This allows the "needs to be reloaded" indication to be set in the close
process, as is the case for ERF; having a routine that returns the value
of that indication is not useful if it gets seet in the close process,
as the handle for the wtap_dumper is no longer valid after
wtap_dump_close() finishes.
We also get rid of wtap_dump_get_needs_reload(), as callers should get
that information via the added argument to wtap_dump_close().
Fixes#17989.
Add asterisks to doxygen generates for existing
supported_block_type comments.
Add < to #define's so that doxygen associates comments
with the #define above, instead of below.
Extract the FCS length information from that field, and reject captures
that have a non-zero "class" field (the 10-bit reserved field that was
once intended to allow other "classes" of link layer type, with class 0
being "LINKTYPE_ values", but the original use case doesn't appear ever
to have been used).
The block is lightweight and doesn't have any options so the create
function doesn't really do anything, but it needs to be registered
so that when systemd journal files are opened, the wtap_block_create()
call works and doesn't segfault. Fix#17875
It's common to put multiple certificates in one RFC 7468 file in order to store
a certificate chain, as described in the introduction to RFC 7468 itself.
Support this usage by presenting each such certificate (or any other encoded
structure - the code doesn't discriminate) as a separate packet.
The new parsing code supports arbitrary line lengths, so update the detection
code to support arbitrary line lengths as well. Instead of probing up to 20
lines, we now try to find the first pre-encapsulation boundary in the first
2048 bytes of the file. I chose this new limit so that it works roughly the
same in practice as the old one (it's equal to 20 lines times 80 characters
per line, rounded to a power of two).
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.
Currently used to define ssize_t on platforms that lack it.
Fix some Windows build errors caused by moving the definition into a
separate header.
Fix some narrowing warnings on Windows x64 from changing the definition
of ssize_t from long int to int64_t.
The casts in dumpcap are ugly but necessary. The whole code needs
to be rewritten for portability, or the warnings disabled.
In wtap_dump_init_dumper(), when constructing a dummy IDB for files
that don't have one, if the tsprecision value is anything other than
the default, then the OPT_IDB_TSRESOL option also needs to be set.
Without it, for a pcapng the timestamps will be written according to the
tsprecision and time_units_per_second values, but when it is read,
the values will be interpreted incorrectly.
It would probably be better if the consistency of these values were enforced.
In addition to setting tsprecision and time_units_per_second, add
the OPT_IDB_TSRESOL option as well, because pcapng expects that to
be set if tsprecision is anything other than the default.
Rcv.Wind.Shift and Snd.Wind.Shift were not displayed correctly by
the BBLog dissector and the TCP dissector was not using the
information about the shift values available in the BBLog file.
Each "packet" in the USB encapsulation formats for at least
Linux and Darwin corresponds to an OS-level USB request, so
the packets can be much larger than a USB-level packet.
The default max packet length of 256 KiB prevents Wireshark
from loading capture files that contain requests >256 KiB.
(Saving such a capture already works fine.)
Fix this by making the Linux, Darwin, and FreeBSD formats
use the same max packet length as the USBPCap format, which
is 128 MiB.
/home/pi/wireshark/wiretap/file_wrappers.c: In function ‘file_fdopen’:
/home/pi/wireshark/wiretap/file_wrappers.c:1136:27: error: comparison of integer expressions of different signedness: ‘__blksize_t’ {aka ‘long int’} and ‘unsigned int’ [-Werror=sign-compare]
if (st.st_blksize <= MAX_READ_BUF_SIZE)
^~
cc1: all warnings being treated as errors
Very large 64 bit files are supported, so the CAM Inspector and
Ixia Veriwave heuristics, which are fairly weak and either always
(CAM Inspector) or possibly (Veriwave) try to read the entire file
should stop their heuristics and make a decision after some reasonable
length.
Without this, the GUI freezes for seconds, minutes, or even hours
by merely clicking on a large file in the file chooser, as
wtap_open_offline attempts to determine the file type. The same issue
occurs in capinfos, captype, tshark, editcap, etc.
In addition, previously the CAM Inspector heuristics could give the wrong
result on very large files, because 10 * invalid_pairs could overflow
its guint32 and then end up comparing as less than valid_pairs.
Fix#17620
Support reloading a Lua FileHandler when this is in use for a
loaded capture file. Prompt to save the file if having unsaved
changes because the file must be reloaded.
Fixes#17615
The file type/subtype for built-in types are <=
wtap_num_builtin_file_types_subtypes - the plugin types are given
type/subtype values after the last built-in type/subtype value.
Fixes#17614.
If the *first* read for a packet gets an EOF, it means that there is an
EOF right at the point where you're reading, which means "no more
packets".
If you get an EOF on any *subsequent* reads for the packet, it means the
file was cut off in the middle of the packet's record, which is an error.
ws_debug() inserts the file name, line number, and function name into
the ws_debug() message (assuming the function name can be obtained from
a macro), so there's no need to include it in the text of the message
(we don't do so elsewhere).
This has a few effects on the behavior of wtap_get_compression_type()
and wtap_get_all_compression_type_extensions():
Make capinfos correctly report the compression type (instead of
saying gzip compressed for zstd and lz4 compressed files).
Makes files with the .zstd and .lz4 extension show up in the file
chooser when "Files of type" is set to something other than "All Files",
such as "All Capture Files" or "Wireshark/... pcapng"
Makes the UI not default to gzip compression when saving a file
compressed as zstd or lz4 (write support for zstd and lz4 doesn't
exist yet, and the GUI doesn't have hooks for it anyway, though
this can help as a prerequisite for later support for writing.)
Also replace a couple of assert() with ws_assert().
Update the PURPOSE in CMakeLists for zstd and lz4 to note that they
can be used to read compressed capture files.
The Ubuntu build commented on some spelling errors in executable code
files. Fix the errors that don't come from external files containing
the spelling errors (USB product and vendor IDs, PCI IDs, ASN.1
specifications), and fix some errors that don't show up in the
executable code files (e.g., in comments and variable names).
Use the same style of message for too-short block errors ("pcapng: total
block length XXX of {a,an} XXX is too small...").
Add an additional check for the "skip" Netflix cutom block, to make sure
it has enough room for the 4-byte "skipped" value.
wblock->internal is not initialized on pcapng_read_custom_block function
pcapng.c:3747:9: warning: Branch condition evaluates to a garbage value [core.uninitialized.Branch]
nettrace_3gpp_32_423.c:256:2: warning: Value stored to 'prev_pos' is never read [deadcode.DeadStores]
nettrace_3gpp_32_423.c:295:2: warning: Value stored to 'next_msg_pos' is never read [deadcode.DeadStores]
nettrace_3gpp_32_423.c:487:4: warning: Value stored to 'port_type_defined' is never read [deadcode.DeadStores]
Use compute_options_size() to get the total size of all the options, and
use write_options() to write out the options for those blocks, as we do
for other blocks.
Get rid of wtap_block_option_get_value_size() and
wtap_block_get_options_size_padded(); they're no longer needed, and
their notion of an option's "size" is "size in a pcapng file", so that
doesn't belong in code that's intended to support all file types.
Have a routine to read the Sniffer record header, and call that in
ngsniffer_read() and ngsniffer_seek_read(). Only call
ngsniffer_process_record() for frame records that we understand, so that
we only allocate a block for those rather than for records we don't
understand or for EOF records, potentially leaking them.
Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.
This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.
If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.