osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/epan/dissectors/file-pcapng.c

2399 lines
103 KiB
C
Raw Normal View History

File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
/* file-pcapng.c
* Routines for PCAPNG File Format
Point to GitHub for the pcapng specification. Change-Id: I33faa41e8b0f36ee49d29fe391feafd94d0a7e80 Reviewed-on: https://code.wireshark.org/review/10245 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-25 01:46:56 +00:00
* https://github.com/pcapng/pcapng
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
*
* Copyright 2015, Michal Labedzki for Tieto Corporation
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
dissectors: use SPDX identifiers. Change-Id: I92c94448e6641716d03158a5f332c8b53709423a Reviewed-on: https://code.wireshark.org/review/25756 Petri-Dish: Dario Lombardo <lomato@gmail.com> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-02-12 11:23:27 +00:00
* SPDX-License-Identifier: GPL-2.0-or-later
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
*/
#include "config.h"
#include <epan/packet.h>
#include <epan/prefs.h>
#include <epan/expert.h>
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
#include <epan/exceptions.h>
#include <epan/show_exception.h>
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
#include <epan/addr_resolv.h>
#include <epan/wmem/wmem.h>
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
#include <wiretap/secrets-types.h>
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Have a separate dissector for pcap/pcapng-format packet data. Put that dissector into its own file, and get handles for it from the pcap and pcapng file dissectors. Put the value_string of pcap/pcapng LINKTYPE_ values there, and have the pcap and pcapng file dissectors import it. Expand that table to include all LINKTYPE_ values in the current libpcap. Change-Id: I9397035efa5711e8a18a26e056d3b54494fd3148 Reviewed-on: https://code.wireshark.org/review/12000 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-11-21 02:52:02 +00:00
#include <epan/dissectors/packet-pcap_pktdata.h>
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int proto_pcapng = -1;
Have a separate dissector for pcap/pcapng-format packet data. Put that dissector into its own file, and get handles for it from the pcap and pcapng file dissectors. Put the value_string of pcap/pcapng LINKTYPE_ values there, and have the pcap and pcapng file dissectors import it. Expand that table to include all LINKTYPE_ values in the current libpcap. Change-Id: I9397035efa5711e8a18a26e056d3b54494fd3148 Reviewed-on: https://code.wireshark.org/review/12000 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-11-21 02:52:02 +00:00
static dissector_handle_t pcap_pktdata_handle;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int hf_pcapng_block = -1;
static int hf_pcapng_block_type = -1;
static int hf_pcapng_block_type_vendor = -1;
static int hf_pcapng_block_type_value = -1;
static int hf_pcapng_block_length = -1;
static int hf_pcapng_block_data = -1;
static int hf_pcapng_section_header_byte_order_magic = -1;
static int hf_pcapng_section_header_major_version = -1;
static int hf_pcapng_section_header_minor_version = -1;
static int hf_pcapng_section_header_section_length = -1;
static int hf_pcapng_options = -1;
static int hf_pcapng_option = -1;
static int hf_pcapng_option_code = -1;
static int hf_pcapng_option_code_section_header = -1;
static int hf_pcapng_option_code_interface_description = -1;
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
static int hf_pcapng_option_code_enhanced_packet = -1;
static int hf_pcapng_option_code_packet = -1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int hf_pcapng_option_code_interface_statistics = -1;
static int hf_pcapng_option_code_name_resolution = -1;
static int hf_pcapng_option_length = -1;
static int hf_pcapng_option_data = -1;
static int hf_pcapng_option_data_comment = -1;
static int hf_pcapng_option_data_section_header_hardware = -1;
static int hf_pcapng_option_data_section_header_os = -1;
static int hf_pcapng_option_data_section_header_user_application = -1;
static int hf_pcapng_option_data_interface_description_name = -1;
static int hf_pcapng_option_data_interface_description_description = -1;
static int hf_pcapng_option_data_ipv4 = -1;
static int hf_pcapng_option_data_ipv4_mask = -1;
static int hf_pcapng_option_data_ipv6 = -1;
static int hf_pcapng_option_data_ipv6_mask = -1;
static int hf_pcapng_option_data_mac_address = -1;
static int hf_pcapng_option_data_eui_address = -1;
static int hf_pcapng_option_data_interface_speed = -1;
static int hf_pcapng_option_data_interface_timestamp_resolution = -1;
static int hf_pcapng_option_data_interface_timestamp_resolution_base = -1;
static int hf_pcapng_option_data_interface_timestamp_resolution_value = -1;
static int hf_pcapng_option_data_interface_timezone = -1;
static int hf_pcapng_option_data_interface_filter = -1;
static int hf_pcapng_option_data_interface_os = -1;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
static int hf_pcapng_option_data_interface_hardware = -1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int hf_pcapng_option_data_interface_fcs_length = -1;
static int hf_pcapng_option_data_interface_timestamp_offset = -1;
static int hf_pcapng_option_data_packet_drop_count = -1;
static int hf_pcapng_option_data_packet_hash_algorithm = -1;
static int hf_pcapng_option_data_packet_hash_data = -1;
static int hf_pcapng_option_data_packet_flags = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_symbol = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_preamble = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_start_frame_delimiter = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_unaligned_frame = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_wrong_inter_frame_gap = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_short = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_long = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_crc_error = -1;
static int hf_pcapng_option_data_packet_flags_link_layer_errors_reserved = -1;
static int hf_pcapng_option_data_packet_flags_reserved = -1;
static int hf_pcapng_option_data_packet_flags_fcs_length = -1;
static int hf_pcapng_option_data_packet_flags_reception_type = -1;
static int hf_pcapng_option_data_packet_flags_direction = -1;
static int hf_pcapng_option_data_dns_name = -1;
static int hf_pcapng_option_data_start_time = -1;
static int hf_pcapng_option_data_end_time = -1;
static int hf_pcapng_option_data_interface_received = -1;
static int hf_pcapng_option_data_interface_dropped = -1;
static int hf_pcapng_option_data_interface_accepted_by_filter = -1;
static int hf_pcapng_option_data_interface_dropped_by_os = -1;
static int hf_pcapng_option_data_interface_delivered_to_user = -1;
static int hf_pcapng_option_padding = -1;
static int hf_pcapng_interface_description_link_type = -1;
static int hf_pcapng_interface_description_reserved = -1;
static int hf_pcapng_interface_description_snap_length = -1;
static int hf_pcapng_packet_block_interface_id = -1;
static int hf_pcapng_packet_block_drops_count = -1;
static int hf_pcapng_captured_length = -1;
static int hf_pcapng_packet_length = -1;
static int hf_pcapng_packet_data = -1;
static int hf_pcapng_packet_padding = -1;
static int hf_pcapng_interface_id = -1;
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
static int hf_pcapng_timestamp_high = -1;
static int hf_pcapng_timestamp_low = -1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int hf_pcapng_timestamp = -1;
static int hf_pcapng_records = -1;
static int hf_pcapng_record = -1;
static int hf_pcapng_record_code = -1;
static int hf_pcapng_record_length = -1;
static int hf_pcapng_record_data = -1;
static int hf_pcapng_record_ipv4 = -1;
static int hf_pcapng_record_ipv6 = -1;
static int hf_pcapng_record_name = -1;
static int hf_pcapng_record_padding = -1;
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
static int hf_pcapng_dsb_secrets_type = -1;
static int hf_pcapng_dsb_secrets_length = -1;
static int hf_pcapng_dsb_secrets_data = -1;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
static int hf_pcapng_darwin_process_id = -1;
static int hf_pcapng_option_code_darwin_process_info = -1;
static int hf_pcapng_option_darwin_process_name = -1;
static int hf_pcapng_option_darwin_process_uuid = -1;
static int hf_pcapng_option_data_packet_darwin_dpeb_id = -1;
static int hf_pcapng_option_data_packet_darwin_svc_class = -1;
static int hf_pcapng_option_data_packet_darwin_edpeb_id = -1;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
static expert_field ei_invalid_byte_order_magic = EI_INIT;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
static expert_field ei_block_length_too_short = EI_INIT;
static expert_field ei_block_length_not_multiple_of_4 = EI_INIT;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static expert_field ei_invalid_option_length = EI_INIT;
static expert_field ei_invalid_record_length = EI_INIT;
pcapng: expert info when packet or ISB appear without interfaces A valid pcapng file must have an IDB before any EPB/SPB/PB/ISB. So check our interface count when we parse the first such block of a section, and add expert info if there are no interfaces. Discovered during work on Bug #16526. Ping-Bug: 16526 Change-Id: I23ff452fd163a0e4472e0658a905f85ab85d5e9d Reviewed-on: https://code.wireshark.org/review/36986 Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl> Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-30 12:32:44 +00:00
static expert_field ei_missing_idb = EI_INIT;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static gint ett_pcapng = -1;
static gint ett_pcapng_section_header_block = -1;
static gint ett_pcapng_block_data = -1;
static gint ett_pcapng_options = -1;
static gint ett_pcapng_option = -1;
static gint ett_pcapng_records = -1;
static gint ett_pcapng_record = -1;
static gint ett_pcapng_packet_data = -1;
Fix the type of arrays of pointers to hf_ values for bitfield routines. The static arrays are supposed to be arrays of const pointers to int, not arrays of non-const pointers to const int. Fixing that means some bugs (scribbling on what's *supposed* to be a const array) will be caught (see packet-ieee80211-radiotap.c for examples, the first of which inspired this change and the second of which was discovered while testing compiles with this change), and removes the need for some annoying casts. Also make some of those arrays static while we're at it. Update documentation and dissector-generator tools. Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc Reviewed-on: https://code.wireshark.org/review/37517 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 01:14:46 +00:00
static int * const hfx_pcapng_option_data_interface_timestamp_resolution[] = {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
&hf_pcapng_option_data_interface_timestamp_resolution_base,
&hf_pcapng_option_data_interface_timestamp_resolution_value,
NULL
};
Fix the type of arrays of pointers to hf_ values for bitfield routines. The static arrays are supposed to be arrays of const pointers to int, not arrays of non-const pointers to const int. Fixing that means some bugs (scribbling on what's *supposed* to be a const array) will be caught (see packet-ieee80211-radiotap.c for examples, the first of which inspired this change and the second of which was discovered while testing compiles with this change), and removes the need for some annoying casts. Also make some of those arrays static while we're at it. Update documentation and dissector-generator tools. Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc Reviewed-on: https://code.wireshark.org/review/37517 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 01:14:46 +00:00
static int * const hfx_pcapng_option_data_packet_flags_link_layer_errors[] = {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
&hf_pcapng_option_data_packet_flags_link_layer_errors_symbol,
&hf_pcapng_option_data_packet_flags_link_layer_errors_preamble,
&hf_pcapng_option_data_packet_flags_link_layer_errors_start_frame_delimiter,
&hf_pcapng_option_data_packet_flags_link_layer_errors_unaligned_frame,
&hf_pcapng_option_data_packet_flags_link_layer_errors_wrong_inter_frame_gap,
&hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_short,
&hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_long,
&hf_pcapng_option_data_packet_flags_link_layer_errors_crc_error,
&hf_pcapng_option_data_packet_flags_link_layer_errors_reserved,
NULL
};
