to tethereal. It could be added to Ethereal, but the GUI changes to
allow the user to select PDML as a print format have not been added.
Provide a python module (EtherealXML.py) to help parse PDML.
Provide a sample app (msnchat) which uses tethereal and EtherealXML.py
to reconstruct MSN Chat sessions from packet capture files. It produces
a nice HTML report of the chat sessions.
Document tethereal's PDML and EtherealXML.py usage in doc/README.xml-output
Update tethereal's manpage to reflect the new [-T pdml|ps|text] option
svn path=/trunk/; revision=9180
argument, and puts the appropriate exception indication into the tree.
In "dissect_frame()", do a CATCH_ALL for exceptions, and pass the
exception code to "show_exception()".
svn path=/trunk/; revision=8758
One can now select a packet and mark it as a TimeReference packet using the menu.
A TimeReference packet will be indicated by having all timestamp related column entries replaced by the string *REF*
A TimeReference packet will always be displayed in the packet pane, and overrides any display filters.
When a frame is a TimeReference frame, all later frames will calculate the TimeRelativeToFirstPacket relative to the timestamp of the TimeReference frame instead of the first frame of the capture.
You can have any number of TimeReference frames you like.
svn path=/trunk/; revision=8459
Add a bunch of capture types discovered by stuffing them into Windows
Sniffer captures and seeing what a Sniffer thought they were. Add
support for writing at least some of them.
svn path=/trunk/; revision=7265
that have direction information.
Support writing WTAP_ENCAP_FRELAY_WITH_PHDR and WTAP_ENCAP_PPP_WITH_PHDR
captures out in libpcap format - we throw away the direction
information, but so it goes.
When reading/writing Windows Sniffer format, read and write the
direction flag.
svn path=/trunk/; revision=7052
WTAP_ENCAP_ISDN encapsulation type, which includes a pseudo-header
giving the direction (user-to-network or network-to-user) and the
channel number.
Add a new circuit type, using the ISDN channel number as the circuit ID.
Add an ISDN dissector to put the direction and channel number into the
protocol tree and to call the appropriate dissector for the payload
based on the channel (LAPD for the D channel; V.120, PPP, or data for B
channels, based on some heuristics).
svn path=/trunk/; revision=6521
One example extension is rpcstat.
Try -Z rpc,rtt,100003,3 as argument to tethereal when reading a capture
containing NFSv3 packets.
tap-rpcstat.[ch] is intended to demonstrate the api and can be used to
base other extensions on.
svn path=/trunk/; revision=6175
Put "bytes" after the byte counts for the frame sizes in the
top-level item for the "Frame" protocol, to make it clearer
what they refer to.
Put the source and destination MAC addresses into the top-level
item for Ethernet.
svn path=/trunk/; revision=6090
DOCSIS support, including support for "Ethernet" captures where
the raw frame is a DOCSIS frame rather than an Ethernet
frame (some Cisco cable-modem head-end gear can send out a
trace of all traffic on an Ethernet, but what it sends are
the raw bytes of DOCSIS frames, not Ethernet frames)
Get rid of second AUTHORS entry for Devin Heitmueller, merging its item
into the older entry.
Clean up the order of some lists of plugin items.
svn path=/trunk/; revision=5861
frame is marked, so that you can use Find Frame to find the next marked
frame, and can filter the display to show only marked frames.
Update the documentation to note that "frame.marked" is set on marked
frames.
svn path=/trunk/; revision=5377
WTAP_ENCAP_CHDLC; check whether it's null before using it.
Use FROM_DCE rather than 0x80 to check the "this is DCE->DTE" bit in
"x25.flags".
svn path=/trunk/; revision=5148
RPC and NDMP.
Show the RPC-over-TCP fragment header as a tree with bitfields below it.
Add a routine to show a reported bounds error as an "Unreassembled
Packet" or a "Malformed Packet" depending on whether "pinfo->fragmented"
is set, and have NBNS and RPC use that.
Add "ett_ndmp_file_stats" to the list of ett_ values to be initialized
(it wasn't in that list, and wasn't getting initialized).
When freeing up various hash tables and memory chunks in the RPC
dissector, zero out the pointers to them, just to make sure we don't try
to free them again.
Always destroy the TCP segment key and address memory chunks in
"tcp_desegment_init()", regardless of whether TCP desegmentation is
enabled - we don't *allocate* them if TCP desegmentation isn't enabled,
but we should free them even if it's not enabled. Also, when we free
them, set the pointers to them to null, so we don't double-free them.
Supply to subdissectors called from the TCP dissector the sequence
number of the first byte handed to the sub dissector.
svn path=/trunk/; revision=4753
arguments to "proto_tree_add_text()", and to "proto_tree_add_XXX()" calls
that add FT_NONE or FT_PROTO items to the protocol tree, with -1.
Replace some calls to "tvb_length()" or "tvb_length_remaining()" with
calls to "tvb_reported_length()" and "tvb_reported_length_remaining()",
as those give the actual length of the data in the packet, not just the
data that happened to be captured.
svn path=/trunk/; revision=4605
"epan/..." pathnames, so as to avoid collisions with header files in any
of the directories in which we look (e.g., "proto.h", as some other
package has its own "proto.h" file which it installs in the top-level
include directory).
