Addresses CIDs 1398222 and 1398221.
Fix the previous fix while we're at it.
Change-Id: I6fe54e6ad115ac05154291b76de316426db72139
Reviewed-on: https://code.wireshark.org/review/21176
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's more consistent.
Handle the "libpcap" names for backwards compatibility.
Change-Id: I819404d69bddd733b7ee38e23d3ddc71110c0faf
Reviewed-on: https://code.wireshark.org/review/21172
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The only place the time stamp precision is used is in the libpcap code,
where it determines whether to write out microsecond-precision or
nanosecond-precision time stamps; we can determine that by looking at
the type/subtype field, which is also part of that structure, so do
that.
We weren't setting it consistently - we were only setting it in libpcap
and a few other capture file writers, and not in other capture file
writers - and none of the writers other than libpcap used it.
Change-Id: If53779cf4823ca936b8bf3e8a7dbcfea5850e652
Reviewed-on: https://code.wireshark.org/review/21171
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The chances that they won't, in this case, are slim to none, as the time
is after the Epoch, but this squelches CID 1398223.
We'll change the master branch to require an err_info string for
WTAP_ERR_INTERNAL and to display it in a future commit.
Change-Id: Ifb51076b25117efc53ba3ad8b434e36c71f7600f
Reviewed-on: https://code.wireshark.org/review/21169
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Avoid anachronisms, however; there was no "macOS 10.0" or even "OS X
10.0", for example. It was "Mac OS X" until 10.8 (although 10.7 was
sometimes called "OS X" and sometimes called "Mac OS X"), and it was "OS
X" from 10.8 to 10.11.
Change-Id: Ie4a848997dcc6c45c2245c1fb84ec526032375c3
Reviewed-on: https://code.wireshark.org/review/20933
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The loop was using bytes_read, but wasn't setting it. Go back to
something similar to the previous loop condition, but don't lose the
error tests.
Fixes Coverity CID 1403388.
Change-Id: I557cbfa6e9ad81491af4fc90e85ce87c71fec8aa
Reviewed-on: https://code.wireshark.org/review/20776
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Makes Windows vscodeanalysis a little happier.
Change-Id: Ie744e91ab3f2a9744ae21c932ab6ea25467ad2fa
Reviewed-on: https://code.wireshark.org/review/20724
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Changed to use correct option_id when reading IDB.
Change-Id: Id3a3b3cd95f9d7bcf51de001cfe246beb98590ad
Reviewed-on: https://code.wireshark.org/review/20663
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also, if we return WTAP_OPEN_ERROR from an open routine after we've set
our close routine, that routine is called, which frees up our private
data structures; don't free them ourselves before returning
WTAP_OPEN_ERROR.
Change-Id: I03eebe1a1677e2161fdacec8de14668093cf03a3
Reviewed-on: https://code.wireshark.org/review/20522
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 13478
Change-Id: I6be2972979ff7cabf27e70d236c581d539d6ddac
Reviewed-on: https://code.wireshark.org/review/20515
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The maximum record length is 255*128 + 127 = 32767; that fits in a
guint32, which is large enough to support the biggest packet we'd ever
support without stretching several size values to 64 bits.
It's not a size of an object in memory, so it doesn't have to be a
size_t, and a size_t could be too large to fit in the record sizes we're
using.
Just cast to guint32.
Change-Id: Ie664fda3ce9945893fd992bbb9a81a5d632a3fcb
Reviewed-on: https://code.wireshark.org/review/20479
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When vmnames are included in the header of a netscaler packet trace,
number of bytes equal to the size of vmnames is omitted from the packet,
by the dissector.
Bug: 13459
Change-Id: I0f907e9c2e08c1cbebd47f7e50d8284a6aaade59
Reviewed-on: https://code.wireshark.org/review/20446
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It warns that a 32-bit value is being shifted left and then converted to
a 64-bit type; presumably it means "this might overflow and not give you
the result you expect". That's unlikely to be the case here, as few
UN*X file systems have a recommended I/O block size > 2^30, but we might
as well throw in a cast so the convert-to-a-64-bit-type is done first.
