A linktype was recently assigned to Linux vsock in libpcap commit
cfdded36ddcf5d01e1ed9f5d4db596b744a6cda5 ("added DLT_VSOCK for
http://qemu-project.org/Features/VirtioVsock").
The Wireshark vsock dissector can now be automatically applied when
wtap_encap matches the new WTAP_ENCAP_VSOCK constant.
This patch makes Wireshark dissect vsock packet captures without
manually specifying the dissector.
Change-Id: If252071499a61554f624c9ce0ce45a0ccfa88d7a
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-on: https://code.wireshark.org/review/22611
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
It needed to be done:
https://github.com/shirriff/pup-wireshark
(And, yes, there really *is* a DLT_/LINKTYPE_ for it! The original DLT_
values were ARP hardware types, and 3MB Ethernet was assigned an ARP
hardware type of 2.)
Change-Id: I60d96c28e67854adcb28c7e3579ae5dd1f07df4b
Reviewed-on: https://code.wireshark.org/review/22336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
In change 18a3b0659c, I moved the table
that uses it, but not the actual definition, from libpcap.c to
pcap-common.c; they both should have been moved. Make it so.
Change-Id: I266fce455df3848b873cdfadb12cecdbf9c8d4d3
Reviewed-on: https://code.wireshark.org/review/22216
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add support for handling LoRaTap (https://github.com/eriknl/LoRaTap) DLT in
wiretap and add dissector for LoRaTap headers.
Exposes Syncword for subdissectors to dissect frame payload.
Change-Id: Ie4ba2189964376938f45eb3da93f2c3376042e85
Reviewed-on: https://code.wireshark.org/review/21915
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Both of them need to have the CAN ID/flags field of the header
byte-swapped as necessary to make sure it's in the *reading* host's byte
order, not the *writing* host's byte order, if the two are different.
Change-Id: Iac1589fdd9fe4d9ee6fbac8d821b48694d68919b
Reviewed-on: https://code.wireshark.org/review/17333
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Libpcap just backed out the "host-endian" SocketCAN LINKTYPE_ value; we
don't need it any more.
Change-Id: I33a7dc21207a0009e20b4abaefe1119eb649c39a
Reviewed-on: https://code.wireshark.org/review/17327
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Unfortunately, only one libpcap code path puts the CAN ID in the
SocketCAN header in network byte order; the others leave it in host byte
order. Therefore, a new LINKTYPE_/DLT_ value was introduced, and
libpcap was changed to use that for the cases where the CAN ID is in
host byte order. Support them both.
This means we need to, when reading pcap and pcapng files, fix up the
CAN ID if the host that wrote the file has a different byte order from
ours (as libpcap also now does). This includes Linux "cooked" captures,
which can include CAN packets.
Change-Id: I75ff2d68d1fbdb42753ce85d18f04166f21736dd
Reviewed-on: https://code.wireshark.org/review/17155
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Done for performance improvements.
This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.
Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Set len and caplen in pcap_read_post_process to actual wlen/payload length like for native ERF.
This fixes padding incorrectly showing as an Ethernet trailer or equivalent as
well as packet length calculations being incorrect.
Fix up rlen when writing ENCAP_ERF so it isn't longer than the actual record
length. This differs from native ERF behaviour which pads the record instead
but there is currently no non-hackish way to do this for pcap/pcap-ng.
Note: This means records captured from a DAG card in Wireshark (or old
PCAP(-NG) files opened) will have padding stripped when saved as PCAP(-NG) and
thus cannot be transmitted when converted to native ERF without aligning first.
However, if the file is saved as native ERF originally the padding will be
preserved (and zeroed). Given that extension header write support was very
broken and transmission of PCAP(-NG) is not supported without conversion this
is not expected to have been common.
Ping-Bug: 3606
Change-Id: I49dce03984d7f07431b6eb7e16a993aeb571f288
Reviewed-on: https://code.wireshark.org/review/15359
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Write ERF subheader after extension headers, especially important for Ethernet
(other types predate extension headers for the most part).
