Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.
This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.
If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
"User" sounds as if the blocks belong to the user; at most, the current
user might have modified them directly, but they might also have, for
example, run a Lua script that, unknown to them, modified comments.
Also, a file might have "user comments" added by a previous user, who
them wrote the file and and provided it to the current user.
"Modified" seems a bit clearer than "changed".
Mostly functioning proof of concept for #14329. This work is intended to
allow Wireshark to support multiple packet comments per packet.
Uses and expands upon the `wtap_block` API in `wiretap/wtap_opttypes.h`.
It attaches a `wtap_block` structure to `wtap_rec` in place of its
current `opt_comment` and `packet_verdict` members to hold OPT_COMMENT
and OPT_PKT_VERDICT option values.
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.
Replace most instances of ws_debug_printf() except in
epan/dissectors and dissector plugins.
Some replacements use printf(), some use ws_debug(), and
some were removed because they were dead or judged to be
temporary.
Adds a pre-commit hook for detecting and replacing
occurrences of `g_malloc()` and `wmem_alloc()` with
`g_new()` and `wmem_new()`, to improve the
readability of Wireshark's code, and
occurrences of
`g_malloc(sizeof(struct myobj) * foo)`
with
`g_new(struct myobj, foo)`
to prevent integer overflows
Also fixes all existing occurrences across
the codebase.
Systemd journal entries aren't file-type-specific; they're found in both
systemd journal entry blocks in pcapng files and in systemd journal
export files. Give it a record type, for use with both file types.
This fixes#16955.
It also means that you can open a systemd journal export file and save
it as a pcapng file.
Move the maximum number of tree items and maximum tree depth to
preferences instead of hardcoded values. Refer to issue #12584 for
an example VNC capture where real data exceeds the current limit.
FT_STRINGZPAD is for null-*padded* strings, where the field is in an
area of specified length, and, if the string is shorter than that
length, all bytes past the end of the string are NULs.
FT_STRINGZTRUNC is for null-*truncated* strings, where the field is in
an area of specified length and, if the string is shorter than that
length, there's a null character (which might be more than one byte, for
UCS-2, UTF-16, or UTF-32), and anything after that is not guaranteed to
have any particular value.
Use IS_FT_STRING() in some places rather than enumerating all the string
types, so that those places get automatically changed if the set of
string types changes.
The matched entry is bubbled to the head of the list for
faster future search.
Change-Id: I47375515f43387adbe0652556c03f0979a8dbe85
Reviewed-on: https://code.wireshark.org/review/37395
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
This is done to limit parsing errors.
Update documentation of function parameters to remove confusion with dissectors.
Bug: 16106
Change-Id: I6b2cd0badaaf6217fb80bdc411a86cad5e6b07ca
Reviewed-on: https://code.wireshark.org/review/35267
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
These environment variables are read very frequently, read them once to
globals for performance improvment.
Change-Id: I4f05a5edca85b370674cc5f85fce40bd1af695cb
Reviewed-on: https://code.wireshark.org/review/34449
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a simple helper function to get the dissector handle that's
currently selected in a given payload dissector table.
We have similar functions already for string and uint dissector tables.
Change-Id: Ia1092fe2b8d038bae2b26db99fd08cd9d6979fcd
Reviewed-on: https://code.wireshark.org/review/33933
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Some patches have done one same thing, that is checking the
existence of both handle and dissector before further operating.
Based on this, one missed spot was found.
Bug: 15852
Change-Id: I11ef51aa1aa3fab305203df931882a19cd6670f8
Reviewed-on: https://code.wireshark.org/review/33706
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The TLS dissector relies on a stable value for pinfo->curr_layer_num
between passes to enable handshake reassembly and decryption. A mismatch
could occur if the subdissector accepted the data (len is non-zero), but
did not add any tree items (tree->tree_data->count remains unchanged).
The original change added the check for tree->tree_data->count in order
to remove protocol names that are not visible in the tree. This could
for example occur when the HTTP dissector accepts the data but requests
more data for reassembly.
This desire to hide protocols is understandable, so simply reverting the
change would not be ok. Checking pinfo->desegment_offset is also not
stable. So that leaves the current approach.
Change-Id: I247adafbaa6d23ab9397eadacabaed9e1bfde997
Ping-Bug: 15625
Fixes: v2.5.0rc0-1206-gcd90f732a1 ("Improve frame.protocols accuracy.")
Reviewed-on: https://code.wireshark.org/review/32919
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add the ability to specify maximum function counts for each group to
checkAPIs. Add maximum counts for the "termoutput" and "abort" groups
where needed. Show summaries in various checkAPI targets.
Switch uses of ws_g_warning back to plain g_warning.