Fix the type of arrays of pointers to hf_ values for bitfield routines. The static arrays are supposed to be arrays of const pointers to int, not arrays of non-const pointers to const int. Fixing that means some bugs (scribbling on what's *supposed* to be a const array) will be caught (see packet-ieee80211-radiotap.c for examples, the first of which inspired this change and the second of which was discovered while testing compiles with this change), and removes the need for some annoying casts. Also make some of those arrays static while we're at it. Update documentation and dissector-generator tools. Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc Reviewed-on: https://code.wireshark.org/review/37517 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 01:14:46 +00:00
static int * const hfx_pcapng_option_data_packet_flags[] = {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
&hf_pcapng_option_data_packet_flags_reserved,
&hf_pcapng_option_data_packet_flags_fcs_length,
&hf_pcapng_option_data_packet_flags_reception_type,
&hf_pcapng_option_data_packet_flags_direction,
NULL
};
Fix the type of arrays of pointers to hf_ values for bitfield routines. The static arrays are supposed to be arrays of const pointers to int, not arrays of non-const pointers to const int. Fixing that means some bugs (scribbling on what's *supposed* to be a const array) will be caught (see packet-ieee80211-radiotap.c for examples, the first of which inspired this change and the second of which was discovered while testing compiles with this change), and removes the need for some annoying casts. Also make some of those arrays static while we're at it. Update documentation and dissector-generator tools. Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc Reviewed-on: https://code.wireshark.org/review/37517 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 01:14:46 +00:00
static int * const hfx_pcapng_block_type[] = {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
&hf_pcapng_block_type_vendor,
&hf_pcapng_block_type_value,
NULL
};
struct info {
pcapng: give a structure member an appropriate name. An entire pcapng file is dissected as a unit, so there's only one file; the "file_number" field counts Section Header Blocks, so it's a section number, not a file number. Rename it to "section_number". Change-Id: I3ee477c9aa0ee4cdfa7496935b2be915c31a4644 Reviewed-on: https://code.wireshark.org/review/36977 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-30 01:20:12 +00:00
guint32 section_number;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
guint32 interface_number;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
guint32 darwin_process_event_number;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
guint32 frame_number;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
guint encoding;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
wmem_array_t *interfaces;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
wmem_array_t *darwin_process_events;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
};
struct interface_description {
guint32 link_type;
MIME/pcapng: use snap length to get SPB data length The "Original Packet Length" field of a Simple Packet Block can be greater than the amount of data actually captured; the Interface Description Block's snap length must be checked as well. To enable this in the MIME Files Format dissector, the `interface_description` needs to store the snap length. This allows the appropriate section of `dissect_block()` to access it via the `info` parameter. The "Captured Length" field from EPB/PB dissection is added to SPB dissection as a generated field to clarify the difference between it and the field labelled "Packet Length". Bug: 16526 Change-Id: I27f2fccc9ed2f682377059931b18d7e42d7ff0a3 Reviewed-on: https://code.wireshark.org/review/37095 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 12:50:45 +00:00
guint32 snap_len;
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
guint64 timestamp_resolution;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
guint64 timestamp_offset;
};
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
struct darwin_process_event_description {
guint32 process_id;
};
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static gboolean pref_dissect_next_layer = FALSE;
#define BLOCK_INTERFACE_DESCRIPTION 0x00000001
#define BLOCK_PACKET 0x00000002
#define BLOCK_SIMPLE_PACKET 0x00000003
#define BLOCK_NAME_RESOLUTION 0x00000004
#define BLOCK_INTERFACE_STATISTICS 0x00000005
#define BLOCK_ENHANCED_PACKET 0x00000006
#define BLOCK_IRIG_TIMESTAMP 0x00000007
#define BLOCK_ARINC_429 0x00000008
file-pcapng.c: Add the names of block types we know about. Change-Id: I2c4edbac1cda370b0079492c5775330f9553d5a6 Reviewed-on: https://code.wireshark.org/review/29958 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-01 12:52:50 +00:00
#define BLOCK_SYSTEMD_JOURNAL 0x00000009
#define BLOCK_DSB 0x0000000a
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
#define BLOCK_SECTION_HEADER 0x0A0D0D0A
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
#define BLOCK_DARWIN_PROCESS 0x80000001
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static const value_string block_type_vals[] = {
{ 0x00000001, "Interface Description Block" },
{ 0x00000002, "Packet Block" },
{ 0x00000003, "Simple Packet Block" },
{ 0x00000004, "Name Resolution Block" },
{ 0x00000005, "Interface Statistics Block" },
{ 0x00000006, "Enhanced Packet Block" },
{ 0x00000007, "IRIG Timestamp Block" },
file-pcapng.c: Add the names of block types we know about. Change-Id: I2c4edbac1cda370b0079492c5775330f9553d5a6 Reviewed-on: https://code.wireshark.org/review/29958 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-01 12:52:50 +00:00
{ 0x00000008, "Arinc 429 in AFDX Encapsulation Information Block" },
{ 0x00000009, "systemd Journal Export Block" },
{ 0x0000000A, "Decryption Secrets Block" },
{ 0x00000204, "Sysdig Event Block" },
{ 0x00000208, "Sysdig Event Block with flags" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0x0A0D0D0A, "Section Header Block" },
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ 0x80000001, "Darwin Process Event Block" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
/*
* Apple's Pcapng Darwin Process Event Block
*
* A Darwin Process Event Block (DPEB) is an Apple defined container
* for information describing a Darwin process.
*
* Tools that write / read the capture file associate an incrementing
* 32-bit number (starting from '0') to each Darwin Process Event Block,
* called the DPEB ID for the process in question. This number is
* unique within each Section and identifies a specific DPEB; a DPEB ID
* is only unique inside the current section. Two Sections can have different
* processes identified by the same DPEB ID values. DPEB ID are referenced
* by Enhanced Packet Blocks that include options to indicate the Darwin
* process to which the EPB refers.
*
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +---------------------------------------------------------------+
* 0 | Block Type = 0x80000001 |
* +---------------------------------------------------------------+
* 4 | Block Total Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 8 | Process ID |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 12 / /
* / Options (variable) /
* / /
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Block Total Length |
* +---------------------------------------------------------------+
*
* Figure XXX.1: Darwin Process Event Block
*
* The meaning of the fields are:
*
* o Block Type: The block type of a Darwin Process Event Block is 2147483649.
*
* Note: This specific block type number falls into the range defined
* for "local use" but has in fact been available publically since Darwin
* 13.0 for pcapng files generated by Apple's tcpdump when using the PKTAP
* enhanced interface.
*
* o Block Total Length: Total size of this block, as described in
* Pcapng Section 3.1 (General Block Structure).
*
* o Process ID: The process ID (PID) of the process.
*
* Note: It is not known if this field is officially defined as a 32 bits
* (4 octets) or something smaller since Darwin PIDs currently appear to
* be limited to maximum value of 100000.
*
* o Options: A list of options (formatted according to the rules defined
* in Section 3.5) can be present.
*
* In addition to the options defined in Section 3.5, the following
* Apple defined Darwin options are valid within this block:
*
* +------------------+------+----------+-------------------+
* | Name | Code | Length | Multiple allowed? |
* +------------------+------+----------+-------------------+
* | darwin_proc_name | 2 | variable | no |
* | darwin_proc_uuid | 4 | 16 | no |
* +------------------+------+----------+-------------------+
*
* Table XXX.1: Darwin Process Description Block Options
*
* darwin_proc_name:
* The darwin_proc_name option is a UTF-8 string containing the
* name of a process producing or consuming an EPB.
*
* Examples: "mDNSResponder", "GoogleSoftwareU".
*
* Note: It appears that Apple's tcpdump currently truncates process
* names to a maximum of 15 octets followed by a NUL character.
* Multi-byte UTF-8 sequences in process names might be truncated
* resulting in an invalid final UTF-8 character.
*
Why you only get 16 bytes of process name. Change-Id: I719706e04668aa50ed0eb6184681943718b67f00 Reviewed-on: https://code.wireshark.org/review/20164 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-02-18 08:41:53 +00:00
* This is probably because the process name comes from the
* p_comm field in a proc structure in the kernel; that field
* is MAXCOMLEN+1 bytes long, with the +1 being for the NUL
* terminator. That would give 16 characters, but the
* proc_info kernel interface has a structure with a
* process name field of only MAXCOMLEN bytes.
*
* This all ultimately dates back to the "kernel accounting"
* mechanism that appeared in V7 UNIX, with an "accounting
* file" with entries appended whenever a process exits; not
* surprisingly, that code thinks a file name is just a bunch
* of "char"s, with no multi-byte encodings (1979 called, they
* want their character encoding back), so, yes, this can
* mangle UTF-8 file names containing non-ASCII characters.
*
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
* darwin_proc_uuid:
* The darwin_proc_uuid option is a set of 16 octets representing
* the process UUID.
*
* Enhanced Packet Block (EPB) options for supporting Darwin process information
*
* Enhanced Packet Blocks may be augmented with an Apple defined Darwin
* process event block id option (dpeb_id) and / or an effective Darwin
* process event block id option (edpeb_id) that refer to particular
* Darwin processes via the supplied DPEB ID option payload value. There
* must be a Darwin Process Event Block for each Darwin process to which an
* augmented EPB references. If the file does not contain any EPBs that
* contain any Darwin dpeb_id or edpeb_id options then the file does not need
* to have any DPEBs.
*
* A Darwin Process Event Block is valid only inside the section to which
* it belongs. The structure of a Darwin Process Event Block is shown in
* Figure XXX.1 below.
*
* An Enhanced Packet Block (EPB) may be augmented with any or all of the
* following block options for Darwin process information:
*
* +------------------+-------+--------+-------------------+
* | Name | Code | Length | Multiple allowed? |
* +------------------+-------+--------+-------------------+
* | darwin_dpeb_id | 32769 | 4 | no? |
* | darwin_svc_class | 32770 | 4 | no? |
* | darwin_edpeb_id | 32771 | 4 | no? |
* +------------------+------+---------+-------------------+
*
* Table XXX.2: Darwin options for Enhanced Packet Blocks
*
* darwin_dpeb_id:
* The darwin_dpeb_id option specifies the Darwin Process Event
* Block ID for the process (proc) this packet is associated with;
* the correct DPEB will be the one whose DPEB ID (within the
* current Section of the file) is identified by the same number
* (see Section XXX.X) of this field. The DPEB ID MUST be valid,
* which means that a matching Darwin Process Event Block MUST
* exist.
*
* darwin_srv_class:
* The darwin_svc_class option is a number that maps to a
* specific Darwin Service Class mnemonic that the packet is
* associated with.
*
* The following Darwin Service Class values are defined:
*
* +---------------------+------------------------+
* | Service Class Value | Service Class Mnemonic |
* +---------------------+------------------------+
* | 0 | BE |
* | 100 | BK_SYS |
* | 200 | BK |
* | 300 | RD |
* | 400 | OAM |
* | 500 | AV |
* | 600 | RV |
* | 700 | VI |
* | 800 | VO |
* | 900 | CTL |
* +---------------------+------------------------+
*
* Table XXX.3: Darwin Service Class Option Values
*
* darwin_edpeb_id:
* The darwin_edpeb_id option specifies the Darwin Process Event
* Block ID for the effective process (eproc) this packet is
* associated with; the correct DPEB will be the one whose DPEB
* ID (within the current Section of the file) is identified by
* the same number (see Section XXX.X) of this field. The DPEB
* ID MUST be valid, which means that a matching Darwin Process
* Event Block MUST exist.
