Change-Id: I5d8797b68c53168d4c00be8c3c3a3325b370e38c
Reviewed-on: https://code.wireshark.org/review/25492
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Free state.bb in error path.
Found by clang.
Change-Id: Ic9f2e1383a5219de465a6f22f7b382ac8b1f9cbf
Reviewed-on: https://code.wireshark.org/review/25443
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Instead, just:
assume a file with the regular pcap magic number is a regular pcap
file, not an unhelpfully-modified-without-changing-the-magic-number
format such as one of the (fortunately, short-lived) memory-mapped
capture formats or the Nokia format;
reject a file with the memory-mapped-capture-finally-changed-the-
magic-number magic number, as they then changed the *new* format
without changing its magic number;
and don't even leave a provision for multiple formats using the
"nanosecond pcap" magic number - not even when reading from a file -
so we can punish bad behavior (which is what changing the format
without changing the magic number is).
This should get rid of the last place where, when reading a pcap file
from a pipe, the first packet isn't displayed as soon as it arrives.
Bug: 14345
Change-Id: I2fcb3354dc84cdd2d8ec749a0db883e56971c4b4
Reviewed-on: https://code.wireshark.org/review/25383
Reviewed-by: Guy Harris <guy@alum.mit.edu>
out.next is initialized to point to the beginning of the buffer when a
FILE_T is created, so it won't be null.
Change-Id: Ib29f713ab3c524c9c7d83e8d9f3bef89fde1d5b5
Reviewed-on: https://code.wireshark.org/review/25380
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't loop trying to read a full buffer from the input file.
If you're reading from a file, on UN*X or Windows, you should get the
entire read count unless you're fewer than buffer-size bytes from the
end of the file, in which case you should get what remains in the file.
If you're reading from a pipe, however, that could cause you to block
longer than necessary waiting for a full buffer rather than just for the
next chunk of data from the pipe - which might not be a bufferful, if
the program writing to the file is itself writing less-than-bufferful
chunks, as may be the case in, for example, a pipeline coming from a
live capture and with the intent that TShark display the packets as they
arrive.
While we're at it, if we're trying to do a seek and the seek takes place
within the buffer of uncompressed data, just adjust the position within
that buffer for forward seeks as well as backward seeks; this
substantially reduces the number of ws_lseek64() calls when making a
sequential pass through the file in Wireshark (e.g., running a tap or
filtering the display) and, as we purge the buffer after the
ws_lseek64(), substantically reduces the number of ws_read() calls in
that situation as well.
Have a data structure for a file data buffer, and use it for both the
"input" (compressed data) and "output" (uncompressed data) buffers.
Rename raw_read() to buf_read(), as it reads into a buffer.
Change-Id: I7982b3499a7613a993913a6db887054730764160
Ping-Bug: 14345
Reviewed-on: https://code.wireshark.org/review/25358
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Found via CID 1427615.
Change-Id: I519b3905d33b0b2aa3ce164810b9e6358f6df1bd
Reviewed-on: https://code.wireshark.org/review/25347
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
That makes it clearer what's being tested, and makes the tests more
consistent, so we're always, not just sometimes, testing that way.
Change-Id: Ifac4a86d16d0652d04db3dec572c11e1335c945d
Reviewed-on: https://code.wireshark.org/review/25318
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If we aren't built with libz, report a new "decompression not supported"
error if the file is gzipped; the problem isn't that it's a new capture
file format we don't support, it's that a *compressed* capture file, in
some format, but we don't support the *compression* format used.
This can be extended if we add support for other compression formats.
Change-Id: I19239525d4e02357e3ca7189996556839af8fce2
Reviewed-on: https://code.wireshark.org/review/25315
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make plugins.c the source of truth for plugin names. Where plugins
reside and what they do are two different things, so split the plugin
directory and description into two separate elements.
CMake creates portable[1] builds on Windows and macOS. That is, the
build-time directory layout is the same as the installation directory
layout. Adjust various plugin paths macOS accordingly.
[1] You have to run osx-app.sh on macOS to prepare the application
bundle, but the goal is to create a directory/bundle that can be moved
or copied to a different system and run in the new location.
Change-Id: Icf9d02e61918fdf1404468baf52542910edf2743
Reviewed-on: https://code.wireshark.org/review/25166
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Move the signature timestamp bounds checks inside get_signature_ts. Fix
what appears to be an off-by-one error.
Bug: 14297
Change-Id: I9ca1762a8418e47153f270a1a62b2d0d3a800130
Reviewed-on: https://code.wireshark.org/review/25229
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
g995812c5f1 moved wiretap plugins registration from applications to
wiretap library init function.
