It only registers one file type/subtype, so rename it to
wtap_register_file_type_subtype().
That will also force plugins to be recompiled; that will produce compile
errors for some plugins that didn't change to match the new contents of
the file_type_subtype_info structure.
Also check to make sure that the registered file type/subtype supports
at least one type of block; a file type/subtype that doesn't return
*any* blocks and doesn't permit *any* block types to be written is not
very useful. That should also catch most if not all other plugins that
didn't change to match the new contents of the file_type_subtype_info
structure.
Don't make errors registering a file type/subtype fatal; just complain,
don't register the bogus file type/subtype, and drive on.
Instead of a "supports name resolution" Boolean and bitflags for types of
comments supported, provide a list of block types that the file
type/subtype supports, with each block type having a list of options
supported. Indicate whether "supported" means "one instance" or
"multiple instances".
"Supports" doesn't just mean "can be written", it also means "could be
read".
Rename WTAP_BLOCK_IF_DESCRIPTION to WTAP_BLOCK_IF_ID_AND_INFO, to
indicate that it provides, in addition to information about the
interface, an ID (implicitly, in pcapng files, by its ordinal number)
that is associated with every packet in the file. Emphasize that in
comments - just because your capture file format can list the interfaces
on which a capture was done, that doesn't mean it supports this; it
doesn't do so if the file doesn't indicate, for every packet, on which
of those interfaces it was captured (I'm looking at *you*, Microsoft
Network Monitor...).
Use APIs to query that information to do what the "does this file
type/subtype support name resolution information", "does this file
type/subtype support all of these comment types", and "does this file
type/subtype support - and require - interface IDs" APIs did.
Provide backwards compatibility for Lua.
This allows us to eliminate the WTAP_FILE_TYPE_SUBTYPE_ values for IBM's
iptrace; do so.
Provide a wiretap routine to get an array of all savable file
type/subtypes, sorted with pcap and pcapng at the top, followed by the
other types, sorted either by the name or the description.
Use that routine to list options for the -F flag for various commands
Rename wtap_get_savable_file_types_subtypes() to
wtap_get_savable_file_types_subtypes_for_file(), to indicate that it
provides an array of all file type/subtypes in which a given file can be
saved. Have it sort all types, other than the default type/subtype and,
if there is one, the "other" type (both of which are put at the top), by
the name or the description.
Don't allow wtap_register_file_type_subtypes() to override any existing
registrations; have them always register a new type. In that routine,
if there are any emply slots in the table, due to an entry being
unregistered, use it rather than allocating a new slot.
Don't allow unregistration of built-in types.
Rename the "dump open table" to the "file type/subtype table", as it has
entries for all types/subtypes, even if we can't write them.
Initialize that table in a routine that pre-allocates the GArray before
filling it with built-in types/subtypes, so it doesn't keep getting
reallocated.
Get rid of wtap_num_file_types_subtypes - it's just a copy of the size
of the GArray.
Don't have wtap_file_type_subtype_description() crash if handed an
file type/subtype that isn't a valid array index - just return NULL, as
we do with wtap_file_type_subtype_name().
In wtap_name_to_file_type_subtype(), don't use WTAP_FILE_TYPE_SUBTYPE_
names for the backwards-compatibility names - map those names to the
current names, and then look them up. This reduces the number of
uses of hardwired WTAP_FILE_TYPE_SUBTYPE_ values.
Clean up the type of wtap_module_count - it has no need to be a gulong.
Have built-in wiretap file handlers register names to be used for their
file type/subtypes, rather than building the table in init.lua.
Add a new Lua C function get_wtap_filetypes() to construct the
wtap_filetypes table, based on the registered names, and use it in
init.lua.
Add a #define WSLUA_INTERNAL_FUNCTION to register functions intended
only for internal use in init.lua, so they can be made available from
Lua without being documented.
Get rid of WTAP_NUM_FILE_TYPES_SUBTYPES - most code has no need to use
it, as it can just request arrays of types, and the space of
type/subtype codes can be sparse due to registration in any case, so
code has to be careful using it.
wtap_get_num_file_types_subtypes() is no longer used, so remove it. It
returns the number of elements in the file type/subtype array, which is
not necessarily the name of known file type/subtypes, as there may have
been some deregistered types, and those types do *not* get removed from
the array, they just get cleared so that they're available for future
allocation (we don't want the indices of any registered types to changes
if another type is deregistered, as those indicates are the type/subtype
values, so we can't shrink the array).
