Use ws_strtou64 to convert __REALTIME_TIMESTAMP= and other timestamps,
which should work across platforms.
Bug: 16664
Change-Id: I371f2b60e1957e57dbbdbbc3ded5ad49e8eb79d1
Reviewed-on: https://code.wireshark.org/review/37849
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add support to read/write the new EPB options, epb_packetid,
epb_queue and epb_verdict, from/to pcap files.
In addition, it updates the packet-frame dissector to dissect
these new fields.
More details on the options can be found in the PcapNG
specification: https://github.com/pcapng/pcapng
An application using these new fields can be found here:
https://github.com/chaudron/xdp-tools/tree/dev/pcapngII/xdp-dump
Change-Id: I761b8114b437fe573dd2c750e35586ad88494938
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-on: https://code.wireshark.org/review/37412
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This moves us closer to fixing bug 16531; it addresses the second issue
there, as the right snapslen is used for packets in the second section,
so we no longer get errors reading the file.
It still doesn't fix the *names* of the interfaces, and it doesn't - and
*shouldn't* - show the interfaces with different interface numbers, as
the numbers are per-section rather than global.
Change-Id: Ia3aa3309b75a4bcd9f229048ddce6a981b9409b1
Ping-Bug: 16531
Reviewed-on: https://code.wireshark.org/review/36985
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Have pcapng_read_block() take two pointers to a section_info_t as
arguments - one for the current section, if any, and one to something to
fill in, as information for the new section, if the block is an SHB.
The first of them is null when we're trying to read the first block;
that serves as an indication that "not an SHB" means "this file isn't a
pcapng file" rather than "this pcapng file is bad".
Change-Id: I1b0a8bfacde982b819e548847bcc9412d30788f3
Reviewed-on: https://code.wireshark.org/review/36984
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Move the byte order - and version - fields out of the per-file pcapng_t
structure and put them in a per-section section_info_t structure that
also contains the file offset of the SHB at the beginning of the
section.
Have a GArray of section_info_t structures pointed to by the pcapng_t
structure; update it as Section Header Blocks are read sequentially,
adding new structures.
In the random read routine, search backwards through the array of
section_info_t structures, looking for the first section where the SHB
is at or before the offset from which we're reading.
Change-Id: Iad06c8d1ff10595707b73f297f073803b5a0c8e5
Ping-Bug: 15707
Reviewed-on: https://code.wireshark.org/review/36981
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
When using wiretap to create a pcapng file,
the drop_count field from the wtap_packet_header
in wiretap/wtap.h is not being dumped to the file
in pcapng_write_enhanced_packet_block function.
Bug: 16062
Change-Id: Id9b8dbd1f7406e019fab00ff7a4167ab27543f62
Reviewed-on: https://code.wireshark.org/review/34836
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We were using fields in the pcapng_t that weren't set yet to report the
version number in question; use the variables we were checking.
Change-Id: Ib03bafe62d8c7b1aa54b2ef22640e3b00722142a
Ping-Bug: 15862
Reviewed-on: https://code.wireshark.org/review/33671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use the local one *only* while we're trying to determine whether we have
a pcapng file or not; once we know we have a pcapng file, and have
allocated a pcapng_t and attached it to the wtap structure, pass *that*
one to pcapng_read_block(), so if it changes anything in the pcapng_t,
it changes the one we're using.
Change-Id: I53b32595276be97957a0b6056171471878fa40c4
Reviewed-on: https://code.wireshark.org/review/33226
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There is no FCS length information for a pcapng file; there's FCS length
information for each interface.
Change-Id: I3abb1a35b28475aa3ad6f126060140d0a524bbca
Reviewed-on: https://code.wireshark.org/review/33215
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it - and the routines that implement it - work more like the
seek-read routine.
Change-Id: I0cace2d0e4c9ebfc21ac98fd1af1ec70f60a240d
Reviewed-on: https://code.wireshark.org/review/32727
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add macros to extract the direction, reception type, and FCS length
fields of the pack_flags field, and add definitions for different
directions and reception types.
Add a macro to construct a pack_flags field value from subfields; this
is for use by non-pcapng file readers (the pack_flags field is just a
copy of the EPB flags option, so that's not needed for pcapng).
Move some #defines for that field from packet-frame.c to wtap.h, and
rename them to match the new macros.
Use the macros rather than rolling our own code.
Fix a variable name in text2pcap.c that apparently had the wrong name,
given the value that was being tested.
Change-Id: Ia788ca4e9f5fabd8d24e6ead5ff1817509f54827
Reviewed-on: https://code.wireshark.org/review/32010
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The memory ownership of wtap_rec::opt_comment was not clear. Users of
wtap were leaking memory (editcap.c). wtap readers were not sure about
freeing old comments (erf) or simply ignored memleaks (pcapng).
To fix this, ensure opt_comment is owned by wtap_rec and free it with
wtap_rec_cleanup. The erf issue was already addressed since
cf_get_packet_comment properly duplicates wth.opt_comment memory.
- wtap file formats (readers):
- Should allocate memory for new comments.
- Should free a comment from an earlier read before writing a new one.
- Users of wth:
- Can only assume that opt_comment remains valid until the next read.
- Can assume that wtap_dump does not modify the comment.
- For random access (wtap_seek_read): should call wtap_rec_cleanup
to free the comment.
The test_tshark_z_expert_comment and test_text2pcap_sip_pcapng tests now
pass when built with ASAN.
This change was created by carefully looking at all users opt
"opt_comment" and cf_get_packet_comment. Thanks to Vasil Velichkov for
an initial patch which helped validating this version.
