Add a new tap flag to indicate that a tap listener is just a "dissector helper",
that is, a tap which is used by a dissector to help it do its dissection but
does not, itself, require dissection.
Use this new flag in the dissectors which register taps.
Remove the (now-unused) have_tap_listeners() function.
svn path=/trunk/; revision=37069
The supplied patch adds a new option -O, which specifies a list of protocols
(names can be found with the "-G protocols" option) to be fully decoded while
the others only show the layer header.
svn path=/trunk/; revision=36947
sequence of frame_data structures, indexed by the frame number. Extract
the relevant bits of the capture_file data structure and move them to
the frame_data_sequence, and move the relevant code from cfile.c and
tweak it to handle frame_data_sequence structures.
Have a possibly-null pointer to a frame_data_sequence structure in the
capture_file structure; if it's null, we aren't keeping a sequence of
frame_data structures (we don't keep that sequence when we're doing
one-pass processing in TShark).
Nothing in libwireshark should care about a capture_file structure; get
rid of some unnecessary includes of cfile.h.
svn path=/trunk/; revision=36881
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
may happen if, when reading a compressed file, we find an error in the
file's contents past the last packet (e.g., the file being cut short so
that we can't get a full buffer worth of compressed data), and that
reporting of that error is delayed (so that you can get all of the
packets that we *can* decompress). Check for those errors, at least on
the sequential read pass (the only errors we should see when closing the
random stream are errors we've already seen in the sequential stream).
svn path=/trunk/; revision=36576
support; TShark has read+write support. Additionally TShark can read a
"hosts" file and write those records to a capture file.
This uses "struct addrinfo" in many places and probably won't compile on
some platforms.
svn path=/trunk/; revision=36318
Global profiles can be installed in a "profiles" directory in the
Global configuration directory, and a global profile will be copied
to the users profiles on first time usage.
svn path=/trunk/; revision=36077
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
libwireshark into libwireshark, and call it only in programs linked with
libwireshark. That way, programs that don't link with libwireshark
don't have to link with libgcrypt or libgnutls solely so that they can
say that they're linked with a particular version of libgcrypt or
libgnutls.
Don't link dumpcap with libgcrypt or libgnutls any more.
svn path=/trunk/; revision=33531
so we give a non-zero exit status for invalid interfaces or capture
filters.
From me: don't exit immediately if dumpcap failed, print out information
from taps and the like.
svn path=/trunk/; revision=33393
The attached patch simply documents a long supported but hidden tshark -G
option.
Tshark's print_usage() has been augmented as well as the tshark man page.
svn path=/trunk/; revision=33253
taps, etc., so we at least print the statistics for the packets we
*could* read.
Also, if we're printing packet data, and the standard output and
standard error are going to the same place, before printing the error
message for that error, flush the standard output and print a newline to
the standard error, so the error appears after all the packet data, and
has a newline separating it from the packet data.
This fixes bug 4845.
svn path=/trunk/; revision=33124
back out the change to check its return value until we fix that.
Also back out the test suite changes to look for an error exit for
invalid capture filters and interfaces.
svn path=/trunk/; revision=33029
Return 2 for a capture error - we mainly use 1 for command-line syntax
errors (rather than, say, filter syntax errors or an invalid interface).
Now that TShark exits with an error status when given an invalid capture
filter or invalid interface, check for "error" rather than "success" as
an exit status.
svn path=/trunk/; revision=33006
is just an indication that the capture child exited; don't treat it as
an error, unless the child process exits with an abnormal status.
As tshark sends a "stop capture" indication to the child when it's
^C'ed, the child will exit and we'll get an EOF from the capture pipe;
don't make SIGINT etc. interrupt system calls, so they don't cause reads
from the capture pipe to get EINTR errors.
svn path=/trunk/; revision=32986
interface statistics, have its error messages come out as sync-pipe
errors, have it send a sync-pipe "success" message on success, and have
the callers get that message and display it.
svn path=/trunk/; revision=32843
build without libpcap, to make sure that works, and then do a build with
libpcap, to put into a binary release. It's the former that's failing;
I'll back out the previous change and then work on that.
svn path=/trunk/; revision=32801
if_capabilities_t - it doesn't fail on Snow Leopard, even if I undefine
HAVE_PCAP_CREATE, and doesn't fail on the Leopard PPC buildbot, either.
svn path=/trunk/; revision=32799
monitor mode at the same time that we fetch its list of link-layer
types. Support fetching that list in monitor mode, as the list may be
different in regular and monitor mode. If the interface supports
monitor mode, when printing the list of link-layer types, indicate
whether they're fetched in monitor mode or not, as tcpdump 4.1.x does.
svn path=/trunk/; revision=32789
libpcap/WinPcap and the capture mechanism atop which they run might
either silently limit the buffer size to a smaller value or raise it to
a higher value - that's the part that's platform-dependent.
svn path=/trunk/; revision=32718
the code to print the machine-readable format into dumpcap, and have the
code in capture_opts.c just print the human-readable format.
svn path=/trunk/; revision=32714
standard error and, in Wireshark on Windows, create a console if
necessary. Have the cmdarg_err routines use them.
Use *fprintf_stderr() to print the output of -L, rather than using
cmdarg_err_cont(), so that we don't get extra newlines in the output (it
should look similar to the output of tcpdump).
svn path=/trunk/; revision=32711
interface by running dumpcap, so that if you need privileges to open an
interface, and dumpcap has those privileges, neither TShark nor
Wireshark need them.
svn path=/trunk/; revision=32710
pcap_set_buffer_size() did as well, so there aren't any libpcap releases
with pcap_create() but not pcap_set_buffer_size().
Only do one check for pcap_create.
svn path=/trunk/; revision=32695
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=475
BUT not activating the check for
pcap_create()
pcap_set_buffer_size()
This should make it possible to build with support for setting the buffersize if not capturing 802.11 traffic.
The code for handling the 'B' option should be OK in any case.
svn path=/trunk/; revision=32688
If the user specifies -V or -x, turn on print_packet_info (-S) so they actually
get some output in case we're also writing to a file.
svn path=/trunk/; revision=32486
Note: This is a behavior change:
Given the default value for the console_log_level preference
tshark will now show ERROR, CRITICAL and WARNING level log messages.
Prior to this change tshark was hardwired to show only
ERROR and CRITICAL level messages.
Time will tell whether this change results in too much noise
in tshark output.
svn path=/trunk/; revision=29328
a protocol tree;
the column values.
This includes stats-tree listeners.
Have the routines to build the packet list, and to retap packets, honor
those requirements. This means that cf_retap_packets() no longer needs
an argument to specify whether to construct the column values or not, so
get rid of that argument.
This also means that there's no need for a tap to have a fake filter
to ensure that the protocol tree will be built, so don't set up a fake
"frame" filter.
While we're at it, clean up some cases where "no filter" was represented
as a null string rather than a null pointer.
Have a routine to return an indication of the number of tap listeners
with filters; use that rather than the global num_tap_filters.
Clean up some indentation and some gboolean vs. gint items.
svn path=/trunk/; revision=28645