*/
Remove space that snuck in during editing. Change-Id: Iea196ecb3c236c5257ce57fcff1401a6386c95f9 Reviewed-on: https://code.wireshark.org/review/36601 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:40:32 +00:00
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static const value_string option_code_section_header_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 2, "Hardware Description" },
{ 3, "OS Description" },
{ 4, "User Application" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
static const value_string option_code_interface_description_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
{ 2, "Interface Name" },
{ 3, "Interface Description" },
{ 4, "IPv4 Address" },
{ 5, "IPv6 Address" },
{ 6, "MAC Address" },
{ 7, "EUI Address" },
{ 8, "Speed" },
{ 9, "Timestamp Resolution" },
{ 10, "Timezone" },
{ 11, "Filter" },
{ 12, "OS" },
{ 13, "FCS Length" },
{ 14, "Timestamp Offset" },
{ 15, "Hardware" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
static const value_string option_code_enhanced_packet_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 2, "Flags" },
{ 3, "Hash" },
{ 4, "Drop Count" },
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ 32769, "Darwin DPEB ID" },
{ 32770, "Darwin Service Class" },
{ 32771, "Darwin Effective DPEB ID" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
static const value_string option_code_packet_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 2, "Flags" },
{ 3, "Hash" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
static const value_string option_code_name_resolution_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 2, "DNS Name" },
{ 3, "DNS IPv4 Address" },
{ 4, "DNS IPv6 Address" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
static const value_string option_code_interface_statistics_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
{ 2, "Start Time" },
{ 3, "End Time" },
{ 4, "Number of Received Packets" },
{ 5, "Number of Dropped Packets" },
{ 6, "Number of Accepted Packets" },
{ 7, "Number of Packets Dropped by OS" },
{ 8, "Number of Packets Delivered to the User" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
static const value_string option_code_darwin_process_info_vals[] = {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 0, "End of Options" },
{ 1, "Comment" },
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ 2, "Darwin Process Name" },
{ 4, "Darwin Process UUID" },
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ 0, NULL }
};
static const value_string option_code_darwin_svc_class_vals[] = {
{ 0x0000, "BE" },
{ 0x0064, "BK_SYS" },
{ 0x00C8, "BK" },
{ 0x012C, "RD" },
{ 0x0190, "OAM" },
{ 0x01F4, "AV" },
{ 0x0258, "RV" },
{ 0x02BC, "VI" },
{ 0x0320, "VO" },
{ 0x0384, "CTL" },
{ 0, NULL }
};
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static const value_string record_code_vals[] = {
{ 0x0000, "End of Records" },
{ 0x0001, "IPv4 Record" },
{ 0x0002, "IPv6 Record" },
{ 0, NULL }
};
static const value_string timestamp_resolution_base_vals[] = {
{ 0x0000, "Power of 10" },
{ 0x0001, "Power of 2" },
{ 0, NULL }
};
static const value_string packet_hash_algorithm_vals[] = {
pcapng: show some fields in decimal, not hexadecimal. The interface ID is just an ordinal; there's no reason to show it as hex (we don't show it as hex if we're treating a pcapng file as a capture rather than a file to be dissected). The packet drops count is just a count, so, again, there's no reason to show it as hex. The hash algorithms numbers are given in decimal in the pcapng spec, so display it as decimal. Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af Reviewed-on: https://code.wireshark.org/review/37072 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:56:44 +00:00
{ 0, "2's complement" },
{ 1, "XOR" },
{ 2, "CRC32" },
{ 3, "MD5" },
{ 4, "SHA1" },
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ 0, NULL }
};
static const value_string packet_flags_direction_vals[] = {
{ 0x00, "Information Not Available" },
{ 0x01, "Inbound" },
{ 0x02, "Outbound" },
{ 0, NULL }
};
static const value_string flags_reception_type_vals[] = {
{ 0x00, "Not Specified" },
{ 0x01, "Unicast" },
{ 0x02, "Multicast" },
{ 0x03, "Broadcast" },
{ 0x04, "Promiscuous" },
{ 0, NULL }
};
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
static const value_string dsb_secrets_types_vals[] = {
Add support for embedding WireGuard keys in a pcapng file pcapng spec update is here: https://github.com/pcapng/pcapng/pull/62 Bug: 15571 Change-Id: I2f1921b1da70ac0bab8c38dd5138a9dfe7843fea Reviewed-on: https://code.wireshark.org/review/33300 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-05-21 17:06:49 +00:00
{ SECRETS_TYPE_TLS, "TLS Key Log" },
{ SECRETS_TYPE_WIREGUARD, "WireGuard Key Log" },
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
{ 0, NULL }
};
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
void proto_register_pcapng(void);
void proto_reg_handoff_pcapng(void);
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
#define BYTE_ORDER_MAGIC_SIZE 4
static const guint8 pcapng_big_endian_magic[BYTE_ORDER_MAGIC_SIZE] = {
0x1A, 0x2B, 0x3C, 0x4D
};
static const guint8 pcapng_little_endian_magic[BYTE_ORDER_MAGIC_SIZE] = {
0x4D, 0x3C, 0x2B, 0x1A
};
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static gint dissect_options(proto_tree *tree, packet_info *pinfo,
guint32 block_type, tvbuff_t *tvb, guint encoding, void *user_data)
{
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree *options_tree;
proto_item *options_item;
proto_tree *option_tree;
proto_item *option_item;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
proto_item *option_length_item;
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_item *p_item;
gint offset = 0;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
guint32 option_code;
guint32 option_length;
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
gint hfj_pcapng_option_code;
const guint8 *str = NULL;
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
wmem_strbuf_t *strbuf;
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
address addr;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
address addr_mask;
const value_string *vals = NULL;
union value {
guint32 u32;
guint64 u64;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
guint16 u16;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
guint8 u8;
} value;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
e_guid_t uuid;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (tvb_reported_length(tvb) <= 0)
return 0;
options_item = proto_tree_add_item(tree, hf_pcapng_options, tvb, offset, -1, ENC_NA);
options_tree = proto_item_add_subtree(options_item, ett_pcapng_options);
file-pcapng: fix dissection of options in blocks - fix the loop logic - flags in EPB include link-layer-dependent errors Change-Id: Iae0b4869b556abbf3c14f3b865d0f23cee182c84 Reviewed-on: https://code.wireshark.org/review/10132 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-19 19:48:46 +00:00
while (tvb_captured_length_remaining(tvb, offset)) {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
str = NULL;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
option_item = proto_tree_add_item(options_tree, hf_pcapng_option, tvb, offset, -1, ENC_NA);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
option_tree = proto_item_add_subtree(option_item, ett_pcapng_option);
switch (block_type) {
case BLOCK_SECTION_HEADER:
hfj_pcapng_option_code = hf_pcapng_option_code_section_header;
vals = option_code_section_header_vals;
break;
case BLOCK_INTERFACE_DESCRIPTION:
hfj_pcapng_option_code = hf_pcapng_option_code_interface_description;
vals = option_code_interface_description_vals;
break;
case BLOCK_ENHANCED_PACKET:
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
hfj_pcapng_option_code = hf_pcapng_option_code_enhanced_packet;
vals = option_code_enhanced_packet_vals;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
case BLOCK_PACKET:
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
hfj_pcapng_option_code = hf_pcapng_option_code_packet;
vals = option_code_packet_vals;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
case BLOCK_NAME_RESOLUTION:
hfj_pcapng_option_code = hf_pcapng_option_code_name_resolution;
vals = option_code_name_resolution_vals;
break;
case BLOCK_INTERFACE_STATISTICS:
hfj_pcapng_option_code = hf_pcapng_option_code_interface_statistics;
vals = option_code_interface_statistics_vals;
break;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
case BLOCK_DARWIN_PROCESS:
hfj_pcapng_option_code = hf_pcapng_option_code_darwin_process_info;
vals = option_code_darwin_process_info_vals;
break;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
default:
hfj_pcapng_option_code = hf_pcapng_option_code;
}
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
proto_tree_add_item_ret_uint(option_tree, hfj_pcapng_option_code, tvb, offset, 2, encoding, &option_code);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (vals)
proto_item_append_text(option_item, ": %s", val_to_str_const(option_code, vals, "Unknown"));
offset += 2;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
option_length_item = proto_tree_add_item_ret_uint(option_tree, hf_pcapng_option_length, tvb, offset, 2, encoding, &option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 2;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
if (option_code == 0) {
if (option_length != 0)
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
proto_item_set_len(option_item, option_length + 2 * 2);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
} else if (option_code == 1) {
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_comment, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
} else switch (block_type) {
case BLOCK_SECTION_HEADER:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_section_header_hardware, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_section_header_os, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_section_header_user_application, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
break;
case BLOCK_INTERFACE_DESCRIPTION: {
struct interface_description *interface_description = (struct interface_description *) user_data;
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_interface_description_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_interface_description_description, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr, AT_IPv4, 4, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv4_mask, tvb, offset, 4, ENC_BIG_ENDIAN);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr_mask, AT_IPv4, 4, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
str = wmem_strdup_printf(wmem_packet_scope(), "%s/%s",
address_to_display(wmem_packet_scope(), &addr),
address_to_display(wmem_packet_scope(), &addr_mask));
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 5:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 17) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv6, tvb, offset, 16, ENC_NA);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr, AT_IPv6, 16, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 16;
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv6_mask, tvb, offset, 1, ENC_NA);
offset += 1;
str = wmem_strdup_printf(wmem_packet_scope(), "%s/%u",
address_to_display(wmem_packet_scope(), &addr), (unsigned int) tvb_get_guint8(tvb, offset - 1));
break;;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 6:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 6) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_mac_address, tvb, offset, 6, encoding);
str = tvb_get_ether_name(tvb, offset);
offset += 6;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 7:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_eui_address, tvb, offset, 8, encoding);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr, AT_EUI64, 8, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 8;
str = address_to_display(wmem_packet_scope(), &addr);
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 8:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
p_item = proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_speed, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
if (value.u64 == 10000000) {
str = "10 Mbps";
proto_item_append_text(p_item, "%s", str);
} else if (value.u64 == 100000000) {
str = "100 Mbps";
proto_item_append_text(p_item, "%s", str);
} else if (value.u64 == 1000000000) {
str = "1 Gbps";
proto_item_append_text(p_item, "%s", str);
} else {
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
}
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 9:
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
{
guint32 base;
guint32 exponent;
guint32 i;
guint64 resolution;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 1) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_interface_timestamp_resolution, ett_pcapng_option, hfx_pcapng_option_data_interface_timestamp_resolution, ENC_NA);
value.u8 = tvb_get_guint8(tvb, offset);
offset += 1;
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
if (value.u8 & 0x80) {
base = 2;
} else {
base = 10;
}
exponent = value.u8 & 0x7F;
strbuf = wmem_strbuf_new(wmem_packet_scope(), "");
wmem_strbuf_append_printf(strbuf, "%u^-%u", base, exponent);
resolution = 1;
for (i = 0; i < exponent; i += 1)
resolution *= base;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (interface_description) {
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
interface_description->timestamp_resolution = resolution;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
switch (resolution) {
case 0:
/* Overflow */
wmem_strbuf_append(strbuf, " (overflow)");
break;
case 1:
wmem_strbuf_append(strbuf, " (seconds)");
break;
case 10:
wmem_strbuf_append(strbuf, " (.1 seconds)");
break;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
case 100:
wmem_strbuf_append(strbuf, " (.01 seconds)");
break;
case 1000:
wmem_strbuf_append(strbuf, " (milliseconds)");
break;
case 10000:
wmem_strbuf_append(strbuf, " (.1 milliseconds)");
break;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
case 100000:
wmem_strbuf_append(strbuf, " (.01 milliseconds)");
break;
case 1000000:
wmem_strbuf_append(strbuf, " (microseconds)");
break;
case 10000000:
wmem_strbuf_append(strbuf, " (.1 microseconds)");
break;
case 100000000:
wmem_strbuf_append(strbuf, " (.01 microseconds)");
break;
case 1000000000:
wmem_strbuf_append(strbuf, " (nanoseconds)");
break;
case 10000000000:
wmem_strbuf_append(strbuf, " (.1 nanoseconds)");
break;
case 100000000000:
wmem_strbuf_append(strbuf, " (.01 nanoseconds)");
break;
case 1000000000000:
wmem_strbuf_append(strbuf, " (picoseconds)");
break;
case 10000000000000:
wmem_strbuf_append(strbuf, " (.1 picoseconds)");
break;
case 100000000000000:
wmem_strbuf_append(strbuf, " (.01 picoseconds)");
break;
}
str = wmem_strbuf_finalize(strbuf);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
}
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 10:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 4) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
/* TODO: Better timezone decoding */
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_timezone, tvb, offset, 4, encoding);
value.u32 = tvb_get_guint32(tvb, offset, encoding);
offset += 4;