Bug: 7515
Change-Id: If3152d1391e7e0d9860f04f3bc2ec41a1f6cc54b
Reviewed-on: https://code.wireshark.org/review/31713
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Vasil Velichkov <vvvelichkov@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Manually checked all callers of wtap_seek_read to ensure that
wtap_rec_cleanup is called. Added missing wtap_rec_cleanup to:
- Completion of sequential read: wtap_sequential_close
- Callers of wtap_seek_read:
- users of cf_read_record_r:
- PacketListRecord::dissect
This fixes one of the two ASAN memleak reports while running
test_tshark_z_expert_comment and test_text2pcap_sip_pcapng (the other is
about opt_comment which is still unfixed).
Vasil Velichkov also found this issue and came up with a similar fix.
Change-Id: I54a6aa70bfdb42a816d03ad4861d0ad821d0ef88
Reviewed-on: https://code.wireshark.org/review/31709
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
After redissection, the TLS dissector did not remember the DSB secrets
anymore. Since the secrets callback is only invoked on the sequential
read in wtap, be sure to reapply the existing DSBs to the new session.
Bug: 15252
Change-Id: I125f095acb8d577c2439a10e3e65c8b3cfd976b9
Reviewed-on: https://code.wireshark.org/review/31584
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
What we were calling the "name" is actually a description to show to
users; what were calling the "short name" is just the name to use on the
command line.
Rename some routines and structure members, and put the name first and
description second in the table.
Expand some descriptions to give more details (e.g., to be more than
just a capitalized version of the name).
Fix the CamelCase capitalization of InfiniBand.
Change-Id: I060b8bd86573880efd0fab044401b449469563eb
Reviewed-on: https://code.wireshark.org/review/31472
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a new secrets API to the core, one that can outlive the lifetime of
a single capture file. Expose decryption secrets from wiretap through a
callback and let the secrets API route it to a dissector.
Bug: 15252
Change-Id: Ie2f1867bdfd265bad11fc58f1e8d8e7295c0d1e7
Reviewed-on: https://code.wireshark.org/review/30705
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Support reading and writing pcapng files with DSBs. A DSB may occur
multiple times but should appear before packets that need those
decryption secrets (so it cannot be moved to the end like NRB). The TLS
dissector will be updated in the future to make use of these secrets.
pcapng spec update: https://github.com/pcapng/pcapng/pull/54
As DSBs may be interleaved with packets, do not even try to read it in
pcapng_open (as is done for IDBs). Instead process them during the
sequential read, appending them to the 'wtap::dsbs' array.
Writing is more complicated, secrets may initially not be available when
'wtap_dumper' is created. As they may become available in 'wtap::dsbs'
as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference
this array. This saves every user from checking/dumping DSBs.
If the wtap user needs to insert extra DSBs (while preserving existing
DSBs), they can set the 'wtap_dumper::dsbs_initial' field.
The test file was creating using a patched editcap (future patch) and
combined using mergecap (which required a change to preserve the DSBs).
Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9
Ping-Bug: 15252
Reviewed-on: https://code.wireshark.org/review/30692
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add an sdjournal extcap, which reads journal entries using the
sd-journal API and dumps them as journal Export Format records.
Change-Id: I17ccfa88ab5d053c16c869cd26e580d84022502e
Reviewed-on: https://code.wireshark.org/review/29479
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We shouldn't set any rec_header.syscall_header fields in
pcapng_read_systemd_journal_export_block.
Change-Id: I920accdbcdcdbf6d71324c8d9d6d562511f6a9d1
Reviewed-on: https://code.wireshark.org/review/29895
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Either pcap_process_pseudo_header() returns -1, in which case we fail,
or it returns the exact same value as pcap_get_phdr_size(). If we don't
fail, don't bother to check whether the values are the same.
Change-Id: I18191cc3de2a1c2144ca9b508ed17b2f593fc835
Reviewed-on: https://code.wireshark.org/review/29879
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We always tell pcap_process_pseudo_header() to check to make sure the
pseudo-header isn't bigger than the captured data; no need for a flag
argument to tell it to do so.
Change-Id: I8310bb06a390a7f4a7a232ad140ae07955d52da1
Reviewed-on: https://code.wireshark.org/review/29833
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add the ability to specify maximum function counts for each group to
checkAPIs. Add maximum counts for the "termoutput" and "abort" groups
where needed. Show summaries in various checkAPI targets.
Switch uses of ws_g_warning back to plain g_warning.
Change-Id: I5cbddc8c671729e424eed8551f69116d16491976
Reviewed-on: https://code.wireshark.org/review/29721
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Support for writing it in live captures will come later; this change,
but not that one, will be backported so older versions of Wireshark
won't remove it when writing a file out.
Change-Id: I9fd4067991acfd2d18c03d0a373ce8337a9f3a76
Reviewed-on: https://code.wireshark.org/review/29064
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Those should always be reported, as they indicate that a block type
plugin is trying to do something we don't allow.
We should probably have a mechanism by which ws_g_warning() messages are
logged to the standard error for command-line programs, logged to an
error message window for GUI programs, and logged to some form of system
log for daemons. For now, it's a good way to log non-fatal errors that
should always be shown in *some* fashion, as well as to mark messages
that should be handled in the form described in the previous sentence.
Change-Id: Ieedf87fc2dd3184a4466ae69af01f799165c1b70
Reviewed-on: https://code.wireshark.org/review/27519
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do it before we even *try* to read the block, so that it's done in one
place rather than having to be done in every routine to handle
particular block types.
The check was missing in the routine to read sysdig event blocks, so if
we got a huge sysdig even block we'd try to allocate a huge amount of
memory.
Bug: 14403
Change-Id: Iff0fb0387e4499420598361be6d241f2832042d7
Reviewed-on: https://code.wireshark.org/review/25702
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's only being used as a working buffer to hold the raw options data we
read in.
Change-Id: I17b812e447f575ad92394b9f957658fc655cdf8e
Reviewed-on: https://code.wireshark.org/review/25701
Reviewed-by: Guy Harris <guy@alum.mit.edu>
No need for len, and call caplen event_filelen and move it after
event_len.
