Each "packet" in the USB encapsulation formats for at least
Linux and Darwin corresponds to an OS-level USB request, so
the packets can be much larger than a USB-level packet.
The default max packet length of 256 KiB prevents Wireshark
from loading capture files that contain requests >256 KiB.
(Saving such a capture already works fine.)
Fix this by making the Linux, Darwin, and FreeBSD formats
use the same max packet length as the USBPCap format, which
is 128 MiB.
/home/pi/wireshark/wiretap/file_wrappers.c: In function ‘file_fdopen’:
/home/pi/wireshark/wiretap/file_wrappers.c:1136:27: error: comparison of integer expressions of different signedness: ‘__blksize_t’ {aka ‘long int’} and ‘unsigned int’ [-Werror=sign-compare]
if (st.st_blksize <= MAX_READ_BUF_SIZE)
^~
cc1: all warnings being treated as errors
Very large 64 bit files are supported, so the CAM Inspector and
Ixia Veriwave heuristics, which are fairly weak and either always
(CAM Inspector) or possibly (Veriwave) try to read the entire file
should stop their heuristics and make a decision after some reasonable
length.
Without this, the GUI freezes for seconds, minutes, or even hours
by merely clicking on a large file in the file chooser, as
wtap_open_offline attempts to determine the file type. The same issue
occurs in capinfos, captype, tshark, editcap, etc.
In addition, previously the CAM Inspector heuristics could give the wrong
result on very large files, because 10 * invalid_pairs could overflow
its guint32 and then end up comparing as less than valid_pairs.
Fix#17620
Support reloading a Lua FileHandler when this is in use for a
loaded capture file. Prompt to save the file if having unsaved
changes because the file must be reloaded.
Fixes#17615
The file type/subtype for built-in types are <=
wtap_num_builtin_file_types_subtypes - the plugin types are given
type/subtype values after the last built-in type/subtype value.
Fixes#17614.
If the *first* read for a packet gets an EOF, it means that there is an
EOF right at the point where you're reading, which means "no more
packets".
If you get an EOF on any *subsequent* reads for the packet, it means the
file was cut off in the middle of the packet's record, which is an error.
ws_debug() inserts the file name, line number, and function name into
the ws_debug() message (assuming the function name can be obtained from
a macro), so there's no need to include it in the text of the message
(we don't do so elsewhere).
This has a few effects on the behavior of wtap_get_compression_type()
and wtap_get_all_compression_type_extensions():
Make capinfos correctly report the compression type (instead of
saying gzip compressed for zstd and lz4 compressed files).
Makes files with the .zstd and .lz4 extension show up in the file
chooser when "Files of type" is set to something other than "All Files",
such as "All Capture Files" or "Wireshark/... pcapng"
Makes the UI not default to gzip compression when saving a file
compressed as zstd or lz4 (write support for zstd and lz4 doesn't
exist yet, and the GUI doesn't have hooks for it anyway, though
this can help as a prerequisite for later support for writing.)
Also replace a couple of assert() with ws_assert().
Update the PURPOSE in CMakeLists for zstd and lz4 to note that they
can be used to read compressed capture files.
The Ubuntu build commented on some spelling errors in executable code
files. Fix the errors that don't come from external files containing
the spelling errors (USB product and vendor IDs, PCI IDs, ASN.1
specifications), and fix some errors that don't show up in the
executable code files (e.g., in comments and variable names).
Use the same style of message for too-short block errors ("pcapng: total
block length XXX of {a,an} XXX is too small...").
Add an additional check for the "skip" Netflix cutom block, to make sure
it has enough room for the 4-byte "skipped" value.
wblock->internal is not initialized on pcapng_read_custom_block function
pcapng.c:3747:9: warning: Branch condition evaluates to a garbage value [core.uninitialized.Branch]
nettrace_3gpp_32_423.c:256:2: warning: Value stored to 'prev_pos' is never read [deadcode.DeadStores]
nettrace_3gpp_32_423.c:295:2: warning: Value stored to 'next_msg_pos' is never read [deadcode.DeadStores]
nettrace_3gpp_32_423.c:487:4: warning: Value stored to 'port_type_defined' is never read [deadcode.DeadStores]
Use compute_options_size() to get the total size of all the options, and
use write_options() to write out the options for those blocks, as we do
for other blocks.
Get rid of wtap_block_option_get_value_size() and
wtap_block_get_options_size_padded(); they're no longer needed, and
their notion of an option's "size" is "size in a pcapng file", so that
doesn't belong in code that's intended to support all file types.
Have a routine to read the Sniffer record header, and call that in
ngsniffer_read() and ngsniffer_seek_read(). Only call
ngsniffer_process_record() for frame records that we understand, so that
we only allocate a block for those rather than for records we don't
understand or for EOF records, potentially leaking them.
Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.
This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.
If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.
Move the extraction of the option value from the option content from the
callers of pcapng_process_uint32_option() to
pcapng_process_uint32_option() itself.
That way, add-on modules to handle block types not handled by the core
pcapng code can use pcap_process_options() to process a block's options
and can use the routines to handle the "standard" option value types to
handle particular options.
Also, allow both everything-is-little-endian and
everything-is-big-endian Custom Block types in pcap_process_options().
Have wsutil/exported_pdu_tlvs.h define the LINKTYPE_WIRESHARK_UPPER_PDU
TLV type and length values, as well as the port type values written to
files in EXP_PDU_TAG_PORT_TYPE TLVs.
Update the comment that describes the LINKTYPE_WIRESHARK_UPPER_PDU TLVs
to more completely and correctly reflect reality (it was moved from
epan/exported_pdu.h to wsutil/exported_pdu_tlvs.h).
