if they're not. Also report an error for zero-length names.
Handle multiple names per IP address - the pcap-NG spec says "one or
more zero-terminated strings containing the DNS entries for that
address."
Use a Buffer to hold NRB records, so there's no maximum size (well,
there is a maximum size, because the record length is 16 bits, but let's
not allocate 64KiB on the stack if we don't have to).
svn path=/trunk/; revision=41332
and should not contain the extension in the default_file_extension
member - that's why the name starts with "additional".
svn path=/trunk/; revision=41293
pcap_read_simple_packet_block(), not in pcap_read() - the way the fields
are filled in differs between simple and non-simple packet blocks.
Clean up white space.
svn path=/trunk/; revision=41284
clickable to open an edit window.
- Add checks for NULL pointers.
Help with a different color LED possibly with Jeff's (c) in it apreceated.
Should the LED be placed elsewhere or the whole thing done differently?
svn path=/trunk/; revision=41242
by Wiretap, to indicate whether certain fields in that structure
actually have data in them.
Use the "time stamp present" flag to omit showing time stamp information
for packets (and "packets") that don't have time stamps; don't bother
working very hard to "fake" a time stamp for data files.
Use the "interface ID present" flag to omit the interface ID for packets
that don't have an interface ID.
We don't use the "captured length, separate from packet length, present"
flag to omit the captured length; that flag might be present but equal
to the packet length, and if you want to know if a packet was cut short
by a snapshot length, comparing the values would be the way to do that.
More work is needed to have wiretap/pcapng.c properly report the flags,
e.g. reporting no time stamp being present for a Simple Packet Block.
svn path=/trunk/; revision=41185
That means we don't need to do the block length check in
pcapng_read_block(); each block type reader, including the one for
unknown block types, does a check that's as stringent as that block
length check or more stringent, which means any block whose length is
less than the minimum will fail with the same error in both cases.
Fix the message for a too-short NRB.
svn path=/trunk/; revision=41152
1) contain the block length fields and block type field;
2) contain that plus the fixed-length portion of the block;
3) for blocks that have a variable-length portion other than the
options, contain that variable-length portion.
Fixes a crash we're seeing with a bad pcap-NG file in the Wireshark
menagerie (7799-lastPacketWithoutComment.pcapng - the last packet's
block length is 128, but it claims to have 98 bytes of packet data,
which requires a 132-byte block).
Clean up white space (use 8-space tabs).
svn path=/trunk/; revision=41143
block, which could be the case even in a *valid* file (consider a file
with an SHB, an NRB, an IDB, and a packet block, in that order); even if
there's no IDB before the first packet block, that should be reported to
the user as "interface N not less than interface count M", to more
precisely indicate the problem.
(Yes, the loop should probably keep going until it finds a packet block,
not just a non-IDB block.)
svn path=/trunk/; revision=41132
you provide NULL when you call it via wtap_dump_open.
This does not make the buildbots happy, but at least
tshark doesn't crash anymore.
svn path=/trunk/; revision=41111
so if we later get a short read, we have to return -1 and set *err to
WTAP_ERR_SHORT_READ. Otherwise, we'll try other file types and, if none
of them match, we'll try to close the wtap structure, which crashes.
svn path=/trunk/; revision=41102
the details of what in particular is unsupported; report it in TShark
and Wireshark.
Handle WTAP_ERR_RANDOM_OPEN_PIPE in TShark.
Handle WTAP_ERR_COMPRESSION_NOT_SUPPORTED in TShark, and have its error
message in Wireshark not speak of gzip, in case we support compressed
output in other formats in the future.
If we see a second section header block in a pcap-NG file, don't report
it as "the file is corrupted", report it as "the file uses a feature we
don't support", as that's the case - and don't free up the interface
data array, as the file remains open, and Wireshark might still try to
access the packets we were able to read.
svn path=/trunk/; revision=41041
For WTAP_ENCAP_ERF files if we find an Extension and/or Multi-Channel header,
ensure that the size of the full pseudoheader is smaller than the packet size
to avoid an underflow and subsequent attempt to allocate a rather large amount
of memory.
svn path=/trunk/; revision=41008
This is POC we may want to have more efficient use of the frame data
structure etc. But this allows for work to be done on the GUI to actually add comments.
svn path=/trunk/; revision=40969
encapsulation value and returns a GArray containing all the file types
that could be used to save a file of that file type and that
encapsulation value (which could be WTAP_ENCAP_PER_PACKET), with the
input file type first if that can be used and pcap or pcap-ng first if
not and if one of them can be used, and with pcap and pcap-ng clustered
together if they're among the file types that can be used.
