Commit Graph

2364 Commits (master)

Author SHA1 Message Date
Guy Harris 778fc283a7 dumpcap: add some more documentation of "-i TCP@<host>:<port>".
Add a mention of the meaning of the "TCP@<host>:<port>" syntax in the
text about the -i option.
2022-01-31 16:45:31 -08:00
Gerald Combs c49f63b5f5 Docs: Update markup in the text2pcap man page.
Add an EditorConfig entry as well.
2022-01-25 09:52:17 -08:00
John Thacker d2fd2eeb31 text2pcap: encap types option (instead of link type)
Add an option to text2pcap to specify the encapsulation type
via wiretap encapsulation type short names instead of pcap
link layer types, similar to editcap.

Update the documentation to reflect this.
2022-01-16 04:27:03 +00:00
Martin Mathieson 559df3c620 Fix some spelling errors 2022-01-15 23:11:47 +00:00
Jim Young b5f89dbe2d tshark: Add new long option --hexdump <hexoption> 2022-01-13 01:18:38 +00:00
John Thacker f85f077b54 text_import: Allow fake IP headers with Raw IP encapsulation
In text2pcap and Import from Hex Dump, allow fake IP headers with
the appropriate versions when the Raw IP, Raw IPv4, and Raw IPv6
encapsulations are specified. In such cases, do not add a dummy
Ethernet header.

Continue to reject other encapsulations besides these, Ethernet,
and Wireshark Upper PDU when appropriate. Add some checks for the
encapsulation type in text_import as well, instead of just assuming
that the callers handle it correctly.
2022-01-11 08:46:44 -05:00
John Thacker b5c51f396a text2pcap: Use RFC 3849 addresses for documentation
Use the RFC 3849 IPv6 address prefix reserved for documentation
for the documentation and examples
2022-01-11 01:28:23 +00:00
John Thacker 21465962fd text2pcap: Use common capture type flag
Support all possible file formats that wiretap writes, using the
same "-F" flag that other CLI tools like editcap, mergecap, and tshark
support. Default is still pcap for now; a future commit will switch
to pcapng and remove the "-n" option, to match other CLI tools.
2022-01-03 16:42:15 +00:00
Gerald Combs 17e4032e81 [Automatic update for 2022-01-02]
Update manuf, services enterprise numbers, translations, and other items.
2022-01-02 16:39:07 +00:00
John Thacker ab347ea14e text2pcap: add regex
Add support in text2pcap for the regex mode added to "Import from
Hex Dump" in 3.6.0 The input and output indicators cannot (yet?)
be configured, and are set to the default of allowing any of "iI<"
for inbound and "oO>" for outbound. This reaches feature parity
between text2pcap and Import from Hex Dump, fixes #16724.
(There might be some more cleanups to do, including docs.)
2022-01-02 01:01:51 +00:00
João Valverde 019bb06268 Docs: Add some content about different equality operators
Add information about the different kind of comparisons with
multiple fields to the wireshark-filter man page.

Add some minimal information to the user guide. It would be
nice to have a section dedicated to this with some examples.
2021-12-31 15:33:32 +00:00 6c9cb8f3fa Prefs/Extcap: Added support for password which is never stored on the disk 2021-12-30 16:03:15 +00:00
John Thacker 021c25e22c text2pcap: Use standard log debug level
Remove the '-d' option from text2pcap, and move the two levels
of debug messages in text2pcap and text_import to either
2021-12-30 01:17:06 +00:00
Pascal Quantin dcbd456e69 doc: fix a copy/paste error and a typo 2021-12-27 13:01:42 +00:00
Gerald Combs b851a9fbc6 Docs: Remove unneeded markup in the Wireshark man page.
Remove empty list continuations and continuations around single lines of
2021-12-27 08:25:52 +00:00
Gerald Combs 87eca12c38 Docs: Document our diagnostic output options.
Add docs/diagnostic-options.adoc, which is a snippet that documents our
various --log-* options. Include it in the dumpcap, rawshark, and tshark
man pages.

Make the ws_log_print_usage output more consistent.
2021-12-27 08:04:25 +00:00
John Thacker 0dfc6414e0 text2pcap: Add Export PDU
Support Export PDU functionality from text2pcap. Related to #16724.
2021-12-26 14:07:37 -05:00
John Thacker 8cafcfa5a9 text2pcap: Support OFFSET_NONE 2021-12-25 09:19:07 -05:00
Moshe Kaplan 69d54d6f8e Corrects repeated words throughout the code.
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.
2021-12-22 11:01:11 +00:00
João Valverde 9a52634c5f Add ws_version.h to wireshark.h 2021-12-21 23:00:04 +00:00
João Valverde 4448b6494e Add a ws_posix_compat.h header
Currently used to define ssize_t on platforms that lack it.

Fix some Windows build errors caused by moving the definition into a
separate header.

Fix some narrowing warnings on Windows x64 from changing the definition
of ssize_t from long int to int64_t.

The casts in dumpcap are ugly but necessary. The whole code needs
to be rewritten for portability, or the warnings disabled.
2021-12-21 01:30:06 +00:00
Jaap Keuter 4a7053e880 Documentation: simplify protocol tree function documentation intro 2021-12-20 06:50:38 +00:00
João Valverde fe5248717f Replace g_snprintf() with snprintf()
Use macros from inttypes.h with format strings.
2021-12-19 20:06:13 +00:00
Martin Mathieson 3319d994b5 README.heuristic: minor updates 2021-12-19 08:03:04 +00:00
João Valverde 2f572659f5 Docs: Fix a README.developer code example
Remove spurious "int".

