1) The default build configuration is to select PCAPNG as
output format, but it can be selected as PCAP. Some of the
command line tools have the option to select the output
format and default towards the build configuration.
This has to be reflected in their help output also.
2) Various documentation files are still stating that PCAP is
the default format of various tools. With the default build
configuration being PCAPNG these have to be adjusted as well.
(with lack of dynamic content the documentation can only refer
to the default build configuration format).
Change-Id: I51d19642a7ed8c99817971c1f25d20972095021e
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/30951
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a new secrets API to the core, one that can outlive the lifetime of
a single capture file. Expose decryption secrets from wiretap through a
callback and let the secrets API route it to a dissector.
Bug: 15252
Change-Id: Ie2f1867bdfd265bad11fc58f1e8d8e7295c0d1e7
Reviewed-on: https://code.wireshark.org/review/30705
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The (optional) JSON-GLib library adds dependencies on GObject, GIO. For
statically linked oss-fuzz builds it also adds libffi and more. To avoid
these dependencies, replace JSON-GLib by some custom code. This allows
`tshark -G elastic-mapping` to be enabled by default without extra deps.
API design goals of the new JSON dumper library:
- Small interface without a lot of abstraction.
- Avoid memory allocations if possible (currently none, but maybe
json_puts_string will be replaced to improve UTF-8 support).
- Do not implement parsing, this is currently handled by jsmn.
Methods to open/close array/objects and to set members are inspired by
the JsonGlib interface. The interfaces to write values is inspired by
the sharkd code (json_puts_string is also borrowed from that).
The only observed differences in the tshark output:
- JSON-GLib ignores duplicates, json_dumper does not and may produce
duplicates and currently print two "ip.opt.sec_prot_auth_unassigned".
- JSON-GLib adds a space before a colon (unimportant formatting detail).
- (Not observed, but UTF-8 strings will be wrong like bug 14948.)
A test was added to catch changes in the tshark output. I also fuzzed
json_dumper with libFuzzer + UBSAN/ASAN and fixed an off-by-one error.
Change-Id: I0c85b18777b04d1e0f613a3d59935ec59be87ff4
Link: https://www.wireshark.org/lists/wireshark-dev/201811/msg00052.html
Reviewed-on: https://code.wireshark.org/review/30732
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The test_tshark_io_direct_stdout test was failing because the command
"tshark -r test/captures/dhcp.pcap -w - > some.pcap" produced a corrupt
capture file which has the packet information appended at the end.
Change-Id: I1a79e98f1475c29d7dad3ff90d4cb689f46b0e57
Fixes: 57389a0c69 ("make tshark compile and work also when pcap is not available")
Reviewed-on: https://code.wireshark.org/review/30668
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This:
1) means that we don't have to flag the compression argument with a
comment to indicate what it means (FALSE doesn't obviously say "not
compressed", WTAP_UNCOMPRESSED does);
2) leaves space in the interfaces in question for additional compression
types.
(No, this is not part 1 of an implementation of additional compression
types, it's just an API cleanup. Implementing additional compression
types involves significant work in libwiretap, as well as UI changes to
replace "compress the file" checkboxes with something to indicate *how*
to compress the file, or to always use some other form of compression).
Change-Id: I1d23dc720be10158e6b34f97baa247ba8a537abf
Reviewed-on: https://code.wireshark.org/review/30660
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use it for all the per-file information, including the per-file
link-layer type and the per-file snapshot length.
Change-Id: Id75687c7faa6418a2bfcf7f8198206a9f95db629
Reviewed-on: https://code.wireshark.org/review/30616
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Using WTAP_ENCAP_PER_PACKET if there's more than one interface forces a
format supporting multiple encapsulations even if all interfaces use the
same encapsulation; there's no reason to force that - you might as well
let the user specify pcap format, for example, if that's what they
really want.
(If there are multiple interfaces and they have different
encapsulations, the file encapsulation will be WTAP_ENCAP_PER_PACKET
*anyway*.)
