void
epan_dissect_run_with_taps(epan_dissect_t *edt, struct wtap_pkthdr *phdr,
const guint8* data, frame_data *fd, column_info *cinfo)
{
tap_queue_init(edt);
dissect_packet(edt, phdr, data, fd, cinfo);
tap_push_tapped_queue(edt);
/* free all memory allocated */
ep_free_all();
}
void
epan_dissect_file_run_with_taps(epan_dissect_t *edt, struct wtap_pkthdr *phdr,
tvbuff_t *tvb, frame_data *fd, column_info *cinfo)
{
wmem_enter_packet_scope();
tap_queue_init(edt);
dissect_file(edt, phdr, tvb, fd, cinfo);
tap_push_tapped_queue(edt);
/* free all memory allocated */
wmem_leave_packet_scope();
}
/**
* Given a handle on a capture file, and an offset within that file,
* this function will read a packet and decide if it matches the display
* filter. If it does, it calls proto_tree_get_fields() to read specific fields
* into stdata.
*
* @return passed a boolean describing whether the packet matched the filter.
*/
gboolean process_packet(capture_file *cf, gint64 offset, st_data_t *stdata)
{
frame_data fdata;
epan_dissect_t edt;
gboolean passed;
const struct wtap_pkthdr *whdr = wtap_phdr(cf->wth);
union wtap_pseudo_header *pseudo_header = wtap_pseudoheader(cf->wth);
const guchar *pd = wtap_buf_ptr(cf->wth);
/* Count this packet.
NB: the frame dissector uses this to determine frame.number
*/
cf->count++;
/**
* Initialize dissector tree
*/
epan_dissect_init(&edt, TRUE, TRUE);
frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
&first_ts, &prev_dis_ts, &prev_cap_ts);
passed = TRUE;
// AB: prime the epan_dissect_t with the dfilter.
if(cf->rfcode)
{
epan_dissect_prime_dfilter(&edt, cf->rfcode);
}
tap_queue_init(&edt);
/**
* Run the dissector on this packet
*/
epan_dissect_run(&edt, pseudo_header, pd, &fdata, NULL);
tap_push_tapped_queue(&edt);
// AB: Run the read filter
if(cf->rfcode)
{
passed = dfilter_apply_edt(cf->rfcode, &edt);
}
else
{
passed = TRUE;
}
if(passed)
{
frame_data_set_after_dissect(&fdata, &cum_bytes, &prev_dis_ts);
// stdata could be NULL if we are just counting packets
if(stdata != NULL)
proto_tree_get_fields(stdata, &edt);
}
epan_dissect_cleanup(&edt);
frame_data_cleanup(&fdata);
return passed;
}
static gboolean
process_packet(capture_file *cf, gint64 offset, const struct wtap_pkthdr *whdr,
const guchar *pd)
{
frame_data fdata;
gboolean create_proto_tree;
epan_dissect_t edt;
gboolean passed;
union wtap_pseudo_header pseudo_header;
int i;
if(whdr->len == 0)
{
/* The user sends an empty packet when he wants to get output from us even if we don't currently have
packets to process. We spit out a line with the timestamp and the text "void"
*/
printf("%lu %lu %lu void -\n", (unsigned long int)cf->count,
(unsigned long int)whdr->ts.secs,
(unsigned long int)whdr->ts.nsecs);
fflush(stdout);
return FALSE;
}
memset(&pseudo_header, 0, sizeof(pseudo_header));
/* Count this packet. */
cf->count++;
/* If we're going to print packet information, or we're going to
run a read filter, or we're going to process taps, set up to
do a dissection and do so. */
fill_in_fdata(&fdata, cf, whdr, offset);
passed = TRUE;
create_proto_tree = TRUE;
/* The protocol tree will be "visible", i.e., printed, only if we're
printing packet details, which is true if we're in verbose mode ("verbose"
is true). */
epan_dissect_init(&edt, create_proto_tree, FALSE);
/* If we're running a read filter, prime the epan_dissect_t with that
filter. */
if (n_rfilters > 0) {
for(i = 0; i < n_rfcodes; i++) {
epan_dissect_prime_dfilter(&edt, rfcodes[i]);
}
}
tap_queue_init(&edt);
printf("%lu", (unsigned long int)cf->count);
/* We only need the columns if we're printing packet info but we're
*not* verbose; in verbose mode, we print the protocol tree, not
the protocol summary. */
epan_dissect_run(&edt, &pseudo_header, pd, &fdata, &cf->cinfo);
tap_push_tapped_queue(&edt);
for(i = 0; i < n_rfilters; i++) {
/* Run the read filter if we have one. */
if (rfcodes[i])
passed = dfilter_apply_edt(rfcodes[i], &edt);
else
passed = TRUE;
/* Print a one-line summary */
printf(" %u", passed ? 1 : 0);
}
printf(" -\n");
/* The ANSI C standard does not appear to *require* that a line-buffered
stream be flushed to the host environment whenever a newline is
written, it just says that, on such a stream, characters "are
intended to be transmitted to or from the host environment as a
block when a new-line character is encountered".
The Visual C++ 6.0 C implementation doesn't do what is intended;
even if you set a stream to be line-buffered, it still doesn't
flush the buffer at the end of every line.
So, if the "-l" flag was specified, we flush the standard output
at the end of a packet. This will do the right thing if we're
printing packet summary lines, and, as we print the entire protocol
tree for a single packet without waiting for anything to happen,
it should be as good as line-buffered mode if we're printing
protocol trees. (The whole reason for the "-l" flag in either
tcpdump or Rawshark is to allow the output of a live capture to
be piped to a program or script and to have that script see the
information for the packet as soon as it's printed, rather than
having to wait until a standard I/O buffer fills up. */
if (line_buffered)
fflush(stdout);
if (ferror(stdout)) {
show_print_file_io_error(errno);
exit(2);
}
epan_dissect_cleanup(&edt);
clear_fdata(&fdata);
return passed;
}