Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
That can just be done at the end of libpcap_open(), rather than in
wtap_open_offline() immediately after the open routine - which, in this
case, would be libpcap_open() - returns. That's cleaner, as it puts
capture-file-type-dependent code in the capture-file-type-specific code.
Note, though, that it's a bit weird for LINKTYPE_ERF files (and it was
equally weird before this change), and that other capture file types
should be doing this as well.
Change-Id: Ida94779a2e1021c81314f82655ec1d0f2f14e960
Reviewed-on: https://code.wireshark.org/review/37022
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
wiretap/erf_record.h has declarations for records in ERF files and in
LINKTYPE_ERF packets in pcap and pcapng files.
wiretap/erf-common.h has declarations of routines to be called by
pcap/pcapng reader code when processing LINKTYPE_ERF packets.
wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with
the tables of file readers and writers.
Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa
Reviewed-on: https://code.wireshark.org/review/37021
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
I guess the "replace" part of "TODO: Replace uses in pcapng and pcap
with erf_read_header() and/or erf_populate_interface_from_header() and
delete." has been done, so we do the "delete" part.
Change-Id: Icd691aa8c3defdd68c306ad9eaf1379a8ba6ec0f
Reviewed-on: https://code.wireshark.org/review/37020
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The time stamps are calculated by sequential processing, not read from a
value in the packet record, so we don't supply them when reading
randomly. Make sure the presence flags are 0 in that case (our callers
currently don't look at time stamps when reading randomly, because
some other file formats also don't supply time stamps for random reads,
but we should make it clean).
Change-Id: I494acc5bdf60e0a1de5cf002c3ea8403afce8a07
Reviewed-on: https://code.wireshark.org/review/37008
Reviewed-by: Guy Harris <gharris@sonic.net>
The time stamps are calculated by sequential processing, not read from a
value in the packet record, so we don't supply them when reading
randomly. Make sure the presence flags are 0 in that case (our callers
currently don't look at time stamps when reading randomly, because
some other file formats also don't supply time stamps for random reads,
but we should make it clean).
Change-Id: Ic035cc7d4eb36f76beefcfd98a389af09365d363
Reviewed-on: https://code.wireshark.org/review/37004
Reviewed-by: Guy Harris <gharris@sonic.net>
Make wtap_file_get_shb() take a section number argument, and update code
that called it. In most cases, we convert the code to iterate over
sections; in cases where a big code change would be required, we
temporarily pass it 0 and mark the code as "needs to be updated for
multiple sections".
Eliminate cf_read_section_comment(); in calls outside file.c, other code
directly calls the libwiretap routines it calls and, inside file.c, we
just transplant the code and then fix it not to assume a single SHB.
Change-Id: I85e94d0a4fc878e9d937088759be04cb004e019b
Reviewed-on: https://code.wireshark.org/review/37000
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
This moves us closer to fixing bug 16531; it addresses the second issue
there, as the right snapslen is used for packets in the second section,
so we no longer get errors reading the file.
It still doesn't fix the *names* of the interfaces, and it doesn't - and
*shouldn't* - show the interfaces with different interface numbers, as
the numbers are per-section rather than global.
Change-Id: Ia3aa3309b75a4bcd9f229048ddce6a981b9409b1
Ping-Bug: 16531
Reviewed-on: https://code.wireshark.org/review/36985
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Have pcapng_read_block() take two pointers to a section_info_t as
arguments - one for the current section, if any, and one to something to
fill in, as information for the new section, if the block is an SHB.
The first of them is null when we're trying to read the first block;
that serves as an indication that "not an SHB" means "this file isn't a
pcapng file" rather than "this pcapng file is bad".
Change-Id: I1b0a8bfacde982b819e548847bcc9412d30788f3
Reviewed-on: https://code.wireshark.org/review/36984
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Move the byte order - and version - fields out of the per-file pcapng_t
structure and put them in a per-section section_info_t structure that
also contains the file offset of the SHB at the beginning of the
section.
Have a GArray of section_info_t structures pointed to by the pcapng_t
structure; update it as Section Header Blocks are read sequentially,
adding new structures.
In the random read routine, search backwards through the array of
section_info_t structures, looking for the first section where the SHB
is at or before the offset from which we're reading.
Change-Id: Iad06c8d1ff10595707b73f297f073803b5a0c8e5
Ping-Bug: 15707
Reviewed-on: https://code.wireshark.org/review/36981
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Fix dead store (Dead assignement/Dead increment) Warning found by Clang
Change-Id: I6316d82fec8ee87f56cabe27e269cc7ef98cedc8
Reviewed-on: https://code.wireshark.org/review/36842
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure the summary record is large enough; if not, report it as a bad
file.
If it's *too* large, skip the added data.
Clean up the length check for the header records - use sizeof, as we
later use sizeof when subtracting the fixed length portion's length.
