Commit Graph

249 Commits

Author SHA1 Message Date
João Valverde 0cea64a632 Move ui/cmdarg_err.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde 84f963dfa2 Move ui/version_info.[ch] to wsutil 2023-02-07 23:17:37 +00:00
João Valverde c62aa67d2c Move ui/exit_codes.h to include/ 2023-02-07 10:12:08 +00:00
João Valverde 3949d289d1 Add log init message to main() 2022-10-08 15:33:47 +00:00
Guy Harris e5951765d8 Dissector names are not protocol names.
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question.  For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.

Dissectors can handle this in various ways:

For example, the dissector could attempt to determine the protocol over
which the packet was transported.

Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.

Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.

Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.

An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code.  Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols.  This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.

Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.

So:

We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).

We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.

We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags.  (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)

We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.

We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appears that a descriptive name,
rather than a short API name, should be used.  (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
2022-09-10 22:37:11 -07:00
John Thacker 2e5a78dc64 text2pcap: Switch default file format to pcapng
For the upcoming 4.0 release, switch the default file format for
text2pcap to pcapng from pcap, to match other tools and the GUI
behavior. Update the documentation and release notes appropriately.

Deprecate the old -n flag; since pcapng is the default this has no
effect. Changing the output capture file format is supported with
the -F option, consistent with the other command line tools.

Related to #18009.
2022-05-12 16:20:40 +00:00
Guy Harris 109b92b5d7 wiretap: have wtap_dump_close() provide a "needs to be reloaded" indication.
This allows the "needs to be reloaded" indication to be set in the close
process, as is the case for ERF; having a routine that returns the value
of that indication is not useful if it gets set in the close process,
as the handle for the wtap_dumper is no longer valid after
wtap_dump_close() finishes.

We also get rid of wtap_dump_get_needs_reload(), as callers should get
that information via the added argument to wtap_dump_close().

Fixes #17989.
2022-03-14 19:12:20 +00:00
David Perry e2fab18853 wsutil: New API to gather compile/runtime info 2022-02-24 13:27:08 +00:00
Alexis La Goutte a1be626264 text2pcap: Fix DeadStore found by Clang Analyzer
text2pcap.c:476:13: warning: Value stored to 'pcap_link_type' is never read [deadcode.DeadStores]
2022-02-13 10:34:30 +00:00
John Thacker d2fd2eeb31 text2pcap: encap types option (instead of link type)
Add an option to text2pcap to specify the encapsulation type
via wiretap encapsulation type short names instead of pcap
link layer types, similar to editcap.

Update the documentation to reflect this.
2022-01-16 04:27:03 +00:00
John Thacker f85f077b54 text_import: Allow fake IP headers with Raw IP encapsulation
In text2pcap and Import from Hex Dump, allow fake IP headers with
the appropriate versions when the Raw IP, Raw IPv4, and Raw IPv6
encapsulations are specified. In such cases, do not add a dummy
Ethernet header.