Also prefer "g_string_printf", just for stylistic reasons.
2021-12-18 21:13:20 +00:00
Martin Mathieson 4901eefaa5 README.tapping: Some minor updates 2021-12-18 14:47:57 +00:00
João Valverde a8acda8fcc Docs: Add more info about transitioning to C99 fixed-width types 2021-12-18 07:24:46 +00:00
João Valverde 06e6f7d922 Docs: First pass to update README.developer to C11
Update to reflect the transition from C99 to C11. Remove obsolete
comments and recommendations. Add a bit about transitioning to C
fixed width types.

Related to #17768.
2021-12-16 04:59:04 +00:00
John Thacker 69641adfca doc: Add lbmr_* -z stats to tshark manual
Add some more undocumented -z statistics. Ping #8353.
2021-12-12 14:21:15 +00:00
John Thacker 61b402cbe9 doc: Update tshark documents of stat options
Lost one option when updating in the previous commit, restore
2021-12-10 08:12:57 -05:00
John Thacker c0933a18da doc: Update tshark manual for undocumented -z statistics
This commit includes all statistics / taps that exist up through the
3.4.x release. Another commit will handle the ones added in the 3.6
branch. Mention that statistics are unaffected by the display filter
(but are affected by capture and read filters, and usually have their
own filters) at the top rather than repeating the same boilerplate
in half the options.

Ping #8353
2021-12-10 00:20:44 +00:00
João Valverde 19dcb725b6 epan: Remove STR_ASCII and STR_UNICODE
These display bases work to replace unprintable characters so the
name is a misnomer. In addition they are the same option and this
display behaviour is not something that is configurable.

This does not affect encodings because all our internal text strings
need to be valid UTF-8 and the source encoding is specified using

Remove the assertion for valid UTF-8 in proto.c because
tvb_get_*_string() must return a valid UTF-8 string, always, and we
don't need to assert that, it is expensive.
2021-12-03 04:35:56 +00:00
Jörg Mayer a0173cd7cf text2pcap: Support parsing of iso-8601 dates 2021-12-02 19:34:45 +00:00
John Thacker fd1c9b75ba doc: Update stats_tree README
Update README.stats_tree including the sample implementation for
changes in the API, such as the enum return value and needing to
set the node datatype as either int or float.

Also update the comments in the stats_tree header to make it clear
that abbrev and name refer to the abbreviation used in the tshark -z
option, and the name of the menu and window in the GUI for the stats
2021-11-23 22:20:16 -05:00
João Valverde b657396d44 plugins.example: Add missing header
Fixes 9bdccce574.
2021-11-23 17:16:27 +00:00
John Thacker b5917d0182 wmem: Add a multimap
A number of protocols have IDs that can be reused that are used as
lookup keys. In most cases the frame number should be used as well
to differentiate repeat appearances of an ID. For response/request
matching, it is frequently useful to find the most recent frame number
(greatest value less than or equal to the current one) that contained
an ID.

We can achieve that by using a multimap that stores values with a given
ID in a tree keyed with the frame number. This works better than using
a map or a tree alone:

1) A map isn't ordered, so doesn't allow for less than or equal comparison.
2) Using a tree requires an ordering on all the ID components, and then
   having to test all the components other than the frame number separately
   for equality after retrieval.

Currently the multimap does not support inserting items without specifying
the tree key (and having the multimap generate a key), because the total
capacity of trees (including deleted nodes) is not tracked. If other use
cases are needed, this could be added later along with more generic
multimap support.

Use a multimap in ANSI MAP, ANSI TCAP, and GSM SMS, all of which need to
match lookup IDs that can be reused. Fix #7653.
2021-11-21 07:16:55 -05:00
Gerald Combs e2703507c2 Update a bunch of GLib documentation links.
Change our URLs to The official documentation for GLib
appears to be at, but it has a different
layout than the content (and is surprisingly resistant to
exploration IMHO). We can switch to using a
simple substitution and it still seems to be updated, so do that for
2021-11-20 21:33:17 +00:00
Martin Mathieson 263189e23d Fix some spelling errors. 2021-11-18 04:43:51 +00:00
Guy Harris 6d96d8bbc2 Don't include config.h in the example plugin.
Wireshark's config.h isn't available to third-party plugins, and the
developers of the plugin might not even have their own config.h, so
don't include it in the example (if it *does* have its own config.h, the
developers will presumbly know that they should include it).
2021-11-12 12:53:21 -08:00
Guy Harris 2445180fa7 Don't use HAVE_CONFIG_H in sample code in the documentation.
We require config.h and don't define HAVE_CONFIG_H - it should *always*
be included.
2021-11-12 11:23:06 -08:00
João Valverde 237efe7b00 README.dissector: Reinforce a style recommendation. 2021-11-09 22:04:21 +00:00
João Valverde 070aeddf76 Lift restriction on upper case protocol display filter names
Unlike other header fields in filter expressions protocol names
cannot contain upper-case letters. Remove that restriction. This
should make start-up slightly faster as it remove an extra loop
for each protocol filter name.

This was added in 9ead15a6eb but
I don't see a reason to have different rules for protocols and
fields, it seems the README.developer was just being vague and

The recommendation for lower case is a style recommendation,
and it's a good one, but it should be applied uniformly. As
long as we are not enforcing this for all field filter values
there is no point in enforcing it just for protocol names and
actually it is detrimental, e.g:


It's weird and unexpected to have this difference and there is
no technical reason to require it. What we should probably do
is not include the protocol name in the FIELDFILTERNAME and
have the registration mechanism append it to the PROTOFILTERNAME.