Use that routine for the GTK+ file save dialog.
svn path=/trunk/; revision=40685
Fix an out-of-array-bounds warning from OpenBSD's compiler. (Note: this is
actually a false positive since adequate memory is allocated.)
From me: some additional code simplification.
svn path=/trunk/; revision=40680
a field that gives the default extension for the file type,
*without* a leading "." (i.e., just the extension, not the "."
that separates it from the rest of the file name), which is NULL
if there are no known extensions;
a field that gives a semicolon-separated list of *other*
extensions, without "*." or ".", which is NULL if there are no
known extensions or there are no known extensions other than the
default.
Rename wtap_file_extension_default_string() to
wtap_default_file_extension() (matches the name of the field).
svn path=/trunk/; revision=40678
extensions at all.
For file types that are plain text and that don't already have
extensions, add "txt" as the extension.
svn path=/trunk/; revision=40657
GSList of extensions for a file type, including extensions for the
compressed versions of those file types that we can read.
svn path=/trunk/; revision=40623
select only files of that type; you might as well use "All Files (*.*)"
for that.
The default suffix is a suffix, not a pattern, so it shouldn't be
"*.{something}".
We only use the patterns on Windows, where file names are
case-insensitive, so there's no point in capital letters in suffixes.
svn path=/trunk/; revision=40621
Wireshark distribution, give us code to read it. If somebody wants it
in their private version of Wireshark, they can manage that themselves.
(We should support plugins for file types at some point; I think we
already have support for Lua file readers.)
svn path=/trunk/; revision=40620
directly to k12text_set_pseudo_header(), so that it's passed the right
encapsulation for seek-and-read as well as for read. Fixes the
"malformed frames when reading some K12 text files" problem for which
we're using bug 6735.
svn path=/trunk/; revision=40508
Move pcap-NG right after standard pcap in the list of file types, so
that it shows up early in the list of output file types in the "Save
As..." dialog box (if, that is, it's supported; if not, neither is pcap,
as they use the same link-layer header type values).
svn path=/trunk/; revision=40493
WTAP_ENCAP_ARCNET_LINUX; update various tables mapping Wiretap
encapsulations to file-type encapsulations. Get rid of some trailing
"sorry, that's not supported" entries while we're at it.
svn path=/trunk/; revision=40274
> WTAP_MAX_PACKET_SIZE, either that should be caught above the
per-file-type layer in Wiretap or should be handled by the caller.
We've recently fixed at least one problem with reported lengths > 2^31 -
1 (by clamping the length to 2^31 - 1), so let's just remove the check
from the pcap-NG reader, to squelch some complaints we're getting from
the buildbot (bug 6673 and its duplicates).
(The pcap reader uses it to cope with some of the botched libpcap
formats that changed the per-packet header without changing the magic
number; I'll look at trying to preserve those heuristics while still
allowing reported lengths > WTAP_MAX_PACKET_SIZE.)
svn path=/trunk/; revision=40207
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
out in version 2.1 of the file format (the minimum version to support
that).
Change some data types to avoid having file offsets that are before the
beginning of the file.
Clean up some other data types and some comments.
svn path=/trunk/; revision=39898
100-nanosecond resolution, but that's still better than microsecond
resolution).
For NetMon 1.x format, only claim to support millisecond resolution, as
that's all you get.
Fix handling of negative time deltas in NetMon 2.x format.
When writing a NetMon file, trim the time of the first packet to
millisecond precision to get the capture start time, so that the start
time written to the file (which has millisecond precision) is the same
as the start time used to calculate the deltas written to the packet
headers.
svn path=/trunk/; revision=39886
routines blowing up if handed a too-large time_t.
While we're at it, also check for dates that can't be represented in DOS
format (pre-1980 dates).
svn path=/trunk/; revision=39883
link" records, including stuff that's from a G.704 PRI frame but not
from a D or H channel in that frame. Handle them (currently, we ignore
them).
The low-order bit of the flags field for "packet" records" is "network
to user" (NT->TE), not "user to network" (TE->NT).
svn path=/trunk/; revision=39663
bytes of what we thought was a version string appears to be an 8-byte
record of some sort in the captures we originally looked at, and appears
to be a non-8-byte record in another capture. If we treat that as a
record, the version string field appears to be null-padded and 41 bytes
long.
svn path=/trunk/; revision=39645
might be a record type, with 0 being a "Stop Monitor" record and 1 being
a packet. Ignore records other than packet records.
svn path=/trunk/; revision=39590
software. More work is needed:
we don't know where the capture start time is yet;
we aren't handling the "stop capture" record;
we don't know where the ISDN channel is;
there might be non-ISDN file formats;
but this at least is easier than trying to text2pcap hex dumps from that
software into pcap files.
svn path=/trunk/; revision=39588
I found a heap-based buffer overflow, when parsing ERF file format.