Change-Id: I70697804eaa0cbbb1fb074eadf6457d237f26876
Reviewed-on: https://code.wireshark.org/review/36814
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Get rid of leftover duplicate code setting up the wtap structure and
private data before we've found a summary record.
If we find no data records, break out of the loop, so we fall into the
code that sets up the wtap structure and private data.
Change-Id: I00652bb7f3cb52b6c7c2088c6dd5fe5ec9a012a7
Reviewed-on: https://code.wireshark.org/review/36806
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
wtap_read_bytes() returns TRUE on *success*, so if we're in the loop,
the last read succeeded, and no error code was supplied. When we *exit*
the loop, the read didn't succeed; check for the status then. If we got
a short read, we ran out of file data, so check the heuristics (even if
it's not an integral number of 2-byte blocks, treat it as a CAM
Inspector file - it might have gotten cut short); if we got a real read
error, report that to our caller.
Bug: 16458
Change-Id: Ia1e838006744dadbc2883459aec16d0d11b732e1
Reviewed-on: https://code.wireshark.org/review/36795
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
If it has none, we don't know what link-layer header type it has, nor do
we have a start time to use for time stamps.
If it has more than one, we don't know which one to believe.
Bug: 16459
Change-Id: I306ec45171f9de4643699a53a4d837f4f7750c69
Reviewed-on: https://code.wireshark.org/review/36791
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Trivial, mostly just redundant assignments or
format specifiers.
Change-Id: Iaf33f24d2af5a48a5e1b797e582bf936914c8daa
Reviewed-on: https://code.wireshark.org/review/36154
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Only the change to packet-imap.c really represents a bug.
Change-Id: Ie270f97f3d94c338ea3c84a712f8f4d43ffd36f4
Reviewed-on: https://code.wireshark.org/review/36115
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There are some deltas between the UN*X epoch and other epochs that are
used in a number of places; put them into a header.
Change-Id: Ia2d9d69b9d91352d730d97d9e4897518635b4861
Reviewed-on: https://code.wireshark.org/review/35895
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The call must ensure enough bytes are in the buffer for subsequent
casts. Next cast is for nspr_pktracefull_v20_t.
Change-Id: I8b77aa243f528f82786af1047e8d26100f306a07
Reviewed-on: https://code.wireshark.org/review/35837
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Include string.h as suggested by clang:
../wiretap/mp4.c:33:4: error: implicitly declaring library function 'memcmp' with type 'int (const void *, const void *, unsigned long)' [-Werror,-Wimplicit-function-declaration]
memcmp(magic_buf + 4, mp4_magic, sizeof (mp4_magic)))
^
../wiretap/mp4.c:33:4: note: include the header <string.h> or explicitly provide a declaration for 'memcmp'
Change-Id: I2369ad140f95ca10f22c176b9e2646950b1a8f65
Reviewed-on: https://code.wireshark.org/review/35814
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Allows opening MP4 (ISO/IEC 14496-12) media files in Wireshark and
viewing their structure.
Change-Id: Ie20b8b89dc69bb52d6faa890e547d90317adecf6
Reviewed-on: https://code.wireshark.org/review/35804
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
n is used to address the buffers, but the check condition
follows its use. Fix the code by inverting the two of them
Bug: 16283
Change-Id: I7cba868979982946f99cfe787a7b5f86d2db1b70
Reviewed-on: https://code.wireshark.org/review/35538
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Apparently, at least in some regulatory domains, the DMG PHY now goes
above 66 GHz or may do so in the future; the new/future top appears to
be 71 GHz.
Change-Id: I1ee3f9cff177eed269ccc8318b5c952dbeb526ff
Reviewed-on: https://code.wireshark.org/review/35529
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Much better to use a known library than create it ourselves.
Also remove get_tempfile_path as it's not used.
Bug: 15992
Change-Id: I17b9bd879e8bdb540f79db83c6c138f8ee724764
Reviewed-on: https://code.wireshark.org/review/34420
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
If the first byte of the file is 31, and we advance to the next byte but
find it's not 139, back up to the first byte before falling through and
treating the file as uncompressed.
Add/expand some comments while we're at it.
Bug: 16252
Change-Id: I292b51f9cc04173482a43b26b0ce73c9e7aee570
Reviewed-on: https://code.wireshark.org/review/35315
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When using wiretap to create a pcapng file,
the drop_count field from the wtap_packet_header
in wiretap/wtap.h is not being dumped to the file
in pcapng_write_enhanced_packet_block function.
Bug: 16062
Change-Id: Id9b8dbd1f7406e019fab00ff7a4167ab27543f62
Reviewed-on: https://code.wireshark.org/review/34836
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It turned out that 1 MiB is not enough as atleast the URBs sent by
Android fastbool tools are greater than 1 MiB (1 MiB payload + USBPcap
pseudoheader). Raise the maximum packet size all the way up to 128 MiB.