str = wmem_strdup_printf(wmem_packet_scope(), "%u", value.u32);
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 11:
file-pcapng: fix capture filter dissection The pcapng spec[1] suggests that the first octet marks the filter type, but it is not clear whether this other types are implemented. Just skip over the byte for now. [1]: https://github.com/pcapng/pcapng/blob/c0dd7a7391/draft-tuexen-opsawg-pcapng.xml#L1083 Change-Id: I272dac55ea9ca3798e1fea45ce92023f7aa82564 Reviewed-on: https://code.wireshark.org/review/22043 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2017-06-08 17:00:20 +00:00
if (option_length == 0) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
file-pcapng: fix capture filter dissection The pcapng spec[1] suggests that the first octet marks the filter type, but it is not clear whether this other types are implemented. Just skip over the byte for now. [1]: https://github.com/pcapng/pcapng/blob/c0dd7a7391/draft-tuexen-opsawg-pcapng.xml#L1083 Change-Id: I272dac55ea9ca3798e1fea45ce92023f7aa82564 Reviewed-on: https://code.wireshark.org/review/22043 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2017-06-08 17:00:20 +00:00
break;
}
/* Skip over filter type (0 is libpcap, others are unspecified.) */
offset++;
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_interface_filter, tvb, offset, option_length - 1, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
offset += option_length - 1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 12:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_interface_os, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 13:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 1) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_fcs_length, tvb, offset, 1, ENC_NA);
value.u8 = tvb_get_guint8(tvb, offset);
str = wmem_strdup_printf(wmem_packet_scope(), "%u", (guint32) value.u8);
offset += 1;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 14:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_timestamp_offset, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
if (interface_description) {
interface_description->timestamp_offset = value.u64;
}
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
break;
case 15:
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_interface_hardware, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
offset += option_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
}
break;
case BLOCK_PACKET:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 4) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
if (encoding == ENC_LITTLE_ENDIAN) {
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags, ett_pcapng_option, hfx_pcapng_option_data_packet_flags, encoding);
offset += 2;
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags_link_layer_errors, ett_pcapng_option, hfx_pcapng_option_data_packet_flags_link_layer_errors, encoding);
offset += 2;
} else {
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags_link_layer_errors, ett_pcapng_option, hfx_pcapng_option_data_packet_flags_link_layer_errors, encoding);
offset += 2;
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags, ett_pcapng_option, hfx_pcapng_option_data_packet_flags, encoding);
offset += 2;
}
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_hash_algorithm, tvb, offset, 1, ENC_NA);
offset += 1;
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_hash_data, tvb, offset, option_length - 1, ENC_NA);
offset += option_length - 1;
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
break;
case BLOCK_NAME_RESOLUTION:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string Also some other tricks to remove unnecessary tvb_get_string_enc calls. Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914 Reviewed-on: https://code.wireshark.org/review/16158 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-26 14:52:37 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_data_dns_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 4) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr, AT_IPv4, 4, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
*_stdup_printf -> strdup for "single string only" formatting. Done for performance improvements. This could probably be done in checkAPIs.pl, but this was just a quick manual check with grepping. Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d Reviewed-on: https://code.wireshark.org/review/15751 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2016-06-06 02:24:47 +00:00
str = address_to_display(wmem_packet_scope(), &addr);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 16) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_ipv6, tvb, offset, 16, ENC_NA);
Remaining ADDRESS macro to address function conversions Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788 Reviewed-on: https://code.wireshark.org/review/11463 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 03:12:53 +00:00
set_address_tvb(&addr, AT_IPv6, 16, tvb, offset);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 16;
*_stdup_printf -> strdup for "single string only" formatting. Done for performance improvements. This could probably be done in checkAPIs.pl, but this was just a quick manual check with grepping. Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d Reviewed-on: https://code.wireshark.org/review/15751 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2016-06-06 02:24:47 +00:00
str = address_to_display(wmem_packet_scope(), &addr);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
break;
case BLOCK_INTERFACE_STATISTICS:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_start_time, tvb, offset, 8, encoding);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_end_time, tvb, offset, 8, encoding);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_received, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 5:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_dropped, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 6:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_accepted_by_filter, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 7:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_dropped_by_os, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 8:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_interface_delivered_to_user, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
break;
case BLOCK_ENHANCED_PACKET:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 4) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
file-pcapng: fix dissection of options in blocks - fix the loop logic - flags in EPB include link-layer-dependent errors Change-Id: Iae0b4869b556abbf3c14f3b865d0f23cee182c84 Reviewed-on: https://code.wireshark.org/review/10132 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-19 19:48:46 +00:00
if (encoding == ENC_LITTLE_ENDIAN) {
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags, ett_pcapng_option, hfx_pcapng_option_data_packet_flags, encoding);
offset += 2;
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags_link_layer_errors, ett_pcapng_option, hfx_pcapng_option_data_packet_flags_link_layer_errors, encoding);
offset += 2;
} else {
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags_link_layer_errors, ett_pcapng_option, hfx_pcapng_option_data_packet_flags_link_layer_errors, encoding);
offset += 2;
proto_tree_add_bitmask(option_tree, tvb, offset, hf_pcapng_option_data_packet_flags, ett_pcapng_option, hfx_pcapng_option_data_packet_flags, encoding);
offset += 2;
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 3:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_hash_algorithm, tvb, offset, 1, ENC_NA);
offset += 1;
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_hash_data, tvb, offset, option_length - 1, ENC_NA);
offset += option_length - 1;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4:
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (option_length != 8) {
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
expert_add_info(pinfo, option_length_item, &ei_invalid_option_length);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += option_length;
break;
}
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_drop_count, tvb, offset, 8, encoding);
value.u64 = tvb_get_guint64(tvb, offset, encoding);
str = wmem_strdup_printf(wmem_packet_scope(), "%"G_GUINT64_FORMAT, value.u64);
offset += 8;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
break;
case 32769: /* Darwin DPEB ID */
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_darwin_dpeb_id, tvb, offset, option_length, encoding);
value.u32 = tvb_get_guint32(tvb, offset, encoding);
offset += option_length;
str = wmem_strdup_printf(wmem_packet_scope(), "%u", value.u32);
break;
case 32770: /* Darwin Service Type */
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_darwin_svc_class, tvb, offset, option_length, encoding);
value.u32 = tvb_get_guint32(tvb, offset, encoding);
offset += option_length;
str = wmem_strdup_printf(wmem_packet_scope(), "%s", val_to_str_const(value.u32, option_code_darwin_svc_class_vals, "Unknown"));
break;
case 32771: /* Darwin Effective DPEB ID */
proto_tree_add_item(option_tree, hf_pcapng_option_data_packet_darwin_edpeb_id, tvb, offset, option_length, encoding);
value.u32 = tvb_get_guint32(tvb, offset, encoding);
offset += option_length;
str = wmem_strdup_printf(wmem_packet_scope(), "%u", value.u32);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
break;
case BLOCK_DARWIN_PROCESS:
switch (option_code) {
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 2: /* Darwin Process Name */
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
proto_tree_add_item_ret_string(option_tree, hf_pcapng_option_darwin_process_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, wmem_packet_scope(), &str);
offset += option_length;
break;
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
case 4: /* Darwin Process UUID */
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
proto_tree_add_item(option_tree, hf_pcapng_option_darwin_process_uuid, tvb, offset, option_length, ENC_BIG_ENDIAN);
tvb_get_guid(tvb, offset, &uuid, ENC_BIG_ENDIAN);
offset += option_length;
str = guid_to_str(wmem_packet_scope(), &uuid);
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
break;
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
default:
proto_tree_add_item(option_tree, hf_pcapng_option_data, tvb, offset, option_length, ENC_NA);
offset += option_length;
}
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
if ((option_length % 4) != 0) {
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
proto_item_set_len(option_item, option_length + 2 * 2 + (4 - option_length % 4));
option_length = 4 - option_length % 4;
proto_tree_add_item(option_tree, hf_pcapng_option_padding, tvb, offset, option_length, ENC_NA);
offset += option_length;
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
} else
proto_item_set_len(option_item, option_length + 2 * 2);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
if (str)
proto_item_append_text(option_item, " = %s", str);
}
return offset;
}
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
static void
pcapng_add_timestamp(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
int offset, guint encoding,
struct interface_description *interface_description)
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
{
proto_tree_add_item(tree, hf_pcapng_timestamp_high, tvb, offset, 4, encoding);
proto_tree_add_item(tree, hf_pcapng_timestamp_low, tvb, offset + 4, 4, encoding);
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
if (interface_description != NULL) {
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
nstime_t timestamp;
guint64 ts;
proto_item *ti;
ts = ((guint64)(tvb_get_guint32(tvb, offset, encoding))) << 32 |
tvb_get_guint32(tvb, offset + 4, encoding);
ts += interface_description->timestamp_offset;
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
if (interface_description->timestamp_resolution == 0) {
/* This overflowed, so we can't calculate the time stamp */
pinfo->presence_flags &= ~PINFO_HAS_TS;
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
} else {
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
timestamp.secs = (time_t)(ts / interface_description->timestamp_resolution);
Fix calculation of fractional part of time stamps. Do it the same way that wiretap/pcapng.c does it. Bug: 16440 Change-Id: Ied811e5d10d4219de718f4f74254440b324f0ed1 Reviewed-on: https://code.wireshark.org/review/37132 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 21:27:58 +00:00
timestamp.nsecs = (int)(((ts % interface_description->timestamp_resolution) * 1000000000) / interface_description->timestamp_resolution);
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
ti = proto_tree_add_time(tree, hf_pcapng_timestamp, tvb, offset, 8, &timestamp);
epan: Convert our PROTO_ITEM_ macros to inline functions. Convert our various PROTO_ITEM_ macros to inline functions and document them. Change-Id: I070b15d4f70d2189217a177ee8ba2740be36327c Reviewed-on: https://code.wireshark.org/review/32706 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-04-03 21:32:30 +00:00
proto_item_set_generated(ti);
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
Don't crash if an IDB resolution value is too high. When dissecting an if_tsresol option in an IDB, calculate the resolution from the base and the offset. If the result overflows, mark it as an overflow; otherwise, mark it with the units for more values than 1 microsecond. Store the calculated resolution, which we initialize to the default of 1 microsecond. When displaying time stamps in blocks, use the calculated resolution, rather than re-calculating it. If it's 0, it means the resolution is too high, so don't calculate it and end up dividing by zero. Bug: 14402 Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f Reviewed-on: https://code.wireshark.org/review/25673 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:07:24 +00:00
pinfo->abs_ts = timestamp;
}
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
}
}
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
static struct interface_description *
get_interface_description(struct info *info, guint interface_id,
packet_info *pinfo, proto_tree *tree)
{
if (interface_id >= wmem_array_get_count(info->interfaces)) {
expert_add_info(pinfo, tree, &ei_missing_idb);
return NULL;
}
return (struct interface_description *) wmem_array_index(info->interfaces, interface_id);
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
/*
* This is tricky - for most blocks, we can dissect this first, but, for
* a Section Header Block, we must dissect it *after* determining the
* byte order.
*
* So we extract it into a routine and call it at the appropriate time.
*/
static proto_tree *
dissect_block_length(proto_tree *block_tree, packet_info *pinfo,
tvbuff_t *tvb, int offset, guint32 *block_data_length_p,
guint encoding)
{
proto_item *block_length_item;
proto_item *block_data_item;
block_length_item = proto_tree_add_item_ret_uint(block_tree, hf_pcapng_block_length, tvb, offset, 4, encoding, block_data_length_p);
if (*block_data_length_p < 3*4)
expert_add_info(pinfo, block_length_item, &ei_block_length_too_short);
/*
* To quote the current pcapng spec, "Block Total Length (32 bits) ...
* This value MUST be a multiple of 4."
