If the first byte of the file is 31, and we advance to the next byte but
find it's not 139, back up to the first byte before falling through and
treating the file as uncompressed.
Add/expand some comments while we're at it.
Bug: 16252
Change-Id: I292b51f9cc04173482a43b26b0ce73c9e7aee570
Reviewed-on: https://code.wireshark.org/review/35315
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When using wiretap to create a pcapng file,
the drop_count field from the wtap_packet_header
in wiretap/wtap.h is not being dumped to the file
in pcapng_write_enhanced_packet_block function.
Bug: 16062
Change-Id: Id9b8dbd1f7406e019fab00ff7a4167ab27543f62
Reviewed-on: https://code.wireshark.org/review/34836
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It turned out that 1 MiB is not enough as atleast the URBs sent by
Android fastbool tools are greater than 1 MiB (1 MiB payload + USBPcap
pseudoheader). Raise the maximum packet size all the way up to 128 MiB.
128 MiB is the upper bound of maximum packet that can be captured by
all official USBPcap releases.
Bug: 15985
Change-Id: Ibbf41f7efae6e0f841e36d39664394e8a8eae77d
Reviewed-on: https://code.wireshark.org/review/34793
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use g_get_real_time() to get real time because GTimeVal and g_get_current_time()
was deprecated in glib 2.62.
Change-Id: I78fee34e2f5b634c91c6420b01915cfc070f38a4
Reviewed-on: https://code.wireshark.org/review/34468
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When writing a capture as a commview file the header written is two
bytes longer than the specification. Even though we count 24, we
actually write 26. This makes the commview file corrupt, as is apparent
when reading such file, eg., after using Save As... with this format.
Replace writing 2 bytes for the last two fields in the header by 1 byte
each, as per the header specification.
Change-Id: I9436f7837b2e3617a389619884bf93ad146e95f3
Reviewed-on: https://code.wireshark.org/review/34450
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check the time stamp microseconds field; it must be < 10^6.
Check the first few packets, not just the first packet.
Change-Id: I35a58a79d48db13daee937374caae40bc320e9e7
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34437
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
On a big-endian machine, if the upper 16 bits of the length are non-zero
and the lower 16 bits are zero, that means that the length is
*little*-endian.
What we really care about is whether the file is in the reading host's
native format, so we can just fetch integral values without swapping, or
not in that format, in which case we have to byte-swap integral values.
Rename the variable and redo the code to match.
(This may have caused the PacketLogger reader to fail on big-endian
machines.)
Change-Id: Ie1a82a7d40e2c58c0b8d482d7c95ab60061ca980
Ping-Bug: 10861
Reviewed-on: https://code.wireshark.org/review/34434
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's no point in trying to read more packets to check the file type.
Change-Id: Ic2c5a7692b60fab8a0022503338a40befe00d358
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34433
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check some more field values, and fix some tests to check against the
maximum possible value given in the i4b_trace.h file rather than against
that value + 1. (> max, or >= max+1, are both reasonable, but > max+1
isn't.)
Check the first few packets, not just the first packet.
Make some header fields unsigned, as that's how we treat them in most
cases; that way we treat them that way by default.
Change-Id: I8c2d28af048c676a3dbae367bbb49c886e0dc566
Ping-Bug: 16031
Reviewed-on: https://code.wireshark.org/review/34432
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
log3gpp.c:459:10: warning: no previous prototype for function 'log3gpp_dump[|open|finish]' [-Wmissing-prototypes]
Change-Id: I1d896f90d91dc04b68b12f48ae06526556a428d4
Reviewed-on: https://code.wireshark.org/review/33963
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The pointer returned by create_tempfile() must not be freed. As the
wtap_dump_open_tempfile() callers are freeing the returned filename,
duplicate the string so it can be freed.
Bug: 15377
Change-Id: Ib0b23aaee748ef67600ef3f7d40610ebbbec721c
Reviewed-on: https://code.wireshark.org/review/34272
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
You either have to set it to 1 or 0 if you know whether it's shifted
time or set it to -1 if you don't.
Should address Coverity CID 1452227.
Change-Id: I7d435bb6b7dd8897b44bf5103578e3db1a30379e
Reviewed-on: https://code.wireshark.org/review/34175
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Only CAN protocol is supported. Extra information available in J1939
entries is ignored since the J1939 wireshark dissector works with
raw CAN frames and makes no use of this extra information.
The log format may also encapsulate LIN messages which are not
supported by wireshark and thus are ignored.