128 MiB is the upper bound of maximum packet that can be captured by
all official USBPcap releases.
Bug: 15985
Change-Id: Ibbf41f7efae6e0f841e36d39664394e8a8eae77d
Reviewed-on: https://code.wireshark.org/review/34793
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use g_get_real_time() to get real time because GTimeVal and g_get_current_time()
was deprecated in glib 2.62.
Change-Id: I78fee34e2f5b634c91c6420b01915cfc070f38a4
Reviewed-on: https://code.wireshark.org/review/34468
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When writing a capture as a commview file the header written is two
bytes longer than the specification. Even though we count 24, we
actually write 26. This makes the commview file corrupt, as is apparent
when reading such file, eg., after using Save As... with this format.
Replace writing 2 bytes for the last two fields in the header by 1 byte
each, as per the header specification.
Change-Id: I9436f7837b2e3617a389619884bf93ad146e95f3
Reviewed-on: https://code.wireshark.org/review/34450
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check the time stamp microseconds field; it must be < 10^6.
Check the first few packets, not just the first packet.
Change-Id: I35a58a79d48db13daee937374caae40bc320e9e7
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34437
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
On a big-endian machine, if the upper 16 bits of the length are non-zero
and the lower 16 bits are zero, that means that the length is
*little*-endian.
What we really care about is whether the file is in the reading host's
native format, so we can just fetch integral values without swapping, or
not in that format, in which case we have to byte-swap integral values.
Rename the variable and redo the code to match.
(This may have caused the PacketLogger reader to fail on big-endian
machines.)
Change-Id: Ie1a82a7d40e2c58c0b8d482d7c95ab60061ca980
Ping-Bug: 10861
Reviewed-on: https://code.wireshark.org/review/34434
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's no point in trying to read more packets to check the file type.
Change-Id: Ic2c5a7692b60fab8a0022503338a40befe00d358
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34433
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check some more field values, and fix some tests to check against the
maximum possible value given in the i4b_trace.h file rather than against
that value + 1. (> max, or >= max+1, are both reasonable, but > max+1
isn't.)
Check the first few packets, not just the first packet.
Make some header fields unsigned, as that's how we treat them in most
cases; that way we treat them that way by default.
Change-Id: I8c2d28af048c676a3dbae367bbb49c886e0dc566
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34432
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
log3gpp.c:459:10: warning: no previous prototype for function 'log3gpp_dump[|open|finish]' [-Wmissing-prototypes]
Change-Id: I1d896f90d91dc04b68b12f48ae06526556a428d4
Reviewed-on: https://code.wireshark.org/review/33963
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The pointer returned by create_tempfile() must not be freed. As the
wtap_dump_open_tempfile() callers are freeing the returned filename,
duplicate the string so it can be freed.
Bug: 15377
Change-Id: Ib0b23aaee748ef67600ef3f7d40610ebbbec721c
Reviewed-on: https://code.wireshark.org/review/34272
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
You either have to set it to 1 or 0 if you know whether it's shifted
time or set it to -1 if you don't.
Should address Coverity CID 1452227.
Change-Id: I7d435bb6b7dd8897b44bf5103578e3db1a30379e
Reviewed-on: https://code.wireshark.org/review/34175
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Only CAN protocol is supported. Extra information available in J1939
entries is ignored since the J1939 wireshark dissector works with
raw CAN frames and makes no use of this extra information.
The log format may also encapsulate LIN messages which are not
supported by wireshark and thus are ignored.
The only limitation is that relative timestamp format is not
supported. If a file defines relative format of timestamps, packets
are extracted, but timestamps are omitted, since random access deems
impossible without reparsing the whole file up to the packet of
interest. In order to support relative timestamps we need to parse
the whole file at once on open and either dump into a temporary
PCAP file or keep messages in a private list and provide access
to them on read()/seek_read().
The change also creates a separate header for CAN frame structure
definitions which are used by several file readers (candump and
busmaster for now).
Bug: 15939
Change-Id: I87c5555e4e5e1b142b9984b24544b2591d494fbc
Reviewed-on: https://code.wireshark.org/review/34083
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fall back on the Wayback Machine for some links.
Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842
Reviewed-on: https://code.wireshark.org/review/34103
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Microsoft reshuffled their documentation - almost all of it moved from
msdn.microsoft.com to docs.microsoft.com. Some blogs moved to
devblogs.microsoft.com; the comments *didn't* move, so in one case we go
to the Wayback Machine - the link isn't dead, but it formats horribly,
at least on my browser, but the archived version formats OK.
Use the Wayback Machine for some URLs, and update others.
Update the sections for MS-ADTS.
Point to the HTML versions of some RFCs and I-Ds.
Change-Id: I344b20f880de63f1ae2a4e3f9ff98af78a7fe139
Reviewed-on: https://code.wireshark.org/review/34101
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Guy Harris