That makes them work as input to a mergecap that writes pcapng files.
File types that don't have a single per-file encapsulation type need
more work, with multiple fake IDBs, one for each packet encapsulation
type seen in the file, unless we can generate real IDBs.
Change-Id: I2859e4f7fb15ec0c0f31a4044dc15638e5db7826
Reviewed-on: https://code.wireshark.org/review/37983
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
It generates a fake IDB for files that don't have interface information
and that have a per-file encapsulation type, snapshot length, and time
stamp precision, and adds it to the file's list of IDBs.
Use it for libpcap.
We will use it later for other file formats, so that code such as the
mergecap code to merge into a pcapng file can handle input files that
don't have interface information.
(We should have a way to indicate whether the IDBs are real or fake, so
that capinfos and Statistics > Capture File Properties don't report
meaningless IDB information and make it look as if it's known that the
capture was done on one interface with the properties in question.)
Change-Id: Iec124bf3c7cbd4c69ec2ac7d0dd776e5287f8576
Reviewed-on: https://code.wireshark.org/review/37982
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The packet information for a packet includes an interface name prefix
and an interface unit number (e.g., "en0", with a prefix of "en" and a
unit number of 0). Keep a hash table of prefixes, unit numbers, and
link-layer header types (as an interface must have only one link-layer
header type), and, for each packet, look up that information from the
packet information to get the interface ID; if that fails, construct a
new entry, with a new interface ID, and an IDB for the interface.
Change-Id: I3f2dafcc8926fe96fe4ffd6875f583397b1582b6
Reviewed-on: https://code.wireshark.org/review/37975
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Call the "iptrace X.Y" string we read in the version string, rather than
the name.
Get rid of the structures defining various parts of the file format.
Instead, have #defines for offsets.
Read the record header - the first 8 octets - first. Check the record
length, to make sure it's large enough to include the packet information
structure, before we try to read that structure.
Note that one octet in the packet information structure is the unit
number for the interface on which the packet arrived, the field that was
called the name is the prefix of the name (in the sense that, for
example, in "en0", "en" is the prefix and "0" is the unit number), and
that what was called the "description" isn't as simple as a description
of the interface on which the packet arrived.
Pass the field that was called the "description" to
fill_in_pseudo_header(), as, for ATM PDUs, it contains, among other
things, an indication of the VPI and VCI for the PDU, as well as a
direction indication.
Change-Id: I8703b046142dd41ca96bda00c2fa3d2edb66b837
Reviewed-on: https://code.wireshark.org/review/37974
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Have the ISDN dissector take the ISDN pseudo-header through its data
argument, rather than assuming it's in pinfo->pseudo_header, so it can
be used if the link-layer type of the capture isn't ISDN.
Have it add the direction to its protocol tree, so it's there for all
ISDN packets.
Have more versions of the LAPD dissector:
one where the ISDN direction information is available through
an ISDN pseudo-header passed as its data argument;
one for use when the link-layer type *is* LAPD, where the ISDN
direction information may be available through the direction
part of the packet flags.
Pass more flags to the routine that does LAPD dissection to indicate the
direction (user->network or network->user) and whether the user or
network side is on another machine; set those appropriately in the
dissector routines that call it. To set those flags:
in the routine that handles WTAP_ENCAP_LAPD, check the direction
flags in pinfo->rec->rec_header.packet_header.pack_flags;
in the routine that handles WTAP_ENCAP_LINUX_LAPD, check the SLL
header;
in the routine that's called from the ISDN dissector and other
dissectors that can supply an ISDN pseudo-header, check the
struct isdn_phdr passed to it via the data argument;
for the routine that's to be called from L2TP pseudowire type
and SCTP dissector tables, pass nothing, as there's currently
no direction indication supplied - if that information is
available from the encapsulating protocol in some fashion, we
should make changes to supply that information.
Have the AudioCodes Trunk trace protocol dissector call the
LAPD-with-pseudoheader dissector, handing it an ISDN pseudo-header with
a direction indication from the direction field (and a channel of 0 to
indicate the D channel).
Have the Ascend text dump reader in libwiretap use WTAP_ENCAP_ASCEND for
all packets, even Ethernet and ISDN packets, and have the Ascend text
dump dissector handle that, calling the "no FCS" version of the Ethernet
dissector and calling the LAPD-with-pseudoheader dissector with a
pseudo-header filled in with the direction (and a channel of 0).
Have the Catapult DCT 2000 text dump dissector call the
LAPD-with-pseudoheader dissector with the pseudo-header supplied by
libwireshark.
Have the V5 envelope function frame get its ISDN pseudo-header from its
data argument, and call the LAPD-with-pseudoheader dissector with that
pseudo-header.
Have the ISDN dissector treat its data argument as pointing to the ISDN
pseudo-header, rather than assuming it's the one in
pinfo->pseudo_header->isdn - the latter is the one supplied by
libwiretap, but there's no guarantee that an ISDN pseudo-header was
supplied by libwiretap, as the lowest-level protocol layer might not
have been ISDN.
Change-Id: I9f702b879bbc3fb42bcb43c28f797bfc327562c6
Reviewed-on: https://code.wireshark.org/review/37953
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Also note that the record header might have additional stuff at the end,
although not all record headers do (the header length will indicate
what's there).
Change-Id: I5a9ff1f9cd592448bcc45d18808f4b651cdb2f0d
Reviewed-on: https://code.wireshark.org/review/37921
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Use ws_strtou64 to convert __REALTIME_TIMESTAMP= and other timestamps,
which should work across platforms.
Bug: 16664
Change-Id: I371f2b60e1957e57dbbdbbc3ded5ad49e8eb79d1
Reviewed-on: https://code.wireshark.org/review/37849
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
iso14443 packets can now be up to 4k long.
Change-Id: I120e18146cc40c0e9230c654cc31072e03ad3489
Reviewed-on: https://code.wireshark.org/review/37691
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
As we're now checking the first *few* packets of the file, we must allow
*all* Packetlogger packet types when checking whether the purported
packet type is valid.
