we weren't even able to start a capture, rather than delivering a fake
"capture start" indication and relying on a later "capture file closed"
indication - for a capture that was never opened in the first place - to
handle GUI cleanups.
Don't deliver any GUI indications in cf_close() if we didn't have a
capture file open in the first place.
Clear the status bar and welcome header if that indication is delivered.
If we start a capture from the command line with the -k flag, don't show
the captured packet information unless the capture actually starts.
svn path=/trunk/; revision=41521
clickable to open an edit window.
- Add checks for NULL pointers.
Help with a different color LED possibly with Jeff's (c) in it apreceated.
Should the LED be placed elsewhere or the whole thing done differently?
svn path=/trunk/; revision=41242
make Save-As/Displayed/All-Packets save not only the displayed packets but
also any other packets needed (e.g., for reassembly) to fully dissect the
displayed packets.
This works only for the "All packets" case; choosing only the Selected packet,
the Marked packets, or a range of packets would require actually storing which
packets depend on which (too much memory) or going through the packet list many
times (too slow). Also, this behavior is always the case: you can't save the
displayed packets without their dependencies (I don't see why this would be
desirable).
So far this is done for SCTP and things using the reassembly routines (TCP has
been tested).
The Win32 dialog was modified but hasn't been tested yet.
One confusing aspect of the UI is that the Displayed count in the Save-As
dialog does not match the number of displayed packets. (I tried renaming the
button "Displayed + Dependencies" but it looked too big.) The tooltip tries
to explain this and the fact that this works only in the All-Packets case;
suggestions for improvement are welcome.
Implementation details:
Dissectors (or the reassembly code) can list frames which were needed to
build the current frame's tree. If the current frame passes the display
filter then each listed frame is marked as "depended upon" (this takes up the
last free frame_data flag).
When performing a Save-As/Displayed/All-Packets then choose packets which
passed the dfilter _or_ are depended upon.
svn path=/trunk/; revision=41216
the details of what in particular is unsupported; report it in TShark
and Wireshark.
Handle WTAP_ERR_RANDOM_OPEN_PIPE in TShark.
Handle WTAP_ERR_COMPRESSION_NOT_SUPPORTED in TShark, and have its error
message in Wireshark not speak of gzip, in case we support compressed
output in other formats in the future.
If we see a second section header block in a pcap-NG file, don't report
it as "the file is corrupted", report it as "the file uses a feature we
don't support", as that's the case - and don't free up the interface
data array, as the file remains open, and Wireshark might still try to
access the packets we were able to read.
svn path=/trunk/; revision=41041
This is POC we may want to have more efficient use of the frame data
structure etc. But this allows for work to be done on the GUI to actually add comments.
svn path=/trunk/; revision=40969
the ui directory. (Perhaps some other files that would be used by all
flavors of Wireshark, for any GUI toolkit or for someting such as
ncurses, and not for any command-line tool such as TShark, should be
moved there as well.)
Shuffle some #includes to put the "ui/XXX.h" includes together.
svn path=/trunk/; revision=40529
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
to return a pointer to the merge_in_file_t that got the error. Set *err
to 0 on success and an error code on an err, treat a null return as an
EOF indication, and if we don't get a null return check for a non-zero
error code and treat that as an I/O error.
svn path=/trunk/; revision=39964
type" when writing out a capture file (i.e., writing a
per-packet-encapsulation capture to a file type that supports it but
doesn't support one of the packet's encapsulations), report the packet
number and, when doing this in a merge operation, report the file from
which it came.
When reporting "sorry, that file can't be written to a file of that
type, period", show the file type rather than the input file link-layer
type that causes the problem. (We could show both. We could be
*really* ambitious and iterate through all possible file types and show
the ones that will or at least might work....)
file_write_error_message() is documented as handling only UNIX-style
errnos, and libwireshark should be usable without libwiretap, so leave
it up to its callers to handle Wiretap errors such as
WTAP_ERR_SHORT_WRITE.
Clean up indentation.
svn path=/trunk/; revision=39949
My attachment adds a link to a XSLT file to the preamble of the PDML.
The XSLT will transform the PDML to a HTML page, and the HTML page
features a look similar to Wireshark. See
http://cubic.org/~doj/ebay/a.pdml for an example.
The patch also contains a small perl program which converts the
Wireshark colortable into javascript code which is used in the XSLT
file. If you want to use a different color scheme you would execute the
perl program and insert the generated javascript function into your XSLT
file.