Also disallow leading '-' everywhere in filter names, not just
protocol filter names. It's a universal requirement.
2021-11-02 08:35:24 +00:00
Guy Harris 1cf1684504 README.developer: put items about Windows together.
Move the item about MinGW-w64 up after the earlier item about Windows
portability in general.
2021-11-01 13:38:36 -07:00
João Valverde 4ff22025e8 README.developer: Add note about portability on Windows 2021-11-01 20:01:11 +00:00
João Valverde d635ff4933 dfilter: Remove redundant STTYPE_CHARCONST syntax node
A charconst uses the same semantic rules as unparsed so just
use the latter to avoid redundancies.

We keep the use of TOKEN_CHARCONST as an optimization to avoid
an unnecessary name resolution (lookup for a registered field with
the same name as the charconst).
2021-10-31 20:33:31 +00:00
John Thacker 6d52bf07a7 docs: Update wireshark-filter.adoc for recent filter changes.
Commas in sets, changes to != and ~=, changes to contains and matches,
changes to implicit conversions/comparisons to unquoted values.
Also fix #15392.
2021-10-31 08:56:48 +00:00
João Valverde e996c4f060 docs: Add some notes about project APIs 2021-10-26 20:30:18 +00:00
João Valverde c9abbde287 docs: Update wireshark-filter man page about "!="
Update man page to remove obsolete information about "!=".
2021-10-26 14:53:20 +00:00
João Valverde 59c082c046 Add new global header wireshark.h with guideline
Remove ws_diag_control.h from config.h because that was a workaround
for the lack of a public global header. Fix the resultant build errors.
2021-10-22 06:41:44 +00:00
Chuck Craft a541fcb528 docs/tshark: proper name is lopsided CamelCase (TShark)
This is a first pass that covers the WSDG, WSUG, man page, a code
comment and a README. Plenty left to do in the Debian files, a few
Lua examples and other misc files.
2021-10-21 19:54:20 +00:00
Gerald Combs 2c3b13834d CMake: Place all of the documentation in the "Documentation" folder. 2021-10-21 00:21:17 +00:00
Gerald Combs 44bd3a7d79 CMake+Docs: Update our man page targets.
Remove the generate_*_pages targets that were recently introduced,
since they're not really needed. Only add the "manpages" target
if we have Asciidoctor.
2021-10-20 19:29:08 +00:00
Martin Mathieson 54ac7b4424 Fix some spelling errors 2021-10-20 10:00:12 +01:00
Gerald Combs 01b0d9e077 Docs: Move includes to the top of our man pages.
Move our attributes.adoc includes to the very top of each man page.
Older versions of Asciidoctor complain if it's not at the top. and
additionally generate <file>.man instead of <file>.<section> if we don't
explictly supply an output file.
2021-10-19 16:26:37 -07:00
Gerald Combs b8a45f3638 CMake+Docs: Generate man pages all at once.
Asciidoctor lets us generate multiple documents at once, so do so for
our man pages. If we're using AsciidoctorJ this minimizes the number
of JVM instances we have to spin up. This reduces the build time on my
Windows VM here quite a bit, and will hopefully do so on the CI builders.

Add a .editorconfig file in cmake/modules.
2021-10-19 22:06:45 +00:00
Chuck Craft 947d3ff819 dftest: update man page and README.display_filter 2021-10-19 07:41:31 +00:00
Gerald Combs 1bcd51e34a CMake+Docs: Try to build our man pages in parallel.
Make sure man pages are included in the default build. Have the docs
and copy_data_files targets explicitly depend on the man page generator
2021-10-19 01:05:27 +00:00
Gerald Combs 46f27973ca CMake: Partially revert recent docs changes.
Revert recent "docs" target changes. It made that target build faster,
but broke other dependencies. Keep the AsciidoctorJ changes.

Revert "doc: fix the macOS build."

This reverts commit 119667d886.

Revert "CMake: Try to make our man page builds faster."

This reverts commit 74747c4d2f.
2021-10-14 19:34:18 +00:00
Guy Harris 119667d886 doc: fix the macOS build.
BUNDLE_RESOURCE_SHARE_MAN[14]_FILES shouold *not* have the generate_
prefixes; names with those prefixes are fake targets, not names of files
that we generate, so attempting to copy files with those names fails.

It should, however, have "doc/" before the names of the man pages, as
they're generated into the doc directory of the top-level build
2021-10-14 00:30:08 -07:00
Gerald Combs 74747c4d2f CMake: Try to make our man page builds faster.
Depend on our generator targets instead of the generated files, which
allows parallel builds outside of Ninja. Don't reserve JRE memory when
building HTML and man page targets. This reduces the "docs" target build
time on my Windows VM here from over two minutes to under one.
2021-10-13 23:10:35 +00:00
Chuck Craft 1e18f79373 captype: add options to Usage: and man page 2021-10-13 22:54:20 +00:00
Chuck Craft ade523d7ba docs: -z stats - bootp now dhcp; not all in man page 2021-10-12 21:17:25 +00:00
Chuck Craft 07143b1c47 docs: -z stats - bootp now dhcp; not all in man page 2021-10-12 21:17:25 +00:00
Chuck Craft 1998e7f34b capinfos: man page typos; add longopts to Usage:
The verbiage for first/last packets and start/end times seem
to not be consistent. Changing will also require a change to
Capture File Statistics in the Wireshark Gui. Future MR.
2021-10-12 20:35:15 +00:00
Martin Mathieson a5df18e51e Fix some spelling errors 2021-10-11 04:44:49 +00:00
Evan Huus 0eda51a646 to_str: scope tvb_ip6_to_str 2021-10-07 13:31:23 -04:00
Evan Huus 07f5472aa7 to_str: scope tvb_ip_to_str 2021-10-07 10:25:12 -04:00
AndersBroman 60899ed216 Update README.developer 2021-10-05 05:40:16 +00:00
João Valverde 6898210ded docs: Add section about architecture to README.developer 2021-10-05 05:40:16 +00:00
Gerald Combs cfc3212ae2 Docs: Miscellaneous man page updates.
Add the program version to more commonly-used commands. We were labeling
output with "Output" and "Example output". Use "Example output"
everywhere. Other miscellaneous updates.
2021-10-01 23:57:21 +00:00
Gerald Combs 8705dfbe74 Docs: Update some man page markup and remove
Remove since it's no longer needed. Add versions to the
Wireshark, TShark, and Dumpcap man pages. Use definition lists in the
TShark glossary descriptions. Other minor fixes.
2021-10-01 19:24:59 +00:00
Gerald Combs 84ab55cf75 Docs+Packaging: Convert our man pages to Asciidoctor.
Convert doc/*.pod to Asciidoctor. This:

