frame_data* CaptureFile::readPacket(int *err, gchar **err_info, gint64* data_offset) {
count++;
gboolean ret;
frame_data *fdata;
/* Wireshark function extracts next packet for dissection */
ret = wtap_read(wth, err, err_info, data_offset);
fill_in_fdata(fdata, *data_offset);
if (ret) return fdata;
else return NULL;
}
static gboolean
process_packet(capture_file *cf, gint64 offset, const struct wtap_pkthdr *whdr,
const guchar *pd)
{
frame_data fdata;
gboolean create_proto_tree;
epan_dissect_t edt;
gboolean passed;
union wtap_pseudo_header pseudo_header;
int i;
if(whdr->len == 0)
{
/* The user sends an empty packet when he wants to get output from us even if we don't currently have
packets to process. We spit out a line with the timestamp and the text "void"
*/
printf("%lu %lu %lu void -\n", (unsigned long int)cf->count,
(unsigned long int)whdr->ts.secs,
(unsigned long int)whdr->ts.nsecs);
fflush(stdout);
return FALSE;
}
memset(&pseudo_header, 0, sizeof(pseudo_header));
/* Count this packet. */
cf->count++;
/* If we're going to print packet information, or we're going to
run a read filter, or we're going to process taps, set up to
do a dissection and do so. */
fill_in_fdata(&fdata, cf, whdr, offset);
passed = TRUE;
create_proto_tree = TRUE;
/* The protocol tree will be "visible", i.e., printed, only if we're
printing packet details, which is true if we're in verbose mode ("verbose"
is true). */
epan_dissect_init(&edt, create_proto_tree, FALSE);
/* If we're running a read filter, prime the epan_dissect_t with that
filter. */
if (n_rfilters > 0) {
for(i = 0; i < n_rfcodes; i++) {
epan_dissect_prime_dfilter(&edt, rfcodes[i]);
}
}
tap_queue_init(&edt);
printf("%lu", (unsigned long int)cf->count);
/* We only need the columns if we're printing packet info but we're
*not* verbose; in verbose mode, we print the protocol tree, not
the protocol summary. */
epan_dissect_run(&edt, &pseudo_header, pd, &fdata, &cf->cinfo);
tap_push_tapped_queue(&edt);
for(i = 0; i < n_rfilters; i++) {
/* Run the read filter if we have one. */
if (rfcodes[i])
passed = dfilter_apply_edt(rfcodes[i], &edt);
else
passed = TRUE;
/* Print a one-line summary */
printf(" %u", passed ? 1 : 0);
}
printf(" -\n");
/* The ANSI C standard does not appear to *require* that a line-buffered
stream be flushed to the host environment whenever a newline is
written, it just says that, on such a stream, characters "are
intended to be transmitted to or from the host environment as a
block when a new-line character is encountered".
The Visual C++ 6.0 C implementation doesn't do what is intended;
even if you set a stream to be line-buffered, it still doesn't
flush the buffer at the end of every line.
So, if the "-l" flag was specified, we flush the standard output
at the end of a packet. This will do the right thing if we're
printing packet summary lines, and, as we print the entire protocol
tree for a single packet without waiting for anything to happen,
it should be as good as line-buffered mode if we're printing
protocol trees. (The whole reason for the "-l" flag in either
tcpdump or Rawshark is to allow the output of a live capture to
be piped to a program or script and to have that script see the
information for the packet as soon as it's printed, rather than
having to wait until a standard I/O buffer fills up. */
if (line_buffered)
fflush(stdout);
if (ferror(stdout)) {
show_print_file_io_error(errno);
exit(2);
}
epan_dissect_cleanup(&edt);
clear_fdata(&fdata);
return passed;
}