Add missing ERF_TYPE_MC_AAL2 and ERF_TYPE_COLOR_HASH_ETH.
Truncate final ERF extension header when too many. Rlen is not currently
adjusted so may be incorrect (see followup patch). Existing tools generally
check against PCAP incl_len anyway as there are other scenarios where this can
happen like naive snapping or Wireshark ERF-to-PCAP.
Properly fixing this will involve getting rid of the ERF pseudoheader.
Consistent with the ERF wiretap (except for different padding behaviour).
Bug: 3606
Change-Id: I6086cbc3fef948586fbad6f585f648d99adfff4f
Reviewed-on: https://code.wireshark.org/review/15358
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(There's also work needed in libpcap; that's also in progress.)
Change-Id: Iff5a34c139a000865e2d78cc17a4af5ff24fb44b
Reviewed-on: https://code.wireshark.org/review/14025
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It doesn't correspond to anything we support - and the old Linux USB
LINKTYPE_ value of 186 doesn't give enough information to dissect the
packets (it discards the event type, for example), so we drop the rest
of our support for it as well.
Change-Id: I6f537d9263174aba4320edf5140e1d1540e979c8
Reviewed-on: https://code.wireshark.org/review/14020
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wtap_read() and wtap_seek_read() now do so before calling the read or
seek-read routine, so there's no need to do so in those routines.
Rename hcidump_process_packet() to hcidump_read_packet() while we're at
it, as it doesn't just process an already-read packet, it does the
reading as well as the processing.
Change-Id: Ic13da6a2096e68550d80f2eff31f03d0edb58147
Reviewed-on: https://code.wireshark.org/review/13998
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Discovered by changing wtap_encap_requires_phdr() to use a switch
statement and comparing the case arms.
Change-Id: I2a23b86ddfbc88c1b3251a0e97f7f00ee93f630e
Reviewed-on: https://code.wireshark.org/review/13341
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The data before the Ethernet packet isn't a 16-bit little-endian
integer, it's two bytes, one byte of offset and one byte of padding.
Change-Id: I327b88f058dda184b79d3c2c6cf0dea52c0d28b1
Reviewed-on: https://code.wireshark.org/review/13254
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add support for Generic Framing Procedure. Generic Framing Procedure (GFP)
is used to map octet-aligned variable length payloads (e.g. Ethernet, MPLS,
octet-aligned PPP, IP) into octet-synchronous signals such as SONET/SDH
(ITU-T G.707) and OTN (ITU-T G.709). GFP is a telecommunications industry
standard defined in ITU-T G.7041/Y.1303.
(https://www.itu.int/rec/T-REC-G.7041/)
Bug: 11961
Change-Id: Idf5b311e82b051b1ee65bde5149b3de405537b02
Reviewed-on: https://code.wireshark.org/review/13043
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The use of a flag field here is aesthetically unpleasing when the flags
are referred to frequently. Convert these into bitfield entries.
Change-Id: I6f47e31558439dfd343ec7f856d04480366a1237
Reviewed-on: https://code.wireshark.org/review/12511
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
add DLT_ISO14443 to pcap_to_wtap_map[]
define WTAP_ENCAP_ISO14443, link it to the iso14443 dissector
Change-Id: Id837197c4d66071094f9336d60db36a371424807
Reviewed-on: https://code.wireshark.org/review/11959
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have dissectors of various forms of radio information headers in the
packets fill in a struct ieee_802_11_phdr with radio information as
appropriate, and call the "802.11 radio information" dissector rather
than the raw 802.11 dissector.
This means that the radio information can be found in a
protocol-independent and encapsulation-independent form when you're
looking at the packet; that information can be presented in a form
somewhat easier to read than the raw metadata header format.
It also enables having a single "radio information" tap that allows
statistics to handle all different sorts of radio information
encapsulation.
In addition, it lets us clean up some of the arguments passed to the
common 802.11 dissector routine, by having it pull that information from
the struct ieee_802_11_phdr.
