if they're not. Also report an error for zero-length names.
Handle multiple names per IP address - the pcap-NG spec says "one or
more zero-terminated strings containing the DNS entries for that
address."
Use a Buffer to hold NRB records, so there's no maximum size (well,
there is a maximum size, because the record length is 16 bits, but let's
not allocate 64KiB on the stack if we don't have to).
svn path=/trunk/; revision=41332
pcap_read_simple_packet_block(), not in pcap_read() - the way the fields
are filled in differs between simple and non-simple packet blocks.
Clean up white space.
svn path=/trunk/; revision=41284
by Wiretap, to indicate whether certain fields in that structure
actually have data in them.
Use the "time stamp present" flag to omit showing time stamp information
for packets (and "packets") that don't have time stamps; don't bother
working very hard to "fake" a time stamp for data files.
Use the "interface ID present" flag to omit the interface ID for packets
that don't have an interface ID.
We don't use the "captured length, separate from packet length, present"
flag to omit the captured length; that flag might be present but equal
to the packet length, and if you want to know if a packet was cut short
by a snapshot length, comparing the values would be the way to do that.
More work is needed to have wiretap/pcapng.c properly report the flags,
e.g. reporting no time stamp being present for a Simple Packet Block.
svn path=/trunk/; revision=41185
That means we don't need to do the block length check in
pcapng_read_block(); each block type reader, including the one for
unknown block types, does a check that's as stringent as that block
length check or more stringent, which means any block whose length is
less than the minimum will fail with the same error in both cases.
Fix the message for a too-short NRB.
svn path=/trunk/; revision=41152
1) contain the block length fields and block type field;
2) contain that plus the fixed-length portion of the block;
3) for blocks that have a variable-length portion other than the
options, contain that variable-length portion.
Fixes a crash we're seeing with a bad pcap-NG file in the Wireshark
menagerie (7799-lastPacketWithoutComment.pcapng - the last packet's
block length is 128, but it claims to have 98 bytes of packet data,
which requires a 132-byte block).
Clean up white space (use 8-space tabs).
svn path=/trunk/; revision=41143
block, which could be the case even in a *valid* file (consider a file
with an SHB, an NRB, an IDB, and a packet block, in that order); even if
there's no IDB before the first packet block, that should be reported to
the user as "interface N not less than interface count M", to more
precisely indicate the problem.
(Yes, the loop should probably keep going until it finds a packet block,
not just a non-IDB block.)
svn path=/trunk/; revision=41132
so if we later get a short read, we have to return -1 and set *err to
WTAP_ERR_SHORT_READ. Otherwise, we'll try other file types and, if none
of them match, we'll try to close the wtap structure, which crashes.
svn path=/trunk/; revision=41102
the details of what in particular is unsupported; report it in TShark
and Wireshark.
Handle WTAP_ERR_RANDOM_OPEN_PIPE in TShark.
Handle WTAP_ERR_COMPRESSION_NOT_SUPPORTED in TShark, and have its error
message in Wireshark not speak of gzip, in case we support compressed
output in other formats in the future.
If we see a second section header block in a pcap-NG file, don't report
it as "the file is corrupted", report it as "the file uses a feature we
don't support", as that's the case - and don't free up the interface
data array, as the file remains open, and Wireshark might still try to
access the packets we were able to read.
svn path=/trunk/; revision=41041
This is POC we may want to have more efficient use of the frame data
structure etc. But this allows for work to be done on the GUI to actually add comments.
svn path=/trunk/; revision=40969
> WTAP_MAX_PACKET_SIZE, either that should be caught above the
per-file-type layer in Wiretap or should be handled by the caller.
We've recently fixed at least one problem with reported lengths > 2^31 -
1 (by clamping the length to 2^31 - 1), so let's just remove the check
from the pcap-NG reader, to squelch some complaints we're getting from
the buildbot (bug 6673 and its duplicates).
(The pcap reader uses it to cope with some of the botched libpcap
formats that changed the per-packet header without changing the magic
number; I'll look at trying to preserve those heuristics while still
allowing reported lengths > WTAP_MAX_PACKET_SIZE.)
svn path=/trunk/; revision=40207
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
same.
Add to wiretap/pcap-common.c a routine to fill in the pseudo-header for
ATM (by looking at the VPI, VCI, and packet data, and guessing) and
Ethernet (setting the FCS length appropriately). Use it for both pcap
and pcap-ng files.
svn path=/trunk/; revision=38840
which we read the data to be written doesn't record the snapshot
length". A snapshot length of 0 in a pcap or pcap-ng file is not
handled well by many programs reading those files; for pcap files, we
write out WTAP_MAX_PACKET_SIZE as the snapshot length in that case, so
do so for pcap-ng files as well.
svn path=/trunk/; revision=38790
If an EnhancedPacketBlock in a pcapng file contains a comment option the
content isn't displayed. Instead "Malformed packet" is displayed with the
reason Exception occurred.
