doc: Clean up lists of file types.

Add missing entries, regularize the descriptions, etc.. Note that pcap and pcapng are the native formats. Fix various issues. Update the editcap -F output to match urrent reality. While we're at it, sort the libwiretap modules, putting observer.c in the right place.
2021-03-12 23:31:08 -08:00 · 2021-03-12 23:31:08 -08:00 · 5d39e36198
parent cc6a45420a
commit 5d39e36198
8 changed files with 204 additions and 90 deletions
--- a/doc/wireshark.pod.template
+++ b/doc/wireshark.pod.template
@ -22,34 +22,29 @@ S<[ E<lt>infileE<gt> ]>

 B<Wireshark> is a GUI network protocol analyzer.  It lets you
 interactively browse packet data from a live network or from a
-previously saved capture file.  B<Wireshark>'s native capture file format
-is B<pcapng> format, or B<pcap> which is also the format used by B<tcpdump> and
-various other tools.
+previously saved capture file.  B<Wireshark>'s native capture file
+formats are B<pcapng> format and B<pcap> format; it can read and write
+both formats..  B<pcap> format is also the format used by B<tcpdump> and
+various other tools; B<tcpdump>, when using newer verions of the
+B<libpcap> library, can also read some pcapng files, and, on newer
+versions of macOS, can read all pcapng files and can write them as well.

-B<Wireshark> can read / import the following file formats:
+B<Wireshark> can also read / import the following file formats:

 =over 4

 =item *
-pcap - captures from B<Wireshark>/B<TShark>/B<dumpcap>, B<tcpdump>,
-and various other tools using libpcap's/Npcap's/WinPcap's/tcpdump's/WinDump's
-capture format
+Oracle (previously Sun) B<snoop> and B<atmsnoop> captures

 =item *
-pcapng - "next-generation" successor to pcap format
-
-=item *
-B<snoop> and B<atmsnoop> captures
-
-=item *
-Shomiti/Finisar B<Surveyor> captures
-
-=item *
-Novell B<LANalyzer> captures
+Finisar (previously Shomiti) B<Surveyor> captures

 =item *
 Microsoft B<Network Monitor> captures

+=item *
+Novell B<LANalyzer> captures
+
 =item *
 AIX's B<iptrace> captures

@ -57,25 +52,27 @@ AIX's B<iptrace> captures
 Cinco Networks B<NetXRay> captures

 =item *
-Network Associates Windows-based B<Sniffer> captures
+NETSCOUT (previously Network Associates/Network General) Windows-based
+B<Sniffer> captures

 =item *
-Network General/Network Associates DOS-based B<Sniffer> (compressed or uncompressed) captures
+Network General/Network Associates DOS-based B<Sniffer> captures
+(compressed or uncompressed)

 =item *
-AG Group/WildPackets/Savvius B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>/B<PacketGrabber> captures
+LiveAction (previously WildPackets/Savvius) B<*Peek>/B<EtherHelp>/B<PacketGrabber> captures

 =item *
 B<RADCOM>'s WAN/LAN analyzer captures

 =item *
-Network Instruments/JDSU/Viavi B<Observer> version 9 captures
+Viavi (previously Network Instruments) B<Observer> captures

 =item *
 B<Lucent/Ascend> router debug output

 =item *
-files from HP-UX's B<nettl>
+captures from HP-UX B<nettl>

 =item *
 B<Toshiba's> ISDN routers dump output
@ -84,10 +81,10 @@ B<Toshiba's> ISDN routers dump output
 the output from B<i4btrace> from the ISDN4BSD project

 =item *
-traces from the B<EyeSDN> USB S0.
+traces from the B<EyeSDN> USB S0

 =item *
-the output in B<IPLog> format from the Cisco Secure Intrusion Detection System
+the B<IPLog> format output from the Cisco Secure Intrusion Detection System

 =item *
 B<pppd logs> (pppdump format)
@ -105,7 +102,7 @@ Visual Networks' B<Visual UpTime> traffic capture
 the output from B<CoSine> L2 debug

 =item *
-the output from InfoVista's B<5View> LAN agents
+the output from InfoVista (previously Accellent) B<5View> LAN agents

 =item *
 Endace Measurement Systems' ERF format captures
@ -141,17 +138,47 @@ Textronix K12 text file format captures
 Apple PacketLogger files

 =item *
-Files from Aethra Telecommunications' PC108 software for their test
+Captures from Aethra Telecommunications' PC108 software for their test
 instruments

