Most of our sites are now HTTPS-only. Update URLs accordingly. Update
other URLs while we're at it. Remove or comment out dead links.
Change-Id: I7c4f323e6585d22760bb90bf28fc0faa6b893a33
Reviewed-on: https://code.wireshark.org/review/7621
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Create TIMEDEFV10() and, for it and for V20, V21, and V22, undefine the
ones used for the read routine and define dummy ones for the read-seek
routines (as those record formats have relative, not absolute, times).
Have all of them set presence_flags.
That way:
1) if we *can* set the time stamps in the seek-read routine, we do;
2) we always set presence_flags in read and seek-read routines.
Change-Id: I837507245e8a0cbc68c7c5fd8365f474d085488e
Reviewed-on: https://code.wireshark.org/review/7445
Reviewed-by: Guy Harris <guy@alum.mit.edu>
time_t suffices in that case.
Change-Id: Ica7a79fb6f8c7cc7fb6decd5fcd391dccfdb3fc6
Reviewed-on: https://code.wireshark.org/review/7440
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use nstime_t rather than struct timeval when we want
seconds-and-fractions, so that, when writing the file, we can handle
nanosecond-resolution time stamps. Calculate the relative time stamp as
a 64-bit integer rather than using floating-point.
Use time_t rather than struct timeval if we only want seconds.
Have the routines that write out 16-bit and 32-bit numbers convert them
to little-endian themselves, rather than having to be passed a
little-endian number.
Have a routine that writes out 48-bit values in little-endian order, and
use that to write out packet time stamps.
Change-Id: Ia6e047079e48915647502178e0a1c61177010c62
Reviewed-on: https://code.wireshark.org/review/7438
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Provide {FULL,PART}SIZEDEFV10 macros, similar to what's provided for the
other versions, containing the code to set the packet length and
captured data length, and use the TRACE_V10_REC_LEN_OFF() macro directly
after that to set the various length and offset values in the
pseudo-header.
Change-Id: I3513371057601b44821d89ebaa7565ab370a67f5
Reviewed-on: https://code.wireshark.org/review/7393
Reviewed-by: Guy Harris <guy@alum.mit.edu>
No need to export them outside this file, and making them constants
might convince the compiler not to bother fetching their values from
memory when referring to them.
Change-Id: Ib8605bf0bb9091721a51827c45fe75d19a15ba26
Reviewed-on: https://code.wireshark.org/review/7378
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way it'll set the captured length and reported length the same way
it's done in the read routine.
Change-Id: I8b1f2d0d8fa688f44b6f61f16dc2e21b5648fc12
Reviewed-on: https://code.wireshark.org/review/7376
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rename the V10 PACKET_DESCRIBE()'s "fpp" argument to "type", and have it
declare the pointer variable.
Change-Id: I3ac52ebdef0aec7bc95052277537185132886b57
Reviewed-on: https://code.wireshark.org/review/7374
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Move it in the argument list, and use it instead of a hard-coded 10
(even though it's always passed as 10), to match the other
PACKET_DESCRIBE() macros.
Change-Id: Idd0a23a58cc6bb0d2de799b039db776d279cc03e
Reviewed-on: https://code.wireshark.org/review/7372
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The name "type" is thrown around to mean both a version number and a
part of a structure member, and some other macros use "ver" for the
version number; try to make things a little less inconsistent.
Change-Id: I61405cf41cca43fe607154af7498944c5ec0ef11
Reviewed-on: https://code.wireshark.org/review/7370
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Makes the various flavors of that macro more similar.
Change-Id: Ie95ee8db0b226458146b055b54b7d61835f1e508
Reviewed-on: https://code.wireshark.org/review/7368
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A bit of regularization.
Change-Id: I60e0bd50891e1ba3e9c40f8d1d14d63534e08138
Reviewed-on: https://code.wireshark.org/review/7364
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use that rather than TYPE or acttype (to indicate that it's a header
version number to use as the "xxx" in NSPR_HEADER_VERSIONxxx, and to use
the same name throughout).
Change-Id: I14cfc819e44ce4388c27d521a1256dec8d80df2e
Reviewed-on: https://code.wireshark.org/review/7361
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Just like the read routine.
Change-Id: If6bd98bea15f1c8dc7454a5dac0ea57920bddc8c
Reviewed-on: https://code.wireshark.org/review/7355
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it even more like V2x and V3x and slightly less unclear.
Change-Id: I798ead123ba6418be0252067773a951390e26ce8
Reviewed-on: https://code.wireshark.org/review/7353
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have it set the record type and initialize the presence bits.
That makes it a bit more like V2x and V3x, and makes the code slightly
less unclear.
Change-Id: Ibfbe2143b24a68c3fa3f576616fde81918b01feb
Reviewed-on: https://code.wireshark.org/review/7351
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This makes the code slightly less unclear. (You are in a maze of twisty
little C macros, all different.)
Change-Id: I9f1bcc7a9a1a7afe87ede8b1ba513e3d8e53845c
Reviewed-on: https://code.wireshark.org/review/7349
Reviewed-by: Guy Harris <guy@alum.mit.edu>
gcc5 complains about the issue below, so add a trivial fixup.
CC libwiretap_la-pcap-common.lo
pcap-common.c: In function 'pcap_byteswap_nflog_pseudoheader':
pcap-common.c:1290:30: error: logical not is only applied to the left hand side of comparison [-Werror=logical-not-parentheses]
if (!(nfhdr->nflog_version) == 0) {
^
cc1: all warnings being treated as errors
Change-Id: I9f5b090ffd564f203cc3fb4ff302f2e4752865f0
Reviewed-on: https://code.wireshark.org/review/7336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If a file type has a list of "typical" extensions, and a file has an
extension that is *not* one of those extensions, the file is unlikely to
be of that type.
For files that have extensions, after we try the heuristics that have a
list of "typical" extensions that includes the file's extension, try the
heuristics that have no such list, and after that try the heuristics
that have such a list but where the list *doesn't* include the file's
extension.
This fixes, for example, some cases where non-PacketLogger files were
getting identified as PacketLogger files.
Change-Id: I2d8c3b983ed6ccd692beb888668f77eb9b5f437b
Reviewed-on: https://code.wireshark.org/review/7315
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We don't want to encourage people to add to those lists, we want to
encourage people to subtract *from* those lists (either by fixing
warnings or, if an infelicitous API, or an infelicitous declaration of
an API on some platforms, or a program generator that doesn't take
sufficient care to avoid warnings - I'm looking at *you*, Flex - makes
it impossible to fix without introducing other problems, using the
DIAG_OFF()/DIAG_ON() macros if possible). Eliminate the empty lists, to
make it harder to fill them up again.
