Add support for Entropy Extension header, currently with one field. Uses
a conversion function to convert representation to bits.
Add various entropy and tap mode Provenance (ERF_TYPE_META) tags.
The only complex tag is ext_hdrs_added/removed. This tag consist of up
to 4 big endian uint32 bitfields, with each bit representing an
extension header number. ehdr_type_vals and a new ehdr_type_vals_short
are used to generate the tags. Custom printing is used for the header
line to display unknown values as integer and support the special case
of <All>: all supplied bits 1 meaning all extension headers removed.
Storage for the up to 4 subtree header_field id entries is in the first
4 extra hf_values[] for now, the ett value is reused.
Increase erfmeta_tag_info_ext_t ERF_HF_VALUES_PER_TAG to 32. A better
solution is needed sooner rather than later but the structure is only
allocated for tags that need it.
Change-Id: I9e359f044131bce2afc189bebc21239eed429b21
Reviewed-on: https://code.wireshark.org/review/26111
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The parser is what declares the local yylval, and that's generated below
all the user-specified code, so we have to turn diagnostics off at the
bottom.
Change-Id: I33d5f53c1fd67014ae7fe2b851d45d0c5e80becd
Reviewed-on: https://code.wireshark.org/review/26086
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Berkeley YACC generates a global declaration of yylval, or the
appropriately prefixed version of yylval, in the .h file, *even though
it's been told to generate a pure parser, meaning it doesn't have any
global variables*. Bison doesn't do this.
That causes a warning due to the local declaration in the parser
shadowing the global declaration.
So, if this is Berkeley YACC, and we have _Pragma, and have pragmas to
suppress diagnostics, we use it to turn off -Wshadow warnings.
Change-Id: Ia3fecd99fa18ca9b85f6b25f53ed36c60730fad9
Reviewed-on: https://code.wireshark.org/review/26080
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We no longer use different compiler flags for generated and
non-generated files, so we don't need to put them into separate
libraries and then add the files from the generated library into the
main library.
Change-Id: Idbd35510ccb8c9107b4de4199c8b1bcaa6f7a060
Reviewed-on: https://code.wireshark.org/review/25831
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Use AM_CFLAGS for everything except for libdirtydissectors in
epan/dissectors. Rename GENERATED_CFLAGS/GENERATED_CXXFLAGS to
DIRTY_CFLAGS/DIRTY_CXXFLAGS, as it doesn't apply to all generated files.
Change-Id: I702b53e185d6972c08d68ef31c05df7b03669daa
Reviewed-on: https://code.wireshark.org/review/25829
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add warning C4267 (size_t to int conversion) with MSVC to DIAG_OFF_FLEX.
Addd -Wshorten-64-to-32 with Clang and GCC to DIAG_OFF_FLEX.
Don't explicitly use #pragma to turn off warnings; use DIAG_OFF_FLEX for
all of them.
If we use DIAG_OFF_FLEX, use DIAG_ON_FLEX, even if we have no section of
entirely included code at the end.
Change-Id: Ibfd44e8954704e9a8bcb1bd8e54f31d28357fffb
Reviewed-on: https://code.wireshark.org/review/25817
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Now that we're suppressing warnings that come from Flex generating
insufficiently fussy code, just treat many of the Lex-generated files as
clean; we don't seem to be getting warnings from Lemon-generated ones.
Change-Id: Ib53ced6d8cb80645234929afca343d047d30f7f7
Reviewed-on: https://code.wireshark.org/review/25813
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do it before we even *try* to read the block, so that it's done in one
place rather than having to be done in every routine to handle
particular block types.
The check was missing in the routine to read sysdig event blocks, so if
we got a huge sysdig even block we'd try to allocate a huge amount of
memory.
Bug: 14403
Change-Id: Iff0fb0387e4499420598361be6d241f2832042d7
Reviewed-on: https://code.wireshark.org/review/25702
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's only being used as a working buffer to hold the raw options data we
read in.
Change-Id: I17b812e447f575ad92394b9f957658fc655cdf8e
Reviewed-on: https://code.wireshark.org/review/25701
Reviewed-by: Guy Harris <guy@alum.mit.edu>
No need for len, and call caplen event_filelen and move it after
event_len.