Continue to reject other encapsulations besides these, Ethernet,
and Wireshark Upper PDU when appropriate. Add some checks for the
encapsulation type in text_import as well, instead of just assuming
that the callers handle it correctly.
2022-01-11 08:46:44 -05:00
John Thacker b5c51f396a text2pcap: Use RFC 3849 addresses for documentation
Use the RFC 3849 IPv6 address prefix reserved for documentation
for the documentation and examples
2022-01-11 01:28:23 +00:00
John Thacker 21465962fd text2pcap: Use common capture type flag
Support all possible file formats that wiretap writes, using the
same "-F" flag that other CLI tools like editcap, mergecap, and tshark
support. Default is still pcap for now; a future commit will switch
to pcapng and remove the "-n" option, to match other CLI tools.
2022-01-03 16:42:15 +00:00
John Thacker ab347ea14e text2pcap: add regex
Add support in text2pcap for the regex mode added to "Import from
Hex Dump" in 3.6.0. The input and output indicators cannot (yet?)
be configured, and are set to the default of allowing any of "iI<"
for inbound and "oO>" for outbound. This reaches feature parity
between text2pcap and Import from Hex Dump, fixes #16724.
(There might be some more cleanups to do, including docs.)
2022-01-02 01:01:51 +00:00
John Thacker 42084c2d17 text2pcap: Move SHB and IDB setup to ui/text_import
Move the parameter setup to text_import, so that later it can
be called from the GUI, including the interface name. (This has
to be a separate function because these parameters need to be
set before the call to wtap_dump_open, which is different for
regular files vs temp files vs stdout.)
2021-12-30 17:05:06 +00:00
John Thacker 021c25e22c text2pcap: Use standard log debug level
Remove the '-d' option from text2pcap, and move the two levels
of debug messages in text2pcap and text_import to either
LOG_LEVEL_DEBUG or LOG_LEVEL_NOISY as appropriate.
2021-12-30 01:17:06 +00:00
John Thacker 23355cddf6 import_text: Add ASCII identification checkbox
Add a checkbox for the extra detection for ASCII in a hex+ASCII
hexdump even when the text looks like hexbytes to Import from Hex
Dump. Save and restore it from the settings. Work towards #16724.
2021-12-26 19:13:25 -05:00
John Thacker 0dfc6414e0 text2pcap: Add Export PDU
Support Export PDU functionality from text2pcap. Related to #16724.
2021-12-26 14:07:37 -05:00
John Thacker 9e7b5c9189 text2pcap: Use debug level
Pass the debug level parameter from text2pcap to text_import
so that it is used as it was before to print internal parsing
information.
2021-12-25 15:52:46 -05:00
John Thacker 5f3197e8be text2pcap: Update usage for new time format options 2021-12-25 13:26:04 -05:00
John Thacker 8cafcfa5a9 text2pcap: Support OFFSET_NONE 2021-12-25 09:19:07 -05:00
Guy Harris 126971191a text2pcap: use ws_strtou8() to process the -i flag.
Based on Gerald's !5562.

Use ws_strtou8() rather than doing all the error checking ourselves.

Have a common routine to call when an IP "next protocol" value is set;
it does all the necessary work, and could also check for colliding
settings, such as combining "-i 99" with "-s", "-S", "-u", or "-T", or
combining "-u" with "-T", or....
2021-12-24 23:52:47 -08:00
Guy Harris 37d90b7c04 text2pcap: have a Boolean flag indicating whether -i was specified.
That avoids worrying about finding an appropriate out-of-range value to
indicate whether -i was specified or not.
2021-12-24 23:05:52 -08:00
John Thacker a369a2172a text2pcap: Explicit case to keep clang happy 2021-12-24 20:56:43 -05:00
John Thacker 0d68a1364f text2pcap: Use common failure messages, exit codes
Use the common exit codes and failure messages.
2021-12-24 17:01:35 -05:00
John Thacker 96c299c6b8 text_import: Reduce globals
A bunch of the globals are simply copied from the input parameter
text_import_info_t, just use them directly.

Move the count for packets read and written into the info type,
so that callers like text2pcap can access them as results.
2021-12-24 08:20:27 -05:00
John Thacker 0867374044 text2pcap: Call text_import
Have text2pcap call text_import to do the work.
Related to #16724.
2021-12-23 20:41:52 -05:00
John Thacker 54e9c99041 text2pcap: Finish setting up error handling
Finish up all the setup for the common command line error
handling and for the report message handling when this eventually
calls ui/text_import
2021-12-23 00:09:54 -05:00
John Thacker f23296296e text2pcap: Clean up includes
Since we're using wtap_dump_open[_stdout] from file_access.c now,
we don't need to include io.h or fcntl.h on Windows anymore, and
we don't need to include pcapio either.
2021-12-22 01:38:49 +00:00
John Thacker c5cc836a48 text2pcap: Use wtap_dumper
Use wtap_dump instead of the pcapio functions for writing files.
This makes it easier to unify with text_import, and also makes it
easier to eventually write other file formats (with a similar option
to the other CLI programs), and allows using the standard CLI error
messages.

