wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
Extract it as a string, not a number, and determine the resolution based
on the length of the string, i.e. on the number of digits presented.
(If you base it on the numerical value, leading zeroes will not be taken
into account, but they aren't any different from other digits when
determining the resolution.) The resolution is 1/10^ndigits seconds, so
we have to multiply it by 10^(9-ndigits) to convert the number to
nanoseconds.
svn path=/trunk/; revision=45627
Process several different flavors of header lines the same: "IP Header",
"IPv6 Header", "ARP Header", "TCP Header", "UDP Header", "ICMP Header",
"ICMPv6 Hdr", "Option Hdr" - the hex data for all of them should be
included in the packet data. Process continuation lines if those
headers wrap over more than one line.
Do not assume, or require, that *any* of those be present; there is no
guarantee that "IP Header" or "IPv6 Header" will be present (there's at
least one IBM page showing a packet with "ARP Header" in a trace), and
there is no guarantee that "TCP Header" will be present (there are
traces with "UDP Header" and "ICMPv6 Hdr").
Do not impose limits, other than the overall line limit, on the amount
of hex data in header or data lines; there is no guarantee that, for
example, a TCP header is 20 bytes long (if there are TCP options, it
*will* have more than 20 bytes).
Make sure we have an even number of hex digits.
Set "caplen" to the actual number of bytes we've read, even if that's
less than the purported packet length.
svn path=/trunk/; revision=45626
which could use lseek() and were thus expensive due to system call
overhead. To avoid making a system call for every packet on a
sequential read, we maintained a data_offset field in the wtap structure
for sequential reads.
It's now a routine that just returns information from the FILE_T data
structure, so it's cheap. Use it, rather than maintaining the data_offset
field.
Readers for some file formats need to maintain file offset themselves;
have them do so in their private data structures.
svn path=/trunk/; revision=42423
by Wiretap, to indicate whether certain fields in that structure
actually have data in them.
Use the "time stamp present" flag to omit showing time stamp information
for packets (and "packets") that don't have time stamps; don't bother
working very hard to "fake" a time stamp for data files.
Use the "interface ID present" flag to omit the interface ID for packets
that don't have an interface ID.
We don't use the "captured length, separate from packet length, present"
flag to omit the captured length; that flag might be present but equal
to the packet length, and if you want to know if a packet was cut short
by a snapshot length, comparing the values would be the way to do that.
More work is needed to have wiretap/pcapng.c properly report the flags,
e.g. reporting no time stamp being present for a Simple Packet Block.
svn path=/trunk/; revision=41185
form of corruption/bogosity in a file, including in a file header as
well as in records in the file. Change the error message
wtap_strerror() returns for it to reflect that.
Use it for some file header problems for which it wasn't already being
used - WTAP_ERR_UNSUPPORTED shouldn't be used for that, it should only
be used for files that we have no reason to believe are invalid but that
have a version number we don't know about or some other
non-link-layer-encapsulation-type value we don't know about.
svn path=/trunk/; revision=40175
This is significant update to the existing iseries wiretap module. It adds
support for IPv6 (formatted & unformatted comms traces), in addition I've
tidied up the sscanf routines to better handle traces files with offset lines.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5957
svn path=/trunk/; revision=37466
by the gunzipping code. Have it also supply a err_info string, and
report it. Have file_error() supply an err_info string.
Put "the file" - or, for WTAP_ERR_DECOMPRESS, "the compressed file", to
suggest a decompression error - into the rawshark and tshark errors,
along the lines of what other programs print.
Fix a case in the Netscaler code where we weren't fetching the error
code on a read failure.
svn path=/trunk/; revision=36748
file_read(buf, bsize, count, file) macro is compilant with fread
function and takes elements count+ size of each element, however to make
it compilant with gzread() it always returns number of bytes.
In wiretap file_read() this is not really used, file_read is called
either with bsize set to 1 or count to 1.
Attached patch remove bsize argument from macro.
svn path=/trunk/; revision=36491
wtap-int.h, and change the unions of pointers to those private data
structures into just void *'s.
Have the generic wtap close routine free up the private data, rather
than the type-specific close routine, just as the wtap_dumper close
routine does for its private data. Get rid of close routines that don't
do anything any more.
svn path=/trunk/; revision=32015
iSeries capture processor. Parse the start date into year/month/day at
the time we see it, rather than for every packet; that means we don't
need to allocate a buffer to hold the date as a string (a buffer which
we weren't ever freeing).
svn path=/trunk/; revision=31981
do *not* modify the string handed to them - they g_mallocate a new
string and return it.
Create routines that *do* ASCII-only case mapping in place, and use them
instead.
Clean up indentation.
svn path=/trunk/; revision=26131
argument, as
1) it doesn't modify the string that argument points to
and
2) it's a buffer of "char".
Use g_ascii_xdigit_value() and put the values of the two bytes together
ourselves; strtoul() is a bit of overkill for two-hex-digit pairs.
While we're at it, check for invalid hex digits, and for bytes where
only one hex digit is present.
svn path=/trunk/; revision=25392
since rev 17756, meant that attempts to read iSeries files would fail in the
"Make sure it [pkt_encap] is not WTAP_ENCAP_PER_PACKET" assertion in
wtap_read().
Also set file_encap to WTAP_ENCAP_ETHERNET (instead of WTAP_ENCAP_PER_PACKET)
since it seems that all the packets in iSeries files are Ethernet (or at least
this module currently only supports Ethernet).
svn path=/trunk/; revision=25388
Attached is a small patch that correct an issue with reading certain IBM
iSeries Comms traces.
Traces where data has been dropped for whatever reason now have the
packet number suffixed with an asterix "*", this causes the current
iSeries wiretap routine to report a "bad" header. The attached patch
simply scans the packet number field and removes any "* characters prior
to scanning, the fact that data may be missing is more than adequately
reported later by current wireshark packet processing.
Regards .. Martin
svn path=/trunk/; revision=23000
Check for a case where, conceivably, the on-the-wire packet length (from
the IP header) could be shorter than the captured data length (due to
Ethernet padding), and handle it by making sure the on-the-wire length
is always >= the captured data length.
svn path=/trunk/; revision=21490
The patch addresses issues with higher precision packet
timings on top end iSeries hardware and should enable the iseries wiretap to handle timings in both micro and nano seconds.
svn path=/trunk/; revision=19428
> I've attached a fix that cleans up this code, actually since my last
> update of this module the particular call in question was fairly
> redundant so I just went ahead and removed it and updated the constant
> that specifies the maximum possible line length instead.
>
> Thanks for bring this to my attention.
svn path=/trunk/; revision=17737
Following my last submitted patch I did some further investigation on the different types of iSeries Comms Traces, although the field formats are constant, things such as page throws and line spacing vary depending on the tool used to pull the trace form the iSeries spool.
This patch should better handle the different formats and more importantly exit in a graceful manner if an unknown format is encountered.
svn path=/trunk/; revision=17699
Guy Harris