Change-Id: I0e65c06e1ae3ff159ccd27f72cc63014e30a58f3
Reviewed-on: https://code.wireshark.org/review/30658
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It means "snapshot length unknown".
For most file formats, the snapshot length isn't recorded (even for
formats that support slicing - all they record is the on-the-network
length, and length after slicing, for each packet), so it's ignored in
the dumper.
The one exception is pcap, which records it in the file header; if it's
unknown, the pcap-writing code picks the maximum supported snapshot
length for the file's link-layer header type.
Change-Id: Ieda5dfe34c4bac63e43fdadeff31799ac3c908de
Reviewed-on: https://code.wireshark.org/review/30657
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have the routines always take a parameters pointer; pass either null or
a pointer to an initialized-to-nothing structure in cases where we were
calling the non-_ng versions.
Change-Id: I23b779d87f3fbd29306ebe1df568852be113d3b2
Reviewed-on: https://code.wireshark.org/review/30590
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Four variants of wtap_dump_open_ng exists, each of them take the same
three parameters for the SHB, IDB and NRB blocks that has to be written
before packets are even written. Similarly, a lot of tools always create
these arguments based on an existing capture file session (wth).
Address the former duplication by creating a new data structure to hold
the arguments. Address the second issue by creating new helper functions
to initialize the parameters based on a wth. This refactoring should
make it easier to add the new Decryption Secrets Block (DSB).
No functional change intended.
Change-Id: I42c019dc1d48a476773459212ca213de91a55684
Reviewed-on: https://code.wireshark.org/review/30578
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Call it from wmain() in the command-line tools, passing it the input
argument count and vector, and call it from main() in Wireshark, after
getting a UTF-16 argument vector from passing the result of
GetCommandLineW() to CommandLineToArgvW().
Change-Id: I0e51703c0a6c92f7892d196e700ab437bd702514
Reviewed-on: https://code.wireshark.org/review/30063
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Doing so for command-line programs means that the argument list doesn't
ever get converted to the local code page; converting to the local code
page can mangle file names that *can't* be converted to the local code
page.
Furthermore, code that uses setargv.obj rather than wsetargv.obj has
issues in some versions of Windows 10; see bug 15151.
That means that converting the argument list to UTF-8 is a bit simpler -
we don't need to call GetCommandLineW() or CommandLineToArgvW(), we just
loop over the UTF-16LE argument strings in argv[].
While we're at it, note in Wireshark's main() why we discard argv on
Windows (Qt does the same "convert-to-the-local-code-page" stuff); that
means we *do* need to call GetCommandLineW() and CommandLineToArgvW() in
main() (i.e., we duplicate what Qt's WinMain() does, but converting to
UTF-8 rather than to the local code page).
Change-Id: I35b57c1b658fb3e9b0c685097afe324e9fe98649
Ping-Bug: 15151
Reviewed-on: https://code.wireshark.org/review/30051
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add 'v' option for VLAN ID resolving and get rid of
deprecated 'C' option.
Bug: 14826
Change-Id: I63104f4a465d251048693ad02882ea7eb2c4d926
Reviewed-on: https://code.wireshark.org/review/30029
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We are exporting a registration function from libwireshark just
to have it passed back as a callback. Seems unnecessary.
Change-Id: I7621005c9be11691d319102326824c5e3520a6f3
Reviewed-on: https://code.wireshark.org/review/29328
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
In various places, <program>_epan_new was called before setting the
provider, so the wth field was null. This fix is necessary for the
next commit, adding Secrets Description Block, as it uses this field.
Change-Id: Ice8ee01c56b3e04fc71d7b2c659d9635cb366951
Reviewed-on: https://code.wireshark.org/review/28868
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
valgrind --tool=memcheck --leak-check=full ./run/tshark -r sctp.pcap -U "OSI layer 3" -w exported.pcap
13 bytes in 1 blocks are definitely lost in loss record 20 of 93
at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
by 0xB27B3C5: g_malloc (gmem.c:99)
by 0xB294D22: g_strdup (gstrfuncs.c:363)
by 0x117B5D: capture_opts_add_opt (capture_opts.c:889)
by 0x118C0E: main (tshark.c:1112)
Change-Id: I9b794015aa4d2626b43a5743864c2d732c6acaa1
Reviewed-on: https://code.wireshark.org/review/29125
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
In CI environments with no capture driver, the test_tshark_dump_glossary
test could fail because "tshark -G decodes" contains an error message.