Change-Id: I298d07952c0cb1842a4ea71ba7e07c68e94a04e9
Reviewed-on: https://code.wireshark.org/review/7229
Reviewed-by: Guy Harris <guy@alum.mit.edu>
libjsmn has also been moved from epan/ to wsutil/ to make it visible from wiretap.
Change-Id: I59abb3419acb1baa83194b38152d3651ed5c123c
Bug: 10878
Reviewed-on: https://code.wireshark.org/review/6716
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
That's a little cleaner, and lets us preserve the LINKTYPE_ value for
DLT_LOOP captures. ("Preserve" here doesn't mean "write files with a
link-layer header type of 12", as that's ambiguous; we write it with a
link-layer header type of LINKTYPE_LOOP, i.e. 108. If programs on
OpenBSD don't recognize that as DLT_LOOP, that's a bug in OpenBSD's
libpcap or in the program.)
Change-Id: I48a2e04aed41c013823ffb5c588d2a8e8b376e15
Reviewed-on: https://code.wireshark.org/review/7143
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Instead, explicitly check for particular build platforms. This means
that the interpretation of the link-layer type values with different
meanings on different platforms won't be dependent on the particular
version of libpcap with which Wireshark happens to be built, and also
means that we don't have to fix pcap-common.c to include pcap.h or
net/bpf.h.
Fix some comments while we're at it.
Bug: 10956
Change-Id: If331d9b92081fb0bdf416620fb2ad8dce57dea6b
Reviewed-on: https://code.wireshark.org/review/7140
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: If7a6f2697be732ae4f94ed8b845fd293c32510f7
Also: tabs-stops should be 8
Reviewed-on: https://code.wireshark.org/review/7100
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Due to an off-by-one error an invalid ISB interface ID could make us
fetch past the end of a GArray. Found using American Fuzzy Lop.
Bug: 10895
Change-Id: I7d4049ad7a386ae7e8013b8e741d54a31f353f1f
Reviewed-on: https://code.wireshark.org/review/6798
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Fix errors found by American Fuzzy Lop's afl-gcc
(http://lcamtuf.coredump.cx/afl/):
peektagged.c:
error: 'fileVersion' may be used uninitialized in this function
packet-h223.c:
error: variable 'circuit_id' might be clobbered by 'longjmp' or 'vfork'
wslua_proto.c:
error: variable 'd' might be clobbered by 'longjmp' or 'vfork'
wslua_proto.c:
error: variable 'dt' might be clobbered by 'longjmp' or 'vfork'
Change-Id: Idd74a3ad7b236d3a8756c1e7e917b1c74143f381
Reviewed-on: https://code.wireshark.org/review/6767
Reviewed-by: Gerald Combs <gerald@wireshark.org>
CMake now generates local copies of .rc files for all the Windows
components and uses the files in the build of the components.
The .rc.in files that include an icon were modified to allow the icon
path to be set by CMake. The path is removed for nmake builds.
Updated build architecture detection, required for wireshark.manifest.in
Change-Id: I7b1ff43050e9b0efb861d1041636fb4aef49a4f8
Reviewed-on: https://code.wireshark.org/review/6482
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Instead, have a special macro using the size of the header structure to
find the offset of the packet data.
This means that:
1) you don't have to throw "-{size of data member}" into the
macros that calculate the sizes of the header structures;
2) you don't have a bunch of randomly-chosen data field sizes;
3) you don't have sizes of 0, which cause problems with
compilers that don't support zero-length arrays;
4) you don't have some apparently-incorrect "-{size of data
member}" values (if they're correct, please fix the structure
definitions).
Change-Id: Iea368b83fa2d184bd6df453d51756e4749714e2c
Reviewed-on: https://code.wireshark.org/review/6082
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bluetooth dissector is used to add ability to filter all bluetooth
payload from capture files (there are many transport like:
hci_h4, hci_h1, hci_usb, hci_mon, btle). Also it is used to placeholder for
all data tree used to store additional informations like bd_addrs, names, etc.
Finally it is used to be one point for Bluetooth
Endpoints/Conversation filtering what is enabled now.
Also add Master/Slave Role and Connection Mode tracking.
Change-Id: I67048080fb8ee16fa0f4ec429c1257de81ddd737
Reviewed-on: https://code.wireshark.org/review/5771
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
That indicates that it's a problem specific to *writing* capture files;
we've already converted some errors to that style, and added a new one
in that style.
Change-Id: I8268316fd8b1a9e301bf09ae970b4b1fbcb35c9d
Reviewed-on: https://code.wireshark.org/review/5826
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For cases where record (meta)data is something that can't be written out
in a particular file format, return WTAP_ERR_UNWRITABLE_REC_DATA along
with an err_info string.
Report (and free) that err_info string in cases where
WTAP_ERR_UNWRITABLE_REC_DATA is returned.
Clean up some other error reporting cases, and flag with an XXX some
cases where we aren't reporting errors at all, while we're at it.
Change-Id: I91d02093af0d42c24ec4634c2c773b30f3d39ab3
Reviewed-on: https://code.wireshark.org/review/5823
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: I22d407efe3ae9fba7aa25f08f050317549866442
Reviewed-on: https://code.wireshark.org/review/5798
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: Icc5c9cff43be6c073f0467607555fa7138c5d074
Reviewed-on: https://code.wireshark.org/review/5797
Reviewed-by: Guy Harris <guy@alum.mit.edu>
WTAP_ERR_UNSUPPORTED_ENCAP means "I can't *write* that particular
encapsulation type to a file of this format", which mainly means "that
file format simply can't handle packets of that type";
WTAP_ERR_UNSUPPORTED means "this file can't currently be supported by
Wireshark, as there's some feature in the file - such as a file or
per-packet encapsulation type - that we don't (yet) handle".
Change-Id: I53cadf9913d20efb2bccb29f61877b71d53807be
Reviewed-on: https://code.wireshark.org/review/5794
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fail with an "unsupported encapsulation" error for MTP2 and SSCOP,
rather than just returning "unknown encapsulation", and fail with that
if the encapsulation isn't filled in as well, although that might be a
deeper problem.
(Not that people should be handing text output files from K12 analyzers
anyway - they should hand us RF5 files and, if we can't handle their
file, file a bug and give us the file so we can further reverse-engineer
the format.)
Change-Id: I6bbd5f81787d69bd3b41eaedf2893d179f11ad6a
Reviewed-on: https://code.wireshark.org/review/5792
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcapng_read_block() never sets *err_info if it returns
PCAPNG_BLOCK_NOT_SHB - that happens on an EOF, a short read, or on a
successful read of something that doesn't look like an SHB.
Change-Id: I23ad6aa1c95d800b068a798a4aad1d70d07ac281
Reviewed-on: https://code.wireshark.org/review/5686
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We only create hash tables if somebody puts a handler in one, so we need
to check whether the hash table exists first, to avoid run-time warnings.
