Tshark poorly handles printing when using -T options where a field
contains newline, carriage return, or other special characters such as tab.
Bug: 14907
Change-Id: I94a797bb98b94aac254bcd2e6911b37192e9c91f
Reviewed-on: https://code.wireshark.org/review/28442
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
For each occurrence, if there was already an occurrence in the array, we
were just removing it. not freeing what it pointed to.
While we're at it, expand comments. and always check the array size with
"!= 0", not "> 0" - the value is unsigned, so they're equivalent, but
this makes the code more self-consistent.
Change-Id: I538f46b296a7721a39ba4366c2f6269e7e097b0d
Reviewed-on: https://code.wireshark.org/review/26328
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Some oddities with regard to file permissions have crept into
the repository. Reset execute rights on various files which do
not need them.
Change-Id: Ib05658072925d59fc682173673c5638d157a269a
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/25490
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I5b2006a74e95759afce518aaadfe47c54978476a
Reviewed-on: https://code.wireshark.org/review/24215
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Collects multiple values of the same field into an array.
Empty protocols are now written as empty objects to not conflict
with the same protocols in other packets.
Remove _score since it has no effect.
Bug: 12958
Change-Id: Ibe8ea9bc1e3e63dea1fe4eaf522fa38cad88a17f
Reviewed-on: https://code.wireshark.org/review/24171
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When using the Elasticsearch output but only printing the packet
summary with -P a segfault will occur because the empty packet
tree is not properly handled in this case.
Change-Id: I0c91314ae013785ae6dceabd6af33db4b836d1b2
Reviewed-on: https://code.wireshark.org/review/24153
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Currently, the Elasticsearch output exports the packet details and,
if -x is specified, the raw hex data.
This change adds the option of exporting the packet summary as well.
The default stays the same (packet details only), but now the existing
-P switch turns on printing of the packet summary. It also turns off
printing packet details, which can be turned back on with -V to print
both, and combined with -x to print all three: summary, details and
raw hex.
The packet summary is especially useful when exploring and visualizing
the data in Kibana, e.g. by displaying the summary "Info" field/column
in a table, as in the Wireshark GUI.
Change-Id: I2030490cfdd905572397bc3d5457ba49d805a5c4
Reviewed-on: https://code.wireshark.org/review/22716
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Refactors the ES output to use hash tables and lists in preparation
of deduplicating fields. ES 5.x allows those, but will only store
the last instance and discard any other without warning.
ES 6.x altogether refuses to accept documents containing
duplicate fields.
This change should not change the output of Tshark in any way.
A subsequent change will introduce the actual deduplication.
Bug: 12958
Change-Id: I329ef0878e33b42d65a53bcac977429d87cde3ca
Reviewed-on: https://code.wireshark.org/review/23042
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's not installed so like most other files it doesn't need or benefit
from the prefix.
Change-Id: I01517e06f12b3101fee21b68cba3bc6842bbef5c
Reviewed-on: https://code.wireshark.org/review/23751
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
It's not available at the old URL any more.
Change-Id: Id8baba5e02cf0e3227365f53a11caa054ef2c40f
Reviewed-on: https://code.wireshark.org/review/23165
Reviewed-by: Guy Harris <guy@alum.mit.edu>
color_t is 16-bit per channel, the print string assumes the usual 8-bit.
Use 8-bit per channel as per older patches proposed for bug 6682 via
color_t_to_rgb().
Change-Id: I7d71bc04e52376c0ecb598aedafa066f982de840
Ping-Bug: 6682
Reviewed-on: https://code.wireshark.org/review/23154
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Adds the --no-duplicate-keys option to tshark. If -T json is specified,
this option can be specified in order to transform the duplicate keys
produced by -T json into single keys with as value a json array of all
separate values.
Specifying --no-duplicate-keys changes the function which groups node
children that is passed to write_json_proto_tree. Instead of a function
that puts each node in a separate group (proto_node_group_children_by_unique)
a function is passed that groups children that have the same json key
together (proto_node_group_children_by_json_key). This will lead to
some groups having multiple values. Groups with multiple values are
written to the output as a json array. This includes normal json keys
but also keys with the "_raw" and "_tree" suffix.
If --no-duplicate-keys is specified with an option other than "-T json"
or "-T jsonraw" or without -T an error is shown and tshark will exit.
"Export Packet Dissections -> As JSON" in the GUI is hardcoded to use
the duplicated keys format.
Fixes one regression in the output where a filtered json key (-j) with
both a value and children would not have the "_tree" suffix added to the
json key containing the children.
Includes a little code cleanup (removes one instance of code
duplication and simplifies a while loop).
Fixes a memory leak (I thought this fix was already included in the
previous refactor patch but something must have gone wrong when updating
the patch so I'm including it again in this patch).
Bug: 12958
Change-Id: I401f8fc877b5c590686567c3c44cdb832e9e7dfe
Reviewed-on: https://code.wireshark.org/review/22166
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Refactors the print.c json output functions to be more intuitive and
to allow easy switching to single json keys with a json array of values
instead of duplicate json keys. With this commit the json output does
not change at all.
These changes have been tested on multiple decrypted http2 traces with
the following testing method:
- Save the pcap file as json with a build of the current master branch.
- Save the pcap file as json with a build of the master branch + this
commit.
- Compare the files for changes with the "cmp" utility.
No differences were found between files for multiple different decrypted
http2 traces. Printing with the "-x" or "-j" options also does not
produce any changes either.