Rename those port type values from OLD_PT_ to EXP_PDU_PT_; there is
nothing "old" about them - yes, they originally had the same numerical
values as the PT_ enum values in libwireshark, but that's no longer the
case, and the two are now defined independently. Rename routines that
map between libwireshark PT_ values and EXP_PDU_PT_ values to remove
"old" from the name while we're at it.
Don't include epan/exported_pdu.h if we only need the
LINKTYPE_WIRESHARK_UPPER_PDU definitions - just include
wsutil/exported_pdu_tlvs.h.
In extcap/udpdump.c, include wsutil/exported_pdu_tlvs.h rather than
defining the TLV types ourselves.
Bug 17478 was caused by `wtap_rec.block` being allocated for each
packet, but not freed when it was done being used -- typically at the
end of a loop.
Rather than requiring each caller of `wtap_read()` to know to free a
member of `rec`, I added a new function `wtap_rec_reset()` for a
slightly cleaner API. Added calls to it everywhere that seemed to make
sense.
Fixes#17478
Initialize name_str right before we fill it in if the name is present,
and note what we're doing, to make it a bit clearer what the
initializing code is doing.
Within wiretap/nettrace_3gpp_32_423.c,
set the first byte of the buffer
to a null byte to avoid potentially
accessing uninitiliazed memory.
Fixes Coverity 1471685.
We free it, but what wtap_block_get_nth_string_option_value() returns is
what's stored in the block, and it might get freed up out from under us.
Save a copy of it, so that when we free it, we're not double-freeing.
Introduces two new dissector tables can.id and can.extended_id to enable a
more precise control of subdissectors dependent on the can id which is often
used to identify the the payload.
Since standard CAN IDs and extended IDs can be used in the same network and
their ranges overlap it is necessary to have two different dissector tables.
Existing Decode as dissector table can.subdissector stays as is to prevent a
breaking change. But new dissector tables can.id and can.extended_id get
priority over can.subdissector since they are more specific. Id they get a
match can.subdissector won't be called.
New dissector tables can.id and can.extended_id are accessible in lua scripts
via DissectorTable:add() while can.subdissector unfortunately is not.
For related Discussion see MR !3405
Spell out "DESCRIPTION" for the IDB description option, as it's spelled
out in the pcapng spec.
Put the #defines for various options in the same order as the block
types for them are in the pcapng spec.
For iptrace files, there's always a direction indication (which also
means that the flags field will never be zero - "outbound" and "inbound"
both have non-zero values - so the test for non-zero always succeeds, so
it's not even a useful test).
For Sniffer Ethernet/FDDI/synchronous serial line files, and for Peek
classic files, there are always flags; they might be zero if there were
no errors, but that doesn't mean that the lack of errors shouldn't be
noted with a flags field.
While we're at it, shuffle creating of the block next to the setting of
the record type - the block and record type should match, so the two
operations are doing related things.
"User" sounds as if the blocks belong to the user; at most, the current
user might have modified them directly, but they might also have, for
example, run a Lua script that, unknown to them, modified comments.
Also, a file might have "user comments" added by a previous user, who
them wrote the file and and provided it to the current user.
"Modified" seems a bit clearer than "changed".
Mostly functioning proof of concept for #14329. This work is intended to
allow Wireshark to support multiple packet comments per packet.
Uses and expands upon the `wtap_block` API in `wiretap/wtap_opttypes.h`.
It attaches a `wtap_block` structure to `wtap_rec` in place of its
current `opt_comment` and `packet_verdict` members to hold OPT_COMMENT
and OPT_PKT_VERDICT option values.
Note that OPT_CUSTOM_STR_COPY is, specifically, a UTF-8 string.
Fix the comment for OPT_CUSTOM_STR_NO_COPY to say it's a UTF-8 string,
not binary data.
Consistently use pcapng_compute_XXX_option_size() for routines to
compute the size of an option of type XXX and pcapng_write_XXX_option()
for routins to write out an option of type XXX.
Sort the routines by the order in which their option type values are
defined.
Have common routines that iterate over all the options, processing
comment and custom options in common code (as they're defined
independently of particular block types), with callbacks to handle the
options for particular block types.
Replace all instances of "Nordic BLE Sniffer" with
"nRF Sniffer for Bluetooth LE" which is the name used by
nordic semiconductor for the development tool on the homepage.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Have the routine it calls return a Boolean value, with "true" meaning
"keep going" and "false" meaning "stop iterating and return a failure
indication". If the callback routine never returns "false", the routine
returns "true" as a success indication.
It's not that Wireshark only supports one copy of some block options,
it's that *the pcapng specification* only supports one instance of some
block options, and it's not that wtap_block_set_*_value() fails on
non-string values, it's that the set_XXX_option_value routines currently
only support changing the value of an existing option, not adding a new
instance of an option - the latter requires the add_XXX_option_value
routine.
LINKTYPE_ERF pcap files are really ERF files inside a thin pcap wrapper
(don't even ask what a pcapng file with some or all interfaces being
LINKTYPE_ERF is...), so the time stamp comes from the ERF record, not
from the pcap packet header or pcapng block header.
The time stamp reslution for the record should reflect that, so set it
to WTAP_TSPREC_NSEC (ERF time stamps are fractional-power-of-2, not
fractional-power-of-10, so that's the best we can do).
Have them take error code and error information string arguments and,
for various failures, fill them in as "internal error" indications.
Check their return codes to see if they got an error.
Don't assume the default is correct, because there's no guarantee of
that - in fact, there's currently a guarantee that it's not, as it's
initialized to 0, which is WTAP_TSPREC_SECS.
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.