Put a note in the Packetlogger dissector so that, if anybody adds a new
packet type, they know that they have to add it to the reader code as
well.
Bug: 16670
Change-Id: Id83493f678182fd3e1b5537f4dfa295fe26dfcb1
Reviewed-on: https://code.wireshark.org/review/37675
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add support to read/write the new EPB options, epb_packetid,
epb_queue and epb_verdict, from/to pcap files.
In addition, it updates the packet-frame dissector to dissect
these new fields.
More details on the options can be found in the PcapNG
specification: https://github.com/pcapng/pcapng
An application using these new fields can be found here:
https://github.com/chaudron/xdp-tools/tree/dev/pcapngII/xdp-dump
Change-Id: I761b8114b437fe573dd2c750e35586ad88494938
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-on: https://code.wireshark.org/review/37412
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
I guess Coverity gets upset because, the way GUINT32_TO_BE() works when
building with Coverity, there's at least one test done the result of
which is always the same.
Calculate the "native" value of the direction, and then put it into
big-endian order, in two separate statements.
This should squelch Coverity CID 1457345.
Change-Id: I1ccd6fd848e6abc91f16fa375c98efcab9c5bf60
Reviewed-on: https://code.wireshark.org/review/37370
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The erf_dump function in erf.c keeps the header intact and
ignores the adjusted time.
This adds a section for checking if the timestamp is changed
and updating the header accordingly.
Bug: 16578
Change-Id: I14468a302e746c7a84cf5619b73b94850142d930
Reviewed-on: https://code.wireshark.org/review/37301
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 16255 - support HE MCS to rate conversion
Change-Id: I4a4a6c3d62c167b654d150c397047a55f287e6c8
Reviewed-on: https://code.wireshark.org/review/37255
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
That can just be done at the end of libpcap_open(), rather than in
wtap_open_offline() immediately after the open routine - which, in this
case, would be libpcap_open() - returns. That's cleaner, as it puts
capture-file-type-dependent code in the capture-file-type-specific code.
Note, though, that it's a bit weird for LINKTYPE_ERF files (and it was
equally weird before this change), and that other capture file types
should be doing this as well.
Change-Id: Ida94779a2e1021c81314f82655ec1d0f2f14e960
Reviewed-on: https://code.wireshark.org/review/37022
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
wiretap/erf_record.h has declarations for records in ERF files and in
LINKTYPE_ERF packets in pcap and pcapng files.
wiretap/erf-common.h has declarations of routines to be called by
pcap/pcapng reader code when processing LINKTYPE_ERF packets.
wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with
the tables of file readers and writers.
Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa
Reviewed-on: https://code.wireshark.org/review/37021
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
I guess the "replace" part of "TODO: Replace uses in pcapng and pcap
with erf_read_header() and/or erf_populate_interface_from_header() and
delete." has been done, so we do the "delete" part.
Change-Id: Icd691aa8c3defdd68c306ad9eaf1379a8ba6ec0f
Reviewed-on: https://code.wireshark.org/review/37020
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The time stamps are calculated by sequential processing, not read from a
value in the packet record, so we don't supply them when reading
randomly. Make sure the presence flags are 0 in that case (our callers
currently don't look at time stamps when reading randomly, because
some other file formats also don't supply time stamps for random reads,
but we should make it clean).
Change-Id: I494acc5bdf60e0a1de5cf002c3ea8403afce8a07
Reviewed-on: https://code.wireshark.org/review/37008
Reviewed-by: Guy Harris <gharris@sonic.net>
The time stamps are calculated by sequential processing, not read from a
value in the packet record, so we don't supply them when reading
randomly. Make sure the presence flags are 0 in that case (our callers
currently don't look at time stamps when reading randomly, because
some other file formats also don't supply time stamps for random reads,
but we should make it clean).
Change-Id: Ic035cc7d4eb36f76beefcfd98a389af09365d363
Reviewed-on: https://code.wireshark.org/review/37004
Reviewed-by: Guy Harris <gharris@sonic.net>
Make wtap_file_get_shb() take a section number argument, and update code
that called it. In most cases, we convert the code to iterate over
sections; in cases where a big code change would be required, we
temporarily pass it 0 and mark the code as "needs to be updated for
multiple sections".
Eliminate cf_read_section_comment(); in calls outside file.c, other code
directly calls the libwiretap routines it calls and, inside file.c, we
just transplant the code and then fix it not to assume a single SHB.
Change-Id: I85e94d0a4fc878e9d937088759be04cb004e019b
Reviewed-on: https://code.wireshark.org/review/37000
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
This moves us closer to fixing bug 16531; it addresses the second issue
there, as the right snapslen is used for packets in the second section,
so we no longer get errors reading the file.
It still doesn't fix the *names* of the interfaces, and it doesn't - and
*shouldn't* - show the interfaces with different interface numbers, as
the numbers are per-section rather than global.
Change-Id: Ia3aa3309b75a4bcd9f229048ddce6a981b9409b1
Ping-Bug: 16531
Reviewed-on: https://code.wireshark.org/review/36985
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Have pcapng_read_block() take two pointers to a section_info_t as
arguments - one for the current section, if any, and one to something to
fill in, as information for the new section, if the block is an SHB.
The first of them is null when we're trying to read the first block;
that serves as an indication that "not an SHB" means "this file isn't a
pcapng file" rather than "this pcapng file is bad".
Change-Id: I1b0a8bfacde982b819e548847bcc9412d30788f3
Reviewed-on: https://code.wireshark.org/review/36984
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Move the byte order - and version - fields out of the per-file pcapng_t
structure and put them in a per-section section_info_t structure that
also contains the file offset of the SHB at the beginning of the
section.
Have a GArray of section_info_t structures pointed to by the pcapng_t
structure; update it as Section Header Blocks are read sequentially,
adding new structures.
In the random read routine, search backwards through the array of
section_info_t structures, looking for the first section where the SHB
is at or before the offset from which we're reading.