The only limitation is that relative timestamp format is not
supported. If a file defines relative format of timestamps, packets
are extracted, but timestamps are omitted, since random access deems
impossible without reparsing the whole file up to the packet of
interest. In order to support relative timestamps we need to parse
the whole file at once on open and either dump into a temporary
PCAP file or keep messages in a private list and provide access
to them on read()/seek_read().
The change also creates a separate header for CAN frame structure
definitions which are used by several file readers (candump and
busmaster for now).
Bug: 15939
Change-Id: I87c5555e4e5e1b142b9984b24544b2591d494fbc
Reviewed-on: https://code.wireshark.org/review/34083
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fall back on the Wayback Machine for some links.
Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842
Reviewed-on: https://code.wireshark.org/review/34103
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Microsoft reshuffled their documentation - almost all of it moved from
msdn.microsoft.com to docs.microsoft.com. Some blogs moved to
devblogs.microsoft.com; the comments *didn't* move, so in one case we go
to the Wayback Machine - the link isn't dead, but it formats horribly,
at least on my browser, but the archived version formats OK.
Use the Wayback Machine for some URLs, and update others.
Update the sections for MS-ADTS.
Point to the HTML versions of some RFCs and I-Ds.
Change-Id: I344b20f880de63f1ae2a4e3f9ff98af78a7fe139
Reviewed-on: https://code.wireshark.org/review/34101
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Dissect raw USB Packets. The actual USB packets to transaction conversion
(which is needed to pass the data to existing USB URB dissector) is not
implemented yet.
Ping-Bug: 15908
Change-Id: Ia75d58882d770fdd8650622d318241743069ad8f
Reviewed-on: https://code.wireshark.org/review/34006
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's broken, unmaintained, poorly implemented and obsoleted by saner
debug-info methods.
Note: To do the compliance check properly would require much more
extensive work to clearly define public and private interfaces (without
manual bookeeping of files or symbols either, of course, because who
would want that...).
Change-Id: Ib801f3c152ca2369f95ca1f4af4d37cd8cc7c47a
Reviewed-on: https://code.wireshark.org/review/33928
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: João Valverde <j@v6e.pt>
It's preferable to parse text files and generate packets on demand,
rather than generate a temporary PCAP file and dump all available
packets into it.
Parsing on the fly has a benefit of handling damaged files up to the
point of damage, while the approach with a temporary file doesn't
allow either to report that the original file is damaged or perform
conversion in the first place.
This version works faster than the previous one.
Command:
time ./run/tshark -r ./candump-2019-07-01_111120.log.gz > /dev/null
The test file is attached to the bug 15889
The current version:
real 0m0,597s
user 0m0,533s
sys 0m0,118s
The previous version:
real 0m2,176s
user 0m1,966s
sys 0m0,100s
Bug: 15889
Change-Id: I862ce47752531c2e9d9459f5d865c1fc08f32fea
Reviewed-on: https://code.wireshark.org/review/34007
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
candump_open() may be called with non-empty error code and string.
The error code is not reset upon success in run_candump_parser() which may
mislead the caller function thus affecting opening the file.
yy_fatal_error(), yy_alloc(), yy_realloc() and yy_free() make no use
of the yyscanner argument, which results in warnings on OSX.
In order to get rid of those warning we provide our own
implementations of memory allocation functions and hack
YY_EXIT_FAILURE macro in order to pretend using the argument.
Change-Id: I672d374b26970b2699b9d789b6118e97ba660bdf
Reviewed-on: https://code.wireshark.org/review/33892
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Include string.h to fix implicitly declaring library function
'memcpy' with type 'void *(void *, const void *, unsigned long)'
Change-Id: Ia6796f1966db606f946e0935ed0e5b70702c88c9
Reviewed-on: https://code.wireshark.org/review/33891
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The change adds ability to import text logs produced by the candump
tool.
E.g.: candump -L can0 -or- candump -l can0
The whole file is read and converted into a temporary PCAPNG file with
Exported PDU packets containing SocketCAN frames.
Bug: 15889
Change-Id: I5ad93dca96d6e955a4b21cf624f0553e60f060f6
Reviewed-on: https://code.wireshark.org/review/33800
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It takes a yyscan_t as an argument, not a pointer to a yyscan_t; a
yyscan_t is a pointer to the scanner state. (A pointer to it is passed
to the init routine so that it can be set to point to the allocated
state, not because it's a structure itself.)
Change-Id: If80ca1caaa07d8a966df8d07f989b722869ac58b
Reviewed-on: https://code.wireshark.org/review/33814
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Lexer private structure is initialized but never destroyed or reused.
