the details of what in particular is unsupported; report it in TShark
and Wireshark.
Handle WTAP_ERR_RANDOM_OPEN_PIPE in TShark.
Handle WTAP_ERR_COMPRESSION_NOT_SUPPORTED in TShark, and have its error
message in Wireshark not speak of gzip, in case we support compressed
output in other formats in the future.
If we see a second section header block in a pcap-NG file, don't report
it as "the file is corrupted", report it as "the file uses a feature we
don't support", as that's the case - and don't free up the interface
data array, as the file remains open, and Wireshark might still try to
access the packets we were able to read.
svn path=/trunk/; revision=41041
For WTAP_ENCAP_ERF files if we find an Extension and/or Multi-Channel header,
ensure that the size of the full pseudoheader is smaller than the packet size
to avoid an underflow and subsequent attempt to allocate a rather large amount
of memory.
svn path=/trunk/; revision=41008
This is POC we may want to have more efficient use of the frame data
structure etc. But this allows for work to be done on the GUI to actually add comments.
svn path=/trunk/; revision=40969
encapsulation value and returns a GArray containing all the file types
that could be used to save a file of that file type and that
encapsulation value (which could be WTAP_ENCAP_PER_PACKET), with the
input file type first if that can be used and pcap or pcap-ng first if
not and if one of them can be used, and with pcap and pcap-ng clustered
together if they're among the file types that can be used.
Use that routine for the GTK+ file save dialog.
svn path=/trunk/; revision=40685
Fix an out-of-array-bounds warning from OpenBSD's compiler. (Note: this is
actually a false positive since adequate memory is allocated.)
From me: some additional code simplification.
svn path=/trunk/; revision=40680
a field that gives the default extension for the file type,
*without* a leading "." (i.e., just the extension, not the "."
that separates it from the rest of the file name), which is NULL
if there are no known extensions;
a field that gives a semicolon-separated list of *other*
extensions, without "*." or ".", which is NULL if there are no
known extensions or there are no known extensions other than the
default.
Rename wtap_file_extension_default_string() to
wtap_default_file_extension() (matches the name of the field).
svn path=/trunk/; revision=40678
extensions at all.
For file types that are plain text and that don't already have
extensions, add "txt" as the extension.
svn path=/trunk/; revision=40657
GSList of extensions for a file type, including extensions for the
compressed versions of those file types that we can read.
svn path=/trunk/; revision=40623
select only files of that type; you might as well use "All Files (*.*)"
for that.
The default suffix is a suffix, not a pattern, so it shouldn't be
"*.{something}".
We only use the patterns on Windows, where file names are
case-insensitive, so there's no point in capital letters in suffixes.
svn path=/trunk/; revision=40621
Wireshark distribution, give us code to read it. If somebody wants it
in their private version of Wireshark, they can manage that themselves.
(We should support plugins for file types at some point; I think we
already have support for Lua file readers.)
svn path=/trunk/; revision=40620
directly to k12text_set_pseudo_header(), so that it's passed the right
encapsulation for seek-and-read as well as for read. Fixes the
"malformed frames when reading some K12 text files" problem for which
we're using bug 6735.
svn path=/trunk/; revision=40508
Move pcap-NG right after standard pcap in the list of file types, so
that it shows up early in the list of output file types in the "Save
As..." dialog box (if, that is, it's supported; if not, neither is pcap,
as they use the same link-layer header type values).
svn path=/trunk/; revision=40493
WTAP_ENCAP_ARCNET_LINUX; update various tables mapping Wiretap
encapsulations to file-type encapsulations. Get rid of some trailing
"sorry, that's not supported" entries while we're at it.
svn path=/trunk/; revision=40274
> WTAP_MAX_PACKET_SIZE, either that should be caught above the
per-file-type layer in Wiretap or should be handled by the caller.
We've recently fixed at least one problem with reported lengths > 2^31 -
1 (by clamping the length to 2^31 - 1), so let's just remove the check
from the pcap-NG reader, to squelch some complaints we're getting from
the buildbot (bug 6673 and its duplicates).
(The pcap reader uses it to cope with some of the botched libpcap
formats that changed the per-packet header without changing the magic
number; I'll look at trying to preserve those heuristics while still
allowing reported lengths > WTAP_MAX_PACKET_SIZE.)
svn path=/trunk/; revision=40207
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
out in version 2.1 of the file format (the minimum version to support
that).
