Commit Graph

665 Commits

Author SHA1 Message Date
Joakim Karlsson 4bb69a479d capture: silence warning for non-root user 2024-01-19 12:57:36 +00:00
John Thacker 9600ef2279 dumpcap: Pass the Capchild log level from parent to dumpcap
Pass the Capchild log domain (dumpcap's log domain) level from
the parent to dumpcap when setting up the pipe. Move a few of
the debugging level messages that previously required a #define
to be set from INFO to DEBUG.

This means that
"--log-debug Capchild" or "--log-level debug" can be used to get
DEBUG level log messages sent via the sync pipe to the parent and
then the console, without having to set a #define in dumpcap.

Related to #19519
2023-12-31 20:16:06 -05:00
John Thacker 3fbefe9c36 dumpcap: Make capture child logging work
Distinguish log messages from SP_ERROR_MSG; log messages don't
necessarily represent a failure, and they have a level. This
doesn't affect logging while capturing much, as SP_ERROR_MSGs
are just printed to the console, but it makes it possible to log
while retrieving interface information or the stats, where SP_ERROR_MSG
indicates that the command failed.
2023-12-31 16:44:25 -05:00
John Thacker 4a454d8d62 dumpcap: Don't use fd 2 (stderr) for the sync pipe
Don't use stderr for the sync pipe, because third party libraries
and functions sometimes pollute stderr with other information.

Instead, pass the information necessary to dumpcap as a parameter
to the special capture child option -Z.

On UN*X, that means passing the sync pipe write file descriptor, as
the child is created by fork + exec and shares the file descriptor table.

On Windows, the child process does not share the file descriptor table,
but it does share the HANDLE value for inherited handles, so pass that
instead. (The HANDLE is a void* and technically 64 bit, but only the
lower 32 bits are used for inherited handles that can be shared
and it is permissible to truncate:
https://learn.microsoft.com/en-us/windows/win32/procthread/inheritance
https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
https://learn.microsoft.com/en-us/windows/win32/WinProg64/rules-for-using-pointers
though perhaps in the future casting to an intptr_t makes more sense.)

Move the special Windows named signal pipe to its own long option
instead of using the parameter from the capture child option.

This means that we alter argv inside sync_pipe_open_command so change
the static functions and free argv there. Once glib 2.68 and later is
required a GStrvBuilder could be used instead.

Fix #12222
2023-12-31 13:37:00 +00:00
Guy Harris dc6f197726 dumpcap: treat connect errors as remote capture errors.
Treat errors beginning with "Is the server properly installed?" similarly
to "The other host terminated the connection.", and don't tell the user
to report them as Wireshark bugs.

This should clear up at least some of the Wireshark side of #14920.
(Libpcap should do a better job of reporting errors as well, although
that will ultimately involve better libpcap APIs, for which there are
other reasons as well.)
2023-12-30 21:58:01 -08:00
Alexis La Goutte 8069ffebb0 dumpcap: fix Dead Store found by Clang Analyzer
Value stored to 'status' is never read
2023-12-20 21:49:39 +00:00
John Thacker 607b3671c8 dumpcap: Add a welcome mode
Allow dumpcap to have the "-D" "-L" and "-S" flags all specified.
This is a "welcome mode" that prints out the interfaces and their
capabilities, and then prints out the running statistics.
("-L" and "-S" without "-D" will just print the statistics, but
doesn't give an error.)

In capture child mode, the interface information is sent as a
message on the sync pipe before the success message; the statistics
are sent on the data pipe as usual.

Actually using this in Wireshark will be added next.

Related to #15082
2023-12-18 21:17:29 -05:00
John Thacker b22ed213e0 capture: Move pcap failure secondary message to header
Move get_pcap_failure_secondary_error_message from static
in dumpcap to capture-pcap-util-int.h. This means that when
serializing the capabilities, we can just serialize the
open status enum and the open status string, and recover
the secondary status string when deserializing. This also
lets us make the secondary message a pointer to a const
char* instead of doing as much string copying.
2023-12-18 19:30:01 -05:00
John Thacker 1a95f230b9 dumpcap: Allow retrieving interface list + caps
Since we get both the non monitor mode and monitor mode
link types lists of interfaces that can support it, we can
allow the combination of retrieving the interface list and
capabilities at the same time, because we don't need the user
to specify whether to retrieve the list in or not in monitor
mode.

