1999-06-22 22:02:39 +00:00
|
|
|
/* summary.c
|
1999-12-10 04:21:04 +00:00
|
|
|
* Routines for capture file summary info
|
1999-06-22 22:02:39 +00:00
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
1999-06-22 22:02:39 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
2017-11-08 15:43:53 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0+
|
1999-06-22 22:02:39 +00:00
|
|
|
*/
|
|
|
|
|
|
2014-08-22 21:13:05 +00:00
|
|
|
#include <config.h>
|
1999-06-22 22:02:39 +00:00
|
|
|
|
2012-05-28 00:31:27 +00:00
|
|
|
#include <wiretap/pcap-encap.h>
|
2016-01-26 01:17:21 +00:00
|
|
|
#include <wiretap/wtap_opttypes.h>
|
|
|
|
|
#include <wiretap/pcapng.h>
|
2012-05-28 00:31:27 +00:00
|
|
|
|
2002-01-21 07:37:49 +00:00
|
|
|
#include <epan/packet.h>
|
2005-02-04 19:29:27 +00:00
|
|
|
#include "cfile.h"
|
2018-02-07 09:07:03 +00:00
|
|
|
#include "ui/summary.h"
|
1999-06-22 22:02:39 +00:00
|
|
|
|
1999-12-10 04:21:04 +00:00
|
|
|
static void
|
|
|
|
|
tally_frame_data(frame_data *cur_frame, summary_tally *sum_tally)
|
|
|
|
|
{
|
1999-06-22 22:02:39 +00:00
|
|
|
double cur_time;
|
|
|
|
|
|
1999-12-29 21:30:28 +00:00
|
|
|
sum_tally->bytes += cur_frame->pkt_len;
|
2003-09-02 22:10:32 +00:00
|
|
|
if (cur_frame->flags.passed_dfilter){
|
1999-12-29 21:30:28 +00:00
|
|
|
sum_tally->filtered_count++;
|
2012-02-26 08:02:02 +00:00
|
|
|
sum_tally->filtered_bytes += cur_frame->pkt_len;
|
2003-09-02 22:10:32 +00:00
|
|
|
}
|
2007-11-28 01:09:02 +00:00
|
|
|
if (cur_frame->flags.marked){
|
2000-08-21 18:20:19 +00:00
|
|
|
sum_tally->marked_count++;
|
2012-02-26 08:02:02 +00:00
|
|
|
sum_tally->marked_bytes += cur_frame->pkt_len;
|
2007-11-28 01:09:02 +00:00
|
|
|
}
|
2009-12-17 12:05:13 +00:00
|
|
|
if (cur_frame->flags.ignored){
|
|
|
|
|
sum_tally->ignored_count++;
|
|
|
|
|
}
|
2012-02-26 08:02:02 +00:00
|
|
|
|
|
|
|
|
if (cur_frame->flags.has_ts) {
|
|
|
|
|
/* This packet has a time stamp. */
|
|
|
|
|
cur_time = nstime_to_sec(&cur_frame->abs_ts);
|
|
|
|
|
|
|
|
|
|
sum_tally->packet_count_ts++;
|
|
|
|
|
if (cur_time < sum_tally->start_time) {
|
|
|
|
|
sum_tally->start_time = cur_time;
|
|
|
|
|
}
|
|
|
|
|
if (cur_time > sum_tally->stop_time){
|
|
|
|
|
sum_tally->stop_time = cur_time;
|
|
|
|
|
}
|
|
|
|
|
if (cur_frame->flags.passed_dfilter){
|
|
|
|
|
sum_tally->filtered_count_ts++;
|
|
|
|
|
/*
|
|
|
|
|
* If we've seen one filtered packet, this is the first
|
|
|
|
|
* one.
|
|
|
|
|
*/
|
|
|
|
|
if (sum_tally->filtered_count == 1){
|
|
|
|
|
sum_tally->filtered_start= cur_time;
|
|
|
|
|
sum_tally->filtered_stop = cur_time;
|
|
|
|
|
} else {
|
|
|
|
|
if (cur_time < sum_tally->filtered_start) {
|
|
|
|
|
sum_tally->filtered_start = cur_time;
|
|
|
|
|
}
|
|
|
|
|
if (cur_time > sum_tally->filtered_stop) {
|
|
|
|
|
sum_tally->filtered_stop = cur_time;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (cur_frame->flags.marked){
|
|
|
|
|
sum_tally->marked_count_ts++;
|
|
|
|
|
/*
|
|
|
|
|
* If we've seen one marked packet, this is the first
|
|
|
|
|
* one.
