frame_data* CaptureFile::readPacket(int *err, gchar **err_info, gint64* data_offset) { count++; gboolean ret; frame_data *fdata; /* Wireshark function extracts next packet for dissection */ ret = wtap_read(wth, err, err_info, data_offset); fill_in_fdata(fdata, *data_offset); if (ret) return fdata; else return NULL; }
static gboolean process_packet(capture_file *cf, gint64 offset, const struct wtap_pkthdr *whdr, const guchar *pd) { frame_data fdata; gboolean create_proto_tree; epan_dissect_t edt; gboolean passed; union wtap_pseudo_header pseudo_header; int i; if(whdr->len == 0) { /* The user sends an empty packet when he wants to get output from us even if we don't currently have packets to process. We spit out a line with the timestamp and the text "void" */ printf("%lu %lu %lu void -\n", (unsigned long int)cf->count, (unsigned long int)whdr->ts.secs, (unsigned long int)whdr->ts.nsecs); fflush(stdout); return FALSE; } memset(&pseudo_header, 0, sizeof(pseudo_header)); /* Count this packet. */ cf->count++; /* If we're going to print packet information, or we're going to run a read filter, or we're going to process taps, set up to do a dissection and do so. */ fill_in_fdata(&fdata, cf, whdr, offset); passed = TRUE; create_proto_tree = TRUE; /* The protocol tree will be "visible", i.e., printed, only if we're printing packet details, which is true if we're in verbose mode ("verbose" is true). */ epan_dissect_init(&edt, create_proto_tree, FALSE); /* If we're running a read filter, prime the epan_dissect_t with that filter. */ if (n_rfilters > 0) { for(i = 0; i < n_rfcodes; i++) { epan_dissect_prime_dfilter(&edt, rfcodes[i]); } } tap_queue_init(&edt); printf("%lu", (unsigned long int)cf->count); /* We only need the columns if we're printing packet info but we're *not* verbose; in verbose mode, we print the protocol tree, not the protocol summary. */ epan_dissect_run(&edt, &pseudo_header, pd, &fdata, &cf->cinfo); tap_push_tapped_queue(&edt); for(i = 0; i < n_rfilters; i++) { /* Run the read filter if we have one. */ if (rfcodes[i]) passed = dfilter_apply_edt(rfcodes[i], &edt); else passed = TRUE; /* Print a one-line summary */ printf(" %u", passed ? 1 : 0); } printf(" -\n"); /* The ANSI C standard does not appear to *require* that a line-buffered stream be flushed to the host environment whenever a newline is written, it just says that, on such a stream, characters "are intended to be transmitted to or from the host environment as a block when a new-line character is encountered". The Visual C++ 6.0 C implementation doesn't do what is intended; even if you set a stream to be line-buffered, it still doesn't flush the buffer at the end of every line. So, if the "-l" flag was specified, we flush the standard output at the end of a packet. This will do the right thing if we're printing packet summary lines, and, as we print the entire protocol tree for a single packet without waiting for anything to happen, it should be as good as line-buffered mode if we're printing protocol trees. (The whole reason for the "-l" flag in either tcpdump or Rawshark is to allow the output of a live capture to be piped to a program or script and to have that script see the information for the packet as soon as it's printed, rather than having to wait until a standard I/O buffer fills up. */ if (line_buffered) fflush(stdout); if (ferror(stdout)) { show_print_file_io_error(errno); exit(2); } epan_dissect_cleanup(&edt); clear_fdata(&fdata); return passed; }