When reading memory-mapped Linux capture files, fix up the "real" length
field, in case the file was written by a program doing a capture done
with a version of libpcap with a bug that causes it to incorrectly set
the "real" length for isochronous transfers.

USB 2.0/1.1/1.0 devices (or 3.x and newer when connected to hosts that
are not Super-Speed capable) operate at one of three speeds:
* Low-Speed (1.5 Mbps)
* Full-Speed (12 Mbps)
* High-Speed (480 Mbps)
Supporting speed-specific linktypes allows speed-specific dissection
without the need for the user to manually set the speed.

Each "packet" in the USB encapsulation formats for at least
Linux and Darwin corresponds to an OS-level USB request, so
the packets can be much larger than a USB-level packet.
The default max packet length of 256 KiB prevents Wireshark
from loading capture files that contain requests >256 KiB.
(Saving such a capture already works fine.)
Fix this by making the Linux, Darwin, and FreeBSD formats
use the same max packet length as the USBPCap format, which
is 128 MiB.

Replace all instances of "Nordic BLE Sniffer" with
"nRF Sniffer for Bluetooth LE" which is the name used by
Nordic Semiconductor for the development tool on the homepage.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>

LINKTYPE_ERF pcap files are really ERF files inside a thin pcap wrapper
(don't even ask what a pcapng file with some or all interfaces being
LINKTYPE_ERF is...), so the time stamp comes from the ERF record, not
from the pcap packet header or pcapng block header.
The time stamp resolution for the record should reflect that, so set it
to WTAP_TSPREC_NSEC (ERF time stamps are fractional-power-of-2, not
fractional-power-of-10, so that's the best we can do).

The secs field is a time_t, which is not necessarily 32 bits. If it's
not, casting away the upper bits, by casting to guint32, introduces a
Y2.038K bug.
Either cast to time_t or, if you're assigning a time_t to it, don't
bother with the cast.

Register the pcap and pcapng file types/subtypes rather than hardwiring
them into the table.
Call the registration routines for them directly, rather than through a
generated table; they're always supposed to be there, as some code in
Wireshark either writes only one of those formats or defaults to writing
one of those formats. Don't run their source code through the
registration-routine-finder script.
Have the file type/subtype codes for them be directly exported to the
libwiretap core, and provide routines to return each of them, to be used
by the aforementioned code.
When reporting errors with cfile_write_failure_message(), use
wtap_dump_file_type_subtype() to get the file type/subtype value for the
wtap_dumper to which we're writing, rather than hardcoding it.
Have the "export PDU" code capable of supporting arbitrary file
types/subtypes, although we currently only use pcapng.
Get rid of declarations of now-static can_write_encap and
dump_open routines in various headers.

It corresponds to LINKTYPE_ETW in pcap and pcapng files; the structures
in the record format come from the Event Tracing for Windows (ETW) API
rather than directly from Event Trace Log files.
While we're at it, explain what extcap/etl does.

New link type DLT_ETW is added for writing and reading Event Trace on Windows.
This change updates the MBIM dissector to decode an MBIM message from
a DLT_ETW packet.

I guess Coverity gets upset because, the way GUINT32_TO_BE() works when
building with Coverity, there's at least one test done the result of
which is always the same.
Calculate the "native" value of the direction, and then put it into
big-endian order, in two separate statements.
This should squelch Coverity CID 1457345.
Change-Id: I1ccd6fd848e6abc91f16fa375c98efcab9c5bf60
Reviewed-on: https://code.wireshark.org/review/37370
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>

Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>

wiretap/erf_record.h has declarations for records in ERF files and in
LINKTYPE_ERF packets in pcap and pcapng files.
wiretap/erf-common.h has declarations of routines to be called by
pcap/pcapng reader code when processing LINKTYPE_ERF packets.
wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with
the tables of file readers and writers.
Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa
Reviewed-on: https://code.wireshark.org/review/37021
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>

Fall back on the Wayback Machine for some links.
Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842
Reviewed-on: https://code.wireshark.org/review/34103
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Dissect raw USB Packets. The actual USB packets to transaction conversion
(which is needed to pass the data to existing USB URB dissector) is not
implemented yet.
Ping-Bug: 15908
Change-Id: Ia75d58882d770fdd8650622d318241743069ad8f
Reviewed-on: https://code.wireshark.org/review/34006
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

209 is LINKTYPE_IPMB_LINUX; add _LINUX/_linux to the WTAP_ENCAP_ name
and function/structure names, to clarify that it's not I2C in general,
it's I2C with a particular pseudo-header.
199 is now LINKTYPE_IPMB_KONTRON, not LINKTYPE_IPMB, as it doesn't have
raw I2C packets, it has I2C packets with a pseudo-header. Change the
WTAP_ENCAP_ name, and add a dissector for it.
Change-Id: Ie097f4317b03d2b2adfd9b81a4b11caf6268399e
Reviewed-on: https://code.wireshark.org/review/32539
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>