*/
if ((*block_data_length_p % 4) != 0)
expert_add_info(pinfo, block_length_item, &ei_block_length_not_multiple_of_4);
/*
* Subtract the per-block overhead (block type, block length, trailing
* block length).
*/
*block_data_length_p -= 3*4;
/*
* Now that we know the block data length, create an item for its
* tree.
*/
offset += 4;
block_data_item = proto_tree_add_item(block_tree, hf_pcapng_block_data, tvb, offset, *block_data_length_p, ENC_NA);
return proto_item_add_subtree(block_data_item, ett_pcapng_block_data);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static gint dissect_block(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
struct info *info)
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{
proto_tree *block_tree;
proto_item *block_item;
proto_tree *block_data_tree;
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
proto_item *byte_order_magic_item;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
proto_item *packet_data_item;
gint offset = 0;
guint32 length;
guint32 captured_length;
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
guint32 reported_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
guint32 block_type;
guint32 block_data_length;
guint32 interface_id;
tvbuff_t *next_tvb;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
block_type = tvb_get_guint32(tvb, offset + 0, info->encoding);
length = tvb_get_guint32(tvb, offset + 4, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
block_item = proto_tree_add_item(tree, hf_pcapng_block, tvb, offset, length, ENC_NA);
block_tree = proto_item_add_subtree(block_item, ett_pcapng_section_header_block);
proto_item_append_text(block_item, ": %s", val_to_str_const(block_type, block_type_vals, "Unknown"));
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_bitmask_with_flags(block_tree, tvb, offset, hf_pcapng_block_type, ett_pcapng_option, hfx_pcapng_block_type, info->encoding, BMT_NO_APPEND);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (block_type == BLOCK_SECTION_HEADER) {
/* Section Header Block - this needs special byte-order handling */
gboolean byte_order_magic_bad = FALSE;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng: give a structure member an appropriate name. An entire pcapng file is dissected as a unit, so there's only one file; the "file_number" field counts Section Header Blocks, so it's a section number, not a file number. Rename it to "section_number". Change-Id: I3ee477c9aa0ee4cdfa7496935b2be915c31a4644 Reviewed-on: https://code.wireshark.org/review/36977 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-30 01:20:12 +00:00
proto_item_append_text(block_item, " %u", info->section_number);
info->section_number += 1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
info->interface_number = 0;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
info->darwin_process_event_number = 0;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
info->frame_number = 1;
MIME/pcapng: reset interface array on new SHB When reading a new SHB in a pcapng file, reset the array of interface descriptions to empty. No blocks that follow will be referring to interfaces from the previous section. Ping-Bug: 16526 Change-Id: Iaa4257e3392bb829445aab1f79b54334f5db0263 Reviewed-on: https://code.wireshark.org/review/37092 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 12:38:05 +00:00
if (info->interfaces != NULL) {
wmem_free(wmem_packet_scope(), info->interfaces);
}
info->interfaces = wmem_array_new(wmem_packet_scope(), sizeof(struct interface_description));
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (tvb_memeql(tvb, 8, pcapng_big_endian_magic, BYTE_ORDER_MAGIC_SIZE) == 0) {
info->encoding = ENC_BIG_ENDIAN;
} else if (tvb_memeql(tvb, 8, pcapng_little_endian_magic, BYTE_ORDER_MAGIC_SIZE) == 0) {
info->encoding = ENC_LITTLE_ENDIAN;
} else {
byte_order_magic_bad = TRUE;
}
block_data_tree = dissect_block_length(block_tree, pinfo, tvb, offset, &block_data_length, info->encoding);
offset += 4;
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
byte_order_magic_item = proto_tree_add_item(block_data_tree, hf_pcapng_section_header_byte_order_magic, tvb, offset, 4, ENC_NA);
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (byte_order_magic_bad) {
expert_add_info(pinfo, byte_order_magic_item, &ei_invalid_byte_order_magic);
return -1;
}
if (info->encoding == ENC_BIG_ENDIAN)
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
proto_item_append_text(byte_order_magic_item, " (Big-endian)");
else
proto_item_append_text(byte_order_magic_item, " (Little-endian)");
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_section_header_major_version, tvb, offset, 2, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 2;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_section_header_minor_version, tvb, offset, 2, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 2;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_section_header_section_length, tvb, offset, 8, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 8;
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 4 - 2 - 2 - 8);
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
} else {
/*
* Not an SHB, so we know the byte order.
*/
block_data_tree = dissect_block_length(block_tree, pinfo, tvb, offset, &block_data_length, info->encoding);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
switch (block_type) {
case BLOCK_INTERFACE_DESCRIPTION: {
struct interface_description interface_description;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
memset(&interface_description, 0, sizeof(struct interface_description));
interface_description.timestamp_resolution = 1000000; /* 1 microsecond resolution is the default */
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_item_append_text(block_item, " %u", info->interface_number);
info->interface_number += 1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_interface_description_link_type, tvb, offset, 2, info->encoding);
interface_description.link_type = tvb_get_guint16(tvb, offset, info->encoding);
offset += 2;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_interface_description_reserved, tvb, offset, 2, info->encoding);
offset += 2;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_interface_description_snap_length, tvb, offset, 4, info->encoding);
interface_description.snap_len = tvb_get_guint32(tvb, offset, info->encoding);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 2 - 2 - 4);
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, &interface_description);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
wmem_array_append_one(info->interfaces, interface_description);
}
break;
case BLOCK_PACKET: {
struct interface_description *interface_description;
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_item_append_text(block_item, " %u", info->frame_number);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_packet_block_interface_id, tvb, offset, 2, info->encoding);
interface_id = tvb_get_guint16(tvb, offset, info->encoding);
offset += 2;
interface_description = get_interface_description(info, interface_id,
pinfo, block_tree);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_packet_block_drops_count, tvb, offset, 2, info->encoding);
offset += 2;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pcapng_add_timestamp(block_data_tree, pinfo, tvb, offset, info->encoding, interface_description);
offset += 8;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_captured_length, tvb, offset, 4, info->encoding, &captured_length);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_packet_length, tvb, offset, 4, info->encoding, &reported_length);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
packet_data_item = proto_tree_add_item(block_data_tree, hf_pcapng_packet_data, tvb, offset, captured_length, info->encoding);
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (pref_dissect_next_layer && interface_description != NULL) {
proto_tree *packet_data_tree = proto_item_add_subtree(packet_data_item, ett_pcapng_packet_data);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pinfo->num = info->frame_number;
file-pcapng: always set pinfo->fd->num before calling next layer dissectors/file-pcapng Also fix an off by 1 error for EPB case Change-Id: I895d82a58ec02c577dcaa67a97d456b42460b947 Reviewed-on: https://code.wireshark.org/review/10149 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-20 13:06:41 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
TRY {
call_dissector_with_data(pcap_pktdata_handle, tvb_new_subset_length_caplen(tvb, offset, captured_length, reported_length),
pinfo, packet_data_tree, &interface_description->link_type);
}
CATCH_BOUNDS_ERRORS {
show_exception(tvb, pinfo, packet_data_tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
info->frame_number += 1;
offset += captured_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (captured_length % 4) {
proto_tree_add_item(block_data_tree, hf_pcapng_packet_padding, tvb, offset, ((captured_length % 4) ? (4 - (captured_length % 4)) : 0), ENC_NA);
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 2 - 2 - 8 - 4 - 4 - captured_length - ((captured_length % 4)?(4 - (captured_length % 4)):0));
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
}
break;
case BLOCK_SIMPLE_PACKET: {
struct interface_description *interface_description;
proto_item *ti;
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
interface_description = get_interface_description(info, 0,
pinfo, block_tree);
pcapng: expert info when packet or ISB appear without interfaces A valid pcapng file must have an IDB before any EPB/SPB/PB/ISB. So check our interface count when we parse the first such block of a section, and add expert info if there are no interfaces. Discovered during work on Bug #16526. Ping-Bug: 16526 Change-Id: I23ff452fd163a0e4472e0658a905f85ab85d5e9d Reviewed-on: https://code.wireshark.org/review/36986 Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl> Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-30 12:32:44 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_item_append_text(block_item, " %u", info->frame_number);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_packet_length, tvb, offset, 4, info->encoding, &reported_length);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
captured_length = reported_length;
if (interface_description && interface_description->snap_len != 0) {
captured_length = MIN(reported_length, interface_description->snap_len);
}
ti = proto_tree_add_uint(block_data_tree, hf_pcapng_captured_length, tvb, 0, 0, captured_length);
proto_item_set_generated(ti);
MIME/pcapng: use snap length to get SPB data length The "Original Packet Length" field of a Simple Packet Block can be greater than the amount of data actually captured; the Interface Description Block's snap length must be checked as well. To enable this in the MIME Files Format dissector, the `interface_description` needs to store the snap length. This allows the appropriate section of `dissect_block()` to access it via the `info` parameter. The "Captured Length" field from EPB/PB dissection is added to SPB dissection as a generated field to clarify the difference between it and the field labelled "Packet Length". Bug: 16526 Change-Id: I27f2fccc9ed2f682377059931b18d7e42d7ff0a3 Reviewed-on: https://code.wireshark.org/review/37095 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 12:50:45 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
packet_data_item = proto_tree_add_item(block_data_tree, hf_pcapng_packet_data, tvb, offset, captured_length, info->encoding);
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (pref_dissect_next_layer && interface_description != NULL) {
proto_tree *packet_data_tree = proto_item_add_subtree(packet_data_item, ett_pcapng_packet_data);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pinfo->num = info->frame_number;
file-pcapng: always set pinfo->fd->num before calling next layer dissectors/file-pcapng Also fix an off by 1 error for EPB case Change-Id: I895d82a58ec02c577dcaa67a97d456b42460b947 Reviewed-on: https://code.wireshark.org/review/10149 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-20 13:06:41 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
TRY {
call_dissector_with_data(pcap_pktdata_handle, tvb_new_subset_length(tvb, offset, captured_length),
pinfo, packet_data_tree, &interface_description->link_type);
}
CATCH_BOUNDS_ERRORS {
show_exception(tvb, pinfo, packet_data_tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
info->frame_number += 1;
offset += captured_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (captured_length % 4) {
proto_tree_add_item(block_data_tree, hf_pcapng_packet_padding, tvb, offset, ((captured_length % 4)?(4 - (captured_length % 4)):0), ENC_NA);
offset += ((captured_length % 4) ? (4 - (captured_length % 4)):0);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
}
break;
case BLOCK_NAME_RESOLUTION:
{
proto_tree *records_tree;
proto_item *records_item;
proto_tree *record_tree;
proto_item *record_item;
proto_item *record_length_item;
gint offset_record_start;
gint offset_string_start;
guint32 record_code;
guint32 record_length;
gint string_length;
gchar *str = NULL;
address addr;
records_item = proto_tree_add_item(block_data_tree, hf_pcapng_records, tvb, offset, block_data_length, ENC_NA);
records_tree = proto_item_add_subtree(records_item, ett_pcapng_records);
offset_record_start = offset;
while (block_data_length - (offset_record_start - offset) > 0) {
record_item = proto_tree_add_item(records_tree, hf_pcapng_record, tvb, offset, -1, ENC_NA);
record_tree = proto_item_add_subtree(record_item, ett_pcapng_record);
proto_tree_add_item_ret_uint(record_tree, hf_pcapng_record_code, tvb, offset, 2, info->encoding, &record_code);
proto_item_append_text(record_item, ": %s", val_to_str_const(record_code, record_code_vals, "Unknown"));
offset += 2;
record_length_item = proto_tree_add_item_ret_uint(record_tree, hf_pcapng_record_length, tvb, offset, 2, info->encoding, &record_length);
offset += 2;
if (record_code == 0) {
if (record_length != 0)
expert_add_info(pinfo, record_length_item, &ei_invalid_record_length);
proto_item_set_len(record_item, record_length + 2 * 2);
break;
} else switch (record_code) {
case 0x0001: /* IPv4 Record */
if (record_length < 5) {
expert_add_info(pinfo, record_length_item, &ei_invalid_record_length);
offset += record_length;
break;
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(record_tree, hf_pcapng_record_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
set_address_tvb(&addr, AT_IPv4, 4, tvb, offset);
offset += 4;
offset_string_start = offset;
while ((guint)(offset - offset_string_start) < record_length - 4) {
string_length = tvb_strnlen(tvb, offset, (offset - offset_string_start) + record_length - 4);
if (string_length >= 0) {
proto_tree_add_item(record_tree, hf_pcapng_record_name, tvb, offset, string_length + 1, info->encoding);
offset += string_length + 1;
} else {
/*
* XXX - flag with an error, as this means we didn't
* see a terminating NUL, but the spec says "zero
* or more zero-terminated UTF-8 strings containing
* the DNS entries for that address".