Change-Id: I739d2d808935e651b11bd44b258f168a42ca4b7c
Reviewed-on: https://code.wireshark.org/review/5683
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Doesn't change the behavior of the code, but makes it more consistent.
Change-Id: I6f07fbbb4c7d14d8a46ecfd1c419d951c356fd77
Reviewed-on: https://code.wireshark.org/review/5672
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The "extra data", according to the RF5 API manual I have, is "hardware
parameters", so change some names.
Report an error if the variable parts of the configuration event record
run past the record length.
Report an error if the hardware parameters are too short.
For the purportedly DS0 hardware parameters, don't assume they'll be
long enough for the mask; they might not be.
Change-Id: Ib63d042e4ede32216fb474c4ecdba84db1387abc
Reviewed-on: https://code.wireshark.org/review/5638
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There can be no space after pid colon if tid is big enough
in logcat long format.
Change-Id: I8e03e78c88e4bef1a5fdb3a04b77f58fa7d055bc
Reviewed-on: https://code.wireshark.org/review/5411
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
To avoid further duplication of work and bugfixing,
move regex strings to wiretap/logcat_text.h and include
this file in epan/dissectors/packet-logcat-text.c
Change-Id: I82773cda0e3240844139b104c68738ec82788014
Reviewed-on: https://code.wireshark.org/review/5410
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
In L, in line "-- beginning of /<buffer>" the "/" was removed.
This commit accomodates text logcat to that change.
Change-Id: I4cbfadf5a8169589f2848ce1a5793cea593ba459
Reviewed-on: https://code.wireshark.org/review/5405
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
This is needed for Lua File:seek("end").
Change-Id: I28fb23f2f29ca8083c77bf065db8816e039ae5a1
Reviewed-on: https://code.wireshark.org/review/4722
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Another case where the compiler didn't figure out that the variables
aren't used if they're not set.
Change-Id: I70bfb06c6d86d41a266a087ece971c40cd697ee9
Reviewed-on: https://code.wireshark.org/review/4994
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Also, we don't care how much tagged value data we've read, we just care
whether we've read any or not (EOF reading the first one means "end of
file", EOF reading any of the subsequent ones means "short read").
Change-Id: I2edc54494967b3a88bcc2c79d97eedfded00150d
Reviewed-on: https://code.wireshark.org/review/4993
Reviewed-by: Guy Harris <guy@alum.mit.edu>
To check whether data_rate_or_mcs_index is set, check
saw_data_rate_or_mcs_index; we might see a value of 0 for that field
(it's a valid MCS index), so we can't use it as an out-of-band value
meaning "not set".
Change-Id: I75d7fdb4a90836538c82f56f2afb05c0603278a5
Reviewed-on: https://code.wireshark.org/review/4991
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a number of fields corresponding to components of the radiotap MCS
field, add presence bits for them, and set and dissect the fields
supported by Peek tagged files.
Change-Id: I3fc801a3bc180e1c174d074a794af0f3d338f249
Reviewed-on: https://code.wireshark.org/review/4989
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use the "MCS index used" extended flag bit to indicate whether the "data
rate or MCS index" field is a data rate or MCS index.
Display the MCS index value if it's present.
(More to come - MCS indices, plus other information, should be used to
calculate the data rate for 11n and beyond.)
Get rid of the hdr_info_t structure while we're at it; just use local
variables for each of the fields.
Change-Id: I546f53a8ebd89078d5f23e1290557b97348aff38
Reviewed-on: https://code.wireshark.org/review/4988
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a set of presence bits, so we can indicate which bits of radio
metadata we do and don't have.
Fill in more radio metadata from capture files, and display it.
(More to come.)
Change-Id: Idea2c05442c74af17c14c4d5a8d8025ab27fbd15
Reviewed-on: https://code.wireshark.org/review/4987
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Useful if we try to provide some "standard" 802.11 metadata header that
can support both radiotap and Peek tagged (and perhaps others).
Change-Id: Ibac9829e3411670a439db7cb77e1694a5641b0a5
Reviewed-on: https://code.wireshark.org/review/4970
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That bug includes a capture and a screendump of OmniPeek's dissection of
the packet in that capture; this lets us identify some tags as the
center frequency of the 802.11 channel and a set of extended flags used
for 802.11n and 802.11ac.
Show some flags from bug 9586, under the assumption that certain fields
in the Peek tagged header correspond to certain fields in the remote
Peek protocol.
Change-Id: I0f3c2e6638d6cf5f6ec470d65bd574171a2d958d
Reviewed-on: https://code.wireshark.org/review/4969
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I don't trust Packet Builder's ability to convert time stamps between
Capsa format and pcap.
Change-Id: I0ac2e14216e37127d81d5bf1c6d48a2c20841a8e
Reviewed-on: https://code.wireshark.org/review/4721
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up a comment and indentation while we're at it.
Change-Id: Ia2b0a3f642849dcd464e04cdca13ff05c2fbe2e6
Reviewed-on: https://code.wireshark.org/review/4717
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up the code to read the block according to that description.
Change-Id: Icb332e293c4b41d91989aa17a7546f298068e908
Reviewed-on: https://code.wireshark.org/review/4716
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Nothing from the SHB gets stored in the interfaces array - it's filled
in from IDBs - so it doesn't need to exist when we read the first SHB,
and thus doesn't need to be freed if the attempt to read the SHB gets an
error or a "this isn't a pcap-ng file" indication.
Update a comment while we're at it.
Change-Id: Ie67edb52dcf13c974607e95e290661bf48be68ae
Reviewed-on: https://code.wireshark.org/review/4711
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The block read routines don't need to return a "bytes read" amount any
more.
Have pcapng_read_block() just return an indication:
PCAPNG_BLOCK_OK - the read succeeded;
PCAPNG_BLOCK_NOT_SHB - the read failed in a fashion that
indicates that we might just not be reading a pcap-ng file;
PCAPNG_BLOCK_ERROR - the read failed in some other fashion
(i.e., we already have concluded that the file is a pcap-ng
file, or we got an I/O error).
In the cases where it needs to know whether it's reading the first block
for an open, have it check the shb_read flag, rather than being passed a
separate Boolean argument.
This means that pcapng_read_section_header_block() should return such an
indication as well.
Make the other block-reading routines return a Boolean success/failure
indication.
Change-Id: Id371457018a008ece9058d6042da44d631e51889
Reviewed-on: https://code.wireshark.org/review/4710
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't check a possibly-byte-swapped length against the minimum SHB size;
it'll probably look huge if it's byte-swapped, so the test won't fail
even if it is too small, and a really huge SHB's length could look too
small if it's byte-swapped.
Do the check *after* we've read the fixed-length portion of the block;
yes, that means we've read past the purported size of the block at that
point, but if that read succeeds, that doesn't matter, and if that read
fails, it just means we'll report "file cut short" rather than "bad SHB
length", *both* of which are problems with the file.