+=item *
+Citrix NetScaler Trace files
+
+=item *
+Android Logcat binary and text format logs
+
+=item *
+Colasoft Capsa and PacketBuilder captures
+
+=item *
+Micropross mplog files
+
+=item *
+Unigraf DPA-400 DisplayPort AUX channel monitor traces
+
+=item *
+802.15.4 traces from Daintree's Sensor Network Analyzer
+
 =item *
 MPEG-2 Transport Streams as defined in ISO/IEC 13818-1

+=item *
+Log files from the _candump_ utility
+
+=item *
+Logs from the BUSMASTER tool
+
+=item *
+Ixia IxVeriWave raw captures
+
 =item *
 Rabbit Labs CAM Inspector files

 =item *
-Colasoft Capsa files
+ _systemd_ journal files
+
+=item *
+3GPP TS 32.423 trace files

 =back

--- a/docbook/faq.adoc
+++ b/docbook/faq.adoc
@ -200,34 +200,59 @@ update the wiki page accordingly.

 It can also read a variety of capture file formats, including:

-* AG Group/WildPackets/Savvius
-EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures
-* AIX's iptrace captures
-* Accellent's 5Views LAN agent output
-* Cinco Networks NetXRay captures
-* Cisco Secure Intrusion Detection System IPLog output
-* CoSine L2 debug output
-* DBS Etherwatch VMS text output
-* Endace Measurement Systems' ERF format captures
-* EyeSDN USB S0 traces
-* HP-UX nettl captures
-* ISDN4BSD project i4btrace captures
-* Linux Bluez Bluetooth stack hcidump -w traces
-* Lucent/Ascend router debug output
+* pcap, used by libpcap, tcpdump and various other tools
+* Oracle (previously Sun) snoop and atmsnoop captures
+* Finisar (previously Shomiti) Surveyor captures
 * Microsoft Network Monitor captures
-* Network Associates Windows-based Sniffer captures
-* Network General/Network Associates DOS-based Sniffer (compressed or
-uncompressed) captures
-* Network Instruments/JDSU/Viavi Observer version 9 captures
 * Novell LANalyzer captures
+* AIX's iptrace captures
+* Cinco Networks NetXRay captures
+* NETSCOUT (previously Network Associates/Network General) Windows-based
+Sniffer captures
+* Network General/Network Associates DOS-based Sniffer captures
+(compressed or uncompressed)
+* LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/Packet Grabber
+captures
 * RADCOM's WAN/LAN analyzer captures
-* Shomiti/Finisar Surveyor captures
+* Viavi (previously Network Instruments) Observer captures
+* Lucent/Ascend router debug output
 * Toshiba's ISDN routers dump output
-* VMS TCPIPtrace/TCPtrace/UCX$TRACE output
+* captures from HP-UX nettl
+* the output from i4btrace from the ISDN4BSD project
+* traces from the EyeSDN USB S0
+* the IPLog format output from the Cisco Secure Intrusion Detection System
+* pppd logs (pppdump format)
+* the text output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
+* the text output from the DBS Etherwatch VMS utility
 * Visual Networks' Visual UpTime traffic capture
-* libpcap, tcpdump and various other tools using tcpdump's capture
-format
-* snoop and atmsnoop output
+* the output from CoSine L2 debug
+* the output from InfoVista (formerly Accellent) 5Views LAN agents
+* Endace Measurement Systems' ERF format captures
+* Linux Bluez Bluetooth stack hcidump -w traces
+* Catapult DCT2000 .out files
+* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
+* IBM Series (OS/400) Comm traces (ASCII & UNICODE)
+* Juniper Netscreen snoop files
+* Symbian OS btsnoop files
+* TamoSoft CommView files
+* Textronix K12xx 32bit .rf5 format files
+* Textronix K12 text file format captures
+* Apple PacketLogger files
+* Files from Aethra Telecommunications' PC108 software for their test
+instruments
+* Citrix NetScaler Trace files
+* Android Logcat binary and text format logs
+* Colasoft Capsa and Packet Builder captures
+* Micropross mplog files
+* Unigraf DPA-400 DisplayPort AUX channel monitor traces
+* 802.15.4 traces from Daintree's Sensor Network Analyzer
+* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
+* Log files from the _candump_ utility
+* Logs from the BUSMASTER tool
+* Ixia IxVeriWave raw captures
+* Rabbit Labs CAM Inspector files
+* systemd journal files
+* 3GPP TS 32.423 trace files

 so that it can read traces from various network types, as captured by
 other applications or equipment, even if it cannot itself capture on
--- a/docbook/wsug_src/WSUG_chapter_advanced.adoc
+++ b/docbook/wsug_src/WSUG_chapter_advanced.adoc
@ -806,19 +806,23 @@ for a lot more), for examples see {ntp-main-url}.

