sequence of frame_data structures, indexed by the frame number. Extract
the relevant bits of the capture_file data structure and move them to
the frame_data_sequence, and move the relevant code from cfile.c and
tweak it to handle frame_data_sequence structures.
Have a possibly-null pointer to a frame_data_sequence structure in the
capture_file structure; if it's null, we aren't keeping a sequence of
frame_data structures (we don't keep that sequence when we're doing
one-pass processing in TShark).
Nothing in libwireshark should care about a capture_file structure; get
rid of some unnecessary includes of cfile.h.
svn path=/trunk/; revision=36881
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
    we might be doing a one-pass read through the capture in TShark;
    we might be dissecting the frame while we're reading in the
    packets for the first time in Wireshark;
    we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
Make the loops that scan through all the packets do so by frame number,
to abstract away the "next" and "previous" pointers in the frame_data
structure. Add a routine to cfile.c to map frame numbers to frame_data
structures, and put in some special case handling so scanning forward or
backward through the packets is O(N) rather than O(N^2).
svn path=/trunk/; revision=36846
so get rid of the select_flag argument, and rename it
new_packet_list_select_row_from_data().
It's also always passed a frame_data *, so make its argument a
frame_data *.
Its return value is used only to detect whether the packet was found in
the display or not, so make it a gboolean. Check it in *all* cases
where it's called, and change the dialog message a bit (the most likely
cause is that the user cancelled a redissection of the packets, so not
all packets in the capture file are in the display).
Also, in the find case, pass it the new packet we found.
svn path=/trunk/; revision=36839
by the gunzipping code. Have it also supply an err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
may happen if, when reading a compressed file, we find an error in the
file's contents past the last packet (e.g., the file being cut short so
that we can't get a full buffer worth of compressed data), and that
reporting of that error is delayed (so that you can get all of the
packets that we *can* decompress). Check for those errors, at least on
the sequential read pass (the only errors we should see when closing the
random stream are errors we've already seen in the sequential stream).
svn path=/trunk/; revision=36576
support; TShark has read+write support. Additionally TShark can read a
"hosts" file and write those records to a capture file.
This uses "struct addrinfo" in many places and probably won't compile on
some platforms.
svn path=/trunk/; revision=36318
pointers, as there's code that assumes that if they're not set to null
pointers, they're set correctly, and doesn't bother setting them to the
right value.
svn path=/trunk/; revision=36252
pointers to null strings, rather than a bunch of null pointers, so that
if an exception is thrown before we set any of the columns, or some
other problem occurs, we don't end up with null pointers that could
later cause a crash.
Fix indentation.
svn path=/trunk/; revision=36234
In convert_string_case() use g_utf8_strup() instead of converting each
character by hand. Hopefully this won't cause any unexpected changes in
behavior.
svn path=/trunk/; revision=36006
use GTK+ data types, so, at least in theory, it could be implemented
atop another toolkit.
Make statusbar_push_temporary_msg() take a format string and format
arguments. Use it instead of simple_status(), and change one call to
just take a format string and arguments rather than to take the result
of using that format string and arguments with g_strdup_printf() and
passing the result to statusbar_push_temporary_msg().
svn path=/trunk/; revision=35041
Continue to use the data offset ((uncompressed) bytes read) as our progress
indicator, at least until we get a progress value greater than 1.0. Then,
in addition to checking if the size of the file changed, check our position in
the file and use that as our progress indicator.
This optimizes uncompressed file accesses (avoiding an lseek()) at the "expense"
of switching progress measures (from data read to position in the file) while
loading a file. Tests have shown that the progress bar never shows the data
offset number when loading a compressed file, so this should be okay.
svn path=/trunk/; revision=34563
1. Restore the functionality of <Ctrl>A and <Ctrl>X to the filter textbox.
2. Assign intuitive shortcuts without consuming any new shortcut letters.
3. Add 'Un-Time Reference All Packets' to the menu.
4. Disallow the marking or ignoring of all packets in the capture.
5. Make the Mark/Ignore/Time Reference-related menu items context sensitive.
6. Add 'ref_time_count' to the capture_file structure
7. Utilize marked/ignored/ref_time_count vars to prevent needless looping thru
the entire packet list by exiting the loop when it becomes zero.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5115
svn path=/trunk/; revision=33817
that you can tell from examination whether the search is forward or
backward.
Make the cf_find_packet routines take the direction as an explicit
argument, rather than, in the cases where you don't want to permanently
set the direction, saving the direction in the capture_file structure,
changing it, doing the search, and restoring the saved direction. Give
more information in the Doxygen comments for those routines.