Change-Id: Iad06c8d1ff10595707b73f297f073803b5a0c8e5
Ping-Bug: 15707
Reviewed-on: https://code.wireshark.org/review/36981
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Fix dead store (Dead assignement/Dead increment) Warning found by Clang
Change-Id: I6316d82fec8ee87f56cabe27e269cc7ef98cedc8
Reviewed-on: https://code.wireshark.org/review/36842
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure the summary record is large enough; if not, report it as a bad
file.
If it's *too* large, skip the added data.
Clean up the length check for the header records - use sizeof, as we
later use sizeof when subtracting the fixed length portion's length.
Change-Id: I70697804eaa0cbbb1fb074eadf6457d237f26876
Reviewed-on: https://code.wireshark.org/review/36814
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Get rid of leftover duplicate code setting up the wtap structure and
private data before we've found a summary record.
If we find no data records, break out of the loop, so we fall into the
code that sets up the wtap structure and private data.
Change-Id: I00652bb7f3cb52b6c7c2088c6dd5fe5ec9a012a7
Reviewed-on: https://code.wireshark.org/review/36806
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
wtap_read_bytes() returns TRUE on *success*, so if we're in the loop,
the last read succeeded, and no error code was supplied. When we *exit*
the loop, the read didn't succeed; check for the status then. If we got
a short read, we ran out of file data, so check the heuristics (even if
it's not an integral number of 2-byte blocks, treat it as a CAM
Inspector file - it might have gotten cut short); if we got a real read
error, report that to our caller.
Bug: 16458
Change-Id: Ia1e838006744dadbc2883459aec16d0d11b732e1
Reviewed-on: https://code.wireshark.org/review/36795
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
If it has none, we don't know what link-layer header type it has, nor do
we have a start time to use for time stamps.
If it has more than one, we don't know which one to believe.
Bug: 16459
Change-Id: I306ec45171f9de4643699a53a4d837f4f7750c69
Reviewed-on: https://code.wireshark.org/review/36791
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Trivial, mostly just redundant assignments or
format specifiers.
Change-Id: Iaf33f24d2af5a48a5e1b797e582bf936914c8daa
Reviewed-on: https://code.wireshark.org/review/36154
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Only the change to packet-imap.c really represents a bug.
Change-Id: Ie270f97f3d94c338ea3c84a712f8f4d43ffd36f4
Reviewed-on: https://code.wireshark.org/review/36115
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There are some deltas between the UN*X epoch and other epochs that are
used in a number of places; put them into a header.
Change-Id: Ia2d9d69b9d91352d730d97d9e4897518635b4861
Reviewed-on: https://code.wireshark.org/review/35895
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The call must ensure enough bytes are in the buffer for subsequent
casts. Next cast is for nspr_pktracefull_v20_t.
Change-Id: I8b77aa243f528f82786af1047e8d26100f306a07
Reviewed-on: https://code.wireshark.org/review/35837
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Include string.h as suggested by clang:
../wiretap/mp4.c:33:4: error: implicitly declaring library function 'memcmp' with type 'int (const void *, const void *, unsigned long)' [-Werror,-Wimplicit-function-declaration]
memcmp(magic_buf + 4, mp4_magic, sizeof (mp4_magic)))
^
../wiretap/mp4.c:33:4: note: include the header <string.h> or explicitly provide a declaration for 'memcmp'
Change-Id: I2369ad140f95ca10f22c176b9e2646950b1a8f65
Reviewed-on: https://code.wireshark.org/review/35814
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Allows opening MP4 (ISO/IEC 14496-12) media files in Wireshark and
viewing their structure.
Change-Id: Ie20b8b89dc69bb52d6faa890e547d90317adecf6
Reviewed-on: https://code.wireshark.org/review/35804
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
n is used to address the buffers, but the check condition
follows its use. Fix the code by inverting the two of them
Bug: 16283
Change-Id: I7cba868979982946f99cfe787a7b5f86d2db1b70
Reviewed-on: https://code.wireshark.org/review/35538
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Apparently, at least in some regulatory domains, the DMG PHY now goes
above 66 GHz or may do so in the future; the new/future top appears to
be 71 GHz.
Change-Id: I1ee3f9cff177eed269ccc8318b5c952dbeb526ff
Reviewed-on: https://code.wireshark.org/review/35529
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Much better to use a known library than create it ourselves.
Also remove get_tempfile_path as it's not used.
Bug: 15992
Change-Id: I17b9bd879e8bdb540f79db83c6c138f8ee724764
Reviewed-on: https://code.wireshark.org/review/34420
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
If the first byte of the file is 31, and we advance to the next byte but
find it's not 139, back up to the first byte before falling through and
treating the file as uncompressed.
Add/expand some comments while we're at it.
Bug: 16252
Change-Id: I292b51f9cc04173482a43b26b0ce73c9e7aee570
Reviewed-on: https://code.wireshark.org/review/35315
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When using wiretap to create a pcapng file,
the drop_count field from the wtap_packet_header
in wiretap/wtap.h is not being dumped to the file
in pcapng_write_enhanced_packet_block function.
Bug: 16062
Change-Id: Id9b8dbd1f7406e019fab00ff7a4167ab27543f62
Reviewed-on: https://code.wireshark.org/review/34836
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It turned out that 1 MiB is not enough as atleast the URBs sent by
Android fastbool tools are greater than 1 MiB (1 MiB payload + USBPcap
pseudoheader). Raise the maximum packet size all the way up to 128 MiB.
128 MiB is the upper bound of maximum packet that can be captured by
all official USBPcap releases.
Bug: 15985
Change-Id: Ibbf41f7efae6e0f841e36d39664394e8a8eae77d
Reviewed-on: https://code.wireshark.org/review/34793
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use g_get_real_time() to get real time because GTimeVal and g_get_current_time()
was deprecated in glib 2.62.
Change-Id: I78fee34e2f5b634c91c6420b01915cfc070f38a4
Reviewed-on: https://code.wireshark.org/review/34468
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When writing a capture as a commview file the header written is two
bytes longer than the specification. Even though we count 24, we
actually write 26. This makes the commview file corrupt, as is apparent
when reading such file, eg., after using Save As... with this format.