Ensure that the right structure gets passed to that routine, and that
all the appropriate parts of that structure are filled in.
Rename the 802.11 radio protocol to "wlan_radio", rather than just
"radio", as it's 802.11-specific. Give all its fields "wlan_radio."
names rather than "wlan." names.
Change-Id: I78d79afece0ce0cf5fc17293c1e29596413b31c8
Reviewed-on: https://code.wireshark.org/review/8992
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Those aren't pseudo-headers exported from libwiretap, they're just
structures corresponding to the pseudo-headers for some pcap/pcap-ng
link-layer header types.
Change-Id: Iec37cfc162b64adacdeb57e14e546bced7b673fa
Reviewed-on: https://code.wireshark.org/review/8941
Reviewed-by: Guy Harris <guy@alum.mit.edu>
gcc5 complains about the issue below, so add a trivial fixup.
CC libwiretap_la-pcap-common.lo
pcap-common.c: In function 'pcap_byteswap_nflog_pseudoheader':
pcap-common.c:1290:30: error: logical not is only applied to the left hand side of comparison [-Werror=logical-not-parentheses]
if (!(nfhdr->nflog_version) == 0) {
^
cc1: all warnings being treated as errors
Change-Id: I9f5b090ffd564f203cc3fb4ff302f2e4752865f0
Reviewed-on: https://code.wireshark.org/review/7336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's a little cleaner, and lets us preserve the LINKTYPE_ value for
DLT_LOOP captures. ("Preserve" here doesn't mean "write files with a
link-layer header type of 12", as that's ambiguous; we write it with a
link-layer header type of LINKTYPE_LOOP, i.e. 108. If programs on
OpenBSD don't recognize that as DLT_LOOP, that's a bug in OpenBSD's
libpcap or in the program.)
Change-Id: I48a2e04aed41c013823ffb5c588d2a8e8b376e15
Reviewed-on: https://code.wireshark.org/review/7143
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Instead, explicitly check for particular build platforms. This means
that the interpretation of the link-layer type values with different
meanings on different platforms won't be dependent on the particular
version of libpcap with which Wireshark happens to be built, and also
means that we don't have to fix pcap-common.c to include pcap.h or
net/bpf.h.
Fix some comments while we're at it.
Bug: 10956
Change-Id: If331d9b92081fb0bdf416620fb2ad8dce57dea6b
Reviewed-on: https://code.wireshark.org/review/7140
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a set of presence bits, so we can indicate which bits of radio
metadata we do and don't have.
Fill in more radio metadata from capture files, and display it.
(More to come.)
Change-Id: Idea2c05442c74af17c14c4d5a8d8025ab27fbd15
Reviewed-on: https://code.wireshark.org/review/4987
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Unlike the standard I/O routines, the code we introduced that supports
fast random seeking on gzipped files will always supply some specific
error code for read errors, so we don't need WTAP_ERR_CANT_READ.
Add WTAP_ERR_CANT_WRITE for writing, as we're still using the standard
I/O routines for that. Set errno to WTAP_ERR_CANT_WRITE before calling
fwrite() in wtap_dump_file_write(), so that it's used if fwrite() fails
without setting errno.
Change-Id: I6bf066a6838284a532737aa65fd0c9bb3639ad63
Reviewed-on: https://code.wireshark.org/review/4540
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Added a mapping between DLT_IPMI_HPM_2 link-layer header type to the IPMI Trace Wiretap encapsulation.
Change-Id: I458d44ad0f51beecfe5589e0e9cb75f4771d866b
Reviewed-on: https://code.wireshark.org/review/2054
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This reverts commit 1abeb277f5.
This isn't building, and looks as if it requires significant work to fix.
Change-Id: I622b1bb243e353e874883a302ab419532b7601f2
Reviewed-on: https://code.wireshark.org/review/1568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Start of refactoring Wiretap and breaking structures down into "generally useful fields for dissection" and "capture specific". Since this in intended as a "base" for Wiretap and Filetap, the "wft" prefix is used for "common" functionality.