Change-Id: I8b3825d4022ee083ee52f83f7a69f22829ed9fc4
Reviewed-on: https://code.wireshark.org/review/25698
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Go back to having pcapng_read_block() and
pcapng_read_section_header_block() treating SHB read errors that might
be due to the file not being a pcapng file separately from other errors.
This keeps us from treating pcapng files with malformed SHBs as not
being pcapng files, making us dissect them using the pcapng file
dissector rather than reporting the malformation.
Change-Id: I1d92cc4ac521668b88638b2b3ed5257340451798
Ping-Bug: 14402
Reviewed-on: https://code.wireshark.org/review/25675
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This avoids an illegal pointer to free() on error.
Bug: 14397
Change-Id: Id6e535141c7a3ee7b3d1822875b571e2199a5387
Reviewed-on: https://code.wireshark.org/review/25660
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Not all do, so test the preference bits for them.
Change-Id: I62976f5d17de3611c4d2f9eb64a0763c0b698c8d
Reviewed-on: https://code.wireshark.org/review/25618
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Not everything wtap_read() returns is a packet.
Change-Id: I3784bbfa308da52f4c55db2a90f9b55f8bfbb2ef
Reviewed-on: https://code.wireshark.org/review/25617
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Some blocks should be returned by wtap_read(), others are just processed
internally. Add a Boolean flag to wtapng_block_t, have the routines
that read particular block types set it appropriately, and have the read
and seek-read routines check that flag rather than checking for the
block types that should be returned. Pass a pointer to the
wtapng_block_t to packet type plugin read routines, rather than passing
it some members of the wtapng_block_t.
This means that 1) for new block types, we don't have to update any
tests and 2) plugin handlers for block types can indicate whether they
processed the block internally and the caller shouldn't see it or 2) the
block should be provided to the caller.
Bug: 14388
Change-Id: Iccc2031a277f55c7fa8b4f692c776b482b792b4f
Reviewed-on: https://code.wireshark.org/review/25609
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It either returns "OK" or "fail", so we might as well make it a Boolean.
While we're at it, in pcapng_open(), handle EOF/short read and "invalid
file" errors when trying to read the first block differently; for the
first of those, we don't need to free *err_info, and this may be a bit
safer in case *err_info didn't happen to be set to NULL somewhere along
the line.
Change-Id: If8135624e3efb7838dceeb28e30e5c8c4b064786
Reviewed-on: https://code.wireshark.org/review/25608
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It either returns "OK" or "fail", so we might as well make it a Boolean,
just as is the case with read routines for other block types.
Update some comments while we're at it.
Change-Id: I40b378d4e3c3cfb96687298b22a6f8f9f78d9240
Reviewed-on: https://code.wireshark.org/review/25607
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If it's either going to be -1 or 1, and any value > 0 is "valid but
empty", that's just a Boolean, with -1 corresponding to false and 1
corresponding to true. Make it so.
Change-Id: Ib7418fe7573b5d2cd1e2ef5de601c0262c8d9de1
Reviewed-on: https://code.wireshark.org/review/25605
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check for "is an error" rather than "isn't OK".
Change-Id: Ib8f4ac44f70d71ff44658801e01807344032dd60
Reviewed-on: https://code.wireshark.org/review/25603
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A short read isn't a clear error when you don't have a magic number and
are doing "does this look somewhat like a file of this type" test, it's
probably an indication that it's *not* a file of that type.
Change-Id: Iab2f32e7d169a777c50a36958eeb4e82a3809227
Reviewed-on: https://code.wireshark.org/review/25602
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have pcapng_read_section_header_block(),
pcapng_read_section_header_block(), and pcapng_read_block() just return
errors when they get errors or get a non-SHB block; let pcap_open() turn
EOF, short read, and "bad file" into "not a pcapng file" rather than
"read error".
Change-Id: If018d21ffe3de3fe7eb1f8f2973f80f685c89274
Reviewed-on: https://code.wireshark.org/review/25601
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There are events, there are reports, and there are "here's metadata that
doesn't correspond to something that happened at this point in the
capture"; IDBs and NRBs are the third type.