Replace writing 2 bytes for the last two fields in the header by 1 byte
each, as per the header specification.
Change-Id: I9436f7837b2e3617a389619884bf93ad146e95f3
Reviewed-on: https://code.wireshark.org/review/34450
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check the time stamp microseconds field; it must be < 10^6.
Check the first few packets, not just the first packet.
Change-Id: I35a58a79d48db13daee937374caae40bc320e9e7
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34437
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
On a big-endian machine, if the upper 16 bits of the length are non-zero
and the lower 16 bits are zero, that means that the length is
*little*-endian.
What we really care about is whether the file is in the reading host's
native format, so we can just fetch integral values without swapping, or
not in that format, in which case we have to byte-swap integral values.
Rename the variable and redo the code to match.
(This may have caused the PacketLogger reader to fail on big-endian
machines.)
Change-Id: Ie1a82a7d40e2c58c0b8d482d7c95ab60061ca980
Ping-Bug: 10861
Reviewed-on: https://code.wireshark.org/review/34434
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's no point in trying to read more packets to check the file type.
Change-Id: Ic2c5a7692b60fab8a0022503338a40befe00d358
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34433
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check some more field values, and fix some tests to check against the
maximum possible value given in the i4b_trace.h file rather than against
that value + 1. (> max, or >= max+1, are both reasonable, but > max+1
isn't.)
Check the first few packets, not just the first packet.
Make some header fields unsigned, as that's how we treat them in most
cases; that way we treat them that way by default.
Change-Id: I8c2d28af048c676a3dbae367bbb49c886e0dc566
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34432
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
log3gpp.c:459:10: warning: no previous prototype for function 'log3gpp_dump[|open|finish]' [-Wmissing-prototypes]
Change-Id: I1d896f90d91dc04b68b12f48ae06526556a428d4
Reviewed-on: https://code.wireshark.org/review/33963
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The pointer returned by create_tempfile() must not be freed. As the
wtap_dump_open_tempfile() callers are freeing the returned filename,
duplicate the string so it can be freed.
Bug: 15377
Change-Id: Ib0b23aaee748ef67600ef3f7d40610ebbbec721c
Reviewed-on: https://code.wireshark.org/review/34272
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
You either have to set it to 1 or 0 if you know whether it's shifted
time or set it to -1 if you don't.
Should address Coverity CID 1452227.
Change-Id: I7d435bb6b7dd8897b44bf5103578e3db1a30379e
Reviewed-on: https://code.wireshark.org/review/34175
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Only CAN protocol is supported. Extra information available in J1939
entries is ignored since the J1939 wireshark dissector works with
raw CAN frames and makes no use of this extra information.
The log format may also encapsulate LIN messages which are not
supported by wireshark and thus are ignored.
The only limitation is that relative timestamp format is not
supported. If a file defines relative format of timestamps, packets
are extracted, but timestamps are omitted, since random access deems
impossible without reparsing the whole file up to the packet of
interest. In order to support relative timestamps we need to parse
the whole file at once on open and either dump into a temporary
PCAP file or keep messages in a private list and provide access
to them on read()/seek_read().
The change also creates a separate header for CAN frame structure
definitions which are used by several file readers (candump and
busmaster for now).
Bug: 15939
Change-Id: I87c5555e4e5e1b142b9984b24544b2591d494fbc
Reviewed-on: https://code.wireshark.org/review/34083
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fall back on the Wayback Machine for some links.
Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842
Reviewed-on: https://code.wireshark.org/review/34103
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Microsoft reshuffled their documentation - almost all of it moved from
msdn.microsoft.com to docs.microsoft.com. Some blogs moved to
devblogs.microsoft.com; the comments *didn't* move, so in one case we go
to the Wayback Machine - the link isn't dead, but it formats horribly,
at least on my browser, but the archived version formats OK.
Use the Wayback Machine for some URLs, and update others.
Update the sections for MS-ADTS.
Point to the HTML versions of some RFCs and I-Ds.
Change-Id: I344b20f880de63f1ae2a4e3f9ff98af78a7fe139
Reviewed-on: https://code.wireshark.org/review/34101
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Dissect raw USB Packets. The actual USB packets to transaction conversion
(which is needed to pass the data to existing USB URB dissector) is not
implemented yet.
Ping-Bug: 15908
Change-Id: Ia75d58882d770fdd8650622d318241743069ad8f
Reviewed-on: https://code.wireshark.org/review/34006
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's broken, unmaintained, poorly implemented and obsoleted by saner
debug-info methods.
Note: To do the compliance check properly would require much more
extensive work to clearly define public and private interfaces (without
manual bookeeping of files or symbols either, of course, because who
would want that...).
Change-Id: Ib801f3c152ca2369f95ca1f4af4d37cd8cc7c47a
Reviewed-on: https://code.wireshark.org/review/33928
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: João Valverde <j@v6e.pt>
It's preferable to parse text files and generate packets on demand,
rather than generate a temporary PCAP file and dump all available
packets into it.
Parsing on the fly has a benefit of handling damaged files up to the
point of damage, while the approach with a temporary file doesn't
allow either to report that the original file is damaged or perform
conversion in the first place.
This version works faster than the previous one.
Command:
time ./run/tshark -r ./candump-2019-07-01_111120.log.gz > /dev/null
The test file is attached to the bug 15889
The current version:
real 0m0,597s
user 0m0,533s
sys 0m0,118s
The previous version:
real 0m2,176s
user 0m1,966s
sys 0m0,100s
Bug: 15889
Change-Id: I862ce47752531c2e9d9459f5d865c1fc08f32fea
Reviewed-on: https://code.wireshark.org/review/34007
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
candump_open() may be called with non-empty error code and string.
The error code is not reset upon success in run_candump_parser() which may
mislead the caller function thus affecting opening the file.
yy_fatal_error(), yy_alloc(), yy_realloc() and yy_free() make no use
of the yyscanner argument, which results in warnings on OSX.
In order to get rid of those warning we provide our own
implementations of memory allocation functions and hack
YY_EXIT_FAILURE macro in order to pretend using the argument.