* Means we use the same markup for our man pages, the guides, and
  release notes.
* Lets us add versions to our man pages.
* Gives us more formatting options, e.g. AsciiDoc supports `commands`,
  nested lists and makes it easy to include version information. The
  manpage backend doesn't seem to support tables very well,

Convert our CMake configuration to produce *roff and html man pages
using Asciidoctor. Add a "manarg" block macro which makes our synopses
wrap correctly.

Similar to the release notes, guides, and FAQ, if Asciidoctor isn't
found the man pages won't be generated or installed.

Move Asciidoctor to the list of package build dependencies in various

This commit includes the conversion script (, which will be
removed later.

Line count sanity check:

Man page         .pod .adoc
androiddump       260  280
asn2deb            93  105
capinfos          401  471
captype            54   55
ciscodump         241  269
dftest             42   42
dpauxmon          153  169
dumpcap           464  534
editcap           528  583
etwdump           136  156
extcap            157  181
idl2deb            91  103
idl2wrs           120  100
mergecap          206  207
mmdbresolve        75   75
randpkt           107  111
randpktdump       158  184
rawshark          558  610
reordercap         76   78
sdjournal         145  157
sshdump           272  302
text2pcap         274  312
tshark           2135 2360
udpdump           133  151
wireshark-filter  486  479
wireshark        2967 3420
2021-10-01 16:42:34 +00:00
Gerald Combs 9f1607ab47 Docs: Prep for POD to Asciidoctor conversion.
[skip ci]

Rename each of our .pod files to .adoc. Add, which converts
POD markup to Asciidoctor, along with customizations specific to us.
2021-10-01 16:42:34 +00:00
Gerald Combs 440bbd37a0 Docs: More POD markup cleanup. 2021-09-28 16:41:32 +00:00
João Valverde eba84d06e4 docs: Fix fatal log level description 2021-09-25 17:45:33 +01:00
Martin Mathieson b84aa6b243 Fix some spelling errors. 2021-09-23 21:22:46 +00:00
Gerald Combs da817af974 Docs: More POD markup cleanup. 2021-09-23 13:35:05 -07:00
Gerald Combs 9d10838314 Docs: Clean up wireshark.pod markup.
Clean up some list items and a quote.
2021-09-23 07:02:36 +00:00
John Thacker 07330b392e documentation: update PDML/PSML doc
Provide Internet Archive links for dead URLs.
Update to note that PSML output is supported by tshark and not
a future feature (true since 17 years ago, when it was still tethereal).
Note "fake-field-wrapper" protocol for top level fields (including data,
which is converted from a protocol to a field for PDML).
Note "" protocol replaced by field, as with data.
Note that some dissectors place subdissected protocols in subtrees
instead of at the top level, and that this is _not_ changed, violating
the PDML spec.
Fix #10588.
2021-09-22 21:19:55 -04:00
Gerald Combs 2cb684c92d [Automatic update for 2021-09-19]
Update manuf, services enterprise numbers, translations, and other items.
2021-09-19 16:52:44 +00:00
Gerald Combs 05b91f5aaf Docs: Fix some POD markup.
Fix and normalize some of our POD markup.
2021-09-18 05:49:03 +00:00
Juha Takala 8bc52f542b Add tshark ringbuffer option '-b nametimenum:value'
This is used to select ringbuffer savefile name template.  Choose one of two
savefile name templates:

If value is 1, make running file number part before start time part; this is
the original and default behaviour (e.g. log_00001_20210828164426.pcap).

If value is greater than 1, make start time part before running number part
(e.g. log_20210828164426_00001.pcap).

The latter makes alphabetical sortig order equal to creation time order, and
keeps related multiple file sets in same directory close to each other (e.g.
while browsing in wireshark "Open file" dialog).

Signed-off-by: Juha Takala <>
2021-09-14 04:52:09 +00:00
David Perry 5076aee044 [#17517] capinfos: machine-readable filetype/encap 2021-09-10 04:25:13 +00:00
Martin Mathieson fb02f423b1 Some spelling fixes 2021-09-03 22:45:06 +00:00
Erik Rigtorp 5844c469f0 Add support for ZSTD and LZ4 decompression
- Describe zstd and lz4 support in man pages
- Update AUTHORS
- Update mime types to recognize zstd and lz4
2021-09-01 20:59:07 +02:00
Triton Circonflexe d4de52690f Thrift: Complete handling of Binary & Compact protocols
- Make sure reassembly requests & errors are properly propagated from
  any point in the PDU, no matter how many sub-structure levels.
- Handle the sub-dissection methods as well:
  - Ensure the sub-dissection methods handle errors from previous calls.
  - Reduce the error handling needed in sub-dissector implementations.
  - Add missing sub-dissection methods for list, set, and map.
  - Add the handling of sub-structure.
- Handle Compact protocol in addition to the existing binary protocol.
  - Include and improve MR !3171
  - Handle reassembly the same way as for binary protocol.
  - Handle sub-dissection with the same functions.
    => Sub-dissectors only depend on .thrift files.

