2021-11-30 04:27:19 +00:00
|
|
|
/** @file
|
|
|
|
|
*
|
2002-09-06 23:14:04 +00:00
|
|
|
* capture_file definition & GUI-independent manipulation
|
|
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
2002-09-06 23:14:04 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
2018-02-07 11:26:45 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
2002-09-06 23:14:04 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __CFILE_H__
|
|
|
|
|
#define __CFILE_H__
|
|
|
|
|
|
2017-12-04 05:33:59 +00:00
|
|
|
#include <epan/epan.h>
|
|
|
|
|
#include <epan/column-info.h>
|
|
|
|
|
#include <epan/dfilter/dfilter.h>
|
|
|
|
|
#include <epan/frame_data.h>
|
|
|
|
|
#include <epan/frame_data_sequence.h>
|
|
|
|
|
#include <wiretap/wtap.h>
|
2011-04-27 02:54:44 +00:00
|
|
|
|
2011-12-29 00:08:47 +00:00
|
|
|
#ifdef __cplusplus
|
|
|
|
|
extern "C" {
|
|
|
|
|
#endif /* __cplusplus */
|
|
|
|
|
|
2002-09-06 23:14:04 +00:00
|
|
|
/* Current state of file. */
|
|
|
|
|
typedef enum {
|
2022-02-20 19:39:37 +00:00
|
|
|
FILE_CLOSED, /* No file open */
|
|
|
|
|
FILE_READ_IN_PROGRESS, /* Reading a file we've opened */
|
|
|
|
|
FILE_READ_ABORTED, /* Read aborted by user */
|
|
|
|
|
FILE_READ_DONE /* Read completed */
|
2002-09-06 23:14:04 +00:00
|
|
|
} file_state;
|
|
|
|
|
|
2018-06-28 00:28:06 +00:00
|
|
|
/* Requested packets rescan action. */
|
|
|
|
|
typedef enum {
|
2022-02-20 19:39:37 +00:00
|
|
|
RESCAN_NONE = 0, /* No rescan requested */
|
|
|
|
|
RESCAN_SCAN, /* Request rescan without full redissection. */
|
|
|
|
|
RESCAN_REDISSECT /* Request full redissection. */
|
2018-06-28 00:28:06 +00:00
|
|
|
} rescan_type;
|
|
|
|
|
|
Get rid of the EBCDIC stuff in the find dialog - it's not supported yet,
so we shouldn't torment the users by offering it.
Check the string type and convert it to an internal representation in
the GUI code; have the search code deal only with the internal
representation.
Save the case-sensitivity flag, and the indication of where string
searches look, along with other search parameters.
Upper-casify the string, for case-insensitive searches, in the GUI code;
don't save the upper-casified string, so it doesn't SHOUT at you when
you next pop up a "find" dialog.
Convert the hex value string to raw binary data in the GUI code, rather
than doing so in the search code. Check that it's a valid string.
Connect the signals to the radio buttons after the pointers have been
attached to various GUI items - the signal handlers expect some of those
pointers to be attached, and aren't happy if they're not.
Have "find_packet()" contain a framework for searching, but not contain
the matching code; instead, pass it a pointer to a matching routine and
an opaque pointer to be passed to the matching routine. Have all the
routines that do different types of searching have their own matching
routines, and use the common "find_packet()" code, rather than
duplicating that code.
Search for the Info column by column type, not by name (the user can
change the name).
When matching on the protocol tree, don't format the entire protocol
tree into a big buffer - just have a routine that matches the text
representation of a protocol tree item against a string, and, if it
finds a match, sets a "we found a match flag" and returns; have that
routine not bother doing any more work if that flag is set.
(Unfortunately, you can't abort "g_node_children_foreach()" in the
middle of a traversal.)