Change-Id: I8b3825d4022ee083ee52f83f7a69f22829ed9fc4
Reviewed-on: https://code.wireshark.org/review/25698
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Go back to having pcapng_read_block() and
pcapng_read_section_header_block() treating SHB read errors that might
be due to the file not being a pcapng file separately from other errors.
This keeps us from treating pcapng files with malformed SHBs as not
being pcapng files, making us dissect them using the pcapng file
dissector rather than reporting the malformation.
Change-Id: I1d92cc4ac521668b88638b2b3ed5257340451798
Ping-Bug: 14402
Reviewed-on: https://code.wireshark.org/review/25675
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Some blocks should be returned by wtap_read(), others are just processed
internally. Add a Boolean flag to wtapng_block_t, have the routines
that read particular block types set it appropriately, and have the read
and seek-read routines check that flag rather than checking for the
block types that should be returned. Pass a pointer to the
wtapng_block_t to packet type plugin read routines, rather than passing
it some members of the wtapng_block_t.
This means that 1) for new block types, we don't have to update any
tests and 2) plugin handlers for block types can indicate whether they
processed the block internally and the caller shouldn't see it or 2) the
block should be provided to the caller.
Bug: 14388
Change-Id: Iccc2031a277f55c7fa8b4f692c776b482b792b4f
Reviewed-on: https://code.wireshark.org/review/25609
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It either returns "OK" or "fail", so we might as well make it a Boolean.
While we're at it, in pcapng_open(), handle EOF/short read and "invalid
file" errors when trying to read the first block differently; for the
first of those, we don't need to free *err_info, and this may be a bit
safer in case *err_info didn't happen to be set to NULL somewhere along
the line.
Change-Id: If8135624e3efb7838dceeb28e30e5c8c4b064786
Reviewed-on: https://code.wireshark.org/review/25608
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It either returns "OK" or "fail", so we might as well make it a Boolean,
just as is the case with read routines for other block types.
Update some comments while we're at it.
Change-Id: I40b378d4e3c3cfb96687298b22a6f8f9f78d9240
Reviewed-on: https://code.wireshark.org/review/25607
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check for "is an error" rather than "isn't OK".
Change-Id: Ib8f4ac44f70d71ff44658801e01807344032dd60
Reviewed-on: https://code.wireshark.org/review/25603
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have pcapng_read_section_header_block(),
pcapng_read_section_header_block(), and pcapng_read_block() just return
errors when they get errors or get a non-SHB block; let pcap_open() turn
EOF, short read, and "bad file" into "not a pcapng file" rather than
"read error".
Change-Id: If018d21ffe3de3fe7eb1f8f2973f80f685c89274
Reviewed-on: https://code.wireshark.org/review/25601
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't allow overriding of the block types we support in libwiretap - it
won't work anyway, as we check for those types first, and only look for
plugins for types we don't support.
Don't allow registering for any of the reserved types; if you aren't
going to use a local type, you have to get your type registered.
We *do* allow registering plugins for types that are registered but that
we don't support natively.
Change-Id: I2046d297b0503d3a77c83166b07ca226c0b18e82
Reviewed-on: https://code.wireshark.org/review/25583
Reviewed-by: Guy Harris <guy@alum.mit.edu>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The check that the pcapng code does is "do we have a non-null
addrinfo_lists_t * and, if so, does it have a non-null ipv4_addr_list or
ipv6_addr_list"?
The check that the file-save code was using was just "do we have a
non-null addrinfo_lists_t *", so sometimes it'd think we couldn't do a
"quick save" even though we had no name resolution information to write
out to the capture file.
Make a routine that does that check, and use it in *both* places.
Change-Id: Id4720f4fe4940354320b2b7621ca5e37e45ec1f3
Reviewed-on: https://code.wireshark.org/review/25055
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Either 1) it can be determined from the libwiretap encapsulation type,
in which case it's redundant information or 2) there *is* no pcap/pcapng
link-layer header type for that encapsulation type, in which case you
need to check for the attempt to determine it failing and handle that
failure appropriately.
Change-Id: Ie9557b513365c1fc8c6df74b9c8239e29aad46bc
Reviewed-on: https://code.wireshark.org/review/21924
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Avoid anachronisms, however; there was no "macOS 10.0" or even "OS X
10.0", for example. It was "Mac OS X" until 10.8 (although 10.7 was
sometimes called "OS X" and sometimes called "Mac OS X"), and it was "OS
X" from 10.8 to 10.11.
Change-Id: Ie4a848997dcc6c45c2245c1fb84ec526032375c3
Reviewed-on: https://code.wireshark.org/review/20933
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Changed to use correct option_id when reading IDB.
Change-Id: Id3a3b3cd95f9d7bcf51de001cfe246beb98590ad
Reviewed-on: https://code.wireshark.org/review/20663
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Allow file_read() to take a null pointer as a buffer argument; a null
argument means "do everything except copy the bytes from the file to the
user buffer". That means that wtap_read_bytes() and
wtap_read_bytes_or_eof() also support a null pointer as a buffer
argument.
Use wtap_read_bytes() with a null buffer argument rather than
file_skip() to skip forward over data.
This fixes some places where files were mis-identified as ERF files, as
the ERF open heuristics now get a short "read" error if they try to skip
over more bytes than exist in the file.
Change-Id: I4f73499d877c1f582e2bcf9b045034880cb09622
Reviewed-on: https://code.wireshark.org/review/17974
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcapng_open and pcapng_read have 'wblock' allocated on the stack, so if
they return, they do not have to set wblock.block to NULL.
pcapng_read_block always sets wblock->block to NULL and may initialize
it for SHB, IDB, NRB and ISB. Be sure to release the memory for IDB and
ISB. It is better to have more wtap_block_free calls on a NULL value
than missing them as this would be a memleak (on the other hand, do not
release memory that is stored elsewhere such as SHB and NRB).