*/
proto_tree_add_item(record_tree, hf_pcapng_record_data, tvb, offset, (record_length - 4) - (offset - offset_string_start), info->encoding);
offset += (record_length - 4) - (offset - offset_string_start);
}
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
str = address_to_display(wmem_packet_scope(), &addr);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
case 0x0002: /* IPv6 Record */
if (record_length < 17) {
expert_add_info(pinfo, record_length_item, &ei_invalid_record_length);
offset += record_length;
break;
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(record_tree, hf_pcapng_record_ipv6, tvb, offset, 16, ENC_NA);
set_address_tvb(&addr, AT_IPv6, 16, tvb, offset);
offset += 16;
offset_string_start = offset;
while ((guint)(offset - offset_string_start) < record_length - 16) {
string_length = tvb_strnlen(tvb, offset, (offset - offset_string_start) + record_length - 16);
if (string_length >= 0) {
proto_tree_add_item(record_tree, hf_pcapng_record_name, tvb, offset, string_length + 1, info->encoding);
offset += string_length + 1;
} else {
/*
* XXX - flag with an error, as this means we didn't
* see a terminating NUL, but the spec says "zero
* or more zero-terminated UTF-8 strings containing
* the DNS entries for that address".
*/
proto_tree_add_item(record_tree, hf_pcapng_record_data, tvb, offset, (record_length - 16) - (offset - offset_string_start), info->encoding);
offset += (record_length - 16) - (offset - offset_string_start);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
str = address_to_display(wmem_packet_scope(), &addr);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
break;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
default:
proto_tree_add_item(record_tree, hf_pcapng_record_data, tvb, offset, record_length, ENC_NA);
offset += record_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (record_code != 0 && record_length % 4) {
proto_item_set_len(record_item, record_length + 2 * 2 + (4 - record_length % 4));
record_length = 4 - record_length % 4;
proto_tree_add_item(record_tree, hf_pcapng_record_padding, tvb, offset, record_length, ENC_NA);
offset += record_length;
} else
proto_item_set_len(record_item, record_length + 2 * 2);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (str)
proto_item_append_text(record_item, " = %s", str);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - (offset - offset_record_start));
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
break;
case BLOCK_INTERFACE_STATISTICS: {
struct interface_description *interface_description;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_interface_id, tvb, offset, 4, info->encoding);
interface_id = tvb_get_guint32(tvb, offset, info->encoding);
offset += 4;
interface_description = get_interface_description(info, interface_id,
pinfo, block_tree);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pcapng_add_timestamp(block_data_tree, pinfo, tvb, offset, info->encoding, interface_description);
offset += 8;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 4 - 8);
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
}
break;
case BLOCK_ENHANCED_PACKET: {
struct interface_description *interface_description;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_item_append_text(block_item, " %u", info->frame_number);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_interface_id, tvb, offset, 4, info->encoding);
interface_id = tvb_get_guint32(tvb, offset, info->encoding);
offset += 4;
interface_description = get_interface_description(info, interface_id,
pinfo, block_tree);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pcapng_add_timestamp(block_data_tree, pinfo, tvb, offset, info->encoding, interface_description);
offset += 8;
pcapng: pull the interface ID handling into a single routine. Have a routine that takes an interface ID as an argument and: if it's within range, fetches the interface description and returns a pointer to it; if it's not within range, adds an expert info and returns NULL; and have the code to dissect blocks with interface IDs just call it. Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23 Reviewed-on: https://code.wireshark.org/review/37090 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 22:28:11 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_captured_length, tvb, offset, 4, info->encoding, &captured_length);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_packet_length, tvb, offset, 4, info->encoding, &reported_length);
offset += 4;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
packet_data_item = proto_tree_add_item(block_data_tree, hf_pcapng_packet_data, tvb, offset, captured_length, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (pref_dissect_next_layer && interface_description != NULL) {
proto_tree *packet_data_tree = proto_item_add_subtree(packet_data_item, ett_pcapng_packet_data);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
pinfo->num = info->frame_number;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
TRY {
call_dissector_with_data(pcap_pktdata_handle, tvb_new_subset_length_caplen(tvb, offset, captured_length, reported_length),
pinfo, packet_data_tree, &interface_description->link_type);
}
CATCH_BOUNDS_ERRORS {
show_exception(tvb, pinfo, packet_data_tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
}
info->frame_number += 1;
offset += captured_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (captured_length % 4) {
proto_tree_add_item(block_data_tree, hf_pcapng_packet_padding, tvb, offset, ((captured_length % 4)? (4 - (captured_length % 4)):0), ENC_NA);
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 4 - 8 - 4 - 4 - captured_length - ((captured_length % 4)?(4 - (captured_length % 4)):0));
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
break;
case BLOCK_DSB:
{
guint32 secrets_length;
proto_tree_add_item(block_data_tree, hf_pcapng_dsb_secrets_type, tvb, offset, 4, info->encoding);
offset += 4;
proto_tree_add_item_ret_uint(block_data_tree, hf_pcapng_dsb_secrets_length, tvb, offset, 4, info->encoding, &secrets_length);
offset += 4;
proto_tree_add_item(block_data_tree, hf_pcapng_dsb_secrets_data, tvb, offset, secrets_length, info->encoding);
offset += secrets_length;
guint32 padlen = (4 - (secrets_length & 3)) & 3;
if (padlen) {
proto_tree_add_item(block_data_tree, hf_pcapng_record_padding, tvb, offset, padlen, ENC_NA);
offset += padlen;
file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors Otherwise dissection will fail when analyzing a capture with a snap length set Change-Id: If6714364efffdd1fbf88c947743929a71f75c663 Reviewed-on: https://code.wireshark.org/review/10135 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-19 19:57:25 +00:00
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
if (block_data_length > 4 + 4 + secrets_length + padlen) {
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 4 - 4 - secrets_length - padlen);
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
}
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
break;
case BLOCK_DARWIN_PROCESS:
proto_item_append_text(block_item, " %u", info->darwin_process_event_number);
info->darwin_process_event_number += 1;
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_data_tree, hf_pcapng_darwin_process_id, tvb, offset, 4, info->encoding);
offset += 4;
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
next_tvb = tvb_new_subset_length(tvb, offset, block_data_length - 4);
offset += dissect_options(block_data_tree, pinfo, block_type, next_tvb, info->encoding, NULL);
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
break;
case BLOCK_IRIG_TIMESTAMP:
case BLOCK_ARINC_429:
default:
offset += block_data_length;
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
}
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
proto_tree_add_item(block_tree, hf_pcapng_block_length, tvb, offset, 4, info->encoding);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
offset += 4;
return offset;
}
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
#define BLOCK_TYPE_SIZE 4
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
static int
dissect_pcapng(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
static const guint8 pcapng_premagic[BLOCK_TYPE_SIZE] = {
0x0A, 0x0D, 0x0D, 0x0A
};
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
gint offset = 0;
guint32 length;
guint32 encoding;
proto_tree *main_tree;
proto_item *main_item;
struct info info;
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
if (tvb_memeql(tvb, 0, pcapng_premagic, BLOCK_TYPE_SIZE) != 0)
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
return 0;
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
if (tvb_memeql(tvb, 8, pcapng_big_endian_magic, BYTE_ORDER_MAGIC_SIZE) == 0) {
encoding = ENC_BIG_ENDIAN;
} else if (tvb_memeql(tvb, 8, pcapng_little_endian_magic, BYTE_ORDER_MAGIC_SIZE) == 0) {
encoding = ENC_LITTLE_ENDIAN;
} else {
return 0;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
pcapng: give a structure member an appropriate name. An entire pcapng file is dissected as a unit, so there's only one file; the "file_number" field counts Section Header Blocks, so it's a section number, not a file number. Rename it to "section_number". Change-Id: I3ee477c9aa0ee4cdfa7496935b2be915c31a4644 Reviewed-on: https://code.wireshark.org/review/36977 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-30 01:20:12 +00:00
info.section_number = 1;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
info.interface_number = 0;
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
info.darwin_process_event_number = 0;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
info.frame_number = 1;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
info.encoding = encoding;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
info.interfaces = wmem_array_new(wmem_packet_scope(), sizeof(struct interface_description));
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
info.darwin_process_events = wmem_array_new(wmem_packet_scope(), sizeof(struct darwin_process_event_description));
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
main_item = proto_tree_add_item(tree, proto_pcapng, tvb, offset, -1, ENC_NA);
main_tree = proto_item_add_subtree(main_item, ett_pcapng);
while (tvb_captured_length_remaining(tvb, offset)) {
tvbuff_t *next_tvb;
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
int block_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
length = tvb_get_guint32(tvb, offset + 4, encoding);
next_tvb = tvb_new_subset_length(tvb, offset, length);
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
block_length = dissect_block(main_tree, pinfo, next_tvb, &info);
if (block_length == -1) {
/* Fatal error. */
break;
}
offset += block_length;
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
return offset;
}
static gboolean
dissect_pcapng_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
return dissect_pcapng(tvb, pinfo, tree, NULL) > 0;
}
void
proto_register_pcapng(void)
{
module_t *module;
expert_module_t *expert_module;
static hf_register_info hf[] = {
{ &hf_pcapng_block,
{ "Block", "pcapng.block",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_block_type,
{ "Block Type", "pcapng.block.type",
FT_UINT32, BASE_HEX, VALS(block_type_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_block_type_vendor,
{ "Block Type Vendor", "pcapng.block.type.vendor",
FT_BOOLEAN, 32, NULL, 0x80000000,
NULL, HFILL }
},
{ &hf_pcapng_block_type_value,
{ "Block Type Value", "pcapng.block.type.value",
FT_UINT32, BASE_HEX, VALS(block_type_vals), 0x7FFFFFFF,
NULL, HFILL }
},
{ &hf_pcapng_block_length,
{ "Block Length", "pcapng.block.length",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_block_data,
{ "Block Data", "pcapng.block.data",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_options,
{ "Options", "pcapng.options",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option,
{ "Option", "pcapng.options.option",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_code_interface_description,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, VALS(option_code_interface_description_vals), 0x00,
NULL, HFILL }
},
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
{ &hf_pcapng_option_code_enhanced_packet,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ "Code", "pcapng.options.option.code",
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
FT_UINT16, BASE_DEC, VALS(option_code_enhanced_packet_vals), 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
{ &hf_pcapng_option_code_packet,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ "Code", "pcapng.options.option.code",
file-pcapng: Undo some unnecessary changes. In commit 35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9 four existing objects were renamed for no good reason. Restore original names. Also remove unnessary Darwin options from packet block options and remove leftover include. Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c Reviewed-on: https://code.wireshark.org/review/20171 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 18:28:43 +00:00
FT_UINT16, BASE_DEC, VALS(option_code_packet_vals), 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_code_name_resolution,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, VALS(option_code_name_resolution_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_code_interface_statistics,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, VALS(option_code_interface_statistics_vals), 0x00,
NULL, HFILL }
},
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ &hf_pcapng_option_code_darwin_process_info,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, VALS(option_code_darwin_process_info_vals), 0x00,
NULL, HFILL }
},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ &hf_pcapng_option_code,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_length,
{ "Length", "pcapng.options.option.length",
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
FT_UINT16, BASE_DEC, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data,
{ "Option Data", "pcapng.options.option.data",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_padding,