Change-Id: I89e4f9bf51dc1be5766e8df61c6337ed3e484577
Reviewed-on: https://code.wireshark.org/review/25587
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't allow overriding of the block types we support in libwiretap - it
won't work anyway, as we check for those types first, and only look for
plugins for types we don't support.
Don't allow registering for any of the reserved types; if you aren't
going to use a local type, you have to get your type registered.
We *do* allow registering plugins for types that are registered but that
we don't support natively.
Change-Id: I2046d297b0503d3a77c83166b07ca226c0b18e82
Reviewed-on: https://code.wireshark.org/review/25583
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If merge_open_in_files() is going to fail, free files array to avoid memleak.
Found by clang.
Change-Id: I156c5f1c041cd7779ff0a0095bc2810f50768ab6
Reviewed-on: https://code.wireshark.org/review/25421
Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Should fix clang warning created by https://code.wireshark.org/review/#/c/25492.
Change-Id: Iafa31e24cd786a510f3a953d615df4cbc3930fa6
Reviewed-on: https://code.wireshark.org/review/25508
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I5d8797b68c53168d4c00be8c3c3a3325b370e38c
Reviewed-on: https://code.wireshark.org/review/25492
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Free state.bb in error path.
Found by clang.
Change-Id: Ic9f2e1383a5219de465a6f22f7b382ac8b1f9cbf
Reviewed-on: https://code.wireshark.org/review/25443
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Instead, just:
assume a file with the regular pcap magic number is a regular pcap
file, not an unhelpfully-modified-without-changing-the-magic-number
format such as one of the (fortunately, short-lived) memory-mapped
capture formats or the Nokia format;
reject a file with the memory-mapped-capture-finally-changed-the-
magic-number magic number, as they then changed the *new* format
without changing its magic number;
and don't even leave a provision for multiple formats using the
"nanosecond pcap" magic number - not even when reading from a file -
so we can punish bad behavior (which is what changing the format
without changing the magic number is).
This should get rid of the last place where, when reading a pcap file
from a pipe, the first packet isn't displayed as soon as it arrives.
Bug: 14345
Change-Id: I2fcb3354dc84cdd2d8ec749a0db883e56971c4b4
Reviewed-on: https://code.wireshark.org/review/25383
Reviewed-by: Guy Harris <guy@alum.mit.edu>
out.next is initialized to point to the beginning of the buffer when a
FILE_T is created, so it won't be null.
Change-Id: Ib29f713ab3c524c9c7d83e8d9f3bef89fde1d5b5
Reviewed-on: https://code.wireshark.org/review/25380
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't loop trying to read a full buffer from the input file.
If you're reading from a file, on UN*X or Windows, you should get the
entire read count unless you're fewer than buffer-size bytes from the
end of the file, in which case you should get what remains in the file.
If you're reading from a pipe, however, that could cause you to block
longer than necessary waiting for a full buffer rather than just for the
next chunk of data from the pipe - which might not be a bufferful, if
the program writing to the file is itself writing less-than-bufferful
chunks, as may be the case in, for example, a pipeline coming from a
live capture and with the intent that TShark display the packets as they
arrive.
While we're at it, if we're trying to do a seek and the seek takes place
within the buffer of uncompressed data, just adjust the position within
that buffer for forward seeks as well as backward seeks; this
substantially reduces the number of ws_lseek64() calls when making a
sequential pass through the file in Wireshark (e.g., running a tap or
filtering the display) and, as we purge the buffer after the
ws_lseek64(), substantically reduces the number of ws_read() calls in
that situation as well.
Have a data structure for a file data buffer, and use it for both the
"input" (compressed data) and "output" (uncompressed data) buffers.
Rename raw_read() to buf_read(), as it reads into a buffer.
Change-Id: I7982b3499a7613a993913a6db887054730764160
Ping-Bug: 14345
Reviewed-on: https://code.wireshark.org/review/25358
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Found via CID 1427615.
Change-Id: I519b3905d33b0b2aa3ce164810b9e6358f6df1bd
Reviewed-on: https://code.wireshark.org/review/25347
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>