tshark: improve robustness for PCAPNGs not starting with IDBs
The PCAPNG code assumes that pcapng files start with IDBs (Interface Description Blocks), which might not be true. This patch adds a workaround so that TShark can process such files.
parent
800524131f
commit
ef43fd48b4
18
tshark.c
18
tshark.c
|
@ -3625,11 +3625,24 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type,
|
|||
wtap_dump_params params = WTAP_DUMP_PARAMS_INIT;
|
||||
char *shb_user_appl;
|
||||
pass_status_t first_pass_status, second_pass_status;
|
||||
gboolean pcapng_pcapng_workaround = false;
|
||||
wtapng_iface_descriptions_t if_tmp;
|
||||
|
||||
if (save_file != NULL) {
|
||||
/* Set up to write to the capture file. */
|
||||
wtap_dump_params_init_no_idbs(¶ms, cf->provider.wth);
|
||||
|
||||
/* workaround for pcapng -> pcapng (e.g., when pcapng starts with a custom block) */
|
||||
if (out_file_type == wtap_pcapng_file_type_subtype() && params.encap == WTAP_ENCAP_UNKNOWN) {
|
||||
pcapng_pcapng_workaround = true;
|
||||
params.encap = WTAP_ENCAP_PER_PACKET;
|
||||
params.dont_copy_idbs = true; /* make sure this stay true */
|
||||
if (params.idb_inf->interface_data != NULL) {
|
||||
/* lets fake an interface, which is not copied anyway */
|
||||
g_array_insert_val(params.idb_inf->interface_data, 0, if_tmp);
|
||||
}
|
||||
}
|
||||
|
||||
/* If we don't have an application name add TShark */
|
||||
if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
|
||||
/* this is free'd by wtap_block_unref() later */
|
||||
|
@ -3653,6 +3666,11 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type,
|
|||
&err, &err_info);
|
||||
}
|
||||
|
||||
if (pcapng_pcapng_workaround) {
|
||||
/* remove the fake interface before it will be used */
|
||||
g_array_remove_index((params.idb_inf->interface_data), 0);
|
||||
}
|
||||
|
||||
g_free(params.idb_inf);
|
||||
params.idb_inf = NULL;
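Review bot: `if_tmp` is declared as `wtapng_iface_descriptions_t` and never initialized, yet `g_array_insert_val(params.idb_inf->interface_data, 0, if_tmp)` copies it into an array that, as far as I know, holds `wtap_block_t` handles in wiretap, so element 0 carries indeterminate stack bytes on a path selected by the content of the input file. Anything that reads or unrefs that element before the later `g_array_remove_index` (including any error exit between the two hunks, which is not visible here) would act on a garbage pointer. The removal is guarded only by `pcapng_pcapng_workaround`, while the insert additionally requires `interface_data != NULL`, so the two conditions can disagree and the removal can be called on a NULL array. I would insert a defined value and set the flag only where the insert actually happens, inside the `!= NULL` branch: `wtap_block_t fake_idb = NULL;`, `g_array_insert_val(params.idb_inf->interface_data, 0, fake_idb);`, `pcapng_pcapng_workaround = true;`. process_cap_file starts and ends outside both hunks, so the cleanup paths should be checked against the full function.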
|
||||
|
||||
|
|
|
@ -3530,6 +3530,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
|||
ws_debug("Check for more IDBs, block_type 0x%08x",
|
||||
bh.block_type);
|
||||
|
||||
/* XXX - This code expects that the PCAPNG Sections start with IDBs but the PCAPNG RFC does not say that!? */
|
||||
if (bh.block_type != BLOCK_TYPE_IDB) {
|
||||
break; /* No more IDBs */
|
||||
}
|
||||
|
|