Commit Graph

2364 Commits (master)

Author SHA1 Message Date
João Valverde a2bc5bd012 doc: Update header preamble for dissector skeleton 2023-02-22 07:09:36 +00:00
Jaap Keuter 455b9a470f sshdump: add capability to use doas on remote host 2023-02-19 13:41:24 +00:00
Jaap Keuter 864e8f1f5f Man: Update extcap argument type documentation 2023-02-08 20:12:27 +00:00
João Valverde 02238edf92 Do not require using wsgcrypt.h
The reason to use wsgcrypt.h was to wrap it around DIAG_OFF()
macros and that should no longer be necessary.
2023-02-06 15:52:10 +00:00
David Perry 9b797e97a2 allow creating plugin
Tweak the script used for creating a new skeleton dissector, to allow it
to create the dissector in `plugins/epan/PROTOSHORTNAME` instead of in
`epan/dissectors`. Handles modifying the appropriate CMake file in the
appropriate way, and generates the plugin's `CMakeLists.txt` if needed.
2023-02-06 14:32:55 +00:00
Guy Harris b4ef671fba Clean up some man pages.
Consistently speak of "UNIX-compatible systems" when comparing UN*Xes
and Windows, and, the first time we mention "UNIX-compatible systems" in
a section or a list item, enumerate the not-dead-or-moribund ones.
(HP-UX is deemed moribund given that Itanium processors are no longer
being manufactured and HPE are apparently not porting HP-UX to x86-64,
choosing instead to run HP-UX Itanium applications in a compatibility
environment under Linux on x86-64.)

For the -D option, don't bother mentioning ifconfig -a or ip link show,
as there's no reason not to use -D if you want to know what you can
caputre on - for one thing, -D may list devices *other* than the network
interfaces listed by ifconfig -a or ip link show.  In addition, don't
speak of code testing whether the interface can be opened, as recent
versions of libpcap don't check that, and neither do any of the programs
in the Wireshark release.  (This was done so that, if there's an
itnerface that shows up in the enumeration but that can't be opened,
it'll be offered to the user, and they'll get a message if they try to
capture on it, indicating either that they need to somehow get the
necessary permissions or should report a bug.)

For the -i option, don't mention ifconfig -a or ip link show, as the
user should, again, use -D.

Give more detail when describing files and directories under the global
or personal preferences directory, calling out macOS specially for the
global preferences directory, as it's in the app bundle, and taking into
account that Wireshark might be installed under /usr rather than
/usr/local (for example, if it's installed from a package that's part of
a Linux distribution).

Replace the "Overrides XXX' description of some environment variables
with a more verbose description similar to what's used for other
environment variables.
2023-01-26 22:55:49 -08:00
João Valverde c66fc43e5b GUI: Ship authors as a Qt resource file 2023-01-20 13:35:03 +00:00
João Valverde 74909f1499 Install PDML files to DOCDIR
Add README because this stuff is somewhat obscure and move XSLT
file to DOCDIR because it is not used by wireshark directly.
2023-01-19 17:08:36 +00:00
João Valverde 06519be205 Install documentation (HTML manuals) to DOCDIR
Install documentation to DOCDIR instead of DATADIR.
The code must be fixed to open the Help URLs from
this new path.

This only affects Unix-like FHS platforms. Windows
installation does its own thing.

Needs testing with macOS packaging.
2023-01-19 01:40:59 +00:00
João Valverde 9e6faf4169 Remove dftest man page
DFTest is a private test utility and isn't installed anywhere.

I don't think it makes sense to maintain a man page. Certainly
doesn't make sense to ship it.

The doc file is understandably minimal so just nuke it.
2023-01-19 00:17:56 +00:00
Gerald Combs 5a9812ab61 AppRun: Set various paths
Set our ld library path and our data, extcap, and plugin directories.
might want to set our various directories relative to the program path.
2023-01-18 20:37:08 +00:00
John Thacker ffdf332f24 docs: Explain the FT_FRAMENUM use of the strings field
Add a section about FRAMENUM_TYPE to the 'strings' field
section of README.dissector
2023-01-17 09:27:29 +00:00
Michal Ruprich 2a285b75a1 capinfos: Removing RIPEMD160 hashes
When reading a packet capture with capinfos on a system with
FIPS 140-2 enabled, libgcrypt will abort for any non approved
algorithm. In this case the RIPEMD 160.
2023-01-12 18:07:41 +00:00
João Valverde 25d4a099f7 Remove WS_DISABLE_ASSERT
Assertions can be enabled/disabled using WS_DISABLE_DEBUG. The extra
granularity afforded by WS_DISABLE_ASSERT seems unnecessary.
2023-01-12 00:59:15 +00:00
Jonas Falkevik 3e2c04fe78 editcap: flag to set unused bytes in SLL headers
Unused bytes in SLL Link Layer address can be random bytes.
Which makes the duplicate check think the packets are different.
Even if the unused bytes was the only difference.