Also move some of the option validation before attempting to open
the output file.
2021-12-22 00:46:00 +00:00
João Valverde 0ccd69e530 Replace g_strdup_printf() with ws_strdup_printf()
Use macros from inttypes.h.
2021-12-19 21:21:58 +00:00
João Valverde fe5248717f Replace g_snprintf() with snprintf()
Use macros from inttypes.h with format strings.
2021-12-19 20:06:13 +00:00
Jörg Mayer a0173cd7cf text2pcap: Support parsing of iso-8601 dates 2021-12-02 19:34:45 +00:00
João Valverde 5362d0c31b ws_getopt: Rename struct and macros
This is part of the API and should also be renamed to avoid conflicts.
2021-09-30 13:59:28 +00:00
Alexis La Goutte 13c33fa68a text2pcap: Fix -Wmissing-prototypes
warning: no previous prototype for function 'text2pcap_vcmdarg_err' [-Wmissing-prototypes]
2021-09-18 07:21:36 +00:00
João Valverde 8df2a73594 Use the musl in-tree getopt_long() everywhere
Besides the obvious limitation of being unavailable on Windows,
the standard is vague about getopt() and getopt_long() has many
non-portable pitfalls and buggy implementations, that increase
the maintenance cost a lot. Also the GNU libc code currently
in the tree is not suited for embedding and is unmaintainable.

Own maintainership for getopt_long() and use the musl implementation
everywhere. This way we don't need to worry if optreset is available,
or if the $OPERATING_SYSTEM version behaves in subtly different ways.

The API is under the Wireshark namespace to avoid conflicts with
system headers.

Side-note, the Mingw-w64 9.0 getopt_long() implementation is buggy
with opterr and known to crash. In my experience it's a headache to
use the embedded getopt implementation if the system provides one.
2021-09-17 00:43:54 +01:00
Guy Harris 0a9ef601d2 Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.

This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.

Support writing multiple comments in dumpcap when capturing.

These changes also fix builds without pcap, and make --capture-comment
work in Wireshark when a capture is started from the command line with
-k.

Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).

Update the man pages:

- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-15 05:43:36 +00:00
João Valverde 100876337a Move version_info.[ch] to ui/
Version info is an aspect of UI implementation so move it to
a more appropriate place, such as ui/. This also helps declutter
the top-level.

A static library is appropriate to encapsulate the dependencies
as private and it is better supported by CMake than object libraries.

Also version_info.h should not be installed as a public header.
2021-07-04 10:37:49 +00:00
João Valverde c6a920686c wslog: Check environment initialization for errors
Initialize the cmdarg error stream earlier.

Dumpcap also needs to know earlier if it is running in capture
child mode.
2021-06-26 00:18:26 +01:00
João Valverde 759bb234d0 wslog: Check if we are initialized and add missing inits
Instead of receiving the program name from GLib, pass it explicitly
to ws_log_init() instead and use that to initialize the GLib program
name.