Clean up white space and remove some comments that shouldn't have been
added.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
Adds a pre-commit hook for detecting and replacing
occurrences of `g_malloc()` and `wmem_alloc()` with
`g_new()` and `wmem_new()`, to improve the
readability of Wireshark's code, and
occurrences of
`g_malloc(sizeof(struct myobj) * foo)`
with
`g_new(struct myobj, foo)`
to prevent integer overflows
Also fixes all existing occurrences across
the codebase.
That makes them work as input to a mergecap that writes pcapng files.
File types that don't have a single per-file encapsulation type need
more work, with multiple fake IDBs, one for each packet encapsulation
type seen in the file, unless we can generate real IDBs.
Change-Id: I2859e4f7fb15ec0c0f31a4044dc15638e5db7826
Reviewed-on: https://code.wireshark.org/review/37983
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it - and the routines that implement it - work more like the
seek-read routine.
Change-Id: I0cace2d0e4c9ebfc21ac98fd1af1ec70f60a240d
Reviewed-on: https://code.wireshark.org/review/32727
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The information given by the person who provided the change to do so for
V7 files seems to indicate that 1) V5 and V6 files have the same file
header and 2) the protoNum field shouldn't be used for this purpose.
It also provided information about the bits in the flags and status
field, so add that.
The first three of those bits appear to match the first three bits of
the flags field in Peek tagged files, so note that in the Peek tagged
reader, in case the other bits also match.
Change-Id: I492afd594676efc14b487b3030c861bf5feb2d23
Reviewed-on: https://code.wireshark.org/review/30647
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If the seek forward is just skipping record content that's not
(currently) interesting, use wtap_read_bytes() with a null buffer
pointer; it catches short "reads" and requires less seeking, so it may
work better when reading from a pipe.
Change-Id: Ifb07d20e0391a8ed97da85149d971b4e9ef093a8
Reviewed-on: https://code.wireshark.org/review/17976
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Allow file_read() to take a null pointer as a buffer argument; a null
argument means "do everything except copy the bytes from the file to the
user buffer". That means that wtap_read_bytes() and
wtap_read_bytes_or_eof() also support a null pointer as a buffer
argument.
Use wtap_read_bytes() with a null buffer argument rather than
file_skip() to skip forward over data.
This fixes some places where files were mis-identified as ERF files, as
the ERF open heuristics now get a short "read" error if they try to skip
over more bytes than exist in the file.
Change-Id: I4f73499d877c1f582e2bcf9b045034880cb09622
Reviewed-on: https://code.wireshark.org/review/17974
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Done for performance improvements.
This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.
Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
The use of a flag field here is aesthetically unpleasing when the flags
are referred to frequently. Convert these into bitfield entries.
Change-Id: I6f47e31558439dfd343ec7f856d04480366a1237
Reviewed-on: https://code.wireshark.org/review/12511
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
OK, where's NSS for the presumably-one-and-only user hiding for 11ac?
Change-Id: I53eb216c5d209dc5bb46c1d0aca7f8a200161e3e
Reviewed-on: https://code.wireshark.org/review/9512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add more fields to the metadata to handle everything radiotap has, and
show them.
Call the FEC type field just "FEC", and have it be an integer field with
0 meaning BCC and 1 meaning LDPC, rather than a Boolean.
11ac doesn't have *an* MCS, it can have up to 4, one per user.
Label the 11ac bandwidth values the same way we do in the radiotap
dissector.
Change-Id: I2c2415baff3e5d68d49dda497980e8271d26b1f6
Reviewed-on: https://code.wireshark.org/review/9176
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Just for completeness' sake.
Change-Id: I1ed609431c8bc62a79ebbf837fa2fc62f627a002
Reviewed-on: https://code.wireshark.org/review/9157
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have a field that holds the PHY type but nothing else. Have
a union with structures holding PHY-type-specific information, as a
bunch of attributes are PHY-specific.
If we have a channel and band, but don't have the frequency, attempt to
calculate the frequency, and add that to the radio information if we
succeed. If we have the frequency, but don't have the channel, attempt
to calculate the channel, and add that to the radio information if we
succeed.
Handle FHSS information, 11a "half/quarter-clocked" and turbo
information, 11g normal vs. Super G, additional 11n and 11ac
information, and the "short preamble" flag for 11b and 11g.
Add a PHY type for 11 legacy DSSS and detect it if possible.