Change-Id: Ie3b5700662f2a6da40d373a84f00a8fc2cf0ce1b
Reviewed-on: https://code.wireshark.org/review/4692
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Recent changes must have made it not do so in some cases, and
our current version of file_tell(), unlike ftell() around which the
older file_tell() was a wrapper, is known to be cheap (ftell() would
make a system call to get the position). Just use file_tell() before
each read.
(Further cleanup is called for.)
Bug: 10568
Change-Id: Ib92057b2b87ec6eb16fd612bc91baeb668d1e1c7
Reviewed-on: https://code.wireshark.org/review/4691
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check whether the block-type hash table exists before trynig to look
up anything in it.
Change-Id: I0aeb7f6454903bfcbdd0716909a0b72851d87233
Reviewed-on: https://code.wireshark.org/review/4689
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The time stamps aren't known to be right, so don't provide them - that
way, instead of users reading Capsa files and getting the wrong idea
about the time stamps, they'll get no time stamps and have to ask for
our help, at which point we can ask them for *their* help in seeing what
Capsa thinks the time stamps are. (The joys of reverse-engineering.)
Change-Id: I77e12c09f2bc74b50a1b2b226fa6da3e8c0fedf9
Reviewed-on: https://code.wireshark.org/review/4685
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(So why can't GCC or Clang be taught to warn about *all* implicit
shortenings, as MSVC does, not just 64-bit-to-32-bit shortenings?)
Change-Id: I88c0b0aa2f1b306f58952589ff8bcae17bc29768
Reviewed-on: https://code.wireshark.org/review/4676
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(Yes, we should, on platforms with a 32-bit time_t, check to make sure
the time stamp fits and do something if it doesn't. Or we should make
the seconds part of an nstime_t be 64-bit and handle overly-large values
when converting them to year/month/day/hour/minute/second.)
Change-Id: If219534985dce29d00754ff151f6c4b5893080d8
Reviewed-on: https://code.wireshark.org/review/4675
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The time stamp origin is not correct. Capsa's absolute time stamp for
the sample captures from their Web site would be helpful.
Change-Id: I365daf7b42240e33f54df76939254f41ed57a9b2
Reviewed-on: https://code.wireshark.org/review/4671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fetch the count of records from one of the locations where it appears to
be, and, currently, require that it be equal to the count at the other
location where it appears to be; if they ever differ, we'll need the
file in order to reverse-engineer some more.
Fix the way we *write* .rf5 files - it turns out that we were
1) not writing the full file size;
2) not writing the packet count in the right location.
Detect files written by the old code, and get the packet count from the
right location for those files.
Change-Id: I7ce83afbc9dbbd300c81c96ef8f7785a0aeefa7a
Reviewed-on: https://code.wireshark.org/review/4608
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For open_info, use names based on the names in other lists.
Also, in comments, indicate what the three count 'em three tables are
used for, and clean up the type/subtype table.
Change-Id: I7a763119e790d5970f87dff05284f465eebfb7e7
Reviewed-on: https://code.wireshark.org/review/4599
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Version 3's time stamps are all absolute, so we can directly use the
value in the file; we don't need to keep track of the time in the
private data structure, and some compilers issue warnings due to setting
it and then not using the value to which we set it.
Change some names and indentation to match other file versions while
we're at it.
Change-Id: I97698d933b87a8ad58d9e88ceedd75004797df69
Reviewed-on: https://code.wireshark.org/review/4596
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It returns the length of the string it read, so only treat 0 and -1 as
errors. (0 either means "EOF" or "string is zero length", but this is
only in the code that reads numbers, and a number needs at least 1
digit, so both EOF and "zero-length string" mean "this isn't a valid
Peek tagged file".)
Change-Id: Ib83eb2f1e53d912a2138be01480e2b464cf936db
Reviewed-on: https://code.wireshark.org/review/4591
Reviewed-by: Guy Harris <guy@alum.mit.edu>
They happen to be, at least now, but that's not valid in C++, and it's
probably unwise in any case.
Change-Id: Ifd49920cfaa376e5e7788329ee83db3956a7cdff
Reviewed-on: https://code.wireshark.org/review/4585
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Sadly, the GTK+ folks decided not to use size_t for the size argument,
so it doesn't do the right thing on LLP64 platforms such as Windows.
Change-Id: I2aa9096215c488b48f1cf68d2a285a48abb6f07f
Reviewed-on: https://code.wireshark.org/review/4584
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up some things we ran across while making those changes.
Change-Id: Ic0d8943d36e6e120d7af0a6148fad98015d1e83e
Reviewed-on: https://code.wireshark.org/review/4581
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Distringuish "the compression data has a problem" from "the capture file
(not compressed, or after decompression) data has a problem", with
WTAP_ERR_DECOMPRESS used for the former (whether it's the gzipping
decoded by our gunzip code or the Sniffer compression) and
WTAP_ERR_BAD_FILE used for the latter.
Change-Id: I8e6bff7edb480deba00c52a9e5afff607492e085
Reviewed-on: https://code.wireshark.org/review/4568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Get rid of WTAP_ERR_UNC_TRUNCATED and WTAP_ERR_UNC_BAD_OFFSET, and lump
them under WTAP_ERR_BAD_FILE, with an error string; they're just another
form of "this file isn't a valid file of the type in question".
Change-Id: I0e9ac7c2ee66c8d789234a301c1dc2173aef1312
Reviewed-on: https://code.wireshark.org/review/4562
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Unlike the standard I/O routines, the code we introduced that supports
fast random seeking on gzipped files will always supply some specific
error code for read errors, so we don't need WTAP_ERR_CANT_READ.
Add WTAP_ERR_CANT_WRITE for writing, as we're still using the standard
I/O routines for that. Set errno to WTAP_ERR_CANT_WRITE before calling
fwrite() in wtap_dump_file_write(), so that it's used if fwrite() fails
without setting errno.
Change-Id: I6bf066a6838284a532737aa65fd0c9bb3639ad63
Reviewed-on: https://code.wireshark.org/review/4540
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Instead of reading the 16-byte blob and record length at the same time,
just read the 16-byte blob, and then fall through to the record-length
reading code.
Change-Id: Ib2819a2d654e2670233821882bac79d7cd656b12
Reviewed-on: https://code.wireshark.org/review/4480
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For code that's used in more than one place, use macros. This combines
a bunch of checks into the output macros.
Change-Id: Ic32dce75e1c531fd28bfed180856e230277bfe58
Reviewed-on: https://code.wireshark.org/review/4451
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Pcap-ng files don't have a per-file time stamp resolution, they have a
per-interface time stamp resolution. Add new time stamp resolution
types of "unknown" and "per-packet", add the time stamp resolution to
struct wtap_pkthdr, have the libwiretap core initialize it to the
per-file time stamp resolution, and have pcap-ng do the same thing with
the resolution that it does with the packet encapsulation.