This flag enables editcap to set the unused bytes to zeros to enable
the duplicate check to detect duplicates.
2023-01-04 09:40:03 +00:00
Gerald Combs cf4d88d320 [Automatic update for 2023-01-01]
Update manuf, services enterprise numbers, translations, and other items.
2023-01-02 12:15:00 +00:00
Bernhard Dick 75fb2e770c DECT-NWK: Add basic support for DECT charsets 2022-12-21 21:30:20 +00:00
Martin Mathieson b2572f3a35 Fix some spelling errors 2022-12-17 11:41:29 +00:00
Gerald Combs 48bb59d096 Docs: Remove some leftover Perl POD markup. 2022-12-08 17:01:22 +00:00
Dario Lombardo c2b59567d3 tshark: update man to explain why some fields are skipped in elastic-mapping. 2022-11-08 06:24:50 +00:00
Gerald Combs 5084857eed WSUG: Document the layer operator.
Copy over the "layer operator" section from the wireshark-filter man

Fix the "at operator" level in the wireshark-filter man page.
2022-11-03 14:23:12 +00:00
Martin Mathieson 3ac86775dc Fix some spelling errors 2022-11-02 20:54:24 +00:00
João Valverde 0853ddd1cb dfilter: Add support for raw (bytes) addressing mode
This adds new syntax to read a field from the tree as bytes, instead
of the actual type. This is a useful extension for example to match
matformed strings that contain unicode replacement characters. In
this case it is not possible to match the raw value of the malformed
string field. This extension fills this need and is generic enough
that it should be useful in many other situations.

The syntax used is to prefix the field name with "@". The following
artificial example tests if the HTTP user agent contains a particular
invalid UTF-8 sequence:

    @http.user_agent == "Mozill\xAA"

Where simply using "http.user_agent" won't work because the invalid byte
sequence will have been replaced with U+FFFD.

Considering the following programs:

    $ dftest '_ws.ftypes.string == "ABC"'
    Filter: _ws.ftypes.string == "ABC"

    Syntax tree:
     0 TEST_ANY_EQ:
       1 FIELD(_ws.ftypes.string <FT_STRING>)
       1 FVALUE("ABC" <FT_STRING>)

    00000 READ_TREE		_ws.ftypes.string <FT_STRING> -> reg#0
    00001 IF_FALSE_GOTO	3
    00002 ANY_EQ		reg#0 == "ABC" <FT_STRING>
    00003 RETURN

    $ dftest '@_ws.ftypes.string == "ABC"'
    Filter: @_ws.ftypes.string == "ABC"

    Syntax tree:
     0 TEST_ANY_EQ:
       1 FIELD(_ws.ftypes.string <RAW>)
       1 FVALUE(41:42:43 <FT_BYTES>)

    00000 READ_TREE		@_ws.ftypes.string <FT_BYTES> -> reg#0
    00001 IF_FALSE_GOTO	3
    00002 ANY_EQ		reg#0 == 41:42:43 <FT_BYTES>
    00003 RETURN

In the second case the field has a "raw" type, that equates directly to
FT_BYTES, and the field value is read from the protocol raw data.
2022-10-31 21:02:39 +00:00
Uli Heilmeier f90486246f README.plugins: Fix version variables
Fixes: #18507
2022-10-18 19:22:31 +00:00
João Valverde 597f020793 epan: Mark tvb_get_const_stringz() as deprecated
The function tvb_get_const_stringz() does not check for a string
encoding and returns a pointer to a byte array. For this reason
it should not be used. Prefer other functions that return a
valid UTF-8 string from a source encoding or use tvb_get_ptr()
to fetch a byte pointer.
2022-10-10 20:27:33 +00:00
Gerald Combs a1ec850894 falcodump: Prefill the Cloudtrail profile and region fields.
Make the cloudtrail-aws-profile and cloudtrail-aws-region settings
prefilled selection lists. Make them editable as well.
2022-10-07 17:01:17 +00:00
Gerald Combs 2b4fcae31f Qt+extcap: Add editable extcap selectors.
Add an "editselector" argument type, which lets the user override a
predefined selection list with a custom value.
2022-10-07 17:01:17 +00:00
João Valverde 91f7762fad wslua: Use wiretap introspection 2022-10-07 10:28:47 +01:00
Gerald Combs 28a26096fb falcodump: Add support for selection options.
If a plugin has an "enum" + array in its configuration, convert it to a
selector option.

Start adding plugin sections to the falcodump man page.
2022-09-29 16:44:21 +00:00
João Valverde b7d15d0767 wslog: Add option to make a list of domains fatal
Add a command line option --log-fatal-domains= and environment variable
WIRESHARK_LOG_FATAL_DOMAINS that aborts the programs if a domain in
the list is logged to.

