Hello all,

I've recently had the need to filter out some data from the 3.7G
sniffer-format capture, and
before I figured out that gzipping that file could have done the trick
as it would have been smaller than 2G (although still not sure of
that), I patched my source of wiretap/tethereal to tackle this big
trace (the 0.10.7 version).

By doing this I figured I might describe what I did and check with you
whether this might, with some addition, become a useful contribution
to get the ">2G file" support or not in the ethereal (well, probably
not the GUI-based ethereal, but the CLI utils might benefit).

1. What I've done

a) patch the wiretap library.
   Pretty much change every occurrence of "long" into the "off_t".
   There are a few places where the "long" gets used in the timestamps
   which prevented the work to be done by the find/sed combo.
   Also, change the call to fseek() to fseeko().

b) patch one place in main ethereal tree where it explicitly mentions
   "should be off_t, but wiretap should be converted to it first".

c) configure with:

   CFLAGS="-g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE" ./configure \
       --disable-ethereal --without-plugins --without-zlib

2. Observations

Interop with zlib would obviously need some more work - I did not deal
with it since I did not have the explicit need - but is this the only
obstacle or is there something more fundamental that I have missed?

Any comments/education will be appreciated. Please don't shoot too
hard - I am not a pro in coding, but given that googling revealed
quite a few posts of people asking for long file support in ethereal,
thought to check if the quick hack I made is in the right direction
and whether I could transform it into something eventually useable
which could be clean enough to get committed.
thanks,
andrew
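
Added illustration, not part of the original message and not Ethereal/wiretap code: a small C program showing the long -> off_t and fseek() -> fseeko() change from step 1a on a constructed 3.7 GiB offset. The helper names, the scratch file from tmpfile() and the use of int32_t to stand in for a 32-bit "long" are assumptions made for the example.

```c
/* Same feature-test switches as the configure line in step 1c. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE
#endif
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed offset of about 3.7 GiB, past the signed 32-bit limit of 2 GiB. */
#define BIG_OFFSET ((off_t)3700 * 1024 * 1024)

/* Fails the build if the switches above did not give a 64-bit off_t. */
_Static_assert(sizeof(off_t) == 8, "off_t must be 64 bits wide");

/* Models keeping a file offset in a 32-bit "long": returns 1 if the value
 * fits, 0 if it would be truncated or wrap negative. */
int fits_in_32bit_long(off_t off)
{
    return off >= INT32_MIN && off <= INT32_MAX;
}

/* Seeks with fseeko() and reads the position back with ftello(), both of
 * which take/return off_t. Returns -1 if the seek fails. */
off_t seek_and_tell(FILE *fp, off_t off)
{
    if (fseeko(fp, off, SEEK_SET) != 0)
        return (off_t)-1;
    return ftello(fp);
}

/* Seeks past 2 GiB in an empty scratch file (seeking beyond EOF writes
 * nothing) and returns the offset reported back, or -1 on failure. */
off_t demo_large_seek(void)
{
    FILE *fp = tmpfile();
    off_t pos;

    if (fp == NULL)
        return (off_t)-1;
    pos = seek_and_tell(fp, BIG_OFFSET);
    fclose(fp);
    return pos;
}

int main(void)
{
    printf("fits in 32-bit long: %d\n", fits_in_32bit_long(BIG_OFFSET));
    printf("offset via fseeko/ftello: %lld\n", (long long)demo_large_seek());
    return 0;
}
```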