Beispiel #1
0
void
epan_dissect_run_with_taps(epan_dissect_t *edt, struct wtap_pkthdr *phdr,
        const guint8* data, frame_data *fd, column_info *cinfo)
{
	tap_queue_init(edt);
	dissect_packet(edt, phdr, data, fd, cinfo);
	tap_push_tapped_queue(edt);

	/* free all memory allocated */
	ep_free_all();
}
Beispiel #2
0
void
epan_dissect_file_run_with_taps(epan_dissect_t *edt, struct wtap_pkthdr *phdr,
        tvbuff_t *tvb, frame_data *fd, column_info *cinfo)
{
	wmem_enter_packet_scope();
	tap_queue_init(edt);
	dissect_file(edt, phdr, tvb, fd, cinfo);
	tap_push_tapped_queue(edt);

	/* free all memory allocated */
	wmem_leave_packet_scope();
}
/**
 * Given a handle on a capture file, and an offset within that file,
 * this function will read a packet and decide if it matches the display
 * filter.  If it does, it calls proto_tree_get_fields() to read specific fields
 * into stdata.
 * 
 * @return passed a boolean describing whether the packet matched the filter.
 */
gboolean process_packet(capture_file *cf, gint64 offset, st_data_t *stdata)
{
  frame_data fdata;
  epan_dissect_t edt;
  gboolean passed;

  const struct wtap_pkthdr *whdr = wtap_phdr(cf->wth);
  union wtap_pseudo_header *pseudo_header = wtap_pseudoheader(cf->wth);
  const guchar *pd = wtap_buf_ptr(cf->wth);

  /* Count this packet.
     NB: the frame dissector uses this to determine frame.number
  */
  cf->count++;

  /**
   * Initialize dissector tree
   */
  epan_dissect_init(&edt, TRUE, TRUE);

  frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);

  frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
                                &first_ts, &prev_dis_ts, &prev_cap_ts);

  passed = TRUE;

  // AB: prime the epan_dissect_t with the dfilter.
  if(cf->rfcode)
    {
      epan_dissect_prime_dfilter(&edt, cf->rfcode);
    }

  tap_queue_init(&edt);

  /**
   * Run the dissector on this packet
   */
  epan_dissect_run(&edt, pseudo_header, pd, &fdata, NULL);

  tap_push_tapped_queue(&edt);
  
  // AB: Run the read filter
  if(cf->rfcode)
    {
      passed = dfilter_apply_edt(cf->rfcode, &edt);
    }
  else
    {
      passed = TRUE;
    }

  if(passed)
    {
      frame_data_set_after_dissect(&fdata, &cum_bytes, &prev_dis_ts);

      // stdata could be NULL if we are just counting packets
      if(stdata != NULL)
        proto_tree_get_fields(stdata, &edt);
    }

  epan_dissect_cleanup(&edt);
  frame_data_cleanup(&fdata);

  return passed;
}
Beispiel #4
0
static gboolean
process_packet(capture_file *cf, gint64 offset, const struct wtap_pkthdr *whdr,
               const guchar *pd)
{
  frame_data fdata;
  gboolean create_proto_tree;
  epan_dissect_t edt;
  gboolean passed;
  union wtap_pseudo_header pseudo_header;
  int i;

  if(whdr->len == 0)
  {
	  /* The user sends an empty packet when he wants to get output from us even if we don't currently have
	     packets to process. We spit out a line with the timestamp and the text "void"
	  */
	  printf("%lu %lu %lu void -\n", (unsigned long int)cf->count,
		  (unsigned long int)whdr->ts.secs,
		  (unsigned long int)whdr->ts.nsecs);

	  fflush(stdout);

	  return FALSE;
  }

  memset(&pseudo_header, 0, sizeof(pseudo_header));

  /* Count this packet. */
  cf->count++;

  /* If we're going to print packet information, or we're going to
     run a read filter, or we're going to process taps, set up to
     do a dissection and do so. */
  fill_in_fdata(&fdata, cf, whdr, offset);

  passed = TRUE;
  create_proto_tree = TRUE;

  /* The protocol tree will be "visible", i.e., printed, only if we're
     printing packet details, which is true if we're in verbose mode ("verbose"
     is true). */
  epan_dissect_init(&edt, create_proto_tree, FALSE);

  /* If we're running a read filter, prime the epan_dissect_t with that
     filter. */
  if (n_rfilters > 0) {
    for(i = 0; i < n_rfcodes; i++) {
      epan_dissect_prime_dfilter(&edt, rfcodes[i]);
    }
  }

  tap_queue_init(&edt);

  printf("%lu", (unsigned long int)cf->count);

  /* We only need the columns if we're printing packet info but we're
     *not* verbose; in verbose mode, we print the protocol tree, not
     the protocol summary. */
  epan_dissect_run(&edt, &pseudo_header, pd, &fdata, &cf->cinfo);

  tap_push_tapped_queue(&edt);

  for(i = 0; i < n_rfilters; i++) {
    /* Run the read filter if we have one. */
    if (rfcodes[i])
      passed = dfilter_apply_edt(rfcodes[i], &edt);
    else
      passed = TRUE;

    /* Print a one-line summary */
    printf(" %u", passed ? 1 : 0);
  }

  printf(" -\n");

  /* The ANSI C standard does not appear to *require* that a line-buffered
     stream be flushed to the host environment whenever a newline is
     written, it just says that, on such a stream, characters "are
     intended to be transmitted to or from the host environment as a
     block when a new-line character is encountered".

     The Visual C++ 6.0 C implementation doesn't do what is intended;
     even if you set a stream to be line-buffered, it still doesn't
     flush the buffer at the end of every line.

     So, if the "-l" flag was specified, we flush the standard output
     at the end of a packet.  This will do the right thing if we're
     printing packet summary lines, and, as we print the entire protocol
     tree for a single packet without waiting for anything to happen,
     it should be as good as line-buffered mode if we're printing
     protocol trees.  (The whole reason for the "-l" flag in either
     tcpdump or Rawshark is to allow the output of a live capture to
     be piped to a program or script and to have that script see the
     information for the packet as soon as it's printed, rather than
     having to wait until a standard I/O buffer fills up. */
  if (line_buffered)
    fflush(stdout);

  if (ferror(stdout)) {
    show_print_file_io_error(errno);
    exit(2);
  }

  epan_dissect_cleanup(&edt);
  clear_fdata(&fdata);

  return passed;
}