {
1027 "editcap: Can't get pathname of directory containing the editcap program: %s.\n",
1028 init_progfile_dir_error);
1029 g_free(init_progfile_dir_error);
1032 init_report_message(failure_warning_message, failure_warning_message,
1037 /* Process the options */
1038 while ((opt = getopt_long(argc, argv, ":a:A:B:c:C:dD:E:F:hi:I:Lo:rs:S:t:T:vVw:", long_options, NULL)) != -1) {
1049 gint string_start_index = 0;
1051 if ((sscanf(optarg, "%u:%n", &frame_number, &string_start_index) < 1) || (string_start_index == 0)) {
1052 fprintf(stderr, "editcap: \"%s\" isn't a valid <frame>:<comment>\n\n",
1054 ret = INVALID_OPTION;
1058 /* Lazily create the table */
1059 if (!frames_user_comments) {
1060 frames_user_comments = g_tree_new_full(framenum_compare, NULL, NULL, g_free);
1063 /* Insert this entry (framenum -> comment) */
1064 g_tree_replace(frames_user_comments, GUINT_TO_POINTER(frame_number), g_strdup(optarg+string_start_index));
1072 memset(&starttm,0,sizeof(struct tm));
1074 if (!strptime(optarg,"%Y-%m-%d %T", &starttm)) {
1075 fprintf(stderr, "editcap: \"%s\" isn't a valid time format\n\n",
1077 ret = INVALID_OPTION;
1081 check_startstop = TRUE;
1082 starttm.tm_isdst = -1;
1084 starttime = mktime(&starttm);
1092 memset(&stoptm,0,sizeof(struct tm));
1094 if (!strptime(optarg,"%Y-%m-%d %T", &stoptm)) {
1095 fprintf(stderr, "editcap: \"%s\" isn't a valid time format\n\n",
1097 ret = INVALID_OPTION;
1100 check_startstop = TRUE;
1101 stoptm.tm_isdst = -1;
1102 stoptime = mktime(&stoptm);
1107 split_packet_count = get_nonzero_guint32(optarg, "packet count");
1112 int choplen = 0, chopoff = 0;
1114 switch (sscanf(optarg, "%d:%d", &chopoff, &choplen)) {
1115 case 1: /* only the chop length was specififed */
1120 case 2: /* both an offset and chop length was specified */
1124 fprintf(stderr, "editcap: \"%s\" isn't a valid chop length or offset:length\n",
1126 ret = INVALID_OPTION;
1132 chop.len_begin += choplen;
1134 chop.off_begin_pos += chopoff;
1136 chop.off_begin_neg += chopoff;
1137 } else if (choplen < 0) {
1138 chop.len_end += choplen;
1140 chop.off_end_pos += chopoff;
1142 chop.off_end_neg += chopoff;
1149 dup_detect_by_time = FALSE;
1150 dup_window = DEFAULT_DUP_DEPTH;
1155 dup_detect_by_time = FALSE;
1156 dup_window = get_guint32(optarg, "duplicate window");
1157 if (dup_window > MAX_DUP_DEPTH) {
1158 fprintf(stderr, "editcap: \"%d\" duplicate window value must be between 0 and %d inclusive.\n",
1159 dup_window, MAX_DUP_DEPTH);
1160 ret = INVALID_OPTION;
1166 err_prob = g_ascii_strtod(optarg, &p);
1167 if (p == optarg || err_prob < 0.0 || err_prob > 1.0) {
1168 fprintf(stderr, "editcap: probability \"%s\" must be between 0.0 and 1.0\n",
1170 ret = INVALID_OPTION;
1173 srand( (unsigned int) (time(NULL) + ws_getpid()) );
1177 out_file_type_subtype = wtap_short_string_to_file_type_subtype(optarg);
1178 if (out_file_type_subtype < 0) {
1179 fprintf(stderr, "editcap: \"%s\" isn't a valid capture file type\n\n",
1181 list_capture_types(stderr);
1182 ret = INVALID_OPTION;
1188 printf("Editcap (Wireshark) %s\n"
1189 "Edit and/or translate the format of capture files.\n"
