as BGP is a protocol on top of TCP, it may have trouble parsing
out-of-sync data (in most cases data is aligned on packet, it seems).
svn path=/trunk/; revision=843
for converting IPv[46] numeric notation to/from binary form.
recent BIND includes those functions so fallback is not necessary on
most of the platforms.
sorry if it raises any portability problem on other platforms.
remove partial inclusion of inet_ntop() in packet-ipv6.c.
move ip6_to_str() to packet.c, it fits better there than packet-ipv6.c.
svn path=/trunk/; revision=829
for ip.ip_p and ip6.ip6_nxt (and other IPv6 header chain).
use val_to_str() as much as possible in dissect_{ipv6,pim,ripng}().
make --disable-zlib a default for netbsd (temporary workaround).
svn path=/trunk/; revision=827
the base for numbers to be displayed in, bitmasks for bitfields, and blurbs
(which are one or two sentences describing the field).
proto_tree_add*() routines now automatically handle bitfields. You tell
it which header field you are adding, and just pass it the value of the
entire field, and the proto_tree routines will do the masking and shifting
for you.
This means that bitfields are more naturally filtered via dfilter now.
Added Phil Techau's support for signed integers in dfilters/proto_tree.
Added the beginning of the SNA dissector. It's not complete, but I'm
committing it now because it has example after example of how to use
bitfields with the new header_field_info struct and proto_tree routines.
It was the impetus to change how header_field_info works.
svn path=/trunk/; revision=815
Also added first pass of state keeping. I am using glib's hash
functions.
Modelled after packet-ncp.c.
We will need to standardize the <proto>_init_protocol functions called in
file.c at some stage ...
I will have a couple of more goes at the state keeping before I am finished.
At the moment, the infrastructure is there but I do nothing with it.
svn path=/trunk/; revision=798
1. Fix some silly errors.
2. Dont decode beyond Word Count if errcode > 0
3. Decode a bunch mode SMBs
Next is to keep state so we can do a better job ...
svn path=/trunk/; revision=758
specified number of bytes of captured data in the frame at the specified
offset, and a "IS_DATA_IN_FRAME()" macro, to test whether there are any
bytes of captured data in the frame at the specified offset, and convert
some bounds checks to use them.
Add a dissector for the Internet Printing Protocol.
svn path=/trunk/; revision=685
the "File/Print" dialog box; "Expand all levels" means that all levels
of the protocol tree should be printed, while "Print as displayed" means
that only those levels shown in the display should be printed.
Free the table of column widths once printing is done.
svn path=/trunk/; revision=671
prints the protocol tree, and summary prints the fields in the summary
clist, with a header line at the beginning of the printout.
Print only packets selected by the current packet filter.
Just have "ARP" and "RARP" in the "Protocol" field for ARP packets;
whether it's a request or a reply can be seen in the "Info" field.
Add to the "Frame" section of the protocol tree the time between the
current packet and the previous displayed packet, and the packet number.
Have FT_RELATIVE_TIME fields be a "struct timeval", and display them as
seconds and fractional seconds (we didn't have any fields of that type,
and that type of time fits the delta time above).
Add an FT_DOUBLE field type (although we don't yet have anything using
it).
svn path=/trunk/; revision=666
Move some defines that would be used even by a non-GTK+-based Ethereal
from "gtk/main.h" to "globals.h".
Remove the byte-order #defines from "packet.h", as they're now in
"globals.h" (having been moved there from "gtk/main.h").
Fix up some files that use those #defines to include "globals.h".
"resolv.c" doesn't use any GTK stuff, so it needn't include <gtk/gtk.h>
nor "gtk/main.h" - it only did so to get the byte-order #defines for the
benefit of "packet-ipv6.h", and "packet-ipv6.h" now includes them
itself.
svn path=/trunk/; revision=649
Frame protocol (that being what this dissects).
If you're cutting up something into bitfields, the bitfield dissection
returned by "dissect_bitfield_XXX()" should be the first text on the
line - if not, then if the text items that come before the various
bitfields aren't all the same length, the bits don't line up.