Change-Id: I672d374b26970b2699b9d789b6118e97ba660bdf
Reviewed-on: https://code.wireshark.org/review/33892
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Include string.h to fix implicitly declaring library function
'memcpy' with type 'void *(void *, const void *, unsigned long)'
Change-Id: Ia6796f1966db606f946e0935ed0e5b70702c88c9
Reviewed-on: https://code.wireshark.org/review/33891
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The change adds ability to import text logs produced by the candump
tool.
E.g.: candump -L can0 -or- candump -l can0
The whole file is read and converted into a temporary PCAPNG file with
Exported PDU packets containing SocketCAN frames.
Bug: 15889
Change-Id: I5ad93dca96d6e955a4b21cf624f0553e60f060f6
Reviewed-on: https://code.wireshark.org/review/33800
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It takes a yyscan_t as an argument, not a pointer to a yyscan_t; a
yyscan_t is a pointer to the scanner state. (A pointer to it is passed
to the init routine so that it can be set to point to the allocated
state, not because it's a structure itself.)
Change-Id: If80ca1caaa07d8a966df8d07f989b722869ac58b
Reviewed-on: https://code.wireshark.org/review/33814
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Lexer private structure is initialized but never destroyed or reused.
Change-Id: I61d43b4cb14a2d3b3706267eb393e4562adb00f9
Reviewed-on: https://code.wireshark.org/review/33809
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We were using fields in the pcapng_t that weren't set yet to report the
version number in question; use the variables we were checking.
Change-Id: Ib03bafe62d8c7b1aa54b2ef22640e3b00722142a
Ping-Bug: 15862
Reviewed-on: https://code.wireshark.org/review/33671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There may need to be more of these.
Bug: 15740
Change-Id: I5d3a97ed50d66dfcb85df0ab7053e8a44c531134
Reviewed-on: https://code.wireshark.org/review/33280
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This value is used when checking if the file was generated on a
machine with different endianess. The error message changes from
"Unrecognized pcapng format or not pcapng data."
to
"dumpcap: Interface 0 is big endian but we're little endian."
Fix dumpcap.c and pcapio.c.
Ping-Bug: 15754
Change-Id: I3a31f873f01bcb3f1324410e70f29f285e56c715
Reviewed-on: https://code.wireshark.org/review/33274
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Use the local one *only* while we're trying to determine whether we have
a pcapng file or not; once we know we have a pcapng file, and have
allocated a pcapng_t and attached it to the wtap structure, pass *that*
one to pcapng_read_block(), so if it changes anything in the pcapng_t,
it changes the one we're using.
Change-Id: I53b32595276be97957a0b6056171471878fa40c4
Reviewed-on: https://code.wireshark.org/review/33226
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wth has been already checked in line 315.
Change-Id: Ib620e0b1e9262e5344feb934b024f7817cfda6fd
Reviewed-on: https://code.wireshark.org/review/33178
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There is no FCS length information for a pcapng file; there's FCS length
information for each interface.
Change-Id: I3abb1a35b28475aa3ad6f126060140d0a524bbca
Reviewed-on: https://code.wireshark.org/review/33215
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Ethernet packets without the CRC are 1514 bytes long, not 1500 bytes
long; using 1514 bytes will avoid a reallocation for a full-sized
Ethernet packet.
Change-Id: Ie8da3f13bf3df07e23e4478b7dcf84f06dec6a9d
Reviewed-on: https://code.wireshark.org/review/32761
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it - and the routines that implement it - work more like the
seek-read routine.
Change-Id: I0cace2d0e4c9ebfc21ac98fd1af1ec70f60a240d
Reviewed-on: https://code.wireshark.org/review/32727
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit c599e49028.
Reason for revert: This completely fails to recognize Unicode iSeries dumps.
Change-Id: Ie31141879b1bc3608a5dfdcba6887bb6f0018a47
Reviewed-on: https://code.wireshark.org/review/32568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
209 is LINKTYPE_IPMB_LINUX; add _LINUX/_linux to the WTAP_ENCAP_ name
and function/structure names, to clarify that it's not I2C in general,
it's I2C with a particular pseudo-header.
199 is now LINKTYPE_IPMB_KONTRON, not LINKTYPE_IPMB, as it doesn't have
raw I2C packets, it has I2C packets with a pseudo-header. Change the
WTAP_ENCAP_ name, and add a dissector for it.
Change-Id: Ie097f4317b03d2b2adfd9b81a4b11caf6268399e
Reviewed-on: https://code.wireshark.org/review/32539
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's what they are, and that's how other code in erf_open() treats
them; just use assignment to initialize prevts and to set prevts to ts.
Maybe this will keep the Clang static analyzer from calling prevts a
garbage value when compared with ts.
Change-Id: I2ee2376ced5c3efa6beab34276009a3177c94416
Reviewed-on: https://code.wireshark.org/review/32455
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That made PACKET_DESCRIBE() do nothing, causing warnings from the Clang
Static Humiliator.
Change-Id: I6f433cd193b6398d89038e95c7bf5deb24aa186d
Reviewed-on: https://code.wireshark.org/review/32437
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Move the read out of nspm_signature_version(), to make it a bit clearer
what file I/O we do in the open process; have nspm_signature_version()
just look for a signature in a single page.
In the loop in nspm_signature_version(), make sure we have enough of the
record header to look at the type and length fields in that header
before looking at them and, when we can look at them, make sure the
length of the record 1) fits in what remains of the page we're looking
at and 2) is big enough to be the length of a signature record.
Change-Id: I7d625859136e6f39c40b166067fc7efea806d9b0
Reviewed-on: https://code.wireshark.org/review/32426
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix more crashes found in the provided bug report.
Bug: 15497
Change-Id: If84498fa879ad56c8677f8c1442a8dc0e5906003
Reviewed-on: https://code.wireshark.org/review/32333
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When testing the signature field against a given version's signature:
we require that the signature field's size (size, not C
null-terminated string length) be at least the size of the
signature string (otherwise, it can't possibly match);
we check to make sure that the first N bytes of the signature
field, where N is the size of the version's signature string
(not including any terminating '\0' in that string), match the
version's signature string.