Allow any combination of retrieving the interface list and
the two capability types to be retrieved, but don't allow them
in combination with the other run once arguments.

When not in machine readable mode, print the capability types
after the link lists (maybe we should interleave them). When
in machine readable mode, add them to the serialized JSON.

We don't yet pass both flags to dumpcap in capture child mode
from the other applications.

Related to #15082
2023-12-16 19:13:43 -05:00
John Thacker 005dfe2271 capture: Get regular and monitor mode link type lists at the same time
This is slightly less efficient at the moment, but makes it easier
to change things to get and store the capabilities information
instead of repeatedly querying for it. Eventually we can retrieve
capabilities in the same dumpcap call as the interface list, and cache
the information.
2023-12-16 11:32:04 -05:00
John Thacker cd8893db10 capture: Serialize the machine readable interface list
Use JSON to serialize the machine readable interface list.
This removes any problems with embedded tabs in names and
descriptions, and makes it easier to later get the interface list
and the capabilities in one call (and possibly even a single call
that retrieves both and starts statistics.)

Related to #15082
2023-12-14 00:03:21 +00:00
John Thacker 4db3e8f3f1 Capture: Check to see if the interface name is a Windows Named Pipe
Named pipes have special names on Windows
( https://learn.microsoft.com/en-us/windows/win32/ipc/pipe-names )
If we're on Windows, and the interface name given has such a name,
assume it is a pipe and don't bother retrieving the interface list.

Dumpcap and rawshark already have identical code for testing if an
interface name is a pipe. Move that into win32-utils and have
capture_opts, dumpcap, and rawshark all use the common function.

Fix #17721
2023-12-08 15:49:05 +00:00
Guy Harris c6e03be53a dumpcap: check whether pcap_stats() succeeds.
But what if it fails?  (Unlikely, but....)
2023-12-07 10:15:52 +00:00
John Thacker 0d93782443 dumpcap: Serialize machine readable interface caps as JSON
Serialize the machine readable version of the interface capability
output as JSON, using an array to support multiple interfaces.
When querying multiple interfaces, try all of them, exit with
success (unless unexpected errors occur) and report any per-interface
errors and exit codes inside the JSON rather than stopping after
the first interface with error.

Update capture_get_if_capabilities to process the JSON. It (and
sync_if_capabilities_open) still only query a single interface at a time,
but this will allow modification to handle multiple interfaces at
once later.

Related to #16191, #15082
2023-11-22 07:25:34 +00:00
Guy Harris 9375a43d48 dumpcap: recommend upgrading Npcap for promiscuous-mode errors.
If the user gets the "failed to set hardware filter to promiscuous mode"
error, and they're running Npcap 1.71 to 1.73, recommend that they
upgrade to the current version of Npcap.

Clean up the helpful-hint generation code a bit while we're at it.
2023-10-24 04:10:44 +00:00
Moshe Kaplan f8d48d04d5 Fix misspellings in root and ui directories
Fix misspellings in root and ui directories.
Most of these are comments, but some are in
error messages.
2023-09-26 00:26:25 -04:00
Guy Harris 1fb90793f5 Work around stub routines in macOS 14 (Sonoma) libpcap.
Some routines that are built only if libpcap 1.10.x is built with remote
capture support, but that are unconditionally declared in pcap/pcap.h,
now have stub implementations in macOS 14 that always fail and set the
error string to "not supported".  (This was probably done because those
routines are now declared as "weakly linked symbols":

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/WeakLinking.html

on macOS 14.)

This means CMakeLists.txt finds them when you build on Sonoma, so we end
up calling them.

The only place where we didn't arrange that we *only* use them if the
device name begins with rpcap://, indicating that it's a remote-capture
URL, was the code in dumpcap that produces packet counts for the
sparklines in the Wireshark main screen.  That meant that all opens
failed, and dumpcap reported that failure to Wireshark, so no sparklines
were drawn.  Check for rpcap:// in that case as well, and use
pcap_open_live() if it's not present.