Cope with packets from one of Gilbert's captures, where the sender
"name" in some NBF datagrams isn't a NetBIOS name, it's 10 octets of 0
followed by a MAC address!
The "name type" in the "Data2" field of NBF frames is 0x00 for unique
names and 0x01 for group names, not a "16th character of a NetBIOS name"
name type.
Fix up various other things.
svn path=/trunk/; revision=633
in the IPX header, and have the dissectors it calls use it rather than
being passed the length as an argument.
Treat both packet type 20 ("WAN Broadcast") and 4 ("IPX", although 3 is
also "IPX", according to Network Monitor) as potentially being NetBIOS
packets.
The packet types for the IPX NetBIOS socket (0x0455) and the NWLink
sockets (0x0551 and 0x0553) are different (perhaps because there's one
socket for the 0x0455 NBIPX, so you have to do name service and datagram
service and have the packet types distinguish them, but NWLink has
separate sockets for name service and datagram service).
The packet type for name service and for datagram service are at
*different locations* in the packet, which is unfortunate if you want to
use the packet type to distinguish name service and datagram service
packets. Use the packet length, for now, to distinguish them, with
socket 0x0455.
Dissect datagram packets differently from name service packets.
Export "packet-netbios.c"'s "netbios_add_name()" routine, and use it
when dissecting NBIPX packets as well.
Label NBIPX packets as "NBIPX" rather than "NetBIOS".
svn path=/trunk/; revision=627
of option code, one octet of length (which includes the two option code
and length bytes), followed by 0 or more octets of option data, with
some options being fixed-length and some being variable-length. Put
some stuff from the PPP control protocol option parsing code into the
IP-and-TCP option parsing code, and use the latter instead of the
former.
(That code might also be usable for CDP as well, with some stuff added
to it.)
Shuffle the arguments to "dissect_ip_tcp_options()" to resemble those of
various other dissectors (i.e., with the "proto_tree *" at the end).
Add in code to dissect a pile of PPP options documented in various RFCs.
svn path=/trunk/; revision=601
Add in the Identification and Time Remaining codes for LCP.
Add in a pile of other LCP options, albeit without anything more than
names for now.
Don't say "1 bytes", say "1 byte".
Don't use "dissect_data()" to dissect part of a *CP packet, and don't
dissect opaque data if there're zero bytes of it.
svn path=/trunk/; revision=578
Have a common routine to parse both LCP and IPCP, as IPCP is based on
LCP.
Have only one "value_string" array of PPP protocol types, with all the
types we know about.
svn path=/trunk/; revision=577
Don't treat the CDP header as an in-memory data structure; that might
cause problems if it's not aligned on a 2-byte boundary.
Make the type and length fields of a TLV unsigned.
Correctly check for the end of the (captured part of the) frame.
Show most TLVs as "expandable" entries, where they expand into type,
length, and data entries.
Dissect "unknown" TLVs.
svn path=/trunk/; revision=573
"FDDI with the MAC addresses bit-swapped"; whether the MAC addresses are
bit-swapped is a property of the machine on which the capture was taken,
not of the machine on which the capture is being read - right now, none
of the capture file formats we read indicate whether FDDI MAC addresses
are bit-swapped, but this does let us treat non-"libpcap" captures as
being bit-swapped or not bit-swapped independent of the machine on which
they're being read (and of the machine on which they were captured, but
I have the impression they're bit-swapped on most platforms), and allows
us to, if, as, and when we implement packet capture in Wiretap, mark
packets in a capture file written in Wiretap-native format based on the
machine on which they are captured (assuming the rule "Ultrix, Alpha,
and BSD/OS are the only platforms that don't bit-swap", or some other
compile-time rule, gets the right answer, or that some platform has
drivers that can tell us whether the addresses are bit-swapped).
(NOTE: if, for any of the capture file formats used only on one
platform, FDDI MAC addresses aren't bit-swapped, the code to read that
capture file format should be fixed to flag them as not bit-swapped.)