ws_log_parse_args() will now exit the program when it encounters an
argument error if exit_failure >= 0.
2021-06-21 16:03:29 +00:00
Guy Harris 57a1514ac7 Cast away the return value of g_strlcpy() and g_strlcat().
Most of the time, the return value tells us nothing useful, as we've
already decided that we're perfectly willing to live with string
truncation.  Hopefully this keeps Coverity from whining that those
routines could return an error code (NARRATOR: They don't) and thus that
we're ignoring the possibility of failure (as indicated, we've already
decided that we can live with string truncation, so truncation is *NOT*
a failure).
2021-04-30 03:19:19 -07:00
Guy Harris c0711693ab Enable -Wredundant-decls.
Add it to the default list of checks, and fix some errors it causes.
(Sadly, it doesn't work in Clang.)
2021-02-14 14:43:42 -08:00
Jaap Keuter 38ab00a094 Let the CLI programs tell about how to show their version
Add to the help text the option to show the version of the CLI program.
2020-12-22 21:18:21 +00:00
Guy Harris fd88bfa348 Write the if_hardware option, if available, to pcapng files when capturing.
Change-Id: Ib9ff78d148a2364c84d84b4a9b020b3d783654a3
Reviewed-on: https://code.wireshark.org/review/36602
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 03:34:18 +00:00
Peter Wu 36e1f782aa epan,packaging: convert http URLs to https
Ensure that public text in error messages and dialogs point to https.
Ensure that the generated PDML files include scripts over https.

Change-Id: I75d42704c2bbb33b05492261b3e1d45dc6e301f9
Reviewed-on: https://code.wireshark.org/review/34027
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-07-20 20:50:59 +00:00
Guy Harris 0c12cd57c7 Use memcpy() to copy bytes.
No need to do our own copying loop.

Change-Id: Ia3f5065c7b24c5a11e6fa289aef7ca54187fe67e
Reviewed-on: https://code.wireshark.org/review/32385
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-03-11 01:14:26 +00:00
Guy Harris d7a3764475 Some cleanups.
hdr_ethernet is a flag indicating whether we should add a fake Ethernet
header or not; make it a Boolean.

Move number_of_padding_bytes() closer to where it is in
ui/text_import.c, and make it more like the version there.

Shift the direction flag to put it in the right bit position - or, at
least, throw in the shift constant to clarify that we're trying to put
it there, even if it's already in the right position (i.e., the shift
constant happens to be 0, as it happens to be in the low-order bits).

Fix a comment.

Change-Id: Ia643d9ab2188951a682bf773239d0175c0d578c2
Reviewed-on: https://code.wireshark.org/review/32337
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-03-06 10:47:06 +00:00
Guy Harris b5036134c2 Add macros for the pack_flags field.
Add macros to extract the direction, reception type, and FCS length
fields of the pack_flags field, and add definitions for different
directions and reception types.

Add a macro to construct a pack_flags field value from subfields; this
is for use by non-pcapng file readers (the pack_flags field is just a
copy of the EPB flags option, so that's not needed for pcapng).

Move some #defines for that field from packet-frame.c to wtap.h, and
rename them to match the new macros.

Use the macros rather than rolling our own code.

Fix a variable name in text2pcap.c that apparently had the wrong name,
given the value that was being tested.

Change-Id: Ia788ca4e9f5fabd8d24e6ead5ff1817509f54827
Reviewed-on: https://code.wireshark.org/review/32010
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-02-13 18:43:27 +00:00
Peter Wu e2e5b01d77 cli_main: remove real_main from stack traces for non-Windows
Restore the "main" name since that is used everywhere else except for
Windows. On Windows, "main" is renamed via a macro to avoid a conflict
with "wmain" and to allow it to be called in cli_main.c.

For those wondering, GUI applications (such as Qt) have a different
entry point, namely WinMain. In Qt5, src/winmain/qtmain_win.cpp defines
WinMain, but seems to convert its arguments from Unicode to CP_ACP
(ASCII). It might not support UTF-8, but I did not verify this.

Change-Id: I93fa59324eb2ef95a305b08fc5ba34d49cc73bf0
Reviewed-on: https://code.wireshark.org/review/31208
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-01-02 12:08:20 +00:00
Jaap Keuter afc1265b63 writecap: rename pcapng_write_session_block to _section_block
The pcapng file format specification speaks of a section block, not
a session block. Let the function name reflect the proper name of
the block it writes.

Change-Id: Id399fae3648c93f4750fedaa297b18f95f2bb96f
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/31099
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-12-18 23:41:41 +00:00