1190 "See https://www.wireshark.org for more information.\n",
1191 get_ws_vcs_version_info());
1192 print_usage(stdout);
1196 case 'i': /* break capture file based on time interval */
1197 secs_per_block = get_nonzero_guint32(optarg, "time interval");
1200 case 'I': /* ignored_bytes at the beginning of the frame for duplications removal */
1201 ignored_bytes = get_guint32(optarg, "number of bytes to ignore");
1209 change_offset = get_guint32(optarg, "change offset");
1213 keep_em = !keep_em; /* Just invert */
1217 snaplen = get_nonzero_guint32(optarg, "snapshot length");
1221 if (!set_strict_time_adj(optarg)) {
1222 ret = INVALID_OPTION;
1225 do_strict_time_adjustment = TRUE;
1229 if (!set_time_adjustment(optarg)) {
1230 ret = INVALID_OPTION;
1236 out_frame_type = wtap_short_string_to_encap(optarg);
1237 if (out_frame_type < 0) {
1238 fprintf(stderr, "editcap: \"%s\" isn't a valid encapsulation type\n\n",
1240 list_encap_types(stderr);
1241 ret = INVALID_OPTION;
1247 verbose = !verbose; /* Just invert */
1251 comp_info_str = get_compiled_version_info(NULL, NULL);
1252 runtime_info_str = get_runtime_version_info(NULL);
1253 show_version("Editcap (Wireshark)", comp_info_str, runtime_info_str);
1254 g_string_free(comp_info_str, TRUE);
1255 g_string_free(runtime_info_str, TRUE);
1261 dup_detect_by_time = TRUE;
1262 dup_window = MAX_DUP_DEPTH;
1263 if (!set_rel_time(optarg)) {
1264 ret = INVALID_OPTION;
1269 case '?': /* Bad options if GNU getopt */
1270 case ':': /* missing option argument */
1273 list_capture_types(stdout);
1276 list_encap_types(stdout);
1280 fprintf(stderr, "editcap: invalid option -- '%c'\n", optopt);
1282 fprintf(stderr, "editcap: option requires an argument -- '%c'\n", optopt);
1284 print_usage(stderr);
1285 ret = INVALID_OPTION;
1291 } /* processing commmand-line options */
1294 fprintf(stderr, "Optind = %i, argc = %i\n", optind, argc);
1297 if ((argc - optind) < 1) {
1298 print_usage(stderr);
1299 ret = INVALID_OPTION;
1303 if (check_startstop && !stoptime) {
1306 /* XXX: will work until 2035 */
1307 memset(&stoptm,0,sizeof(struct tm));
1308 stoptm.tm_year = 135;
1309 stoptm.tm_mday = 31;
1312 stoptime = mktime(&stoptm);
1315 nstime_set_unset(&block_start);
1317 if (starttime > stoptime) {
1318 fprintf(stderr, "editcap: start time is after the stop time\n");
1319 ret = INVALID_OPTION;
1323 if (split_packet_count != 0 && secs_per_block != 0) {
1324 fprintf(stderr, "editcap: can't split on both packet count and time interval\n");
1325 fprintf(stderr, "editcap: at the same time\n");
1326 ret = INVALID_OPTION;
1330 wth = wtap_open_offline(argv[optind], WTAP_TYPE_AUTO, &read_err, &read_err_info, FALSE);
1333 cfile_open_failure_message("editcap", argv[optind], read_err,
1340 fprintf(stderr, "File %s is a %s capture file.\n", argv[optind],
1341 wtap_file_type_subtype_string(wtap_file_type_subtype(wth)));
1344 shb_hdrs = wtap_file_get_shb_for_new_file(wth);
1345 idb_inf = wtap_file_get_idb_info(wth);
1346 nrb_hdrs = wtap_file_get_nrb_for_new_file(wth);
1349 * Now, process the rest, if any ... we only write if there is an extra
1350 * argument or so ...