The "architectural" changes can be found in cfile.h, wtap.h, wtap-int.h and (new file) wftap-int.h. Most of the other (painstaking) changes were really just the result of compiling those new architecture changes.
bug:9607
Change-Id: Ife858a61760d7a8a03be073546c0e7e582cab2ae
Reviewed-on: https://code.wireshark.org/review/1485
Reviewed-by: Michael Mann <mmann78@netscape.net>
See IEEE Standard 802.3-2012 Section 5, Clause 65 and CableLabs DPoE
Security and Certificate Specification 1.0, Section 6.
Currently dissects 1G mode. 10G mode will be added when hardware is
available.
Change-Id: I6232af9bf6807644ef66a120d97e5fa5927988fe
Reviewed-on: https://code.wireshark.org/review/1284
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
It automatically works for LINKTYPE_PKTAP and, by default, for
LINKTYPE_USER2; if any other dissector is specified for LINKTYPE_USER2,
that dissector overrides PKTAP.
Change-Id: Ic00ac8a81c6101e45d638d337aef42df3920da12
Reviewed-on: https://code.wireshark.org/review/903
Reviewed-by: Evan Huus <eapache@gmail.com>
Adds support for BLUETOOTH_LE_LL_WITH_PHDR, dissector integrates with existing
BTLE dissector.
Fixes BTLE dissector to correctly extract packet CRC.
Adds CRC checking to BTLE dissector.
Provides optional context to BTLE dissector that allows RF captures to provide
link-layer hints for dissection details. Significantly, parameters for
determining CRC correctness are provided, as well as Access Address validity
information.
Change-Id: I7d4936b053353a7f9c524021c01f67f5828253fb
Reviewed-on: https://code.wireshark.org/review/310
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When capturing, they'll be in host byte order. The top of the libpcap
trunk and 1.5 branch, when reading a file, will, if necessary, byte-swap
the type and length values so that they're in the byte order of the host
reading the file (rather than the host that wrote the file).
Do the same when we read a file, and have the NFLOG dissector assume
host byte order for those fields.
Change-Id: I493aed1e07b626af1157d75f3bc293b0a694ad07
Reviewed-on: https://code.wireshark.org/review/148
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
BlueZ 5/Linux Kernel introduced new way to sniffing Bluetooth interfaces.
We are ready to use it. Libpcap provide new interface called
"bluetooth-monior".
Also fix trivial typos.
Change-Id: Ic608a3d8553bbebbb21f2733ec92c758cbf8f707
Reviewed-on: https://code.wireshark.org/review/253
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Combine the check for whether the field is within the packet data and
the swapping of the field into macros that do both, and use them.
Change-Id: I1db4c5fd76172edd44abc9fb111d79a2537c6c9d
Reviewed-on: https://code.wireshark.org/review/130
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
For some routines that take multiple arguments that come from a struct
wtap_pkthdr, pass a pointer to the struct wtap_pkthdr in question,
rather than the separate arguments. Do this even if we're passing
expressions that were earlier assigned to the struct wtap_pkthdr fields
in question. This simplifies the calling sequences and ensures that the
right values are picked up by the called routine; in at least one case
we were *not* passing the right values (the code to handle Simple Packet
Blocks in pcap-ng files).
Also, call the byte-swapping routines for pseudo-header fields only if
we need to do byte-swapping.
Change-Id: I3a8badfcfeb0237dfc1d1014185a67f18c0f2ebe
Reviewed-on: https://code.wireshark.org/review/119
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
From İbrahim Can Yüce
From me: Update to new tcp_dissect_pdus format, minor whitespace issues noticed in wiretap files.
svn path=/trunk/; revision=53669
subtypes, e.g. Network Monitor version 1 and Network Monitor version 2
are separate "file types", even though they both come from Network
Monitor.
Rename various functions, #defines, and variables appropriately.
svn path=/trunk/; revision=53166
Stefan Hajnoczi