Get rid of the TS_PREC_AUTO_XXX values; just have TS_PREC_AUTO, which
means "use the packet's resolution to determine how many significant
digits to display". Rename all the WTAP_FILE_TSPREC_XXX values to
WTAP_TSPREC_XXX, as they're also used for per-packet values.
Change-Id: If9fd8f799b19836a5104aaa0870a951498886c69
Reviewed-on: https://code.wireshark.org/review/4349
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The dump of the address info list must be differed to the end of the processing so as to know which host name was actually used in the capture
Bug: 10507
Change-Id: I44dbfae918d4ae92f9740c309804c7ff21bb4e1b
Reviewed-on: https://code.wireshark.org/review/4327
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It was being checked against the wrong value, so some invalid records
passed the check.
Also, change one comparison (rec_size is in the range [0, 65535], even
though it's in an int, so we can safely cast it to guint) and fix the
metadata length value when reading Ethernet packets.
Bug: 10495
Change-Id: I2ce5c93fe50d836ec0accfcdef31654ba6b5b7c7
Reviewed-on: https://code.wireshark.org/review/4278
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's called both from the read and seek-read routines, so it shouldn't
always read from the sequential handle.
Change-Id: I8cb33b9f5b7219f335b0aeeef29c479916276f89
Reviewed-on: https://code.wireshark.org/review/4276
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make sure to zero the *entire* thing, and only access it as a given type when
that's the type indicated by the (non-union) type field.
Bug: 10498
Change-Id: I3e94a9c5d399d3ee4aedcd49f1aa2d7678ecf7ce
Reviewed-on: https://code.wireshark.org/review/4273
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
On errors *other* than a short read, we were driving on and processing
the non-data that we didn't read.
Change-Id: I6289ddf31ff7896918a030af9d1261bdc194e7d3
Reviewed-on: https://code.wireshark.org/review/4270
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Should fix the remaining test suite failures.
Change-Id: I50a6cb1bf57bd6a973d4777349708b75aeb41620
Reviewed-on: https://code.wireshark.org/review/4264
Reviewed-by: Evan Huus <eapache@gmail.com>
We can't use wtap_file_read_expected_bytes() in the _v7 version, as that
version returns an int, not a Boolean; just expand
wtap_file_read_expected_bytes() in the _v56 version, to make it look
similar to the _v7 version.
Change-Id: Id907bac265c123ad5821591c1cf081b5747724d8
Reviewed-on: https://code.wireshark.org/review/4262
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wtap_file_read_expected_bytes() is a macro that can return a Boolean
FALSE; it should not be used in routines that don't return a Boolean.
In addition, both EOF *and* a short read, in that routine, should be
treated as a "not an IPFIX file" indication.
While we're at it, a seek failure should be treated as an error.
Change-Id: I97815bc9e78169ded567b60835cc7bcf6a0e6f0c
Reviewed-on: https://code.wireshark.org/review/4261
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I *think* I got all the cases; I got most of them, at any rate, and enough to
shut up valgrind in all the test cases I ran.
Change-Id: I393bac0756f577b65e400b792f6719fa6ec4056a
Reviewed-on: https://code.wireshark.org/review/4244
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Evan Huus <eapache@gmail.com>
(If somebody wants to convert the entire file to 4-space indentation, go
ahead.)
Change-Id: I1e3829289ac67db79eea2eb16e6a4ba40c449a8d
Reviewed-on: https://code.wireshark.org/review/4250
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Most interesting are:
warning: cannot optimize loop, the loop counter may overflow [-Wunsafe-loop-optimizations]
warning: ISO C forbids zero-size array [-Wpedantic]
warning: ISO C90 doesn't support unnamed structs/unions [-Wpedantic]
warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual
warning: initializer element is not computable at load time [enabled by default]
Change-Id: I5573c6bdca856a304877d9bef643f8c0fa93cdaf
Reviewed-on: https://code.wireshark.org/review/3174
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
The only place where a short read should be treated as an EOF is if the
read of the block header reads 0 bytes. All other short reads,
including reads of the block header returning at least 1 byte but not
enough for a complete block header, and any reads of the stuff
*following* the block header even if they return 0 bytes, should be
treated as "short read" errors.
If the option length is bigger than the option buffer size, treat that
as a bad file (I'm not sure that can happen, so maybe it should be
treated as an internal error instead).
Use file_skip() rather than file_seek() when skipping forward N bytes.
If it fails, treat that as an error under all circumstances.
When reading the first section header block in the open routine, have
pcap_read_block() return -2 if it doesn't look like an SHB (too short,
wrong block type, bad block length, unknown byte-order magic number), as
that means the file isn't a pcap-ng file and the open should return 0.
Return -1, not 0, for all errors in various block-reading routines.
file_seek() returning 0 is *not* an error. file_seek() returning -1 (or
any other negative number *is* an error; its return value is signed, so
don't assign it to an unsigned variable.
This might fix the test errors for the Lua file format handler tests.
Change-Id: Ifa7d9834c38bf238461c9cc9625a2aa761cb6ff2
Reviewed-on: https://code.wireshark.org/review/4238
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcap_read_block() takes err and err_info arguments, and sets them on
error; no need to call file_error() if pcap_read_block() fails.
Change-Id: I33b96d31395bf7d66abdecbebd5cf775e8662004
Reviewed-on: https://code.wireshark.org/review/4209
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If file_read() doesn't return the exact number of bytes you asked for,
and you really need all those bytes to be there, you have to call
file_error() to find out what the problem is.
Change-Id: I4cc87bc1b6cc5a49bbcbf93b56106f57af290d20
Reviewed-on: https://code.wireshark.org/review/4205
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If it fails due to, for example, the file being gzipped and having a bad
gzip CRC, the error returned is WTAP_ERR_DECOMPRESS and, for that error,
err_info is expected to be set to a string giving details of the
problem, so we need to pass back to our caller the string in question.
Bug: 10484
Change-Id: I3aa2a92d04fcc08946ff073a40efa708079bbb3e
Reviewed-on: https://code.wireshark.org/review/4201
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I don't know why it was unavailable at some point, but it appears to be
available again. Update the comment to reflect that.
Change-Id: I7dc1fcb554e73d3b0fc2bd2fbdf6235e791a4253
Reviewed-on: https://code.wireshark.org/review/4200
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Ied0778af9d5ff0e49c6efd4ea9411ae1a72cb8e5
Reviewed-on: https://code.wireshark.org/review/4190
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Add all logcat format like brief, threadtime, long, etc. when try to save
logcat logs where there is EXPORTED_PDU layer.
Change-Id: I338f0bbd46dd8db984efc1c03980c7e9c7401a44
Reviewed-on: https://code.wireshark.org/review/4164
Reviewed-by: Michal Orynicz <michal.orynicz@tieto.com>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
Check the input pointer in the while clause of the loop, so that we
handle an empty input buffer.
