Wiretap require registration right now. Do it.
Change-Id: I7ec4c4a4c6d3fa6625fff970f7f39f1ab74e3ef5
Reviewed-on: https://code.wireshark.org/review/14761
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Idee028bb6962a7a50d13ec45b41b71410fb92c6e
Reviewed-on: https://code.wireshark.org/review/14799
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
master-branch libpcap now generates a reentrant Flex scanner and
Bison/Berkeley YACC parser for capture filter expressions, so it
requires versions of Flex and Bison/Berkeley YACC that support that.
We might as well do the same. For libwiretap, it means we could
actually have multiple K12 text or Ascend/Lucent text files open at the
same time. For libwireshark, it might not be as useful, as we only read
configuration files at startup (which should only happen once, in one
thread) or on demand (in which case, if we ever support multiple threads
running libwireshark, we'd need a mutex to ensure that only one file
reads it), but it's still the right thing to do.
We also require a version of Flex that can write out a header file, so
we change the runlex script to generate the header file ourselves. This
means we require a version of Flex new enough to support --header-file.
Clean up some other stuff encountered in the process.
Change-Id: Id23078c6acea549a52fc687779bb55d715b55c16
Reviewed-on: https://code.wireshark.org/review/14719
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This is consistent with what the rest of the files do, and doesn't
require that the compiler explicitly be told to treat the current
directory as an include directory.
Change-Id: Iefaedd2acc936f45d5095546f8dea7167d2e88c8
Reviewed-on: https://code.wireshark.org/review/14797
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Replace getenv() calls in filesystem.c too for consistency.
Change-Id: I31425179290e556e6696953531989d93777adf92
Reviewed-on: https://code.wireshark.org/review/14752
Petri-Dish: João Valverde <j@v6e.pt>
Reviewed-by: João Valverde <j@v6e.pt>
Tested-by: João Valverde <j@v6e.pt>
Reviewed-by: Michael Mann <mmann78@netscape.net>
When the state pointer is NULL it's defensively coded against by a
NULL pointer check. Variable initialization before should then not
dereference that pointer.
Change-Id: I0ed09e2f22be5651324f43fc3fd339d2f95684c0
Reviewed-on: https://code.wireshark.org/review/14776
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Do not try to recover from truncated tvbs for fragment_add_seq-like
functions:
- If it is the first block and the dissector requested frag_data_len
number of bytes, we should not lie and pretend that we are fully
reassembled.
- For other blocks, returning NULL as no reassembly was possible makes
sense. But other fragments in the list should not be cleared as there
may be partial fragments which were returned before.
It seems that this special behavior was introduced in
b2c11b5e13 (freeing fragments and
returning NULL as an optimization when fragments are deemed not needed
anymore) and faeb2c2ee1 (for returning
fd_head for the first fragment, "so the first fragment gets dissected as
fragmented packet").
Now in theory unused fragments could stick around, but that also
possible with the normal fragment_add functions.
Bug: 11799
Change-Id: I20829c54e1b2eee25a91fe4de51b19b1458c7789
Reviewed-on: https://code.wireshark.org/review/14082
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Either use "wtap.h", if it's only for files in the wiretap directory, or
<wiretap/wtap.h>, if it's also a header that stuff outside libwiretap
can include.
Change-Id: If1c71b3dae9a3c0d64661ae1734f925319e447d1
Reviewed-on: https://code.wireshark.org/review/14788
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I0950f61e90af5bb21c0017204de0c0b509616e5c
Reviewed-on: https://code.wireshark.org/review/14747
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
When deregister_dissector is called by Lua, the protocol was not
property removed from the dependent dissectors list. Fix this and also
duplicate the memory for keys and values since these strings might be
dynamically allocated.
Fixes a use-after-free after reloading Lua dissectors that use
DissectorTable:add() and opening a new/closing an existing capture file.
Change-Id: If2ae02f155e7ab8fc653c08003755897471f9be0
Reviewed-on: https://code.wireshark.org/review/14735
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Previously, changing a packet in the packet list would lose the
currently selected field item in the packet tree. After this patch, this
issue no longer occurs because the selected field is focussed again.
The approach is to remember the header field ID on the path from a field
to its root. Limitations of the current simple approach is that multiple
fields/trees under a tree might result in the wrong selection. This is
better than nothing though.
This patch greatly helps analyzing a capture file which has the same
format, except that I need to check a data source for decrypted data.
Previously I would have to scroll down and select the field to see the
data source which also made it impossible to quickly switch between
packets and compare them.
Change-Id: Ic113ca9245fd9faa10f91182794c50cfde8d10f4
Reviewed-on: https://code.wireshark.org/review/14697
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Do not remove byte view on closing a capture file. For this to work, the
tree items must also be remembered.
Change-Id: Ice5cd1006b957e2d1331effc15c4c0a9de89916d
Reviewed-on: https://code.wireshark.org/review/14715
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Use wmem_strdup and wmem_strconcat instead of wmem_strdup_printf.
This shaves a small amount of time off of register_all_protocols on
Windows according to the Visual Studio profiler.
Change-Id: Ib6991e8de5b4fc30e960c513a3028c09dfe6a0a4
Reviewed-on: https://code.wireshark.org/review/14770
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Trying to find interfaces every androiddump run use
a lot of system resources so Wireshark can hang for a while.
Back to old behaviour and register interfaces only when
list them.
Change-Id: Ib63cad05fb47722d3b9de24abf28a86e614417cd
Reviewed-on: https://code.wireshark.org/review/14764
Reviewed-by: Michael Mann <mmann78@netscape.net>
For Broadcast address use FT_ETHER with FF:FF:FF:FF:FF:FF address
instead of string address "Broadcast".
