which could use lseek() and were thus expensive due to system call
overhead. To avoid making a system call for every packet on a
sequential read, we maintained a data_offset field in the wtap structure
for sequential reads.
It's now a routine that just returns information from the FILE_T data
structure, so it's cheap. Use it, rather than maintaining the data_offset
field.
Readers for some file formats need to maintain file offset themselves;
have them do so in their private data structures.
svn path=/trunk/; revision=42423
by Wiretap, to indicate whether certain fields in that structure
actually have data in them.
Use the "time stamp present" flag to omit showing time stamp information
for packets (and "packets") that don't have time stamps; don't bother
working very hard to "fake" a time stamp for data files.
Use the "interface ID present" flag to omit the interface ID for packets
that don't have an interface ID.
We don't use the "captured length, separate from packet length, present"
flag to omit the captured length; that flag might be present but equal
to the packet length, and if you want to know if a packet was cut short
by a snapshot length, comparing the values would be the way to do that.
More work is needed to have wiretap/pcapng.c properly report the flags,
e.g. reporting no time stamp being present for a Simple Packet Block.
svn path=/trunk/; revision=41185
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
First bug: The Network Instruments Observer file format abbreviation is
incorrect. It is "niobserverv" instead of "niobserver", which is probably a
vestige from 1.4 when the abbreviation was "niobserverv9".
Second bug: The packet header magic number field is correctly swapped the first
time when reading the entire packet header. It is incorrectly swapped yet again
when reporting an invalid value. Both swaps use GUINT_FROM_LE, which is a no-op
on little-endian platforms. But the error message that is displayed to users of
big-endian platforms will contain a byte-reversed value.
svn path=/trunk/; revision=39392
same.
Add to wiretap/pcap-common.c a routine to fill in the pseudo-header for
ATM (by looking at the VPI, VCI, and packet data, and guessing) and
Ethernet (setting the FCS length appropriately). Use it for both pcap
and pcap-ng files.
svn path=/trunk/; revision=38840
This patch incorporates the following fixes from the patch attached to
bug 5671 with changes as noted below:
1.) Files where the packet header and packet data are noncontiguous are
handled improperly, resulting in read misalignment and ultimately the
error message, "Observer: bad record: Invalid magic number 0xXXXXXXXX."
This bug is caused by not obeying the packet_entry_header.offset_to_frame
field.
2.) Daylight savings time is not properly accounted for in files using
local time encoding.
3.) As of Observer/GigaStor v13.10 (bug 5671 incorrectly stated v14),
timestamps in the file format changed from local time encoding to GMT
encoding. Wiretap has been changed to support reading both formats.
Patch submitted with bug 5671 added a separate file type to allow
writing local format. This patch does not add the separate file type
and always writes GMT.
4.) The wtap_dumper.bytes_dumped field is not being properly incremented
as data is written to files.
This patch also incorporates the following additional enhancements /
fixes not in bug 5671:
1.) Support for reading BFR files which contain Fibre Channel captures.
Test file Fibre_Channel_Capture.bfr attached.
2.) Support for modified file header used in upcoming v15. New header
file format takes an unused byte from the version string to allow for a
larger offset to the first packet to be specified. Test file
V15_Lrg_Hdr_Test.bfr is attached, it is also a fuzz test as the number
of TLV items given in the header is less then the actual.
3.) It was found that if the number of TLV items given in the header was
larger then present it would fail to open the file. Test file
V9_Num_TLVs_Too_Big.bfr is attached.
svn path=/trunk/; revision=36970
file before doing any writes - it starts out at the beginning of the
file. This means that you *can* write a Network Instruments capture
file to a pipe, or write it out in compressed form, now that its
dump_open routine no longer seeks.
NetXRay format and K12 binary format, however, *do* require a seek when
writing them.
svn path=/trunk/; revision=36776
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
can't be saved in compress form" are both equivalent to "this file file
format requires seeking when writing it". Change the "can compress"
Boolean in the file format table to "writing requires seeking", give all
the entries the proper value, and do the checks for attempting to write
a file format to a pipe or write it in compressed format to common code.
This means we don't need to pass the "can't seek" flag to the dump open
routines.
svn path=/trunk/; revision=36575
file_read(buf, bsize, count, file) macro is compilant with fread
function and takes elements count+ size of each element, however to make
it compilant with gzread() it always returns number of bytes.
In wiretap file_read() this is not really used, file_read is called
either with bsize set to 1 or count to 1.
Attached patch remove bsize argument from macro.
svn path=/trunk/; revision=36491
wtap_dump_file_write(). Replace various wrappers around fwrite() with
wtap_dump_file_write(), or at least make the wrappers call
wtap_dump_file_write().
svn path=/trunk/; revision=33116
wtap-int.h, and change the unions of pointers to those private data
structures into just void *'s.
Have the generic wtap close routine free up the private data, rather
than the type-specific close routine, just as the wtap_dumper close
routine does for its private data. Get rid of close routines that don't
do anything any more.
svn path=/trunk/; revision=32015
Put the code to read the packet header and the packet data into routines
(which also fixes some places where observer_seek_read() was using the
sequential file handle rather than the random file handle), make the
packet header reader skip over the TLVs,
Do some additional sanity checking.
Wiretap supports nanosecond resolution; provide nanosecond resolution
time stamps.
Rename some structure members to match their purpose (they're TLV
counts, not flags).
Remove the TLV header from the TLV structures (and eliminate TLV
structures if we don't have the contents or they're just a string); if
we process them, we'll probably end up reading the header and data
separately.
Add some information about some of the TLVs in expert information packets.
svn path=/trunk/; revision=17870
- automatic adjustment depending on file format
- manual adjustment through menu items
save the setting in the recent file
svn path=/trunk/; revision=15534
I've done more than a day to change the timestamp resolution from microseconds to nanoseconds. As I really don't want to loose those changes, I'm going to check in the changes I've done so far. Hopefully someone else will give me a helping hand with the things left ...
What's done: I've changed the timestamp resolution from usec to nsec in almost any place in the sources. I've changed parts of the implementation in nstime.s/.h and a lot of places elsewhere.
As I don't understand the editcap source (well, I'm maybe just too tired right now), hopefully someone else might be able to fix this soon.
Doing all those changes, we get native nanosecond timestamp resolution in Ethereal. After fixing all the remaining issues, I'll take a look how to display this in a convenient way...
As I've also changed the wiretap timestamp resolution from usec to nsec we might want to change the wiretap version number...
svn path=/trunk/; revision=15520
they have LF at the end of the line on UN*X and CR/LF on Windows;
hopefully this means that if a CR/LF version is checked in on Windows,
the CRs will be stripped so that they show up only when checked out on
Windows, not on UN*X.
svn path=/trunk/; revision=11400
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2000, 00:00:00 *local* time. The amount to add to that is just the UNIX
time stamp value for that point in time; get it with "mktime()".
svn path=/trunk/; revision=8854
get rid of the reference to its "tm_gmtoff" member - there are platforms
on which Ethereal runs that don't have "tm_gmtoff" in "struct tm". If
the time stamp in the packets is nanoseconds since midnight 2001-01-01
*local* time, we'd need to compute the offset between that and midnight
2000-01-01 GMT, and adjust the time with that.
svn path=/trunk/; revision=8842
Guy Harris