Change-Id: I61d43b4cb14a2d3b3706267eb393e4562adb00f9
Reviewed-on: https://code.wireshark.org/review/33809
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We were using fields in the pcapng_t that weren't set yet to report the
version number in question; use the variables we were checking.
Change-Id: Ib03bafe62d8c7b1aa54b2ef22640e3b00722142a
Ping-Bug: 15862
Reviewed-on: https://code.wireshark.org/review/33671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There may need to be more of these.
Bug: 15740
Change-Id: I5d3a97ed50d66dfcb85df0ab7053e8a44c531134
Reviewed-on: https://code.wireshark.org/review/33280
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This value is used when checking if the file was generated on a
machine with different endianess. The error message changes from
"Unrecognized pcapng format or not pcapng data."
to
"dumpcap: Interface 0 is big endian but we're little endian."
Fix dumpcap.c and pcapio.c.
Ping-Bug: 15754
Change-Id: I3a31f873f01bcb3f1324410e70f29f285e56c715
Reviewed-on: https://code.wireshark.org/review/33274
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Use the local one *only* while we're trying to determine whether we have
a pcapng file or not; once we know we have a pcapng file, and have
allocated a pcapng_t and attached it to the wtap structure, pass *that*
one to pcapng_read_block(), so if it changes anything in the pcapng_t,
it changes the one we're using.
Change-Id: I53b32595276be97957a0b6056171471878fa40c4
Reviewed-on: https://code.wireshark.org/review/33226
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wth has been already checked in line 315.
Change-Id: Ib620e0b1e9262e5344feb934b024f7817cfda6fd
Reviewed-on: https://code.wireshark.org/review/33178
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There is no FCS length information for a pcapng file; there's FCS length
information for each interface.
Change-Id: I3abb1a35b28475aa3ad6f126060140d0a524bbca
Reviewed-on: https://code.wireshark.org/review/33215
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Ethernet packets without the CRC are 1514 bytes long, not 1500 bytes
long; using 1514 bytes will avoid a reallocation for a full-sized
Ethernet packet.
Change-Id: Ie8da3f13bf3df07e23e4478b7dcf84f06dec6a9d
Reviewed-on: https://code.wireshark.org/review/32761
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it - and the routines that implement it - work more like the
seek-read routine.
Change-Id: I0cace2d0e4c9ebfc21ac98fd1af1ec70f60a240d
Reviewed-on: https://code.wireshark.org/review/32727
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit c599e49028.
Reason for revert: This completely fails to recognize Unicode iSeries dumps.
Change-Id: Ie31141879b1bc3608a5dfdcba6887bb6f0018a47
Reviewed-on: https://code.wireshark.org/review/32568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
209 is LINKTYPE_IPMB_LINUX; add _LINUX/_linux to the WTAP_ENCAP_ name
and function/structure names, to clarify that it's not I2C in general,
it's I2C with a particular pseudo-header.
199 is now LINKTYPE_IPMB_KONTRON, not LINKTYPE_IPMB, as it doesn't have
raw I2C packets, it has I2C packets with a pseudo-header. Change the
WTAP_ENCAP_ name, and add a dissector for it.
Change-Id: Ie097f4317b03d2b2adfd9b81a4b11caf6268399e
Reviewed-on: https://code.wireshark.org/review/32539
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's what they are, and that's how other code in erf_open() treats
them; just use assignment to initialize prevts and to set prevts to ts.
Maybe this will keep the Clang static analyzer from calling prevts a
garbage value when compared with ts.
Change-Id: I2ee2376ced5c3efa6beab34276009a3177c94416
Reviewed-on: https://code.wireshark.org/review/32455
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That made PACKET_DESCRIBE() do nothing, causing warnings from the Clang
Static Humiliator.
Change-Id: I6f433cd193b6398d89038e95c7bf5deb24aa186d
Reviewed-on: https://code.wireshark.org/review/32437
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Move the read out of nspm_signature_version(), to make it a bit clearer
what file I/O we do in the open process; have nspm_signature_version()
just look for a signature in a single page.
In the loop in nspm_signature_version(), make sure we have enough of the
record header to look at the type and length fields in that header
before looking at them and, when we can look at them, make sure the
length of the record 1) fits in what remains of the page we're looking
at and 2) is big enough to be the length of a signature record.
Change-Id: I7d625859136e6f39c40b166067fc7efea806d9b0
Reviewed-on: https://code.wireshark.org/review/32426
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix more crashes found in the provided bug report.
Bug: 15497
Change-Id: If84498fa879ad56c8677f8c1442a8dc0e5906003
Reviewed-on: https://code.wireshark.org/review/32333
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Guy Harris