Ping-Bug: 12790
Change-Id: I081f841addb36f16e3671095a919d357f4bc16c5
Reviewed-on: https://code.wireshark.org/review/17362
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Also, rename routines that write out an option write_wtap_XXb_option()
from write_wtap_XXb_block().
Change-Id: I4884a2f5275a5e2e32137b47255fac6995f311ef
Reviewed-on: https://code.wireshark.org/review/16566
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way, we don't have to worry about multiple instances of an option
pointing to the same data. and having to worry about freeing data that's
pointed to by another instance.
Change-Id: I3470a9eebf346023713fd0d6ff2451d727c25089
Reviewed-on: https://code.wireshark.org/review/16471
Reviewed-by: Guy Harris <guy@alum.mit.edu>
A block can have zero or more instances of a given option. We
distinguish between "one instance only" options, where a block can have
zero or one instance, and "multiple instances allowed" options, where a
block can have zero or more instances.
For "one instance only" options:
"add" routines add an instance if there isn't one already
and fail if there is;
"set" routines add an instance if there isn't one already
and change the value of the existing instance if there is one;
"set nth" routines fail;
"get" routines return the value of the instance if there is one
and fail if there isn't;
"get nth" routines fail.
For "multiple instances allowed" options:
"add" routines add an instance;
"set" routines fail;
"set nth" routines set the value of the nth instance if there is
one and fail otherwise;
"get" routines fail;
"get nth" routines get the value if the nth instance if there is
one and fail otherwise.
Rename "optionblock" to just "block"; it describes the contents of a
block, including both mandatory items and options.
Add some support for NRB options, including IPv4 and IPv6 option types.
Change-Id: Iad184f668626c3d1498b2ed00c7f1672e4abf52e
Reviewed-on: https://code.wireshark.org/review/16444
Reviewed-by: Guy Harris <guy@alum.mit.edu>
VS Code analysis considers them hardcoded values so the if statement is either
always true or always false.
Change-Id: Iabb8462b66f728195bf378ae26c79a783feddb03
Reviewed-on: https://code.wireshark.org/review/16422
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add REC_TYPE_SYSCALL to wiretap and use it for Sysdig events. Call the
Sysdig event dissector from the frame dissector. Create a "syscall"
protocol for system calls, but add "frame" items to it for now.
Add the ability to write Sysdig events. This lets us merge packet
capture and syscall capture files.
Change-Id: I12774ec69c89d8e329b6130c67f29aade4e3d778
Reviewed-on: https://code.wireshark.org/review/15078
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That's not "the biggest record we're willing to write", it's "the
biggest record the pcapng format supports, as the record length is a
16-bit field".
Change-Id: Icbd5e0cc4ed8e2a3a0d474245a9b9ed2c999d520
Reviewed-on: https://code.wireshark.org/review/15818
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(cherry picked from commit 09de28933f9a17d4472206e1ac4b7c92001e44f5)
Reviewed-on: https://code.wireshark.org/review/15820
The IPv6 comments gave more details.
Change-Id: I4e4d865feadbabfd625cdf2b2b162b99c4f23efa
Reviewed-on: https://code.wireshark.org/review/15815
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The data is not applied anywhere, just stored. The first Section Header block
is still the only one that is used to read a pcapng file.
Change-Id: If9546401101d2fe79b2325bacbd597b92127e86e
Reviewed-on: https://code.wireshark.org/review/15705
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Done for performance improvements.
This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.
Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
This doesn't try to use any data from multiple Name Resolution blocks, it
just converts single Name Resolution block usage into a GArray, so the
potential is there to then use/support multiple Name Resolution blocks
within a file format (like pcapng)
Change-Id: Ib0b584af0bd263f183bd6d31ba18275ab0577d0c
Reviewed-on: https://code.wireshark.org/review/15684
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This doesn't try to use any data from multiple Section Header blocks, it
just converts single Section Header block usage into a GArray, so the
potential is there to then use/support multiple Section Header blocks
within a file format (like pcapng)
Change-Id: I6ad1f7b8daf4b1ad7ba0eb1ecf2e170421505486
Reviewed-on: https://code.wireshark.org/review/15636
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The write functionality was too PCAPNG-specific and the intention is to
keep the option blocks as generic as possible.
So moved the write functionality back to pcapng.c and added a
wtap_opttype API to loop through all options in the block
(wtap_optionblock_foreach_option)
Change-Id: Iaf49126a1a3e2ed60ae02c52878ca22671dac335
Reviewed-on: https://code.wireshark.org/review/15525
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Also add a length parameter to wtap_optionblock_set_option_string
Change-Id: I8c7bbc48aa96b5c2a91ab9a17980928d6894f1ee
Reviewed-on: https://code.wireshark.org/review/15505
Reviewed-by: Anthony Coddington <anthony.coddington@endace.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
git/epan/dissectors/packet-a21.c:478:25: error: 'item' was marked unused but was used
[-Werror,-Wused-but-marked-unused]
proto_item_append_text(item, "%s", val_to_str_const(event_id, a21_event_vals, "Unknown"));
^
Added manual change id because file-jpeg.c forced the use of commit -n
Change-Id: Iffff53d6253758c8454d9583f0a11f317c8390cb
Reviewed-on: https://code.wireshark.org/review/14666
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
Make a more formal method for registering options within a block and do it all with a single function (wtap_optionblock_add_block).
Add ability for block to be able to write itself, refactored out of pcapng.c. This was implemented for SHB, ISB, and IDB blocks. Name resolution (NRB), while possible, seemed a little messy for the moment.