Add a cf_find_packet_dfilter_string() routine, which takes a filter
string rather than a compiled filter as an argument. Replace
find_previous_next_frame_with_filter() with it.
Have cf_read_frame_r() and cf_read_frame() pop up the error dialog if
the read fails, rather than leaving that up to its caller. That lets us
eliminate cf_read_error_message(), by swallowing its code into
cf_read_frame_r(). Add Doxygen comments for cf_read_frame_r() and
cf_read_frame().
Don't have find_packet() read the packet before calling the callback
routine; leave that up to the callback routine.
Add cf_find_packet_marked(), to find the next or previous marked packet,
and cf_find_packet_time_reference(), to find the next or previous time
reference packet. Those routines do *not* need to read the packet data
to see if it matches; that lets them run much faster.
Clean up indentation.
svn path=/trunk/; revision=33791
updates are off and which sets the capture file state to a value that
won't cause an assertion when the user stops capturing. Fixes bug 4035.
svn path=/trunk/; revision=33005
we can use it in the main window title during and after capture. Add a
"-X" option for providing a description for stdin.
svn path=/trunk/; revision=32357
As now, when Wireshark saves capture files, it shows "Loading" in the status bar and
in the dialog box, warning many users of losing their packets. Saving works as expected.
It is simply a GUI user interaction problem.
svn path=/trunk/; revision=31269
statusbar. This lets us notify the user about something significant
without having to pop up an annoying window. Replace a few dialogs with
statusbar messages.
svn path=/trunk/; revision=30810
Setting focus in new_packet_list_moveto_end() also seems to be needed to make it work properly; I'm not 100% sure if it should be done differently.
svn path=/trunk/; revision=30074
cleanup_dissection() calls se_free_all(), and after that fdata->col_text (which is allocated using se_alloc0()) no longer points to valid memory.
svn path=/trunk/; revision=29920
- Calculate the progress before checking if progress bar should be
created or not.
- Don't update the progress too often on small files.
- Use data_offset rather than reading file_pos.
svn path=/trunk/; revision=29648
This patch fixes the "Decode as" crash. We now freeze the packetlist before
attempting to clear it. This way we don't have to issue a row deleted signal
either.
svn path=/trunk/; revision=29238
to store (most) of the underlying data rather than the strings in the store and render it when we need it, thus saving storage space and loading time.
Ideally we should not store the complete fdata or pinfo structures
but rather just the data relevant to the currently selected/used columns. I'm not entirely sure how to accomplish that however.
Dynamically allocated array to hold pointers to the actual data?
svn path=/trunk/; revision=29237
enabling/disabling the coloring of the packet list from the menus, the user
has to drag the mouse cursor over each displayed row to take away/add the
coloring. Dragging the scroll bar up or down will also take care of this as
only the displayed rows are colored.
svn path=/trunk/; revision=29142
To use the GTK2 based packet list, define NEW_PACKET_LIST when compiling.
To do this with gcc, set the environment variable CPPFLAGS to
"-DNEW_PACKET_LIST" and re-run configure.
Many features do not yet work. This work began with prototypes by Ulf
quite a while back. I've put quite a bit of work into this so far, and
as discussed with a few of the core team members at Sharkfest09, it was
decided that it would be best to commit what I have so far to allow others to
help work on this.
svn path=/trunk/; revision=28892
a protocol tree;
the column values.
This includes stats-tree listeners.
Have the routines to build the packet list, and to retap packets, honor
those requirements. This means that cf_retap_packets() no longer needs
an argument to specify whether to construct the column values or not, so
get rid of that argument.
This also means that there's no need for a tap to have a fake filter
to ensure that the protocol tree will be built, so don't set up a fake
"frame" filter.
While we're at it, clean up some cases where "no filter" was represented
as a null string rather than a null pointer.
Have a routine to return an indication of the number of tap listeners
with filters; use that rather than the global num_tap_filters.
Clean up some indentation and some gboolean vs. gint items.
svn path=/trunk/; revision=28645
This patch downgrades the g_assert() to a proper if statement. This is needed
because we can end up with a match but _without_ any valid row attached to it.
This is the case when the user has aborted while dissecting.
svn path=/trunk/; revision=28555
when loading files > 50 MB wireshark redraws the first pane on each
update_progress_dlg(). If auto_scroll_live is not set that means it redraws
the same rows again and again.