Clean up the AVS dissector - make all fields wlancap. fields (if you
want generic fields, use the wlan_radio. fields).
Set more fields when writing out Commview Wi-Fi files.
Change-Id: I691ac59f5e9e1a23779b56a65124049914b72e69
Reviewed-on: https://code.wireshark.org/review/9146
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Provide that information so that the "802.11 radio information" protocol
can indicate whether a packet was 802.11 legacy/11b/11a/11g/11n/11ac,
and possibly whether it's 2.4 GHz or 5 GHz 11n. (Sometimes the center
frequency might not be supplied, so the band information can be useful.)
Also, provide some 11ac information, now that we can distinguish between
11n and 11ac. Don't calculate the data rate from the MCS index unless
it's 11n; we don't yet have code to calculate it for 11ac.
For radiotap, only provide guard interval information for 11n and 11ac,
not for earlier standards.
Handle the 11ac flag in the Peek remote protocol.
For Peek tagged files, the "extension flags" are 11n/11ac flags, so we
don't have to check for the "MCS used" bit in order to decide that the
packet is 11n or 11ac or to decide whether to provide the "bandwidth" or
"short GI" information.
Change-Id: Ia8a1a9b11a35243ed84eb4e72c384cc77512b098
Reviewed-on: https://code.wireshark.org/review/9032
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have dissectors of various forms of radio information headers in the
packets fill in a struct ieee_802_11_phdr with radio information as
appropriate, and call the "802.11 radio information" dissector rather
than the raw 802.11 dissector.
This means that the radio information can be found in a
protocol-independent and encapsulation-independent form when you're
looking at the packet; that information can be presented in a form
somewhat easier to read than the raw metadata header format.
It also enables having a single "radio information" tap that allows
statistics to handle all different sorts of radio information
encapsulation.
In addition, it lets us clean up some of the arguments passed to the
common 802.11 dissector routine, by having it pull that information from
the struct ieee_802_11_phdr.
Ensure that the right structure gets passed to that routine, and that
all the appropriate parts of that structure are filled in.
Rename the 802.11 radio protocol to "wlan_radio", rather than just
"radio", as it's 802.11-specific. Give all its fields "wlan_radio."
names rather than "wlan." names.
Change-Id: I78d79afece0ce0cf5fc17293c1e29596413b31c8
Reviewed-on: https://code.wireshark.org/review/8992
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a variant of filetime_to_nstime() that takes a value that's like a
FILETIME but in units of nanoseconds rather than tenths of a
microsecond, and use that. (It looks as if they might just get FILETIME
values from the OS and multiply them by 100, as the nanosecond-FILETIME
values appear to be multiples of 100 in the captures I've seen, but they
might have chosen nanosecond resolution in case they need to support a
higher-resolution time stamp source, so we don't assume that the values
will always be a multiple of 100.)
Change-Id: If6a1cb2cb673688b042eb113b79cfd267f5454a5
Reviewed-on: https://code.wireshark.org/review/8150
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix errors found by American Fuzzy Lop's afl-gcc
(http://lcamtuf.coredump.cx/afl/):
peektagged.c:
error: 'fileVersion' may be used uninitialized in this function
packet-h223.c:
error: variable 'circuit_id' might be clobbered by 'longjmp' or 'vfork'
wslua_proto.c:
error: variable 'd' might be clobbered by 'longjmp' or 'vfork'
wslua_proto.c:
error: variable 'dt' might be clobbered by 'longjmp' or 'vfork'
Change-Id: Idd74a3ad7b236d3a8756c1e7e917b1c74143f381
Reviewed-on: https://code.wireshark.org/review/6767
Reviewed-by: Gerald Combs <gerald@wireshark.org>
WTAP_ERR_UNSUPPORTED_ENCAP means "I can't *write* that particular
encapsulation type to a file of this format", which mainly means "that
file format simply can't handle packets of that type";
WTAP_ERR_UNSUPPORTED means "this file can't currently be supported by
Wireshark, as there's some feature in the file - such as a file or
per-packet encapsulation type - that we don't (yet) handle".
Change-Id: I53cadf9913d20efb2bccb29f61877b71d53807be
Reviewed-on: https://code.wireshark.org/review/5794
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Another case where the compiler didn't figure out that the variables
aren't used if they're not set.
