From 5d39e361983e19fd237ed2e35016b082b5f74ad8 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Fri, 12 Mar 2021 23:31:08 -0800 Subject: [PATCH] doc: Clean up lists of file types. Add missing entries, regularize the descriptions, etc. Note that pcap and pcapng are the native formats. Fix various issues. Update the editcap -F output to match current reality. While we're at it, sort the libwiretap modules, putting observer.c in the right place. --- doc/wireshark.pod.template | 81 +++++++++++------ docbook/faq.adoc | 71 ++++++++++----- docbook/wsug_src/WSUG_chapter_advanced.adoc | 28 +++--- docbook/wsug_src/WSUG_chapter_io.adoc | 98 ++++++++++++++++----- docbook/wsug_src/editcap-F.txt | 2 +- org.wireshark.Wireshark-mime.xml | 4 +- packaging/macosx/Info.plist.in | 8 +- wiretap/CMakeLists.txt | 2 +- 8 files changed, 204 insertions(+), 90 deletions(-) diff --git a/doc/wireshark.pod.template b/doc/wireshark.pod.template index e2c31f8368..d097f4cf6d 100644 --- a/doc/wireshark.pod.template +++ b/doc/wireshark.pod.template 
@@ -22,34 +22,29 @@ S<[ EinfileE ]> B is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a -previously saved capture file. B's native capture file format -is B format, or B which is also the format used by B and -various other tools. +previously saved capture file. B's native capture file +formats are B format and B format; it can read and write +both formats.. B format is also the format used by B and +various other tools; B, when using newer verions of the +B library, can also read some pcapng files, and, on newer +versions of macOS, can read all pcapng files and can write them as well. -B can read / import the following file formats: +B can also read / import the following file formats: =over 4 =item * -pcap - captures from B/B/B, B, -and various other tools using libpcap's/Npcap's/WinPcap's/tcpdump's/WinDump's -capture format +Oracle (previously Sun) B and B captures =item * -pcapng - "next-generation" successor to pcap format - -=item * -B and B captures - -=item * -Shomiti/Finisar B captures - -=item * -Novell B captures +Finisar (previously Shomiti) B captures =item * Microsoft B captures +=item * +Novell B captures + =item * AIX's B captures @@ -57,25 +52,27 @@ AIX's B captures Cinco Networks B captures =item * -Network Associates Windows-based B captures +NETSCOUT (previously Network Associates/Network General) Windows-based +B captures =item * -Network General/Network Associates DOS-based B (compressed or uncompressed) captures +Network General/Network Associates DOS-based B captures +(compressed or uncompressed) =item * -AG Group/WildPackets/Savvius B/B/B/B/B captures +LiveAction (previously WildPackets/Savvius) B<*Peek>/B/B captures =item * B's WAN/LAN analyzer captures =item * -Network Instruments/JDSU/Viavi B version 9 captures +Viavi (previously Network Instruments) B captures =item * B router debug output =item * -files from HP-UX's B +captures from HP-UX B =item * B ISDN routers dump output 
@@ -84,10 +81,10 @@ B ISDN routers dump output the output from B from the ISDN4BSD project =item * -traces from the B USB S0. +traces from the B USB S0 =item * -the output in B format from the Cisco Secure Intrusion Detection System +the B format output from the Cisco Secure Intrusion Detection System =item * B (pppdump format) @@ -105,7 +102,7 @@ Visual Networks' B traffic capture the output from B L2 debug =item * -the output from InfoVista's B<5View> LAN agents +the output from InfoVista (previously Accellent) B<5View> LAN agents =item * Endace Measurement Systems' ERF format captures @@ -141,17 +138,47 @@ Textronix K12 text file format captures Apple PacketLogger files =item * -Files from Aethra Telecommunications' PC108 software for their test +Captures from Aethra Telecommunications' PC108 software for their test instruments +=item * +Citrix NetScaler Trace files + +=item * +Android Logcat binary and text format logs + +=item * +Colasoft Capsa and PacketBuilder captures + +=item * +Micropross mplog files + +=item * +Unigraf DPA-400 DisplayPort AUX channel monitor traces + +=item * +802.15.4 traces from Daintree's Sensor Network Analyzer + =item * MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 +=item * +Log files from the _candump_ utility + +=item * +Logs from the BUSMASTER tool + +=item * +Ixia IxVeriWave raw captures + =item * Rabbit Labs CAM Inspector files =item * -Colasoft Capsa files + _systemd_ journal files + +=item * +3GPP TS 32.423 trace files =back diff --git a/docbook/faq.adoc b/docbook/faq.adoc index 4dca0fbd89..ba1dc3a3c4 100644 --- a/docbook/faq.adoc +++ b/docbook/faq.adoc 
@@ -200,34 +200,59 @@ update the wiki page accordingly. It can also read a variety of capture file formats, including: -* AG Group/WildPackets/Savvius -EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures -* AIX's iptrace captures -* Accellent's 5Views LAN agent output -* Cinco Networks NetXRay captures -* Cisco Secure Intrusion Detection System IPLog output -* CoSine L2 debug output -* DBS Etherwatch VMS text output -* Endace Measurement Systems' ERF format captures -* EyeSDN USB S0 traces -* HP-UX nettl captures -* ISDN4BSD project i4btrace captures -* Linux Bluez Bluetooth stack hcidump -w traces -* Lucent/Ascend router debug output +* pcap, used by libpcap, tcpdump and various other tools +* Oracle (previously Sun) snoop and atmsnoop captures +* Finisar (previously Shomiti) Surveyor captures * Microsoft Network Monitor captures -* Network Associates Windows-based Sniffer captures -* Network General/Network Associates DOS-based Sniffer (compressed or -uncompressed) captures -* Network Instruments/JDSU/Viavi Observer version 9 captures * Novell LANalyzer captures +* AIX's iptrace captures +* Cinco Networks NetXRay captures +* NETSCOUT (previously Network Associates/Network General) Windows-based +Sniffer captures +* Network General/Network Associates DOS-based Sniffer captures +(compressed or uncompressed) +* LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/Packet Grabber +captures * RADCOM's WAN/LAN analyzer captures -* Shomiti/Finisar Surveyor captures +* Viavi (previously Network Instruments) Observer captures +* Lucent/Ascend router debug output * Toshiba's ISDN routers dump output -* VMS TCPIPtrace/TCPtrace/UCX$TRACE output +* captures from HP-UX nettl +* the output from i4btrace from the ISDN4BSD project +* traces from the EyeSDN USB S0 +* the IPLog format output from the Cisco Secure Intrusion Detection System +* pppd logs (pppdump format) +* the text output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities +* the text output from the 
DBS Etherwatch VMS utility * Visual Networks' Visual UpTime traffic capture -* libpcap, tcpdump and various other tools using tcpdump's capture -format -* snoop and atmsnoop output +* the output from CoSine L2 debug +* the output from InfoVista (formerly Accellent) 5Views LAN agents +* Endace Measurement Systems' ERF format captures +* Linux Bluez Bluetooth stack hcidump -w traces +* Catapult DCT2000 .out files +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) +* Juniper Netscreen snoop files +* Symbian OS btsnoop files +* TamoSoft CommView files +* Textronix K12xx 32bit .rf5 format files +* Textronix K12 text file format captures +* Apple PacketLogger files +* Files from Aethra Telecommunications' PC108 software for their test +instruments +* Citrix NetScaler Trace files +* Android Logcat binary and text format logs +* Colasoft Capsa and Packet Builder captures +* Micropross mplog files +* Unigraf DPA-400 DisplayPort AUX channel monitor traces +* 802.15.4 traces from Daintree's Sensor Network Analyzer +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 +* Log files from the _candump_ utility +* Logs from the BUSMASTER tool +* Ixia IxVeriWave raw captures +* Rabbit Labs CAM Inspector files +* systemd journal files +* 3GPP TS 32.423 trace files so that it can read traces from various network types, as captured by other applications or equipment, even if it cannot itself capture on diff --git a/docbook/wsug_src/WSUG_chapter_advanced.adoc b/docbook/wsug_src/WSUG_chapter_advanced.adoc index 91bad9520b..e16fc4dd5c 100644 --- a/docbook/wsug_src/WSUG_chapter_advanced.adoc +++ b/docbook/wsug_src/WSUG_chapter_advanced.adoc 
@@ -806,19 +806,23 @@ for a lot more), for examples see {ntp-main-url}. So what’s the relationship between Wireshark and time zones anyway? -Wireshark’s native capture file format (libpcap format), and some other capture -file formats, such as the Windows Sniffer, EtherPeek, AiroPeek, and Sun snoop -formats, save the arrival time of packets as UTC values. UN*X systems, and -“Windows NT based” systems represent time internally as UTC. When Wireshark is -capturing, no conversion is necessary. However, if the system time zone is not -set correctly, the system’s UTC time might not be correctly set even if the -system clock appears to display correct local time. When capturing, Npcap has -to convert the time to UTC before supplying it to Wireshark. If the system’s -time zone is not set correctly, that conversion will not be done correctly. +Wireshark’s native capture file format (libpcap format), and some +other capture file formats, such as the Windows Sniffer, *Peek, Sun +snoop formats, and newer versions of the Microsoft Network Monitor and +Network Instruments/Viavi Observer formats, save the arrival time of +packets as UTC values. UN*X systems, and “Windows NT based” systems +represent time internally as UTC. When Wireshark is capturing, no +conversion is necessary. However, if the system time zone is not set +correctly, the system’s UTC time might not be correctly set even if +the system clock appears to display correct local time. When capturing, +Npcap has to convert the time to UTC before supplying it to Wireshark. +If the system’s time zone is not set correctly, that conversion will +not be done correctly. -Other capture file formats, such as the Microsoft Network Monitor, -DOS-based Sniffer, and Network Instruments/JDSU/Viavi Observer formats, -save the arrival time of packets as local time values. 
+Other capture file formats, such as the OOS-based Sniffer format and +older versions of the Microsoft Network Monitor and Network +Instruments/Viavi Observer formats, save the arrival time of packets as +local time values. Internally to Wireshark, time stamps are represented in UTC. This means that when reading capture files that save the arrival time of packets as local time diff --git a/docbook/wsug_src/WSUG_chapter_io.adoc b/docbook/wsug_src/WSUG_chapter_io.adoc index ebf40ff029..da68d59841 100644 --- a/docbook/wsug_src/WSUG_chapter_io.adoc +++ b/docbook/wsug_src/WSUG_chapter_io.adoc @@ -96,15 +96,19 @@ This is the common Qt file open dialog along with some Wireshark extensions. ==== Input File Formats -The following file formats from other capture tools can be opened by Wireshark: +The native capture file formats used by Wireshark are: -* pcapng. A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later - save files as pcapng by default. Versions prior to 1.8 used libpcap. - -* libpcap. The default format used by the _libpcap_ packet capture library. Used +* pcap. The default format used by the _libpcap_ packet capture library. Used by _tcpdump, _Snort_, _Nmap_, _Ntop_, and many other tools. -* Oracle (previously Sun) _snoop_ and _atmsnoop_ +* pcapng. A flexible, extensible successor to the pcap format. + Wireshark 1.8 and later save files as pcapng by default. Versions + prior to 1.8 used pcap. Used by Wireshark and by _tcpdump_ in newer + versions of macOS. + +The following file formats from other capture tools can be opened by Wireshark: + +* Oracle (previously Sun) _snoop_ and _atmsnoop_ captures * Finisar (previously Shomiti) _Surveyor_ captures 
@@ -116,27 +120,30 @@ The following file formats from other capture tools can be opened by Wireshark: * Cinco Networks NetXray captures -* Network Associates Windows-based Sniffer and Sniffer Pro captures +* NETSCOUT (previously Network Associates/Network General) Windows-based + Sniffer and Sniffer Pro captures -* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures +* Network General/Network Associates DOS-based Sniffer captures + (compressed or uncompressed) captures -* AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures +* LiveAction (previously WildPackets/Savvius) + *Peek/EtherHelp/PacketGrabber captures * RADCOM’s WAN/LAN Analyzer captures -* Network Instruments/JDSU/Viavi Observer version 9 captures +* Viavi (previously Network Instruments)i Observer captures * Lucent/Ascend router debug output -* HP-UX’s nettl +* captures from HP-UX nettl * Toshiba’s ISDN routers dump output -* ISDN4BSD _i4btrace_ utility +* output from _i4btrace_ from the ISDN4BSD project * traces from the EyeSDN USB S0 -* IPLog format from the Cisco Secure Intrusion Detection System +* the IPLog format output from the Cisco Secure Intrusion Detection System * pppd logs (pppdump format) @@ -148,7 +155,7 @@ The following file formats from other capture tools can be opened by Wireshark: * the output from CoSine L2 debug -* the output from Accellent’s 5Views LAN agents +* the output from InfoVista (previously Accellent) 5Views LAN agents * Endace Measurement Systems’ ERF format captures 
@@ -174,6 +181,32 @@ The following file formats from other capture tools can be opened by Wireshark: * Captures from Aethra Telecommunications’ PC108 software for their test instruments +* Citrix NetScaler Trace files + +* Android Logcat binary and text format logs + +* Colasoft Capsa and PacketBuilder captures + +* Micropross mplog files + +* Unigraf DPA-400 DisplayPort AUX channel monitor traces + +* 802.15.4 traces from Daintree's Sensor Network Analyzer + +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 + +* Log files from the _candump_ utility + +* Logs from the BUSMASTER tool + +* Ixia IxVeriWave raw captures + +* Rabbit Labs CAM Inspector files + +* _systemd_ journal files + +* 3GPP TS 32.423 trace files + New file formats are added from time to time. It may not be possible to read some formats dependent on the packet types 
@@ -266,20 +299,24 @@ The following file formats can be saved by Wireshark (with the known file extens libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap. -* libpcap, tcpdump and various other tools using tcpdump’s capture - format ({asterisk}.pcap,{asterisk}.cap,{asterisk}.dmp) +* pcap ({asterisk}.pcap). The default format used by the _libpcap_ + packet capture library. Used by _tcpdump, _Snort_, _Nmap_, _Ntop_, + and many other tools. * Accellent 5Views ({asterisk}.5vw) -* HP-UX’s nettl ({asterisk}.TRC0,{asterisk}.TRC1) +* captures from HP-UX nettl ({asterisktrc0,{asterisk}.trc1) * Microsoft Network Monitor - NetMon ({asterisk}.cap) -* Network Associates Sniffer - DOS ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,*fdc,{asterisk}.syc) +* Network Associates Sniffer - DOS + ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,{asterisk}.fdc,{asterisk}.syc) + +* Cinco Networks NetXray captures ({asterisk}.cap) * Network Associates Sniffer - Windows ({asterisk}.cap) -* Network Instruments/Viavi Observer version 9 ({asterisk}.bfr) +* Network Instruments/Viavi Observer ({asterisk}.bfr) * Novell LANalyzer ({asterisk}.tr1) 
@@ -287,6 +324,26 @@ The following file formats can be saved by Wireshark (with the known file extens * Visual Networks Visual UpTime traffic ({asterisk}.{asterisk}) +* Symbian OS btsnoop captures ({asterisk}.log) + +* Tamosoft CommView captures ({asterisk}.ncf) + +* Catapult DCT2000 .out files ({asterisk}.out) + +* Endace Measurement Systems’ ERF format capture({asterisk}.erf) + +* EyeSDN USB S0 traces ({asterisk}.trc) + +* Textronix K12 text file format captures ({asterisk}.txt) + +* Textronix K12xx 32bit .rf5 format captures ({asterisk}.rf5) + +* Android Logcat binary logs ({asterisk}.logcat) + +* Android Logcat text logs ({asterisk}.{asterisk}) + +* Citrix NetScaler Trace files ({asterisk}.cap) + New file formats are added from time to time. Whether or not the above tools will be more helpful than Wireshark is a different question ;-) @@ -296,7 +353,8 @@ Whether or not the above tools will be more helpful than Wireshark is a differen ==== Wireshark examines a file’s contents to determine its type. Some other protocol analyzers only look at a filename extensions. For example, you might need to use -the `.cap` extension in order to open a file using _Sniffer_. +the `.cap` extension in order to open a file using the Windows version +of _Sniffer_. ==== [[ChIOMergeSection]] diff --git a/docbook/wsug_src/editcap-F.txt b/docbook/wsug_src/editcap-F.txt index 96023290fc..e618aaf000 100644 --- a/docbook/wsug_src/editcap-F.txt +++ b/docbook/wsug_src/editcap-F.txt 
@@ -24,13 +24,13 @@ editcap: The available capture file types for the "-F" flag are: ngsniffer - Sniffer (DOS) ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1 ngwsniffer_2_0 - Sniffer (Windows) 2.00x - niobserver - Network Instruments Observer nokiapcap - Nokia tcpdump - pcap nsecpcap - Wireshark/tcpdump/... - nanosecond pcap nstrace10 - NetScaler Trace (Version 1.0) nstrace20 - NetScaler Trace (Version 2.0) nstrace30 - NetScaler Trace (Version 3.0) nstrace35 - NetScaler Trace (Version 3.5) + observer - Viavi Observer rf5 - Tektronix K12xx 32-bit .rf5 format rh6_1pcap - RedHat 6.1 tcpdump - pcap snoop - Sun snoop diff --git a/org.wireshark.Wireshark-mime.xml b/org.wireshark.Wireshark-mime.xml index 567a858cf7..0b21080619 100644 --- a/org.wireshark.Wireshark-mime.xml +++ b/org.wireshark.Wireshark-mime.xml @@ -113,7 +113,7 @@ - Packet Capture (Savvius Etherpeek/Airopeek/Omnipeek tagged/v9) + Packet Capture (WildPackets/Savvius/LiveAction *Peek) @@ -137,7 +137,7 @@ - Packet Capture (Viavi Observer) + Packet Capture (Network Instruments/Viavi Observer) diff --git a/packaging/macosx/Info.plist.in b/packaging/macosx/Info.plist.in index 1b78d90294..bde3de1122 100644 --- a/packaging/macosx/Info.plist.in +++ b/packaging/macosx/Info.plist.in @@ -23,7 +23,7 @@ CFBundleTypeIconFile Wiresharkdoc.icns CFBundleTypeName - InfoVista 5View Packet Capture + InfoVista/Accellent 5View Packet Capture CFBundleTypeRole Viewer @@ -42,7 +42,7 @@ CFBundleTypeIconFile Wiresharkdoc.icns CFBundleTypeName - Savvius EtherPeek/TokenPeek/AiroPeek/OmniPeek Packet Capture + LiveAction/Savvius/WildPackets *Peek Packet Capture CFBundleTypeRole Viewer @@ -55,7 +55,7 @@ CFBundleTypeIconFile Wiresharkdoc.icns CFBundleTypeName - Viavi Observer Packet Capture + Viavi/Network Instruments Observer Packet Capture CFBundleTypeRole Viewer @@ -159,7 +159,7 @@ CFBundleTypeIconFile Wiresharkdoc.icns CFBundleTypeName - Tektronix Packet Capture + Tektronix K12 Packet Capture CFBundleTypeRole Viewer 
diff --git a/wiretap/CMakeLists.txt b/wiretap/CMakeLists.txt index c9615122f7..4b557cd0d5 100644 --- a/wiretap/CMakeLists.txt +++ b/wiretap/CMakeLists.txt @@ -70,9 +70,9 @@ set(WIRETAP_C_MODULE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/netscreen.c ${CMAKE_CURRENT_SOURCE_DIR}/nettl.c ${CMAKE_CURRENT_SOURCE_DIR}/nettrace_3gpp_32_423.c - ${CMAKE_CURRENT_SOURCE_DIR}/observer.c ${CMAKE_CURRENT_SOURCE_DIR}/netxray.c ${CMAKE_CURRENT_SOURCE_DIR}/ngsniffer.c + ${CMAKE_CURRENT_SOURCE_DIR}/observer.c ${CMAKE_CURRENT_SOURCE_DIR}/packetlogger.c ${CMAKE_CURRENT_SOURCE_DIR}/pcap-common.c ${CMAKE_CURRENT_SOURCE_DIR}/peekclassic.c
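Review bot: Two typos in the new paragraph of the doc/wireshark.pod.template hunk at @@ -22,34: "both formats.." has a doubled full stop, and "newer verions of the" should read "newer versions of the". Since this paragraph is the first thing a reader of the man page sees about pcap and pcapng, it is worth a quick fix before merge.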
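Review bot: The docbook/faq.adoc hunk at @@ -200,34 drifts from the wording used in the other files in this same patch. It says "InfoVista (formerly Accellent)" where wireshark.pod.template and WSUG_chapter_io.adoc say "InfoVista (previously Accellent)", "Colasoft Capsa and Packet Builder captures" where the others say "PacketBuilder", and it adds "Textronix K12xx 32bit .rf5 format files" although the vendor name in editcap-F.txt is "Tektronix" (the pre-existing "Textronix K12 text file format captures" lines carry the same misspelling and could be corrected here while the lists are being regularized). The list also keeps "pcap, used by libpcap, tcpdump and various other tools" but has no pcapng entry; given the commit message's point that both pcap and pcapng are native formats, either add pcapng next to pcap or drop pcap here as the pod template does.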
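Review bot: In the docbook/wsug_src/WSUG_chapter_advanced.adoc hunk at @@ -806,19, the new text reads "such as the OOS-based Sniffer format", which should be "DOS-based Sniffer format" as in the removed line. This is the paragraph that tells users which formats store local time rather than UTC, so the format name needs to be recognisable.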
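Review bot: The docbook/wsug_src/WSUG_chapter_io.adoc hunk at @@ -116,27 has a stray character and a duplicated word in the added lines: "* Viavi (previously Network Instruments)i Observer captures" should lose the "i" after the closing parenthesis, and "* Network General/Network Associates DOS-based Sniffer captures (compressed or uncompressed) captures" repeats "captures" at the end of the second line (the pod template version of the same entry does not).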
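Review bot: The docbook/wsug_src/WSUG_chapter_io.adoc hunk at @@ -266,20 introduces a broken AsciiDoc attribute reference in "* captures from HP-UX nettl ({asterisktrc0,{asterisk}.trc1)"; it should be "({asterisk}.trc0,{asterisk}.trc1)" so the attribute substitution and the dot both render. The added "Used by _tcpdump, _Snort_, _Nmap_, _Ntop_," line also copies the unterminated italic "_tcpdump," from the earlier Input File Formats section; closing it as "_tcpdump_," in both places would avoid the italics running across the list.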
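Review bot: In the docbook/wsug_src/WSUG_chapter_io.adoc hunk at @@ -287,6, "* Endace Measurement Systems’ ERF format capture({asterisk}.erf)" is missing the space before the parenthesis and the plural "captures" used by every other entry. The same hunk writes "Tamosoft CommView" while the faq.adoc hunk in this patch writes "TamoSoft CommView", and again uses "Textronix" for the K12 entries; picking one spelling per vendor across the patch would keep the lists consistent.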