The patch attached only redraws it once or if cf->displayed_count < 1000, in
case you have a very big screen.
svn path=/trunk/; revision=28475
up (99 44/100% of which were assignments of double-precision
floating-point constants to floats). Hopefully this will catch at least
some P64 issues on UN*X.
svn path=/trunk/; revision=28108
routines handled by epan/report_err.c.
Move copy_binary_file() in file.c to epan/filesystem.c, and rename it to
copy_file_binary_mode() (to clarify that it *can* copy text files;
arguably, *all* files are "binary" unless you're on, say, an IBM 1401
:-)). Have it use the report_err.c routines, so it works in
console-mode programs.
Clean up some comments while we're at it.
svn path=/trunk/; revision=27456
Up till now every packet in the packet list got a copy of the pointer to the filter expressions for
the last packet's columns. Hence any 'Copy as Filter' on a column got the expression of the last
packet in the packet list. Instead every packet needs to get a pointer to the filter expressions
for its own columns. This requires making a copy of the filter expressions themselves.
Since this is a bug in 1.0 as well, the GLIB1 code is provided for backporting, which can later be dropped from the development tree.
svn path=/trunk/; revision=27396
We might receive new packets while redissecting and don't want to
dissect those before the packet-list is fully rebuilt.
svn path=/trunk/; revision=26309
capture callbacks the capture_options * as its second argument in all
cases. This makes it a bit clearer what arguments callbacks take, and
means we can get rid of all global_capture_opts references in
gtk/main_statusbar.c.
Put the interface between gtk/main.c and gtk/main_statusbar.c into a
private header.
svn path=/trunk/; revision=25576
Not implemented for conversation relative and delta time yet, because this
will need a reload as they are set by the dissectors and do not exist in
the frame data.
svn path=/trunk/; revision=25452
g_mallocated string, so it's not const.
Fix a comment to reflect reality (err_info is some additional
information about the error returned by Wiretap, e.g. some gory details
about the error, mainly useful to developers and support people).
svn path=/trunk/; revision=25401
libwireshark (and the plugins using those functions) do not depend on
wiretap on Windows.
While doing that, rename the eth_* functions to ws_*.
svn path=/trunk/; revision=25354
Attached is a patch to export packets data as "C Arrays". I often have
the need to [re]send data captured with wireshark using a raw/pf_packet socket.
Output format is one char[] per packet, it looks almost the same as
the one produced by "Follow TCP stream".
svn path=/trunk/; revision=24604
- Change apply / prepare / ... as filter to use the field's value, which
is now stored in fdata as well as cinfo. Now we don't have to reprocess
the entire packet list when using these features. This also prevents
the use of these features from overwriting custom column information.
(custom columns can now be used in apply / prepare ... as filter)
- Break col_expr and col_expr_val out into a struct that is included not only
in cinfo, but now also fdata.
- Have col_custom_set_fstr() quote FT_STRING & FT_STRINGZ when storing the
col_expr_val value (for filter creation).
svn path=/trunk/; revision=24511
type: Custom) that were backed out in SVN revision 24309.
Changes since that revision include a reworking of the handling of the
cfile/cinfo variables in epan/column-utils.c, addition of three new
functions to libwireshark.def and a bug fix to prevent a crash when no
custom columns were in use.
Compilation verified locally on MacOS X, Linux and Windows.
svn path=/trunk/; revision=24317
filter name in the description field and it will display that field in the
packet list if it occurs in that packet. Note that the more common fields
are implemented, but a number of them remain to be implemented in
epan/proto.c. I will work on these other fields as I have time.
svn path=/trunk/; revision=24308
correctly reflect the auto scroll state. Re-enable the ability to use
the auto scroll toolbar button and menu item during a live capture.
svn path=/trunk/; revision=23777
"Automatic scrolling in live capture" are both enabled, make the scroll
bar behavior more natural. If the packet list is scrolled to the
bottom, scroll automatically. If the user scrolls back, keep the packet
list scrolled at that point instead of jumping back to the end.
svn path=/trunk/; revision=22277
These changes allow the packet list clist to be destroyed and recreated
with the new column titles/values/order that the user changed in the
preferences without restarting Wireshark.
svn path=/trunk/; revision=22038
routines and routines using those routines. GLib might use different
modifiers for 64-bit quantities than the platform's C library does.
svn path=/trunk/; revision=21990
Fix for bug #491: Unexpected frame.time_delta behavior
This patch ... fixes bug 491. It does this by changing the
behaviour of the frame.time_delta field so it reflects the delta
time between captured packets (tshark already did this). To keep
the delta time between displayed packets, the field
frame.time_delta_displayed is created.
svn path=/trunk/; revision=21154
directory and most of the plugins to match the same command
put in the Makefile.nmake files for Windows compilations. Fix
a few warnings when compiling under gcc 3.4.4 on FreeBSD. Create
new automake file variable called USING_GCC in configure.in and
wiretap/configure.in to accomplish the above -Werror addition.
svn path=/trunk/; revision=21127
and there are no formats in which the file can be saved by some means
other than copying the raw data; "Save As" isn't a very useful function
in that case, and that prevents us from having an empty list of formats
in which the file can be saved.
svn path=/trunk/; revision=21032
32-bit numbers. Separate signed and unsigned accessors have been
added and used where appropriate.