I.e., we require that the version's signature string is a prefix of the
signature string in the file.
This does not require that the signature string in the file be
null-terminated.
It also doesn't allow the file's signature string to be a substring of
the version's signature string, as that's *NOT* sufficient to identify
the file as a NetScaler trace file, especially if we forcibly
null-terminate the file's signature string and we trucate it to be
zero-length, as, in that case, it's *always* a prefix of the version's
signature string, and the file is incorrectly identified as a NetScaler
trace file.
(While we're at it, we make the nspm_signature_isvXXX() routines return
true if it *is* and false if it *isn't*, rather than the reverse; having
a routine with a name containing "is", and not "isnt", return true if it
*isn't* is confusing.)
Change-Id: I3694773a71b8b63d280e42f146698c82a0f0c332
Ping-Bug: 15601
Reviewed-on: https://code.wireshark.org/review/32403
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We're defining it now based on whether there's an st_blksize member of
struct stat. We're currently testing _STATBUF_ST_BLKSIZE, but that's
not guaranteed to be defined on platforms that have an st_blksize member
of struct stat (it's not defined on macOS, for example).
Change-Id: I4e6011a7668da94cf1ca6328e29c50924dd1d8b0
Reviewed-on: https://code.wireshark.org/review/32381
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Libpcap's done that for a while; we should do so as well.
(Ideally, we should use those bits, but there's an issue with pcapng,
where the FCS length in the IDB is described as being in units of bits,
but where we're treating it as being in units of bytes, that I'd like to
resolve first.)
Change-Id: Ibcb82f1dcaa8baae5bba55636cea8852a6af814e
Reviewed-on: https://code.wireshark.org/review/32303
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That tells then what name they *can't* use for their file-type plugin,
because it's already a built-in file type name in Wireshark.
Change-Id: Ibbbfda21e1109cf46275008a46b8ea65c8fcf4b5
Reviewed-on: https://code.wireshark.org/review/32291
Reviewed-by: Guy Harris <guy@alum.mit.edu>
New link type for IEEE 802.15.4 with pseudo-header and optional
meta-data TLVs, PHY payload exactly as it appears in the spec (no
padding, no nothing), and FCS if specified by FCS Type TLV.
Specification at https://github.com/jkcko/ieee802.15.4-tap
Bug: 15429
Change-Id: I67bd154891ad5818be9a1630aa5cbb863b55509a
Reviewed-on: https://code.wireshark.org/review/32141
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Multiple bugs have been found in the provided bug. Some of them have
been fixed in gefe920a, others here. The main problem is when malformed
files give wrong lenghts to the code, that casts and dereference it
without checking, causing oob reads. The fix introduces a check function
that prevents to go beyond the limits, early returning with a malformed
file message.
Other bugs have been fixed by forcing the string terminator that allows
the use of strlen() and MIN() that prevent wrong reads.
Bug: 15497
Change-Id: I8411208b5ea0f1a0720a17b882f704d03296d1c4
Reviewed-on: https://code.wireshark.org/review/32194
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
When reading a malformed packet, it can occur that we go close to
the end of the buffer. We need to check if we have 2 bytes before
reading a uint16.
Bug: 15497
Change-Id: I2b00f44933ca11b925ffbf05b9855684feebcda5
Reviewed-on: https://code.wireshark.org/review/32028
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add macros to extract the direction, reception type, and FCS length
fields of the pack_flags field, and add definitions for different
directions and reception types.
Add a macro to construct a pack_flags field value from subfields; this
is for use by non-pcapng file readers (the pack_flags field is just a
copy of the EPB flags option, so that's not needed for pcapng).
Move some #defines for that field from packet-frame.c to wtap.h, and
rename them to match the new macros.
Use the macros rather than rolling our own code.
Fix a variable name in text2pcap.c that apparently had the wrong name,
given the value that was being tested.
Change-Id: Ia788ca4e9f5fabd8d24e6ead5ff1817509f54827
Reviewed-on: https://code.wireshark.org/review/32010
Reviewed-by: Guy Harris <guy@alum.mit.edu>
No UTF-8 patterns are in use. To avoid potential crashes on invalid
input, treat all lines as binary data in the dissector to match wiretap.
Change-Id: I10735c2246536fb4b2fdb9236cdbf7917d2e816c
Ping-Bug: 14905
Reviewed-on: https://code.wireshark.org/review/31938
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
User guides are installed to doc/Wireshark. Use doc/wireshark instead.
Remove leftover variable CPACK_PACKAGE_NAME.
Change-Id: I9a1d6bdc7d8f0b48c61e43679285d5ba83904a63
Reviewed-on: https://code.wireshark.org/review/31851
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
The two failure modes are 1) no byte has the low-order bit set, so we
didn't even find the end of the DLCI or 2) the byte at the end of the
packet has the low-order bit set, so that it's all DLCI with no control
byte after it.
Expand a comment.
Bug: 15463
Change-Id: Ib76686391213dd56c06d665aa87a188621fe6816
Reviewed-on: https://code.wireshark.org/review/31828
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If we found no bytes with the low-order bit set in the packet data,
there's no point in checking the non-existent "next" byte to see if it's
a HDLC-style UI control byte (0x03).
Bug: 15463
Change-Id: Ibfd186e5b81d8ce229362e23f00b31a27900831a
Reviewed-on: https://code.wireshark.org/review/31824
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The memory ownership of wtap_rec::opt_comment was not clear. Users of
wtap were leaking memory (editcap.c). wtap readers were not sure about
freeing old comments (erf) or simply ignored memleaks (pcapng).
To fix this, ensure opt_comment is owned by wtap_rec and free it with
wtap_rec_cleanup. The erf issue was already addressed since
cf_get_packet_comment properly duplicates wth.opt_comment memory.
- wtap file formats (readers):
- Should allocate memory for new comments.
- Should free a comment from an earlier read before writing a new one.
- Users of wth:
- Can only assume that opt_comment remains valid until the next read.