Change-Id: Ie855c8550c7c7d96cfc188c0cd90bfbc4d5f0ee8
Reviewed-on: https://code.wireshark.org/review/14357
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 12173
Change-Id: Ifff28491073d50e088b26847830a3bc8835f4282
Reviewed-on: https://code.wireshark.org/review/14180
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 12174
Change-Id: I82eb0ac75f2e03f15c2f016e9b7ff72fdc7044f5
Reviewed-on: https://code.wireshark.org/review/14179
Reviewed-by: Michael Mann <mmann78@netscape.net>
If it's 0x1A2B3C4D, that means it has the same byte order as the
instruction set for which Wireshark was built[*]; if it's 0x4D3C2B1A, it
means it has the opposite byte order. (We assume no "middle-endian"
machines here; it's extremely unlikely that any of this code will ever
work on a PDP-11.)
Wireshark *does* work on big-endian machines (if there are any places
where it doesn't, those are bugs that must be fixed), so we can't assume
that "same byte order as our instruction set" means "little-endian".
[*]If, for example, you run a PowerPC binary under Rosetta, it'll act as
if big-endian is the native byte order, even though it's running on a
little-endian machine.
Change-Id: Ic438bd85c034f1fba276408ba30214d7078121d1
Reviewed-on: https://code.wireshark.org/review/14133
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't use the byte order from any previously-seen SHB, as it might be
different.
Bug: 12167
Change-Id: I19a81f81f2e8115938387487e2682b8b11a100fe
Reviewed-on: https://code.wireshark.org/review/14131
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We don't need to allocate an WTAP_OPTION_BLOCK_IF_DESCR option block;
don't use the value we allocated.
We must not allocate an WTAP_OPTION_BLOCK_IF_STATS option block until we
need it, as we may have to allocate *more than one* of them here! The
old code would reuse the same block, adding it more than once, causing a
"freeing already freed data"/"freeing non-allocated data" error on some
platforms.
Change-Id: I8582627c1f5deecfd4f6490dcdf8c31ee3809d12
Reviewed-on: https://code.wireshark.org/review/14130
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This was inspired by https://code.wireshark.org/review/9729/, but takes it in a different direction where all options are put into an array, regardless of whether they are "standard" or "custom". It should be easier to add "custom" options in this design. Some, but not all blocks have been converted.
Descriptions of some of the block options have been moved from wtap.h to pcapng.h as it seems to be the one that implements the description of the blocks.
Also what could be added/refactored is registering block behavior.
Change-Id: I3dffa38f0bb088f98749a4f97a3b7655baa4aa6a
Reviewed-on: https://code.wireshark.org/review/13667
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Include the pcapng block name in every error message to give user a better hint as to where the error is
Bug: 8798
Change-Id: Idd80a8541ac37a42b9bd2e988fa8da1ce7bc91a0
Reviewed-on: https://code.wireshark.org/review/13310
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
pcapng.c:461:31: warning: ISO C forbids passing argument 3 of 'g_hash_table_insert' between function pointer and 'void *' [-Wpedantic]
pcapng.c:1404:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
pcapng.c:1918:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
Change-Id: I535633098cc5d37442732dd92e8c9d3cda36631a
Reviewed-on: https://code.wireshark.org/review/12161
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
It doesn't actually *close* any handle, so it's best called a "finish"
routine rather than a "close" routine.
In libwiretap modules, don't bother setting the finish routine pointer
to null - it's already initialized to null (it's probably best not to
require modules to set it).
Change-Id: I19554f3fb826db495f17b36600ae36222cbc21b0
Reviewed-on: https://code.wireshark.org/review/11659
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(And with #defines of read as _read and write as _write on Windows,
which might make structure members have surprising names if you try to
look at them in a debugger.)
Change-Id: Iaab5622cbde216d5fedd4bc014c83e4eef95f8a0
Reviewed-on: https://code.wireshark.org/review/11631
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Move the definitions of hashipv4_t and hashipv6_t to wiretap/wtap.h, as
that's the main place they're used. Change them a bit not to depend on
other stuff from libwireshark, and change the code as required by those
changes.
This should fix the Solaris build; apparently, the Sun^WOracle compiler
is generating code for static inline functions even if they're never
called, so that libwiretap ends up including code that calls tvbuff and
wmem functions.
There's probably further cleanup that could be done here, but this
should at least fix the build, as well as getting rid of a dependency
between two libraries that are at least somewhat independent (libwiretap
should *not* depend on libwireshark, as some programs use libwiretap but
not libwireshark, and, ultimately, we probably want it to be possible to
use libwireshark without libwiretap but that'd be more work).
Change-Id: I91c745282f17d7c8bff7809aa277eab2b3cf47c1
Reviewed-on: https://code.wireshark.org/review/11537
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Remove variadic macros restriction (c99, c++11 feature) from
README.developer. GCC, Clang, MSVC 2005 all support it.
Enable -Wno-variadic-macros in configure.ac and CMakeLists.txt when
-Wpedantic is enabled (which would enable -Wvariadic-macros).
For all files matching 'define\s*\w+[0-9]\(', replace "FOO[0-9]" by
"FOO" and adjust the macro definition accordingly. The nbap dissector
was regenerated after adjusting its template and .cnf file. The
generated code is the same since all files disabled the debug macros.
Discussed at:
https://www.wireshark.org/lists/wireshark-dev/201209/msg00142.htmlhttps://www.wireshark.org/lists/wireshark-dev/201510/msg00012.html
Change-Id: I3b2e22487db817cbbaac774a592669a4f44314b2
Reviewed-on: https://code.wireshark.org/review/10781
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If a pcapng Name Resolution Block has options, they should not screw up the
pcapng reader and cause it to fail to read the file.