Change some data types to avoid having file offsets that are before the
beginning of the file.
Clean up some other data types and some comments.
svn path=/trunk/; revision=39898
100-nanosecond resolution, but that's still better than microsecond
resolution).
For NetMon 1.x format, only claim to support millisecond resolution, as
that's all you get.
Fix handling of negative time deltas in NetMon 2.x format.
When writing a NetMon file, trim the time of the first packet to
millisecond precision to get the capture start time, so that the start
time written to the file (which has millisecond precision) is the same
as the start time used to calculate the deltas written to the packet
headers.
svn path=/trunk/; revision=39886
routines blowing up if handed a too-large time_t.
While we're at it, also check for dates that can't be represented in DOS
format (pre-1980 dates).
svn path=/trunk/; revision=39883
link" records, including stuff that's from a G.704 PRI frame but not
from a D or H channel in that frame. Handle them (currently, we ignore
them).
The low-order bit of the flags field for "packet" records" is "network
to user" (NT->TE), not "user to network" (TE->NT).
svn path=/trunk/; revision=39663
bytes of what we thought was a version string appears to be an 8-byte
record of some sort in the captures we originally looked at, and appears
to be a non-8-byte record in another capture. If we treat that as a
record, the version string field appears to be null-padded and 41 bytes
long.
svn path=/trunk/; revision=39645
might be a record type, with 0 being a "Stop Monitor" record and 1 being
a packet. Ignore records other than packet records.
svn path=/trunk/; revision=39590
software. More work is needed:
we don't know where the capture start time is yet;
we aren't handling the "stop capture" record;
we don't know where the ISDN channel is;
there might be non-ISDN file formats;
but this at least is easier than trying to text2pcap hex dumps from that
software into pcap files.
svn path=/trunk/; revision=39588
I found a heap-based buffer overflow, when parsing ERF file format.
The overflow seems to be controlled by the values read from the file,
and hence seems exploitable to me.
svn path=/trunk/; revision=39508
This patch extends the ATM parser so as to allow GPRS NS traffic encapsulated
in ATM AAL5.
Additionally, added support for this into the 'Meta' dissector.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6447
svn path=/trunk/; revision=39394
First bug: The Network Instruments Observer file format abbreviation is
incorrect. It is "niobserverv" instead of "niobserver", which is probably a
vestige from 1.4 when the abbreviation was "niobserverv9".
Second bug: The packet header magic number field is correctly swapped the first
time when reading the entire packet header. It is incorrectly swapped yet again
when reporting an invalid value. Both swaps use GUINT_FROM_LE, which is a no-op
on little-endian platforms. But the error message that is displayed to users of
big-endian platforms will contain a byte-reversed value.
svn path=/trunk/; revision=39392
Allows the saving of packets with snapped length to ERF. Prevents the adding of
automatic CRC and rounds down to the nearest 8 bytes instead of up, adding
zeros.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6409
svn path=/trunk/; revision=39247
same.
Add to wiretap/pcap-common.c a routine to fill in the pseudo-header for
ATM (by looking at the VPI, VCI, and packet data, and guessing) and
Ethernet (setting the FCS length appropriately). Use it for both pcap
and pcap-ng files.
svn path=/trunk/; revision=38840
Set the pseudo-header when doing the sequential read as well as when
doing random reads.
When writing packets to a CommView file, use a slightly less contorted
way to get the year/month/day/hour/minute/second values.
commview_dump() uses the pseudo_header argument; don't mark it as
unused.
svn path=/trunk/; revision=38833
know it'll fit in a gint16. (alignbytes really shouldn't need to be 64
bits, as if we have 2^63-1 bytes of alignment, We Have A Problem; fixing
that may involve calculating it differently earlier in that routine.)
svn path=/trunk/; revision=38828
which we read the data to be written doesn't record the snapshot
length". A snapshot length of 0 in a pcap or pcap-ng file is not
handled well by many programs reading those files; for pcap files, we
write out WTAP_MAX_PACKET_SIZE as the snapshot length in that case, so
do so for pcap-ng files as well.
svn path=/trunk/; revision=38790
If an EnhancedPacketBlock in a pcapng file contains a comment option the
content isn't displayed. Instead "Malformed packet" is displayed with the
reason Exception occurred.
The reason for the problem is a bug in the pcapng.c, where for enhanced packet
blocks, interface description blocks and interface statistics blocks the wrong
union members are used to set the comment. This way required fields in the
structures are overwritten.