{ "Option Padding", "pcapng.options.option.padding",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_comment,
{ "Comment", "pcapng.options.option.data.comment",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_section_header_byte_order_magic,
{ "Byte Order Magic", "pcapng.section_header.byte_order_magic",
Fix handling of the byte order magic number. Just treat it as an array of bytes. When checking for whether it's a pcapng file, also determine whether it's big-endian or little-endian. Note that reading it in *host* byte order will tell you whether it's in your byte order or byte-swapped; you have to know your byte order to know whether that means little-endian or big-endian. Have a #define for the byte-order magic number size, as all byte order magic number values must be that size, and use that as the size of the magic-number arrays. Also use a #define for the SHB block type magic number. Get rid of a now-unused expert info. (If the magic number isn't something we recognize, we don't treat the file as a pcap file, so it can never be "unknown".) Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac Reviewed-on: https://code.wireshark.org/review/13494 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:14:50 +00:00
FT_BYTES, BASE_NONE, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_section_header_major_version,
{ "Major Version", "pcapng.section_header.version.major",
FT_UINT16, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_section_header_minor_version,
{ "Minor Version", "pcapng.section_header.version.minor",
FT_UINT16, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_section_header_section_length,
{ "Section Length", "pcapng.section_header.section_length",
FT_INT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_code_section_header,
{ "Code", "pcapng.options.option.code",
FT_UINT16, BASE_DEC, VALS(option_code_section_header_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_section_header_hardware,
{ "Hardware", "pcapng.options.option.data.hardware",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_section_header_os,
{ "OS", "pcapng.options.option.data.os",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_section_header_user_application,
{ "User Application", "pcapng.options.option.data.user_application",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_description_name,
{ "Name", "pcapng.options.option.data.interface.name",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_description_description,
{ "Description", "pcapng.options.option.data.interface.description",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_ipv4,
{ "IPv4", "pcapng.options.option.data.ipv4",
FT_IPv4, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_ipv4_mask,
{ "IPv4 Mask", "pcapng.options.option.data.ipv4_mask",
FT_IPv4, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_ipv6,
pcapng (dissector): fix 'pcapng.options.option.data.ipv4' exists multiple times with NOT compatible types: FT_IPv6 and FT_IPv4 Change-Id: I9f6e713a50e0c73d0ecc7a66b62dffe270d4a35f Reviewed-on: https://code.wireshark.org/review/13678 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-02-03 06:36:57 +00:00
{ "IPv6", "pcapng.options.option.data.ipv6",
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
FT_IPv6, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_ipv6_mask,
{ "IPv6 Mask", "pcapng.options.option.data.ipv6_mask",
FT_UINT8, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_mac_address,
{ "MAC Address", "pcapng.options.option.data.mac",
FT_ETHER, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_eui_address,
{ "EUI Address", "pcapng.options.option.data.eui",
FT_EUI64, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_speed,
{ "Speed", "pcapng.options.option.data.interface.speed",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_timestamp_resolution,
{ "Timestamp Resolution", "pcapng.options.option.data.interface.timestamp_resolution",
FT_UINT8, BASE_HEX, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_timestamp_resolution_base,
{ "Base", "pcapng.options.option.data.interface.timestamp_resolution.base",
FT_UINT8, BASE_HEX, VALS(timestamp_resolution_base_vals), 0x80,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_timestamp_resolution_value,
{ "Value", "pcapng.options.option.data.interface.timestamp_resolution.value",
FT_UINT8, BASE_DEC, NULL, 0x7F,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_timezone,
{ "Timezone", "pcapng.options.option.data.interface.timezone",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_filter,
{ "Filter", "pcapng.options.option.data.interface.filter",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_os,
{ "OS", "pcapng.options.option.data.interface.os",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
Add support for IDB option 15 - if_hardware, for hardware description. While we're at it, use decimal, rather than hex, for option numbers; they're given in decimal in the pcapng spec. And fix a typo. Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5 Reviewed-on: https://code.wireshark.org/review/36600 Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:34:18 +00:00
{ &hf_pcapng_option_data_interface_hardware,
{ "Hardware", "pcapng.options.option.data.interface.hardware",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ &hf_pcapng_option_data_interface_fcs_length,
{ "FCS Length", "pcapng.options.option.data.interface.fcs_length",
FT_UINT8, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_timestamp_offset,
{ "Timestamp Offset", "pcapng.options.option.data.interface.timestamp_offset",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_drop_count,
{ "Drop Count", "pcapng.options.option.data.packet.drop_count",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_hash_algorithm,
{ "Hash Algorithm", "pcapng.options.option.data.packet.hash.algorithm",
pcapng: show some fields in decimal, not hexadecimal. The interface ID is just an ordinal; there's no reason to show it as hex (we don't show it as hex if we're treating a pcapng file as a capture rather than a file to be dissected). The packet drops count is just a count, so, again, there's no reason to show it as hex. The hash algorithms numbers are given in decimal in the pcapng spec, so display it as decimal. Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af Reviewed-on: https://code.wireshark.org/review/37072 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:56:44 +00:00
FT_UINT8, BASE_DEC, VALS(packet_hash_algorithm_vals), 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_hash_data,
{ "Hash Data", "pcapng.options.option.data.packet.hash.data",
FT_BYTES, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors,
{ "Link Layer Errors", "pcapng.options.option.data.packet.flags.link_layer_errors",
FT_UINT16, BASE_HEX, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_symbol,
{ "Symbol Error", "pcapng.options.option.data.packet.flags.link_layer_errors.symbol",
FT_BOOLEAN, 16, NULL, 0x8000,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_preamble,
{ "Preamble Error", "pcapng.options.option.data.packet.flags.link_layer_errors.preamble",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_BOOLEAN, 16, NULL, 0x4000,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_start_frame_delimiter,
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
{ "Start Frame Delimiter Error", "pcapng.options.option.data.packet.flags.link_layer_errors.start_frame_delimiter",
FT_BOOLEAN, 16, NULL, 0x2000,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_unaligned_frame,
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
{ "Unaligned Frame Error", "pcapng.options.option.data.packet.flags.link_layer_errors.unaligned_frame",
FT_BOOLEAN, 16, NULL, 0x1000,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_wrong_inter_frame_gap,
{ "Wrong Inter Frame Gap", "pcapng.options.option.data.packet.flags.link_layer_errors.wrong_inter_frame_gap",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_BOOLEAN, 16, NULL, 0x0800,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_short,
{ "Packet Too Short", "pcapng.options.option.data.packet.flags.link_layer_errors.packet_too_short",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_BOOLEAN, 16, NULL, 0x0400,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_packet_too_long,
{ "Packet Too Long", "pcapng.options.option.data.packet.flags.link_layer_errors.packet_too_long",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_BOOLEAN, 16, NULL, 0x0200,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_crc_error,
{ "CRC Error", "pcapng.options.option.data.packet.flags.link_layer_errors.crc",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_BOOLEAN, 16, NULL, 0x0100,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_link_layer_errors_reserved,
{ "Reserved", "pcapng.options.option.data.packet.flags.link_layer_errors.reserved",
MIME based pcapng dissector: Fixup apparent copy-and-pasteos. The MIME based pcapng dissector incorrectly displayed the EPB Flags option's link layer error bits. Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac Reviewed-on: https://code.wireshark.org/review/23279 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 04:32:43 +00:00
FT_UINT16, BASE_HEX, NULL, 0x00FF,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags,
{ "Flags", "pcapng.options.option.data.packet.flags",
FT_UINT16, BASE_HEX, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_reserved,
{ "Reserved", "pcapng.options.option.data.packet.flags.reserved",
FT_UINT16, BASE_HEX, NULL, 0xFE00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_fcs_length,
{ "FCS Length", "pcapng.options.option.data.packet.flags.fcs_length",
FT_UINT16, BASE_DEC, NULL, 0x01E0,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_reception_type,
{ "Reception Type", "pcapng.options.option.data.packet.flags.reception_type",
FT_UINT16, BASE_HEX, VALS(flags_reception_type_vals), 0x001C,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_flags_direction,
{ "Direction", "pcapng.options.option.data.packet.flags.direction",
FT_UINT16, BASE_HEX, VALS(packet_flags_direction_vals), 0x0003,
NULL, HFILL }
},
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ &hf_pcapng_option_data_packet_darwin_dpeb_id,
{ "DPEB ID", "pcapng.options.option.data.packet.darwin.dpeb_id",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_darwin_svc_class,
{ "Darwin svc", "pcapng.options.option.data.packet.darwin.svc_class",
FT_UINT32, BASE_DEC, VALS(option_code_darwin_svc_class_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_packet_darwin_edpeb_id,
{ "Effective DPED ID", "pcapng.options.option.data.packet.darwin.edpeb_id",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ &hf_pcapng_option_data_dns_name,
{ "DNS Name", "pcapng.options.option.data.dns_name",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_start_time,
{ "Start Time", "pcapng.options.option.data.start_time",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_end_time,
{ "End Time", "pcapng.options.option.data.end_time",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_received,
{ "Number of Received Packets", "pcapng.options.option.data.interface.received",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_dropped,
{ "Number of Dropped Packets", "pcapng.options.option.data.interface.dropped",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_accepted_by_filter,
{ "Number of Accepted by Filter Packets", "pcapng.options.option.data.interface.accepted_by_filter",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_dropped_by_os,
{ "Number of Dropped Packets by OS", "pcapng.options.option.data.interface.dropped_by_os",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_data_interface_delivered_to_user,
{ "Number of Delivered to the User Packets", "pcapng.options.option.data.interface.delivered_to_user",
FT_UINT64, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_interface_description_link_type,
{ "Link Type", "pcapng.interface_description.link_type",
FT_UINT16, BASE_DEC_HEX, VALS(link_type_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_interface_description_reserved,
{ "Reserved", "pcapng.interface_description.reserved",
FT_UINT16, BASE_HEX, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_interface_description_snap_length,
{ "Snap Length", "pcapng.interface_description.snap_length",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_packet_block_interface_id,
{ "Interface", "pcapng.packet.interface_id",
pcapng: show some fields in decimal, not hexadecimal. The interface ID is just an ordinal; there's no reason to show it as hex (we don't show it as hex if we're treating a pcapng file as a capture rather than a file to be dissected). The packet drops count is just a count, so, again, there's no reason to show it as hex. The hash algorithms numbers are given in decimal in the pcapng spec, so display it as decimal. Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af Reviewed-on: https://code.wireshark.org/review/37072 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:56:44 +00:00
FT_UINT16, BASE_DEC, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_packet_block_drops_count,
{ "Drops Count", "pcapng.packet.drops_count",
pcapng: show some fields in decimal, not hexadecimal. The interface ID is just an ordinal; there's no reason to show it as hex (we don't show it as hex if we're treating a pcapng file as a capture rather than a file to be dissected). The packet drops count is just a count, so, again, there's no reason to show it as hex. The hash algorithms numbers are given in decimal in the pcapng spec, so display it as decimal. Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af Reviewed-on: https://code.wireshark.org/review/37072 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:56:44 +00:00
FT_UINT16, BASE_DEC, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_captured_length,
{ "Captured Length", "pcapng.packet.captured_length",
FT_UINT16, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_packet_length,
{ "Packet Length", "pcapng.packet.packet_length",
FT_UINT16, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_packet_data,