Definitely not for 0.99.5.
svn path=/trunk/; revision=20472
A BER-encoded file can be dissected as one of a number of registered syntaxes (registered using register_ber_syntax_dissector()).
Syntaxes may also be associated with OIDs (or other strings) using register_ber_oid_syntax().
A default syntax with which to dissect a BER-encoded file is determined from its filename (extension). For example, ".cer" and ".crt" files will be dissected as "Certificate".
svn path=/trunk/; revision=20414
allocate and release the dfcode program as needed instead of having it hang around in the capture file structure.
this will ensure that dfcode will not have longer than se scope lifetime in case we need that property of it later
svn path=/trunk/; revision=20251
As this was a huge internal change, new bugs are very probable - please report.
The implementation still isn't perfect, a new dialog internal list could possibly be removed again.
However, I want to check in at this condition, just in case I make things worse - again.
svn path=/trunk/; revision=19413
file.c
time reference menu callback doesn't set cf->filter, it dumps a core if
you have a file big enough in find next/ find prev.
addr_resolv.c
leak memory, break list chain when snooping address.
svn path=/trunk/; revision=17419
no longer needs util.c, so it no longer includes routines that use
host_ip_af(), so it no longer needs to define its own host_ip_af().
That also means dumpcap.c no longer needs to include <sys/socket.h>.
svn path=/trunk/; revision=17278
button"; "Stop" should be used for operations that can only be stopped
(meaning that what it's already done isn't undone), not cancelled
(meaning that whatever it's already done *is* undone), for which
"Cancel" is used.
Allow the merging process to be cancelled.
Clean up indentation.
Update some comments.
svn path=/trunk/; revision=16489
Anyone having objections to idea of stopping the load of a capture file
i.s.o. cancelling it? I'm referring to WishList Data I/O item #6.
It seems a very reasonable idea and easy to implement.
I've done some extensions:
-Improve the corresponding comment on the implications why this is useful
-added a new simple_dialog text to explain what's really going on (simply using the WTAP truncated packet message was a bit misleading)
svn path=/trunk/; revision=16441
to do this, I've added file_util.h to wiretap (would file_compat.h be a better name?), and provide compat_macros like eth_open() instead of open(). While at it, move other file related things there, like #include <io.h>, definition of O_BINARY and alike, so it's all in one place.
deleted related things from config.h.win32
As of these massive changes, I'm almost certain that this will break the Unix build. I'll keep an eye on the buildbot so hopefully everything is working again soon.
svn path=/trunk/; revision=16403
Rename some variables to make the names used in progress bars more
common. (Should more of that functionality be moved into common
progress bar code?)
svn path=/trunk/; revision=16347
rather than checking only on every progress bar update quantum, so that
if the update quantum is *very* large, we don't end up waiting longer
than the standard time for a dialog box before checking.
svn path=/trunk/; revision=16327
add a g_warning() call if an error occurred while reading from capture file (while doing a live update), usually shouldn't happen but is difficult to debug *if* it happens
add a new log domain LOG_DOMAIN_MAIN and the standard log handler for it
add some (partly commented out) g_log() calls, useful for GUI sequence debugging
svn path=/trunk/; revision=16136
cf_cb_file_closing (called before closing a capture file) cf_cb_file_closed will be called afterwards, but both only if a file is really closed as cf_close is called more often ...
If we are closing large capture files (~20MB), the screen looks ugly while the file is closed. Change this so the screen will immediately go back to initial state and a dialog (without buttons) is shown that the file is currently closed. As the operation which takes most of the time to close the file is a single eth_clist_clear call, we can't use a progress bar here.
cf_cb_live_capture_stopping: called when the user wants to stop the capture (toolbar or menu clicked). At least on Win32, the time between this and the actual stop completed can be noticeable (1-2 seconds), so the user doesn't know if the button press did anything at all. Do something similar as above, show a dialog box without buttons to inform that the close is in progress.
svn path=/trunk/; revision=15891
currently limited to Ethereal and all the variants of libpcap filetypes only.