As we do not want to load plugins for all users of libwiretap, let's
make it configurable.
Bug: 14314
Change-Id: Id8fdcc484e2d0d31d3ab0bd357d3a6678570f700
Reviewed-on: https://code.wireshark.org/review/25194
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This check has been alreay done in line 433: since then packet_size
is only decreased, then the check is redudant.
Change-Id: I8ede5c733867ccc98ab2d470181d1e4a29ae5b49
Reviewed-on: https://code.wireshark.org/review/25023
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
The check that the pcapng code does is "do we have a non-null
addrinfo_lists_t * and, if so, does it have a non-null ipv4_addr_list or
ipv6_addr_list"?
The check that the file-save code was using was just "do we have a
non-null addrinfo_lists_t *", so sometimes it'd think we couldn't do a
"quick save" even though we had no name resolution information to write
out to the capture file.
Make a routine that does that check, and use it in *both* places.
Change-Id: Id4720f4fe4940354320b2b7621ca5e37e45ec1f3
Reviewed-on: https://code.wireshark.org/review/25055
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We can just call file_tell() before reading the line when doing
sequential reads.
Change-Id: Ide36d0b7d99ef3e76dbe1ddfad6c99972c04739a
Reviewed-on: https://code.wireshark.org/review/25027
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Existence of in_file has been checked in line 908.
Change-Id: Ida6c06362a1f88caec40701be7f3e42133ce404a
Reviewed-on: https://code.wireshark.org/review/24994
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Put different types of plugins (libwiretap, libwireshark) in different
subdirectories, give libwiretap and libwireshark init routines that
load the plugins, and have them scan the appropriate subdirectories
so that we don't even *try* to, for example, load libwireshark plugins
in programs that only use libwiretap.
Compiled plugins are stored in subfolders of the plugin folders, with
the subfolder name being the Wireshark minor version number (X.Y). There is
another hierarchical level for each Wireshark library (libwireshark, libwscodecs
and libwiretap).
The folder names are respectively plugins/X.Y/{epan,codecs,wiretap}.
Currently we only distribute "epan" (libwireshark) plugins.
Change-Id: I3438787a6f45820d64ba4ca91cbe3c8864708acb
Reviewed-on: https://code.wireshark.org/review/23983
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Reads pcapng blocks from a pipe. Section header blocks are parsed for
endianess. All other blocks only have the general block header parsed
for type and length, and then endianess converted if necessary.
Outputs all blocks using the original endianess format so none of the
other block types or options require parsing.
Change-Id: I2f4f0175013d8fc2cda42a63e7deacad537951e3
Bug: 11370
Reviewed-on: https://code.wireshark.org/review/24536
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This sets the scope of the static build option to Wireshark support
libraries only.
Before the patch:
Static plugins don't work with CMake and autotools.
autotools static build is broken, and most likely will always be, as
building Wireshark all-static is difficult and time-consuming.
After the patch:
For CMake Wireshark will be built with static or shared libraries and
dynamic plugins. Everything just works. CMake apparently doesn't want
you building static and shared libraries at the same time.
For autotools Wireshark will be built with shared libraries by default.
--disable-shared and --enable-static options work as usual. Dlopened
plugins are not built if --disable-shared is given to configure (to
disable shared libraries). This is a limitations imposed by libtool.
Tested on Linux. This removes broken support for building plugins
statically.
Change-Id: Ib8e8176976f136eea93a2ce8f9857b6cf9bec64c
Reviewed-on: https://code.wireshark.org/review/24241
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Bug: 14195
Change-Id: Ic6be8e1f8169968c48376984c0d1a1a69c67f32a
Reviewed-on: https://code.wireshark.org/review/24415
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
The "internal" port type has been serialized by export PDU functionality
and nettrace_3gpp_32_423 wiretap. To better support "endpoint" functionality
the port types will be removed/updated and that changes the implicit values
from the port_type enum.
Take a snapshot of the current port_type values and use those specific values
when reading/writing export PDU data and provide conversion functions that can
be modified when port_types are removed. Do the same for nettrace_3gpp_32_423
wiretap.
Change-Id: I770bd0cab22e84f3cf49032fc86c5927bf85263f
Reviewed-on: https://code.wireshark.org/review/24169
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That allows a parallel typedef of ws_in4_addr for guint32.
Change-Id: I03b230247065e0e3840eb87635315a8e523ef562
Reviewed-on: https://code.wireshark.org/review/24073
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If we're building on Windows we're going to have windows.h and
winsock2.h. Don't bother checking for them.
Change-Id: I0004c44d7364ab3f41682f34b8c84cd8617c9603
Reviewed-on: https://code.wireshark.org/review/24068
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's been broken for over a year, needs to be modernized and as
implemented it's a maintenance nightmare. Get rid of it.
Ping-Bug: 13036
Change-Id: I34a6e4c28b6d3b96dd6550dd21e9cbeaf050d58f
Reviewed-on: https://code.wireshark.org/review/23967
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Autotools has the very useful feature by design of allowing the user
to override the default build flags (you break it you keep it).
Apparently CMake applies COMPILE_OPTIONS target property after
CMAKE_{C,CXX}_FLAGS so that doesn't work here. Prepend our flags to those
variables instead to make it work then.
Specific target flag overrides can still be added with COMPILER_OPTIONS
(e.g: generated files with -Wno-warning) but this is less effective and
then we're back at the point where this overrides user flags. It's less
of a concern though.
Change-Id: I44761a79be4289238e02d4e781fef0099628817b
Reviewed-on: https://code.wireshark.org/review/23675
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
It's not installed so like most other files it doesn't need or benefit
from the prefix.
Change-Id: I01517e06f12b3101fee21b68cba3bc6842bbef5c
Reviewed-on: https://code.wireshark.org/review/23751
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Add a CMake target that dumps the help output for our command line tools
to individual files. Include those files in the tools appendix instead
of pasting them in manually.
Fixup the output of some tools so that they pass the pre-commit checks.
Change-Id: I925f24818422a190927a96531c21f4d16d3fe5b5
Reviewed-on: https://code.wireshark.org/review/23737
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
NetMon apparently didn't zero out the file header, so those fields have
random values in pre-2.2.
Change-Id: I3aeede6ab273d57ca937a5e18e67223fb4ed18da
Reviewed-on: https://code.wireshark.org/review/23666
Reviewed-by: Guy Harris <guy@alum.mit.edu>
IXIA^WKeysight Technologies's vitual IxNetwork version 8.30 will
create capture files in a modified format: It uses a different magic
and adds the total size of all records, i.e. the filesize minus the
headersize. Add support for this.
v2: Different file types use different magic numbers.
Not yet tested/supported: The default fileending is .lcap
Bug: 14073
Change-Id: Ida90b188ca66a78ff22dca237e4fd6b22e02dc14
Reviewed-on: https://code.wireshark.org/review/23614
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If we're not going to subtract 4 from actual_octets, there's no reason
to treat actual_octets < 4 as an error.
This makes the "subtract 4 octets of crap" code similar in all cases,
hopefully further reducing the opacity of the code.
Change-Id: I41cda101b321422ce5fd4474fb6903bfe471cb63
Reviewed-on: https://code.wireshark.org/review/23534
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(In the hope of making the code slightly less opaque.)
Change-Id: Ic635eedac4eb9fb764b3633c9003608b9b4ae3df
Reviewed-on: https://code.wireshark.org/review/23533
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Be consistent in the treatment of those 4 octets.
Change-Id: If35c94bd299c3e7ec76306daf325d5aa5e3a19b9
Reviewed-on: https://code.wireshark.org/review/23530
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There may be some amount of bogosity involved but initialize the
variables and add a default case to prevent the noise and the build
from breaking with -Werror.
Change-Id: I20432ea74a1e5edc28be75a97077c9aa7bc87a35
Reviewed-on: https://code.wireshark.org/review/23426
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
It's just a WTAP_ENCAP_IEEE_802_11
Change-Id: I7369fac06a7d63812bb7ce7b3c16b9fe606f544c
Reviewed-on: https://code.wireshark.org/review/23418
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
For a sane plugin build environment. Include config.h as the first
header in the .c file instead.
Fix by moving required compiler attribute macros to a new
"ws_attributes.h" API header.
Change-Id: I34f58a927f68c1a0e59686c14d214825149749e1
Reviewed-on: https://code.wireshark.org/review/23400
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Normally a .cap file contains a network type that when masked with 0xFFF
will convert to a pcap LINKTYPE_ value. However, Microsoft Analyzer
used 0xE080-0xE08A for their own purposes within a .cap file.
Add support for the WPFCapture formats and give a "not supported" error
message to the few left unsupported.
Bug: 10556
Change-Id: I321a75ce769fdec75bdc6b595936c25932950a97
Reviewed-on: https://code.wireshark.org/review/23386
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 4221
Change-Id: I59aff777c364af1a064e1e99ea9ac6692a4cedfa
Reviewed-on: https://code.wireshark.org/review/23333
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There isn't a place at the moment that uses it, but prepare
that use by parsing out the process info table and placing
it the netmon private data.
Bug: 4224
Ping-Bug: 1184
Change-Id: I6186b3dce0333042357089d8517c8b47b5ff7f70
Reviewed-on: https://code.wireshark.org/review/23316
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The NetMon wiretap reads the title and description comment fields from a
NetMon file and saves it in the wiretap private structure. Then when
it's time to make a frame, the comment fields are added to a NetMon
pseudoheader with a new WTAP ENCAP type, with the potential for netmon
pseudoheader to contain pseudoheader data from "base" wiretap. Then the
netmon_header dissector displays the comment fields and passes any "base"
wiretap pseudoheader data when calling the wtap_encap dissector table
that the frame dissector normally calls.
Bug: 4225
Change-Id: I8f772bc9494364c98434c78b61eb5a64012ff3b9
Reviewed-on: https://code.wireshark.org/review/23210
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Assigned a WTAP_ENCAP value (WTAP_ENCAP_NETMON_NET_NETEVENT) for the
dissection of Event Tracing records inside a NetworkMonitor file.
Ping-Bug: 6520
Ping-Bug: 6694
Change-Id: Ib100f3779095842e78f9b7741e80258aa866d818
Reviewed-on: https://code.wireshark.org/review/23278
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Use this for nordic_ble dissection.
Change-Id: I5323cbd8c244c4e3b645825c60d040e1ae8f3b81
Reviewed-on: https://code.wireshark.org/review/23219
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Undo most of the changes, but turn the return at the end of the default
case into a break.
Change-Id: I022b62a85254ff188f19fd3d7c3fe40b0789b3d2
Reviewed-on: https://code.wireshark.org/review/22695
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit 74a2ae4aba.
No, that's just Coverity not understanding macros *again*, and thinking a particular expanded instance of a macro is the result of some human being silly rather than of the arguments being such that some computations can be elided at compile time.
Change-Id: I40f2ad8bf018b0df02d90ed0e272505be68dae7e
Reviewed-on: https://code.wireshark.org/review/22693
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The default case ends with return, so the pointer won't be null by the
time out exit the case statement - either a non-default case is
processed and tag_ptr hasn't been set to null, or the default case is
processed and you return before getting there.
That also means we don't need to set tag_ptr to null in that case.
Fixes CIDs 1415436.
Change-Id: I21ada7a308d888b4cbb8557197a2e30bda118f44
Reviewed-on: https://code.wireshark.org/review/22691
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Convert it to a 4-byte value and byte-swap *that*.
Fixes CID 1415438.
Change-Id: I5cf0b5905f5dd2086c5d8ed6b13b1921bdb69a84
Reviewed-on: https://code.wireshark.org/review/22689
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The default case ends with return, so the pointer won't be null by the
time out exit the case statement - either a non-default case is
processed and tag_ptr hasn't been set to null, or the default case is
processed and you return before getting there.
That also means we don't need to set tag_ptr to null in that case.
Fixes CID 1415439.
Change-Id: Id2609c0828561c560820f9cb5e6b5a0ae614aead
Reviewed-on: https://code.wireshark.org/review/22686
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The array of headers has MAX_ERF_EHDR entries, and the additional
entries are appended after the first entry, so that leaves room for at
most MAX_ERF_EHDR - 1.
Fixes CID 1415440.
Change-Id: Iaa2c3577bbff429bcc1301e4cfdf1961f067be93
Reviewed-on: https://code.wireshark.org/review/22684
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A packet time stamp is an nstime_t, and the seconds part of an nstime_t
is a time_t.
Change-Id: Id2452ceb2f33f43e4a040436d7b3ea1a5c4a0be3
Reviewed-on: https://code.wireshark.org/review/22673
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Support per-packet comments in ERF_TYPE_META through a new Anchor ID
extension header with per-Host unique 48-bit Anchor ID which links an
ERF_TYPE_META record with a packet record. There may be more than one
Anchor ID associated with a packet, where they are grouped by Host ID
extension header in the extension header list. Like other ERF_TYPE_META
existing comments should not be overwritten and instead a new record
generated. See erf_write_anchor_meta_update_phdr() for detailed comments
on the extension header stack required.
As Wireshark only supports one comment currently, use the one one with
the latest metadata generation time (gen_time). Do this for capture
comment too.
Write various wtap metadata in periodic per-second ERF_TYPE_META records
if non-WTAP_ENCAP_ERF or we have an updated capture comment.
Refactor erf_dump to create fake ERF header first then follow common
pseudoheadr and payload write code rather than two separate code paths.
Support an ERF_HOST_ID environment variable to define Wireshark's Host
ID when writing. Defaults to 0 for now.
ERF dissector updates to support Anchor ID extension header with basic
frame linking.
Update ERF_TYPE_META naming and descriptions to official name
(Provenance)
Core changes:
Add has_comment_changed to wtap_pkthdr, TRUE when a packet
opt_comment has unsaved changes by the user.
Add needs_reload to wtap_dumper which forces a full reload of the file
on save, otherwise wireshark gets confused by additional packets being
written.
Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c
Ping-Bug: 12303
Reviewed-on: https://code.wireshark.org/review/21873
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A linktype was recently assigned to Linux vsock in libpcap commit
cfdded36ddcf5d01e1ed9f5d4db596b744a6cda5 ("added DLT_VSOCK for
http://qemu-project.org/Features/VirtioVsock").
The Wireshark vsock dissector can now be automatically applied when
wtap_encap matches the new WTAP_ENCAP_VSOCK constant.
This patch makes Wireshark dissect vsock packet captures without
manually specifying the dissector.
Change-Id: If252071499a61554f624c9ce0ce45a0ccfa88d7a
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-on: https://code.wireshark.org/review/22611
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
It needed to be done:
https://github.com/shirriff/pup-wireshark
(And, yes, there really *is* a DLT_/LINKTYPE_ for it! The original DLT_
values were ARP hardware types, and 3MB Ethernet was assigned an ARP
hardware type of 2.)
Change-Id: I60d96c28e67854adcb28c7e3579ae5dd1f07df4b
Reviewed-on: https://code.wireshark.org/review/22336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
In change 18a3b0659c, I moved the table
that uses it, but not the actual definition, from libpcap.c to
pcap-common.c; they both should have been moved. Make it so.
Change-Id: I266fce455df3848b873cdfadb12cecdbf9c8d4d3
Reviewed-on: https://code.wireshark.org/review/22216
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have them all be "usb-XXX", where XXX indicates the type of header.
Change-Id: I7f1bfea7e264b17c57f94c484d64d1cce91b9b78
Reviewed-on: https://code.wireshark.org/review/22147
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Correct some symbolic references in source file comments
and add a note about the CMake configuration options.
Change-Id: Idb670a2c798c2a52cdce142340ce8fc5a2022508
Reviewed-on: https://code.wireshark.org/review/22138
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add support for handling LoRaTap (https://github.com/eriknl/LoRaTap) DLT in
wiretap and add dissector for LoRaTap headers.
Exposes Syncword for subdissectors to dissect frame payload.
Change-Id: Ie4ba2189964376938f45eb3da93f2c3376042e85
Reviewed-on: https://code.wireshark.org/review/21915
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Either 1) it can be determined from the libwiretap encapsulation type,
in which case it's redundant information or 2) there *is* no pcap/pcapng
link-layer header type for that encapsulation type, in which case you
need to check for the attempt to determine it failing and handle that
failure appropriately.
Change-Id: Ie9557b513365c1fc8c6df74b9c8239e29aad46bc
Reviewed-on: https://code.wireshark.org/review/21924
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For HT mixed, set it the same way it's set for HT greenfield.
For pre-HT, set it to 0.
Also, for the "unknown" case, set rate_mcs_index to 0.
This should obviate the need to initialize either of those variables,
don't initialize them, so that failing to set them in an arm of the
switch statement shows up as an error if the compiler's dataflow
analysis actually bothers to check this.
Change-Id: I92703770dd5000a579b53609fb93a2085fd9fca3
Reviewed-on: https://code.wireshark.org/review/21573
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I don't know whether this is a bug in the software or a lack of support
in the hardware.
This at least notes the issue in CID 1405905.
Change-Id: I481454bc38842a0f877cb8b52b73e1156fd362b5
Reviewed-on: https://code.wireshark.org/review/21558
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's valid only for 3 or 6 spatial streams; return 0 as the bitrate
for all other values. Also, handle the 6 spatial streams case.
Give the conversion tables explicit sizes, to make it clear what
subscripts are valid.
Return 0 for an MCS > 9, for consistency with the other error return,
and to mark it as clearly wrong.
Fixes CID 1405908.
Change-Id: Icbf655c63c0e88fd6cec7c66bae85fd887a3bd9c
Reviewed-on: https://code.wireshark.org/review/21557
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That should remove the need to initialize them, make it clearer what
values are being used in the "RF only" case, and catch any cases where
they don't get set in the "not just RF" case in the future.
Change-Id: I10c3ecef608ed2f481111fb7bc32bb8494b68d27
Reviewed-on: https://code.wireshark.org/review/21536
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Prevents some compiler warnings
Change-Id: I9d62d0f3e6b7794c5ed43f37d52f86d81344a33c
Reviewed-on: https://code.wireshark.org/review/21531
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add some parentheses to make an expression clearer to people who haven't
memorized the table of C operator precedences.
Don't fiddle the nss variable in place; explicitly combine it with the
IS_TX value when we put it in the header, to make it clearer what's in
that header byte.
Change-Id: I870b892fb9dab2bc210956f923e0183f4e147989
Reviewed-on: https://code.wireshark.org/review/21530
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The packet-ixveriwave.c dissector appears to do so.
Change-Id: Ie02c4611ef18e83abcd3b625bbc40014080ffca1
Reviewed-on: https://code.wireshark.org/review/21525
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do the MCS -> NSS mapping for HT by a table lookup.
For VHT with Series II, do it the old way for now, under the assumption
that the MCS index and NSS are bit fields, but note that the MCS index
and NSS bit fields would overlap.
Change-Id: Ibc89590faf15900171b2a1b4ac1e50793ed70c32
Reviewed-on: https://code.wireshark.org/review/21523
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That maeks the code a little clearer.
It also makes it clearer that the "MCS index" is, for pre-HT, a rate
index, so rename some variables and macros.
Change-Id: I64b7bca073df0f837e5d968682345187000207fc
Reviewed-on: https://code.wireshark.org/review/21521
Reviewed-by: Guy Harris <guy@alum.mit.edu>
They're not necessary for most hardware; remove the unnecessary checks,
and add comments indicating why they're not necessary (or fix the
"maximum value of actual_octets is" part of the comment).
They *are* necessary for Series III hardware; put in the check.
Change-Id: Idd64a74099d5cf7398a2ddb850442e53c9206724
Reviewed-on: https://code.wireshark.org/review/21491
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add some additional blank lines, remove some extra, blank lines, fix
indentation.
Make vVW510024_E_IS_VLAN 32-bits, to match the other flags.
Change-Id: Id1cd63ff2b75764907a44e9f8525b1537666fde1
Reviewed-on: https://code.wireshark.org/review/21488
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's only a 17-byte PLCP header with the Series III hardware.
Change-Id: Ice8dfbbc5daa0578ee4eb6588fc8a8b597806d0d
Reviewed-on: https://code.wireshark.org/review/21487
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it clearer that the Series I hardware doesn't do HT or VHT.
Change-Id: Ibeccfcba997555bef06098828f01951dc32a6d2c
Reviewed-on: https://code.wireshark.org/review/21486
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix "VHTPPDU" to be "VHT PPDU".
Move the code that processes the RSSI values before the code that
processes the next two bytes of the header, so it's done in order; that
makes it a bit easier to see the layout of that header (although 2 bytes
of it are processed below).
Fix the comment describing what the first 16 bytes of the record data
after the stats are. Don't use vVW510021_W_STATS_HEADER_LEN - that's
for the Series II hardware.
Fix some indentation.
Change-Id: If47c4a44fd5e72971a28daf6af88d5e19c53abbe
Reviewed-on: https://code.wireshark.org/review/21482
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(The dissector checks for it.)
Change-Id: Ic1456b263f3cbda2a630259a2b71b1f1015b5e3e
Reviewed-on: https://code.wireshark.org/review/21442
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Include the RF information length if there's RF information.
While we're at it:
Rename the variable holding the offset of the stats information from "j"
to "stats_offset", to make it clearer what it is.
Clean up whitespace.
Get rid of comments that no longer apply.
Improve the comment explaining the MPDU_OFF value for Series III.
Change-Id: I49e2926a80aa8bb11f87d97fdc628bcc9f1220e0
Reviewed-on: https://code.wireshark.org/review/21439
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add #defines for the remaining command types, based on some other
Get rid of the HEADER_IS_xxx #defines; they're the same for all
hardware, and the switch statement doesn't distinguish between different
hardware.
Set *IS_TX in the switch statement cases. While we're at it, set v_size
and *v_type in the default case; add a VT_UNKNOWN value for that case.
Change-Id: Ib17d1e435c99fcb746144b4735c160a5f22b7544
Reviewed-on: https://code.wireshark.org/review/21438
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There aren't any "4 Management bytes for OCTO version FPGA" in that
header.
Change-Id: I57f673dad5bc10b888fae22c2fb1a45af57ff493
Reviewed-on: https://code.wireshark.org/review/21434
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Idad8f7eeed968eeed9f553fef98d58453f328afb
Reviewed-on: https://code.wireshark.org/review/21421
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Tested-by: Michael Mann <mmann78@netscape.net>
Whitespace, remove now-irrelevant comments, add more comments, expand
some comments, make an if chain more straightforward.
Change-Id: I9772022247e2f0fdbfc676db9f0031bad7f8884d
Reviewed-on: https://code.wireshark.org/review/21423
Reviewed-by: Guy Harris <guy@alum.mit.edu>
You don't have to and the bitfield container with a mask and compare it
against the bit, you can just test the bit, which is a pretty standard C
idiom.
Change-Id: I87b3d84f802114199fb93357358412c623199ca2
Reviewed-on: https://code.wireshark.org/review/21422
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This makes stuff a bit clearer.
Also, add some comments, remove some redundant comments, fix some
comments, and use some #defines instead of hardcoded constants and
expressions.
And get rid of an unnecessary setting of *err to WTAP_ERR_SHORT_READ -
either it's a short read, in which case it was already set to
WTAP_ERR_SHORT_READ, or it's *not* a short read, in which case *err was
set to the appropriate error code, and we should leave it alone.
Change-Id: I657f505915854ac4a6b85e87b4021961b1a1c507
Reviewed-on: https://code.wireshark.org/review/21415
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's only called if vwr->FPGA_VERSION is S2_W_FPGA, so any code that's
run only if it's *not* S2_W_FPGA is dead code. Remove it, for clarity.
While we're at it, add some new comments, fix some comments, and get rid
of an unused argument to vwr_read_s2_W_rec().
Change-Id: I3e4bd5d7a79f36d8354a0bbf875ee87eeaf60d43
Reviewed-on: https://code.wireshark.org/review/21414
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The cfile_ error-reporting routines free err_info; the caller doesn't
have to and, in fact, mustn't do so themselves.
While we're at it, make sure wtap_seek_read() always zeroes out *err and
nulls out *err_info, so the latter either points to a freshly-allocated
string or is null.
Change-Id: Idfe05a3ba2fbf2647ba14e483187617ee53e3c69
Reviewed-on: https://code.wireshark.org/review/21407
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Attempt to make the various metadata headers, and the code that
constructs them, a bit clearer.
(Also, it's VeriWave; be consistent.)
Change-Id: I0bb7d70f547d492c4947ceb313888991f2d374f2
Reviewed-on: https://code.wireshark.org/review/21360
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have them just return the information needed for the caller to produce
an error message, and have the callers use the new cfile_ routines for
reporting errors.
This requires that the "write failure alert box" routine take the
*input* file name as an argument, so that, on a merge, if the problem is
that a record from a given input file can't be written out to the type
of output file we're generating, the input file name can be given, along
with the record number in that file.
Change-Id: If5a5e00539e7e652008a523dec92c0b359a48e71
Reviewed-on: https://code.wireshark.org/review/21257
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Addresses CIDs 1398222 and 1398221.
Fix the previous fix while we're at it.
Change-Id: I6fe54e6ad115ac05154291b76de316426db72139
Reviewed-on: https://code.wireshark.org/review/21176
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's more consistent.
Handle the "libpcap" names for backwards compatibility.
Change-Id: I819404d69bddd733b7ee38e23d3ddc71110c0faf
Reviewed-on: https://code.wireshark.org/review/21172
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The only place the time stamp precision is used is in the libpcap code,
where it determines whether to write out microsecond-precision or
nanosecond-precision time stamps; we can determine that by looking at
the type/subtype field, which is also part of that structure, so do
that.
We weren't setting it consistently - we were only setting it in libpcap
and a few other capture file writers, and not in other capture file
writers - and none of the writers other than libpcap used it.
Change-Id: If53779cf4823ca936b8bf3e8a7dbcfea5850e652
Reviewed-on: https://code.wireshark.org/review/21171
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The chances that they won't, in this case, are slim to none, as the time
is after the Epoch, but this squelches CID 1398223.
We'll change the master branch to require an err_info string for
WTAP_ERR_INTERNAL and to display it in a future commit.
Change-Id: Ifb51076b25117efc53ba3ad8b434e36c71f7600f
Reviewed-on: https://code.wireshark.org/review/21169
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Avoid anachronisms, however; there was no "macOS 10.0" or even "OS X
10.0", for example. It was "Mac OS X" until 10.8 (although 10.7 was
sometimes called "OS X" and sometimes called "Mac OS X"), and it was "OS
X" from 10.8 to 10.11.
Change-Id: Ie4a848997dcc6c45c2245c1fb84ec526032375c3
Reviewed-on: https://code.wireshark.org/review/20933
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The loop was using bytes_read, but wasn't setting it. Go back to
something similar to the previous loop condition, but don't lose the
error tests.
Fixes Coverity CID 1403388.
Change-Id: I557cbfa6e9ad81491af4fc90e85ce87c71fec8aa
Reviewed-on: https://code.wireshark.org/review/20776
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Makes Windows vscodeanalysis a little happier.
Change-Id: Ie744e91ab3f2a9744ae21c932ab6ea25467ad2fa
Reviewed-on: https://code.wireshark.org/review/20724
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Changed to use correct option_id when reading IDB.
Change-Id: Id3a3b3cd95f9d7bcf51de001cfe246beb98590ad
Reviewed-on: https://code.wireshark.org/review/20663
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also, if we return WTAP_OPEN_ERROR from an open routine after we've set
our close routine, that routine is called, which frees up our private
data structures; don't free them ourselves before returning
WTAP_OPEN_ERROR.
Change-Id: I03eebe1a1677e2161fdacec8de14668093cf03a3
Reviewed-on: https://code.wireshark.org/review/20522
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 13478
Change-Id: I6be2972979ff7cabf27e70d236c581d539d6ddac
Reviewed-on: https://code.wireshark.org/review/20515
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The maximum record length is 255*128 + 127 = 32767; that fits in a
guint32, which is large enough to support the biggest packet we'd ever
support without stretching several size values to 64 bits.
It's not a size of an object in memory, so it doesn't have to be a
size_t, and a size_t could be too large to fit in the record sizes we're
using.
Just cast to guint32.
Change-Id: Ie664fda3ce9945893fd992bbb9a81a5d632a3fcb
Reviewed-on: https://code.wireshark.org/review/20479
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When vmnames are included in the header of a netscaler packet trace,
number of bytes equal to the size of vmnames is omitted from the packet,
by the dissector.
Bug: 13459
Change-Id: I0f907e9c2e08c1cbebd47f7e50d8284a6aaade59
Reviewed-on: https://code.wireshark.org/review/20446
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It warns that a 32-bit value is being shifted left and then converted to
a 64-bit type; presumably it means "this might overflow and not give you
the result you expect". That's unlikely to be the case here, as few
UN*X file systems have a recommended I/O block size > 2^30, but we might
as well throw in a cast so the convert-to-a-64-bit-type is done first.
Change-Id: Id6ab11d750d5cf4cc03d060d63edc01b66cd179d
Reviewed-on: https://code.wireshark.org/review/20352
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We're now comparing an unsigned with an expression made mostly of
unsigned, so there's no need to cast the expression to long to squelch
signed vs. unsigned warnings.
Change-Id: I3b8c6f6faf26a9c252eb55d9e69fb298a3ad4c3b
Reviewed-on: https://code.wireshark.org/review/20347
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The record size fields are guint8, but NSPR_V20RECORDSIZE_2BYTES was
0x80, which has type int, promoting the result to int. Make it 0x80U,
which means everything is unsigned.
This squelches a compiler warning.
Change-Id: I1c63e485352a90c7f675ab0dacaaeba794235b35
Reviewed-on: https://code.wireshark.org/review/20344
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do the check early in the process of processing the record, and do it
for all record types.
Bug: 13429
Change-Id: Id7f4d12415c6740241850d8f873cff52909e7110
Reviewed-on: https://code.wireshark.org/review/20330
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Records in a properly formatted NetScaler file shouldn't go past the end
of a page, but nothing guarantees that a NetScaler file will be properly
formatted.
NetScaler 3.x files allow record bodies to go past the end of a page,
but 1.x and 2.x files don't, so treat record headers that go past the
end of a page, and record bodies in 1.x and 2.x files that go past the
end of a page, as errors.
Clean up some stuff while we're at it.
Bug: 13430
Change-Id: I3b1d56086e3bb14b246406f306e3d730df337561
Reviewed-on: https://code.wireshark.org/review/20326
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I8c339e7484d410460d499dd2923641630b482ebe
Reviewed-on: https://code.wireshark.org/review/20303
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
If plugin_list was NULL, plugin_types didn't get cleaned.
Add test and set of open_info_arr.
Change-Id: I7669e3ba86039fb2b26ff2da64f51896053c5e68
Reviewed-on: https://code.wireshark.org/review/20195
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I76ea675625ef2812f51bad0c37f6c58060897f55
Reviewed-on: https://code.wireshark.org/review/20172
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The packet length field gives the length of the *entire* packet, so, by
definition, it must not be zero. Make sure it's at least big enough for
the packet header itself plus one segment header.
Bug: 13416
Change-Id: I625bd5c0ce75ab1200b3becf12fc1c819fefcd63
Reviewed-on: https://code.wireshark.org/review/20133
Reviewed-by: Guy Harris <guy@alum.mit.edu>
João Valverde