When reading a bit mask, check before fetching the bit mask that we have
two bytes of bit mask and the byte after it.
Before putting an uncompressed input byte into the output, make sure we
wouldn't run past the end of the output buffer.
Before copying an earlier string from the output buffer, make sure it
doesn't run past the end of the data we've decompressed so far.
Bug: 10461
Change-Id: I8bb8d0d291368ae8bf0ac26970ff54d3262a7e6e
Reviewed-on: https://code.wireshark.org/review/4083
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We probably won't get files that big, but let's at least be prepared;
that squelches some compiler warnings.
Change-Id: Ia43ff78af7df63c7204c41d8331fea946de63116
Reviewed-on: https://code.wireshark.org/review/4015
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When trying to guess what type of capture a file is, look for as many
bogosities (caplen > len, microseconds >= 10^6/nanoseconds >= 10^9,
too-high caplen, too-high original len, caplen > snapshort length), to
increase the chances of guessing correctly.
(Every time somebody uses 0xa1b2c3d4 as the magic number for a capture
file that isn't standard pcap format, God kills a kitten. Please, think
of the kittens.)
Change-Id: I3f397d598ed61dc82e2832be30452ebe8ace98e8
Reviewed-on: https://code.wireshark.org/review/3808
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's *NOT* an error; it's just a file that isn't a NetScaler file.
Otherwise, we report errors on files that should just be passed on to
other open routines.
Also, NetScaler files are *NOT* text files, and we should *NOT* use
".txt" as the suffix.
Change-Id: If001abbbbc3de3ea27439a44a47ce1d6071d38ae
Reviewed-on: https://code.wireshark.org/review/3678
Reviewed-by: Guy Harris <guy@alum.mit.edu>
-1 means "I got an error reading this file, so there's no point in
trying any more open routines". It doesn't mean "I couldn't find any
matching pattern in the text"; that's 0, for "this isn't my type of
file, but keep trying".
Change-Id: I9d2e8b8fe6720052cacf70f0bacdcbc1175202cc
Reviewed-on: https://code.wireshark.org/review/3674
Reviewed-by: Guy Harris <guy@alum.mit.edu>
* fix exporting "beginning of" frame logs into info field
* add missing "Failure" level to regexp in wiretap part
* remove usage of GDateTime from wiretap part
Change-Id: Ibdea730623241cccbbc1694a34daa308e48c0a89
Reviewed-on: https://code.wireshark.org/review/3493
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Wireshark already supports reading and writing logcat
logs saved in binary files. Binary format, although
better, is used less often than saving those logs to
text files.
This patch extends wireshark's support for android logcat
logs to reading and writing logcat logs in text files.
Features:
* support for tag, brief, process, thread, time, threadtime
and long formats
* saving in original format
* it's generally awesome
Change-Id: I013d6ac2da876d9a2b39b740219eb398d03830f6
Reviewed-on: https://code.wireshark.org/review/1802
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In particular, epan/wslua/lrexlib.c has its own buffer_ routines,
causing some linker warnings on some platforms, as reported in bug
10332.
(Not to be backported to 1.12, as that would change the API and ABI of
libwsutil and libwiretap. We should also make the buffer_ routines in
epan/wslua/lrexlib.c static, which should also address this problem, but
the name change avoids other potential namespace collisions.)
Change-Id: I1d42c7d1778c7e4c019deb2608d476c52001ce28
Reviewed-on: https://code.wireshark.org/review/3351
Reviewed-by: Guy Harris <guy@alum.mit.edu>
lseek returns an off_t type which is system-dependent. Use ws_lseek64 in
favor of lseek as that supports 64-bit quanities.
Use ws_fstat64 instead of stat to support 64-bit file sizes on Windows.
For the majority of the changes, this makes no difference as they do not
apply to Windows ("ifndef _WIN32"; availability of st_blksize).
There are no other users of "struct stat" besides the portability code
in wsutil. Forbid the use of fstat and lseek in checkAPIs.
Change-Id: I17b930ab9543f21a9d3100f3795d250c9b9ae459
Reviewed-on: https://code.wireshark.org/review/3198
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I really don't understand why MSVC would make the result of this computation an
int64 then complain about down-casting to an int16 when *all* of the
participating variables are int16 or smaller...
Change-Id: I2d9c27ac22b51b10e4872a6640881c8d0ec566e7
Reviewed-on: https://code.wireshark.org/review/3180
Reviewed-by: Evan Huus <eapache@gmail.com>
Exported PDU may contains (Binary) Logcat, so it is possible to
"export" logcat binary from it.
Change-Id: Ic6607126e739ea3972b46c2bf19f064597d4e970
Reviewed-on: https://code.wireshark.org/review/3001
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
Otherwise, if you link with both libwiretap and libfiletap, it's
anybody's guess which one you get. That means you're wasting memory
with two copies of its routines if they're identical, and means
surprising behavior if they're not (which showed up when I was debugging
a double-free crash - fixing libwiretap's buffer_free() didn't fix the
problem, because Wireshark happened to be calling libfiletap' unfixed
buffer_free()).
There's nothing *tap-specific about Buffers, anyway, so it really
belongs in wsutil.
Change-Id: I91537e46917e91277981f8f3365a2c0873152870
Reviewed-on: https://code.wireshark.org/review/3066
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That prevents some double-free issues (I got one when doing non-"Update
list of packets in real time" captures, if I do one such capture and
then another one).
Change-Id: Ia08034d9d1640bad21b74960efade8926dbfc5de
Reviewed-on: https://code.wireshark.org/review/3063
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The logcat version detector would crash with ASAN enabled because it did
not validate the payload length and hence a payload length of 0 would
trigger out-of-bounds access. (This happened on non-logcat data.)
This patch tries to get rid of all magic numbers by using a structure,
improves the version detector to validate the payload length and
prevents crashes due to missing nul-terminators in the input. Older
Android kernels would create entries with __pad with random contents, so
that cannot be used to determine version for v1. Instead, use heuristics
on the priority, tag and maybe the msg field.
Furthermore, Android is mostly (if not, always?) Little-Endian, so add
conversions where necessary (just in case WS supports BE arches).
"microseconds" has been renamed to "milliseconds" because that is what
they are, actually. A duplicate logcat_log loop has been refactored
such that one loop is sufficient, instead of separate buffers for each
log part, a single one is now used. get_priority does not really need
a pointer, just make it accept a character.
The output has been validated against v1 and v2 logcat binary formats
with __pad (hdr_size) equal to 0, and on attachment 9906.
Change-Id: I46c8813e76fe705b293ffdee85b4c1bfff7d8362
Reviewed-on: https://code.wireshark.org/review/2803
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
Pointed out by the Visual Studio code analyzer.
