authorJohn Thacker <johnthacker@gmail.com>2023-01-26 00:42:10 -0500
committerJohn Thacker <johnthacker@gmail.com>2023-01-30 13:29:49 +0000
commit67a01bdf263aff8581defea55a74c2e8c29df468 (patch)
tree84f08d58bf1e24730b65a462ac70cf8d5310e6ec /tshark.c
parent3ff9f075c625b93bade74490ca360e191df017c4 (diff)
wiretap: Preserve NRBs with editcap, mergecap, and tshark
Use a pointer to the growing array of NRBs from the source file, as with DSBs, so as to handle reading NRBs in the middle of a file in one-pass mode. Write NRBs when reading a file with editcap, or in tshark when not dissecting packets and writing our own NRB. Continue not to write the NRB if we're supplying our own list of address info instead. If we have already read the entire source file in (such as in two-pass tshark), move all the NRBs to the beginning of the file before packets, as done with DSBs. When merging files with mergecap, write both sets of NRBs. (There is no attempt to merge the NRBs by looking for common entries.) Check for name resolution data in the middle of dumping a file, not just at the end, and check for DSBs at the end of a file, after all the packets. This means that Wireshark no longer writes the NRB at the very end of the file after all the packets (which is worse for future one-pass reads), and DSBs after all packets are preserved. Ping #15502
Diffstat (limited to 'tshark.c')
-rw-r--r--tshark.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/tshark.c b/tshark.c
index bb457c6785..1238a6ab54 100644
--- a/tshark.c
+++ b/tshark.c
@@ -3826,6 +3826,26 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type,
if (save_file != NULL) {
if (second_pass_status != PASS_WRITE_ERROR) {
if (pdh && out_file_name_res) {
+ /* XXX: This doesn't work as expected. First, it should be
+ * moved to between the first and second passes (if doing
+ * two-pass mode), so that the new NRB appears before packets,
+ * which is better for subsequent one-pass mode. It never works
+ * well in one-pass mode.
+ *
+ * Second, it only writes hosts that we've done lookups for,
+ * which means unless packet details are printed (or there's
+ * a display filter that matches something that will do a host
+ * lookup, e.g. -Y "ip") it doesn't actually have anything
+ * in the list to save. Notably, that includes the case of
+ * "tshark [-2] -H hosts.txt -r <infile> -w <outfile>",
+ * which a user would certainly expect to dissect packets,
+ * lookup hostnames, and add them to an NRB for later use.
+ * A workaround is if "-V > /dev/null" is added, but who
+ * expects that?
+ *
+ * A third issue is that name resolution blocks aren't
+ * written for live captures.
+ */
if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
wtap_file_type_subtype_name(out_file_type));
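Review bot: The XXX comment added above the `wtap_dump_set_addrinfo_list()` call lists three known defects but carries no tracker reference, so nothing ties it to a fix and it is likely to go stale; if an issue exists, cite it at the top of the comment, e.g. `/* XXX (issue #<ISSUE_ID>): This doesn't work as expected.`. It would also help to state why one-pass mode "never works well": presumably the list is only handed to the dumper here, after the packets have been written, but that is inferred from the placement and should be confirmed. Since the names collected here are embedded in the saved file, one extra line noting that names from a `-H` hosts file travel with the capture when it is shared would help readers who handle sensitive captures. Minor wording: "lookup hostnames" should be "look up hostnames". The enclosing `process_cap_file` starts and ends outside the hunk.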