Change-Id: I70bfb06c6d86d41a266a087ece971c40cd697ee9
Reviewed-on: https://code.wireshark.org/review/4994
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Also, we don't care how much tagged value data we've read, we just care
whether we've read any or not (EOF reading the first one means "end of
file", EOF reading any of the subsequent ones means "short read").
Change-Id: I2edc54494967b3a88bcc2c79d97eedfded00150d
Reviewed-on: https://code.wireshark.org/review/4993
Reviewed-by: Guy Harris <guy@alum.mit.edu>
To check whether data_rate_or_mcs_index is set, check
saw_data_rate_or_mcs_index; we might see a value of 0 for that field
(it's a valid MCS index), so we can't use it as an out-of-band value
meaning "not set".
Change-Id: I75d7fdb4a90836538c82f56f2afb05c0603278a5
Reviewed-on: https://code.wireshark.org/review/4991
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a number of fields corresponding to components of the radiotap MCS
field, add presence bits for them, and set and dissect the fields
supported by Peek tagged files.
Change-Id: I3fc801a3bc180e1c174d074a794af0f3d338f249
Reviewed-on: https://code.wireshark.org/review/4989
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use the "MCS index used" extended flag bit to indicate whether the "data
rate or MCS index" field is a data rate or MCS index.
Display the MCS index value if it's present.
(More to come - MCS indices, plus other information, should be used to
calculate the data rate for 11n and beyond.)
Get rid of the hdr_info_t structure while we're at it; just use local
variables for each of the fields.
Change-Id: I546f53a8ebd89078d5f23e1290557b97348aff38
Reviewed-on: https://code.wireshark.org/review/4988
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a set of presence bits, so we can indicate which bits of radio
metadata we do and don't have.
Fill in more radio metadata from capture files, and display it.
(More to come.)
Change-Id: Idea2c05442c74af17c14c4d5a8d8025ab27fbd15
Reviewed-on: https://code.wireshark.org/review/4987
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Useful if we try to provide some "standard" 802.11 metadata header that
can support both radiotap and Peek tagged (and perhaps others).
Change-Id: Ibac9829e3411670a439db7cb77e1694a5641b0a5
Reviewed-on: https://code.wireshark.org/review/4970
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That bug includes a capture and a screendump of OmniPeek's dissection of
the packet in that capture; this lets us identify some tags as the
center frequency of the 802.11 channel and a set of extended flags used
for 802.11n and 802.11ac.
Show some flags from bug 9586, under the assumption that certain fields
in the Peek tagged header correspond to certain fields in the remote
Peek protocol.
Change-Id: I0f3c2e6638d6cf5f6ec470d65bd574171a2d958d
Reviewed-on: https://code.wireshark.org/review/4969
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It returns the length of the string it read, so only treat 0 and -1 as
errors. (0 either means "EOF" or "string is zero length", but this is
only in the code that reads numbers, and a number needs at least 1
digit, so both EOF and "zero-length string" mean "this isn't a valid
Peek tagged file".)
Change-Id: Ib83eb2f1e53d912a2138be01480e2b464cf936db
Reviewed-on: https://code.wireshark.org/review/4591
Reviewed-by: Guy Harris <guy@alum.mit.edu>
They happen to be, at least now, but that's not valid in C++, and it's
probably unwise in any case.
Change-Id: Ifd49920cfaa376e5e7788329ee83db3956a7cdff
Reviewed-on: https://code.wireshark.org/review/4585
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up some things we ran across while making those changes.
Change-Id: Ic0d8943d36e6e120d7af0a6148fad98015d1e83e
Reviewed-on: https://code.wireshark.org/review/4581
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Pcap-ng files don't have a per-file time stamp resolution, they have a
per-interface time stamp resolution. Add new time stamp resolution
types of "unknown" and "per-packet", add the time stamp resolution to
struct wtap_pkthdr, have the libwiretap core initialize it to the
per-file time stamp resolution, and have pcap-ng do the same thing with
the resolution that it does with the packet encapsulation.
Get rid of the TS_PREC_AUTO_XXX values; just have TS_PREC_AUTO, which
means "use the packet's resolution to determine how many significant
digits to display". Rename all the WTAP_FILE_TSPREC_XXX values to
WTAP_TSPREC_XXX, as they're also used for per-packet values.
Change-Id: If9fd8f799b19836a5104aaa0870a951498886c69
Reviewed-on: https://code.wireshark.org/review/4349
Reviewed-by: Guy Harris <guy@alum.mit.edu>