- Can assume that wtap_dump does not modify the comment.
- For random access (wtap_seek_read): should call wtap_rec_cleanup
to free the comment.
The test_tshark_z_expert_comment and test_text2pcap_sip_pcapng tests now
pass when built with ASAN.
This change was created by carefully looking at all users opt
"opt_comment" and cf_get_packet_comment. Thanks to Vasil Velichkov for
an initial patch which helped validating this version.
Bug: 7515
Change-Id: If3152d1391e7e0d9860f04f3bc2ec41a1f6cc54b
Reviewed-on: https://code.wireshark.org/review/31713
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Vasil Velichkov <vvvelichkov@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Manually checked all callers of wtap_seek_read to ensure that
wtap_rec_cleanup is called. Added missing wtap_rec_cleanup to:
- Completion of sequential read: wtap_sequential_close
- Callers of wtap_seek_read:
- users of cf_read_record_r:
- PacketListRecord::dissect
This fixes one of the two ASAN memleak reports while running
test_tshark_z_expert_comment and test_text2pcap_sip_pcapng (the other is
about opt_comment which is still unfixed).
Vasil Velichkov also found this issue and came up with a similar fix.
Change-Id: I54a6aa70bfdb42a816d03ad4861d0ad821d0ef88
Reviewed-on: https://code.wireshark.org/review/31709
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
sscanf can consume less than 19 characters (e.g. given time format
1-1-1T1:1:1), be sure to reject such input. Fix some dead store warning
while at it.
Change-Id: I6148599048f1e89ea7aafdbdd6450574a97b22fd
Fixes: v2.9.1rc0-372-gd38f6025b0 ("nettrace: Handle beginTime with fractions of seconds.")
Reviewed-on: https://code.wireshark.org/review/31699
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Instead of using "$ORIGIN/../lib" just use "$ORIGIN".
Also be explicit in configuring the relative RPATH. We don't want
to assume a default relative path, in case more targets are addded,
out of caution.
Change-Id: I3b7f5e8de7be8bb30aca3b433212113d876c4163
Reviewed-on: https://code.wireshark.org/review/31647
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This is more explicit and easier to read with slightly better locality
while using less code.
Also less awkward when the package doesn't fit the narrow package list
expectations.
The ws_find_package() macro doesn't include all the status messages. The
choice was to rely on standard find_package() and feature_summary() output
and be less verbose.
Avoid polluting the CLI build interface. Per target include paths and
macro definitions are preferred.
Because this patch intentionally removes the global CMAKE_*_FLAGS
and include_directories() usage in favor of target properties, some
untested build configurations may inadvertently break because of
missing ${PACKAGE}_INCLUDE_DIRS or ${PACKAGE}_DEFINITIONS. This
required a manual review of dependencies that might have been
incomplete.
${PACKAGE_VAR}_LINK_FLAGS seems to be unused.
Changing the CMake Qt code to use more modern CMake component syntax
is left as future work.
Change-Id: I3ed75252189a6e05a23ed6e619088f519cd7ed78
Reviewed-on: https://code.wireshark.org/review/31496
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
After redissection, the TLS dissector did not remember the DSB secrets
anymore. Since the secrets callback is only invoked on the sequential
read in wtap, be sure to reapply the existing DSBs to the new session.
Bug: 15252
Change-Id: I125f095acb8d577c2439a10e3e65c8b3cfd976b9
Reviewed-on: https://code.wireshark.org/review/31584
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a dissector for http://fd.io vpp graph dispatch traces. The file
format is described in detail here:
https://fdio-vpp.readthedocs.io/en/latest/gettingstarted\
/developers/vnet.html#graph-dispatcher-pcap-tracing
Fuzz-tested with good results.
Bug: 15411
Change-Id: I3b040bb072ce43fb2fb646a9e473c5486654906a
Signed-off-by: Dave Barach <dave@barachs.net>
Reviewed-on: https://code.wireshark.org/review/31466
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Avoid including the precise version string in the pcapng file that is
created for 3GPP TS 32.423 formats. This avoids unnecessarily relinking
of applications depending on wiretap.
Change-Id: Ida1f3c0c998d811cbf85734bd83438bcbfc39cf4
Reviewed-on: https://code.wireshark.org/review/31513
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Some source files are duplicated via add_executable. Assuming that these
are not affected by target-specific preprocessor macros, they can be
built only once and shared among executables.
In one configuration, this reduces the number of object files by 55
(cli_main.c and version_info.c alone were built 15 times each).
Removes the version dependency from each target since the 'version_info'
target can now declare this dependency. Remove CLEAN_C_FILES from extcap
since it is not used to set -Werror. Due to removing some files from
wireshark_FILES (and others), these are no longer part of checkAPIs
though. Hopefully that is acceptable.
Change-Id: I0a3f1ffb950e70a6176c96d867f694fbc6476f58
Reviewed-on: https://code.wireshark.org/review/31509
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
What we were calling the "name" is actually a description to show to
users; what were calling the "short name" is just the name to use on the
command line.
Rename some routines and structure members, and put the name first and
description second in the table.
Expand some descriptions to give more details (e.g., to be more than
just a capitalized version of the name).
Fix the CamelCase capitalization of InfiniBand.
Change-Id: I060b8bd86573880efd0fab044401b449469563eb
Reviewed-on: https://code.wireshark.org/review/31472
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reloading Lua plugins did not actually remove registered FileHandler
instances which resulted in a use-after-free of lua_State. Fix this by
tracking instances and release them in wslua_deregister_filehandlers.
Other required fixes to allow reregistration after reloading:
- Fix END_FILEHANDLER_ROUTINE not to block all new registrations.
- wtap file subtypes are apparently persistent, even after
"unregistering". Fix this by looking up the previous subtype that
matches the FileHandler short name. Add a small sanity check to
wtap_register_file_type_subtypes to prevent internal handlers from
being overwritten.
This patch creates a potential memleak of registered_file_handlers as
wslua_deregister_filehandlers is not called on program exit (yet?).