Change-Id: I5cbddc8c671729e424eed8551f69116d16491976
Reviewed-on: https://code.wireshark.org/review/29721
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
IPv4 and v6 name resolution are bound to a capture file. Using a lua
script, it is possible to trigger a name resolution when no capture file
is open. This crashes Wireshark as the hash tables for name resolution
are not initialized at this time.
martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ip(\"1.1.1.1\"))" > bla.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla.lua
Segmentation fault
martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ipv6(\"::1\"))" > bla6.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla6.lua
Segmentation fault
Make sure that the hash tables are available as long as the epan library
is initialized. Add a new function host_name_lookup_reset(), call this
function every time we set up dissection for a new capture file. This
way, we keep the name resolution results separate per capture file.
Reorder the steps in init_dissection(). Host name lookup is now
available at all times, there's no need to be in file scope when it's
initialized.
Change-Id: I9599100d5f378b6a0f73dc630e4c8af3b3ffb2cc
Reviewed-on: https://code.wireshark.org/review/29398
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a "contained length" to tvbuffs. For non-subset tvbuffs, that's the
same as the reported length. For a subset tvbuff, that's the amount of
the reported data that was actually present in the "contained data" of
the parent tvbuff.
This is unaffected by the *captured* length of any tvbuff; that differs
from the contained length only if the capture was cut short by a
snapshot length.
If a reference is within the reported data, but not within the contained
data, a ContainedBoundsError exception is thrown. This exception
represents a protocol error, rather than a reference past the captured
data in the packet; we treat it as such.
Change-Id: Ide87f81238eaeb89b3093f54a87bf7f715485af5
Reviewed-on: https://code.wireshark.org/review/27039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Iff833bf5c197959c8decb62d6ce794c6d0415fb7
Reviewed-on: https://code.wireshark.org/review/26978
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
pinfo->pkt_encap is jsut a copy of pinfo->phdr->pkt_encap; no need for
the copy.
Expand a comment while we're at it.
Change-Id: I5fcfe694ecba42507f1d629d01440da0a0989501
Reviewed-on: https://code.wireshark.org/review/25643
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Some of the ASN.1 dissectors process their data indirectly through
dissector tables. Add dissector_try_string_new so that they can do so
without appending duplicate entries to frame.protocols.
Change-Id: If9e12d81f9d0cc5b3bf19816e675a0fb79d904a6
Reviewed-on: https://code.wireshark.org/review/24886
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
This is useful to implement language bindings (Lua, Python, etc) and
good practice in general.
Non-breaking change to the API.
Change-Id: I8d16c14880e5aa53212af8418c468a6ec3aa8954
Reviewed-on: https://code.wireshark.org/review/24814
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
DTLS decryption works for single-pass dissection, but breaks in the
second pass. Turns out that "curr_layer_num" has decremented in the
second pass, resulting in a failure to lookup the decrypted data.
This decryption issue was triggered by v2.3.0rc0-3740-ge1f84f985e
("Fix Decode As for protocols that may use tunneling.").
The first time the UDP dissector invokes "dissector_try_heuristic", the
second time "call_heur_dissector_direct". The first one increments
"curr_layer_num", so do the same in the second case.
Change-Id: I62679b817b02f42d073cfc07b88ec36d5bec5f04
Bug: 14243
Fixes: v1.11.4-rc1-468-g2cfda31ff0 ("Change the signature of dissector_try_heuristic() to return hdtbl_entry")
Reviewed-on: https://code.wireshark.org/review/24565
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Replace with conversation API that limits the "endpoint" to a single
uint32 value.
The intention is to eventually have "layered" endpoints, because circuit_id
was used in cases where src/dest port have already been populated (and
are used for layers above). Those src/dest ports should just be treated
as just another endpoint, but we currently only have support for one.
Change-Id: Ic6aa7ef0241275aa4dfde9459194369b48c72960
Reviewed-on: https://code.wireshark.org/review/24369
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Not used. Remove also weird pre-hash hash optimization in proto.c.
Change-Id: Ibebc12dbe90ac1d05fb1ba601d32fe98797fbd56
Reviewed-on: https://code.wireshark.org/review/24254
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
While we're at it, consistently use "name" as the name of the argument
giving the dissector table name.
Change-Id: Ied54c88d0d3dd467fe9067b008b49ead754c31a2
Reviewed-on: https://code.wireshark.org/review/24131
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Let's perform the check before potentially breaking the loop.
While we are at it, let's update the test to remove the last layer so as to
match the one used to add it.
Change-Id: I5807219de75c4e2c23b9435d6271ad60aec45783
Reviewed-on: https://code.wireshark.org/review/23844
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
During single-pass tshark dissection we can end up adding "Protocols in
frame: ...:tcp:http" to the tree even though we haven't dissected HTTP.
This may be true of other protocols as well.
Remove our last layer when we haven't added any items to the tree.
Decrement curr_layer_num as well. Update the layer logic in
dissector_try_heuristic to match call_dissector_work.
Change-Id: Ibc0591e774761e9496d056080c980243a0447066
Reviewed-on: https://code.wireshark.org/review/23508
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>