Free the generated display filter code after a find-by-display-filter
finishes.
svn path=/trunk/; revision=8306
2003-08-29 04:03:46 +00:00
|
|
|
/* Character set for text search. */
|
|
|
|
|
typedef enum {
|
2022-02-20 19:39:37 +00:00
|
|
|
SCS_NARROW_AND_WIDE,
|
|
|
|
|
SCS_NARROW,
|
|
|
|
|
SCS_WIDE
|
|
|
|
|
/* add EBCDIC when it's implemented */
|
Get rid of the EBCDIC stuff in the find dialog - it's not supported yet,
so we shouldn't torment the users by offering it.
Check the string type and convert it to an internal representation in
the GUI code; have the search code deal only with the internal
representation.
Save the case-sensitivity flag, and the indication of where string
searches look, along with other search parameters.
Upper-casify the string, for case-insensitive searches, in the GUI code;
don't save the upper-casified string, so it doesn't SHOUT at you when
you next pop up a "find" dialog.
Convert the hex value string to raw binary data in the GUI code, rather
than doing so in the search code. Check that it's a valid string.
Connect the signals to the radio buttons after the pointers have been
attached to various GUI items - the signal handlers expect some of those
pointers to be attached, and aren't happy if they're not.
Have "find_packet()" contain a framework for searching, but not contain
the matching code; instead, pass it a pointer to a matching routine and
an opaque pointer to be passed to the matching routine. Have all the
routines that do different types of searching have their own matching
routines, and use the common "find_packet()" code, rather than
duplicating that code.
Search for the Info column by column type, not by name (the user can
change the name).
When matching on the protocol tree, don't format the entire protocol
tree into a big buffer - just have a routine that matches the text
representation of a protocol tree item against a string, and, if it
finds a match, sets a "we found a match flag" and returns; have that
routine not bother doing any more work if that flag is set.
(Unfortunately, you can't abort "g_node_children_foreach()" in the
middle of a traversal.)
Free the generated display filter code after a find-by-display-filter
finishes.
svn path=/trunk/; revision=8306
2003-08-29 04:03:46 +00:00
|
|
|
} search_charset_t;
|
|
|
|
|
|
Instead of using a Boolean for the search direction, use an enum, so
that you can tell from examination whether the search is forward or
backward.
Make the cf_find_packet routines take the direction as an explicit
argument, rather than, in the cases where you don't want to permanently
set the direction, saving the direction in the capture_file structure,
changing it, doing the search, and restoring the saved direction. Give
more information in the Doxygen comments for those routines.
Add a cf_find_packet_dfilter_string() routine, which takes a filter
string rather than a compiled filter as an argument. Replace
find_previous_next_frame_with_filter() with it.
Have cf_read_frame_r() and cf_read_frame() pop up the error dialog if
the read fails, rather than leaving that up to its caller. That lets us
eliminate cf_read_error_message(), by swallowing its code into
cf_read_frame_r(). Add Doxygen comments for cf_read_frame_r() and
cf_read_frame().
Don't have find_packet() read the packet before calling the callback
routine; leave that up to the callback routine.
Add cf_find_packet_marked(), to find the next or previous marked packet,
and cf_find_packet_time_reference(), to find the next or previous time
reference packet. Those routines do *not* need to read the packet data
to see if it matches; that lets them run much faster.
Clean up indentation.
svn path=/trunk/; revision=33791
2010-08-13 07:39:46 +00:00
|
|
|
typedef enum {
|
2022-02-20 19:39:37 +00:00
|
|
|
SD_FORWARD,
|
|
|
|
|
SD_BACKWARD
|
Instead of using a Boolean for the search direction, use an enum, so
that you can tell from examination whether the search is forward or
backward.
Make the cf_find_packet routines take the direction as an explicit
argument, rather than, in the cases where you don't want to permanently
set the direction, saving the direction in the capture_file structure,
changing it, doing the search, and restoring the saved direction. Give
more information in the Doxygen comments for those routines.
Add a cf_find_packet_dfilter_string() routine, which takes a filter
string rather than a compiled filter as an argument. Replace
find_previous_next_frame_with_filter() with it.
Have cf_read_frame_r() and cf_read_frame() pop up the error dialog if
the read fails, rather than leaving that up to its caller. That lets us
eliminate cf_read_error_message(), by swallowing its code into
cf_read_frame_r(). Add Doxygen comments for cf_read_frame_r() and
cf_read_frame().