Bug: 12958
Change-Id: Ibd3d39119c3a08906389aa8bbf4e2a2b21dd824e
Reviewed-on: https://code.wireshark.org/review/22064
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 6682
Change-Id: I19330d06aa3d5692503c61369c3c650d595971f5
Reviewed-on: https://code.wireshark.org/review/22077
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Some hf_ variables were "cached" in print.c to break dependency on (frame)
dissectors. They are no longer used (and check*.pl scripts found them)
Change-Id: Ib46e5f5e58da54b6d7a3f85586581507f653c55a
Reviewed-on: https://code.wireshark.org/review/22078
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Packet ranges are used only in the UI; move the packet range stuff into
libui.
Don't pass a print_args_t structure to libwireshark packet-printing
routines, just pass the few parameters they need. Move the declaration
of print_args_t into file.h.
Change-Id: Icff5991eea7d7d56f33b4716105895263d275bcf
Reviewed-on: https://code.wireshark.org/review/21308
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Modified tshark -T json -x output
Added tshark -T jsonraw output
json2pcap.py (can be used for basic packet editing by modifying json)
The modification in tshark -T json -x and new tshark -T jsonraw output
add into hex-data output in JSON also information on which position
each field is dissected in the original frame, what is the field length,
bitmask (for not byte aligned fields) and type. This information can be
used for latter processing. One use-case is json2pcap script which
assembles the protocol layers back together from upper to lowers layers,
which allows the basic packet modification/editing/rewriting.
Change-Id: Ibf948eb8fc7e3b0b51c12df6c3855f705a9c7925
Reviewed-on: https://code.wireshark.org/review/19990
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Modified epan/print.c to use function print_indent
Change-Id: Iefcb1e3c7813919c6af70d57a4f8a6f921595360
Reviewed-on: https://code.wireshark.org/review/20060
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The check*.pl scripts presume that files with the prefix "packet-"
are dissector files and therefore have different rules than other
files. Rather than trying to clarify that more with additional
directory information, just make any non-dissector file with
"packet-" filename prefix conform if it fails a "dissector specific"
check from the scripts.
Change-Id: I7cb52e1fad4ea62320492bb690904260f958aeb4
Reviewed-on: https://code.wireshark.org/review/19304
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 13192
Change-Id: Ibb2b3913716d31a3d5f600e1b6400fdf14a69ca4
Reviewed-on: https://code.wireshark.org/review/19075
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For fields that contain both a value and a subtree, print the value and
then create a new item with a _tree suffix for the subtree content
Bug: 13086
Change-Id: I5a3c96bf9895d87faff3925d439bb54b73769a3e
Reviewed-on: https://code.wireshark.org/review/18663
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kacer <kacer.martin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
- reinitialize the variable used to insert comma between packets when
performing a new export
- ensure that escaped ASCII characters are code on 4 digits characters
Change-Id: Ib557da4843f6b98f793b60e417260ebb27a38b99
Ping-Bug: 13073
Reviewed-on: https://code.wireshark.org/review/18598
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
And some comments in the case where we're converting the result of
time() - if your machine's idea of time predates January 1, 1970,
00:00:00 UTC, it'll crash on Windows, but that's not a case where a
*file* can cause the problem due either to a bad file time stamp or bad
time stamps in the file.
Change-Id: I837a438e4b875dd8c4f3ec2137df7a16ee4e9498
Reviewed-on: https://code.wireshark.org/review/18369
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I57dbb27cbf935dd31342639b315d1fc98bd27d77
Reviewed-on: https://code.wireshark.org/review/17895
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This prevents tshark from crashing when run with "-T fields -e data".
I5778b08c52119b5be1ec482be9417b3c4ba8ed62 mistakenly removed this line (this
'data' is a write_field_data_t rather than the print_data structure that
change was cleaning up).
Bug: 12616
Change-Id: I773e47f12f852e19a20ec29a43eb3a0953923173
Reviewed-on: https://code.wireshark.org/review/16415
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Description:
when -T json,ed or pdml used in conjunction with -e fields they would
always miss the last field.
in case of json and ek, if some fields in the middle are empty,
the generated json would be invalid.
sample for ek:
{ "_index": "packets-2016-06-30", "_type": "pcap_file",
"_score": null, "_source":
{ "layers": { "e212.mcc": ["255","262"] "frame.time_epoch":
["1426550400.004751510"], "e212.mnc": ["1","1"] } } }
command:
tshark -T ek -r C:\a.pcap -e e212.mcc -e frame.comment
-e frame.time_epoch -e e212.mnc > C:\test.json
note:
the comma is missing between e212.mcc and frame.time_epoch
Change-Id: I2efae0c48036cf6313e2a064453c8dbc49f38b09
Reviewed-on: https://code.wireshark.org/review/16226
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Martin Kacer <kacer.martin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
That makes failing to specify a format a compile-time error.
Change-Id: Iff0bda8be35b1e3acc97e4314657ceaff2b3d0be
Reviewed-on: https://code.wireshark.org/review/16218
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rename write_fields_proto_tree() to write_specified_fields(), and make
it static. Make write_fields_proto_tree() a wrapper around
write_specified_fields() that sets the format to FORMAT_CSV. Have
write_specified_fields() fail with an assertion if fields->format isn't
one of the known formats, to catch problems such as this in the future.
Don't fill in the "data" structure if we're not going to use it.
Change-Id: I11dbf448d72ca389f0e5fb8558a41b7eecf7c9a4
Reviewed-on: https://code.wireshark.org/review/16210
Reviewed-by: Guy Harris <guy@alum.mit.edu>
jmartin-usna