|
|
|
|
|
*/
|
|
|
|
|
if (sum_tally->marked_count == 1){
|
|
|
|
|
sum_tally->marked_start= cur_time;
|
|
|
|
|
sum_tally->marked_stop = cur_time;
|
|
|
|
|
} else {
|
|
|
|
|
if (cur_time < sum_tally->marked_start) {
|
|
|
|
|
sum_tally->marked_start = cur_time;
|
|
|
|
|
}
|
|
|
|
|
if (cur_time > sum_tally->marked_stop) {
|
|
|
|
|
sum_tally->marked_stop = cur_time;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
1999-06-22 22:02:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2005-02-04 19:29:27 +00:00
|
|
|
summary_fill_in(capture_file *cf, summary_tally *st)
|
1999-12-10 04:21:04 +00:00
|
|
|
{
|
1999-06-22 22:02:39 +00:00
|
|
|
frame_data *first_frame, *cur_frame;
|
Store the frame_data structures in a tree, rather than a linked list.
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
2011-04-25 19:01:05 +00:00
|
|
|
guint32 framenum;
|
2012-05-28 01:17:48 +00:00
|
|
|
iface_options iface;
|
|
|
|
|
guint i;
|
|
|
|
|
wtapng_iface_descriptions_t* idb_info;
|
2016-07-14 23:01:57 +00:00
|
|
|
wtap_block_t wtapng_if_descr;
|
2016-01-26 01:17:21 +00:00
|
|
|
wtapng_if_descr_mandatory_t *wtapng_if_descr_mand;
|
2016-07-14 23:01:57 +00:00
|
|
|
wtap_block_t if_stats;
|
2016-01-26 01:17:21 +00:00
|
|
|
guint64 isb_ifdrop;
|
|
|
|
|
char* if_string;
|
|
|
|
|
wtapng_if_descr_filter_t* if_filter;
|
1999-06-22 22:02:39 +00:00
|
|
|
|
2012-02-26 08:02:02 +00:00
|
|
|
st->packet_count_ts = 0;
|
1999-12-29 21:30:28 +00:00
|
|
|
st->start_time = 0;
|
|
|
|
|
st->stop_time = 0;
|
1999-06-22 22:02:39 +00:00
|
|
|
st->bytes = 0;
|
1999-07-07 22:52:57 +00:00
|
|
|
st->filtered_count = 0;
|
2012-02-26 08:02:02 +00:00
|
|
|
st->filtered_count_ts = 0;
|
2003-09-02 22:10:32 +00:00
|
|
|
st->filtered_start = 0;
|
2007-11-28 01:09:02 +00:00
|
|
|
st->filtered_stop = 0;
|
2003-09-02 22:10:32 +00:00
|
|
|
st->filtered_bytes = 0;
|
2000-08-21 18:20:19 +00:00
|
|
|
st->marked_count = 0;
|
2012-02-26 08:02:02 +00:00
|
|
|
st->marked_count_ts = 0;
|
2007-11-28 01:09:02 +00:00
|
|
|
st->marked_start = 0;
|
|
|
|
|
st->marked_stop = 0;
|
|
|
|
|
st->marked_bytes = 0;
|
2009-12-17 12:05:13 +00:00
|
|
|
st->ignored_count = 0;
|
1999-06-22 22:02:39 +00:00
|
|
|
|
1999-12-29 21:30:28 +00:00
|
|
|
/* initialize the tally */
|
Store the frame_data structures in a tree, rather than a linked list.
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
2011-04-25 19:01:05 +00:00
|
|
|
if (cf->count != 0) {
|
2017-12-08 03:31:43 +00:00
|
|
|
first_frame = frame_data_sequence_find(cf->provider.frames, 1);
|
Store the frame_data structures in a tree, rather than a linked list.
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
2011-04-25 19:01:05 +00:00
|
|
|
st->start_time = nstime_to_sec(&first_frame->abs_ts);
|
2005-08-24 21:31:56 +00:00
|
|
|
st->stop_time = nstime_to_sec(&first_frame->abs_ts);
|
1999-12-29 21:30:28 +00:00
|
|
|
|
Store the frame_data structures in a tree, rather than a linked list.