Don't have find_packet() read the packet before calling the callback
routine; leave that up to the callback routine.
Add cf_find_packet_marked(), to find the next or previous marked packet,
and cf_find_packet_time_reference(), to find the next or previous time
reference packet. Those routines do *not* need to read the packet data
to see if it matches; that lets them run much faster.
Clean up indentation.
svn path=/trunk/; revision=33791
2010-08-13 07:39:46 +00:00
|
|
|
} search_direction;
|
|
|
|
|
|
2017-12-08 03:31:43 +00:00
|
|
|
/*
|
|
|
|
|
* Packet provider for programs using a capture file.
|
|
|
|
|
*/
|
2017-12-08 04:33:22 +00:00
|
|
|
struct packet_provider_data {
|
2022-02-20 19:39:37 +00:00
|
|
|
wtap *wth; /* Wiretap session */
|
|
|
|
|
const frame_data *ref;
|
|
|
|
|
frame_data *prev_dis;
|
|
|
|
|
frame_data *prev_cap;
|
|
|
|
|
frame_data_sequence *frames; /* Sequence of frames, if we're keeping that information */
|
|
|
|
|
GTree *frames_modified_blocks; /* BST with modified blocks for frames (key = frame_data) */
|
2017-12-08 03:31:43 +00:00
|
|
|
};
|
|
|
|
|
|
2017-12-04 05:33:59 +00:00
|
|
|
typedef struct _capture_file {
|
2022-02-20 19:39:37 +00:00
|
|
|
epan_t *epan;
|
|
|
|
|
file_state state; /* Current state of capture file */
|
|
|
|
|
gchar *filename; /* Name of capture file */
|
|
|
|
|
gchar *source; /* Temp file source, e.g. "Pipe from elsewhere" */
|
|
|
|
|
gboolean is_tempfile; /* Is capture file a temporary file? */
|
|
|
|
|
gboolean unsaved_changes; /* Does the capture file have changes that have not been saved? */
|
|
|
|
|
gboolean stop_flag; /* Stop current processing (loading, searching, etc.) */
|
|
|
|
|
|
|
|
|
|
gint64 f_datalen; /* Size of capture file data (uncompressed) */
|
|
|
|
|
guint16 cd_t; /* File type of capture file */
|
|
|
|
|
unsigned int open_type; /* open_routine index+1 used, if selected, or WTAP_TYPE_AUTO */
|
|
|
|
|
wtap_compression_type compression_type; /* Compression type of the file, or uncompressed */
|
|
|
|
|
int lnk_t; /* File link-layer type; could be WTAP_ENCAP_PER_PACKET */
|
|
|
|
|
GArray *linktypes; /* Array of packet link-layer types */
|
|
|
|
|
guint32 count; /* Total number of frames */
|
|
|
|
|
guint64 packet_comment_count; /* Number of comments in frames (could be >1 per frame... */
|
|
|
|
|
guint32 displayed_count; /* Number of displayed frames */
|
|
|
|
|
guint32 marked_count; /* Number of marked frames */
|
|
|
|
|
guint32 ignored_count; /* Number of ignored frames */
|
|
|
|
|
guint32 ref_time_count; /* Number of time referenced frames */
|
|
|
|
|
gboolean drops_known; /* TRUE if we know how many packets were dropped */
|
|
|
|
|
guint32 drops; /* Dropped packets */
|
|
|
|
|
nstime_t elapsed_time; /* Elapsed time */
|
|
|
|
|
int snap; /* Maximum captured packet length; 0 if unknown */
|
|
|
|
|
dfilter_t *rfcode; /* Compiled read filter program */
|
|
|
|
|
dfilter_t *dfcode; /* Compiled display filter program */
|
|
|
|
|
gchar *dfilter; /* Display filter string */
|
|
|
|
|
gboolean redissecting; /* TRUE if currently redissecting (cf_redissect_packets) */
|
|
|
|
|
gboolean read_lock; /* TRUE if currently processing a file (cf_read) */