Change-Id: I638d3d6a1baa9c965dd0a9f548cedbd81af3ec5b
Reviewed-on: https://code.wireshark.org/review/14767
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
pcap files and snoop files have different headers, so there's no
IP_OVER_IB encapsulation type, there are separate types for pcap and
snoop.
Change-Id: I00146e478d05bb11c634df0c386329db8de5635d
Reviewed-on: https://code.wireshark.org/review/14774
Reviewed-by: Guy Harris <guy@alum.mit.edu>
According to the Visual Studio 2013 profiler here, we spend about 4% of
our startup time creating the Capture Interfaces dialog. Hold off on
doing that until the user wants to see the dialog. Do the same for the
File Set dialog.
While we're here, make sure MainWindow has fewer children when setupUi
is called. setupUi calls connectSlotsByName, which iterates over all
child objects.
Change-Id: I253e6dc5b7e73a6cb7b7036637e336f449449c4a
Reviewed-on: https://code.wireshark.org/review/14732
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Limit the amount of event processing SplashOverlay does. Let QWidget
take care of painting.
Change-Id: I9176baeba2cc9203e50c02029d85689f8908daba
Reviewed-on: https://code.wireshark.org/review/14771
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
ERF Dissector:
Add dissection for ERF_TYPE_META, Host ID and Flow ID extension headers.
Rename ERF extension header defines to ERF_EXT_HDR* and put in erf.h.
The Flow ID extension header has an improved 32-bit Flow Hash with a Hash Type
field describing what the hash was computed over. The Host ID extension header
contains a 48-bit organizationally unique Host Identifier. Both extension
headers contain the same 8-bit Source ID used for distinguishing records from
multiple sources in the same file and for metadata linking to ERF_TYPE_META
records. Host ID is used to identify the capturing host and can also be used to
distinguish records from multiple hosts in the same file.
ERF_TYPE_META records have a payload consisting of TLV metadata, divided into
sections which define the context of the TLV tag. The dissector registers
a field for each tag for each section type based on a template.
ERF_TYPE_META records generally have a Host ID extension header used to link
metadata to packet records with the same Host ID and Source ID. The associated
Host ID can either be explicit on all records, or implicit where the Host ID
extension header is only present on MetaERF records and other records are
associated using only the Source ID in the Flow ID extension header.
Includes per-record generated Source summary and frame linking. These have the
'correct' Host ID and Source IDs from either extension header, including
applying the Implicit Host ID, and links to the most recent ERF_TYPE_META
record. Relies on Wireshark doing more than one pass to associate the correct
implicit Host ID tree items for records before the first ERF_TYPE_META record.
The metadata is technically not associated at that point anyway.
ERF Wiretap:
Add per-HostID/per-SourceID wtap interfaces and basic ERF_TYPE_META support.
Adds read support for displaying some fields of the 'first'
ERF_TYPE_META record in the Capture File Properties screen. Concatenates
and merges some summary fields to provide more useful information and
attempt to combine ERF sources, streams and interfaces into wtap interfaces.
Interface naming gracefully degrades when Host ID and Source ID are not present
and is intended to be parseable for use by DAG software.
Supports Implicit Host ID, but assumes it does not change.
NOTE: Now only ERF interfaces that are present in the file are added.
Only works with native ERF files for now. Written such that it is easily
adapted for use by pcap dissector.
Some support for setting REC_TYPE_FT_SPECIFIC_REPORT on MetaERF records.
Disabled for now as this breaks pcapng_dump saving of ERF_TYPE_META
and ft_specific_record_phdr clashes with erf_mc_phdr.
Only when native ERF file (as uses wth->file_type_subtype).
Register packet-erf as a dissector of WTAP_FILE_TYPE_SUBTYPE_ERF.
Bug: 12303
Change-Id: I6a697cdc851319595da2852f3a977cef8a42431d
Reviewed-on: https://code.wireshark.org/review/14510
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add some comments as well.
Change-Id: I308aec7af187b917fbaa318712c82e3d9187cf1b
Reviewed-on: https://code.wireshark.org/review/14745
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 12300
Change-Id: I636c086d2dd9c950c35724d3e6b8dbf712e9e147
Reviewed-on: https://code.wireshark.org/review/14744
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
global_capture_opts.ifaces store the interfaces that were added for the
next capture and must always be marked as selected.
Fixes regression from 92a2661.
Bug: 11939
Change-Id: Ib3dcd1b228b7a9681439e172d934e0ce66de6c0f
Reviewed-on: https://code.wireshark.org/review/14725
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
When a conversation starts with SSL (Client Hello) but gets a HTTP
response back, then the first SSL request should be preserved.
Bug: 12132
Change-Id: I3f9b5c8828bc5c6680945d7cf71740584dd463ab
Reviewed-on: https://code.wireshark.org/review/14726
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Restrict the list of possible (sub)elements to avoid deep recursion.
Bug: 11824
Bug: 12187
Change-Id: I12deb9956c6ba9b6113cf45da4ee919e33ff8567
Reviewed-on: https://code.wireshark.org/review/14114
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
luaL_error never returns, free memory before.
Change-Id: Ibcdbdb6afea5d2dab7be6a16c4c2536dcf14220a
Reviewed-on: https://code.wireshark.org/review/14734
Reviewed-by: Michael Mann <mmann78@netscape.net>
Pass the reassembled fragment instead of the current record.
Bug: 11477
Change-Id: Id49fac8fa3f9e1b1904a75ab6c7512306f2071b0
Reviewed-on: https://code.wireshark.org/review/14727
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
João Valverde