1353 if ((argc - optind) >= 2) {
1354 if (out_frame_type == -2)
1355 out_frame_type = wtap_file_encap(wth);
1357 for (i = optind + 2; i < argc; i++)
1358 if (add_selection(argv[i], &max_packet_number) == FALSE)
1361 if (keep_em == FALSE)
1362 max_packet_number = G_MAXUINT;
1364 if (dup_detect || dup_detect_by_time) {
1365 for (i = 0; i < dup_window; i++) {
1366 memset(&fd_hash[i].digest, 0, 16);
1368 nstime_set_unset(&fd_hash[i].frame_time);
1372 /* Read all of the packets in turn */
1373 while (wtap_read(wth, &read_err, &read_err_info, &data_offset)) {
1374 if (max_packet_number <= read_count)
1379 rec = wtap_get_rec(wth);
1381 /* Extra actions for the first packet */
1382 if (read_count == 1) {
1383 if (split_packet_count != 0 || secs_per_block != 0) {
1384 if (!fileset_extract_prefix_suffix(argv[optind+1], &fprefix, &fsuffix)) {
1385 ret = CANT_EXTRACT_PREFIX;
1389 filename = fileset_get_filename_by_pattern(block_cnt++, rec, fprefix, fsuffix);
1391 filename = g_strdup(argv[optind+1]);
1395 /* If we don't have an application name add Editcap */
1396 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
1397 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "Editcap " VERSION);
1400 pdh = editcap_dump_open(filename,
1401 snaplen ? MIN(snaplen, wtap_snapshot_length(wth)) : wtap_snapshot_length(wth),
1402 shb_hdrs, idb_inf, nrb_hdrs, &write_err);
1405 cfile_dump_open_failure_message("editcap", filename,
1407 out_file_type_subtype);
1411 } /* first packet only handling */
1414 buf = wtap_get_buf_ptr(wth);
1417 * Not all packets have time stamps. Only process the time
1418 * stamp if we have one.
1420 if (rec->presence_flags & WTAP_HAS_TS) {
1421 if (nstime_is_unset(&block_start)) {
1422 block_start = rec->ts;
1424 if (secs_per_block != 0) {
1425 while (((guint32)(rec->ts.secs - block_start.secs) > secs_per_block)
1426 || ((guint32)(rec->ts.secs - block_start.secs) == secs_per_block
1427 && rec->ts.nsecs >= block_start.nsecs )) { /* time for the next file */
1429 if (!wtap_dump_close(pdh, &write_err)) {
1430 cfile_close_failure_message(filename, write_err);
1434 block_start.secs = block_start.secs + secs_per_block; /* reset for next interval */
1436 filename = fileset_get_filename_by_pattern(block_cnt++, rec, fprefix, fsuffix);
1440 fprintf(stderr, "Continuing writing in file %s\n", filename);
1442 pdh = editcap_dump_open(filename,
1443 snaplen ? MIN(snaplen, wtap_snapshot_length(wth)) : wtap_snapshot_length(wth),
1444 shb_hdrs, idb_inf, nrb_hdrs, &write_err);
1447 cfile_dump_open_failure_message("editcap", filename,
1449 out_file_type_subtype);
1455 } /* time stamp handling */
1457 if (split_packet_count != 0) {
1458 /* time for the next file? */
1459 if (written_count > 0 && (written_count % split_packet_count) == 0) {
1460 if (!wtap_dump_close(pdh, &write_err)) {
1461 cfile_close_failure_message(filename, write_err);
1467 filename = fileset_get_filename_by_pattern(block_cnt++, rec, fprefix, fsuffix);
1471 fprintf(stderr, "Continuing writing in file %s\n", filename);
1473 pdh = editcap_dump_open(filename,
1474 snaplen ? MIN(snaplen, wtap_snapshot_length(wth)) : wtap_snapshot_length(wth),
1475 shb_hdrs, idb_inf, nrb_hdrs, &write_err);
1477 cfile_dump_open_failure_message("editcap", filename,
1479 out_file_type_subtype);
1484 } /* split packet handling */
1486 if (check_startstop) {
1488 * Is the packet in the selected timeframe?