Change-Id: Idd429b4d0fb3db11ce171c3a5b38bdc55cc53c15
Reviewed-on: https://code.wireshark.org/review/2988
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit 28719a4e4e.
Most of the change to remove "lib" seems to work, but the list of libraries to sign appears not to be in the source repository, so I can't make that step work.
Change-Id: I32e400593e8a39f582cc702df34eea7f6e9e722a
Reviewed-on: https://code.wireshark.org/review/2972
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That combines more common code from the read and seek-read code
paths.
Also, separate out the individual metadata record types, with a comment
for each, to simplify the process of supporting some or all of them in
the future.
Change-Id: Ic8ded397d9550ec6013c1f5f138333b1ef5c37e5
Reviewed-on: https://code.wireshark.org/review/2869
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(Strong typing is for weak minds.
Human minds are weak.
Therefore, strong typing is for human minds.)
Change-Id: I2a973b6168235d5d1c7f2a5f8ac79b97b963d846
Reviewed-on: https://code.wireshark.org/review/2863
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This addresses part of, but not all of, the issues in bug ten thousand,
one hundred, and ninety:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10190
(I'm spelling it out to make sure Gerrit doesn't think this change
*does* address all the issues in that bug, and mark it as RESOLVED
FIXED; I feel like I have to treat Gerrit as a dog or small child from
whom I'm trying to keep a secret - "honey, I'm taking the dog to the
vee eee tee".)
Change-Id: Ic234130c1ea84cfaf47901485dca775e168f71d0
Reviewed-on: https://code.wireshark.org/review/2859
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The catapult dissector tripped on this random file I had. A quick look
at other dissectors which use a construct like "-1] *= '*\\[rn]" showed
packet-irda too, so fix that as well.
Change-Id: I4b5fadcacd0b09d0fb29bdefc3dd1f28aef9b593
Reviewed-on: https://code.wireshark.org/review/2802
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
"g_strlcpy" guarante that "dest" to be null-terminated.
Also cosmetic change from file_subtype to encap.
Change-Id: If188a08cf34dd9def4203404962571c273740636
Reviewed-on: https://code.wireshark.org/review/2718
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Also, make the block of code containing that comment intended
consistently with spaces.
Change-Id: I8e8eb346833662f15c53ece5869b12cc430bad11
Reviewed-on: https://code.wireshark.org/review/2661
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Libpcap 1.6/tcpdump 4.6 will support up to 131072, as the MTU on the
Linux loopback device is 65536 on at least some versions of the kernel,
and that doesn't count the fake Ethernet header, so the maximum packet
size is 65549; they went to the next power of 2 up.
Change-Id: Ibfc66d01ef8ef7387887a75c2b567159bb78ac0f
Reviewed-on: https://code.wireshark.org/review/2655
Reviewed-by: Guy Harris <guy@alum.mit.edu>
checkapi complains about C++-style comments, as some C compilers (IBM
XLC, for one) reject them by default, and gcc -pedantic might do so as
well.
Change-Id: I1719da03d2fed0fe97574e200dd79434b3d760cd
Reviewed-on: https://code.wireshark.org/review/2556
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Some dump formats are not exactly what should be done,
so fix them and try to little improve them (mostly by space padding %-8s)
Change-Id: I8ee38479c848abc0a2eaff30ce733e4b60930ac4
Reviewed-on: https://code.wireshark.org/review/2550
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Applying part of Bug 7825
Change-Id: I460b5c61b04d793ccc27c25debbd5e8f08bc6974
Reviewed-on: https://code.wireshark.org/review/2280
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Added a mapping between DLT_IPMI_HPM_2 link-layer header type to the IPMI Trace Wiretap encapsulation.
Change-Id: I458d44ad0f51beecfe5589e0e9cb75f4771d866b
Reviewed-on: https://code.wireshark.org/review/2054
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Added KCS and TMode protocol dissectors.
Request/response logic has been revised.
Saved request data logic has been revised.
Added Get Message command response dissector.
Added missing PICMG command dissectors.
Added new PICMG command dissectors.
Added new PPS OEM command entries.
Added VITA 46.11 command dissectors.
From: Bill Meier:
- refs to value_strings/range_strings in hf[] entries, by convention, should use VALS/RVALS macros;
- refs to true_false_strings should use TFS(&...) macro.
also: true_false_string definitions should not be defined as arrays.
- remove some unneeded #includes (packet-ipmi.c).
- Do some re-indentation.
- Add editor-modelines as needed.
bug: 10004
Change-Id: Ib269b35784c0b70892d1e0111bcfb483ea64092c
Reviewed-on: https://code.wireshark.org/review/1185
Reviewed-by: Anders Broman <a.broman58@gmail.com>
So don't use the values.
This problem show up on pcapng files resulting from captures of
multiple interfaces.
Change-Id: I30b0598602b0b69233107d35be4360475d8648d8
Reviewed-on: https://code.wireshark.org/review/1950
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Open routines need to be initialized before try to open
capture or add/remove routine.
Change-Id: Ic3b88eef947ebd4a3dd2edf8120bb6bd8aec0765
Reviewed-on: https://code.wireshark.org/review/1874
Reviewed-by: Evan Huus <eapache@gmail.com>
Have two different classes of file-type-specific records - "events" and
"reports". An "event" indicates something that happened in the capture
process, such as a status transition on the network; a "report" just
gives information not corresponding to something happening in the
capture process, such as capture statistics.
Note that both of those should be dissected and displayed like packets,
and leave open the possibility of file-type-specific records whose
contents should be processed and saved but not displayed in the packet
list.
Shorten "file_type_specific" to "ft_specific".
Change-Id: I2342d82ef992c794b76f354c057823dd5eb371e6
Reviewed-on: https://code.wireshark.org/review/1779
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We rename "file format" plugins to "libwiretap" plugins, as they can
register as read handlers for a new file type, read/write handlers for a
pcap-ng block type (or both).
To register as a pcap-ng block type handler, in the
register_wtap_module() routine of your plugin, call
register_pcapng_block_type_handler() with the pcap-ng block type and
pointers to your routines to read and write those blocks. Those
routines should read and write REC_TYPE_FILE_TYPE_SPECIFIC records, with
the block type in the pseudo-header for the record in the struct
wtap_pkthdr structure, with time stamps stored in that structure, and
with a blob of data for the rest of the record.
This is for bug 8590.
Change-Id: I71847d834854a29ceb85894fd094c2ae91a04273
Reviewed-on: https://code.wireshark.org/review/1775
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a "record type" field to "struct wtap_pkthdr"; currently, it can be
REC_TYPE_PACKET, for a record containing a packet, or
REC_TYPE_FILE_TYPE_SPECIFIC, for records containing file-type-specific
data.
Modify code that reads packets to be able to handle non-packet records,
even if that just means ignoring them.