 So what’s the relationship between Wireshark and time zones anyway?

-Wireshark’s native capture file format (libpcap format), and some other capture
-file formats, such as the Windows Sniffer, EtherPeek, AiroPeek, and Sun snoop
-formats, save the arrival time of packets as UTC values. UN*X systems, and
-“Windows NT based” systems represent time internally as UTC. When Wireshark is
-capturing, no conversion is necessary. However, if the system time zone is not
-set correctly, the system’s UTC time might not be correctly set even if the
-system clock appears to display correct local time. When capturing, Npcap has
-to convert the time to UTC before supplying it to Wireshark. If the system’s
-time zone is not set correctly, that conversion will not be done correctly.
+Wireshark’s native capture file format (libpcap format), and some
+other capture file formats, such as the Windows Sniffer, *Peek, Sun
+snoop formats, and newer versions of the Microsoft Network Monitor and
+Network Instruments/Viavi Observer formats, save the arrival time of
+packets as UTC values.  UN*X systems, and “Windows NT based” systems
+represent time internally as UTC.  When Wireshark is capturing, no
+conversion is necessary.  However, if the system time zone is not set
+correctly, the system’s UTC time might not be correctly set even if
+the system clock appears to display correct local time.  When capturing,
+Npcap has to convert the time to UTC before supplying it to Wireshark. 
+If the system’s time zone is not set correctly, that conversion will
+not be done correctly.

-Other capture file formats, such as the Microsoft Network Monitor,
-DOS-based Sniffer, and Network Instruments/JDSU/Viavi Observer formats,
-save the arrival time of packets as local time values.
+Other capture file formats, such as the OOS-based Sniffer format and
+older versions of the Microsoft Network Monitor and Network
+Instruments/Viavi Observer formats, save the arrival time of packets as
+local time values.

 Internally to Wireshark, time stamps are represented in UTC. This means that
 when reading capture files that save the arrival time of packets as local time
--- a/docbook/wsug_src/WSUG_chapter_io.adoc
+++ b/docbook/wsug_src/WSUG_chapter_io.adoc
@ -96,15 +96,19 @@ This is the common Qt file open dialog along with some Wireshark extensions.

 ==== Input File Formats

-The following file formats from other capture tools can be opened by Wireshark:
+The native capture file formats used by Wireshark are:

-* pcapng. A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later
-  save files as pcapng by default. Versions prior to 1.8 used libpcap.
-
-* libpcap. The default format used by the _libpcap_ packet capture library. Used
+* pcap. The default format used by the _libpcap_ packet capture library. Used
  by _tcpdump, _Snort_, _Nmap_, _Ntop_, and many other tools.

-* Oracle (previously Sun) _snoop_ and _atmsnoop_
+* pcapng.  A flexible, extensible successor to the pcap format. 
+  Wireshark 1.8 and later save files as pcapng by default.  Versions
+  prior to 1.8 used pcap.  Used by Wireshark and by _tcpdump_ in newer
+  versions of macOS.
+
+The following file formats from other capture tools can be opened by Wireshark:
+
+* Oracle (previously Sun) _snoop_ and _atmsnoop_ captures

 * Finisar (previously Shomiti) _Surveyor_ captures

@ -116,27 +120,30 @@ The following file formats from other capture tools can be opened by Wireshark:

 * Cinco Networks NetXray captures

-* Network Associates Windows-based Sniffer and Sniffer Pro captures
+* NETSCOUT (previously Network Associates/Network General) Windows-based
+  Sniffer and Sniffer Pro captures

-* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
+* Network General/Network Associates DOS-based Sniffer captures
+  (compressed or uncompressed) captures

-* AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
+* LiveAction (previously WildPackets/Savvius)
+  *Peek/EtherHelp/PacketGrabber captures

 * RADCOM’s WAN/LAN Analyzer captures

-* Network Instruments/JDSU/Viavi Observer version 9 captures
+* Viavi (previously Network Instruments)i Observer captures