Use the encapsulation type to decide whether to bit-swap addresses in
"dissect_fddi()".
svn path=/trunk/; revision=557
file, instead of throwing out all but LANE or RFC 1483 data frames and
pretending that the former are just Ethernet or Token-Ring frames.
Add some level of decoding for ATM LANE, but not all of it; the rest,
including decoding non-LANE frames, is left as an exercise for somebody
who has captures they want to decode, an interest in decoding them, ATM
expertise, and time....
svn path=/trunk/; revision=523
bunch of source files.
Replace the "payload" field of a "packet_info" structure with "len" and
"captured_len" fields, which contain the total packet length and total
captured packet length (including all headers) at the current protocol
layer (i.e., if a given layer has a length field, and that length field
says its shorter than the length we got from the capture, reduce the
"pi.len" and "pi.captured_len" values appropriately). Those fields can
be used in the future if we add checks to make sure a field we're
extracting from a packet doesn't go past the end of the packet, or past
the captured part of the packet.
Get rid of the additional payload argument to some dissection functions;
use "pi.captured_len - offset" instead.
Have the END_OF_FRAME macro use "pi.captured_len" rather than
"fd->cap_len", so that "dissect the rest of the frame" becomes "dissect
the rest of the packet", and doesn't dissect end-of-frame padding such
as padding added to make an Ethernet frame 60 or more octets long. (We
might want to rename it END_OF_PACKET; if we ever want to label the
end-of-frame padding for the benefit of people curious what that extra
gunk is, we could have a separate END_OF_FRAME macro that uses
"fd->cap_len".)
svn path=/trunk/; revision=506
N^2 in the ultimate size of the list (as "g_list_append()" is linear in
the size of the list, at least when used in the way the GLib
documentation says to use it); instead, maintain our own linked list of
"frame_data" structures for all packets read, including a pointer to the
last element.
"gtk_clist_set_row_data()" is linear in the row number, so if it's used
to attach a pointer to the "frame_data" structure for a packet to the
packet list GtkClist row for each packet, that's also N^2 in the number
of packets in that packet list; instead, store the row number in the
"frame_data" structure, and find the packet for a given row by scanning
the list for it (we were already scanning the list linearly to find that
packet's index in the list of all packets; that's only done when a
packet's selected, so it's not *too* bad, but it might be nice to avoid
having to do that scan).
svn path=/trunk/; revision=457
SDLC-derived protocols such as HDLC and derivatives of it such as LAPB,
IEEE 802.2 LLC, and so on. Have the LLC and LAPB dissectors use it.
Make "dissect_numeric_bitfield()" put the low-order bit of the bitfield
in the low-order bit of an integer when printing it, so that the right
value is printed.
svn path=/trunk/; revision=434
wiretap support for RADCOM Ltd.'s WAN/LAN analyzers (see
http://www.radcom-inc.com/
). Note: as I remember, IEEE 802.2/ISO 8022 LLC has somewhat of an SDLC
flavor to it, just as I think LAP, LAPB, LAPD, and so on do, so we may
be able to combine some of the LLC dissection and the LAPB dissection
into common code that could, conceivably be used for other SDLC-flavored
protocols.
Make "S" a mnemonic for "Summary" in the "Tools" menu.
Move the routine, used for the "Tools/Summary" display, that turns a
wiretap file type into a descriptive string for it into the wiretap
library itself, expand on some of its descriptions, and add an entry for
files from a RADCOM analyzer.
Have "Tools/Summary" display the snapshot length for the capture.
svn path=/trunk/; revision=416
string pointer from the result of ip_to_str (statically allocated string).
Use the ip_src and the new field ip_dst in follow.c to build a correct
string display filter.
svn path=/trunk/; revision=408
COL_INFO columns resize automatically even during a live
capture;
columns showing network addresses never resize automatically;
other columns resize only when a capture is done;
and make all columns resizeable by hand (once they've resized, for
auto-resizeable columns).
svn path=/trunk/; revision=394
problems with single bit fields when declared as an enumerated field.