Rename some routines to indicate that they handle more than just
packets.
We don't yet have any libwiretap code that supplies records other than
REC_TYPE_PACKET or that supporting writing records other than
REC_TYPE_PACKET, or any code to support plugins for handling
REC_TYPE_FILE_TYPE_SPECIFIC records; this is just the first step for bug
8590.
Change-Id: Idb40b78f17c2c3aea72031bcd252abf9bc11c813
Reviewed-on: https://code.wireshark.org/review/1773
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit c0c480d08c.
A better way to do this is to have the record type be part of struct wtap_pkthdr; that keeps the metadata for the record together and requires fewer API changes. That is in-progress.
Change-Id: Ic558f163a48e2c6d0df7f55e81a35a5e24b53bc6
Reviewed-on: https://code.wireshark.org/review/1741
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This is the first step towards implementing the mechanisms requestd in
bug 8590; currently, we don't return any records other than packet
records from libwiretap, and just ignore non-packet records in the rest
of Wireshark, but this at least gets the ball rolling.
Change-Id: I34a45b54dd361f69fdad1a758d8ca4f42d67d574
Reviewed-on: https://code.wireshark.org/review/1736
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wtap_dump_open() allocates an empty wtap_dumper struct such that
interface_data is not initialized. Fix this by adding the member back.
Regression from 3aee917058 ("wiretap:
remove unused code, drop number_of_interfaces").
Bug: 10113
Change-Id: Ia6259bf50b25d5e7aa837b0fb7396b07d5d3c72c
Reviewed-on: https://code.wireshark.org/review/1672
Reviewed-by: Evan Huus <eapache@gmail.com>
While investigating an ASAN issue (fixed in
commit dcdd076ab0), I got greatly confused
by three different types having the same "interface_data" field name:
* pcapng_t *pn stores an array of interface_data_t objects.
* wtap *wth stores an array of wtapng_if_descr_t objects.
* pcapng_dump_t should store an array of interface_data_t objects.
pcapng_dump_t and friends are unused since
commit c7f1a431d2, so drop it.
To fix the confusion, rename the interface_data_t type to
interface_info_t type and use the local variable "iface_info"
everywhere. Rename interface_data of pcapng_t to "interfaces" and
add a comment what this exactly means (interfaces listed in the capture
file).
Drop the number_of_interfaces field for interfaces as the array
length is already available from GArray. Now interface_data is always
initialized for wth (which also gets copied to idb).
s/int/guint/g and replace cast at some places.
There are no regressions for the in-tree test suite.
Change-Id: I2d5985c9f1e43f8230dbb4a73bd1e243c4858170
Reviewed-on: https://code.wireshark.org/review/1656
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 1abeb277f5.
This isn't building, and looks as if it requires significant work to fix.
Change-Id: I622b1bb243e353e874883a302ab419532b7601f2
Reviewed-on: https://code.wireshark.org/review/1568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit f5a0d7e897.
There's a lot more work needed to fix this change; that's not the only broken file. I'm going to be reverting the whole thing.
Change-Id: I8e9bb3902f7e398ccb71c66711869c3dd338271c
Reviewed-on: https://code.wireshark.org/review/1569
Reviewed-by: Guy Harris <guy@alum.mit.edu>
catapult_dct2000_dump() to the declared one.
Change-Id: Ib9b38fb35ace1e858e8105a54a192c044899b69a
Reviewed-on: https://code.wireshark.org/review/1567
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Start of refactoring Wiretap and breaking structures down into "generally useful fields for dissection" and "capture specific". Since this in intended as a "base" for Wiretap and Filetap, the "wft" prefix is used for "common" functionality.
The "architectural" changes can be found in cfile.h, wtap.h, wtap-int.h and (new file) wftap-int.h. Most of the other (painstaking) changes were really just the result of compiling those new architecture changes.
bug:9607
Change-Id: Ife858a61760d7a8a03be073546c0e7e582cab2ae
Reviewed-on: https://code.wireshark.org/review/1485
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I7e484de65c49060793a91cc11cb211effa2006db
Reviewed-on: https://code.wireshark.org/review/1494
Reviewed-by: Michael Mann <mmann78@netscape.net>
As caught by CppCheck, the conditions checking that n is in bounds should
occur *before* the conditions using n as an index so that if n is out of bounds
we don't try and use it anyways.
Change-Id: I107c983153aa12203f8c88b14e1addd3807d6b6e
Reviewed-on: https://code.wireshark.org/review/1415
Reviewed-by: Michael Mann <mmann78@netscape.net>
See IEEE Standard 802.3-2012 Section 5, Clause 65 and CableLabs DPoE
Security and Certificate Specification 1.0, Section 6.
Currently dissects 1G mode. 10G mode will be added when hardware is
available.
Change-Id: I6232af9bf6807644ef66a120d97e5fa5927988fe
Reviewed-on: https://code.wireshark.org/review/1284
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Then have the read and seek-read routines both use that routine.
Change-Id: I3d11df82644207d0ae59486231c91e1f044090ab
Reviewed-on: https://code.wireshark.org/review/1361
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We don't fail for other file types; there's no point in failing for
pcap-NG. wtap_read() will ensure that caplen <= len.
Make wtap_seek_read() ensure that caplen <= len as well.
Fixes bug 10037.
Change-Id: I41fbcf54341ea0429cef875442ea1f1377177a5f
Reviewed-on: https://code.wireshark.org/review/1353
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Always call $(top_srcdir)/tools/checkAPIs.pl with -sourcedir=$(srcdir)
from Makefile.am to allow out-of-source 'make checkapi'.
Change-Id: I60d7e0079984a8ededdacf4517a0738486fa7973
Reviewed-on: https://code.wireshark.org/review/1294
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It automatically works for LINKTYPE_PKTAP and, by default, for
LINKTYPE_USER2; if any other dissector is specified for LINKTYPE_USER2,
that dissector overrides PKTAP.
Change-Id: Ic00ac8a81c6101e45d638d337aef42df3920da12
Reviewed-on: https://code.wireshark.org/review/903
Reviewed-by: Evan Huus <eapache@gmail.com>
As the comment after the WTAP_ENCAP_ list says, "After adding new item
here, please also add new item to encap_table_base array".
Change-Id: I918603fa271978b3a81525466c5f4067efc7a783
Reviewed-on: https://code.wireshark.org/review/897
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(Using sed : sed -i '/^\# \$Id\$/,+1 d') (start with dash)
Change-Id: Ia4b5a6c2302f6a531f6a86c1ec3a2f8205c8c2dd
Reviewed-on: https://code.wireshark.org/review/881
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(Using sed : sed -i '/^\* \$Id\$/,+1 d') (no space before star)
Change-Id: I318968db2b8512ba1303b5fc5c624c66441658f0
Reviewed-on: https://code.wireshark.org/review/879
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Gerald Combs