The attached patch solves the problem.
svn path=/trunk/; revision=38491
header bytes read, as we're reading the two header fields separately and
checking the byte count for each read. We *do*, however, know that the
record header is 4 bytes long, so we can just seek back 4 bytes.
svn path=/trunk/; revision=37953
pcap. Add a "-P" capture option which tries to use pcap instead of
pcap-ng ("-P" seemed to be the best option but we may want to use a
different letter).
Update the documentation and release notes.
svn path=/trunk/; revision=37696
pointer to a string to a non-const pointer discards qualifiers; make the
err_info member of the wtap_reader structure a const pointer.
svn path=/trunk/; revision=37671
<zlib.h> there, rather than wtap-int.h. That obviates the need to
include config.h earlier in ascend_scanner.l; revert the previous
change, so we don't require a version of Flex that supports %top.
svn path=/trunk/; revision=37640
This is significant update to the existing iseries wiretap module. It adds
support for IPv6 (formatted & unformatted comms traces), in addition I've
tidied up the sscanf routines to better handle traces files with offset lines.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5957
svn path=/trunk/; revision=37466
structure include a file descriptor. Add a wtap_fstat() for the file
readers that use file times to generate time stamps (we really need a
way to say "this file has no time stamps" or "this file has only
relative time stamps).
svn path=/trunk/; revision=37026
the file, rather than the offset in the uncompressed data stream. That
way we don't get the "hey, we're more than 100% into the file, better
refigure this" surprise.
svn path=/trunk/; revision=37025
This patch incorporates the following fixes from the patch attached to
bug 5671 with changes as noted below:
1.) Files where the packet header and packet data are noncontiguous are
handled improperly, resulting in read misalignment and ultimately the
error message, "Observer: bad record: Invalid magic number 0xXXXXXXXX."
This bug is caused by not obeying the packet_entry_header.offset_to_frame
field.
2.) Daylight savings time is not properly accounted for in files using
local time encoding.
3.) As of Observer/GigaStor v13.10 (bug 5671 incorrectly stated v14),
timestamps in the file format changed from local time encoding to GMT
encoding. Wiretap has been changed to support reading both formats.
Patch submitted with bug 5671 added a separate file type to allow
writing local format. This patch does not add the separate file type
and always writes GMT.
4.) The wtap_dumper.bytes_dumped field is not being properly incremented
as data is written to files.
This patch also incorporates the following additional enhancements /
fixes not in bug 5671:
1.) Support for reading BFR files which contain Fibre Channel captures.
Test file Fibre_Channel_Capture.bfr attached.
2.) Support for modified file header used in upcoming v15. New header
file format takes an unused byte from the version string to allow for a
larger offset to the first packet to be specified. Test file
V15_Lrg_Hdr_Test.bfr is attached, it is also a fuzz test as the number
of TLV items given in the header is less then the actual.
3.) It was found that if the number of TLV items given in the header was
larger then present it would fail to open the file. Test file
V9_Num_TLVs_Too_Big.bfr is attached.
svn path=/trunk/; revision=36970
From me:
- #include <stdlib.h> not needed;
- Use consistent indentation;
- use #if 0/#endif to comment out code rather than /* */
svn path=/trunk/; revision=36884
From me:
- remove unneeded #include <stdlib.h>;
- fix some indentation;
- use #if 0/#endif rather that /* */ to comment out some code
svn path=/trunk/; revision=36883
we can cast not-necessarily-aligned pointers to pointers to those
structures without risk of compiler warnings *or* the underlying problem
the compiler's trying to warn us about (no, you can't always dereference
an unaligned pointer - SPARC traps, and at least some ARM processors may
do something other than what you want, for example).
This also caught some cases where we were not even properly
byte-swapping on big-endian platforms.
This also lets us not muck around with splitting 64-bit times into two
32-bit fields - we have pletohll(), after all.
svn path=/trunk/; revision=36787
file before doing any writes - it starts out at the beginning of the
file. This means that you *can* write a Network Instruments capture
file to a pipe, or write it out in compressed form, now that its
dump_open routine no longer seeks.
NetXRay format and K12 binary format, however, *do* require a seek when
writing them.
svn path=/trunk/; revision=36776
don't have an "additional information" string.