For all code that calls the routines in question, if any of the
routines in question fail, check for an error string of "not supported",
and replace it with "Remote capture not supported", so as to make the
cause of failure clearer.

Fixes #19349.
2023-09-23 00:36:03 -07:00
John Thacker 28dcebdc5e dumpcap: Change optional log calls to new API refactoring
Commit 549d76b931 tweaked the log
API. Change the calls for the optional debugging that aren't
compiled by default.
2023-09-17 07:52:46 -04:00
João Valverde 549d76b931 wslog: Refactor the API with a msg manifest 2023-09-03 02:35:25 +00:00
Guy Harris 085adfc957 For capture options, provide a callback to use to fetch an interface list.
Do that rather than having that code directly call
capture_interface_list(), with the programs providing their own versions
of capture_interface_list().
2023-08-28 00:06:01 -07:00
Guy Harris 6ad78bcc44 Clean up sync pipe write routines.
Give them all names beginning with sync_pipe_write_

Rename pipe_write_block() to sync_pipe_write_string_msg(), as it writes
a message containing a string, not a "block".

Add sync_pipe_write_uint_msg(), which takes an unsigned integer as an
argument and writes a message containing its value (as a string) as the
body.

Make sync_pipe_write_header() and SP_DECISIZE local to
sync_pipe_write.c, as they're no longer used outside that file.
2023-08-26 14:58:08 -07:00
Guy Harris c3fe4c8fd8 dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.

For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.

(That's why LINKTYPE_s were created in the first place.)

Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.

Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)

Fixes #19230.
2023-08-12 13:45:16 -07:00
John Thacker 7bfc3f2c13 dumpcap: Add a permissions warning about capabilities
If we have Linux capabilities, and dumpcap gets a permission error,
suggest that the user add the CAP_NET_RAW and CAP_NET_ADMIN capabilities
that dumpcap needs if Wireshark was not installed by a package.
(Distribution packages should set the capabilities.)

Fix #18279
2023-07-17 20:57:23 +00:00
Guy Harris f8d1525b17 Get rid of unnecessary casts.
snprintf(), sensibly, takes a size_t argument specifying the size of the
buffer. g_snprintf(), bogusly, takes a gulong argument specifying the
size of the buffer, so we had to do casts to avoid narrowing complaints,
but we're just using snprintf() now (as we require C11 or later), and
don't need the casts any more.
2023-06-18 16:07:35 -07:00
John Thacker 563307ff6b dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.

Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.

Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.

This prevents various incompatibilities in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.

Fix #19080
2023-05-18 23:42:34 +00:00
John Thacker ef0b1fe80a dumpcap: Update optional log to file
Update the (by default #ifdef'd out) capture child log to file
handling in dumpcap for the API changes in
commit 5ceb916430
2023-05-18 11:44:38 +00:00
Guy Harris 659876d108 Check for EAFNOTSUP errors on Linux.
On Linux, look for an error message of "socket: Address family not
supported by protocol"; if we see it, that's EAFNOTSUP, which means
either that 1) your kernel doesn't have PF_PACKET support configured in
or 2) this is a Flatpak package of Wireshark that's "helpfully" been
sandboxed.  Display a secondary error message indicating one of those is
likely the problem; mention the Flatpak one first, as that's more likely
than the second (if you can still configure PF_PACKET sockets out, it's
not the default, so it's unlikely to be the case).

See issue #19008.
2023-04-20 11:13:28 +00:00
Guy Harris 3cc9d33f65 Improve reporting of libpcap errors.
Expand the set of CAP_DEVICE_OPEN_ errors and warnings to include
specific errors for many of the errors and warnings libpcap returns.
(This doesn't include the errors that would definitely either be
Wireshark or libpcap bugs, such as PCAP_ERROR_NOT_ACTIVATED and
PCAP_ERROR_ACTIVATED.)

Don't give "make sure you have the right permissions" secondary error
messages if we know that the error isn't a permissions error.