1489 * If the packet has no time stamp, the answer is "no".
1491 if (rec->presence_flags & WTAP_HAS_TS)
1492 ts_okay = (rec->ts.secs >= starttime) && (rec->ts.secs < stoptime);
1497 * No selected timeframe, so all packets are "in the
1498 * selected timeframe".
1503 if (ts_okay && ((!selected(count) && !keep_em)
1504 || (selected(count) && keep_em))) {
1506 if (verbose && !dup_detect && !dup_detect_by_time)
1507 fprintf(stderr, "Packet: %u\n", count);
1509 /* We simply write it, perhaps after truncating it; we could
1510 * do other things, like modify it. */
1512 rec = wtap_get_rec(wth);
1514 if (rec->presence_flags & WTAP_HAS_TS) {
1515 /* Do we adjust timestamps to ensure strict chronological
1517 if (do_strict_time_adjustment) {
1518 if (previous_time.secs || previous_time.nsecs) {
1519 if (!strict_time_adj.is_negative) {
1525 nstime_delta(&delta, ¤t, &previous_time);
1527 if (delta.secs < 0 || delta.nsecs < 0) {
1529 * A negative delta indicates that the current packet
1530 * has an absolute timestamp less than the previous packet
1531 * that it is being compared to. This is NOT a normal
1532 * situation since trace files usually have packets in
1533 * chronological order (oldest to newest).
1534 * Copy and change rather than modify
1537 /* fprintf(stderr, "++out of order, need to adjust this packet!\n"); */
1539 temp_rec.ts.secs = previous_time.secs + strict_time_adj.tv.secs;
1540 temp_rec.ts.nsecs = previous_time.nsecs;
1541 if (temp_rec.ts.nsecs + strict_time_adj.tv.nsecs > ONE_BILLION) {
1544 temp_rec.ts.nsecs += strict_time_adj.tv.nsecs - ONE_BILLION;
1546 temp_rec.ts.nsecs += strict_time_adj.tv.nsecs;
1552 * A negative strict time adjustment is requested.
1553 * Unconditionally set each timestamp to previous
1554 * packet's timestamp plus delta.
1555 * Copy and change rather than modify returned
1559 temp_rec.ts.secs = previous_time.secs + strict_time_adj.tv.secs;
1560 temp_rec.ts.nsecs = previous_time.nsecs;
1561 if (temp_rec.ts.nsecs + strict_time_adj.tv.nsecs > ONE_BILLION) {
1564 temp_rec.ts.nsecs += strict_time_adj.tv.nsecs - ONE_BILLION;
1566 temp_rec.ts.nsecs += strict_time_adj.tv.nsecs;
1571 previous_time = rec->ts;
1574 if (time_adj.tv.secs != 0) {
1575 /* Copy and change rather than modify returned rec */
1577 if (time_adj.is_negative)
1578 temp_rec.ts.secs -= time_adj.tv.secs;
1580 temp_rec.ts.secs += time_adj.tv.secs;
1584 if (time_adj.tv.nsecs != 0) {
1585 /* Copy and change rather than modify returned rec */
1587 if (time_adj.is_negative) { /* subtract */
1588 if (temp_rec.ts.nsecs < time_adj.tv.nsecs) { /* borrow */
1590 temp_rec.ts.nsecs += ONE_BILLION;
1592 temp_rec.ts.nsecs -= time_adj.tv.nsecs;
1594 if (temp_rec.ts.nsecs + time_adj.tv.nsecs > ONE_BILLION) {
1597 temp_rec.ts.nsecs += time_adj.tv.nsecs - ONE_BILLION;
1599 temp_rec.ts.nsecs += time_adj.tv.nsecs;
1604 } /* time stamp adjustment */
1606 if (rec->rec_type == REC_TYPE_PACKET) {
1608 /* Limit capture length to snaplen */
1609 if (rec->rec_header.packet_header.caplen > snaplen) {
1610 /* Copy and change rather than modify returned wtap_rec */
1612 temp_rec.rec_header.packet_header.caplen = snaplen;
1615 /* If -L, also set reported length to snaplen */
1616 if (adjlen && rec->rec_header.packet_header.len > snaplen) {
1617 /* Copy and change rather than modify returned phdr */
1619 temp_rec.rec_header.packet_header.len = snaplen;
1626 * Copy and change rather than modify returned phdr.