The overflow seems to be controlled by the values read from the file,
and hence seems exploitable to me.
svn path=/trunk/; revision=39508
This patch extends the ATM parser so as to allow GPRS NS traffic encapsulated
in ATM AAL5.
Additionally, added support for this into the 'Meta' dissector.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6447
svn path=/trunk/; revision=39394
First bug: The Network Instruments Observer file format abbreviation is
incorrect. It is "niobserverv" instead of "niobserver", which is probably a
vestige from 1.4 when the abbreviation was "niobserverv9".
Second bug: The packet header magic number field is correctly swapped the first
time when reading the entire packet header. It is incorrectly swapped yet again
when reporting an invalid value. Both swaps use GUINT_FROM_LE, which is a no-op
on little-endian platforms. But the error message that is displayed to users of
big-endian platforms will contain a byte-reversed value.
svn path=/trunk/; revision=39392
Allows the saving of packets with snapped length to ERF. Prevents the adding of
automatic CRC and rounds down to the nearest 8 bytes instead of up, adding
zeros.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6409
svn path=/trunk/; revision=39247
same.
Add to wiretap/pcap-common.c a routine to fill in the pseudo-header for
ATM (by looking at the VPI, VCI, and packet data, and guessing) and
Ethernet (setting the FCS length appropriately). Use it for both pcap
and pcap-ng files.
svn path=/trunk/; revision=38840
Set the pseudo-header when doing the sequential read as well as when
doing random reads.
When writing packets to a CommView file, use a slightly less contorted
way to get the year/month/day/hour/minute/second values.
commview_dump() uses the pseudo_header argument; don't mark it as
unused.
svn path=/trunk/; revision=38833
know it'll fit in a gint16. (alignbytes really shouldn't need to be 64
bits, as if we have 2^63-1 bytes of alignment, We Have A Problem; fixing
that may involve calculating it differently earlier in that routine.)
svn path=/trunk/; revision=38828
which we read the data to be written doesn't record the snapshot
length". A snapshot length of 0 in a pcap or pcap-ng file is not
handled well by many programs reading those files; for pcap files, we
write out WTAP_MAX_PACKET_SIZE as the snapshot length in that case, so
do so for pcap-ng files as well.
svn path=/trunk/; revision=38790
If an EnhancedPacketBlock in a pcapng file contains a comment option the
content isn't displayed. Instead "Malformed packet" is displayed with the
reason Exception occurred.
The reason for the problem is a bug in the pcapng.c, where for enhanced packet
blocks, interface description blocks and interface statistics blocks the wrong
union members are used to set the comment. This way required fields in the
structures are overwritten.
The attached patch solves the problem.
svn path=/trunk/; revision=38491
header bytes read, as we're reading the two header fields separately and
checking the byte count for each read. We *do*, however, know that the
record header is 4 bytes long, so we can just seek back 4 bytes.
svn path=/trunk/; revision=37953
pcap. Add a "-P" capture option which tries to use pcap instead of
pcap-ng ("-P" seemed to be the best option but we may want to use a
different letter).
Update the documentation and release notes.
svn path=/trunk/; revision=37696
pointer to a string to a non-const pointer discards qualifiers; make the
err_info member of the wtap_reader structure a const pointer.
svn path=/trunk/; revision=37671
<zlib.h> there, rather than wtap-int.h. That obviates the need to
include config.h earlier in ascend_scanner.l; revert the previous
change, so we don't require a version of Flex that supports %top.
svn path=/trunk/; revision=37640
This is significant update to the existing iseries wiretap module. It adds
support for IPv6 (formatted & unformatted comms traces), in addition I've
tidied up the sscanf routines to better handle traces files with offset lines.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5957
svn path=/trunk/; revision=37466
structure include a file descriptor. Add a wtap_fstat() for the file
readers that use file times to generate time stamps (we really need a
way to say "this file has no time stamps" or "this file has only
relative time stamps).
svn path=/trunk/; revision=37026
the file, rather than the offset in the uncompressed data stream. That
way we don't get the "hey, we're more than 100% into the file, better
refigure this" surprise.
svn path=/trunk/; revision=37025