Bug: 11485
Change-Id: Ic27cba937b6d93a3d9ed92522ed6b39ae2daeb8f
Reviewed-on: https://code.wireshark.org/review/10307
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Per the spec, it's always encoded in network order (4 separate bytes), and
thus should not be swapped on read.
Bug: 11484
Change-Id: I6a650896b324f42bfd2e05759c84e87ace733372
Reviewed-on: https://code.wireshark.org/review/10304
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
An IDB snaplen of 0 means no limit, so a Simple Packet Block's capture
length should be the same as its encoded packet length in such a case.
Bug: 11483
Change-Id: I8856d6c6a669a0048ea64b3adbd23c37a598431d
Reviewed-on: https://code.wireshark.org/review/10303
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
*Especially* don't stuff the amount of remaining data in a block into an
int that will then be passed to file_skip() as an amount to skip ahead,
as a Really Large Value will turn into a negative value and produce
various forms of bizarre and tricky-to-debug behavior.
Change-Id: I4d0a6b36fe50df84925690ad688a3ab0433ceb17
Reviewed-on: https://code.wireshark.org/review/10299
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If a host name is *so* long that an entry for it won't fit in a
65535-byte Name Resolution Block record, ignore the entry for that host.
Use more appropriate data types (guint32 for sizes that are 32-bit
unsigned integers, guint16 for the host name length as it'd better fit
in 16 bits).
Clean up some comments.
Remove a _U_ that's applied to a variable that *is* used.
Change-Id: I153d5aa885105149c62a5e5d2b78b54cf6ed7b4e
Reviewed-on: https://code.wireshark.org/review/9917
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make pcapng decode options in an NRB during read, and store the comment
option, and write it back out as well. Also make it handle plugin handlers
for unknown options in received NRB(s).
Change-Id: I81863ef8d85cb1c8b5ba6673ba0e562efe77714f
Reviewed-on: https://code.wireshark.org/review/9723
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It points to an array of bytes, not a character string.
Add some casts to squelch other Sun/Oracle C warnings.
Clean up some comments while we're at it.
Change-Id: Id0908178cb00d537e95569b9ce6f745c8fd6d716
Reviewed-on: https://code.wireshark.org/review/8369
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Most of our sites are now HTTPS-only. Update URLs accordingly. Update
other URLs while we're at it. Remove or comment out dead links.
Change-Id: I7c4f323e6585d22760bb90bf28fc0faa6b893a33
Reviewed-on: https://code.wireshark.org/review/7621
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Due to an off-by-one error an invalid ISB interface ID could make us
fetch past the end of a GArray. Found using American Fuzzy Lop.
Bug: 10895
Change-Id: I7d4049ad7a386ae7e8013b8e741d54a31f353f1f
Reviewed-on: https://code.wireshark.org/review/6798
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
That indicates that it's a problem specific to *writing* capture files;
we've already converted some errors to that style, and added a new one
in that style.
Change-Id: I8268316fd8b1a9e301bf09ae970b4b1fbcb35c9d
Reviewed-on: https://code.wireshark.org/review/5826
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For cases where record (meta)data is something that can't be written out
in a particular file format, return WTAP_ERR_UNWRITABLE_REC_DATA along
with an err_info string.
Report (and free) that err_info string in cases where
WTAP_ERR_UNWRITABLE_REC_DATA is returned.
Clean up some other error reporting cases, and flag with an XXX some
cases where we aren't reporting errors at all, while we're at it.
Change-Id: I91d02093af0d42c24ec4634c2c773b30f3d39ab3
Reviewed-on: https://code.wireshark.org/review/5823
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: Icc5c9cff43be6c073f0467607555fa7138c5d074
Reviewed-on: https://code.wireshark.org/review/5797
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcapng_read_block() never sets *err_info if it returns
PCAPNG_BLOCK_NOT_SHB - that happens on an EOF, a short read, or on a
successful read of something that doesn't look like an SHB.
Change-Id: I23ad6aa1c95d800b068a798a4aad1d70d07ac281
Reviewed-on: https://code.wireshark.org/review/5686
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We only create hash tables if somebody puts a handler in one, so we need
to check whether the hash table exists first, to avoid run-time warnings.
Change-Id: I739d2d808935e651b11bd44b258f168a42ca4b7c
Reviewed-on: https://code.wireshark.org/review/5683
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up a comment and indentation while we're at it.
Change-Id: Ia2b0a3f642849dcd464e04cdca13ff05c2fbe2e6
Reviewed-on: https://code.wireshark.org/review/4717
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Nothing from the SHB gets stored in the interfaces array - it's filled
in from IDBs - so it doesn't need to exist when we read the first SHB,
and thus doesn't need to be freed if the attempt to read the SHB gets an
error or a "this isn't a pcap-ng file" indication.
Update a comment while we're at it.
Change-Id: Ie67edb52dcf13c974607e95e290661bf48be68ae
Reviewed-on: https://code.wireshark.org/review/4711
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The block read routines don't need to return a "bytes read" amount any
more.
Have pcapng_read_block() just return an indication:
PCAPNG_BLOCK_OK - the read succeeded;
PCAPNG_BLOCK_NOT_SHB - the read failed in a fashion that
indicates that we might just not be reading a pcap-ng file;
PCAPNG_BLOCK_ERROR - the read failed in some other fashion
(i.e., we already have concluded that the file is a pcap-ng
file, or we got an I/O error).
In the cases where it needs to know whether it's reading the first block
for an open, have it check the shb_read flag, rather than being passed a
separate Boolean argument.
This means that pcapng_read_section_header_block() should return such an
indication as well.
Make the other block-reading routines return a Boolean success/failure
indication.
Change-Id: Id371457018a008ece9058d6042da44d631e51889
Reviewed-on: https://code.wireshark.org/review/4710
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't check a possibly-byte-swapped length against the minimum SHB size;
it'll probably look huge if it's byte-swapped, so the test won't fail
even if it is too small, and a really huge SHB's length could look too
small if it's byte-swapped.