Get rid of WTAP_ERR_ZLIB; just report an internal error with
WTAP_ERR_INTERNAL instead. (If they start happening, we can think about
supplying an "additional information" string for compression errors on
output.)
svn path=/trunk/; revision=36774
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
has semantics similar to getc().
If it fails due to an EOF, set state->err to WTAP_ERR_SHORT_READ to
report a premature EOF; otherwise, raw_read() has already set
state->err, so don't set state->err to something else - that loses the
errno value in favor of a generic "bad data" error.
svn path=/trunk/; revision=36744
*", and some compilers complain when you cast that pointer to something
requiring stricter alignment. Maybe the intent is to nudge you into
thinking about whether the pointer really is properly aligned, but....
svn path=/trunk/; revision=36739
in which case ENOMEM is the right error, or we're running on Windows but
using UN*Xy routines, in which case ENOMEM is the right error; unlike
zlib, we don't have to run on a whole pile of OSes.)
svn path=/trunk/; revision=36648
analyzer warnings.
Return an actual error if we're failing because we're trying to write to
the standard output in compressed mode.
svn path=/trunk/; revision=36636
keeps GCC 4.6.0 from complaining about them and failing to build with
-Werror, and may also squelch some Coverity (and other static analyzer)
complaints.
svn path=/trunk/; revision=36599
In the end-of-stream code, when we're checking the CRC and length, don't
check the CRC or length if we failed to read them, and don't check the
length if the CRC is bad.
We define O_BINARY as 0 on UN*X in <wsutil/file_util.h>, so we don't
need to avoid using it on UN*X.
In file_gets(), check for delayed errors.
svn path=/trunk/; revision=36590
zran.c example in the zlib source.
This means that problems in the file's contents might not be reported
when a packet is read, as long as there's no problem in the contents of
the file up to the last bit of compressed data for the packet; we now
check for errors after finishing the sequential read of the file, at
least in some programs, so that shouldn't be an issue (the other
programs need to be changed to do so as well). This is necessary in
order to be able to read all the packets we saw in the sequential pass;
it also lets us get a few more packets from truncated files in some
cases.
svn path=/trunk/; revision=36577
may happen if, when reading a compressed file, we find an error in the
file's contents past the last packet (e.g., the file being cut short so
that we can't get a full buffer worth of compressed data), and that
reporting of that error is delayed (so that you can get all of the
packets that we *can* decompress). Check for those errors, at least on
the sequential read pass (the only errors we should see when closing the
random stream are errors we've already seen in the sequential stream).
svn path=/trunk/; revision=36576
can't be saved in compress form" are both equivalent to "this file file
format requires seeking when writing it". Change the "can compress"
Boolean in the file format table to "writing requires seeking", give all
the entries the proper value, and do the checks for attempting to write
a file format to a pipe or write it in compressed format to common code.
This means we don't need to pass the "can't seek" flag to the dump open
routines.
svn path=/trunk/; revision=36575
this frees us from worrying about zlib large file issues on the write
side, and also lets us clean up a few other things.
svn path=/trunk/; revision=36563
support it.
Rename ws_lseek to ws_lseek64, as it should be given a 64-bit offset,
and have it use _lseeki64 on Windows, to try to get 64-bit offset
support; AC_SYS_LARGEFILE should cause lseek() to support 64-bit offsets
on UN*X if possible.
svn path=/trunk/; revision=36542
wiretap/file_wrappers.c; nothing outside of file_wrappers.c needs to
know what it looks like, it just passes around pointers to it.
svn path=/trunk/; revision=36538
calls that use it, cast it to whatever it's supposed to be. Making it a
gzFile means you can't use any stdio macros that reach inside the
structure; making it a FILE *, as it used to be, amounts to trying to
use a FILE * as a void * if we're writing a compressed file out.
svn path=/trunk/; revision=36521
unsigned int - to match file_read(). Shrink some arguments, variables,
and structure members appropriately.
Fix an incorrect sizeof - sizeof a pointer is the size of the pointer,
not the size of what it points to.
svn path=/trunk/; revision=36515
ws_lseek() to the appropriate type for the second argument to _lseek()
for Windows or lseek() for UN*X; ultimately, we want to call the
appropriate 64-bit-offset seek routine if available, otherwise cast the
value down and hand it to the 32-bit-offset seek routine.
svn path=/trunk/; revision=36514
Introduce file_clearerr
I'm unsure of this patch,
gzclearerr() is used to clear the end-of-file mark, but for FILE
there's function which do the same (clearerr).