{ "Packet Data", "pcapng.packet.packet_data",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_packet_padding,
{ "Packet Padding", "pcapng.packet.padding",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_interface_id,
{ "Interface", "pcapng.interface_id",
pcapng: show some fields in decimal, not hexadecimal. The interface ID is just an ordinal; there's no reason to show it as hex (we don't show it as hex if we're treating a pcapng file as a capture rather than a file to be dissected). The packet drops count is just a count, so, again, there's no reason to show it as hex. The hash algorithms numbers are given in decimal in the pcapng spec, so display it as decimal. Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af Reviewed-on: https://code.wireshark.org/review/37072 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:56:44 +00:00
FT_UINT16, BASE_DEC, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
Clean up handling of time stamps. Use common code for all time stamps, so it's handled the same for the Packet Block, Enhanced Packet Block, and Interface Statistics Block. Show the high and low parts of the time stamp as fields; file dissectors should show the raw file details. Mark the calculated time stamp as generated, as it's not the raw file data. Get the 64-bit time stamp by shifting the high part left 32 bits and ORing in the low part; no need to play games with unions and byte order Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f Reviewed-on: https://code.wireshark.org/review/10116 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:14:07 +00:00
{ &hf_pcapng_timestamp_high,
{ "Timestamp (High)", "pcapng.timestamp_high",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_timestamp_low,
{ "Timestamp (Low)", "pcapng.timestamp_low",
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ &hf_pcapng_timestamp,
{ "Timestamp", "pcapng.timestamp",
FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_records,
{ "Records", "pcapng.records",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record,
{ "Record", "pcapng.records.record",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_code,
{ "Code", "pcapng.records.record.code",
FT_UINT16, BASE_DEC, VALS(record_code_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_length,
{ "Length", "pcapng.records.record.length",
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
FT_UINT16, BASE_DEC, NULL, 0x00,
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
NULL, HFILL }
},
{ &hf_pcapng_record_data,
{ "Record Data", "pcapng.records.record.data",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_padding,
{ "Record Padding", "pcapng.records.record.padding",
FT_NONE, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_ipv4,
{ "IPv4", "pcapng.records.record.data.ipv4",
FT_IPv4, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_ipv6,
{ "IPv6", "pcapng.records.record.data.ipv6",
FT_IPv6, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_record_name,
{ "Name", "pcapng.records.record.data.name",
FT_STRINGZ, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
{ &hf_pcapng_dsb_secrets_type,
{ "Secrets Type", "pcapng.dsb.secrets_type",
FT_UINT32, BASE_HEX, VALS(dsb_secrets_types_vals), 0x00,
NULL, HFILL }
},
{ &hf_pcapng_dsb_secrets_length,
file-pcapng: Fix name for Secrets Length Change-Id: Ie5ab30f0c667a9068d6aa1c18c519524b7ade140 Reviewed-on: https://code.wireshark.org/review/30737 Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2018-11-20 09:25:39 +00:00
{ "Secrets Length", "pcapng.dsb.secrets_length",
wiretap: add read/write support for Decryption Secrets Block (DSB) Support reading and writing pcapng files with DSBs. A DSB may occur multiple times but should appear before packets that need those decryption secrets (so it cannot be moved to the end like NRB). The TLS dissector will be updated in the future to make use of these secrets. pcapng spec update: https://github.com/pcapng/pcapng/pull/54 As DSBs may be interleaved with packets, do not even try to read it in pcapng_open (as is done for IDBs). Instead process them during the sequential read, appending them to the 'wtap::dsbs' array. Writing is more complicated, secrets may initially not be available when 'wtap_dumper' is created. As they may become available in 'wtap::dsbs' as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference this array. This saves every user from checking/dumping DSBs. If the wtap user needs to insert extra DSBs (while preserving existing DSBs), they can set the 'wtap_dumper::dsbs_initial' field. The test file was creating using a patched editcap (future patch) and combined using mergecap (which required a change to preserve the DSBs). Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9 Ping-Bug: 15252 Reviewed-on: https://code.wireshark.org/review/30692 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-17 12:56:12 +00:00
FT_UINT32, BASE_DEC, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_dsb_secrets_data,
{ "Secrets Data", "pcapng.dsb.secrets_data",
FT_BYTES, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files This patch augments the MIME based file-pcapng dissector to allow one to more easily examine pcapng blocks that contain Darwin Process Information. With this patch one can dissect and inspect, albeit as a MIME object, the Darwin process information elements contained within an Apple augmented pcapng file: $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less Apple's macOS provides an enhanced tcpdump with a pktap interface option that supports the collection, display and storing of Darwin process and/or service class information related to each captured packet. Using Apple's pktap interface during a live capture the process information may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump -k option augments tcpdump's standard report with an additional parenthesized () set of information inserted after the packet timestamp. If the capture file actually contains Darwin process information, Apple's tcpdump -k could include the interface name (or interface id), process id, process name, process_uuid, service, and/or direction for each packet depending on the value of the -k's [metadata] argument provided (if any). If the Apple tcpdump trace is captured to disk, the Darwin based process and service information is saved in pcapng format augmented with several new Enhanced Packet Block options (32779, 32780, 32781) along with a new block type (0x80000001) called here a Darwin Process Event Block (DPEB). The Darwin Process Event Block is used in a manner similar to a pcapng IDB in that it contains process event information that is referenced by later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID (32871). EPBs may also include the Darwin Service Class option (32770) which includes a numeric value that maps to a mnemonic service class. A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump along and the help of its -k option to display the original Darwin Process Information. Packets collected using Apple's remote virtual interface (rvictl)[1] from iOS devices can also contain Darwin Process Information. Note: This is a first step to help determine what will be necessary to eventually display any available Darwin Process Information within the Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in Wireshark and not as a MIME object. [1] https://developer.apple.com/library/content/qa/qa1176/_index.html Ping-Bug: 13096 Ping-Bug: 12587 Change-Id: I180e661dab0b0096a711603b53270105390d05e2 Reviewed-on: https://code.wireshark.org/review/20157 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-17 02:27:05 +00:00
{ &hf_pcapng_darwin_process_id,
{ "Darwin Process ID", "pcapng.darwin.process_id",
FT_UINT32, BASE_DEC_HEX, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_darwin_process_name,
{ "Darwin Process Name", "pcapng.darwin.process_name",
FT_STRING, STR_ASCII, NULL, 0x00,
NULL, HFILL }
},
{ &hf_pcapng_option_darwin_process_uuid,
{ "Darwin Process UUID", "pcapng.darwin.process_uuid",
FT_GUID, BASE_NONE, NULL, 0x00,
NULL, HFILL }
},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
};
static ei_register_info ei[] = {
pcapng (dissector): don't assume the endianness doesn't change. Keep the endianness (as an ENC_ value) in the info structure we use while dissecting. When dissecting an SPB, peek ahead at the byte-order magic before dissecting the block length, to determine the byte order of all fields in that block *and* all other blocks in that section. Report an error and stop dissecting if the byte-order magic isn't valid. Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d Reviewed-on: https://code.wireshark.org/review/37138 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:03:26 +00:00
{ &ei_invalid_byte_order_magic, { "pcapng.invalid_byte_order_magic", PI_PROTOCOL, PI_ERROR, "The byte-order magic number is not valid", EXPFILL }},
Add additional checks, clean up some stuff. Add checks for bad block lengths - either too short or not a multiple of 4. (Yes, the pcapng spec requires it to be a multiple of 4. And there is at least one implementation that requires it.) For various structures with a length field, create the top-level tree field for the item with a "run to the end of the packet" length and, once we're finished dissecting it, set the length to its actual value. Fetch various field values using proto_tree_item_add_uint. Fix some incorrect field types based on errors reported by that. If an end-of-options option has a non-zero length, 1) don't treat it as not an end-of-options option and 2) report an error on its length. Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266 Reviewed-on: https://code.wireshark.org/review/36746 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:19:33 +00:00
{ &ei_block_length_too_short, { "pcapng.block_length_too_short", PI_PROTOCOL, PI_ERROR, "Block length is < 12 bytes", EXPFILL }},
{ &ei_block_length_not_multiple_of_4, { "pcapng.block_length_too_short", PI_PROTOCOL, PI_ERROR, "Block length is not a multiple of 4", EXPFILL }},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
{ &ei_invalid_option_length, { "pcapng.invalid_option_length", PI_PROTOCOL, PI_ERROR, "Invalid Option Length", EXPFILL }},
{ &ei_invalid_record_length, { "pcapng.invalid_record_length", PI_PROTOCOL, PI_ERROR, "Invalid Record Length", EXPFILL }},
pcapng: expert info when packet or ISB appear without interfaces A valid pcapng file must have an IDB before any EPB/SPB/PB/ISB. So check our interface count when we parse the first such block of a section, and add expert info if there are no interfaces. Discovered during work on Bug #16526. Ping-Bug: 16526 Change-Id: I23ff452fd163a0e4472e0658a905f85ab85d5e9d Reviewed-on: https://code.wireshark.org/review/36986 Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl> Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-30 12:32:44 +00:00
{ &ei_missing_idb, { "pcapng.no_interfaces", PI_PROTOCOL, PI_ERROR, "No Interface Description before block that requires it", EXPFILL }},
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
};
static gint *ett[] = {
&ett_pcapng,
&ett_pcapng_section_header_block,
&ett_pcapng_block_data,
&ett_pcapng_options,
&ett_pcapng_option,
&ett_pcapng_records,
&ett_pcapng_record,
&ett_pcapng_packet_data
};
proto_pcapng = proto_register_protocol("PCAPNG File Format", "File-PCAPNG", "file-pcapng");
proto_register_field_array(proto_pcapng, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
new_register_dissector -> register_dissector for dissector directory. Change-Id: Ie39ef054a4a942687bd079f3a4d8c2cc55d5f22c Reviewed-on: https://code.wireshark.org/review/12485 Petri-Dish: Michael Mann <mmann78@netscape.net> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-09 04:04:01 +00:00
register_dissector("file-pcapng", dissect_pcapng, proto_pcapng);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
module = prefs_register_protocol(proto_pcapng, NULL);
prefs_register_static_text_preference(module, "version",
"PCAPNG version: 1.0",
"Version of file-format supported by this dissector.");
prefs_register_bool_preference(module, "dissect_next_layer",
"Dissect next layer",
"Dissect next layer",
&pref_dissect_next_layer);
expert_module = expert_register_protocol(proto_pcapng);
expert_register_field_array(expert_module, ei, array_length(ei));
}
void
proto_reg_handoff_pcapng(void)
{
heur_dissector_add("wtap_file", dissect_pcapng_heur, "PCAPNG File", "pcapng_wtap", proto_pcapng, HEURISTIC_ENABLE);
Manually add protocol dependencies derived from find_dissector. Started by grepping call_dissector_with_data, call_dissector_only and call_dissector and traced the handles passed into them to a find_dissector within the dissector. Then replaced find_dissector with find_dissector_add_dependency and added the protocol id from the dissector. "data" dissector was not considered to be a dependency. Change-Id: I15d0d77301306587ef8e7af5876e74231816890d Reviewed-on: https://code.wireshark.org/review/14509 Petri-Dish: Michael Mann <mmann78@netscape.net> Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-16 13:02:52 +00:00
pcap_pktdata_handle = find_dissector_add_dependency("pcap_pktdata", proto_pcapng);
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
}
/*
HTTPS (almost) everywhere. Change all wireshark.org URLs to use https. Fix some broken links while we're at it. Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c Reviewed-on: https://code.wireshark.org/review/34089 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-07-26 18:43:17 +00:00
* Editor modelines - https://www.wireshark.org/tools/modelines.html
File-format: Add PCAP and PCAPNG dissectors They have educational values and can be used to debugging some issues. Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG) in two modes: Capture (Traditional) and File-Format. Change-Id: I833b2464d11864f170923dc989a1925d3d217943 Reviewed-on: https://code.wireshark.org/review/10089 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-06-26 13:40:22 +00:00
*
* Local variables:
* c-basic-offset: 4
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* vi: set shiftwidth=4 tabstop=8 expandtab:
* :indentSize=4:tabSize=8:noTabs=true:
*/