Do the check *after* we've read the fixed-length portion of the block;
yes, that means we've read past the purported size of the block at that
point, but if that read succeeds, that doesn't matter, and if that read
fails, it just means we'll report "file cut short" rather than "bad SHB
length", *both* of which are problems with the file.
Change-Id: Ie3b5700662f2a6da40d373a84f00a8fc2cf0ce1b
Reviewed-on: https://code.wireshark.org/review/4692
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Recent changes must have made it not do so in some cases, and
our current version of file_tell(), unlike ftell() around which the
older file_tell() was a wrapper, is known to be cheap (ftell() would
make a system call to get the position). Just use file_tell() before
each read.
(Further cleanup is called for.)
Bug: 10568
Change-Id: Ib92057b2b87ec6eb16fd612bc91baeb668d1e1c7
Reviewed-on: https://code.wireshark.org/review/4691
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check whether the block-type hash table exists before trynig to look
up anything in it.
Change-Id: I0aeb7f6454903bfcbdd0716909a0b72851d87233
Reviewed-on: https://code.wireshark.org/review/4689
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up some things we ran across while making those changes.
Change-Id: Ic0d8943d36e6e120d7af0a6148fad98015d1e83e
Reviewed-on: https://code.wireshark.org/review/4581
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Unlike the standard I/O routines, the code we introduced that supports
fast random seeking on gzipped files will always supply some specific
error code for read errors, so we don't need WTAP_ERR_CANT_READ.
Add WTAP_ERR_CANT_WRITE for writing, as we're still using the standard
I/O routines for that. Set errno to WTAP_ERR_CANT_WRITE before calling
fwrite() in wtap_dump_file_write(), so that it's used if fwrite() fails
without setting errno.
Change-Id: I6bf066a6838284a532737aa65fd0c9bb3639ad63
Reviewed-on: https://code.wireshark.org/review/4540
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Pcap-ng files don't have a per-file time stamp resolution, they have a
per-interface time stamp resolution. Add new time stamp resolution
types of "unknown" and "per-packet", add the time stamp resolution to
struct wtap_pkthdr, have the libwiretap core initialize it to the
per-file time stamp resolution, and have pcap-ng do the same thing with
the resolution that it does with the packet encapsulation.
Get rid of the TS_PREC_AUTO_XXX values; just have TS_PREC_AUTO, which
means "use the packet's resolution to determine how many significant
digits to display". Rename all the WTAP_FILE_TSPREC_XXX values to
WTAP_TSPREC_XXX, as they're also used for per-packet values.
Change-Id: If9fd8f799b19836a5104aaa0870a951498886c69
Reviewed-on: https://code.wireshark.org/review/4349
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The dump of the address info list must be differed to the end of the processing so as to know which host name was actually used in the capture
Bug: 10507
Change-Id: I44dbfae918d4ae92f9740c309804c7ff21bb4e1b
Reviewed-on: https://code.wireshark.org/review/4327
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Make sure to zero the *entire* thing, and only access it as a given type when
that's the type indicated by the (non-union) type field.
Bug: 10498
Change-Id: I3e94a9c5d399d3ee4aedcd49f1aa2d7678ecf7ce
Reviewed-on: https://code.wireshark.org/review/4273
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
Should fix the remaining test suite failures.
Change-Id: I50a6cb1bf57bd6a973d4777349708b75aeb41620
Reviewed-on: https://code.wireshark.org/review/4264
Reviewed-by: Evan Huus <eapache@gmail.com>
I *think* I got all the cases; I got most of them, at any rate, and enough to
shut up valgrind in all the test cases I ran.
Change-Id: I393bac0756f577b65e400b792f6719fa6ec4056a
Reviewed-on: https://code.wireshark.org/review/4244
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Evan Huus <eapache@gmail.com>
The only place where a short read should be treated as an EOF is if the
read of the block header reads 0 bytes. All other short reads,
including reads of the block header returning at least 1 byte but not
enough for a complete block header, and any reads of the stuff
*following* the block header even if they return 0 bytes, should be
treated as "short read" errors.
If the option length is bigger than the option buffer size, treat that
as a bad file (I'm not sure that can happen, so maybe it should be
treated as an internal error instead).
Use file_skip() rather than file_seek() when skipping forward N bytes.
If it fails, treat that as an error under all circumstances.
When reading the first section header block in the open routine, have
pcap_read_block() return -2 if it doesn't look like an SHB (too short,
wrong block type, bad block length, unknown byte-order magic number), as
that means the file isn't a pcap-ng file and the open should return 0.
Return -1, not 0, for all errors in various block-reading routines.
file_seek() returning 0 is *not* an error. file_seek() returning -1 (or
any other negative number *is* an error; its return value is signed, so
don't assign it to an unsigned variable.
This might fix the test errors for the Lua file format handler tests.
Change-Id: Ifa7d9834c38bf238461c9cc9625a2aa761cb6ff2
Reviewed-on: https://code.wireshark.org/review/4238
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pcap_read_block() takes err and err_info arguments, and sets them on
error; no need to call file_error() if pcap_read_block() fails.
Change-Id: I33b96d31395bf7d66abdecbebd5cf775e8662004
Reviewed-on: https://code.wireshark.org/review/4209
Reviewed-by: Guy Harris <guy@alum.mit.edu>
In particular, epan/wslua/lrexlib.c has its own buffer_ routines,
causing some linker warnings on some platforms, as reported in bug
10332.
(Not to be backported to 1.12, as that would change the API and ABI of
libwsutil and libwiretap. We should also make the buffer_ routines in
epan/wslua/lrexlib.c static, which should also address this problem, but
the name change avoids other potential namespace collisions.)