I created test program if clearerr() is needed for tailing file.
and it seems to work without it (at least on Linux, so for
!HAVE_LIBZ I commented it out).
For now this patch introduce file_clearerr macro, and define it
only when EOF marking must be cleared (i.e. when HAVE_LIBZ and
HAVE_GZCLEARERR are defined).
So everything works like before, patch just to keep same prefix
for file interface :)
svn path=/trunk/; revision=36510
file-wrappers.[ch] is used only for reading files, and mode is always
"rb".
Attached patch removes 'mode' argument from file_open() & filed_open().
svn path=/trunk/; revision=36493
file_read(buf, bsize, count, file) macro is compilant with fread
function and takes elements count+ size of each element, however to make
it compilant with gzread() it always returns number of bytes.
In wiretap file_read() this is not really used, file_read is called
either with bsize set to 1 or count to 1.
Attached patch remove bsize argument from macro.
svn path=/trunk/; revision=36491
Coverity 789-790.
Since we've been keeping track of how many bytes we put in the buffer,
use that value instead of calling strlen() find it again.
Also, some white space/indentation cleanup.
svn path=/trunk/; revision=36397
support; TShark has read+write support. Additionally TShark can read a
"hosts" file and write those records to a capture file.
This uses "struct addrinfo" in many places and probably won't compile on
some platforms.
svn path=/trunk/; revision=36318
netscreen_read(), checking the return value of
parse_netscreen_hex_dump() against -1 and explicitly returning FALSE if
it's -1, otherwise driving on.
svn path=/trunk/; revision=36237
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5654
From me:
- Entry for DVBCI added to wtap.c encap_table_base[];
- Some code simplification with respect to the use of col_...() for COL_INFO;
- Certain tests for "enough bytes available" not really needed;
- (Other minor tweaks);
- #include<stdio.h> not req'd;
- Minor reformatting and whitespace cleanup;
svn path=/trunk/; revision=36149
either the VC++ analyzer can't determine that or it *can*, in fact,
happen). Pick an error code that's not too far off.
svn path=/trunk/; revision=35957
pseudo-header, and hence there's no direction indication. Don't set
pinfo->p2p_dir for it. Use WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR, not
WTAP_ENCAP_BLUETOOTH_H4, for capture files where we have the direction.
Don't assume pinfo->p2p_dir is either P2P_DIR_SENT or P2P_DIR_RECV when
setting the info column in various Bluetooth dissectors; it might be
unknown.
In the HCI H4 dissector, put the direction into the info column
regardless of whether we have a type match or not; the dissectors for
HCI packet types appear to assume it's been set (as they put a blank at
the beginning of the stuff they append to the direction).
svn path=/trunk/; revision=35933
Get rid of debugging printouts that are equivalent to the "additional
error information" messages.
Return additional error info for all WTAP_ERR_BAD_RECORD errors.
svn path=/trunk/; revision=35800
- Define macros for certain CFLAGS in config.nmake iso of having defs in each makefile;
a. -DHAVE_CONFIG_H and -D_U_="" are now part of a macro named STANDARD_CFLAGS;
b. -WX has been replaced by WARNINGS_ARE_ERRORS (defined as -WX in config.nmake)
(This allows disabling "Warnings as Errors" by just changing config.nmake)
c. CVARSDLL definitions (not usage) have been removed from the various makefiles.
XXX: It appears the usage of CVARSDLL can also be removed (not yet done) since:
-DWIN32 and -DNULL=0 do not appear to be needed (any more);
-D_MT and _D_DLL are not needed since /MP causes these definitions.
d. Define a macro WARNINGS_CFLAGS with additional specific compiler (level4) warnings to be enabled.
E.G., 4295: array is too small to include a terminating null character
- config.nmake: reformat some long lines for readability;
- plugins\Makefile.nmake: clean-deps does nothing: remove it (and usage in top-level makefile);
- dissectors/Makefile.nmake: test to enable packet-rrc.obj target needs to include MSVC2010 ...
svn path=/trunk/; revision=35747
will see random crap as the error code.
However, if we're skipping a "TCPIPTRACE-W-BUFFERSFUL" error, if the
"error" we get is an end-of-file indication, that's *not* an error.
It is, however, ultimately a "we dropped some packets" indication; add a
comment noting that we should eventually treat it as such.
svn path=/trunk/; revision=35337