1629 handle_chopping(chop, &temp_rec.rec_header.packet_header,
1630 &rec->rec_header.packet_header, &buf,
1634 /* remove vlan info */
1636 /* Copy and change rather than modify returned rec */
1638 remove_vlan_info(&rec->rec_header.packet_header, buf,
1639 &temp_rec.rec_header.packet_header.caplen);
1643 /* suppress duplicates by packet window */
1645 if (is_duplicate(buf, rec->rec_header.packet_header.caplen)) {
1647 fprintf(stderr, "Skipped: %u, Len: %u, MD5 Hash: ",
1649 rec->rec_header.packet_header.caplen);
1650 for (i = 0; i < 16; i++)
1651 fprintf(stderr, "%02x",
1652 (unsigned char)fd_hash[cur_dup_entry].digest[i]);
1653 fprintf(stderr, "\n");
1660 fprintf(stderr, "Packet: %u, Len: %u, MD5 Hash: ",
1662 rec->rec_header.packet_header.caplen);
1663 for (i = 0; i < 16; i++)
1664 fprintf(stderr, "%02x",
1665 (unsigned char)fd_hash[cur_dup_entry].digest[i]);
1666 fprintf(stderr, "\n");
1669 } /* suppression of duplicates */
1671 if (rec->presence_flags & WTAP_HAS_TS) {
1672 /* suppress duplicates by time window */
1673 if (dup_detect_by_time) {
1676 current.secs = rec->ts.secs;
1677 current.nsecs = rec->ts.nsecs;
1679 if (is_duplicate_rel_time(buf,
1680 rec->rec_header.packet_header.caplen,
1683 fprintf(stderr, "Skipped: %u, Len: %u, MD5 Hash: ",
1685 rec->rec_header.packet_header.caplen);
1686 for (i = 0; i < 16; i++)
1687 fprintf(stderr, "%02x",
1688 (unsigned char)fd_hash[cur_dup_entry].digest[i]);
1689 fprintf(stderr, "\n");
1696 fprintf(stderr, "Packet: %u, Len: %u, MD5 Hash: ",
1698 rec->rec_header.packet_header.caplen);
1699 for (i = 0; i < 16; i++)
1700 fprintf(stderr, "%02x",
1701 (unsigned char)fd_hash[cur_dup_entry].digest[i]);
1702 fprintf(stderr, "\n");
1706 } /* suppress duplicates by time window */
1709 /* Random error mutation */
1710 do_mutation = FALSE;
1712 if (err_prob > 0.0) {
1713 switch (rec->rec_type) {
1715 case REC_TYPE_PACKET:
1716 caplen = rec->rec_header.packet_header.caplen;
1720 case REC_TYPE_SYSCALL:
1721 caplen = rec->rec_header.syscall_header.event_filelen;
1726 if (change_offset > caplen) {
1727 fprintf(stderr, "change offset %u is longer than caplen %u in packet %u\n",
1728 change_offset, caplen, count);
1729 do_mutation = FALSE;
1734 int real_data_start = 0;
1736 /* Protect non-protocol data */
1737 switch (rec->rec_type) {
1739 case REC_TYPE_PACKET:
1740 if (wtap_file_type_subtype(wth) == WTAP_FILE_TYPE_SUBTYPE_CATAPULT_DCT2000)
1741 real_data_start = find_dct2000_real_data(buf);
1745 real_data_start += change_offset;
1747 for (i = real_data_start; i < (int) caplen; i++) {
1748 if (rand() <= err_prob * RAND_MAX) {
1749 err_type = rand() / (RAND_MAX / ERR_WT_TOTAL + 1);
1751 if (err_type < ERR_WT_BIT) {
1752 buf[i] ^= 1 << (rand() / (RAND_MAX / 8 + 1));
1753 err_type = ERR_WT_TOTAL;
1755 err_type -= ERR_WT_BYTE;
1758 if (err_type < ERR_WT_BYTE) {
1759 buf[i] = rand() / (RAND_MAX / 255 + 1);
1760 err_type = ERR_WT_TOTAL;
1762 err_type -= ERR_WT_BYTE;
1765 if (err_type < ERR_WT_ALNUM) {
1766 buf[i] = ALNUM_CHARS[rand() / (RAND_MAX / ALNUM_LEN + 1)];
1767 err_type = ERR_WT_TOTAL;