 * Lucent/Ascend router debug output

-* HP-UX’s nettl
+* captures from HP-UX nettl

 * Toshiba’s ISDN routers dump output

-* ISDN4BSD _i4btrace_ utility
+* output from _i4btrace_ from the ISDN4BSD project

 * traces from the EyeSDN USB S0

-* IPLog format from the Cisco Secure Intrusion Detection System
+* the IPLog format output from the Cisco Secure Intrusion Detection System

 * pppd logs (pppdump format)

@ -148,7 +155,7 @@ The following file formats from other capture tools can be opened by Wireshark:

 * the output from CoSine L2 debug

-* the output from Accellent’s 5Views LAN agents
+* the output from InfoVista (previously Accellent) 5Views LAN agents

 * Endace Measurement Systems’ ERF format captures

@ -174,6 +181,32 @@ The following file formats from other capture tools can be opened by Wireshark:

 * Captures from Aethra Telecommunications’ PC108 software for their test instruments

+* Citrix NetScaler Trace files
+
+* Android Logcat binary and text format logs
+
+* Colasoft Capsa and PacketBuilder captures
+
+* Micropross mplog files
+
+* Unigraf DPA-400 DisplayPort AUX channel monitor traces
+
+* 802.15.4 traces from Daintree's Sensor Network Analyzer
+
+* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
+
+* Log files from the _candump_ utility
+
+* Logs from the BUSMASTER tool
+
+* Ixia IxVeriWave raw captures
+
+* Rabbit Labs CAM Inspector files
+
+* _systemd_ journal files
+
+* 3GPP TS 32.423 trace files
+
 New file formats are added from time to time.

 It may not be possible to read some formats dependent on the packet types
@ -266,20 +299,24 @@ The following file formats can be saved by Wireshark (with the known file extens
  libpcap format. Wireshark 1.8 and later save files as pcapng by
  default. Versions prior to 1.8 used libpcap.

-* libpcap, tcpdump and various other tools using tcpdump’s capture
-  format ({asterisk}.pcap,{asterisk}.cap,{asterisk}.dmp)
+* pcap ({asterisk}.pcap).  The default format used by the _libpcap_
+  packet capture library.  Used by _tcpdump, _Snort_, _Nmap_, _Ntop_,
+  and many other tools.

 * Accellent 5Views ({asterisk}.5vw)

-* HP-UX’s nettl ({asterisk}.TRC0,{asterisk}.TRC1)
+* captures from HP-UX nettl ({asterisktrc0,{asterisk}.trc1)

 * Microsoft Network Monitor - NetMon ({asterisk}.cap)

-* Network Associates Sniffer - DOS ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,*fdc,{asterisk}.syc)
+* Network Associates Sniffer - DOS
+  ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,{asterisk}.fdc,{asterisk}.syc)
+
+* Cinco Networks NetXray captures ({asterisk}.cap)

 * Network Associates Sniffer - Windows ({asterisk}.cap)

-* Network Instruments/Viavi Observer version 9 ({asterisk}.bfr)
+* Network Instruments/Viavi Observer ({asterisk}.bfr)

 * Novell LANalyzer ({asterisk}.tr1)

@ -287,6 +324,26 @@ The following file formats can be saved by Wireshark (with the known file extens

 * Visual Networks Visual UpTime traffic ({asterisk}.{asterisk})

+* Symbian OS btsnoop captures ({asterisk}.log)
+
+* Tamosoft CommView captures ({asterisk}.ncf)
+
+* Catapult DCT2000 .out files ({asterisk}.out)
+
+* Endace Measurement Systems’ ERF format capture({asterisk}.erf)
+
+* EyeSDN USB S0 traces ({asterisk}.trc)
+
+* Textronix K12 text file format captures ({asterisk}.txt)
+
+* Textronix K12xx 32bit .rf5 format captures ({asterisk}.rf5)
+
+* Android Logcat binary logs ({asterisk}.logcat)
+
+* Android Logcat text logs ({asterisk}.{asterisk})
+
+* Citrix NetScaler Trace files ({asterisk}.cap)
+
 New file formats are added from time to time.