Postpone the check until the moment where a capture is actually started.
It also no longer shows with tshark -L, -D, --version, etc.
Change-Id: I6674c6fe007c99576c777a025cd44b3f2e594b59
Reviewed-on: https://code.wireshark.org/review/28966
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Otherwise, the first N packets printed, for a value of N dependent on
various factors, won't get IP addresses resolved to names, even if the
user wants them resolved. Unlike Wireshark, which, when a name is
resolved in asynchronously, can go back and fix up the displayed packet
when the asynchronous operation completes, once TShark has written
packet data to the standard output, it can't go back and fix it if it
did name resolution asynchronously.
Bug: 14711
Change-Id: I8ebbd83103e5780c903b5560e01b7b92fa39c924
Reviewed-on: https://code.wireshark.org/review/27668
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Running tools/dfilter-test.py with LSan enabled resulted in 38 test
failures due to memory leaks from "fvalue_new". Problematic dfilters:
- Return values from functions, e.g. `len(data.data) > 8` (instruction
CALL_FUNCTION invoking functions from epan/dfilter/dfunctions.c)
- Slice operator: `data.data[1:2] == aa:bb` (function mk_range)
These values end up in "registers", but as some values (from READ_TREE)
reference the proto tree, a new tracking flag ("owns_memory") is added.
Add missing tests for some functions and try to improve documentation.
Change-Id: I28e8cf872675d0a81ea7aa5fac7398257de3f47b
Reviewed-on: https://code.wireshark.org/review/27132
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The generated elastic mapping file is huge and it can hassle softwares
like Kibana. This change adds the ability to append desired filters
that will appear in the mapping file.
This change adds the option --elastic-mapping-filter <protocols> to tshark.
Example: tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
make only those 3 protocols to appear in the mapping file.
Change-Id: Ie2dcd6e44be2d084e8e50cd6554bd90178da4e38
Reviewed-on: https://code.wireshark.org/review/27001
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
MaxMind is discontinuing its legacy databases in April in favor of
GeoIP2, which use a newer database format (MaxMind DB). The reference C
library (libmaxminddb) is available under the Apache 2.0 license which
isn't quite compatible with ours.
Add mmdbresolve, a utility that reads IPv4 and IPv6 addresses on stdin
and prints resolved information on stdout. Place it under a liberal
license (MIT) so that we can keep libmaxminddb at arm's length. Add
epan/maxmind_db.[ch], which spawns mmdbresolve and communicates with it
via stdio.
Migrate the preferences and documentation to MaxMindDB.
Change the IPv4 and IPv6 asnum fields to FT_UINT32s. Change the
geographic coordinate fields to FT_DOUBLEs.
Bug: 10658
Change-Id: I24aeed637bea1b41d173270bda413af230f4425f
Reviewed-on: https://code.wireshark.org/review/26214
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
One reason to do dissection is if a tap requires it, so we have to check
after starting the taps.
Change-Id: Ic7910449c3f85df2a52065e789986d970d13c253
Reviewed-on: https://code.wireshark.org/review/25904
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There are no "old" versions of them that we're keeping around.
Change-Id: I3c76a14d0ec1a06df39c547da37f4dea9987df4d
Reviewed-on: https://code.wireshark.org/review/25892
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We shouldn't do so until we have something on which to compute
statistics and until we're in file scope, as the taps may use
file-scoped memory, given that statistics pertain to a file.
Change-Id: Ifb568480a3cbbd4dc891015b3bb42da1511ca514
Reviewed-on: https://code.wireshark.org/review/25887
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
g995812c5f1 moved wiretap plugins registration from applications to
wiretap library init function.