It shows an unknown ... Damn ... Can't see what the problem is.
svn path=/trunk/; revision=353
new proto_tree routines. I also removed the check for lex and yacc from
wiretap's configure script. The IP dissector now uses
proto_register_field_array().
svn path=/trunk/; revision=348
mechanism that is built into ethereal. Wiretap is now used to read all
file formats. Libpcap is used only for capturing.
svn path=/trunk/; revision=342
changed by updating those columns showing the time in the
"command-line-specified" format, not by redoing the entire packet list
display; that way, the display continues to show the same packets and
any packet the user selected remains selected. (It's also less work to
do that - you don't have to re-dissect the packet.)
Turn "redisplay_packets()" into "filter_packets()", and do some other
cleanups.
svn path=/trunk/; revision=325
"gtk_toggle_button_set_active()" to set the state of radio buttions;
"gtk_toggle_button_set_active()" doesn't exist in GTK+ 1.0[.x], and
"gtk_toggle_button_set_state()" is an alias for it in GTK+ 1.2[.x].
Compute the column widths in the summary display based on the longest
string in the column; recompute it whenever we update the columns.
svn path=/trunk/; revision=319
to use the decode_*_bitfield() routines. This needed to happen anyway, but
I finally made the change so that I can figure out how I'm going to handle
bitfield fields in my experiment of changing the implementation of the
protocol tree in ethereal.
svn path=/trunk/; revision=311
doesn't modify anything pointed to by that argument, and that keeps us
from getting complaints if we pass a "const gchar *" to it.
svn path=/trunk/; revision=306
the NCP field table structure so that it is easier to add new request/reply
types. I even added a new type myself. There's still more work to be done;
so for now ignore the warnings that gcc emits.
svn path=/trunk/; revision=287
if you have the UCD or CMU SNMP library available. If you have the SNMP
library but do not with to have SNMP support, use the
./configure --disable-snmp
option. Otherwise 'configure' finds the SNMP library and uses it.
svn path=/trunk/; revision=281
can be used by dissectors other than ARP to display byte arrays as
strings of hex digits.
Add a routine to extract a null-terminated Unicode string and turn it
into an ISO 8859-1 string for display. (Ultimately, we should determine
what character sets the X server or printer or whatever can handle, and
turn it into the appropriate character set.)
Display the challenge in "core-to-LANMAN-2.1" Negotiate Protocol
responses as a string of hex digits - but only if the length is
non-zero. (It's a counted array, not a null-terminated string.)
Display some additional security mode bits in an NT LM 0.12 Negotiate
Protocol response.
Display some additional bits in the "capabilities" field of the
Negotiate Protocol response.
Display the challenge in an NT LM 0.12 Negotiate Protocol response as a
string of hex digits (it's a counted array, not a null-terminated
string).
Display the domain name as Unicode in an NT LM 0.12 Negotiate Protocol
response if the capabilities field has the "supports Unicode" bit set
(no, not the "Unicode" bit in the "flags2" field - NT doesn't set that
in the response, even though it sends the domain name over in Unicode!).
Display some additional bits in the "flags2" field of an SMB.
svn path=/trunk/; revision=275
the table of dissect functions that IPX needs only needs to store pointers to
on type of function. Now all super-IPX protocols have an 'int max_data' argument.
svn path=/trunk/; revision=267
Squelch another "variable may be used without being initialized"
complaint (also due to insufficiently sophisticated dataflow analysis by
EGCS 1.1), and a number of "unused variable" complaints, as well as
"assigning a 'const XXX *' to an 'XXX *'" complaints.
svn path=/trunk/; revision=266
but not the responses, and do not handle the ANDX part yet,
but I have a Linux course to develop, so that is enough for
now.