|
|
|
|
|
rescan_type redissection_queued; /* Queued redissection type. */
|
|
|
|
|
/* search */
|
|
|
|
|
gchar *sfilter; /* Filter, hex value, or string being searched */
|
|
|
|
|
gboolean hex; /* TRUE if "Hex value" search was last selected */
|
|
|
|
|
gboolean string; /* TRUE if "String" search was last selected */
|
|
|
|
|
gboolean summary_data; /* TRUE if "String" search in "Packet list" (Info column) was last selected */
|
|
|
|
|
gboolean decode_data; /* TRUE if "String" search in "Packet details" was last selected */
|
|
|
|
|
gboolean packet_data; /* TRUE if "String" search in "Packet data" was last selected */
|
|
|
|
|
guint32 search_pos; /* Byte position of last byte found in a hex search */
|
|
|
|
|
guint32 search_len; /* Length of bytes matching the search */
|
|
|
|
|
gboolean case_type; /* TRUE if case-insensitive text search */
|
2022-07-27 06:12:27 +00:00
|
|
|
ws_regex_t *regex; /* Set if regular expression search */
|
2022-02-20 19:39:37 +00:00
|
|
|
search_charset_t scs_type; /* Character set for text search */
|
|
|
|
|
search_direction dir; /* Direction in which to do searches */
|
|
|
|
|
gboolean search_in_progress; /* TRUE if user just clicked OK in the Find dialog or hit <control>N/B */
|
|
|
|
|
/* packet provider */
|
|
|
|
|
struct packet_provider_data provider;
|
|
|
|
|
/* frames */
|
|
|
|
|
guint32 first_displayed; /* Frame number of first frame displayed */
|
|
|
|
|
guint32 last_displayed; /* Frame number of last frame displayed */
|
|
|
|
|
/* Data for currently selected frame */
|
|
|
|
|
column_info cinfo; /* Column formatting information */
|
|
|
|
|
frame_data *current_frame; /* Frame data */
|
|
|
|
|
epan_dissect_t *edt; /* Protocol dissection */
|
|
|
|
|
field_info *finfo_selected; /* Field info */
|
|
|
|
|
wtap_rec rec; /* Record header */
|
|
|
|
|
Buffer buf; /* Record data */
|
|
|
|
|
|
|
|
|
|
gpointer window; /* Top-level window associated with file */
|
|
|
|
|
gulong computed_elapsed; /* Elapsed time to load the file (in msec). */
|
|
|
|
|
|
|
|
|
|
guint32 cum_bytes;
|
2017-12-04 05:33:59 +00:00
|
|
|
} capture_file;
|
2002-09-06 23:14:04 +00:00
|
|
|
|
Store the frame_data structures in a tree, rather than a linked list.
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
2011-04-25 19:01:05 +00:00
|
|
|
extern void cap_file_init(capture_file *cf);
|
2002-09-06 23:14:04 +00:00
|
|
|
|
2017-12-08 04:33:22 +00:00
|
|
|
const char *cap_file_provider_get_interface_name(struct packet_provider_data *prov, guint32 interface_id);
|
|
|
|
|
const char *cap_file_provider_get_interface_description(struct packet_provider_data *prov, guint32 interface_id);
|
2021-07-08 05:43:29 +00:00
|
|
|
wtap_block_t cap_file_provider_get_modified_block(struct packet_provider_data *prov, const frame_data *fd);
|
|
|
|
|
void cap_file_provider_set_modified_block(struct packet_provider_data *prov, frame_data *fd, const wtap_block_t new_block);
|
2017-12-08 03:31:43 +00:00
|
|
|
|
2011-12-29 00:08:47 +00:00
|
|
|
#ifdef __cplusplus
|
|
|
|
|
}
|
|
|
|
|
#endif /* __cplusplus */
|
|
|
|
|
|
2014-10-14 19:58:21 +00:00
|
|
|
#endif /* cfile.h */
|