As we do not want to load plugins for all users of libwiretap, let's
make it configurable.
Bug: 14314
Change-Id: Id8fdcc484e2d0d31d3ab0bd357d3a6678570f700
Reviewed-on: https://code.wireshark.org/review/25194
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The default value of kernel.unprivileged_bpf_disabled is 0 which means
this is enabling the BPF JIT compiler for unprivileged users. Given that
this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this
is not a setting that a utility should be tampering with.
Tshark's and dumpcap's help message is changed by Balint Reczey to suggest
enabling BPF manually after considering security-related implications.
Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885
Signed-off-by: Balint Reczey <balint.reczey@canonical.com>
Bug: 14313
Reviewed-on: https://code.wireshark.org/review/25192
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Petri-Dish: Balint Reczey <balint@balintreczey.hu>
Reviewed-by: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Put different types of plugins (libwiretap, libwireshark) in different
subdirectories, give libwiretap and libwireshark init routines that
load the plugins, and have them scan the appropriate subdirectories
so that we don't even *try* to, for example, load libwireshark plugins
in programs that only use libwiretap.
Compiled plugins are stored in subfolders of the plugin folders, with
the subfolder name being the Wireshark minor version number (X.Y). There is
another hierarchical level for each Wireshark library (libwireshark, libwscodecs
and libwiretap).
The folder names are respectively plugins/X.Y/{epan,codecs,wiretap}.
Currently we only distribute "epan" (libwireshark) plugins.
Change-Id: I3438787a6f45820d64ba4ca91cbe3c8864708acb
Reviewed-on: https://code.wireshark.org/review/23983
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Have the routines that create them take a pointer to a struct
packet_provider_data, store that in the tvbuff data, and use it to get
the wtap from which packets are being read.
While we're at it, don't include globals.h in any header files, and
include it in source files iff the source file actually uses cfile. Add
whatever includes that requires.
Change-Id: I9f1ee391f951dc427ff62c80f67aa4877a37c229
Reviewed-on: https://code.wireshark.org/review/24733
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have separate packet_provider_data structures and packet_provider_funcs
structures; the latter holds a table of functions that libwireshark can
call for information about packets, the latter holds the data that those
functions use.
This means we no longer need to expose the structure of an epan_t
outside epan/epan.c; get rid of epan/epan-int.h.
Change-Id: I381b88993aa19e55720ce02c42ad33738e3f51f4
Reviewed-on: https://code.wireshark.org/review/24732
Reviewed-by: Guy Harris <guy@alum.mit.edu>
libwireshark now expects an epan_t to be created with a pointer to a
"packet provider" structure; that structure is opaque within
libwireshark, and a pointer to it is passed to the callbacks that
provide interface names, interface, descriptions, user comments, and
packet time stamps, and that set user comments. The code that calls
epan_new() is expected to provide those callbacks, and to define the
structure, which can be used by the providers. If none of the callbacks
need that extra information, the "packet provider" structure can be
null.
Have a "file" packet provider for all the programs that provide packets
from a file.
Change-Id: I4b5709a3dd7b098ebd7d2a7d95bcdd7b5903c1a0
Reviewed-on: https://code.wireshark.org/review/24731
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Embed one of those structures in a capture_file, and have a struct
epan_session point to that structure rather than to a capture_file.
Pass that structure to the routines that fetch data that libwireshark
uses when dissecting.
That separates the stuff that libwireshark expects from the stuff that
it doesn't look at.
Change-Id: Ia3cd28efb9622476437a2ce32204597fae720877
Reviewed-on: https://code.wireshark.org/review/24692
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Those fields weren't being used in TShark/TFShark/rawshark/sharkd, so we
can use them, instead of defining our own static variables.
This makes the non-Wireshark code paths a bit more like the Wireshark
code paths.
Change-Id: I55da4cf525e37598f314efca22f20d3e80cb547c
Reviewed-on: https://code.wireshark.org/review/24691
Reviewed-by: Guy Harris <guy@alum.mit.edu>