svn path=/trunk/; revision=261
helper routines for packet dissecting, and away from "util.c", which is
now all GUI-related. (Among other things, this makes life more pleasant
for Gilbert Ramirez's "tethereal" stuff, although a lot more separation
of GUI from other stuff needs to be done to make that - or a
"curses"-based variant of Ethereal, or a variant using some other GUI
toolkit - work smoothly.)
svn path=/trunk/; revision=235
proto*() functions. The configure script tries to use ipv6 name resolution if
it knows the type of ipv6 stack the user has (this can be avoided with the
--disable-ipv6 switch) Additionally, the configure script now deals with wiretap
better. If the user doesn't want to compile wiretap, the wiretap is never
visited. A few unnecessary #includes were removed from some wiretap files, and
a CPP macro was moved from bpf.c to wtap.h.
svn path=/trunk/; revision=229
reference the protocol tree with struct proto_tree and struct proto_item
objects. That way, the packet decoding source code file can be used with
non-gtk packet decoders, like a curses-based ethereal, e.g. I also re-arranged
some of the information in packet.h to more appropriate places (like other
packet-*.[ch] files).
svn path=/trunk/; revision=223
"dissect_data"; if you call "dissect_data()" with an argument list of
the type expected by a "capture_XXX()" routine, it won't do the right
thing (and may do the wrong thing, e.g. crash).
Have "sap_capture_func()" (and "sap_dissect_func()") return function
pointers rather than "void *"s, so that I don't make a mistake like the
above in the future....
svn path=/trunk/; revision=219
of variable as a bit field container. ANSI specs only allow unsigned ints
to host bit fields; IBM's C compiler is very ANSI-strict.
svn path=/trunk/; revision=183
their arguments, so make those arguments pointers to 'const", so that we
don't get complaints if somebody hands them a pointer to "const".
svn path=/trunk/; revision=158
and NBNS requests.
Put the opcode in the COL_INFO field for DNS requests (it was already
there for NBNS requests).
Don't assume a DNS or NBNS request is neatly aligned on a 2-byte
boundary (it might not be if, for example, the packet is an FDDI
packet).
svn path=/trunk/; revision=153
This necessitated a change in ethereal because iptrace supports multi-NIC
packet capturing, including multi-datalink-type capturing.
svn path=/trunk/; revision=145
for the queries or replies first, then create and add the subtree and
populate it, and, when that's done, set the length of the item
appropriately; if you add the subtree later, the subtree's top-level
node appears to have level 0, rather than 1 greater than the tree of
which it's a subtree, which causes those trees not to print correctly.
svn path=/trunk/; revision=122
Use that routine in "ethertype()".
Have "dissect_arp()" handle hardware addresses that aren't
6-byte Ethernet addresses and protocol addresses that aren't
4-byte IPv4 addresses - currently, it just prints the first 16
hex digits, but it could be made to handle other types specially
just as it handles 6-byte Ethernet and 4-byte IPv4 addresses.
Have it decode a more complete set of hardware address types.
svn path=/trunk/; revision=78
1455.
Make the arguments to "val_to_str()" and "match_strval()" that
point to things those routines don't modify pointers to "const",
and make the "value_string" tables passed into those routines in
"packet-ip.c" "const".
svn path=/trunk/; revision=72
it returns NULL, formats the value with the format passed in as
an argument, and returns a pointer to that static buffer.
Change several "match_strval()" calls to use "val_to_str()".
In "dissect_ospf()", use "match_strval()" to look up the packet
type, and use "Unknown" if it doesn't find a match.
svn path=/trunk/; revision=66
* Hacks to the filter interface (Gerald)
* About box (Laurent)
* AppleTalk support (Simon)
* Mods to the match_strval routine (Gerald)
svn path=/trunk/; revision=61
Give a detailed display of the innards of NBNS-over-UDP packets. Export
some stuff from the DNS decoder for the use of the NBNS decoder (NBNS is
DNS-like).
Give a more detailed display of the innards of DNS packets as well.
Fix a couple of minor NBNS bugs.
svn path=/trunk/; revision=55