Additional changes:
- Use of constants instead of hard-coded values.
- Removed U64 support (never supported by thrift code generator, only
  referenced in the C++ thrift library header but not supported in reality.
- Removed references to UTF-8 and UTF-16 string for the same reason.
- Replaced references to UTF-7 string with just string (same reason).
- Replaced references to byte with i8 as the documentation explicitly
  states that byte is a compatibility name.

Documentation reference:

Closes #16244

Additional changes:
- Add authors and improve consistency
- Fix typo and clarify documentation
2021-08-27 06:04:17 +00:00
John Thacker 3c5168c874 editcap doc: Fix description of split output file names
The editcap documentation still refers to the pre 1.2.1 behavior
of determining output file names when splitting based on either
packet counts or time intervals. (See commit a8eb860103) Update
it to reflect the current behavior.
2021-08-10 08:05:39 +00:00
John Thacker 611013f98b captype docs: Fix name references
Fix a number of instances where the captype man page refers to
capinfos instead of captype. (Copy and paste-o.) Also add captype
to the SEE ALSO section of the capinfos man page.
2021-08-06 06:37:46 +00:00
Martin Mathieson 73a4ada071 A few documentation spelling fixes. 2021-08-02 17:40:55 +01:00
João Valverde 133b0c583f Move epan/wmem/wmem_scopes.h to epan/
This header was installed incorrectly to epan/wmem_scopes.h.

Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.

Now the header is installed *correctly* to epan/wmem_scopes.h.
2021-07-26 14:56:11 +00:00
Evan Huus d6d7dd1e56 First pass pinfo->pool conversion
Automated find/replace of wmem_packet_scope() with pinfo->pool in all
files where it didn't cause a build failure.

I also tweaked a few of the docs which got caught up.
2021-07-21 05:38:29 +00:00
Guy Harris 0a9ef601d2 Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.

This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.

Support writing multiple comments in dumpcap when capturing.

These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with

Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).

Update the man pages:

- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-15 05:43:36 +00:00
David Perry 67b54e8b66 tshark: allow --capture-comment when reading a file
Allows adding one or more capture comments to a new pcapng file when
tshark is reading from a file. Currently, tshark only allows setting one
capture comment, and that only when doing a live capture.

The use case for this feature is given in bug #15005.
I decided to allow multiple capture comments to match the same ability
in `editcap`.

To allow this change, I changed the function signature of
`process_cap_file()` so it takes a `capture_options` struct instead of
individual parameters that affect the capture.
2021-07-14 04:34:52 +00:00
João Valverde ffcfc83ecb Rename version.h to be more descriptive
Version.h is too generic. This is specific to VCSVERSION and that
should be made more obvious and discoverable.
2021-07-09 18:27:41 +00:00
Nardi Ivan c2d77d910d QUIC: improve "Follow QUIC Stream" support
This functionality has been added in d2a660d8, where its limitations
are described.
* the Substream index menu now properly filters for available stream numbers;
* Follow Stream selects the first stream in the current packet

Known issue (which is still there):  if a packet contains multiple QUIC
streams, then we will show data also from streams other than the selected
one (see #16093)

Note that there is no way to follow a QUIC connection.

Close #17453
2021-07-07 13:08:19 +00:00
Chuck Craft 1caa05116b docs: wireshark-filter - update man page 2021-06-29 18:00:59 +00:00
Chuck Craft 820faa1777 docs: wireshark-filter - update man page 2021-06-29 18:00:59 +00:00
Gerald Combs fe92029dd4 Docs: Remove sgml.doc.template.
It looks like we haven't used this since 2004: 556f1245e4.
2021-06-22 01:55:14 +00:00
João Valverde 2080661e88 wslog: Documentation fixups 2021-06-21 22:39:54 +01:00
Guy Harris 628fe2549a mergecap: improve the example.
Explain, in detail, exactly what it's trying to do and, for each of the
three commands in the example, what each step does, as well as
explaining what the calculation using the end time of one capture and
start time of another capture is doing.

(Where did this example come from?  What is the real-world goal of this
exercise?  And why is it an example in which all the fancy stuff is done
in commands *other* than mergecap?)
2021-06-20 23:50:25 +00:00
Gerald Combs 0ae9c3e8eb Docs: Remove the authors list from wireshark(1).
The AUTHORS section of wireshark(1) is about half the content of the man
page. While it's important to acknowledge the people who have
contributed to the project, the goal of the man page is to tell people
how to use Wireshark.

Replace the list of authors with text that acknowledges their
contributions along with pointers to the AUTHORS file and the list on
the main web site.
2021-06-17 18:33:09 -07:00
João Valverde c5b3842639 wslog: Add more documentation 2021-06-17 12:00:10 +01:00
João Valverde 586535bdb8 Add documentation for display filter raw string syntax 2021-06-07 18:58:49 +00:00
João Valverde e931336a2d doc: Replace link to pcrepattern(3) 2021-06-07 18:04:35 +00:00
John Thacker 17f2fc32f7 tshark: Correct documentation about name resolution.
The tshark help and documentation has been incorrect for at least
eight years, claiming that by default all name resolutions are
performed. Fixes #11762
2021-05-26 23:09:53 +00:00
Toff 2df04e5bb0 Follow stream: Modify YAML format, add timestamps and peers
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
2021-05-25 08:09:31 +00:00
João Valverde 8eacd615c8 Disable assertions for release builds
Currently our build generates very many warnings if
G_DISABLE_ASSERT is defined.