To view the HTML you could either place the PDML and XSLT file on your
webserver and verify that your webserver sends the PDML file as
"text/xml". Then your webbrowser will find the linked XSLT file,
download that as well and convert the PDML to HTML on the fly.
You could also use an XSLT processor like xsltproc to convert the PDML
and XSLT into a static HTML file.
From me:
Minor fixups.
svn path=/trunk/; revision=37298
the file, rather than the offset in the uncompressed data stream. That
way we don't get the "hey, we're more than 100% into the file, better
refigure this" surprise.
svn path=/trunk/; revision=37025
sequence of frame_data structures, indexed by the frame number. Extract
the relevant bits of the capture_file data structure and move them to
the frame_data_sequence, and move the relevant code from cfile.c and
tweak it to handle frame_data_sequence structures.
Have a possibly-null pointer to a frame_data_sequence structure in the
capture_file structure; if it's null, we aren't keeping a sequence of
frame_data structures (we don't keep that sequence when we're doing
one-pass processing in TShark).
Nothing in libwireshark should care about a capture_file structure; get
rid of some unnecessary includes of cfile.h.
svn path=/trunk/; revision=36881
This lets us get rid of the per-frame_data-structure prev and next
pointers, saving memory (at least according to Activity Monitor's report
of the virtual address space size on my Snow Leopard machine, it's a
noticeable saving), and lets us look up frame_data structures by frame
number in O(log2(number of frames)) time rather than O(number of frames)
time. It seems to take more CPU time when reading in the file, but
seems to go from "finished reading in all the packets" to "displaying
the packets" faster and seems to free up the frame_data structures
faster when closing the file.
It *is* doing more copying, currently, as we now don't allocate the
frame_data structure until after the packet has passed the read filter,
so that might account for the additional CPU time.
(Oh, and, for what it's worth, on an LP64 platform, a frame_data
structure is exactly 128 bytes long. However, there's more stuff to
remove, so the power-of-2 size is not guaranteed to remain, and it's not
a power-of-2 size on an ILP32 platform.)
It also means we don't need GLib 2.10 or later for the two-pass mode in
TShark.
It also means some code in the TCP dissector that was checking
pinfo->fd->next to see if it's NULL, in order to see if this is the last
packet in the file, no longer works, but that wasn't guaranteed to work
anyway:
we might be doing a one-pass read through the capture in TShark;
we might be dissecting the frame while we're reading in the
packets for the first time in Wireshark;
we might be doing a live capture in Wireshark;
in which case packets might be prematurely considered "the last packet".
#if 0 the no-longer-working tests, pending figuring out a better way of
doing it.
svn path=/trunk/; revision=36849
Make the loops that scan through all the packets do so by frame number,
to abstract away the "next" and "previous" pointers in the frame_data
structure. Add a routine to cfile.c to map frame numbers to frame_data
structures, and put in some special case handling so scanning forward or
backward through the packets is O(N) rather than O(N^2).
svn path=/trunk/; revision=36846
so get rid of the select_flag argument, and rename it
new_packet_list_select_row_from_data().
It's also always passed a frame_data *, so make its argument a
frame_data *.
Its return value is used only to detect whether the packet was found in
the display or not, so make it a gboolean. Check it in *all* cases
where it's called, and change the dialog message a bit (the most likely
cause is that the user cancelled a redissection of the packets, so not
all packets in the capture file are in the display.
Also, in the find case, pass it the new packet we found.
svn path=/trunk/; revision=36839
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
may happen if, when reading a compressed file, we find an error in the
file's contents past the last packet (e.g., the file being cut short so
that we can't get a full buffer worth of compressed data), and that
reporting of that error is delayed (so that you can get all of the
packets that we *can* decompress). Check for those errors, at least on
the sequential read pass (the only errors we should see when closing the
random stream are errors we've already seen in the sequential stream).
svn path=/trunk/; revision=36576
support; TShark has read+write support. Additionally TShark can read a
"hosts" file and write those records to a capture file.
This uses "struct addrinfo" in many places and probably won't compile on
some platforms.
svn path=/trunk/; revision=36318
pointers, as there's code that assumes that if they're not set to null
pointers, they're set correctly, and doesn't bother setting them to the
right value.
svn path=/trunk/; revision=36252
ruengeler