 Whether or not the above tools will be more helpful than Wireshark is a different question ;-)
@ -296,7 +353,8 @@ Whether or not the above tools will be more helpful than Wireshark is a differen
 ====
 Wireshark examines a file’s contents to determine its type. Some other protocol
 analyzers only look at a filename extensions. For example, you might need to use
-the `.cap` extension in order to open a file using _Sniffer_.
+the `.cap` extension in order to open a file using the Windows version
+of _Sniffer_.
 ====

 [[ChIOMergeSection]]
--- a/docbook/wsug_src/editcap-F.txt
+++ b/docbook/wsug_src/editcap-F.txt
@ -24,13 +24,13 @@ editcap: The available capture file types for the "-F" flag are:
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
-    niobserver - Network Instruments Observer
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
+    observer - Viavi Observer
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
--- a/org.wireshark.Wireshark-mime.xml
+++ b/org.wireshark.Wireshark-mime.xml
@ -113,7 +113,7 @@
  </mime-type>

  <mime-type type="application/x-etherpeek">
-    <comment>Packet Capture (Savvius Etherpeek/Airopeek/Omnipeek tagged/v9)</comment>
+    <comment>Packet Capture (WildPackets/Savvius/LiveAction *Peek)</comment>
    <generic-icon name="org.wireshark.Wireshark-mimetype"/>
    <magic>
      <match type="string" offset="0" value="\177ver"/>
@ -137,7 +137,7 @@
  </mime-type>

  <mime-type type="application/x-netinstobserver">
-    <comment>Packet Capture (Viavi Observer)</comment>
+    <comment>Packet Capture (Network Instruments/Viavi Observer)</comment>
    <generic-icon name="org.wireshark.Wireshark-mimetype"/>
    <magic>
      <match type="string" offset="0" value="ObserverPktBuffe"/>
--- a/packaging/macosx/Info.plist.in
+++ b/packaging/macosx/Info.plist.in
@ -23,7 +23,7 @@
 			<key>CFBundleTypeIconFile</key>
 			<string>Wiresharkdoc.icns</string>
 			<key>CFBundleTypeName</key>
-			<string>InfoVista 5View Packet Capture</string>
+			<string>InfoVista/Accellent 5View Packet Capture</string>
 			<key>CFBundleTypeRole</key>
 			<string>Viewer</string>
 		</dict>
@ -42,7 +42,7 @@
 			<key>CFBundleTypeIconFile</key>
 			<string>Wiresharkdoc.icns</string>
 			<key>CFBundleTypeName</key>
-			<string>Savvius EtherPeek/TokenPeek/AiroPeek/OmniPeek Packet Capture</string>
+			<string>LiveAction/Savvius/WildPackets *Peek Packet Capture</string>
 			<key>CFBundleTypeRole</key>
 			<string>Viewer</string>
 		</dict>
@ -55,7 +55,7 @@
 			<key>CFBundleTypeIconFile</key>
 			<string>Wiresharkdoc.icns</string>
 			<key>CFBundleTypeName</key>
-			<string>Viavi Observer Packet Capture</string>
+			<string>Viavi/Network Instruments Observer Packet Capture</string>
 			<key>CFBundleTypeRole</key>
 			<string>Viewer</string>
 		</dict>
@ -159,7 +159,7 @@
 			<key>CFBundleTypeIconFile</key>
 			<string>Wiresharkdoc.icns</string>
 			<key>CFBundleTypeName</key>
-			<string>Tektronix Packet Capture</string>
+			<string>Tektronix K12 Packet Capture</string>
 			<key>CFBundleTypeRole</key>
 			<string>Viewer</string>
 		</dict>
--- a/wiretap/CMakeLists.txt
+++ b/wiretap/CMakeLists.txt
@ -70,9 +70,9 @@ set(WIRETAP_C_MODULE_FILES
 	${CMAKE_CURRENT_SOURCE_DIR}/netscreen.c
 	${CMAKE_CURRENT_SOURCE_DIR}/nettl.c
 	${CMAKE_CURRENT_SOURCE_DIR}/nettrace_3gpp_32_423.c
-	${CMAKE_CURRENT_SOURCE_DIR}/observer.c
 	${CMAKE_CURRENT_SOURCE_DIR}/netxray.c
 	${CMAKE_CURRENT_SOURCE_DIR}/ngsniffer.c
+	${CMAKE_CURRENT_SOURCE_DIR}/observer.c
 	${CMAKE_CURRENT_SOURCE_DIR}/packetlogger.c
 	${CMAKE_CURRENT_SOURCE_DIR}/pcap-common.c
 	${CMAKE_CURRENT_SOURCE_DIR}/peekclassic.c