Change-Id: Id6ab11d750d5cf4cc03d060d63edc01b66cd179d
Reviewed-on: https://code.wireshark.org/review/20352
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We're now comparing an unsigned with an expression made mostly of
unsigned, so there's no need to cast the expression to long to squelch
signed vs. unsigned warnings.
Change-Id: I3b8c6f6faf26a9c252eb55d9e69fb298a3ad4c3b
Reviewed-on: https://code.wireshark.org/review/20347
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The record size fields are guint8, but NSPR_V20RECORDSIZE_2BYTES was
0x80, which has type int, promoting the result to int. Make it 0x80U,
which means everything is unsigned.
This squelches a compiler warning.
Change-Id: I1c63e485352a90c7f675ab0dacaaeba794235b35
Reviewed-on: https://code.wireshark.org/review/20344
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do the check early in the process of processing the record, and do it
for all record types.
Bug: 13429
Change-Id: Id7f4d12415c6740241850d8f873cff52909e7110
Reviewed-on: https://code.wireshark.org/review/20330
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Records in a properly formatted NetScaler file shouldn't go past the end
of a page, but nothing guarantees that a NetScaler file will be properly
formatted.
NetScaler 3.x files allow record bodies to go past the end of a page,
but 1.x and 2.x files don't, so treat record headers that go past the
end of a page, and record bodies in 1.x and 2.x files that go past the
end of a page, as errors.
Clean up some stuff while we're at it.
Bug: 13430
Change-Id: I3b1d56086e3bb14b246406f306e3d730df337561
Reviewed-on: https://code.wireshark.org/review/20326
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I8c339e7484d410460d499dd2923641630b482ebe
Reviewed-on: https://code.wireshark.org/review/20303
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
If plugin_list was NULL, plugin_types didn't get cleaned.
Add test and set of open_info_arr.
Change-Id: I7669e3ba86039fb2b26ff2da64f51896053c5e68
Reviewed-on: https://code.wireshark.org/review/20195
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I76ea675625ef2812f51bad0c37f6c58060897f55
Reviewed-on: https://code.wireshark.org/review/20172
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The packet length field gives the length of the *entire* packet, so, by
definition, it must not be zero. Make sure it's at least big enough for
the packet header itself plus one segment header.
Bug: 13416
Change-Id: I625bd5c0ce75ab1200b3becf12fc1c819fefcd63
Reviewed-on: https://code.wireshark.org/review/20133
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's a non-null pointer to a character string with the value "NULL".
You want just NULL, with no quotes.
Change-Id: I51bfb73a3002f46f13a8f513d07b1ddc009a14cb
Reviewed-on: https://code.wireshark.org/review/20123
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The cleanup routine has been added to exit section of the applications.
Those which required a exit restyle have been patched as well.
Change-Id: I3a8787f0718ac7fef00dc58176869c7510fda7b1
Reviewed-on: https://code.wireshark.org/review/19949
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
V6.0 only has one space after "ETHERWATCH", not two so heuristics fail.
"ETHERWATCH " (one space) still seems like enough of a distinction.
Bug: 13093
Change-Id: Ib8786f6e2f5f595a4cab710b91cf78d175a6ab88
Reviewed-on: https://code.wireshark.org/review/19673
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
The current mechanism that reads the first 20 blocks looking for a headerd
oesn't work in all cases. I was given sample files that consist of
data blocks only and have no header.
Use a new approach to detect a .camins file by searching for pairs of
size high + size low blocks, either read or write. Go through the
entire file. If we have significantly more pairs than single, non-matching
blocks, this is a camins file.
Change-Id: Ic91e7db7149b105e26896d1a89cad4a2a73d0f13
Reviewed-on: https://code.wireshark.org/review/19603
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
Check the length of the line first.