The reason for the problem is a bug in the pcapng.c, where for enhanced packet
blocks, interface description blocks and interface statistics blocks the wrong
union members are used to set the comment. This way required fields in the
structures are overwritten.
The attached patch solves the problem.
svn path=/trunk/; revision=38491
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
can't be saved in compress form" are both equivalent to "this file file
format requires seeking when writing it". Change the "can compress"
Boolean in the file format table to "writing requires seeking", give all
the entries the proper value, and do the checks for attempting to write
a file format to a pipe or write it in compressed format to common code.
This means we don't need to pass the "can't seek" flag to the dump open
routines.
svn path=/trunk/; revision=36575
file_read(buf, bsize, count, file) macro is compilant with fread
function and takes elements count+ size of each element, however to make
it compilant with gzread() it always returns number of bytes.
In wiretap file_read() this is not really used, file_read is called
either with bsize set to 1 or count to 1.
Attached patch remove bsize argument from macro.
svn path=/trunk/; revision=36491
support; TShark has read+write support. Additionally TShark can read a
"hosts" file and write those records to a capture file.
This uses "struct addrinfo" in many places and probably won't compile on
some platforms.
svn path=/trunk/; revision=36318
Get rid of debugging printouts that are equivalent to the "additional
error information" messages.
Return additional error info for all WTAP_ERR_BAD_RECORD errors.
svn path=/trunk/; revision=35800
everybody use it; the places using the old wtap_dump_file_write() were
using it in the same way the old wtap_dump_file_write_all() did.
That also lets us get rid of wtap_dump_file_ferror().
Also, have the new wtap_dump_file_write() check for errors from
gzwrite() and fwrite() differently - the former returns 0 on error, the
latter can return a short write on error.
svn path=/trunk/; revision=33113
Support PPP-over-USB.
Don't remove the USB pseudo-header from the packet data for
Linux USB packets, just byte-swap it if necessary and have the
USB dissector fetch the pseudo-header from the raw packet data.
Update USB language ID values.
svn path=/trunk/; revision=32534
1) if it's not an SHB, just say "this is not a pcap-ng file",
don't try to process it (we can't process it, as we haven't
finished setting up all the state information yet);
2) if it has the right SHB type code, but isn't a valid SHB,
just say "this is not a pcap-ng file".
For all other SHB's, treat anything that renders it invalid as an error.
svn path=/trunk/; revision=32393
wtap-int.h, and change the unions of pointers to those private data
structures into just void *'s.
Have the generic wtap close routine free up the private data, rather
than the type-specific close routine, just as the wtap_dumper close
routine does for its private data. Get rid of close routines that don't
do anything any more.
svn path=/trunk/; revision=32015
wtap_wtap_encap_to_pcap_encap() to wiretap/pcap-encap.h. Include it
where it's needed; don't include other Wiretap headers where they're not
needed.
Include pcapng.h in pcapng.c, to declare the functions defined in
pcapng.c. Add some casts to squelch some warnings, and add to a comment
to indicate one of the problems.
svn path=/trunk/; revision=31960
This fixes a bug reported by Tyson Key as a follow up of Bug 3560.
Also some cleanups and debug output improvements.
Thanks to Tyson Key for reporting the bug and providing a tracefile.
This fix will be included in Wireshark 1.2.1 and higher.
svn path=/trunk/; revision=28868
text2pcap uses 102400.
This fixes bug 3620. Thanks to Tyson Key for reporting the bug
and providing capture files.
This fix should be included in Wireshark 1.2.1 and higher.
svn path=/trunk/; revision=28866
encapsulations.
This fixes a bug reported by Sake during the
Sharkfest 09. Thanks for providing a
Netscreen tracefile with multiple link layer
types.
This patch will be included in Wireshark 1.2.1
and higher.
svn path=/trunk/; revision=28862
* adds an encapsulation argument to pcap_write_phdr.
* writes the pseudo header when writing pcapng files.
This fixes a bug where you could not write pcapng files
when using encapsulations requiring pseudo headers.
svn path=/trunk/; revision=28859
this a the file encapsulation.
This fixes a bug where you can not save a file
in libpcap format when you captured it as a
pcapng one.
This fix will be scheduled for Wireshark 1.2.1
and higher.
svn path=/trunk/; revision=28858
* adds an encap argument to pcap_process_pseudo_header.
* adds support for reading pseudo headers.
It fixes Bug 3560.
Thanks to Tyson Key for reporting the bug and providing
trace files. This fix will be scheduled for inclusion in
Wireshark 1.2.1 and higher.
svn path=/trunk/; revision=28857
* Initialize pseudoheader.
* Add some input validation / protection code.
* Fix some return values.
* Clean up some whitespaces.
This fixes Bug 3565. Thanks to Tyson Key how reported
the issue and provided capture files for debugging.
This fix is scheduled for inclusion in Wireshark 1.2.1
and higher.
svn path=/trunk/; revision=28850