New link type for IEEE 802.15.4 with pseudo-header and optional
meta-data TLVs, PHY payload exactly as it appears in the spec (no
padding, no nothing), and FCS if specified by FCS Type TLV.
Specification at https://github.com/jkcko/ieee802.15.4-tap
Bug: 15429
Change-Id: I67bd154891ad5818be9a1630aa5cbb863b55509a
Reviewed-on: https://code.wireshark.org/review/32141
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Add a dissector for http://fd.io vpp graph dispatch traces. The file
format is described in detail here:
https://fdio-vpp.readthedocs.io/en/latest/gettingstarted/developers/vnet.html#graph-dispatcher-pcap-tracing
Fuzz-tested with good results.
Bug: 15411
Change-Id: I3b040bb072ce43fb2fb646a9e473c5486654906a
Signed-off-by: Dave Barach <dave@barachs.net>
Reviewed-on: https://code.wireshark.org/review/31466
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Change-Id: Ie5ab56f1ee80d14032969cbe7f31e086fb2b4b91
Reviewed-on: https://code.wireshark.org/review/31159
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>

Keeping them together might increase the likelihood that all of them get
updated when a new pcap/pcapng link-layer type, whose pseudo-header is
first processed here rather than by a dissector, is added.
Change-Id: Ia6f45c38e9530b7c6a53d006fbc01b3040e9a014
Reviewed-on: https://code.wireshark.org/review/29868
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Sort the cases to match the order in other routines.
That turned up a missing case for WTAP_ENCAP_NFC_LLCP, so add it.
Change-Id: I500731322ae93c6d2efc368f16cf468f589910f3
Reviewed-on: https://code.wireshark.org/review/29858
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Have pcap_read_erf_pseudoheader() do all the work of reading an ERF
pseudo-header.
Add pcap_write_erf_pseudoheader() as a routine to do all the work of
writing an ERF pseudo-header.
Change-Id: If53ae50fcee35a45113ca0f0c64f69848e044cbd
Reviewed-on: https://code.wireshark.org/review/29847
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Put the cases in pcap_write_phdr() into the same order as the cases in
pcap_process_pseudo_header().
Doing so revealed that there wasn't a case for WTAP_ENCAP_NFC_LLCP in
pcap_write_phdr(), so NFC LLCP captures wouldn't be saved correctly.
Add pcap_write_llcp_pseudoheader() and use it.
Change-Id: I2728a96e63d2e0606ae0bb480f97fe124ab48d17
Reviewed-on: https://code.wireshark.org/review/29841
Reviewed-by: Guy Harris <guy@alum.mit.edu>

For each pseudo-header type, put a routine to write the pseudo-header
after the routine to read it.
Change-Id: Iffc010c1bf97acc5eb834a388e328ad3c2310351
Reviewed-on: https://code.wireshark.org/review/29840
Reviewed-by: Guy Harris <guy@alum.mit.edu>

It's not as if 0 means received, 1 means sent, and anything else is
invalid; treat all non-zero values as meaning "sent" when reading, and
write out 1 for "sent".
Change-Id: Iaf5eb327a6b87b893a203475c8730452c51a38e9
Reviewed-on: https://code.wireshark.org/review/29839
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Put all the #defines and structure declarations for a particular
pseudo-header before the function to read the pseudo-header.
Change-Id: I11013ff99d72832f49e9bea56dbc07f5cd8618f3
Reviewed-on: https://code.wireshark.org/review/29838
Reviewed-by: Guy Harris <guy@alum.mit.edu>

That centralizes knowledge of the particular pseudo-header into its read
routine.
Change-Id: I4931d03a20a1b648af3ab6b92a034659c55d1ba3
Reviewed-on: https://code.wireshark.org/review/29837
Reviewed-by: Guy Harris <guy@alum.mit.edu>

For file formats, say "pcap/pcapng" or "pcap and pcapng" instead; this
code handles both formats. Use just "pcap_" in structure types.
Change-Id: I2c0e096855ac3736bbfd72480ed4221b3a2f25d1
Reviewed-on: https://code.wireshark.org/review/29835
Reviewed-by: Guy Harris <guy@alum.mit.edu>

We always tell pcap_process_pseudo_header() to check to make sure the
pseudo-header isn't bigger than the captured data; no need for a flag
argument to tell it to do so.
Change-Id: I8310bb06a390a7f4a7a232ad140ae07955d52da1
Reviewed-on: https://code.wireshark.org/review/29833
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Dissector for the VESA DisplayPort AUX channel protocol.
Bug: 14651
Change-Id: I5c0c7668bda969086d9d6e5069aad87e929f6340
Reviewed-on: https://code.wireshark.org/review/27311
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>

The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>