Add ws_assert() and ws_assert_not_reached() to incrementally
replace existing assertions and then disable them using

Assertions are disabled with CMake build type Release.
By default the build type is RelWithDebInfo so the current
behaviour of enabling assertions by default is (for now) preserved.

Add some notes to README.Developer.
2021-05-19 03:52:45 +01:00
Odysseus Yang c4b32c8f46 ETWDUMP: Update to support live capture
etwdump will read events from a live session with the params as the filter, also the params can be used as filter when reading from a etl file.
2021-05-13 21:17:09 +00:00
Chuck Craft 9f72d4ce60 DOC: tshark io,stat - function name not optional 2021-04-19 21:55:45 -05:00
Chuck Craft 8390771a56 Update README.plugins (typo - ENABLE_PLUGIN_IFDEMO) 2021-04-15 07:51:38 +00:00
Uli Heilmeier c2f3b654f7 Manpage tshark: Add option '-A'
This commit adds option '-A' for rpcap authentication.

Fixes: wireshark/wireshark#16674
2021-04-10 07:32:08 +00:00
João Valverde e4d4814168 Don't install HTML manuals twice.
Wireshark loads HTML files as resources from "/usr/share/wireshark"
on Unix-like systems and from the $build/run directory when run that
way. There are also other locations specific to other platforms and
packaging solutions and multi-config builds.

HTML manuals are installed both to "/usr/share/wireshark" and
"/usr/share/doc/wireshark" for Unix-like systems. For now install them
only to the former to avoid unnecessary clutter and duplication. The
manuals can be consulted using 'man' or launched in HTML format from
Wireshark's help menu (or found in $pkgdatadir instead of $docdir).

Eventually we may want to simplify that maze of locations for HTML
resources and have Wireshark load the manuals from $docdir instead
on Unix, and do the right thing for the other platforms, etc.
2021-03-29 20:20:11 +01:00
Guy Harris d18e1f19e9 Add dumpcap options to set the name and description for a capture source.
Add --ifname and --ifdescr to allow the name and description for an
interface or pipe to be set; this overrides the specified name or
reported description for an interface, and overrides the pipe path name
and provides a description for a pipe.

Provide those arguments when capturing from an extcap program.

This is mainly for extcaps, so you have something more meaningful than
some random path name as the interface name and something descriptive
for the description.
2021-03-25 07:34:37 +00:00
Guy Harris 9bd144b8ea tshark: clean u the way the -U option lists available taps.
Allow "-U ?" as well as an empty argument; an empty argument is a bit

Simplify the introductory line of output - asking for a list of taps
isn't an error in which the user failed to supply a tap name, it's a
case where the user suplied a request for a list of tap names.

Just use fprintf() to print the list, and indent the elements of the
list, as we do with other lists of valid arguments.

List the valid arguments if the user specified an invalid argument as
2021-03-13 15:32:14 -08:00
Guy Harris 5d39e36198 doc: Clean up lists of file types.
Add missing entries, regularize the descriptions, etc..

Note that pcap and pcapng are the native formats.

Fix various issues.

Update the editcap -F output to match urrent reality.

While we're at it, sort the libwiretap modules, putting observer.c in
the right place.
2021-03-13 10:02:02 +00:00
Guy Harris e0afa7f2a4 Observer is now a product of Viavi.
JDSU bought Network Instruments, and then split into Viavi and Lumentum,
with Viavi getting Observer.
2021-03-11 20:02:14 +00:00
João Valverde 73d793788c Remove and replace obsolete ws_snprintf() definition
Since fe94133f0d ws_snprintf()
and ws_vsnprintf() don't actually do anything anymore.

The return value of ws_[v]snprintf was discarded before,
now it too conforms to C99.
2021-02-28 22:03:42 +00:00
João Valverde 72dcf04a1b plugins.example: Be less terse in the README description 2021-02-26 16:19:51 +00:00
Gerald Combs eceff254b6 Docs: Recommend EditorConfig.
Note that we use EditorConfig in the WSDG and README.developer, and that
you should make sure your editor uses it. Recommend 4 space indentation
more strongly. Ping #17253.

Reorder and reword the coding style sections of each document while
we're here.
2021-02-25 09:37:49 -08:00
Nicolás Alvarez ebfbf958f6 Add ENC_TIME_NSECS timestamp encoding
Add a new timestamp encoding format ENC_TIME_NSECS, like ENC_TIME_SEC but
for nanosecond values. Needed for my work-in-progress dissector for Apple
push notifications.
2021-02-10 12:45:54 +00:00
João Valverde 89fee9321e Avoid exposing HAVE_PLUGINS in the public API
Instead *_register_plugin() is turned into a noop (with a warning).

The test suit is failing with ENABLE_PLUGINS=Off (it was already failing
before and this patch didn't affect that).

Closes #17202.
2021-02-06 16:35:51 +00:00
Nicolás Alvarez 981e662a0a Minor changes to ENC_TIME documentation
- Fix duplicate "are are".
- Fix NTP epoch year in ENC_TIME_NTP docs (572b80d2 fixed it in the README
  but not in proto.h).
- Remove completely redundant "(ie. )" clauses.
2021-02-04 10:13:36 +00:00
Nicolás Alvarez 0e86ea6c57 Update documentation for ENC_TIME_* constants
ENC_TIME_MIP6 and ENC_TIME_CLASSIC_MAC_OS_SECS were added recently by
factoring them out of specific dissectors, but they weren't documented.
I added documentation, based on comments in the dissector code they came
2021-02-03 21:03:11 -03:00
heinrich5991 5c3a651ea2 Fix doc/README.plugins mentioning the wrong symbols
Since 2.9.0, plugin_release has been split up into two different
variables, plugin_want_major and plugin_want_minor.
2021-02-03 02:46:32 +00:00
Chema Gonzalez 03baf65ae7 editcap: add support for epoch timestamps in `-A` and `-B` options
Inspired in


