4 * $Id: file.c,v 1.317 2003/09/24 02:36:33 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #include <gtk/compat_macros.h>
49 #ifdef HAVE_SYS_STAT_H
57 #ifdef NEED_SNPRINTF_H
58 # include "snprintf.h"
61 #ifdef NEED_STRERROR_H
65 #include <epan/epan.h>
66 #include <epan/filesystem.h>
70 #include <epan/packet.h>
75 #include "simple_dialog.h"
76 #include "progress_dlg.h"
78 #include "statusbar.h"
80 #include <epan/dfilter/dfilter.h>
81 #include <epan/conversation.h>
83 #include <epan/epan_dissect.h>
85 #include "packet-data.h"
88 gboolean auto_scroll_live;
91 #define MAX_DECODE_BUFFER_SIZE 16536
93 static guint32 firstsec, firstusec;
94 static guint32 prevsec, prevusec;
95 static guint32 cul_bytes = 0;
97 static void read_packet(capture_file *cf, long offset);
99 static void rescan_packets(capture_file *cf, const char *action, const char *action_item,
100 gboolean refilter, gboolean redissect);
102 static gboolean match_protocol_tree(capture_file *cf, frame_data *fdata,
104 static void match_subtree_text(GNode *node, gpointer data);
105 static gboolean match_summary_line(capture_file *cf, frame_data *fdata,
107 static gboolean match_ascii_and_unicode(capture_file *cf, frame_data *fdata,
109 static gboolean match_ascii(capture_file *cf, frame_data *fdata,
111 static gboolean match_unicode(capture_file *cf, frame_data *fdata,
113 static gboolean match_binary(capture_file *cf, frame_data *fdata,
115 static gboolean match_dfilter(capture_file *cf, frame_data *fdata,
117 static gboolean find_packet(capture_file *cf,
118 gboolean (*match_function)(capture_file *, frame_data *, void *),
121 static void freeze_plist(capture_file *cf);
122 static void thaw_plist(capture_file *cf);
124 static char *file_rename_error_message(int err);
125 static char *file_close_error_message(int err);
126 static gboolean copy_binary_file(char *from_filename, char *to_filename);
128 /* Update the progress bar this many times when reading a file. */
129 #define N_PROGBAR_UPDATES 100
131 /* Number of "frame_data" structures per memory chunk.
132 XXX - is this the right number? */
133 #define FRAME_DATA_CHUNK_SIZE 1024
140 gboolean print_all_levels;
141 gboolean print_hex_for_data;
143 gint format; /* text or PostScript */
/* Open the capture file "fname" through Wiretap and record its details in
   "cf"; the visible failure path reports the error with simple_dialog().
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so the return type, local declarations, braces and several
   branches are not shown here. */
148 cf_open(char *fname, gboolean is_tempfile, capture_file *cf)
155 wth = wtap_open_offline(fname, &err, TRUE);
159 /* Find the size of the file. */
161 if (fstat(fd, &cf_stat) < 0) {
167 /* The open succeeded. Close whatever capture file we had open,
168 and fill in the information for this file. */
171 /* Initialize all data structures used for dissection. */
174 /* We're about to start reading the file. */
175 cf->state = FILE_READ_IN_PROGRESS;
/* Size reported by fstat() above; cf_read() divides by it to scale the
   progress bar. */
179 cf->f_len = cf_stat.st_size;
181 /* Set the file name because we need it to set the follow stream filter.
182 XXX - is that still true? We need it for other reasons, though,
184 cf->filename = g_strdup(fname);
186 /* Indicate whether it's a permanent or temporary file. */
187 cf->is_tempfile = is_tempfile;
189 /* If it's a temporary capture buffer file, mark it as not saved. */
190 cf->user_saved = !is_tempfile;
192 cf->cd_t = wtap_file_type(cf->wth);
194 cf->marked_count = 0;
195 cf->drops_known = FALSE;
199 cf->snap = wtap_snapshot_length(cf->wth);
201 /* Snapshot length not known. */
202 cf->has_snap = FALSE;
203 cf->snap = WTAP_MAX_PACKET_SIZE;
206 cf->progbar_quantum = 0;
207 cf->progbar_nextstep = 0;
208 firstsec = 0, firstusec = 0;
209 prevsec = 0, prevusec = 0;
211 cf->plist_chunk = g_mem_chunk_new("frame_data_chunk",
213 FRAME_DATA_CHUNK_SIZE * sizeof(frame_data),
215 g_assert(cf->plist_chunk);
/* The string returned by file_open_error_message() is used as the format
   and "fname" is passed as its argument, so a '%' in the file name is
   printed as data rather than interpreted as a conversion.
   NOTE(review): this relies on every returned message containing exactly
   one %s - confirm in file_open_error_message(). */
220 simple_dialog(ESD_TYPE_CRIT, NULL,
221 file_open_error_message(err, FALSE, 0), fname);
225 /* Reset everything to a pristine state */
/* Releases the per-file resources held in "cf" (file name, frame_data
   chunk, read filter), clears the packet list and status bar, disables the
   capture-related menus and leaves cf->state at FILE_CLOSED. Asserts that
   no read is in progress. */
227 cf_close(capture_file *cf)
229 /* Die if we're in the middle of reading a file. */
230 g_assert(cf->state != FILE_READ_IN_PROGRESS);
232 /* Destroy all popup packet windows, as they refer to packets in the
233 capture file we're closing. */
234 destroy_packet_wins();
240 /* We have no file open... */
241 if (cf->filename != NULL) {
242 /* If it's a temporary file, remove it. */
/* NOTE(review): the test that limits this unlink() to temporary files is on
   a line this listing omits, and unlink()'s result is not checked here.
   cf->filename is the caller-supplied name copied in cf_open(), so that
   guard is what keeps a user's saved capture from being deleted. */
244 unlink(cf->filename);
245 g_free(cf->filename);
/* NOTE(review): the pointer reset after g_free() is not visible in this
   listing (compare cf->plist_chunk below, which is set to NULL); confirm
   it, since this function tests cf->filename != NULL on entry. */
248 /* ...which means we have nothing to save. */
249 cf->user_saved = FALSE;
251 if (cf->plist_chunk != NULL) {
252 g_mem_chunk_destroy(cf->plist_chunk);
253 cf->plist_chunk = NULL;
255 if (cf->rfcode != NULL) {
256 dfilter_free(cf->rfcode);
/* NOTE(review): as with cf->filename, confirm cf->rfcode is set to NULL on
   the line not shown here so a second close cannot free it again. */
260 cf->plist_end = NULL;
261 unselect_packet(cf); /* nothing to select */
262 cf->first_displayed = NULL;
263 cf->last_displayed = NULL;
265 /* No frame selected, no field in that frame selected. */
266 cf->current_frame = NULL;
267 cf->finfo_selected = NULL;
269 /* Clear the packet list. */
270 packet_list_freeze();
274 /* Clear any file-related status bar messages.
275 XXX - should be "clear *ALL* file-related status bar messages;
276 will there ever be more than one on the stack? */
277 statusbar_pop_file_msg();
279 /* Restore the standard title bar message. */
280 set_main_window_name("The Ethereal Network Analyzer");
282 /* Disable all menu items that make sense only if you have a capture. */
283 set_menus_for_capture_file(FALSE);
284 set_menus_for_unsaved_capture_file(FALSE);
285 set_menus_for_captured_packets(FALSE);
286 set_menus_for_selected_packet(cf);
287 set_menus_for_capture_in_progress(FALSE);
288 set_menus_for_selected_tree_row(cf);
290 /* We have no file open. */
291 cf->state = FILE_CLOSED;
294 /* Set the file name in the status line, in the name for the main window,
295 and in the name for the main window's icon. */
/* The display name is always passed as an argument to a fixed format
   string, never as the format itself, and every snprintf() below is bounded
   by the size just allocated, so an over-long name can at worst be
   truncated. */
297 set_display_filename(capture_file *cf)
301 static const gchar done_fmt_nodrops[] = " File: %s";
302 static const gchar done_fmt_drops[] = " File: %s Drops: %u";
304 gchar *win_name_fmt = "%s - Ethereal";
307 name_ptr = cf_get_display_name(cf);
308 if (cf->drops_known) {
/* The extra 64 bytes leave room for the expansion of %u. */
309 msg_len = strlen(name_ptr) + strlen(done_fmt_drops) + 64;
310 done_msg = g_malloc(msg_len);
311 snprintf(done_msg, msg_len, done_fmt_drops, name_ptr, cf->drops);
/* No explicit +1 here: strlen() of the format counts the two characters of
   "%s", which the name replaces, so the sum still covers the text and its
   terminating NUL. */
313 msg_len = strlen(name_ptr) + strlen(done_fmt_nodrops);
314 done_msg = g_malloc(msg_len);
315 snprintf(done_msg, msg_len, done_fmt_nodrops, name_ptr);
317 statusbar_push_file_msg(done_msg);
320 msg_len = strlen(name_ptr) + strlen(win_name_fmt) + 1;
321 win_name = g_malloc(msg_len);
322 snprintf(win_name, msg_len, win_name_fmt, name_ptr);
323 set_main_window_name(win_name);
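/* Read the already-opened capture file sequentially, one packet per
   wtap_read() call, updating a progress dialog along the way, and report a
   read error (if any) in a dialog box. The visible return values are
   READ_ABORTED (the user stopped the load) and READ_SUCCESS.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so declarations, braces and several branches are not
   shown here. */
328 cf_read(capture_file *cf, int *err)
330 gchar *name_ptr, *load_msg, *load_fmt = "%s";
333 char errmsg_errno[1024+1];
334 gchar err_str[2048+1];
336 progdlg_t *progbar = NULL;
339 * XXX - should be "off_t", but Wiretap would need more work to handle
340 * the full size of "off_t" on platforms where it's more than a "long"
348 gchar status_str[100];
351 reset_tap_listeners();
352 name_ptr = get_basename(cf->filename);
354 msg_len = strlen(name_ptr) + strlen(load_fmt) + 2;
355 load_msg = g_malloc(msg_len);
356 snprintf(load_msg, msg_len, load_fmt, name_ptr);
357 statusbar_push_file_msg(load_msg);
359 /* Update the progress bar when it gets to this value. */
360 cf->progbar_nextstep = 0;
361 /* When we reach the value that triggers a progress bar update,
362 bump that value by this amount. */
363 cf->progbar_quantum = cf->f_len/N_PROGBAR_UPDATES;
372 g_get_current_time(&start_time);
374 while ((wtap_read(cf->wth, err, &data_offset))) {
375 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
376 when we update it, we have to run the GTK+ main loop to get it
377 to repaint what's pending, and doing so may involve an "ioctl()"
378 to see if there's any pending input from an X server, and doing
379 that for every packet can be costly, especially on a big file. */
380 if (data_offset >= cf->progbar_nextstep) {
381 file_pos = lseek(cf->filed, 0, SEEK_CUR);
382 prog_val = (gfloat) file_pos / (gfloat) cf->f_len;
383 if (prog_val > 1.0) {
384 /* The file probably grew while we were reading it.
385 Update "cf->f_len", and try again. */
386 fd = wtap_fd(cf->wth);
387 if (fstat(fd, &cf_stat) >= 0) {
388 cf->f_len = cf_stat.st_size;
389 prog_val = (gfloat) file_pos / (gfloat) cf->f_len;
391 /* If it's still > 1, either the "fstat()" failed (in which
392 case there's not much we can do about it), or the file
393 *shrank* (in which case there's not much we can do about
394 it); just clip the progress value at 1.0. */
398 if (progbar == NULL) {
399 /* Create the progress bar if necessary */
400 progbar = delayed_create_progress_dlg("Loading", load_msg, "Stop",
401 &stop_flag, &start_time, prog_val);
405 if (progbar != NULL) {
406 g_snprintf(status_str, sizeof(status_str),
407 "%luKB of %luKB", file_pos / 1024, cf->f_len / 1024);
408 update_progress_dlg(progbar, prog_val, status_str);
410 cf->progbar_nextstep += cf->progbar_quantum;
414 /* Well, the user decided to abort the read. Destroy the progress
415 bar, close the capture file, and return READ_ABORTED so our caller
416 can do whatever is appropriate when that happens. */
417 destroy_progress_dlg(progbar);
418 cf->state = FILE_READ_ABORTED; /* so that we're allowed to close it */
419 packet_list_thaw(); /* undo our freeze */
421 return (READ_ABORTED);
423 read_packet(cf, data_offset);
426 /* We're done reading the file; destroy the progress bar if it was created. */
430 destroy_progress_dlg(progbar);
432 /* We're done reading sequentially through the file. */
433 cf->state = FILE_READ_DONE;
435 /* Close the sequential I/O side, to free up memory it requires. */
436 wtap_sequential_close(cf->wth);
438 /* Allow the protocol dissectors to free up memory that they
439 * don't need after the sequential run-through of the packets. */
440 postseq_cleanup_all_protocols();
442 /* Set the file encapsulation type now; we don't know what it is until
443 we've looked at all the packets, as we don't know until then whether
444 there's more than one type (and thus whether it's
445 WTAP_ENCAP_PER_PACKET). */
446 cf->lnk_t = wtap_file_encap(cf->wth);
448 cf->current_frame = cf->first_displayed;
451 statusbar_pop_file_msg();
452 set_display_filename(cf);
454 /* Enable menu items that make sense if you have a capture file you've
456 set_menus_for_capture_file(TRUE);
457 set_menus_for_unsaved_capture_file(!cf->user_saved);
459 /* Enable menu items that make sense if you have some captured packets. */
460 set_menus_for_captured_packets(TRUE);
462 /* If we have any displayed packets to select, select the first of those
463 packets by making the first row the selected row. */
464 if (cf->first_displayed != NULL)
465 packet_list_select_row(0);
468 /* Put up a message box noting that the read failed somewhere along
469 the line. Don't throw out the stuff we managed to read, though,
473 case WTAP_ERR_UNSUPPORTED_ENCAP:
474 errmsg = "The capture file is for a network type that Ethereal doesn't support.";
477 case WTAP_ERR_CANT_READ:
478 errmsg = "An attempt to read from the file failed for"
479 " some unknown reason.";
482 case WTAP_ERR_SHORT_READ:
483 errmsg = "The capture file appears to have been cut short"
484 " in the middle of a packet.";
487 case WTAP_ERR_BAD_RECORD:
488 errmsg = "The capture file appears to be damaged or corrupt.";
492 snprintf(errmsg_errno, sizeof(errmsg_errno),
493 "An error occurred while reading the"
494 " capture file: %s.", wtap_strerror(*err));
495 errmsg = errmsg_errno;
/* errmsg may hold text produced by wtap_strerror(), so it is passed as data
   through a literal "%s" both here and to simple_dialog() (which takes a
   printf-style format, as the call in cf_open() shows). Using it as the
   format itself would let any '%' in the message be interpreted as a
   conversion. */
498 snprintf(err_str, sizeof err_str, "%s", errmsg);
499 simple_dialog(ESD_TYPE_CRIT, NULL, "%s", err_str);
502 return (READ_SUCCESS);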
/* Begin following a capture file that is still being written: open it with
   cf_open(), switch the menus to their capture-in-progress state, configure
   the packet-list columns and push a "live capture" status message.
   NOTE(review): the check of cf_open()'s result is on a line this listing
   omits. */
507 cf_start_tail(char *fname, gboolean is_tempfile, capture_file *cf)
512 err = cf_open(fname, is_tempfile, cf);
514 /* Disable menu items that make no sense if you're currently running
516 set_menus_for_capture_in_progress(TRUE);
518 /* Enable menu items that make sense if you have some captured
519 packets (yes, I know, we don't have any *yet*). */
520 set_menus_for_captured_packets(TRUE);
522 for (i = 0; i < cf->cinfo.num_cols; i++) {
523 if (get_column_resize_type(cf->cinfo.col_fmt[i]) == RESIZE_LIVE)
524 packet_list_set_column_auto_resize(i, TRUE);
526 packet_list_set_column_auto_resize(i, FALSE);
527 packet_list_set_column_width(i, cf->cinfo.col_width[i]);
528 packet_list_set_column_resizeable(i, TRUE);
532 statusbar_push_file_msg(" <live capture in progress>");
/* Read newly arrived packets from a live capture: loops while "to_read" is
   non-zero and wtap_read() keeps returning packets, handing each one to
   read_packet(). The loop also checks for FILE_READ_ABORTED, and a non-zero
   *err after the loop takes the error branch; the visible final return is
   READ_SUCCESS. */
538 cf_continue_tail(capture_file *cf, int to_read, int *err)
540 long data_offset = 0;
544 packet_list_freeze();
546 while (to_read != 0 && (wtap_read(cf->wth, err, &data_offset))) {
547 if (cf->state == FILE_READ_ABORTED) {
548 /* Well, the user decided to exit Ethereal. Break out of the
549 loop, and let the code below (which is called even if there
550 aren't any packets left to read) exit. */
553 read_packet(cf, data_offset);
559 /* XXX - this cheats and looks inside the packet list to find the final
561 if (auto_scroll_live && cf->plist_end != NULL)
562 packet_list_moveto_end();
564 if (cf->state == FILE_READ_ABORTED) {
565 /* Well, the user decided to exit Ethereal. Return READ_ABORTED
566 so that our caller can kill off the capture child process;
567 this will cause an EOF on the pipe from the child, so
568 "cf_finish_tail()" will be called, and it will clean up
571 } else if (*err != 0) {
572 /* We got an error reading the capture file.
573 XXX - pop up a dialog box? */
576 return (READ_SUCCESS);
/* Finish a live capture: drain the remaining packets with wtap_read(),
   mark the file FILE_READ_DONE, close the sequential side of the Wiretap
   handle, let dissectors release post-sequential state, and restore the
   status bar and menus to their "capture file loaded" state. */
580 cf_finish_tail(capture_file *cf, int *err)
584 packet_list_freeze();
586 while ((wtap_read(cf->wth, err, &data_offset))) {
587 if (cf->state == FILE_READ_ABORTED) {
588 /* Well, the user decided to abort the read. Break out of the
589 loop, and let the code below (which is called even if there
590 aren't any packets left to read) exit. */
593 read_packet(cf, data_offset);
596 if (cf->state == FILE_READ_ABORTED) {
597 /* Well, the user decided to abort the read. We're only called
598 when the child capture process closes the pipe to us (meaning
599 it's probably exited), so we can just close the capture
600 file; we return READ_ABORTED so our caller can do whatever
601 is appropriate when that happens. */
607 if (auto_scroll_live && cf->plist_end != NULL)
608 /* XXX - this cheats and looks inside the packet list to find the final
610 packet_list_moveto_end();
612 /* We're done reading sequentially through the file. */
613 cf->state = FILE_READ_DONE;
615 /* We're done reading sequentially through the file; close the
616 sequential I/O side, to free up memory it requires. */
617 wtap_sequential_close(cf->wth);
619 /* Allow the protocol dissectors to free up memory that they
620 * don't need after the sequential run-through of the packets. */
621 postseq_cleanup_all_protocols();
623 /* Set the file encapsulation type now; we don't know what it is until
624 we've looked at all the packets, as we don't know until then whether
625 there's more than one type (and thus whether it's
626 WTAP_ENCAP_PER_PACKET). */
627 cf->lnk_t = wtap_file_encap(cf->wth);
629 /* Pop the "<live capture in progress>" message off the status bar. */
630 statusbar_pop_file_msg();
632 set_display_filename(cf);
634 /* Enable menu items that make sense if you're not currently running
636 set_menus_for_capture_in_progress(FALSE);
638 /* Enable menu items that make sense if you have a capture file
639 you've finished reading. */
640 set_menus_for_capture_file(TRUE);
641 set_menus_for_unsaved_capture_file(!cf->user_saved);
644 /* We got an error reading the capture file.
645 XXX - pop up a dialog box? */
648 return (READ_SUCCESS);
650 #endif /* HAVE_LIBPCAP */
/* Choose the name shown to the user for this capture: the last path
   component of cf->filename for an ordinary file, or the fixed string
   "<capture>" for a temporary live-capture file, whose name is never
   displayed. */
653 cf_get_display_name(capture_file *cf)
657 /* Return a name to use in displays */
658 if (!cf->is_tempfile) {
659 /* Get the last component of the file name, and use that. */
660 displayname = get_basename(cf->filename);
662 /* The file we read is a temporary file from a live capture;
663 we don't mention its name. */
664 displayname = "<capture>";
670 color_filter_t *colorf;
672 } apply_color_filter_args;
675 * If no color filter has been applied, apply this one.
676 * (The "if no color filter has been applied" is to handle the case where
677 * more than one color filter matches the packet.)
/* g_slist_foreach() callback (see add_packet_to_packet_list()):
   "filter_arg" is one color_filter_t and "argp" the shared
   apply_color_filter_args. The first filter whose compiled expression
   matches args->edt is recorded in args->colorf; once that is set, later
   filters are skipped. */
680 apply_color_filter(gpointer filter_arg, gpointer argp)
682 color_filter_t *colorf = filter_arg;
683 apply_color_filter_args *args = argp;
685 if (colorf->c_colorfilter != NULL && args->colorf == NULL) {
686 if (dfilter_apply_edt(colorf->c_colorfilter, args->edt))
687 args->colorf = colorf;
/* Dissect one frame, compute its relative and delta time stamps, evaluate
   the display filter and color filters, and append the frame to the packet
   list when it passed the display filter or is a time-reference frame.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so the remaining parameters, braces and several branches
   are not shown here. */
692 add_packet_to_packet_list(frame_data *fdata, capture_file *cf,
693 union wtap_pseudo_header *pseudo_header, const guchar *buf,
696 apply_color_filter_args args;
698 gboolean create_proto_tree = FALSE;
701 /* just add some value here until we know if it is being displayed or not */
702 fdata->cul_bytes = cul_bytes + fdata->pkt_len;
/* cul_bytes is a file-scope guint32 and pkt_len is copied from the capture
   file's record header in read_packet(), so this running total can wrap on
   very large captures - TODO confirm consumers treat it as display-only. */
704 /* We don't yet have a color filter to apply. */
707 /* If we don't have the time stamp of the first packet in the
708 capture, it's because this is the first packet. Save the time
709 stamp of this packet as the time stamp of the first packet. */
710 if (!firstsec && !firstusec) {
711 firstsec = fdata->abs_secs;
712 firstusec = fdata->abs_usecs;
714 /* if this frame is marked as a reference time frame, reset
715 firstsec and firstusec to this frame */
716 if(fdata->flags.ref_time){
717 firstsec = fdata->abs_secs;
718 firstusec = fdata->abs_usecs;
721 /* If we don't have the time stamp of the previous displayed packet,
722 it's because this is the first displayed packet. Save the time
723 stamp of this packet as the time stamp of the previous displayed
725 if (!prevsec && !prevusec) {
726 prevsec = fdata->abs_secs;
727 prevusec = fdata->abs_usecs;
730 /* Get the time elapsed between the first packet and this packet. */
731 compute_timestamp_diff(&fdata->rel_secs, &fdata->rel_usecs,
732 fdata->abs_secs, fdata->abs_usecs, firstsec, firstusec);
734 /* If it's greater than the current elapsed time, set the elapsed time
735 to it (we check for "greater than" so as not to be confused by
736 time moving backwards). */
737 if ((gint32)cf->esec < fdata->rel_secs
738 || ((gint32)cf->esec == fdata->rel_secs && (gint32)cf->eusec < fdata->rel_usecs)) {
739 cf->esec = fdata->rel_secs;
740 cf->eusec = fdata->rel_usecs;
743 /* Get the time elapsed between the previous displayed packet and
745 compute_timestamp_diff(&fdata->del_secs, &fdata->del_usecs,
746 fdata->abs_secs, fdata->abs_usecs, prevsec, prevusec);
750 we have a display filter and are re-applying it;
752 we have a list of color filters;
754 we have tap listeners;
756 allocate a protocol tree root node, so that we'll construct
757 a protocol tree against which a filter expression can be
759 if ((cf->dfcode != NULL && refilter) || filter_list != NULL
760 || num_tap_filters != 0)
761 create_proto_tree = TRUE;
763 /* Dissect the frame. */
764 edt = epan_dissect_new(create_proto_tree, FALSE);
766 if (cf->dfcode != NULL && refilter) {
767 epan_dissect_prime_dfilter(edt, cf->dfcode);
770 filter_list_prime_edt(edt);
773 epan_dissect_run(edt, pseudo_header, buf, fdata, &cf->cinfo);
774 tap_push_tapped_queue(edt);
776 /* If we have a display filter, apply it if we're refiltering, otherwise
777 leave the "passed_dfilter" flag alone.
779 If we don't have a display filter, set "passed_dfilter" to 1. */
780 if (cf->dfcode != NULL) {
/* NOTE(review): cf->dfcode is tested again on the next visible line inside
   the branch that the line above already guards; the inner test looks
   redundant, but the line between them is not shown - confirm. */
782 if (cf->dfcode != NULL)
783 fdata->flags.passed_dfilter = dfilter_apply_edt(cf->dfcode, edt) ? 1 : 0;
785 fdata->flags.passed_dfilter = 1;
788 fdata->flags.passed_dfilter = 1;
790 /* If we have color filters, and the frame is to be displayed, apply
791 the color filters. */
792 if (fdata->flags.passed_dfilter) {
793 if (filter_list != NULL) {
795 g_slist_foreach(filter_list, apply_color_filter, &args);
800 if( (fdata->flags.passed_dfilter)
801 || (edt->pi.fd->flags.ref_time) ){
802 /* This frame either passed the display filter list or is marked as
803 a time reference frame. All time reference frames are displayed
804 even if they don't pass the display filter */
806 /* increase cul_bytes with this packets length */
807 cul_bytes += fdata->pkt_len;
809 epan_dissect_fill_in_columns(edt);
811 /* If we haven't yet seen the first frame, this is it.
813 XXX - we must do this before we add the row to the display,
814 as, if the display's GtkCList's selection mode is
815 GTK_SELECTION_BROWSE, when the first entry is added to it,
816 "select_packet()" will be called, and it will fetch the row
817 data for the 0th row, and will get a null pointer rather than
818 "fdata", as "gtk_clist_append()" won't yet have returned and
819 thus "gtk_clist_set_row_data()" won't yet have been called.
821 We thus need to leave behind bread crumbs so that
822 "select_packet()" can find this frame. See the comment
823 in "select_packet()". */
824 if (cf->first_displayed == NULL)
825 cf->first_displayed = fdata;
827 /* This is the last frame we've seen so far. */
828 cf->last_displayed = fdata;
830 row = packet_list_append(cf->cinfo.col_data, fdata);
832 if (fdata->flags.marked) {
833 packet_list_set_colors(row, &prefs.gui_marked_fg, &prefs.gui_marked_bg);
834 } else if (filter_list != NULL && (args.colorf != NULL)) {
835 packet_list_set_colors(row, &args.colorf->fg_color,
836 &args.colorf->bg_color);
839 /* Set the time of the previous displayed frame to the time of this
841 prevsec = fdata->abs_secs;
842 prevusec = fdata->abs_usecs;
844 /* This frame didn't pass the display filter, so it's not being added
845 to the clist, and thus has no row. */
848 epan_dissect_free(edt);
/* Take the packet Wiretap has just read (header, pseudo-header and data are
   fetched from cf->wth), build a frame_data entry for it, apply the read
   filter cf->rfcode, and either link the entry onto the frame list and
   hand it to add_packet_to_packet_list() or return it to the memory chunk.
   "offset" is stored as the packet's position in the file. */
853 read_packet(capture_file *cf, long offset)
855 const struct wtap_pkthdr *phdr = wtap_phdr(cf->wth);
856 union wtap_pseudo_header *pseudo_header = wtap_pseudoheader(cf->wth);
857 const guchar *buf = wtap_buf_ptr(cf->wth);
860 frame_data *plist_end;
863 /* Allocate the next list entry, and add it to the list. */
864 fdata = g_mem_chunk_alloc(cf->plist_chunk);
/* Everything copied from phdr below originates in the capture file's record
   header and is stored here without range checks.
   NOTE(review): presumably Wiretap bounds caplen before this point (cf_open()
   falls back to WTAP_MAX_PACKET_SIZE for the snapshot length) - verify,
   since rescan_packets() later uses cap_len as the length of a re-read. */
869 fdata->pkt_len = phdr->len;
870 fdata->cap_len = phdr->caplen;
871 fdata->file_off = offset;
872 fdata->lnk_t = phdr->pkt_encap;
873 fdata->abs_secs = phdr->ts.tv_sec;
874 fdata->abs_usecs = phdr->ts.tv_usec;
875 fdata->flags.encoding = CHAR_ASCII;
876 fdata->flags.visited = 0;
877 fdata->flags.marked = 0;
878 fdata->flags.ref_time = 0;
/* Read filter: dissect with a protocol tree so cf->rfcode can be evaluated.
   NOTE(review): the guard that skips this when no read filter is set is on
   lines this listing omits. */
882 edt = epan_dissect_new(TRUE, FALSE);
883 epan_dissect_prime_dfilter(edt, cf->rfcode);
884 epan_dissect_run(edt, pseudo_header, buf, fdata, NULL);
885 passed = dfilter_apply_edt(cf->rfcode, edt);
886 epan_dissect_free(edt);
889 plist_end = cf->plist_end;
890 fdata->prev = plist_end;
891 if (plist_end != NULL)
892 plist_end->next = fdata;
895 cf->plist_end = fdata;
898 fdata->num = cf->count;
899 add_packet_to_packet_list(fdata, cf, pseudo_header, buf, TRUE);
901 /* XXX - if we didn't have read filters, or if we could avoid
902 allocating the "frame_data" structure until we knew whether
903 the frame passed the read filter, we could use a G_ALLOC_ONLY
906 ...but, at least in one test I did, where I just made the chunk
907 a G_ALLOC_ONLY chunk and read in a huge capture file, it didn't
908 seem to save a noticeable amount of time or space. */
909 g_mem_chunk_free(cf->plist_chunk, fdata);
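/* Install "dftext" as the display filter for "cf" (NULL means "display all
   packets"): compile it, report a compile failure in a dialog box, replace
   the stored filter text and compiled code, and rescan the packet list.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so declarations, braces and several branches are not
   shown here. */
914 filter_packets(capture_file *cf, gchar *dftext)
918 if (dftext == NULL) {
919 /* The new filter is an empty filter (i.e., display all packets). */
923 * We have a filter; make a copy of it (as we'll be saving it),
924 * and try to compile it.
926 dftext = g_strdup(dftext);
927 if (!dfilter_compile(dftext, &dfcode)) {
928 /* The attempt failed; report an error. */
/* dfilter_error_msg is produced while compiling the filter text the caller
   supplied, so it is passed as data through a literal "%s";
   simple_dialog() takes a printf-style format (see the call in cf_open()),
   and using the message as the format would let a '%' in it be interpreted
   as a conversion.
   NOTE(review): confirm the g_strdup() copy above is freed on this error
   path; those lines are not shown here. */
929 simple_dialog(ESD_TYPE_CRIT, NULL, "%s", dfilter_error_msg);
934 if (dfcode == NULL) {
935 /* Yes - free the filter text, and set it to null. */
941 /* We have a valid filter. Replace the current filter. */
942 if (cf->dfilter != NULL)
944 cf->dfilter = dftext;
945 if (cf->dfcode != NULL)
946 dfilter_free(cf->dfcode);
949 /* Now rescan the packet list, applying the new filter, but not
950 throwing away information constructed on a previous pass. */
951 if (dftext == NULL) {
952 rescan_packets(cf, "Resetting", "Filter", TRUE, FALSE);
954 rescan_packets(cf, "Filtering", dftext, TRUE, FALSE);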
/* Rebuild the packet list without re-evaluating the display filter and
   without redissecting (refilter and redissect are both FALSE). */
960 colorize_packets(capture_file *cf)
962 rescan_packets(cf, "Colorizing", "all frames", FALSE, FALSE);
/* Rebuild the packet list after a time-reference change; refilter and
   redissect are both FALSE. */
966 reftime_packets(capture_file *cf)
968 rescan_packets(cf, "Updating Reftime", "all frames", FALSE, FALSE);
/* Rebuild the packet list with both refilter and redissect TRUE, so the
   dissectors reconstruct their state and the display filter is
   re-evaluated. */
972 redissect_packets(capture_file *cf)
974 rescan_packets(cf, "Reprocessing", "all frames", TRUE, TRUE);
977 /* Rescan the list of packets, reconstructing the CList.
979 "action" describes why we're doing this; it's used in the progress
982 "action_item" describes what we're doing; it's used in the progress
985 "refilter" is TRUE if we need to re-evaluate the filter expression.
987 "redissect" is TRUE if we need to make the dissectors reconstruct
988 any state information they have (because a preference that affects
989 some dissector has changed, meaning some dissector might construct
990 its state differently from the way it was constructed the last time). */
/* Each frame is re-read from the file with wtap_seek_read() and passed to
   add_packet_to_packet_list(); the previously selected frame is re-selected
   if it is still displayed.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so declarations, braces and several branches are not
   shown here. */
992 rescan_packets(capture_file *cf, const char *action, const char *action_item,
993 gboolean refilter, gboolean redissect)
996 progdlg_t *progbar = NULL;
1000 frame_data *selected_frame;
1004 GTimeVal start_time;
1005 gchar status_str[100];
1008 reset_tap_listeners();
1009 /* Which frame, if any, is the currently selected frame?
1010 XXX - should the selected frame or the focus frame be the "current"
1011 frame, that frame being the one from which "Find Frame" searches
1013 selected_frame = cf->current_frame;
1015 /* We don't yet know what row that frame will be on, if any, after we
1016 rebuild the clist, however. */
1020 /* We need to re-initialize all the state information that protocols
1021 keep, because some preference that controls a dissector has changed,
1022 which might cause the state information to be constructed differently
1023 by that dissector. */
1025 /* Initialize all data structures used for dissection. */
1029 /* Freeze the packet list while we redo it, so we don't get any
1030 screen updates while it happens. */
1031 packet_list_freeze();
1034 packet_list_clear();
1036 /* We don't yet know which will be the first and last frames displayed. */
1037 cf->first_displayed = NULL;
1038 cf->last_displayed = NULL;
1040 /* Iterate through the list of frames. Call a routine for each frame
1041 to check whether it should be displayed and, if so, add it to
1042 the display list. */
1048 /* Update the progress bar when it gets to this value. */
1049 cf->progbar_nextstep = 0;
1050 /* When we reach the value that triggers a progress bar update,
1051 bump that value by this amount. */
1052 cf->progbar_quantum = cf->count/N_PROGBAR_UPDATES;
1053 /* Count of packets at which we've looked. */
1057 g_get_current_time(&start_time);
1059 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
1060 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1061 when we update it, we have to run the GTK+ main loop to get it
1062 to repaint what's pending, and doing so may involve an "ioctl()"
1063 to see if there's any pending input from an X server, and doing
1064 that for every packet can be costly, especially on a big file. */
1065 if (count >= cf->progbar_nextstep) {
1066 /* let's not divide by zero. I should never be started
1067 * with count == 0, so let's assert that
1069 g_assert(cf->count > 0);
1070 prog_val = (gfloat) count / cf->count;
1072 if (progbar == NULL)
1073 /* Create the progress bar if necessary */
1074 progbar = delayed_create_progress_dlg(action, action_item, "Stop", &stop_flag,
1075 &start_time, prog_val);
1077 if (progbar != NULL) {
1078 g_snprintf(status_str, sizeof(status_str),
1079 "%4u of %u frames", count, cf->count);
1080 update_progress_dlg(progbar, prog_val, status_str);
1083 cf->progbar_nextstep += cf->progbar_quantum;
1087 /* Well, the user decided to abort the filtering. Just stop.
1089 XXX - go back to the previous filter? Users probably just
1090 want not to wait for a filtering operation to finish;
1091 unless we cancel by having no filter, reverting to the
1092 previous filter will probably be even more expensive than
1093 continuing the filtering, as it involves going back to the
1094 beginning and filtering, and even with no filter we currently
1095 have to re-generate the entire clist, which is also expensive.
1097 I'm not sure what Network Monitor does, but it doesn't appear
1098 to give you an unfiltered display if you cancel. */
1105 /* Since all state for the frame was destroyed, mark the frame
1106 * as not visited, free the GSList referring to the state
1107 * data (the per-frame data itself was freed by
1108 * "init_dissection()"), and null out the GSList pointer. */
1109 fdata->flags.visited = 0;
1111 g_slist_free(fdata->pfd);
/* Re-read the packet data into cf->pd using the cap_len that read_packet()
   copied from the capture file's record header.
   NOTE(review): the size of cf->pd is not visible in this file section;
   presumably it is at least WTAP_MAX_PACKET_SIZE and Wiretap never reports
   a larger caplen - verify, because the read length here is file-supplied.
   On failure the text from file_read_error_message() is used as the format
   with cf->filename as its argument, so a '%' in the file name is printed
   as data. */
1116 if (!wtap_seek_read (cf->wth, fdata->file_off, &cf->pseudo_header,
1117 cf->pd, fdata->cap_len, &err)) {
1118 simple_dialog(ESD_TYPE_CRIT, NULL,
1119 file_read_error_message(err), cf->filename);
1123 row = add_packet_to_packet_list(fdata, cf, &cf->pseudo_header, cf->pd,
1125 if (fdata == selected_frame)
1130 /* Clear out what remains of the visited flags and per-frame data
1133 XXX - that may cause various forms of bogosity when dissecting
1134 these frames, as they won't have been seen by this sequential
1135 pass, but the only alternative I see is to keep scanning them
1136 even though the user requested that the scan stop, and that
1137 would leave the user stuck with an Ethereal grinding on
1138 until it finishes. Should we just stick them with that? */
1139 for (; fdata != NULL; fdata = fdata->next) {
1140 fdata->flags.visited = 0;
1142 g_slist_free(fdata->pfd);
1148 /* We're done filtering the packets; destroy the progress bar if it
1150 if (progbar != NULL)
1151 destroy_progress_dlg(progbar);
1153 /* Unfreeze the packet list. */
1156 if (selected_row != -1) {
1157 /* The frame that was selected passed the filter; select it, make it
1158 the focus row, and make it visible. */
1159 packet_list_set_selected_row(selected_row);
1161 /* New dissection, so no field has been selected yet. */
1162 cf->finfo_selected = NULL;
1164 /* The selected frame didn't pass the filter; make the first frame
1165 the current frame, and leave it unselected. */
1166 unselect_packet(cf);
1167 cf->current_frame = cf->first_displayed;
/*
 * Print frames of "cf" to the destination described by "print_args".
 *
 * The destination is opened with open_print_dest(); if that fails the
 * function returns FALSE before anything is printed.  Frames are printed
 * only if they passed the display filter and, when
 * print_args->print_only_marked is set, are also marked.  When
 * print_args->print_summary is set, one column-formatted line per frame is
 * built in a heap buffer (line_buf) that is regrown on demand; the other
 * visible path builds the protocol tree, prints it, and adds a hex dump
 * when print_args->print_hex is set.
 *
 * The string returned by file_read_error_message() is passed to
 * simple_dialog() as its format, with cf->filename as the argument.
 *
 * NOTE(review): several lines of this function (local declarations,
 * braces, the clean-up calls) are not present in this listing; the
 * comments added here describe only what the visible lines show.
 */
1172 print_packets(capture_file *cf, print_args_t *print_args)
1176 progdlg_t *progbar = NULL;
1180 gint *col_widths = NULL;
1182 gboolean print_separator;
1183 char *line_buf = NULL;
1184 int line_buf_len = 256;
1189 epan_dissect_t *edt = NULL;
1191 GTimeVal start_time;
1192 gchar status_str[100];
1194 cf->print_fh = open_print_dest(print_args->to_file, print_args->dest);
1195 if (cf->print_fh == NULL)
1196 return FALSE; /* attempt to open destination failed */
1198 print_preamble(cf->print_fh, print_args->format);
1200 if (print_args->print_summary) {
1201 /* We're printing packet summaries. Allocate the line buffer at
1202 its initial length. */
1203 line_buf = g_malloc(line_buf_len + 1);
1205 /* Find the widths for each of the columns - maximum of the
1206 width of the title and the width of the data - and print
1207 the column titles. */
1208 col_widths = (gint *) g_malloc(sizeof(gint) * cf->cinfo.num_cols);
1211 for (i = 0; i < cf->cinfo.num_cols; i++) {
1212 /* Don't pad the last column. */
1213 if (i == cf->cinfo.num_cols - 1)
1216 col_widths[i] = strlen(cf->cinfo.col_title[i]);
1217 data_width = get_column_char_width(get_column_format(i));
1218 if (data_width > col_widths[i])
1219 col_widths[i] = data_width;
1222 /* Find the length of the string for this column. */
1223 column_len = strlen(cf->cinfo.col_title[i]);
1224 if (col_widths[i] > column_len)
1225 column_len = col_widths[i];
1227 /* Make sure there's room in the line buffer for the column; if not,
1228 double its length. */
/* line_len is the running total of bytes needed for the columns so far;
   the buffer is regrown before the column is formatted, which is what
   keeps the unbounded sprintf() below inside line_buf. */
1229 line_len += column_len + 1; /* "+1" for space */
1230 if (line_len > line_buf_len) {
1231 cp_off = cp - line_buf;
1232 line_buf_len = 2 * line_len;
1233 line_buf = g_realloc(line_buf, line_buf_len + 1);
1234 cp = line_buf + cp_off;
1237 /* Right-justify the packet number column. */
/* NOTE(review): sprintf() has no length limit of its own.  The write is
   safe only while column_len (the larger of the string length and
   col_widths[i], computed above) matches what the "%*s" conversion emits.
   A bounded formatter such as g_snprintf(), already used in this
   function, given the space remaining in line_buf, would not depend on
   that bookkeeping. */
1238 if (cf->cinfo.col_fmt[i] == COL_NUMBER)
1239 sprintf(cp, "%*s", col_widths[i], cf->cinfo.col_title[i]);
1241 sprintf(cp, "%-*s", col_widths[i], cf->cinfo.col_title[i]);
1243 if (i != cf->cinfo.num_cols - 1)
1247 print_line(cf->print_fh, 0, print_args->format, line_buf);
1250 print_separator = FALSE;
1252 /* Update the progress bar when it gets to this value. */
1253 cf->progbar_nextstep = 0;
1254 /* When we reach the value that triggers a progress bar update,
1255 bump that value by this amount. */
1256 cf->progbar_quantum = cf->count/N_PROGBAR_UPDATES;
1257 /* Count of packets at which we've looked. */
1261 g_get_current_time(&start_time);
1263 /* Iterate through the list of packets, printing the packets that
1264 were selected by the current display filter. */
1265 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
1266 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1267 when we update it, we have to run the GTK+ main loop to get it
1268 to repaint what's pending, and doing so may involve an "ioctl()"
1269 to see if there's any pending input from an X server, and doing
1270 that for every packet can be costly, especially on a big file. */
1271 if (count >= cf->progbar_nextstep) {
1272 /* let's not divide by zero. I should never be started
1273 * with count == 0, so let's assert that
1275 g_assert(cf->count > 0);
1276 prog_val = (gfloat) count / cf->count;
1278 if (progbar == NULL)
1279 /* Create the progress bar if necessary */
1280 progbar = delayed_create_progress_dlg("Printing", "selected frames", "Stop", &stop_flag,
1281 &start_time, prog_val);
1283 if (progbar != NULL) {
1284 g_snprintf(status_str, sizeof(status_str),
1285 "%4u of %u frames", count, cf->count);
1286 update_progress_dlg(progbar, prog_val, status_str);
1289 cf->progbar_nextstep += cf->progbar_quantum;
1293 /* Well, the user decided to abort the printing. Just stop.
1295 XXX - note that what got generated before they did that
1296 will get printed, as we're piping to a print program; we'd
1297 have to write to a file and then hand that to the print
1298 program to make it actually not print anything. */
1303 /* Check to see if we are suppressing unmarked packets, if so,
1304 * suppress them and then proceed to check for visibility.
1306 if (((print_args->print_only_marked && fdata->flags.marked ) ||
1307 !(print_args->print_only_marked)) && fdata->flags.passed_dfilter) {
1308 if (!wtap_seek_read (cf->wth, fdata->file_off, &cf->pseudo_header,
1309 cf->pd, fdata->cap_len, &err)) {
1310 simple_dialog(ESD_TYPE_CRIT, NULL,
1311 file_read_error_message(err), cf->filename);
1314 if (print_args->print_summary) {
1315 /* Fill in the column information, but don't bother creating
1316 the logical protocol tree. */
1317 edt = epan_dissect_new(FALSE, FALSE);
1318 epan_dissect_run(edt, &cf->pseudo_header, cf->pd, fdata, &cf->cinfo);
1319 epan_dissect_fill_in_columns(edt);
1322 for (i = 0; i < cf->cinfo.num_cols; i++) {
1323 /* Find the length of the string for this column. */
1324 column_len = strlen(cf->cinfo.col_data[i]);
1325 if (col_widths[i] > column_len)
1326 column_len = col_widths[i];
1328 /* Make sure there's room in the line buffer for the column; if not,
1329 double its length. */
1330 line_len += column_len + 1; /* "+1" for space */
1331 if (line_len > line_buf_len) {
1332 cp_off = cp - line_buf;
1333 line_buf_len = 2 * line_len;
1334 line_buf = g_realloc(line_buf, line_buf_len + 1);
1335 cp = line_buf + cp_off;
1338 /* Right-justify the packet number column. */
/* NOTE(review): col_data[i] is text produced by dissecting the frame, so
   its length depends on capture contents.  As with the title row, this
   unbounded sprintf() relies entirely on the column_len accounting above
   having grown line_buf first. */
1339 if (cf->cinfo.col_fmt[i] == COL_NUMBER)
1340 sprintf(cp, "%*s", col_widths[i], cf->cinfo.col_data[i]);
1342 sprintf(cp, "%-*s", col_widths[i], cf->cinfo.col_data[i]);
1344 if (i != cf->cinfo.num_cols - 1)
1348 print_line(cf->print_fh, 0, print_args->format, line_buf);
1350 if (print_separator)
1351 print_line(cf->print_fh, 0, print_args->format, "");
1353 /* Create the logical protocol tree, complete with the display
1354 representation of the items; we don't need the columns here,
1356 edt = epan_dissect_new(TRUE, TRUE);
1357 epan_dissect_run(edt, &cf->pseudo_header, cf->pd, fdata, NULL);
1359 /* Print the information in that tree. */
1360 proto_tree_print(print_args, edt, cf->print_fh);
1362 if (print_args->print_hex) {
1363 /* Print the full packet data as hex. */
1364 print_hex_data(cf->print_fh, print_args->format, edt);
1367 /* Print a blank line if we print anything after this. */
1368 print_separator = TRUE;
1370 epan_dissect_free(edt);
1374 /* We're done printing the packets; destroy the progress bar if
1376 if (progbar != NULL)
1377 destroy_progress_dlg(progbar);
1379 if (col_widths != NULL)
1381 if (line_buf != NULL)
1384 print_finale(cf->print_fh, print_args->format);
1386 close_print_dest(print_args->to_file, cf->print_fh);
1388 cf->print_fh = NULL;
1393 /* Scan through the packet list and change all columns that use the
1394 "command-line-specified" time stamp format to use the current
1395 value of that format. */
/*
 * cf: capture file whose packet list rows are refreshed.
 *
 * Nothing is done unless check_col() reports a COL_CLS_TIME column.  The
 * frame list is then walked once; for every frame that has a row in the
 * packet list, each column flagged in fmt_matx[i][COL_CLS_TIME] is
 * regenerated with col_set_cls_time() and written back to that row.
 * A progress dialog is created lazily and refreshed as the walk crosses
 * each cf->progbar_nextstep threshold.
 */
1397 change_time_formats(capture_file *cf)
1400 progdlg_t *progbar = NULL;
1406 GTimeVal start_time;
1407 gchar status_str[100];
1409 /* Are there any columns with time stamps in the "command-line-specified"
1412 XXX - we have to force the "column is writable" flag on, as it
1413 might be off from the last frame that was dissected. */
1414 col_set_writable(&cf->cinfo, TRUE);
1415 if (!check_col(&cf->cinfo, COL_CLS_TIME)) {
1416 /* No, there aren't any columns in that format, so we have no work
1421 /* Freeze the packet list while we redo it, so we don't get any
1422 screen updates while it happens. */
1425 /* Update the progress bar when it gets to this value. */
1426 cf->progbar_nextstep = 0;
1427 /* When we reach the value that triggers a progress bar update,
1428 bump that value by this amount. */
1429 cf->progbar_quantum = cf->count/N_PROGBAR_UPDATES;
1430 /* Count of packets at which we've looked. */
1434 g_get_current_time(&start_time);
1436 /* Iterate through the list of packets, checking whether the packet
1437 is in a row of the summary list and, if so, whether there are
1438 any columns that show the time in the "command-line-specified"
1439 format and, if so, update that row. */
1440 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
1441 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1442 when we update it, we have to run the GTK+ main loop to get it
1443 to repaint what's pending, and doing so may involve an "ioctl()"
1444 to see if there's any pending input from an X server, and doing
1445 that for every packet can be costly, especially on a big file. */
1446 if (count >= cf->progbar_nextstep) {
1447 /* let's not divide by zero. I should never be started
1448 * with count == 0, so let's assert that
1450 g_assert(cf->count > 0);
1452 prog_val = (gfloat) count / cf->count;
1454 if (progbar == NULL)
1455 /* Create the progress bar if necessary */
1456 progbar = delayed_create_progress_dlg("Changing", "time display", "Stop",
1457 &stop_flag, &start_time, prog_val);
1459 if (progbar != NULL) {
1460 g_snprintf(status_str, sizeof(status_str),
1461 "%4u of %u frames", count, cf->count);
1462 update_progress_dlg(progbar, prog_val, status_str);
1465 cf->progbar_nextstep += cf->progbar_quantum;
1469 /* Well, the user decided to abort the redisplay. Just stop.
1471 XXX - this leaves the time field in the old format in
1472 frames we haven't yet processed. So it goes; should we
1473 simply not offer them the option of stopping? */
1479 /* Find what row this packet is in. */
1480 row = packet_list_find_row_from_data(fdata);
1483 /* This packet is in the summary list, on row "row". */
1485 for (i = 0; i < cf->cinfo.num_cols; i++) {
1486 if (cf->cinfo.fmt_matx[i][COL_CLS_TIME]) {
1487 /* This is one of the columns that shows the time in
1488 "command-line-specified" format; update it. */
/* Empty the column's buffer, regenerate the time text for this frame,
   then copy the resulting col_data[i] into the packet list row. */
1489 cf->cinfo.col_buf[i][0] = '\0';
1490 col_set_cls_time(fdata, &cf->cinfo, i);
1491 packet_list_set_text(row, i, cf->cinfo.col_data[i]);
1497 /* We're done redisplaying the packets; destroy the progress bar if it
1499 if (progbar != NULL)
1500 destroy_progress_dlg(progbar);
1502 /* Set the column widths of those columns that show the time in
1503 "command-line-specified" format. */
1504 for (i = 0; i < cf->cinfo.num_cols; i++) {
1505 if (cf->cinfo.fmt_matx[i][COL_CLS_TIME]) {
1506 packet_list_set_cls_time_width(i);
1510 /* Unfreeze the packet list. */
1518 gboolean frame_matched;
/*
 * Search the capture for a frame whose protocol tree text matches
 * "string".
 *
 * The text and its length are packed into a match_data record and handed
 * to find_packet() with match_protocol_tree() as the per-frame test.
 * Returns whatever find_packet() returns.
 */
gboolean
find_packet_protocol_tree(capture_file *cf, const char *string)
{
  match_data criteria;

  /* Measure the text once here; the match callbacks reuse string_len. */
  criteria.string_len = strlen(string);
  criteria.string = string;

  return find_packet(cf, match_protocol_tree, &criteria);
}
/*
 * Per-frame test used with find_packet(): dissect the frame that has been
 * loaded into cf->pd with a full protocol tree, then let
 * match_subtree_text() visit the children of the tree root.
 *
 * criterion is a match_data record; its frame_matched flag is cleared
 * before the walk and its final value is the return value.  The dissection
 * is freed before returning.
 */
1532 match_protocol_tree(capture_file *cf, frame_data *fdata, void *criterion)
1534 match_data *mdata = criterion;
1535 epan_dissect_t *edt;
1537 /* Construct the protocol tree, including the displayed text */
1538 edt = epan_dissect_new(TRUE, TRUE);
1539 /* We don't need the column information */
1540 epan_dissect_run(edt, &cf->pseudo_header, cf->pd, fdata, NULL);
1542 /* Iterate through all the nodes, seeing if they have text that matches. */
1544 mdata->frame_matched = FALSE;
1545 g_node_children_foreach((GNode*) edt->tree, G_TRAVERSE_ALL,
1546 match_subtree_text, mdata);
1547 epan_dissect_free(edt);
1548 return mdata->frame_matched;
/*
 * GNode visitor: compare the label of one protocol tree item with the
 * search text in the match_data record passed as "data", then recurse
 * into the item's children.
 *
 * The label is fi->representation when one exists; otherwise a generic
 * label is generated into the local label_str buffer by
 * proto_item_fill_label().  A hit is reported by setting
 * mdata->frame_matched, and a frame that already matched is not examined
 * again.
 */
1552 match_subtree_text(GNode *node, gpointer data)
1554 match_data *mdata = (match_data*) data;
1555 const gchar *string = mdata->string;
1556 size_t string_len = mdata->string_len;
1557 capture_file *cf = mdata->cf;
1558 field_info *fi = PITEM_FINFO(node);
1559 gchar label_str[ITEM_LABEL_LENGTH];
1566 if (mdata->frame_matched) {
1567 /* We already had a match; don't bother doing any more work. */
1571 /* Don't match invisible entries. */
1575 /* was a free format label produced? */
1576 if (fi->representation) {
1577 label_ptr = fi->representation;
1579 /* no, make a generic label */
1580 label_ptr = label_str;
1581 proto_item_fill_label(fi, label_str);
1584 /* Does that label match? */
/* NOTE(review): label text is derived from packet contents, so c_char may
   hold a byte above 0x7f.  toupper() requires a value representable as
   unsigned char; the declaration of c_char is not visible here - confirm
   that it cannot be a negative plain char.
   NOTE(review): string[c_match] is compared before c_match is checked
   against string_len, so an empty search string is not rejected by the
   visible lines; confirm that callers never pass one. */
1585 label_len = strlen(label_ptr);
1586 for (i = 0; i < label_len; i++) {
1587 c_char = label_ptr[i];
1589 c_char = toupper(c_char);
1590 if (c_char == string[c_match]) {
1592 if (c_match == string_len) {
1593 /* No need to look further; we have a match */
1594 mdata->frame_matched = TRUE;
1601 /* Recurse into the subtree, if it exists */
1602 if (g_node_n_children(node) > 0)
1603 g_node_children_foreach(node, G_TRAVERSE_ALL, match_subtree_text, mdata);
/*
 * Search the capture for a frame whose summary line matches "string".
 *
 * The text and its length are packed into a match_data record and handed
 * to find_packet() with match_summary_line() as the per-frame test.
 * Returns whatever find_packet() returns.
 */
gboolean
find_packet_summary_line(capture_file *cf, const char *string)
{
  match_data criteria;

  /* Measure the text once here; the match callback reuses string_len. */
  criteria.string_len = strlen(string);
  criteria.string = string;

  return find_packet(cf, match_summary_line, &criteria);
}
/*
 * Per-frame test used with find_packet(): dissect the frame for column
 * data only (no protocol tree), locate the column flagged COL_INFO in
 * fmt_matx, and compare its text with the search string held in the
 * match_data record "criterion".
 *
 * Returns frame_matched, which starts out FALSE; the dissection is freed
 * before returning.
 *
 * NOTE(review): the Info text comes from dissecting packet contents, so
 * bytes above 0x7f are possible; toupper() needs a value representable as
 * unsigned char, and the declaration of c_char is not visible here.
 */
1617 match_summary_line(capture_file *cf, frame_data *fdata, void *criterion)
1619 match_data *mdata = criterion;
1620 const gchar *string = mdata->string;
1621 size_t string_len = mdata->string_len;
1622 epan_dissect_t *edt;
1623 const char *info_column;
1624 size_t info_column_len;
1625 gboolean frame_matched = FALSE;
1631 /* Don't bother constructing the protocol tree */
1632 edt = epan_dissect_new(FALSE, FALSE);
1633 /* Get the column information */
1634 epan_dissect_run(edt, &cf->pseudo_header, cf->pd, fdata, &cf->cinfo);
1636 /* Find the Info column */
1637 for (colx = 0; colx < cf->cinfo.num_cols; colx++) {
1638 if (cf->cinfo.fmt_matx[colx][COL_INFO]) {
1639 /* Found it. See if we match. */
1640 info_column = edt->pi.cinfo->col_data[colx];
1641 info_column_len = strlen(info_column);
1642 for (i = 0; i < info_column_len; i++) {
1643 c_char = info_column[i];
1645 c_char = toupper(c_char);
1646 if (c_char == string[c_match]) {
1648 if (c_match == string_len) {
1649 frame_matched = TRUE;
1658 epan_dissect_free(edt);
1659 return frame_matched;
1665 } cbs_t; /* "Counted byte string" */
/*
 * Search the raw data of the frames for "string", which is string_size
 * bytes long.
 *
 * The bytes are described to the match functions through a counted byte
 * string record (info).  For text searches cf->scs_type selects
 * match_ascii_and_unicode(), match_ascii() or match_unicode(); the last
 * visible call uses match_binary().  Every path returns the result of
 * find_packet().
 *
 * NOTE(review): string_size is passed through unchecked; confirm that
 * callers reject an empty search string, which the match functions'
 * visible lines do not special-case.
 */
1668 find_packet_data(capture_file *cf, const guint8 *string, size_t string_size)
1673 info.data_len = string_size;
1675 /* String or hex search? */
1677 /* String search - what type of string? */
1678 switch (cf->scs_type) {
1680 case SCS_ASCII_AND_UNICODE:
1681 return find_packet(cf, match_ascii_and_unicode, &info);
1684 return find_packet(cf, match_ascii, &info);
1687 return find_packet(cf, match_unicode, &info);
1690 g_assert_not_reached();
1694 return find_packet(cf, match_binary, &info);
/*
 * Per-frame test used with find_packet(): look for the text described by
 * the cbs_t record "criterion" in the frame's data.
 *
 * NOTE(review): buf_len is taken from fdata->pkt_len, but find_packet()
 * reads only fdata->cap_len bytes into cf->pd before calling a match
 * function.  If the loop indexes cf->pd (that line is not visible here;
 * match_binary() does), a frame with cap_len < pkt_len is scanned past
 * the bytes that were read for it.  Bounding the loop by cap_len avoids
 * that.
 * NOTE(review): toupper() needs a value representable as unsigned char;
 * confirm the type of c_char, whose declaration is not visible.
 */
1698 match_ascii_and_unicode(capture_file *cf, frame_data *fdata, void *criterion)
1700 cbs_t *info = criterion;
1701 const char *ascii_text = info->data;
1702 size_t textlen = info->data_len;
1703 gboolean frame_matched;
1709 frame_matched = FALSE;
1710 buf_len = fdata->pkt_len;
1711 for (i = 0; i < buf_len; i++) {
1714 c_char = toupper(c_char);
1716 if (c_char == ascii_text[c_match]) {
1718 if (c_match == textlen) {
1719 frame_matched = TRUE;
1726 return frame_matched;
/*
 * Per-frame test used with find_packet(): look for the ASCII text
 * described by the cbs_t record "criterion" in the frame's data.
 *
 * NOTE(review): buf_len is taken from fdata->pkt_len, but find_packet()
 * reads only fdata->cap_len bytes into cf->pd before calling a match
 * function.  If the loop indexes cf->pd (that line is not visible here;
 * match_binary() does), a frame with cap_len < pkt_len is scanned past
 * the bytes that were read for it.  Bounding the loop by cap_len avoids
 * that.
 * NOTE(review): toupper() needs a value representable as unsigned char;
 * confirm the type of c_char, whose declaration is not visible.
 */
1730 match_ascii(capture_file *cf, frame_data *fdata, void *criterion)
1732 cbs_t *info = criterion;
1733 const char *ascii_text = info->data;
1734 size_t textlen = info->data_len;
1735 gboolean frame_matched;
1741 frame_matched = FALSE;
1742 buf_len = fdata->pkt_len;
1743 for (i = 0; i < buf_len; i++) {
1746 c_char = toupper(c_char);
1747 if (c_char == ascii_text[c_match]) {
1749 if (c_match == textlen) {
1750 frame_matched = TRUE;
1756 return frame_matched;
/*
 * Per-frame test used with find_packet(): look for the text described by
 * the cbs_t record "criterion" in the frame's data (the Unicode variant
 * selected by find_packet_data()).
 *
 * NOTE(review): buf_len is taken from fdata->pkt_len, but find_packet()
 * reads only fdata->cap_len bytes into cf->pd before calling a match
 * function.  If the loop indexes cf->pd (that line is not visible here;
 * match_binary() does), a frame with cap_len < pkt_len is scanned past
 * the bytes that were read for it.  Bounding the loop by cap_len avoids
 * that.
 * NOTE(review): toupper() needs a value representable as unsigned char;
 * confirm the type of c_char, whose declaration is not visible.
 */
1760 match_unicode(capture_file *cf, frame_data *fdata, void *criterion)
1762 cbs_t *info = criterion;
1763 const char *ascii_text = info->data;
1764 size_t textlen = info->data_len;
1765 gboolean frame_matched;
1771 frame_matched = FALSE;
1772 buf_len = fdata->pkt_len;
1773 for (i = 0; i < buf_len; i++) {
1776 c_char = toupper(c_char);
1777 if (c_char == ascii_text[c_match]) {
1780 if (c_match == textlen) {
1781 frame_matched = TRUE;
1787 return frame_matched;
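/*
 * Per-frame test used with find_packet(): does the captured data of this
 * frame contain the byte string described by "criterion"?
 *
 * cf         capture file; cf->pd holds the frame's data, which
 *            find_packet() loads (fdata->cap_len bytes) before calling
 * fdata      the frame being tested
 * criterion  a cbs_t giving the bytes to look for and their count
 *
 * Returns TRUE if the byte string occurs in the captured data, FALSE
 * otherwise (including for an empty byte string).
 */
static gboolean
match_binary(capture_file *cf, frame_data *fdata, void *criterion)
{
  cbs_t        *info = criterion;
  const guint8 *binary_data = info->data;
  size_t        datalen = info->data_len;
  size_t        buf_len;
  size_t        i;

  /* Search only the bytes that were actually captured and read into
     cf->pd; the on-the-wire length (pkt_len) can be larger than that. */
  buf_len = fdata->cap_len;

  /* Nothing to find, or the pattern cannot fit: no match.  Checking here
     also keeps binary_data[0] from being read for a zero-length pattern. */
  if (datalen == 0 || datalen > buf_len)
    return FALSE;

  /* Compare the whole pattern at every offset where it still fits, so a
     match that begins inside a partially matched prefix is not missed. */
  for (i = 0; i + datalen <= buf_len; i++) {
    if (memcmp(&cf->pd[i], binary_data, datalen) == 0)
      return TRUE;
  }
  return FALSE;
}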
/*
 * Search the capture for a frame accepted by the compiled display filter
 * "sfcode".  match_dfilter() is the per-frame test; the result of
 * find_packet() is returned unchanged.
 */
gboolean
find_packet_dfilter(capture_file *cf, dfilter_t *sfcode)
{
  gboolean found;

  found = find_packet(cf, match_dfilter, sfcode);
  return found;
}
/*
 * Per-frame test used with find_packet(): dissect the frame that has been
 * loaded into cf->pd and apply the compiled display filter passed as
 * "criterion" to the result.
 *
 * The dissection is primed with the filter before it runs, no column
 * information is requested, and the dissection is freed before returning.
 * Returns the value of dfilter_apply_edt().
 */
static gboolean
match_dfilter(capture_file *cf, frame_data *fdata, void *criterion)
{
  dfilter_t      *filter = criterion;
  epan_dissect_t *dissection = epan_dissect_new(TRUE, FALSE);
  gboolean        passed;

  epan_dissect_prime_dfilter(dissection, filter);
  epan_dissect_run(dissection, &cf->pseudo_header, cf->pd, fdata, NULL);

  passed = dfilter_apply_edt(filter, dissection);

  epan_dissect_free(dissection);
  return passed;
}
/*
 * Walk the frame list starting from cf->current_frame, in the direction
 * selected by cf->sbackward and wrapping at either end of the list, until
 * match_function accepts a displayed frame or the walk is back at the
 * frame it started from.
 *
 * cf              capture file whose frames are searched
 * match_function  per-frame test; called only for frames that passed the
 *                 display filter, after the frame's data has been read
 *                 into cf->pd
 * criterion       opaque value handed to match_function (its parameter
 *                 line is not visible in this listing)
 *
 * Returns TRUE after selecting the row of the matching frame, FALSE
 * otherwise.
 */
1838 find_packet(capture_file *cf,
1839 gboolean (*match_function)(capture_file *, frame_data *, void *),
1842 frame_data *start_fd;
1844 frame_data *new_fd = NULL;
1845 progdlg_t *progbar = NULL;
1851 GTimeVal start_time;
1852 gchar status_str[100];
1854 start_fd = cf->current_frame;
1855 if (start_fd != NULL) {
1856 /* Iterate through the list of packets, starting at the packet we've
1857 picked, calling a routine to run the filter on the packet, see if
1858 it matches, and stop if so. */
1862 cf->progbar_nextstep = 0;
1863 /* When we reach the value that triggers a progress bar update,
1864 bump that value by this amount. */
1865 cf->progbar_quantum = cf->count/N_PROGBAR_UPDATES;
1868 g_get_current_time(&start_time);
1872 /* Update the progress bar, but do it only N_PROGBAR_UPDATES times;
1873 when we update it, we have to run the GTK+ main loop to get it
1874 to repaint what's pending, and doing so may involve an "ioctl()"
1875 to see if there's any pending input from an X server, and doing
1876 that for every packet can be costly, especially on a big file. */
1877 if (count >= cf->progbar_nextstep) {
1878 /* let's not divide by zero. I should never be started
1879 * with count == 0, so let's assert that
1881 g_assert(cf->count > 0);
1883 prog_val = (gfloat) count / cf->count;
1885 /* Create the progress bar if necessary */
1886 if (progbar == NULL)
1887 progbar = delayed_create_progress_dlg("Searching", cf->sfilter, "Cancel",
1888 &stop_flag, &start_time, prog_val);
1890 if (progbar != NULL) {
1891 g_snprintf(status_str, sizeof(status_str),
1892 "%4u of %u frames", count, cf->count);
1893 update_progress_dlg(progbar, prog_val, status_str);
1896 cf->progbar_nextstep += cf->progbar_quantum;
1900 /* Well, the user decided to abort the search. Go back to the
1901 frame where we started. */
1906 /* Go past the current frame. */
1907 if (cf->sbackward) {
1908 /* Go on to the previous frame. */
1909 fdata = fdata->prev;
1911 fdata = cf->plist_end; /* wrap around */
1913 /* Go on to the next frame. */
1914 fdata = fdata->next;
1916 fdata = cf->plist; /* wrap around */
1921 /* Is this packet in the display? */
1922 if (fdata->flags.passed_dfilter) {
1923 /* Yes. Load its data. */
/* Only fdata->cap_len bytes are loaded into cf->pd for this frame, so a
   match function must not examine more of cf->pd than that. */
1924 if (!wtap_seek_read(cf->wth, fdata->file_off, &cf->pseudo_header,
1925 cf->pd, fdata->cap_len, &err)) {
1926 /* Read error. Report the error, and go back to the frame
1927 where we started. */
1928 simple_dialog(ESD_TYPE_CRIT, NULL,
1929 file_read_error_message(err), cf->filename);
1934 /* Does it match the search criterion? */
1935 if ((*match_function)(cf, fdata, criterion)) {
1937 break; /* found it! */
1941 if (fdata == start_fd) {
1942 /* We're back to the frame we were on originally, and that frame
1943 doesn't match the search filter. The search failed. */
1948 /* We're done scanning the packets; destroy the progress bar if it
1950 if (progbar != NULL)
1951 destroy_progress_dlg(progbar);
1954 if (new_fd != NULL) {
1955 /* We found a frame. Find what row it's in. */
1956 row = packet_list_find_row_from_data(new_fd);
1957 g_assert(row != -1);
1959 /* Select that row, make it the focus row, and make it visible. */
1960 packet_list_set_selected_row(row);
1961 return TRUE; /* success */
1963 return FALSE; /* failure */
/*
 * Make the frame numbered "fnumber" the selected row of the packet list.
 *
 * The frame list is scanned from the start for the first frame whose
 * number is not below fnumber.  An error dialog is shown and FALSE is
 * returned if the scan runs off the end of the list or if the frame found
 * did not pass the display filter; otherwise the frame's row is selected
 * and TRUE is returned.
 */
gboolean
goto_frame(capture_file *cf, guint fnumber)
{
  frame_data *fd;
  int         list_row;

  /* Skip every frame numbered below the one requested. */
  fd = cf->plist;
  while (fd != NULL && fd->num < fnumber)
    fd = fd->next;

  if (fd == NULL) {
    /* The list ended before such a frame turned up. */
    simple_dialog(ESD_TYPE_CRIT, NULL,
                  "There is no frame with that frame number.");
    return FALSE;
  }

  if (!fd->flags.passed_dfilter) {
    /* The frame exists but is filtered out of the display. */
    simple_dialog(ESD_TYPE_CRIT, NULL,
                  "That frame is not currently being displayed.");
    return FALSE;
  }

  /* A displayed frame must have a row in the packet list. */
  list_row = packet_list_find_row_from_data(fd);
  g_assert(list_row != -1);

  /* Selecting the row also makes it the focus row and scrolls to it. */
  packet_list_set_selected_row(list_row);
  return TRUE;
}
1999 /* Select the packet on a given row. */
/*
 * cf   capture file the packet list belongs to
 * row  packet list row that was selected
 *
 * Looks up the frame attached to the row, reads its cap_len bytes into
 * cf->pd, records it as cf->current_frame, replaces cf->edt with a fresh
 * dissection that includes the protocol tree, redraws the byte views and
 * the tree, and updates the menus for a selected packet.
 */
2001 select_packet(capture_file *cf, int row)
2006 /* Get the frame data struct pointer for this frame */
2007 fdata = (frame_data *)packet_list_get_row_data(row);
2009 if (fdata == NULL) {
2010 /* XXX - if a GtkCList's selection mode is GTK_SELECTION_BROWSE, when
2011 the first entry is added to it by "real_insert_row()", that row
2012 is selected (see "real_insert_row()", in "gtk/gtkclist.c", in both
2013 our version and the vanilla GTK+ version).
2015 This means that a "select-row" signal is emitted; this causes
2016 "packet_list_select_cb()" to be called, which causes "select_packet()"
2019 "select_packet()" fetches, above, the data associated with the
2020 row that was selected; however, as "gtk_clist_append()", which
2021 called "real_insert_row()", hasn't yet returned, we haven't yet
2022 associated any data with that row, so we get back a null pointer.
2024 We can't assume that there's only one frame in the frame list,
2025 either, as we may be filtering the display.
2027 We therefore assume that, if "row" is 0, i.e. the first row
2028 is being selected, and "cf->first_displayed" equals
2029 "cf->last_displayed", i.e. there's only one frame being
2030 displayed, that frame is the frame we want.
2032 This means we have to set "cf->first_displayed" and
2033 "cf->last_displayed" before adding the row to the
2034 GtkCList; see the comment in "add_packet_to_packet_list()". */
2036 if (row == 0 && cf->first_displayed == cf->last_displayed)
2037 fdata = cf->first_displayed;
2040 /* Get the data in that frame. */
/* NOTE(review): if the row had no data and the single-frame fallback
   above did not apply, fdata is still NULL when it is dereferenced here,
   unless a line not shown in this listing returns first.  TODO confirm,
   and add an explicit NULL check if there is none. */
2041 if (!wtap_seek_read (cf->wth, fdata->file_off, &cf->pseudo_header,
2042 cf->pd, fdata->cap_len, &err)) {
2043 simple_dialog(ESD_TYPE_CRIT, NULL,
2044 file_read_error_message(err), cf->filename);
2048 /* Record that this frame is the current frame. */
2049 cf->current_frame = fdata;
2051 /* Create the logical protocol tree. */
2052 if (cf->edt != NULL) {
2053 epan_dissect_free(cf->edt);
2056 /* We don't need the columns here. */
2057 cf->edt = epan_dissect_new(TRUE, TRUE);
2058 epan_dissect_run(cf->edt, &cf->pseudo_header, cf->pd, cf->current_frame,
2061 /* Display the GUI protocol tree and hex dump.
2062 XXX - why do we dump core if we call "proto_tree_draw()"
2063 before calling "add_byte_views()"? */
2064 add_main_byte_views(cf->edt);
2065 main_proto_tree_draw(cf->edt->tree);
2067 /* A packet is selected. */
2068 set_menus_for_selected_packet(cf);
2071 /* Unselect the selected packet, if any. */
/*
 * cf: capture file whose selection is cleared.
 *
 * Frees cf->edt if one exists, clears the tree and hex views, sets
 * cf->current_frame to NULL and refreshes the packet menus.
 * NOTE(review): the epan_dissect_t is freed here; the line that would
 * reset cf->edt afterwards is not visible in this listing - confirm the
 * pointer is cleared so a later call cannot free it twice.
 */
2073 unselect_packet(capture_file *cf)
2075 /* Destroy the epan_dissect_t for the unselected packet. */
2076 if (cf->edt != NULL) {
2077 epan_dissect_free(cf->edt);
2081 /* Clear out the display of that packet. */
2082 clear_tree_and_hex_views();
2084 /* No packet is selected. */
2085 cf->current_frame = NULL;
2086 set_menus_for_selected_packet(cf);
2088 /* No protocol tree means no selected field. */
2092 /* Unset the selected protocol tree field, if any. */
/*
 * Drop the current protocol tree field selection: pop the field message
 * from the status bar, forget the selected field_info in "cf", and let the
 * menus reflect that no tree row is selected.
 */
void
unselect_field(capture_file *cf)
{
  /* The status bar message described the field that is being dropped. */
  statusbar_pop_field_msg();

  cf->finfo_selected = NULL;

  /* Called after the pointer is cleared, as in the original order. */
  set_menus_for_selected_tree_row(cf);
}
2102 * Mark a particular frame.
/* Sets the "marked" flag of "frame".  "cf" is not used by the visible
   lines; any bookkeeping on it would be on a line not shown here. */
2105 mark_frame(capture_file *cf, frame_data *frame)
2107 frame->flags.marked = TRUE;
2112 * Unmark a particular frame.
/* Clears the "marked" flag of "frame".  "cf" is not used by the visible
   lines; any bookkeeping on it would be on a line not shown here. */
2115 unmark_frame(capture_file *cf, frame_data *frame)
2117 frame->flags.marked = FALSE;
/*
 * Prepare the packet list for a bulk update: switch off auto-resize for
 * each of the cf->cinfo.num_cols columns, then freeze the list.
 */
2122 freeze_plist(capture_file *cf)
2126 /* Make the column sizes static, so they don't adjust while
2127 we're reading the capture file (freezing the clist doesn't
2128 seem to suffice). */
2129 for (i = 0; i < cf->cinfo.num_cols; i++)
2130 packet_list_set_column_auto_resize(i, FALSE);
2131 packet_list_freeze();
/*
 * Restore column sizing after a bulk update of the packet list.
 *
 * Columns whose resize type is RESIZE_MANUAL get the width stored in
 * cf->cinfo.col_width[i]; the other visible branch turns auto-resize back
 * on.  A second pass then makes every column resizeable by the user.
 */
2135 thaw_plist(capture_file *cf)
2139 for (i = 0; i < cf->cinfo.num_cols; i++) {
2140 if (get_column_resize_type(cf->cinfo.col_fmt[i]) == RESIZE_MANUAL) {
2141 /* Set this column's width to the appropriate value. */
2142 packet_list_set_column_width(i, cf->cinfo.col_width[i]);
2144 /* Make this column's size dynamic, so that it adjusts to the
2145 appropriate size. */
2146 packet_list_set_column_auto_resize(i, TRUE);
2151 /* Hopefully, the columns have now gotten their appropriate sizes;
2152 make them resizeable - a column that auto-resizes cannot be
2153 resized by the user, and *vice versa*. */
2154 for (i = 0; i < cf->cinfo.num_cols; i++)
2155 packet_list_set_column_resizeable(i, TRUE);
2159 * Save a capture to a file, in a particular format, saving either
2160 * all packets, all currently-displayed packets, or all marked packets.
2162 * Returns TRUE if it succeeds, FALSE otherwise; if it fails, it pops
2163 * up a message box for the failure.
2166 cf_save(char *fname, capture_file *cf, gboolean save_filtered,
2167 gboolean save_marked, guint save_format)
2169 gchar *from_filename;
2170 gchar *name_ptr, *save_msg, *save_fmt = " Saving: %s...";
2176 struct wtap_pkthdr hdr;
2177 union wtap_pseudo_header pseudo_header;
2179 struct stat infile, outfile;
/* Build the status-bar text in a buffer sized from the two strings; the
   bounded snprintf() cannot write past msg_len.  save_fmt is used as the
   format, but it is the constant initialised above, not caller data. */
2181 name_ptr = get_basename(fname);
2182 msg_len = strlen(name_ptr) + strlen(save_fmt) + 2;
2183 save_msg = g_malloc(msg_len);
2184 snprintf(save_msg, msg_len, save_fmt, name_ptr);
2185 statusbar_push_file_msg(save_msg);
2189 * Check that the from file is not the same as to file
2190 * We do it here so we catch all cases ...
2191 * Unfortunately, the file requester gives us an absolute file
2192 * name and the read file name may be relative (if supplied on
2193 * the command line). From Joerg Mayer.
2195 infile.st_ino = 1; /* These prevent us from getting equality */
2196 outfile.st_ino = 2; /* If one or other of the files is not accessible */
/* NOTE(review): the results of both stat() calls are ignored; the two
   different st_ino values assigned above are what keep the comparison
   from matching when either call fails.  Only st_ino is compared, and
   inode numbers are unique only within one file system, so unrelated
   files on different file systems can be reported as the same file;
   comparing st_dev as well would close that gap.  The check is also made
   before the output file is opened, so it describes the path only as it
   was at this moment. */
2197 stat(cf->filename, &infile);
2198 stat(fname, &outfile);
2199 if (infile.st_ino == outfile.st_ino) {
2200 simple_dialog(ESD_TYPE_CRIT, NULL,
2201 "Can't save over current capture file: %s!",
2206 if (!save_filtered && !save_marked && save_format == cf->cd_t) {
2207 /* We're not filtering packets, and we're saving it in the format
2208 it's already in, so we can just move or copy the raw data. */
2210 if (cf->is_tempfile) {
2211 /* The file being saved is a temporary file from a live
2212 capture, so it doesn't need to stay around under that name;
2213 first, try renaming the capture buffer file to the new name. */
2215 if (rename(cf->filename, fname) == 0) {
2216 /* That succeeded - there's no need to copy the source file. */
2217 from_filename = NULL;
2220 if (errno == EXDEV) {
2221 /* They're on different file systems, so we have to copy the
2224 from_filename = cf->filename;
2226 /* The rename failed, but not because they're on different
2227 file systems - put up an error message. (Or should we
2228 just punt and try to copy? The only reason why I'd
2229 expect the rename to fail and the copy to succeed would
2230 be if we didn't have permission to remove the file from
2231 the temporary directory, and that might be fixable - but
2232 is it worth requiring the user to go off and fix it?) */
2233 simple_dialog(ESD_TYPE_CRIT, NULL,
2234 file_rename_error_message(errno), fname);
2240 from_filename = cf->filename;
2243 /* It's a permanent file, so we should copy it, and not remove the
2246 from_filename = cf->filename;
2250 /* Copy the file, if we haven't moved it. */
2251 if (!copy_binary_file(from_filename, fname))
2255 /* Either we're filtering packets, or we're saving in a different
2256 format; we can't do that by copying or moving the capture file,
2257 we have to do it by writing the packets out in Wiretap. */
2258 pdh = wtap_dump_open(fname, save_format, cf->lnk_t, cf->snap, &err);
2260 simple_dialog(ESD_TYPE_CRIT, NULL,
2261 file_open_error_message(err, TRUE, save_format), fname);
2265 /* XXX - have a way to save only the packets currently selected by
2266 the display filter or the marked ones.
2268 If we do that, should we make that file the current file? If so,
2269 it means we can no longer get at the other packets. What does
2271 for (fdata = cf->plist; fdata != NULL; fdata = fdata->next) {
2272 /* XXX - do a progress bar */
2273 if ((!save_filtered && !save_marked) ||
2274 (save_filtered && fdata->flags.passed_dfilter && !save_marked) ||
2275 (save_marked && fdata->flags.marked && !save_filtered) ||
2276 (save_filtered && save_marked && fdata->flags.passed_dfilter &&
2277 fdata->flags.marked)) {
2279 - we're saving all frames, or
2280 - we're saving filtered frames and this one passed the display filter or
2281 - we're saving marked frames (and it has been marked) or
2282 - we're saving filtered _and_ marked frames,
2284 hdr.ts.tv_sec = fdata->abs_secs;
2285 hdr.ts.tv_usec = fdata->abs_usecs;
2286 hdr.caplen = fdata->cap_len;
2287 hdr.len = fdata->pkt_len;
2288 hdr.pkt_encap = fdata->lnk_t;
/* NOTE(review): fdata->cap_len bytes are read into the local buffer "pd",
   whose declaration is not among the visible lines; confirm that its size
   covers the largest cap_len wtap_seek_read() can be asked for. */
2289 if (!wtap_seek_read(cf->wth, fdata->file_off, &pseudo_header,
2290 pd, fdata->cap_len, &err)) {
2291 simple_dialog(ESD_TYPE_CRIT, NULL,
2292 file_read_error_message(err), cf->filename);
2293 wtap_dump_close(pdh, &err);
2297 if (!wtap_dump(pdh, &hdr, &pseudo_header, pd, &err)) {
2298 simple_dialog(ESD_TYPE_CRIT, NULL,
2299 file_write_error_message(err), fname);
2300 wtap_dump_close(pdh, &err);
2306 if (!wtap_dump_close(pdh, &err)) {
2307 simple_dialog(ESD_TYPE_WARN, NULL,
2308 file_close_error_message(err), fname);
2313 /* Pop the "Saving:" message off the status bar. */
2314 statusbar_pop_file_msg();
2315 if (!save_filtered && !save_marked) {
2316 /* We saved the entire capture, not just some packets from it.
2317 Open and read the file we saved it to.
2319 XXX - this is somewhat of a waste; we already have the
2320 packets, all this gets us is updated file type information
2321 (which we could just stuff into "cf"), and having the new
2322 file be the one we have opened and from which we're reading
2323 the data, and it means we have to spend time opening and
2324 reading the file, which could be a significant amount of
2325 time if the file is large. */
2326 cf->user_saved = TRUE;
2328 if ((err = cf_open(fname, FALSE, cf)) == 0) {
2329 /* XXX - report errors if this fails?
2330 What should we return if it fails or is aborted? */
2331 switch (cf_read(cf, &err)) {
2335 /* Just because we got an error, that doesn't mean we were unable
2336 to read any of the file; we handle what we could get from the
2341 /* The user bailed out of re-reading the capture file; the
2342 capture file has been closed - just return (without
2343 changing any menu settings; "cf_close()" set them
2344 correctly for the "no capture file open" state). */
2347 set_menus_for_unsaved_capture_file(FALSE);
2353 /* Pop the "Saving:" message off the status bar. */
2354 statusbar_pop_file_msg();
/*
 * Map an error code from opening a capture file to a message for the user.
 *
 * err          error code; the WTAP_ERR_* values listed below get fixed
 *              texts, and the last visible branch formats the text of
 *              wtap_strerror(err)
 * for_writing  TRUE if the file was being opened for writing; selects
 *              "created" versus "opened" in that last message
 * file_type    capture file type, named in the "cannot be written to a
 *              pipe" message
 *
 * The result is meant to be used as a printf-style format that takes the
 * file name as its one "%s" argument (the "%%s" in the snprintf() formats
 * survives as "%s").  Messages built at run time live in the static
 * buffer errmsg_errno, so such a message is overwritten by the next call
 * that builds one.
 *
 * NOTE(review): text from wtap_strerror() and wtap_file_type_string() is
 * copied into what later serves as a format string; that is only sound
 * while those strings never contain a '%'.
 */
2359 file_open_error_message(int err, gboolean for_writing, int file_type)
2362 static char errmsg_errno[1024+1];
2366 case WTAP_ERR_NOT_REGULAR_FILE:
2367 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
2370 case WTAP_ERR_RANDOM_OPEN_PIPE:
2371 /* Seen only when opening a capture file for reading. */
2372 errmsg = "The file \"%s\" is a pipe or FIFO; Ethereal cannot read pipe or FIFO files.";
2375 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
2376 case WTAP_ERR_UNSUPPORTED:
2377 /* Seen only when opening a capture file for reading. */
2378 errmsg = "The file \"%s\" is not a capture file in a format Ethereal understands.";
2381 case WTAP_ERR_CANT_WRITE_TO_PIPE:
2382 /* Seen only when opening a capture file for writing. */
2383 snprintf(errmsg_errno, sizeof(errmsg_errno),
2384 "The file \"%%s\" is a pipe, and %s capture files cannot be "
2385 "written to a pipe.", wtap_file_type_string(file_type));
2386 errmsg = errmsg_errno;
2389 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
2390 /* Seen only when opening a capture file for writing. */
2391 errmsg = "Ethereal does not support writing capture files in that format.";
2394 case WTAP_ERR_UNSUPPORTED_ENCAP:
2395 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
2397 errmsg = "Ethereal cannot save this capture in that format.";
2399 errmsg = "The file \"%s\" is a capture for a network type that Ethereal doesn't support.";
2402 case WTAP_ERR_BAD_RECORD:
2403 errmsg = "The file \"%s\" appears to be damaged or corrupt.";
2406 case WTAP_ERR_CANT_OPEN:
2408 errmsg = "The file \"%s\" could not be created for some unknown reason.";
2410 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
2413 case WTAP_ERR_SHORT_READ:
2414 errmsg = "The file \"%s\" appears to have been cut short"
2415 " in the middle of a packet or other data.";
2418 case WTAP_ERR_SHORT_WRITE:
2419 errmsg = "A full header couldn't be written to the file \"%s\".";
2424 errmsg = "The path to the file \"%s\" does not exist.";
2426 errmsg = "The file \"%s\" does not exist.";
2431 errmsg = "You do not have permission to create or write to the file \"%s\".";
2433 errmsg = "You do not have permission to read the file \"%s\".";
2437 errmsg = "\"%s\" is a directory (folder), not a file.";
2441 snprintf(errmsg_errno, sizeof(errmsg_errno),
2442 "The file \"%%s\" could not be %s: %s.",
2443 for_writing ? "created" : "opened",
2444 wtap_strerror(err));
2445 errmsg = errmsg_errno;
/*
 * Pick the user-visible message for a failed move (rename) of a capture file.
 *
 * err - error code; anything without a dedicated message falls back to the
 *       text from wtap_strerror(err).
 *
 * Every message is a printf-style format with one "%s" for the file name,
 * to be supplied by the caller as a separate argument.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump), so
 * the switch statement, the case labels and the return are not shown here.
 */
2452 file_rename_error_message(int err)
/* Function-static scratch buffer for the fallback message: a pointer to it
   stays valid only until the next call that formats into it. */
2455 static char errmsg_errno[1024+1];
2460 errmsg = "The path to the file \"%s\" does not exist.";
2464 errmsg = "You do not have permission to move the capture file to \"%s\".";
/* "%%s" leaves a literal "%s" for the caller's file name; the wtap_strerror()
   text is embedded verbatim in what becomes a format string.
   NOTE(review): confirm that text cannot contain '%', or escape it. */
2468 snprintf(errmsg_errno, sizeof(errmsg_errno),
2469 "The file \"%%s\" could not be moved: %s.",
2470 wtap_strerror(err));
2471 errmsg = errmsg_errno;
/*
 * Build the user-visible message for an error while reading a capture file.
 *
 * err - error code, turned into text by wtap_strerror(err).
 *
 * Returns a pointer to a function-static buffer holding a printf-style format
 * with one "%s" for the file name (copy_binary_file() passes it to
 * simple_dialog() together with the file name).  The buffer is overwritten by
 * the next call, so the caller must use the result before calling again and
 * must not free it.
 */
2478 file_read_error_message(int err)
2480 static char errmsg_errno[1024+1];
/* "%%s" leaves a literal "%s" for the caller's file name; the wtap_strerror()
   text is embedded verbatim in what becomes a format string.
   NOTE(review): confirm that text cannot contain '%', or escape it.  The
   snprintf() result is not checked, so an over-long message is cut at the
   buffer size. */
2482 snprintf(errmsg_errno, sizeof(errmsg_errno),
2483 "An error occurred while reading from the file \"%%s\": %s.",
2484 wtap_strerror(err));
2485 return errmsg_errno;
/*
 * Pick the user-visible message for an error while writing a capture file.
 *
 * err - error code; anything without a dedicated message falls back to the
 *       text from wtap_strerror(err).
 *
 * Every message is a printf-style format with one "%s" for the file name
 * (copy_binary_file() passes the result to simple_dialog() together with the
 * name of the output file).
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump), so
 * the switch statement, the case labels for the two fixed messages and the
 * return are not shown here.
 */
2489 file_write_error_message(int err)
/* Function-static scratch buffer for the fallback message: a pointer to it
   stays valid only until the next call that formats into it. */
2492 static char errmsg_errno[1024+1];
2497 errmsg = "The file \"%s\" could not be saved because there is no space left on the file system.";
2502 errmsg = "The file \"%s\" could not be saved because you are too close to, or over, your disk quota.";
/* "%%s" leaves a literal "%s" for the caller's file name; the wtap_strerror()
   text is embedded verbatim in what becomes a format string.
   NOTE(review): confirm that text cannot contain '%', or escape it. */
2507 snprintf(errmsg_errno, sizeof(errmsg_errno),
2508 "An error occurred while writing to the file \"%%s\": %s.",
2509 wtap_strerror(err));
2510 errmsg = errmsg_errno;
2516 /* Check for write errors - if the file is being written to an NFS server,
2517 a write error may not show up until the file is closed, as NFS clients
2518 might not send writes to the server until the "write()" call finishes,
2519 so that the write may fail on the server but the "write()" may succeed. */
/*
 * Pick the user-visible message for an error reported when closing a capture
 * file that was being written.
 *
 * err - error code; WTAP_ERR_CANT_CLOSE and WTAP_ERR_SHORT_WRITE have their
 *       own messages, and anything without a dedicated message falls back to
 *       the text from wtap_strerror(err).
 *
 * Every message is a printf-style format with one "%s" for the file name
 * (copy_binary_file() passes the result to simple_dialog() together with the
 * name of the output file).
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump), so
 * the switch statement, the case labels for the space/quota messages and the
 * return are not shown here.
 */
2521 file_close_error_message(int err)
/* Function-static scratch buffer for the fallback message: a pointer to it
   stays valid only until the next call that formats into it. */
2524 static char errmsg_errno[1024+1];
2528 case WTAP_ERR_CANT_CLOSE:
2529 errmsg = "The file \"%s\" couldn't be closed for some unknown reason.";
2532 case WTAP_ERR_SHORT_WRITE:
2533 errmsg = "Not all the packets could be written to the file \"%s\".";
2537 errmsg = "The file \"%s\" could not be saved because there is no space left on the file system.";
2542 errmsg = "The file \"%s\" could not be saved because you are too close to, or over, your disk quota.";
/* "%%s" leaves a literal "%s" for the caller's file name; the wtap_strerror()
   text is embedded verbatim in what becomes a format string.
   NOTE(review): confirm that text cannot contain '%', or escape it. */
2547 snprintf(errmsg_errno, sizeof(errmsg_errno),
2548 "An error occurred while closing the file \"%%s\": %s.",
2549 wtap_strerror(err));
2550 errmsg = errmsg_errno;
2557 /* Copies a file in binary mode, for those operating systems that care about the text/binary distinction.
2559 * Returns TRUE on success, FALSE on failure. If a failure, it also
2560 * displays a simple dialog window with the error message.
2563 copy_binary_file(char *from_filename, char *to_filename)
2565 int from_fd, to_fd, nread, nwritten, err;
2568 /* Copy the raw bytes of the file. */
2569 from_fd = open(from_filename, O_RDONLY | O_BINARY);
2572 simple_dialog(ESD_TYPE_CRIT, NULL,
2573 file_open_error_message(err, TRUE, 0), from_filename);
2577 /* Use open() instead of creat() so that we can pass the O_BINARY
2578 flag, which is relevant on Win32; it appears that "creat()"
2579 may open the file in text mode, not binary mode, but we want
2580 to copy the raw bytes of the file, so we need the output file
2581 to be open in binary mode. */
2582 to_fd = open(to_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2585 simple_dialog(ESD_TYPE_CRIT, NULL,
2586 file_open_error_message(err, TRUE, 0), to_filename);
2591 while ((nread = read(from_fd, pd, sizeof pd)) > 0) {
2592 nwritten = write(to_fd, pd, nread);
2593 if (nwritten < nread) {
2597 err = WTAP_ERR_SHORT_WRITE;
2598 simple_dialog(ESD_TYPE_CRIT, NULL,
2599 file_write_error_message(err), to_filename);
2607 simple_dialog(ESD_TYPE_CRIT, NULL,
2608 file_read_error_message(err), from_filename);
2614 if (close(to_fd) < 0) {
2616 simple_dialog(ESD_TYPE_CRIT, NULL,
2617 file_close_error_message(err), to_filename);