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
2011-04-25 19:01:05 +00:00
|
|
|
for (framenum = 1; framenum <= cf->count; framenum++) {
|
2017-12-08 03:31:43 +00:00
|
|
|
cur_frame = frame_data_sequence_find(cf->provider.frames, framenum);
|
1999-12-29 21:30:28 +00:00
|
|
|
tally_frame_data(cur_frame, st);
|
|
|
|
|
}
|
1999-08-10 04:13:37 +00:00
|
|
|
}
|
1999-06-22 22:02:39 +00:00
|
|
|
|
2005-02-04 19:29:27 +00:00
|
|
|
st->filename = cf->filename;
|
2005-08-19 01:17:24 +00:00
|
|
|
st->file_length = cf->f_datalen;
|
2008-10-14 22:55:16 +00:00
|
|
|
st->file_type = cf->cd_t;
|
2012-05-24 05:05:29 +00:00
|
|
|
st->iscompressed = cf->iscompressed;
|
2011-07-15 20:45:28 +00:00
|
|
|
st->is_tempfile = cf->is_tempfile;
|
2012-06-15 23:54:05 +00:00
|
|
|
st->file_encap_type = cf->lnk_t;
|
|
|
|
|
st->packet_encap_types = cf->linktypes;
|
2005-02-04 19:29:27 +00:00
|
|
|
st->snap = cf->snap;
|
2005-08-24 21:31:56 +00:00
|
|
|
st->elapsed_time = nstime_to_sec(&cf->elapsed_time);
|
2005-02-04 19:29:27 +00:00
|
|
|
st->packet_count = cf->count;
|
|
|
|
|
st->drops_known = cf->drops_known;
|
|
|
|
|
st->drops = cf->drops;
|
|
|
|
|
st->dfilter = cf->dfilter;
|
1999-06-22 22:02:39 +00:00
|
|
|
|
2011-07-05 20:34:03 +00:00
|
|
|
st->ifaces = g_array_new(FALSE, FALSE, sizeof(iface_options));
|
2017-12-08 03:31:43 +00:00
|
|
|
idb_info = wtap_file_get_idb_info(cf->provider.wth);
|
2014-05-15 21:39:12 +00:00
|
|
|
for (i = 0; i < idb_info->interface_data->len; i++) {
|
2016-07-14 23:01:57 +00:00
|
|
|
wtapng_if_descr = g_array_index(idb_info->interface_data, wtap_block_t, i);
|
|
|
|
|
wtapng_if_descr_mand = (wtapng_if_descr_mandatory_t*)wtap_block_get_mandatory_data(wtapng_if_descr);
|
|
|
|
|
if (wtap_block_get_custom_option_value(wtapng_if_descr, OPT_IDB_FILTER, (void**)&if_filter) == WTAP_OPTTYPE_SUCCESS) {
|
|
|
|
|
iface.cfilter = g_strdup(if_filter->if_filter_str);
|
|
|
|
|
} else {
|
|
|
|
|
iface.cfilter = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (wtap_block_get_string_option_value(wtapng_if_descr, OPT_IDB_NAME, &if_string) == WTAP_OPTTYPE_SUCCESS) {
|
|
|
|
|
iface.name = g_strdup(if_string);
|
|
|
|
|
} else {
|
|
|
|
|
iface.name = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (wtap_block_get_string_option_value(wtapng_if_descr, OPT_IDB_DESCR, &if_string) == WTAP_OPTTYPE_SUCCESS) {
|
|
|
|
|
iface.descr = g_strdup(if_string);
|
|
|
|
|
} else {
|
|
|
|
|
iface.descr = NULL;
|
|
|
|
|
}
|
2012-05-28 01:17:48 +00:00
|
|
|
iface.drops_known = FALSE;
|
|
|
|
|
iface.drops = 0;
|
2016-01-26 01:17:21 +00:00
|
|
|
iface.snap = wtapng_if_descr_mand->snap_len;
|
|
|
|
|
iface.encap_type = wtapng_if_descr_mand->wtap_encap;
|
2015-08-29 23:14:13 +00:00
|
|
|
iface.isb_comment = NULL;
|
2016-01-26 01:17:21 +00:00
|
|
|
if(wtapng_if_descr_mand->num_stat_entries == 1){
|
2012-05-28 01:17:48 +00:00
|
|
|
/* dumpcap only writes one ISB, only handle that for now */
