Move the extraction of the option value from the option content from the
callers of pcapng_process_uint32_option() to
pcapng_process_uint32_option() itself.
That way, add-on modules to handle block types not handled by the core
pcapng code can use pcap_process_options() to process a block's options
and can use the routines to handle the "standard" option value types to
handle particular options.
Also, allow both everything-is-little-endian and
everything-is-big-endian Custom Block types in pcap_process_options().
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.
Update the pcap-ng reader and sysdig event dissector to support the second version of the sysdig event block, which was introduced after Wireshark's original implementation
The options get unmarshalled (deserialized) when you read them; they
need to get marshalled (serialized) when you write them. This requires
an option handler to have more than one function.
While we're at it, in the declarations for function types for *block*
reader and writer plugins, add names to the prototype function
arguments, to make it a bit clearer what those arguments are.
Support reading and writing pcapng files with DSBs. A DSB may occur
multiple times but should appear before packets that need those
decryption secrets (so it cannot be moved to the end like NRB). The TLS
dissector will be updated in the future to make use of these secrets.
pcapng spec update: https://github.com/pcapng/pcapng/pull/54
As DSBs may be interleaved with packets, do not even try to read it in
pcapng_open (as is done for IDBs). Instead process them during the
sequential read, appending them to the 'wtap::dsbs' array.
Writing is more complicated, secrets may initially not be available when
'wtap_dumper' is created. As they may become available in 'wtap::dsbs'
as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference
this array. This saves every user from checking/dumping DSBs.
If the wtap user needs to insert extra DSBs (while preserving existing
DSBs), they can set the 'wtap_dumper::dsbs_initial' field.
The test file was creating using a patched editcap (future patch) and
combined using mergecap (which required a change to preserve the DSBs).
Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9
Ping-Bug: 15252
Reviewed-on: https://code.wireshark.org/review/30692
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Some blocks should be returned by wtap_read(), others are just processed
internally. Add a Boolean flag to wtapng_block_t, have the routines
that read particular block types set it appropriately, and have the read
and seek-read routines check that flag rather than checking for the
block types that should be returned. Pass a pointer to the
wtapng_block_t to packet type plugin read routines, rather than passing
it some members of the wtapng_block_t.
This means that 1) for new block types, we don't have to update any
tests and 2) plugin handlers for block types can indicate whether they
processed the block internally and the caller shouldn't see it or 2) the
block should be provided to the caller.
Bug: 14388
Change-Id: Iccc2031a277f55c7fa8b4f692c776b482b792b4f
Reviewed-on: https://code.wireshark.org/review/25609
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't allow overriding of the block types we support in libwiretap - it
won't work anyway, as we check for those types first, and only look for
plugins for types we don't support.
Don't allow registering for any of the reserved types; if you aren't
going to use a local type, you have to get your type registered.
We *do* allow registering plugins for types that are registered but that
we don't support natively.
Change-Id: I2046d297b0503d3a77c83166b07ca226c0b18e82
Reviewed-on: https://code.wireshark.org/review/25583
Reviewed-by: Guy Harris <guy@alum.mit.edu>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcapng.c:461:31: warning: ISO C forbids passing argument 3 of 'g_hash_table_insert' between function pointer and 'void *' [-Wpedantic]
pcapng.c:1404:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
pcapng.c:1918:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
Change-Id: I535633098cc5d37442732dd92e8c9d3cda36631a
Reviewed-on: https://code.wireshark.org/review/12161
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
*Especially* don't stuff the amount of remaining data in a block into an
int that will then be passed to file_skip() as an amount to skip ahead,
as a Really Large Value will turn into a negative value and produce
various forms of bizarre and tricky-to-debug behavior.
Change-Id: I4d0a6b36fe50df84925690ad688a3ab0433ceb17
Reviewed-on: https://code.wireshark.org/review/10299
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make pcapng decode options in an NRB during read, and store the comment
option, and write it back out as well. Also make it handle plugin handlers
for unknown options in received NRB(s).
Change-Id: I81863ef8d85cb1c8b5ba6673ba0e562efe77714f
Reviewed-on: https://code.wireshark.org/review/9723
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We rename "file format" plugins to "libwiretap" plugins, as they can
register as read handlers for a new file type, read/write handlers for a
pcap-ng block type (or both).
To register as a pcap-ng block type handler, in the
register_wtap_module() routine of your plugin, call
register_pcapng_block_type_handler() with the pcap-ng block type and
pointers to your routines to read and write those blocks. Those
routines should read and write REC_TYPE_FILE_TYPE_SPECIFIC records, with
the block type in the pseudo-header for the record in the struct
wtap_pkthdr structure, with time stamps stored in that structure, and
with a blob of data for the rest of the record.
This is for bug 8590.
Change-Id: I71847d834854a29ceb85894fd094c2ae91a04273
Reviewed-on: https://code.wireshark.org/review/1775
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Moshe Kaplan