1769 err_type -= ERR_WT_ALNUM;
1772 if (err_type < ERR_WT_FMT) {
1773 if ((unsigned int)i < caplen - 2)
1774 g_strlcpy((char*) &buf[i], "%s", 2);
1775 err_type = ERR_WT_TOTAL;
1777 err_type -= ERR_WT_FMT;
1780 if (err_type < ERR_WT_AA) {
1781 for (j = i; j < (int) caplen; j++)
1787 } /* random error mutation */
1789 /* Find a packet comment we may need to write */
1790 if (frames_user_comments) {
1791 const char *comment =
1792 (const char*)g_tree_lookup(frames_user_comments, GUINT_TO_POINTER(read_count));
1793 /* XXX: What about comment changed to no comment? */
1794 if (comment != NULL) {
1795 /* Copy and change rather than modify returned rec */
1797 temp_rec.opt_comment = g_strdup(comment);
1798 temp_rec.has_comment_changed = TRUE;
1801 /* Copy and change rather than modify returned rec */
1803 temp_rec.has_comment_changed = FALSE;
1808 /* Attempt to dump out current frame to the output file */
1809 if (!wtap_dump(pdh, rec, buf, &write_err, &write_err_info)) {
1810 cfile_write_failure_message("editcap", argv[optind],
1812 write_err, write_err_info,
1814 out_file_type_subtype);
1826 if (read_err != 0) {
1827 /* Print a message noting that the read failed somewhere along the
1829 cfile_read_failure_message("editcap", argv[optind], read_err,
1834 /* No valid packages found, open the outfile so we can write an
1837 filename = g_strdup(argv[optind+1]);
1839 pdh = editcap_dump_open(filename,
1840 snaplen ? MIN(snaplen, wtap_snapshot_length(wth)): wtap_snapshot_length(wth),
1841 shb_hdrs, idb_inf, nrb_hdrs, &write_err);
1843 cfile_dump_open_failure_message("editcap", filename,
1845 out_file_type_subtype);
1851 if (!wtap_dump_close(pdh, &write_err)) {
1852 cfile_close_failure_message(filename, write_err);
1858 if (frames_user_comments) {
1859 g_tree_destroy(frames_user_comments);
1864 fprintf(stderr, "%u packet%s seen, %u packet%s skipped with duplicate window of %i packets.\n",
1865 count - 1, plurality(count - 1, "", "s"), duplicate_count,
1866 plurality(duplicate_count, "", "s"), dup_window);
1867 } else if (dup_detect_by_time) {
1868 fprintf(stderr, "%u packet%s seen, %u packet%s skipped with duplicate time window equal to or less than %ld.%09ld seconds.\n",
1869 count - 1, plurality(count - 1, "", "s"), duplicate_count,
1870 plurality(duplicate_count, "", "s"),
1871 (long)relative_time_window.secs,
1872 (long int)relative_time_window.nsecs);
1876 wtap_block_array_free(shb_hdrs);
1877 wtap_block_array_free(nrb_hdrs);
1886 /* Skip meta-information read from file to return offset of real
1889 find_dct2000_real_data(guint8 *buf)
1893 for (n = 0; buf[n] != '\0'; n++); /* Context name */
1895 n++; /* Context port number */
1896 for (; buf[n] != '\0'; n++); /* Timestamp */
1898 for (; buf[n] != '\0'; n++); /* Protocol name */
1900 for (; buf[n] != '\0'; n++); /* Variant number (as string) */
1902 for (; buf[n] != '\0'; n++); /* Outhdr (as string) */
1904 n += 2; /* Direction & encap */
1910 * We support up to 2 chopping regions in a single pass: one specified by the
1911 * positive chop length, and one by the negative chop length.