|
2016-07-14 23:01:57 +00:00
|
|
|
if_stats = g_array_index(wtapng_if_descr_mand->interface_statistics, wtap_block_t, 0);
|
|
|
|
|
if (wtap_block_get_uint64_option_value(if_stats, OPT_ISB_IFDROP, &isb_ifdrop) == WTAP_OPTTYPE_SUCCESS) {
|
2015-08-29 23:14:13 +00:00
|
|
|
iface.drops_known = TRUE;
|
2016-01-26 01:17:21 +00:00
|
|
|
iface.drops = isb_ifdrop;
|
2015-08-29 23:14:13 +00:00
|
|
|
}
|
|
|
|
|
/* XXX: this doesn't get used, and might need to be g_strdup'ed when it does */
|
2016-07-14 23:01:57 +00:00
|
|
|
/* XXX - support multiple comments */
|
|
|
|
|
if (wtap_block_get_nth_string_option_value(if_stats, OPT_COMMENT, 0, &iface.isb_comment) != WTAP_OPTTYPE_SUCCESS) {
|
|
|
|
|
iface.isb_comment = NULL;
|
|
|
|
|
}
|
2012-05-28 01:17:48 +00:00
|
|
|
}
|
|
|
|
|
g_array_append_val(st->ifaces, iface);
|
|
|
|
|
}
|
|
|
|
|
g_free(idb_info);
|
2005-02-06 21:20:35 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-28 01:17:48 +00:00
|
|
|
#ifdef HAVE_LIBPCAP
|
2005-02-06 21:20:35 +00:00
|
|
|
void
|
2012-02-23 15:40:31 +00:00
|
|
|
summary_fill_in_capture(capture_file *cf,capture_options *capture_opts, summary_tally *st)
|
2005-02-06 21:20:35 +00:00
|
|
|
{
|
2011-07-05 20:34:03 +00:00
|
|
|
iface_options iface;
|
2017-08-24 14:16:34 +00:00
|
|
|
interface_t *device;
|
2011-07-05 20:34:03 +00:00
|
|
|
guint i;
|
|
|
|
|
|
2012-05-28 01:17:48 +00:00
|
|
|
if (st->ifaces->len == 0) {
|
2012-05-28 01:23:28 +00:00
|
|
|
/*
|
|
|
|
|
* XXX - do this only if we have a live capture.
|
|
|
|
|
*/
|
2012-02-24 13:05:33 +00:00
|
|
|
for (i = 0; i < capture_opts->all_ifaces->len; i++) {
|
2017-08-24 14:16:34 +00:00
|
|
|
device = &g_array_index(capture_opts->all_ifaces, interface_t, i);
|
|
|
|
|
if (!device->selected) {
|
2012-02-24 13:05:33 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2017-08-24 14:16:34 +00:00
|
|
|
iface.cfilter = g_strdup(device->cfilter);
|
|
|
|
|
iface.name = g_strdup(device->name);
|
|
|
|
|
iface.descr = g_strdup(device->display_name);
|
2012-02-24 13:05:33 +00:00
|
|
|
iface.drops_known = cf->drops_known;
|
|
|
|
|
iface.drops = cf->drops;
|
2017-08-24 14:16:34 +00:00
|
|
|
iface.snap = device->snaplen;
|
|
|
|
|
iface.encap_type = wtap_pcap_encap_to_wtap_encap(device->active_dlt);
|
2011-07-05 20:34:03 +00:00
|
|
|
g_array_append_val(st->ifaces, iface);
|
|
|
|
|
}
|
2011-07-15 20:45:28 +00:00
|
|
|
}
|
1999-12-10 04:21:04 +00:00
|
|
|
}
|
2012-05-28 01:17:48 +00:00
|
|
|
#endif
|
2014-10-12 18:56:12 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Editor modelines - http://www.wireshark.org/tools/modelines.html
|
|
|
|
|
*
|
|
|
|
|
* Local Variables:
|
|
|
|
|
* c-basic-offset: 2
|
|
|
|
|
* tab-width: 8
|
|
|
|
|
* indent-tabs-mode: nil
|
|
|
|
|
* End:
|
|
|
|
|
*
|
|
|
|
|
* ex: set shiftwidth=2 tabstop=8 expandtab:
|
|
|
|
|
* :indentSize=2:tabSize=8:noTabs=true:
|
|
|
|
|
*/
|