Don't add "-I" flags to search "epan", as that's no longer necessary
(and we want includes of "epan" headers to fail if the "epan/" is left
out, so that we don't re-introduce includes lacking "epan/").
svn path=/trunk/; revision=4586
setting the "pinfo->fragmented" flag.
If a ReportedBoundsError occurs, flag the frame as being an
unreassembled packet, not an unreassembled fragmented packet, as it may
have been segmented across TCP segment boundaries rather than being part
of an IPv4/IPv6/CLNP/etc. fragmented/segmented packet.
svn path=/trunk/; revision=4558
"dissect_frame()" to indicate whether a ReportedBoundsError was due to
the packet being malformed (i.e., the packet was shorter than it's
supposed to be, so the dissector went past the end trying to extract
fields that were supposed to be there) or due to it not being
reassembled (i.e., the packet was fragmented, and we didn't reassemble
it, but just treated the first fragment as the entire packet, so the
dissector went past the end trying to extract fields that were partially
or completely in fragments after that). Mark the latter as being
unreasembled rather than malformed.
Properly initialize, save, and restore that field, and properly set it,
so that works.
svn path=/trunk/; revision=4555
packet" rather than a "malformed frame" - the packet in question might
be part of a link-layer frame or might span more than one link-layer
frame.
svn path=/trunk/; revision=4497
structure to the "packet_info" structure; only stuff that's permanently
stored with each frame should be in the "frame_data" structure, and the
"column_info" structure is not guaranteed to hold the column values for
that frame at all times - it was only in the "frame_data" structure so
that it could be passed to dissectors, and, as all dissectors are now
passed a pointer to a "packet_info" structure, it could just as well be
put in the "packet_info" structure.
That saves memory, by shrinking the "frame_data" structure (there's one
of those per frame), and also lets us clean up the code a bit.
svn path=/trunk/; revision=4370
specifies how the selector values used as keys in those tables are to be
displayed, and the title to use when displaying the table.
Use that information in the code to display the initial and current
entries of various dissector tables.
Have the dissector for BACnet APDUs register itself by name, and have
the BACnet NPDU dissector call it iff the BAC_CONTROL_NET bit isn't set,
rather than doing it with a dissector table.
svn path=/trunk/; revision=4358
general packet analyzing, but useful when developing wiretap code or
other such low-level development.
Default preference is *not* to show File Offset.
svn path=/trunk/; revision=4120
protocols, in addition to adding structures to the list of filterable
fields. Give it an extra argument that specifies a "short name" for the
protocol, for use in such places as
pinfo->current_proto;
the dialog box for constructing filters;
the preferences tab for the protocol;
and so on (although we're not yet using it in all those places).
Make the preference name that appears in the preferences file and the
command line for the DIAMETER protocol "diameter", not "Diameter"; the
convention is that the name in question be all-lower-case.
Make some routines and variables that aren't exported static.
Update a comment in the ICP dissector to make it clear that the
dissector won't see fragments other than the first fragment of a
fragmented datagram.
svn path=/trunk/; revision=2810
or "[Malformed Frame]" to the Info column.
Make some dissectors set the Protocol column and clear the Info column
before fetching anything from the tvbuff they were handed, so that if
the frame is short or malformed, it'll be marked as being the right
top-level protocol, and the Info column won't have cruft left over from
the previous protocol.
svn path=/trunk/; revision=2800
dissect_fddi_not_bitswapped() and dissect_fddi_bitswapped(), both of which
use the standard 3-argument tvbuffified-dissector argument list.
Add a dissector table called "wtap_encap" which is used to call dissectors
from dissect_frame(). The switch() statement from this top-level dissector
is removed.
The link-layer dissectors register themselves with the "wtap_encap"
dissector table. The dissectors are now static where possible.
svn path=/trunk/; revision=2708
Add in stuff for a bunch of libpcap formats either in libpcap 0.5.2 or
in the current CVS version; we don't implement all of them in
Ethereal/Wiretap (those are "#if 0"ed out), but we do implement the IEEE
802.11 stuff (which isn't yet in libpcap or tcpdump, but the CVS version
of libpcap *does* reserve 105 as the encapsulation type number for
802.11).
svn path=/trunk/; revision=2646
"top-level" dissectors that libepan-users call, instead of dissect_packet().
The epan_dissect_t holds the tvbuff after dissection so that the tvbuff's
memory is not cleared until after the proto_tree is freed. (I might stuff
the proto_tree into the epan_dissect_t, too).
What remains of dissect_packet() in packet.c handles the tvbuff initialiation.
The real meat of dissect_packet() is now in dissect_frame(), in packet-frame.c
This means that "packet.c" is no longer a dissector, os it is no longer
passed to make-reg-dotc.
Once dissect_fddi() gets two wrapper functions (dissect_fddi_swapped()
and dissect_fddi_nonswapped()), the a dissector handoff routine could
be used instead of the switch statement in dissect_frame(). I'd register
a field like "wtap.encap"
svn path=/trunk/; revision=2478
Richard Sharpe