1914 handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
1915 const wtap_packet_header *in_phdr, guint8 **buf,
1918 /* If we're not chopping anything from one side, then the offset for that
1919 * side is meaningless. */
1920 if (chop.len_begin == 0)
1921 chop.off_begin_pos = chop.off_begin_neg = 0;
1922 if (chop.len_end == 0)
1923 chop.off_end_pos = chop.off_end_neg = 0;
1925 if (chop.off_begin_neg < 0) {
1926 chop.off_begin_pos += in_phdr->caplen + chop.off_begin_neg;
1927 chop.off_begin_neg = 0;
1929 if (chop.off_end_pos > 0) {
1930 chop.off_end_neg += chop.off_end_pos - in_phdr->caplen;
1931 chop.off_end_pos = 0;
1934 /* If we've crossed chopping regions, swap them */
1935 if (chop.len_begin && chop.len_end) {
1936 if (chop.off_begin_pos > ((int)in_phdr->caplen + chop.off_end_neg)) {
1937 int tmp_len, tmp_off;
1939 tmp_off = in_phdr->caplen + chop.off_end_neg + chop.len_end;
1940 tmp_len = -chop.len_end;
1942 chop.off_end_neg = chop.len_begin + chop.off_begin_pos - in_phdr->caplen;
1943 chop.len_end = -chop.len_begin;
1945 chop.len_begin = tmp_len;
1946 chop.off_begin_pos = tmp_off;
1950 /* Make sure we don't chop off more than we have available */
1951 if (in_phdr->caplen < (guint32)(chop.off_begin_pos - chop.off_end_neg)) {
1955 if ((guint32)(chop.len_begin - chop.len_end) >
1956 (in_phdr->caplen - (guint32)(chop.off_begin_pos - chop.off_end_neg))) {
1957 chop.len_begin = in_phdr->caplen - (chop.off_begin_pos - chop.off_end_neg);
1961 /* Handle chopping from the beginning. Note that if a beginning offset
1962 * was specified, we need to keep that piece */
1963 if (chop.len_begin > 0) {
1964 *out_phdr = *in_phdr;
1966 if (chop.off_begin_pos > 0) {
1967 memmove(*buf + chop.off_begin_pos,
1968 *buf + chop.off_begin_pos + chop.len_begin,
1969 out_phdr->caplen - chop.len_begin);
1971 *buf += chop.len_begin;
1973 out_phdr->caplen -= chop.len_begin;
1976 if (in_phdr->len > (guint32)chop.len_begin)
1977 out_phdr->len -= chop.len_begin;
1984 /* Handle chopping from the end. Note that if an ending offset was
1985 * specified, we need to keep that piece */
1986 if (chop.len_end < 0) {
1987 *out_phdr = *in_phdr;
1989 if (chop.off_end_neg < 0) {
1990 memmove(*buf + (gint)out_phdr->caplen + (chop.len_end + chop.off_end_neg),
1991 *buf + (gint)out_phdr->caplen + chop.off_end_neg,
1994 out_phdr->caplen += chop.len_end;
1997 if (((signed int) in_phdr->len + chop.len_end) > 0)
1998 out_phdr->len += chop.len_end;
2002 /*in_phdr = out_phdr;*/
2007 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2012 * indent-tabs-mode: nil
2015 * vi: set shiftwidth=4 tabstop=8 expandtab:
2016 * :indentSize=4:tabSize=8:noTabs=true: