Microsoft Network Monitor lets you capture on an 802.11 adapter either
in monitor mode or in non-monitor mode; frames captured in non-monitor
mode may have the Protected bit set in the 802.11 header, but are
decrypted and don't incclude encryption information, and may have the
A-MSDU Present flag set in the QoS Control field, but have just a
regular frame payload, not a sequence of A-MSDUs, in the payload field.
Dissect those frames correctly.
Bug: 16758
Change-Id: I42b7e9ce52faa80222692403fa7276c039644343
Reviewed-on: https://code.wireshark.org/review/38082
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add a tsprec value to the wtap_dump_params structure, giving the
per-file time stamp precision.
In wtap_dump_init_dumper(), when constructing a dummy IDB for files that
don't have one, fill in the tsprecision and time_units_per_second values
based on the tsprec value in the wtap_dump_params structure.
Change-Id: I3708b144d4d0ac0dfbe32bd1c16768a75c942141
Reviewed-on: https://code.wireshark.org/review/37979
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It generates a fake IDB for files that don't have interface information
and that have a per-file encapsulation type, snapshot length, and time
stamp precision, and adds it to the file's list of IDBs.
Use it for libpcap.
We will use it later for other file formats, so that code such as the
mergecap code to merge into a pcapng file can handle input files that
don't have interface information.
(We should have a way to indicate whether the IDBs are real or fake, so
that capinfos and Statistics > Capture File Properties don't report
meaningless IDB information and make it look as if it's known that the
capture was done on one interface with the properties in question.)
Change-Id: Iec124bf3c7cbd4c69ec2ac7d0dd776e5287f8576
Reviewed-on: https://code.wireshark.org/review/37982
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Also note that the record header might have additional stuff at the end,
although not all record headers do (the header length will indicate
what's there).
Change-Id: I5a9ff1f9cd592448bcc45d18808f4b651cdb2f0d
Reviewed-on: https://code.wireshark.org/review/37921
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add support to read/write the new EPB options, epb_packetid,
epb_queue and epb_verdict, from/to pcap files.
In addition, it updates the packet-frame dissector to dissect
these new fields.
More details on the options can be found in the PcapNG
specification: https://github.com/pcapng/pcapng
An application using these new fields can be found here:
https://github.com/chaudron/xdp-tools/tree/dev/pcapngII/xdp-dump
Change-Id: I761b8114b437fe573dd2c750e35586ad88494938
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-on: https://code.wireshark.org/review/37412
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 16255 - support HE MCS to rate conversion
Change-Id: I4a4a6c3d62c167b654d150c397047a55f287e6c8
Reviewed-on: https://code.wireshark.org/review/37255
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Make wtap_file_get_shb() take a section number argument, and update code
that called it. In most cases, we convert the code to iterate over
sections; in cases where a big code change would be required, we
temporarily pass it 0 and mark the code as "needs to be updated for
multiple sections".
Eliminate cf_read_section_comment(); in calls outside file.c, other code
directly calls the libwiretap routines it calls and, inside file.c, we
just transplant the code and then fix it not to assume a single SHB.
Change-Id: I85e94d0a4fc878e9d937088759be04cb004e019b
Reviewed-on: https://code.wireshark.org/review/37000
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Allows opening MP4 (ISO/IEC 14496-12) media files in Wireshark and
viewing their structure.
Change-Id: Ie20b8b89dc69bb52d6faa890e547d90317adecf6
Reviewed-on: https://code.wireshark.org/review/35804
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Apparently, at least in some regulatory domains, the DMG PHY now goes
above 66 GHz or may do so in the future; the new/future top appears to
be 71 GHz.
Change-Id: I1ee3f9cff177eed269ccc8318b5c952dbeb526ff
Reviewed-on: https://code.wireshark.org/review/35529
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It turned out that 1 MiB is not enough as atleast the URBs sent by
Android fastbool tools are greater than 1 MiB (1 MiB payload + USBPcap
pseudoheader). Raise the maximum packet size all the way up to 128 MiB.
128 MiB is the upper bound of maximum packet that can be captured by
all official USBPcap releases.
Bug: 15985
Change-Id: Ibbf41f7efae6e0f841e36d39664394e8a8eae77d
Reviewed-on: https://code.wireshark.org/review/34793
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Dissect raw USB Packets. The actual USB packets to transaction conversion
(which is needed to pass the data to existing USB URB dissector) is not
implemented yet.
Ping-Bug: 15908
Change-Id: Ia75d58882d770fdd8650622d318241743069ad8f
Reviewed-on: https://code.wireshark.org/review/34006
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There may need to be more of these.
Bug: 15740
Change-Id: I5d3a97ed50d66dfcb85df0ab7053e8a44c531134
Reviewed-on: https://code.wireshark.org/review/33280
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
That makes it - and the routines that implement it - work more like the
seek-read routine.
Change-Id: I0cace2d0e4c9ebfc21ac98fd1af1ec70f60a240d
Reviewed-on: https://code.wireshark.org/review/32727
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
209 is LINKTYPE_IPMB_LINUX; add _LINUX/_linux to the WTAP_ENCAP_ name
and function/structure names, to clarify that it's not I2C in general,
it's I2C with a particular pseudo-header.
199 is now LINKTYPE_IPMB_KONTRON, not LINKTYPE_IPMB, as it doesn't have
raw I2C packets, it has I2C packets with a pseudo-header. Change the
WTAP_ENCAP_ name, and add a dissector for it.
Change-Id: Ie097f4317b03d2b2adfd9b81a4b11caf6268399e
Reviewed-on: https://code.wireshark.org/review/32539
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
New link type for IEEE 802.15.4 with pseudo-header and optional
meta-data TLVs, PHY payload exactly as it appears in the spec (no
padding, no nothing), and FCS if specified by FCS Type TLV.
Specification at https://github.com/jkcko/ieee802.15.4-tap
Bug: 15429
Change-Id: I67bd154891ad5818be9a1630aa5cbb863b55509a
Reviewed-on: https://code.wireshark.org/review/32141
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add macros to extract the direction, reception type, and FCS length
fields of the pack_flags field, and add definitions for different
directions and reception types.
Add a macro to construct a pack_flags field value from subfields; this
is for use by non-pcapng file readers (the pack_flags field is just a
copy of the EPB flags option, so that's not needed for pcapng).
Move some #defines for that field from packet-frame.c to wtap.h, and
rename them to match the new macros.
Use the macros rather than rolling our own code.
Fix a variable name in text2pcap.c that apparently had the wrong name,
given the value that was being tested.
Change-Id: Ia788ca4e9f5fabd8d24e6ead5ff1817509f54827
Reviewed-on: https://code.wireshark.org/review/32010
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a dissector for http://fd.io vpp graph dispatch traces. The file
format is described in detail here:
https://fdio-vpp.readthedocs.io/en/latest/gettingstarted\
/developers/vnet.html#graph-dispatcher-pcap-tracing
Fuzz-tested with good results.
Bug: 15411
Change-Id: I3b040bb072ce43fb2fb646a9e473c5486654906a
Signed-off-by: Dave Barach <dave@barachs.net>
Reviewed-on: https://code.wireshark.org/review/31466
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
What we were calling the "name" is actually a description to show to
users; what were calling the "short name" is just the name to use on the
command line.
Rename some routines and structure members, and put the name first and
description second in the table.
Expand some descriptions to give more details (e.g., to be more than
just a capitalized version of the name).
Fix the CamelCase capitalization of InfiniBand.
Change-Id: I060b8bd86573880efd0fab044401b449469563eb
Reviewed-on: https://code.wireshark.org/review/31472
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Ie5ab56f1ee80d14032969cbe7f31e086fb2b4b91
Reviewed-on: https://code.wireshark.org/review/31159
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Support reading and writing pcapng files with DSBs. A DSB may occur
multiple times but should appear before packets that need those
decryption secrets (so it cannot be moved to the end like NRB). The TLS
dissector will be updated in the future to make use of these secrets.
pcapng spec update: https://github.com/pcapng/pcapng/pull/54
As DSBs may be interleaved with packets, do not even try to read it in
pcapng_open (as is done for IDBs). Instead process them during the
sequential read, appending them to the 'wtap::dsbs' array.
Writing is more complicated, secrets may initially not be available when
'wtap_dumper' is created. As they may become available in 'wtap::dsbs'
as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference
this array. This saves every user from checking/dumping DSBs.
If the wtap user needs to insert extra DSBs (while preserving existing
DSBs), they can set the 'wtap_dumper::dsbs_initial' field.
The test file was creating using a patched editcap (future patch) and
combined using mergecap (which required a change to preserve the DSBs).
Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9
Ping-Bug: 15252
Reviewed-on: https://code.wireshark.org/review/30692
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Move all the compressed-file type stuff to wiretap/file_wrappers.c.
Rename wtap_compressed_file_extension() to
wtap_compression_type_extension() for consistency with the other
compression-type-extension routine names.
Move the declarations of the compression-type-extension routines in the
header file.
wtap_compression_type_extension() now returns NULL for
WTAP_UNCOMPRESSED; there's no need to special-case it.
Get rid of the now-unused wtap_compression_type_supported() and
WTAP_NUM_COMPRESSION_TYPES.
Change-Id: Ib93874079bea669a0c87104513dba0d21390455a
Reviewed-on: https://code.wireshark.org/review/30729
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_compressed_file_extension(), which returns NULL for
WTAP_UNCOMPRESSED and the appropriate file extension for other
compression types.
Add wtap_compression_type_supported(), which returns TRUE for
WTAP_UNCOMPRESSED and all supported compression types and FALSE
otherwise. ("Supported" means "the code can decompmress files in that
compression format and can write files in that compression format", so
WTAP_GAIP_COMPRESSED is supported iff libwiretap is built with zlib.)
In MainWindow::fileAddExtension, instead of checking for
WTAP_GZIP_COMPRESSED and using ".gz" as the extension, use the extension
returned by wtap_compressed_file_extension() for the compression type.
Change-Id: I47cb0eca8c887ada3562df30b54e76509008180f
Reviewed-on: https://code.wireshark.org/review/30707
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_compression_type_description(), which returns NULL for
WTAP_UNCOMPRESSED and a descriptive string for other compression types.
Instead of checking for WTAP_GZIP_COMPRESSED and appending "(gzip
compressed)", just pass the compression type to
wtap_compression_type_description() and, if the result is non-null,
append its result, wrapped in parentheses, with a space before the left
parenthesis.
Change-Id: I79a999c7838a883953795d5cbab009966e14b65e
Reviewed-on: https://code.wireshark.org/review/30666
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This:
1) means that we don't have to flag the compression argument with a
comment to indicate what it means (FALSE doesn't obviously say "not
compressed", WTAP_UNCOMPRESSED does);
2) leaves space in the interfaces in question for additional compression
types.
(No, this is not part 1 of an implementation of additional compression
types, it's just an API cleanup. Implementing additional compression
types involves significant work in libwiretap, as well as UI changes to
replace "compress the file" checkboxes with something to indicate *how*
to compress the file, or to always use some other form of compression).
Change-Id: I1d23dc720be10158e6b34f97baa247ba8a537abf
Reviewed-on: https://code.wireshark.org/review/30660
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use it for all the per-file information, including the per-file
link-layer type and the per-file snapshot length.
Change-Id: Id75687c7faa6418a2bfcf7f8198206a9f95db629
Reviewed-on: https://code.wireshark.org/review/30616
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Have the routines always take a parameters pointer; pass either null or
a pointer to an initialized-to-nothing structure in cases where we were
calling the non-_ng versions.
Change-Id: I23b779d87f3fbd29306ebe1df568852be113d3b2
Reviewed-on: https://code.wireshark.org/review/30590
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Four variants of wtap_dump_open_ng exists, each of them take the same
three parameters for the SHB, IDB and NRB blocks that has to be written
before packets are even written. Similarly, a lot of tools always create
these arguments based on an existing capture file session (wth).
Address the former duplication by creating a new data structure to hold
the arguments. Address the second issue by creating new helper functions
to initialize the parameters based on a wth. This refactoring should
make it easier to add the new Decryption Secrets Block (DSB).
No functional change intended.
Change-Id: I42c019dc1d48a476773459212ca213de91a55684
Reviewed-on: https://code.wireshark.org/review/30578
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The radiotap spec says "dB antenna signal" and "dB antenna noise" are
unsigned. Make it universally so.
Change-Id: Iea2c5360d7352ca5e84862ea338d1fc689272191
Reviewed-on: https://code.wireshark.org/review/30410
Reviewed-by: Guy Harris <guy@alum.mit.edu>
While we're at it, only set the RSSI column once - no need to do it at
the beginning and later when we're setting fields.
Change-Id: Ia729019e5e6dfbe1cdad61f1f8397b0a3a171996
Reviewed-on: https://code.wireshark.org/review/30405
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Either it's TRUE, meaning sent, or it's FALSE, meaning received. Make
it a gboolean and get rid of the #defines for it. ("Unknown" is handled
by the WTAP_ENCAP_ value not *having* a p2p pseudo-header.)
Change-Id: I650d7213523b49e7531d9555a98cde1be519a294
Reviewed-on: https://code.wireshark.org/review/29836
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not just for X.25, it's for anything that has the notion of Data
Terminal Equipment and Data Communications Equipment; call it "dte_dce",
not "x25".
Change-Id: I3d51fec8b424e91ffd6d59895f50fc5ece791b08
Reviewed-on: https://code.wireshark.org/review/29834
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a file parser and dissector that can handle the output of
`journalctl -o export`. From here we can add a systemd journal extcap
and possibly support for the JSON and binary formats.
Change-Id: I01576959b2c347ce7ac9aa57cdb5c119c81d61e9
Reviewed-on: https://code.wireshark.org/review/29311
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We call that dissector even for zero-length PSDUs, so the radio
information is shown. We also show the zero-length PSDU type.
We don't call the 802.11 dissector for zero-length PSDU frames.
That way, you don't have to open up the radiotap information to find out
about zero-length PSDU frames, we can support zero-length PSDU
information for other pseudo-headers and file types if they support it,
and taps using the radio information can get zero-length PSDU frame
information.
Change-Id: I7d5da4ea978d8ca4889fc76160f11e3416b4d036
Reviewed-on: https://code.wireshark.org/review/29034
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do some renaming.
Change-Id: If8fa85370014f9618df38d97048dd1c52a4c389f
Reviewed-on: https://code.wireshark.org/review/28918
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have the Wiretap code just do a heuristic test to see if the file looks
like a RFC 7468 file and just had the entire blob of raw file data to
the caller, with an encapsulation type of WTAP_ENCAP_RFC7468.
Have a file-rfc7468.c dissector that processes the lines of the file,
displaying all of them. Have it extract the label from the
pre-encapsulation boundary line, and, after it's decoded the
base64-encoded data lines into a blob of data, try handing the tvbuff
with the blob to dissectors that have registered in the
"pem.preeb_label" dissector table with the appropriate label value, and
hand it to the raw BER dissector only if that fails.
This allows some files to have the content dissected as more than just a
raw blob of BER-encoded data.
Change-Id: I98db9f0beb86e5694fb8e886005a2df4fc96ba71
Reviewed-on: https://code.wireshark.org/review/28914
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Strip off only extensions that correspond to file types we know about;
QFileInfo::baseName() strips off *all* extensions, where "extension" is
"anything preceded by a .", so it turns foo.bar.pcap.gz into foo, not
foo.bar. We don't want that; instead, we strip off only those
extensions that correspond to file types we know how to read, so we'd
strip off .pcap.gz in foo.bar.pcap.gz, and strip off .pcap in
foo.bar.pcap, leaving foo.bar in both cases.
Change-Id: I5385921ad2f0fef815d52e9902fef15735fd9dae
Reviewed-on: https://code.wireshark.org/review/28636
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This should squelch warnings from Ida7b98af8c44a52ddac2c4ab0702db2519a0c4af.
Change-Id: I6803001981c63ddf76a735341ab2cc8dccdb8ab0
Reviewed-on: https://code.wireshark.org/review/28573
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix indentation, and note that the comment "description" (contents) are
RTF (as opposed to plain text).
Change-Id: I668a08c06e39a32318454d2ee73933083c5cb516
Reviewed-on: https://code.wireshark.org/review/28279
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Dissector for the VESA DisplayPort AUX channel protocol.
Bug: 14651
Change-Id: I5c0c7668bda969086d9d6e5069aad87e929f6340
Reviewed-on: https://code.wireshark.org/review/27311
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit dfd6eb5d68.
This change cannot be submitted without change I5c0c7668bda969086d9d6e5069aad87e929f6340.
Change-Id: Ieb22f4e9afa1742db861a291202a2790a4784e1b
Reviewed-on: https://code.wireshark.org/review/27387
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Wiretap support for reading the Unigraf DPA-400 DisplayPort
AUX channel monitor logfiles.
Bug: 14651
Change-Id: I8d3c50575c9806dd04b40053db45564404bad103
Reviewed-on: https://code.wireshark.org/review/27312
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's only being used as a working buffer to hold the raw options data we
read in.
Change-Id: I17b812e447f575ad92394b9f957658fc655cdf8e
Reviewed-on: https://code.wireshark.org/review/25701
Reviewed-by: Guy Harris <guy@alum.mit.edu>
No need for len, and call caplen event_filelen and move it after
event_len.
Change-Id: I8b3825d4022ee083ee52f83f7a69f22829ed9fc4
Reviewed-on: https://code.wireshark.org/review/25698
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There are events, there are reports, and there are "here's metadata that
doesn't correspond to something that happened at this point in the
capture"; IDBs and NRBs are the third type.
Change-Id: I89e4f9bf51dc1be5766e8df61c6337ed3e484577
Reviewed-on: https://code.wireshark.org/review/25587
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If we aren't built with libz, report a new "decompression not supported"
error if the file is gzipped; the problem isn't that it's a new capture
file format we don't support, it's that a *compressed* capture file, in
some format, but we don't support the *compression* format used.
This can be extended if we add support for other compression formats.
Change-Id: I19239525d4e02357e3ca7189996556839af8fce2
Reviewed-on: https://code.wireshark.org/review/25315
Reviewed-by: Guy Harris <guy@alum.mit.edu>
g995812c5f1 moved wiretap plugins registration from applications to
wiretap library init function.
As we do not want to load plugins for all users of libwiretap, let's
make it configurable.
Bug: 14314
Change-Id: Id8fdcc484e2d0d31d3ab0bd357d3a6678570f700
Reviewed-on: https://code.wireshark.org/review/25194
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The check that the pcapng code does is "do we have a non-null
addrinfo_lists_t * and, if so, does it have a non-null ipv4_addr_list or
ipv6_addr_list"?
The check that the file-save code was using was just "do we have a
non-null addrinfo_lists_t *", so sometimes it'd think we couldn't do a
"quick save" even though we had no name resolution information to write
out to the capture file.
Make a routine that does that check, and use it in *both* places.
Change-Id: Id4720f4fe4940354320b2b7621ca5e37e45ec1f3
Reviewed-on: https://code.wireshark.org/review/25055
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put different types of plugins (libwiretap, libwireshark) in different
subdirectories, give libwiretap and libwireshark init routines that
load the plugins, and have them scan the appropriate subdirectories
so that we don't even *try* to, for example, load libwireshark plugins
in programs that only use libwiretap.
Compiled plugins are stored in subfolders of the plugin folders, with
the subfolder name being the Wireshark minor version number (X.Y). There is
another hierarchical level for each Wireshark library (libwireshark, libwscodecs
and libwiretap).
The folder names are respectively plugins/X.Y/{epan,codecs,wiretap}.
Currently we only distribute "epan" (libwireshark) plugins.
Change-Id: I3438787a6f45820d64ba4ca91cbe3c8864708acb
Reviewed-on: https://code.wireshark.org/review/23983
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Bug: 14195
Change-Id: Ic6be8e1f8169968c48376984c0d1a1a69c67f32a
Reviewed-on: https://code.wireshark.org/review/24415
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
For a sane plugin build environment. Include config.h as the first
header in the .c file instead.
Fix by moving required compiler attribute macros to a new
"ws_attributes.h" API header.
Change-Id: I34f58a927f68c1a0e59686c14d214825149749e1
Reviewed-on: https://code.wireshark.org/review/23400
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Normally a .cap file contains a network type that when masked with 0xFFF
will convert to a pcap LINKTYPE_ value. However, Microsoft Analyzer
used 0xE080-0xE08A for their own purposes within a .cap file.
Add support for the WPFCapture formats and give a "not supported" error
message to the few left unsupported.
Bug: 10556
Change-Id: I321a75ce769fdec75bdc6b595936c25932950a97
Reviewed-on: https://code.wireshark.org/review/23386
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 4221
Change-Id: I59aff777c364af1a064e1e99ea9ac6692a4cedfa
Reviewed-on: https://code.wireshark.org/review/23333
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The NetMon wiretap reads the title and description comment fields from a
NetMon file and saves it in the wiretap private structure. Then when
it's time to make a frame, the comment fields are added to a NetMon
pseudoheader with a new WTAP ENCAP type, with the potential for netmon
pseudoheader to contain pseudoheader data from "base" wiretap. Then the
netmon_header dissector displays the comment fields and passes any "base"
wiretap pseudoheader data when calling the wtap_encap dissector table
that the frame dissector normally calls.
Bug: 4225
Change-Id: I8f772bc9494364c98434c78b61eb5a64012ff3b9
Reviewed-on: https://code.wireshark.org/review/23210
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Assigned a WTAP_ENCAP value (WTAP_ENCAP_NETMON_NET_NETEVENT) for the
dissection of Event Tracing records inside a NetworkMonitor file.
Ping-Bug: 6520
Ping-Bug: 6694
Change-Id: Ib100f3779095842e78f9b7741e80258aa866d818
Reviewed-on: https://code.wireshark.org/review/23278
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Use this for nordic_ble dissection.
Change-Id: I5323cbd8c244c4e3b645825c60d040e1ae8f3b81
Reviewed-on: https://code.wireshark.org/review/23219
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Support per-packet comments in ERF_TYPE_META through a new Anchor ID
extension header with per-Host unique 48-bit Anchor ID which links an
ERF_TYPE_META record with a packet record. There may be more than one
Anchor ID associated with a packet, where they are grouped by Host ID
extension header in the extension header list. Like other ERF_TYPE_META
existing comments should not be overwritten and instead a new record
generated. See erf_write_anchor_meta_update_phdr() for detailed comments
on the extension header stack required.
As Wireshark only supports one comment currently, use the one one with
the latest metadata generation time (gen_time). Do this for capture
comment too.
Write various wtap metadata in periodic per-second ERF_TYPE_META records
if non-WTAP_ENCAP_ERF or we have an updated capture comment.
Refactor erf_dump to create fake ERF header first then follow common
pseudoheadr and payload write code rather than two separate code paths.
Support an ERF_HOST_ID environment variable to define Wireshark's Host
ID when writing. Defaults to 0 for now.
ERF dissector updates to support Anchor ID extension header with basic
frame linking.
Update ERF_TYPE_META naming and descriptions to official name
(Provenance)
Core changes:
Add has_comment_changed to wtap_pkthdr, TRUE when a packet
opt_comment has unsaved changes by the user.
Add needs_reload to wtap_dumper which forces a full reload of the file
on save, otherwise wireshark gets confused by additional packets being
written.
Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c
Ping-Bug: 12303
Reviewed-on: https://code.wireshark.org/review/21873
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A linktype was recently assigned to Linux vsock in libpcap commit
cfdded36ddcf5d01e1ed9f5d4db596b744a6cda5 ("added DLT_VSOCK for
http://qemu-project.org/Features/VirtioVsock").
The Wireshark vsock dissector can now be automatically applied when
wtap_encap matches the new WTAP_ENCAP_VSOCK constant.
This patch makes Wireshark dissect vsock packet captures without
manually specifying the dissector.
Change-Id: If252071499a61554f624c9ce0ce45a0ccfa88d7a
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-on: https://code.wireshark.org/review/22611
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
It needed to be done:
https://github.com/shirriff/pup-wireshark
(And, yes, there really *is* a DLT_/LINKTYPE_ for it! The original DLT_
values were ARP hardware types, and 3MB Ethernet was assigned an ARP
hardware type of 2.)
Change-Id: I60d96c28e67854adcb28c7e3579ae5dd1f07df4b
Reviewed-on: https://code.wireshark.org/review/22336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add support for handling LoRaTap (https://github.com/eriknl/LoRaTap) DLT in
wiretap and add dissector for LoRaTap headers.
Exposes Syncword for subdissectors to dissect frame payload.
Change-Id: Ie4ba2189964376938f45eb3da93f2c3376042e85
Reviewed-on: https://code.wireshark.org/review/21915
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Either 1) it can be determined from the libwiretap encapsulation type,
in which case it's redundant information or 2) there *is* no pcap/pcapng
link-layer header type for that encapsulation type, in which case you
need to check for the attempt to determine it failing and handle that
failure appropriately.
Change-Id: Ie9557b513365c1fc8c6df74b9c8239e29aad46bc
Reviewed-on: https://code.wireshark.org/review/21924
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Idad8f7eeed968eeed9f553fef98d58453f328afb
Reviewed-on: https://code.wireshark.org/review/21421
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Tested-by: Michael Mann <mmann78@netscape.net>
The cleanup routine has been added to exit section of the applications.
Those which required a exit restyle have been patched as well.
Change-Id: I3a8787f0718ac7fef00dc58176869c7510fda7b1
Reviewed-on: https://code.wireshark.org/review/19949
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Have programs that use libwiretap call that routine rather than
separately calling some or all of init_open_routines(),
wtap_register_plugin_types(), and wtap_opttypes_initialize().
Also don't have routines internal to libwiretap call those. Yes, this
means doing some initialization work when it isn't necessary, but
scattering on-demand calls throughout the code is a great way to forget
to make those calls.
Change-Id: I5828e1c5591c9d94fbb3eb0a0e54591e8fc61710
Reviewed-on: https://code.wireshark.org/review/19069
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Mirrors the behavior of wtap_close.
Change-Id: I1a04878fdd0409fa74931737332f9b8a1ae77fb1
Reviewed-on: https://code.wireshark.org/review/17620
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
We support reading some types of files that aren't capture files, in
case we have a dissector for that file format (because, for example,
it's often transported over HTTP). Don't include them in the set of
files "All Capture Files" matches; you can still look for them as they
have individual entries in the drop-down menu of file type patterns.
Ultimately, there should be Fileshark/TFileshark programs to read those
files - and other file types, and even capture files if the goal is to
look at the file structure rather than at the packets - and *that's* the
program that should offer the ability to load JPEGs and so on.
(No, this does not reduce the "All Capture Files" list down to a level
that makes the problem in bug 12837 go away. The right way to fix
*that* is to arrange, somehow, that the "All Capture Files" entry not
actually list all the suffixes it matches.)
Change-Id: I705bff5fcd0694c6c6a11892621a195aa7cd0264
Reviewed-on: https://code.wireshark.org/review/17619
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Libpcap just backed out the "host-endian" SocketCAN LINKTYPE_ value; we
don't need it any more.
Change-Id: I33a7dc21207a0009e20b4abaefe1119eb649c39a
Reviewed-on: https://code.wireshark.org/review/17327
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Unfortunately, only one libpcap code path puts the CAN ID in the
SocketCAN header in network byte order; the others leave it in host byte
order. Therefore, a new LINKTYPE_/DLT_ value was introduced, and
libpcap was changed to use that for the cases where the CAN ID is in
host byte order. Support them both.
This means we need to, when reading pcap and pcapng files, fix up the
CAN ID if the host that wrote the file has a different byte order from
ours (as libpcap also now does). This includes Linux "cooked" captures,
which can include CAN packets.
Change-Id: I75ff2d68d1fbdb42753ce85d18f04166f21736dd
Reviewed-on: https://code.wireshark.org/review/17155
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way, we don't have to worry about multiple instances of an option
pointing to the same data. and having to worry about freeing data that's
pointed to by another instance.
Change-Id: I3470a9eebf346023713fd0d6ff2451d727c25089
Reviewed-on: https://code.wireshark.org/review/16471
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A block can have zero or more instances of a given option. We
distinguish between "one instance only" options, where a block can have
zero or one instance, and "multiple instances allowed" options, where a
block can have zero or more instances.
For "one instance only" options:
"add" routines add an instance if there isn't one already
and fail if there is;
"set" routines add an instance if there isn't one already
and change the value of the existing instance if there is one;
"set nth" routines fail;
"get" routines return the value of the instance if there is one
and fail if there isn't;
"get nth" routines fail.
For "multiple instances allowed" options:
"add" routines add an instance;
"set" routines fail;
"set nth" routines set the value of the nth instance if there is
one and fail otherwise;
"get" routines fail;
"get nth" routines get the value if the nth instance if there is
one and fail otherwise.
Rename "optionblock" to just "block"; it describes the contents of a
block, including both mandatory items and options.
Add some support for NRB options, including IPv4 and IPv6 option types.
Change-Id: Iad184f668626c3d1498b2ed00c7f1672e4abf52e
Reviewed-on: https://code.wireshark.org/review/16444
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add REC_TYPE_SYSCALL to wiretap and use it for Sysdig events. Call the
Sysdig event dissector from the frame dissector. Create a "syscall"
protocol for system calls, but add "frame" items to it for now.
Add the ability to write Sysdig events. This lets us merge packet
capture and syscall capture files.
Change-Id: I12774ec69c89d8e329b6130c67f29aade4e3d778
Reviewed-on: https://code.wireshark.org/review/15078
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also make it use ws_inet_ntop6() (rather than implementing the string
conversion ourselves).
Remove ip6_to_str_buf_len().
Change-Id: I1eff3a8941e00987c2ff0c4dcfda13476af86191
Reviewed-on: https://code.wireshark.org/review/15692
Reviewed-by: João Valverde <j@v6e.pt>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This doesn't try to use any data from multiple Name Resolution blocks, it
just converts single Name Resolution block usage into a GArray, so the
potential is there to then use/support multiple Name Resolution blocks
within a file format (like pcapng)
Change-Id: Ib0b584af0bd263f183bd6d31ba18275ab0577d0c
Reviewed-on: https://code.wireshark.org/review/15684
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This doesn't try to use any data from multiple Section Header blocks, it
just converts single Section Header block usage into a GArray, so the
potential is there to then use/support multiple Section Header blocks
within a file format (like pcapng)
Change-Id: I6ad1f7b8daf4b1ad7ba0eb1ecf2e170421505486
Reviewed-on: https://code.wireshark.org/review/15636
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
the mplog format is used by some commercial logging tools that capture
ISO 14443 traffic between a card reader and a contactless smartcard
Change-Id: If359b8f0f671eb2a7c6315e2b8960a5bd581a9e9
Reviewed-on: https://code.wireshark.org/review/14950
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>