Bug: 13264
Change-Id: I4f5935cde6ff8dc4de333359bad3efca96d4fb9b
Reviewed-on: https://code.wireshark.org/review/31068
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Change-Id: Ie5ab56f1ee80d14032969cbe7f31e086fb2b4b91
Reviewed-on: https://code.wireshark.org/review/31159
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Setting LIBRARY_OUTPUT_DIRECTORY to Wireshark.app/Contents/Frameworks
for each of our libraries ends up installing a fully versioned .dylib
along with soversion and unversioned symlinks, which is more than we
want and which wastes disk space when osx-app.sh dsymifies our
libraries.
Leave LIBRARY_OUTPUT_DIRECTORY unset and depend on osx-app.sh to copy
our libraries into place.
Bug: 15361
Change-Id: If0fbaa796b4be806e2aa13887e511a330fe55df5
Reviewed-on: https://code.wireshark.org/review/31139
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Add temperature and power tags, represented using millidegrees/milliwatts.
Add attribute tag, allows generic reprsentation of dynamic path like key-value pairs in the format namespace.path.to.name=value where value can be a JSON-escaped string or an integer/float number.
Also fix a few implicit floating point conversions (confirmed values are the same).
Change-Id: Id8a858abfa8a56b44e9e7200b11adc562e67fb3b
Reviewed-on: https://code.wireshark.org/review/31136
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
With the change from Wireshark's default capture file format from
pcap to pcapng the suffix of the temporary file created in wiretap
was also changed from .pcap to .pcapng. This irrespective of the
actual file type requested. This change retrieves the registered
extension for the requested file type (in its uncompressed form)
and used that for the suffix. File types without a defined default
extension will get .tmp as suffix.
Change-Id: If809fef4325e483072c1fa4ee962125d991a197e
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/31065
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have a ws_init_version_info() routine that, given an application name
string:
constructs the app-name-and-version-information string, and
saves it;
adds the initial crash information on platforms that support it,
and saves it.
Have show_version() use the saved information and take no arguments.
Add a show_help_header() routine to print the header for --help
command-line options, given a description of the application; it prints
the application name and version information, the description, and the
"See {wireshark.org URL}" line.
Use those routines in various places, including providing the
"application name" string in pcapng SHBs.
Change-Id: I0042a8fcc91aa919ad5c381a8b8674a007ce66df
Reviewed-on: https://code.wireshark.org/review/31029
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
libwireshark and libwiretap have their INTERFACE link dependencies
changed to the required set.
libwsutil keeps a default public visibility. Further work may
show some unneeded link requirements.
The executable dependencies are adjusted accordingly.
Change-Id: I3a534f72403819cac136ae47a3d80acee76e0fb3
Reviewed-on: https://code.wireshark.org/review/30815
Reviewed-by: João Valverde <j@v6e.pt>
Pass the correct buffer size to find_signature so that we don't read
past it.
Bug: 15279
Change-Id: I822ed0fe8b48196dadd9c0062ed53fa1c4f6f404
Reviewed-on: https://code.wireshark.org/review/30809
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Install headers to support plugins development on Windows.
Change-Id: I3161bd2f730edf62ab44fee6ce4fedbb9aee0d31
Reviewed-on: https://code.wireshark.org/review/30776
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
As the comment says, this is a table of "File types that can be
identified by file extensions."; a file type that doesn't have an
extension that's used for files with that format obviously *can't* be
identified by a file extension and thus *doesn't* belong in this table.
Change-Id: Ic14dc55e6d9dbad4651e535cdf44293f8b449659
Reviewed-on: https://code.wireshark.org/review/30735
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a new secrets API to the core, one that can outlive the lifetime of
a single capture file. Expose decryption secrets from wiretap through a
callback and let the secrets API route it to a dissector.
Bug: 15252
Change-Id: Ie2f1867bdfd265bad11fc58f1e8d8e7295c0d1e7
Reviewed-on: https://code.wireshark.org/review/30705
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Support reading and writing pcapng files with DSBs. A DSB may occur
multiple times but should appear before packets that need those
decryption secrets (so it cannot be moved to the end like NRB). The TLS
dissector will be updated in the future to make use of these secrets.
pcapng spec update: https://github.com/pcapng/pcapng/pull/54
As DSBs may be interleaved with packets, do not even try to read it in
pcapng_open (as is done for IDBs). Instead process them during the
sequential read, appending them to the 'wtap::dsbs' array.
Writing is more complicated, secrets may initially not be available when
'wtap_dumper' is created. As they may become available in 'wtap::dsbs'
as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference
this array. This saves every user from checking/dumping DSBs.
If the wtap user needs to insert extra DSBs (while preserving existing
DSBs), they can set the 'wtap_dumper::dsbs_initial' field.
The test file was creating using a patched editcap (future patch) and
combined using mergecap (which required a change to preserve the DSBs).
Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9
Ping-Bug: 15252
Reviewed-on: https://code.wireshark.org/review/30692
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Rename wsjson_unescape_json_string to json_decode_string_inplace
(inspired by the g_base64_decode_inplace name). Rename
wsjson_is_valid_json to json_validate (inspired by g_unichar_validate).
Ideally json_parse is inlined with its user (sharkd_session.c), but that
requires exporting the jsmn_init and jsmn_parse functions... Hence the
dependency on jsmn.h remains in wsjson.h.
Change-Id: I7ecfe3565f15516e9115cbd7e025362df2da5416
Reviewed-on: https://code.wireshark.org/review/30731
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Move all the compressed-file type stuff to wiretap/file_wrappers.c.
Rename wtap_compressed_file_extension() to
wtap_compression_type_extension() for consistency with the other
compression-type-extension routine names.
Move the declarations of the compression-type-extension routines in the
header file.
wtap_compression_type_extension() now returns NULL for
WTAP_UNCOMPRESSED; there's no need to special-case it.
Get rid of the now-unused wtap_compression_type_supported() and
WTAP_NUM_COMPRESSION_TYPES.
Change-Id: Ib93874079bea669a0c87104513dba0d21390455a
Reviewed-on: https://code.wireshark.org/review/30729
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Guy Harris