Negative matches for fatal log domains not implemented for now,
pending a relevant use-case.
2022-09-28 17:14:44 +01:00
John Thacker d4327d42b0 GTPv2: Add Service Response Time statistics, similar to GTPv1
Add a Service Response Time table for GTPv2, similar to that
for GTPv1. Update the tshark docs to mention it.
2022-09-27 22:06:45 +00:00
João Valverde e28ef20c8b README.Developer: Add notes about string encoding and best-practices 2022-09-27 17:04:44 +00:00
Guy Harris e5951765d8 Dissector names are not protocol names.
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question.  For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.

Dissectors can handle this in various ways:

For example, the dissector could attempt to determine the protocol over
which the packet was transported.

Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.

Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.

Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.

An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code.  Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols.  This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.

Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.


emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and

We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.

We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags.  (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)

We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.

We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appeaers that a descriptive name,
rather than a short API name, should be used.  (We continue to use the
dissector name in debugging messages, to indicate which dissector was
2022-09-10 22:37:11 -07:00
Gerald Combs b984e6e29d CMake: Split more Wireshark/Logray variables.
Split our macOS application bundle variables into Wireshark- and
Logray-specific ones. Make sure Logray's PkgInfo and CFBundleSignature
2022-09-01 09:05:58 -07:00
Gerald Combs 5243ffa4c2 extcap: Add falcodump.
Add an extcap that fetches a scap from a Falco/libsinsp plugin. Tested
using the cloudtrail plugin.
2022-08-29 15:35:19 -07:00
Roland Knall 645b9ab7f4 Qt6: Adapt various docs 2022-08-23 10:37:14 +00:00
Martin Mathieson b809e73f7c Fix some spelling errors 2022-08-19 17:46:34 +01:00
John Thacker e33bc8d5bf docs: Update the sample dissector
Update the sample dissector for some best practices,
and avoid some deprecated behavior.

Use register_protocol instead of creating an anonymous
dissector handle, so that Lua, Export PDU, custom
User DLT disection, etc. can find it. (See #5612)

Use auto preferences and prefer port ranges when possible
(See #14319)
2022-08-15 04:53:58 +00:00
Jaap Keuter 34ab3f308a sshdump: add option to select dumpcap as remote capture command 2022-08-10 17:26:49 +00:00
Gerald Combs 95069d8f78 Docs: Clean up some Python references.
Make sure we captitalize Python and use its HTTPS URL.
2022-08-08 16:34:45 +00:00
João Valverde 80f16015e2 epan: Refactor floating point display types
Remove the redundant BASE_FLOAT field display type. The name
BASE_FLOAT is meaningless and the value aliased to BASE_NONE.

Require BASE_NONE instead of BASE_FLOAT (corresponding to
the printf() %g format).

Add new float display types using BASE_DEC, BASE_HEX and BASE_EXP
corresponfing to %f, %a and %e respectively.

Add support for BASE_CUSTOM with floats.
2022-08-02 13:16:46 +00:00
Gerald Combs e2b0140edb Docs: extcap man page fixups. 2022-07-31 08:43:37 +00:00
Gerald Combs 6857e1ed04 Docs: Fix our man page dependencies.
Dependencies need to be set via add_custom_command.
2022-07-29 18:52:07 +00:00
Stig Bjørlykke f7a5efe87b doc: Update README.display_filter
Update fvalue_t definition in README.display_filter.
2022-07-26 12:08:57 +02:00
Gerald Combs a1c83a901b docbook: Port make-wsluarm to Python3
Port the script that creates docbook/wsluarm_src/*.adoc to Python3.
Ping #18152.
2022-07-23 20:51:24 +00:00
Jirka Novak 1e53e49a54 ciscodump: Added support for IOS XE and ASA
- The tool now recognizes which software is running on a device - IOS, IOS XE
  or ASA. Based on it, it uses correct sequence of commands to setup
  capture, read captured packets and clear the capture.
- The tool reads packets on the fly so you don't have to wait till
  --remote-count of packets is reached.
- The tool reads timestamps from capture on the device for IOS and ASA (on
  IOS-XE, there is no timestamp in dump).
- Except Windows platform the tool handles early stop of capture on the device
  and clear of capture buffer on the device (it finish the capture).
- There are special interface names to allow the tool to generate
  specific capture types.
- Documentation updated.

Closes #17672.
2022-07-22 15:55:28 +00:00
Roland Knall 64549654db ExtcapExample: Harden and alternate mac address
Harden the code a little and alternate the mac address to allow
the code to be used for testing conversation and endpoint dialog.

Also transmit integer values not as ascii representations and include
a data packet that allows for reassembly to be tested
2022-07-13 18:40:57 +00:00
Martin Mathieson eab62aa768 Fix some spellings. 2022-07-06 09:02:37 +01:00
Gerald Combs eaae2d0ee7 Minor Python3 script fixups.
Make some scripts executable and use the shebang line recommended at
2022-06-27 16:46:55 +00:00
Gerald Combs 4153af1dc7 wslua: Port make-init-lua to Python3
Port the script that creates init.lua to Python3. The generated init.lua
removes one newline and adds another, otherwise the output is identical
to the Perl version.
Ping #18152.
2022-06-27 16:28:36 +00:00