We might want to add output compression support to the other tools as well (tethereal, mergecap, ...).
We might also want to add support for the other filetypes, but this is only possible if the filetype functions don't use special output operations like fseek.
One bug is still left: if the input and output filetypes while saving are the same, Ethereal currently optimizes this by simply copying the binary file instead of using wiretap (so it will be faster but it will ignore the compress setting).
Don't know a good workaround for this, as I don't know a way to find out if the input file is currently compressed or not. One idea might be to use a heuristic on the filesize (compared to the packet size summary). Another workaround I see is to remove this optimization, which is of course not the way I like to do it ...
svn path=/trunk/; revision=15804
generate columns; use cf_retap_packets instead of cf_redissect_packets()
when running taps (the general flow graph stat uses the Info column).
svn path=/trunk/; revision=15793
"unknown" for frame numbers. Note that in epan/frame_data.h, and make
the frame number in experts unsigned, and use 0 for "unknown", and
display it as an unsigned number - and, if it's 0, don't display it at
all.
Fix the signature of "expert_dlg_draw()" to match what a tap's draw
routine's signature is expected to be.
svn path=/trunk/; revision=15760
- automatic adjustment depending on file format
- manual adjustment through menu items
save the setting in the recent file
svn path=/trunk/; revision=15534
I've done more than a day to change the timestamp resolution from microseconds to nanoseconds. As I really don't want to lose those changes, I'm going to check in the changes I've done so far. Hopefully someone else will give me a helping hand with the things left ...
What's done: I've changed the timestamp resolution from usec to nsec in almost any place in the sources. I've changed parts of the implementation in nstime.s/.h and a lot of places elsewhere.
As I don't understand the editcap source (well, I'm maybe just too tired right now), hopefully someone else might be able to fix this soon.
Doing all those changes, we get native nanosecond timestamp resolution in Ethereal. After fixing all the remaining issues, I'll take a look how to display this in a convenient way...
As I've also changed the wiretap timestamp resolution from usec to nsec we might want to change the wiretap version number...
svn path=/trunk/; revision=15520
filter as an argument on the command line and have a dialog box to enter
the display filter through the GUI. Use it for all stats using
"gtk_tap_dfilter_dlg_cb()".
Add a top-level "stat_menu.h" file to declare "REGISTER_STAT_GROUP_E"
for the benefit of the declaration of "register_dfilter_stat()" in the
top-level "tap_dfilter_dlg.h". Rename the "stat_menu.h" in the gtk
directory to "gtk_stat_menu.h", so as not to have two headers with the
same name.
Get rid of headers not declaring any functions not being used in the
module.
svn path=/trunk/; revision=15493
(so if the file's gzipped, it's *NOT* the size of the file after
uncompressing), and an approximation of the amount of that data read
sequentially so far.
Use those for various progress bars and the like.
Make the fstat() in the Ascend trace reader directly use wth->fd, as
it's inside Wiretap; that gets rid of the last caller of wtap_fd() (as
we're no longer directly using fstat() or lseek() in Ethereal), so get
rid of wtap_fd().
svn path=/trunk/; revision=15437
data, so that "f_len" still keeps the size of the underlying file (which
is necessary in order to make the progress bar when files are being read
work correctly).
svn path=/trunk/; revision=15415
name of the file being loaded to "delayed_create_progress_dlg()". Get
rid of the pointless "g_strdup_printf()" call (which amounted to a
more-expensive "g_strdup()") and the variables it used.
svn path=/trunk/; revision=15248
-show the current capture file size, if capturing in real time mode.
-move the packet "Drops" count (if available) from file to packets statusbar part
svn path=/trunk/; revision=14130
If this is used together with an option where input files change too fast (e.g. new file every second), capturing will be (hopefully) stopped.
I've replaced the former capture pipe message format with a somewhat more general format to remove a lot of confusion.
svn path=/trunk/; revision=14054
most notably:
- moved opening of safe_file to the capture child (capture_loop.c)
- removed save_file_fd from capture_opts (no longer need to have it global)
svn path=/trunk/; revision=13953
structures allocated by a dissection. Currently, it's the same as
"init_dissection()", but they should be split with "init_dissection()"
allocating the initial data structures and "cleanup_dissection()"
freeing them and *not* reallocating the initial data structures.
Use "cleanup_dissection()" in "cf_close()" to make it easier to find leaks.
svn path=/trunk/; revision=13881