Change-Id: I1d42c7d1778c7e4c019deb2608d476c52001ce28
Reviewed-on: https://code.wireshark.org/review/3351
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Otherwise, if you link with both libwiretap and libfiletap, it's
anybody's guess which one you get. That means you're wasting memory
with two copies of its routines if they're identical, and means
surprising behavior if they're not (which showed up when I was debugging
a double-free crash - fixing libwiretap's buffer_free() didn't fix the
problem, because Wireshark happened to be calling libfiletap' unfixed
buffer_free()).
There's nothing *tap-specific about Buffers, anyway, so it really
belongs in wsutil.
Change-Id: I91537e46917e91277981f8f3365a2c0873152870
Reviewed-on: https://code.wireshark.org/review/3066
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have two different classes of file-type-specific records - "events" and
"reports". An "event" indicates something that happened in the capture
process, such as a status transition on the network; a "report" just
gives information not corresponding to something happening in the
capture process, such as capture statistics.
Note that both of those should be dissected and displayed like packets,
and leave open the possibility of file-type-specific records whose
contents should be processed and saved but not displayed in the packet
list.
Shorten "file_type_specific" to "ft_specific".
Change-Id: I2342d82ef992c794b76f354c057823dd5eb371e6
Reviewed-on: https://code.wireshark.org/review/1779
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We rename "file format" plugins to "libwiretap" plugins, as they can
register as read handlers for a new file type, read/write handlers for a
pcap-ng block type (or both).
To register as a pcap-ng block type handler, in the
register_wtap_module() routine of your plugin, call
register_pcapng_block_type_handler() with the pcap-ng block type and
pointers to your routines to read and write those blocks. Those
routines should read and write REC_TYPE_FILE_TYPE_SPECIFIC records, with
the block type in the pseudo-header for the record in the struct
wtap_pkthdr structure, with time stamps stored in that structure, and
with a blob of data for the rest of the record.
This is for bug 8590.
Change-Id: I71847d834854a29ceb85894fd094c2ae91a04273
Reviewed-on: https://code.wireshark.org/review/1775
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a "record type" field to "struct wtap_pkthdr"; currently, it can be
REC_TYPE_PACKET, for a record containing a packet, or
REC_TYPE_FILE_TYPE_SPECIFIC, for records containing file-type-specific
data.
Modify code that reads packets to be able to handle non-packet records,
even if that just means ignoring them.
Rename some routines to indicate that they handle more than just
packets.
We don't yet have any libwiretap code that supplies records other than
REC_TYPE_PACKET or that supporting writing records other than
REC_TYPE_PACKET, or any code to support plugins for handling
REC_TYPE_FILE_TYPE_SPECIFIC records; this is just the first step for bug
8590.
Change-Id: Idb40b78f17c2c3aea72031bcd252abf9bc11c813
Reviewed-on: https://code.wireshark.org/review/1773
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit c0c480d08c.
A better way to do this is to have the record type be part of struct wtap_pkthdr; that keeps the metadata for the record together and requires fewer API changes. That is in-progress.
Change-Id: Ic558f163a48e2c6d0df7f55e81a35a5e24b53bc6
Reviewed-on: https://code.wireshark.org/review/1741
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This is the first step towards implementing the mechanisms requestd in
bug 8590; currently, we don't return any records other than packet
records from libwiretap, and just ignore non-packet records in the rest
of Wireshark, but this at least gets the ball rolling.
Change-Id: I34a45b54dd361f69fdad1a758d8ca4f42d67d574
Reviewed-on: https://code.wireshark.org/review/1736
Reviewed-by: Guy Harris <guy@alum.mit.edu>
While investigating an ASAN issue (fixed in
commit dcdd076ab0), I got greatly confused
by three different types having the same "interface_data" field name:
* pcapng_t *pn stores an array of interface_data_t objects.
* wtap *wth stores an array of wtapng_if_descr_t objects.
* pcapng_dump_t should store an array of interface_data_t objects.
pcapng_dump_t and friends are unused since
commit c7f1a431d2, so drop it.
To fix the confusion, rename the interface_data_t type to
interface_info_t type and use the local variable "iface_info"
everywhere. Rename interface_data of pcapng_t to "interfaces" and
add a comment what this exactly means (interfaces listed in the capture
file).
Drop the number_of_interfaces field for interfaces as the array
length is already available from GArray. Now interface_data is always
initialized for wth (which also gets copied to idb).
s/int/guint/g and replace cast at some places.
There are no regressions for the in-tree test suite.
Change-Id: I2d5985c9f1e43f8230dbb4a73bd1e243c4858170
Reviewed-on: https://code.wireshark.org/review/1656
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 1abeb277f5.
This isn't building, and looks as if it requires significant work to fix.
Change-Id: I622b1bb243e353e874883a302ab419532b7601f2
Reviewed-on: https://code.wireshark.org/review/1568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Start of refactoring Wiretap and breaking structures down into "generally useful fields for dissection" and "capture specific". Since this in intended as a "base" for Wiretap and Filetap, the "wft" prefix is used for "common" functionality.
The "architectural" changes can be found in cfile.h, wtap.h, wtap-int.h and (new file) wftap-int.h. Most of the other (painstaking) changes were really just the result of compiling those new architecture changes.
bug:9607
Change-Id: Ife858a61760d7a8a03be073546c0e7e582cab2ae
Reviewed-on: https://code.wireshark.org/review/1485
Reviewed-by: Michael Mann <mmann78@netscape.net>
We don't fail for other file types; there's no point in failing for
pcap-NG. wtap_read() will ensure that caplen <= len.
Make wtap_seek_read() ensure that caplen <= len as well.
Fixes bug 10037.
Change-Id: I41fbcf54341ea0429cef875442ea1f1377177a5f
Reviewed-on: https://code.wireshark.org/review/1353
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Gerald Combs