Timestamps on file used for comparison:
$ tshark -r test/captures/snakeoil-dtls.pcap -T fields -e frame.time_epoch

$ ./build/run/editcap -B 1150121069.3 test/captures/snakeoil-dtls.pcap -
editcap: "1150121069.3" isn't a valid date and time
$ ./build/run/editcap -A 1150121069.3 test/captures/snakeoil-dtls.pcap -
editcap: "1150121069.3" isn't a valid date and time
$ ./build/run/editcap -A 1150121069 test/captures/snakeoil-dtls.pcap -
editcap: "1150121069" isn't a valid date and time
$ ./build/run/editcap -B 1150121069 test/captures/snakeoil-dtls.pcap -
editcap: "1150121069" isn't a valid date and time

$ ./build/run/editcap -A 1150121069.3 test/captures/snakeoil-dtls.pcap - | tshark -r - -T fields -e frame.time_epoch
$ ./build/run/editcap -A 1150121069 test/captures/snakeoil-dtls.pcap - | tshark -r - -T fields -e frame.time_epoch
$ ./build/run/editcap -B 1150121069.3 test/captures/snakeoil-dtls.pcap - | tshark -r - -T fields -e frame.time_epoch
$ ./build/run/editcap -B 1150121069 test/captures/snakeoil-dtls.pcap - | tshark -r - -T fields -e frame.time_epoch
2021-01-11 18:01:08 +00:00
Eugene Adell 9b0c3f5eaf Just correct the documentation for this obvious mistake. Closes #17141. 2021-01-09 19:07:30 +01:00
David Perry b758fdaede Add iso8601_to_nstime() for editcap and nettrace
This adds a function to parse a string date-time in ISO 8601 format into
a `nstime_t` structure. It's based on code from epan/tvbuff.c and
wiretap/nettrace_3gpp_32_423.c and meant to eventually replace both.
(Currently only replaces the latter.)

Since most of Wireshark expects ISO 8601 date-times to fit a fairly
strict pattern, iso8601_to_nstime() currently rejects date-times without
separators between the components, even though ISO 8601 actually permits
this. This could be revisited later.

Also uses iso8601_to_nstime in editcap to parse the -A/-B options,
thus allowing the user to specify a time zone if desired. (See #17110)
2021-01-08 09:18:39 +00:00
Gerald Combs dfc05555eb [Automatic update for 2021-01-03]
Update manuf, services enterprise numbers, translations, and other items.
2021-01-03 17:38:31 +00:00
Jaap Keuter b3d6580b4f editcap: clarify relation between -A/-B and -r
Change wording so that the order of processing becomes more apparent.

Closes #17109
2020-12-31 10:50:17 +00:00
Jim Young 9fb22c1ec0 Four trivial comment typo fixes of ‘ad’ to ‘as’ 2020-12-06 19:07:08 +00:00
Odysseus Yang 2a5b34d8b0 MBIM: Update dissector to support DLT_ETW
New link type DLT_ETW is added for write and read Event Trace on Windows.
This change updates MBIM dissector to decode a MBIM message from
a DLT_ETW packet.
2020-12-02 09:05:11 +00:00
Martin Mathieson df651aca91 Spelling improvements
Improve script by ignoring common contractions, dealing with
e.g. \n within strings, and finding multiple concatenated words even
when no camelCase is used.

Also includes some actual spelling fixes.
2020-11-22 11:30:24 +00:00
John Thacker e20bd408de Use iconv to support GB 18030 and EUC-KR, allow future encodings
Add support internally to using iconv (always present with glib) to convert
strings from various encodings to UTF-8 (using REPLACEMENT CHARACTER as
recommended), and use that to support GB 18030 and EUC-KR. Replace call
directly to iconv in ANSI 637 for EUC-KR to new API. Update comments
and documentation around character encodings. It is possible to replace
the calls to iconv with an internal decoder later. Tested on Linux and
on Windows (including with illegal characters). Closes #16630.
2020-10-21 11:26:23 +00:00
Chuck Craft 90cd509d92 Consistent "Prepare as Filter" - menus and screenshots #16892 2020-10-15 09:18:56 +00:00
Роман Донченко 88b0370f86 Fix spelling errors in the documentation 2020-10-12 11:43:47 +00:00
Jeff Widman 46c9f2579d typo: is require --> is required 2020-10-07 17:32:54 -07:00
Jeff Widman 8d7ebc732e Fix issues discovered by common python linters
Fix some issues discovered by common python linters including:
* switch `None` comparisons to use `is` rather than `==`. Identity !=
equality, and I've spent 40+ hours before tracking down a subtle bug
caused by exactly this issue. Note that this may introduce a problem if
one of the scripts is depending on this behavior, in which case the
comparison should be changed to `True`/`False` rather than `None`.
* Use `except Exception:` as bare `except:` statements have been
discouraged for years. Ideally for some of these we'd examine if there
were specific exceptions that should be caught, but for now I simply
caught all. Again, this could introduce very subtle behavioral changes
under Python 2, but IIUC, that was all fixed in Python 3, so safe to
move to `except Exception:`.
* Use more idiomatic `if not x in y`--> `if x not in y`
* Use more idiomatic 2 blank lines. I only did this at the beginning,
until I realized how overwhelming this was going to be to apply, then I
* Add a TODO where an undefined function name is called, so will fail
whenever that code is run.
* Add more idiomatic spacing around `:`. This is also only partially
cleaned up, as I gave up when I saw how `` was clearly
infatuated with the construct.
* Various other small cleanups, removed some trailing whitespace and
improper indentation that wasn't a multiple of 4, etc.