Bug: 13246
Change-Id: I906bb652594898061afb4b2cd4edb916af354161
Reviewed-on: https://code.wireshark.org/review/19273
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have programs that use libwiretap call that routine rather than
separately calling some or all of init_open_routines(),
wtap_register_plugin_types(), and wtap_opttypes_initialize().
Also don't have routines internal to libwiretap call those. Yes, this
means doing some initialization work when it isn't necessary, but
scattering on-demand calls throughout the code is a great way to forget
to make those calls.
Change-Id: I5828e1c5591c9d94fbb3eb0a0e54591e8fc61710
Reviewed-on: https://code.wireshark.org/review/19069
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This is similar to what we have for opening a dump file - one API that
uses the file name as specified, one that creates a temporary file and
provides the file name, and one that uses the standard output.
All of those APIs handle closing the output file.
Change-Id: I56beea7be347402773460b9148ab31a8f8bc51e1
Reviewed-on: https://code.wireshark.org/review/19059
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way, we can close the resulting wtap_dumper the same way we close
any other wtap_dumper, including closing the FD, rather than trying to
do everything *except* closing the FD (which is tricky for a FILE *).
Change-Id: I8cb66e32784d73e598b2e8720a12f9bdab1c6205
Reviewed-on: https://code.wireshark.org/review/19054
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way, if we #define anything for large file support, that's done
before we include any system header files that either depend on that
definition or that define it themselves if it's not already defined.
Change-Id: I9b07344151103be337899dead44d6960715d6813
Reviewed-on: https://code.wireshark.org/review/19035
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
packet-erf: Fix Host ID/Source ID showing for all extension header types.
Only show generated Host ID/Source ID when there is a Host ID extension header
or there was not one on the record.
Assumes there is only one Source ID if multiple Flow ID extension headers (unlikely)
and that it matches the one in the Host ID header. This is consistent with other tools.
Does support multiple Host ID extension headers though.
Fix dag_version tag short name. Was clashing with another tag due to typo.
ERF wiretap: Don't conflate Host ID 0 with implicit Host ID.
While the implicit Host ID defaults to 0, it is not the same thing as seeing
a packet with Host ID explicitly 0 in the extension header which means
explicitly unknown source.
Store the initial (unknown) implicit Host ID interface mapping in it's own
special mapping table entry rather than 0.
Noticed we can currently get duplicate interfaces in the unusual event of mixed
implicit and explicit Host ID packet extension headers for the same ID before
we discover that mapping.
Consistently abandon the implicit version for consistency with the dissector
linking behaviour and mark the interface as unmatched in the description. In
2 pass mode (including normal Wireshark file open) the abandoned interface ends
up with no packets. In the common cases (all Host ID or no Host ID on packet
records) this duplicate interface will not be created in the first place.
Change-Id: Ic5d0b2ce9aae973f1693a247cf240ef1324ff70a
Ping-Bug: 12303
Reviewed-on: https://code.wireshark.org/review/18704
Reviewed-by: Stephen Donnelly
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
And some comments in the case where we're converting the result of
time() - if your machine's idea of time predates January 1, 1970,
00:00:00 UTC, it'll crash on Windows, but that's not a case where a
*file* can cause the problem due either to a bad file time stamp or bad
time stamps in the file.
Change-Id: I837a438e4b875dd8c4f3ec2137df7a16ee4e9498
Reviewed-on: https://code.wireshark.org/review/18369
Reviewed-by: Guy Harris <guy@alum.mit.edu>
They break the check by not including header files for custom types
and they are not part of the API anyway.
Bug: 13018
Change-Id: Ia0f81f861251b5659af723b9da795daeb7454eb3
Reviewed-on: https://code.wireshark.org/review/18297
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Petri-Dish: Balint Reczey <balint@balintreczey.hu>
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Guy Harris