There is still _much_ to do, but I haven't been heavily involved with
this project before, so thought this was a sufficient amount to put up
and see what the feedback is.

Linters that I have enabled which highlighted some of these issues
* `pylint`
* `flake8`
* `pycodestyle`
2020-09-26 04:38:18 +00:00
Martin Mathieson 906ead6993 Fix some more doc folder spelling errors. 2020-09-25 22:20:21 +01:00
Thomas Vogt acdaf33630 README.developer: Fix some quotation marks around function names 2020-09-25 15:29:14 +00:00
Gerald Combs 4a7be0aaa7 doc: Update wiki URLs in man pages. 2020-09-17 14:18:43 -07:00
Guy Harris 272502790b Add FT_STRINGZTRUNC.
FT_STRINGZPAD is for null-*padded* strings, where the field is in an
area of specified length, and, if the string is shorter than that
length, all bytes past the end of the string are NULs.

FT_STRINGZTRUNC is for null-*truncated* strings, where the field is in
an area of specified length and, if the string is shorter than that
length, there's a null character (which might be more than one byte, for
UCS-2, UTF-16, or UTF-32), and anything after that is not guaranteed to
have any particular value.

Use IS_FT_STRING() in some places rather than enumerating all the string
types, so that those places get automatically changed if the set of
string types changes.
2020-09-12 14:16:12 -07:00
Gerald Combs 188b4a655f README.developer: Note that sources can use UTF-8.
We started allowing source files to be encoded as UTF-8 in April 2019 in
bd75f5af0a. Update README.developer to match.

README.developer no longer has a "Code style" section, so update the
Developer's Guide to point to the "Portability" section.
2020-09-04 10:01:23 +00:00
Martin Mathieson 38d77e6c7c Fix some typos detected in man pages. 2020-09-03 21:07:35 +00:00
Gerald Combs 97dcaf97fc Convert Gerrit URLs to GitLab.
Convert various URLs to their equivalents.

Change-Id: I0150d1bd14208eb451a7de818dce6573363b1d27
2020-08-24 23:31:32 +00:00
Gerald Combs 9977ca2132 doc: Update README.dissector for GitLab.
Change-Id: I0fd52a17a80f3d4f6acc3c38d53c7d452e85382f
2020-08-24 04:58:11 +00:00
Guy Harris efd7cb38e6 doc: explain when to use FT_STRINGZ, and document FT_STRINGZPAD.
FT_STRINGZ should be used *ONLY* if the string is *ALWAYS* supposed to
have a null terminator, either because the length isn't otherwise
specified, so that it can only be determined by finding the terminating
null character, or because a character count *and* a NULL terminator are
both used (yes, there appear to be some cases where that's true).

FT_STRINGZPAD is null-padded rather than null-terminated; this is
typically used for fixed-length fields that contain a string value that
might be shorter than the fixed length.

Change-Id: Ifdf421ca666482583a4dfc76167eae6dc473f48a
Reviewed-by: Guy Harris <>
2020-08-12 09:03:54 +00:00
David Perry e4379f0ea1 Dumpcap: print closed ring-buffer file names
This proposal adds a new option '-b printname:<filename>' to dumpcap. If
used, dumpcap will print the name of each ring buffer file it creates
after it is closed. Allows the use of '-'/'stdout' and 'stderr'.

Use case: Since the file name is printed after the file is closed for
writing, an automated capture process can do something like the
following with the guarantee that the file in question will not be

    dumpcap -i eth0 -b files:2 -b printname:stdout [-b ...] | \
    while read cap_file_name ; do
        # Do something with $cap_file_name

This sort of scripting is difficult in dumpcap's current form. Dumpcap
prints the names of new files to stderr as it *opens* them, so a script
attempting to use this must sleep for "-b duration:value" seconds plus
some fudge time to be sure it's getting a closed, unchanging file.

Change-Id: Idb288cc7c8c30443256d35c8cd4460a2e3f0861c
Petri-Dish: Alexis La Goutte <>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <>
2020-08-08 08:04:13 +00:00
David Perry d24c9df384 editcap: add capture-file comments to output file
Add the `--capture-comment "comment"` option for appending pcapng
comments to the SHB of the output file(s).

Add the `--discard-capture-comment` option for removing pcapng comments
present in the input file SHB(s) before writing to the output file(s).

Supports multiple comments per SHB. Noted in the documentation that
Wireshark itself doesn't support multiple comments.

Bug: 15033
Change-Id: If07a4e7a93505438639018783a11343cd5992f2a
Petri-Dish: Anders Broman <>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <>
2020-08-07 08:24:19 +00:00
David Perry 555b89492a editcap: support fractional seconds in -A/-B opts
Allow user to specify time resolutions as fine as 1 nanosecond for the
start and stop times (-A and -B options) for editcap. Uses `nstime_t`
for the user options and `nstime_cmp()` to compare with packet

Change-Id: I2340bc4830c7d9a6b17a5e53fa4e8837e231bcb6
Petri-Dish: Anders Broman <>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <>
2020-08-05 21:32:45 +00:00
Peter Wu 40dee6eafb sshdump: clarify integration with Wireshark
The sshdump command is typically not invoked directly, and I need a
place to refer people to for configuring Wireshark.

Change-Id: I10fb3d88dbb3aea0bfcaf22aac90b36a7a8dc814
Petri-Dish: Peter Wu <>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Kaiser <>
Reviewed-by: Dario Lombardo <>
2020-07-19 20:29:54 +00:00