For the PCAP_ERROR_ codes that we handle individually, don't bother with
the pcap_statustostr() string, as it would duplicate the error message
we're providing.

For the PCAP_ERROR_ codes we *don't* handle individually, give both the
pcap_statustostr() string and the pcap_geterr() string, to give the user
as much information as possible (even if that's just so that they can
give *us* as much information as possible to figure out what the problem
is).

This should remove the "how to support packet capturing on Debian"
message for "sorry, we don't support PF_PACKET sockets" error that shows
up if either 1) your kernel doesn't have PF_PACKET support configured in
or 2) this is a Flatpak package of Wireshark that's "helpfully" been
sandboxed.  See issue #19008.
2023-04-20 00:46:47 -07:00
João Valverde 5ceb916430 wslog: Print log message when aborting on exception
This makes it explicit in the log that the program aborted
because of a logging system exception, usually configured by
the user (fatal log level or domain).
2023-04-09 00:38:16 +00:00
John Thacker 92d1e1f4f7 dumpcap: LeakSanitizer issues
If AddressSanitizer is enabled, we build dumpcap with it, which
can be useful for catching issues - at least when run standalone.
Disable it when running in capture child mode, and ensure that the
sanitizers don't change dumpcap's exit code, since capture/capture_sync
uses the exitcode value and doesn't expect the sanitizer values.

Also disable LSan if prctl(PR_GET_DUMPABLE) is 2 on Linux, since
that means that the process will fail to run LSan and die with a
fatal error in the attempt due to not being able to ptrace. It
cannot be disabled through the normal method of using environment
variables since not being dumpable also means that /proc/self/environ
isn't readable. (LSan is able to deal with a dumpable value of 0,
temporarily setting it to 1, but not 2, because it's not allowed to
set it back to 2, due to CVE-2006-2451.)

Fix #18907
2023-03-23 09:30:47 -04:00
John Thacker f0712606a3 capture: Set update interval in capture opts, default to 100ms
Reduce the default update interval for dumpcap to notify its parent
of new packets (or to check if we've met file duration, etc.) from
500 ms to 100 ms, and put in the capture options.

This makes the GUI appear to update more in real time rather than
in visible batches of packets.

This also reduces the amount of ring buffer space needed in cases
where we're doing dissection, and dissection is able to keep up,
but the files can be deleted before tshark gets to them because of
the notification lag. (See #1650.)
2023-03-14 08:43:32 +00:00
John Thacker 2a7e4982a5 dumpcap: Make debugging compile again
Commit e921b804d0 removed the
user data parameter from logging, so remove it here.

Explain how the debugging defines work.

If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe.  Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.

Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.

Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.

If logging to a file, open the file before any log messages.

Get rid of a check for the log level being below the default level.
It's either redundant with a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 21:22:51 -05:00
João Valverde cf8107eb2a Move ui/clopts_common.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde 0cea64a632 Move ui/cmdarg_err.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde 84f963dfa2 Move ui/version_info.[ch] to wsutil 2023-02-07 23:17:37 +00:00
Gerald Combs cb420c7911 Extcap: Create our fifo in a temporary directory.
Instead of creating a temp file, unlinking it, and creating a fifo with
the same name, add create_tempdir() so that we can create a temporary
directory and create a fifo inside that.

This should avoid a race condition in Carbon Black Cloud antivirus,
which if the timing is right, will stat the initial temporary *file*,
miss the fact that it's been replaced with a *fifo*, and open and steal
data^W^W read from it, leaving dumpcap to contend with the truncated
remains.

Adding the unexpected magic number to cap_pipe_open_live()'s error
message helped to debug this. Leave it in since it's handy to have in
that case.

Ping #15587
2022-12-12 18:34:21 +00:00
João Valverde 3949d289d1 Add log init message to main() 2022-10-08 15:33:47 +00:00
Chuck Craft 8064d9a721 dumpcap: typo in pcap_geterr() string comparison
Ping #18332
2022-09-09 22:46:32 -05:00
Gerald Combs c347b057a7 dumpcap: Count more block types as packets.
The Sysdig Event dissector handles BLOCK_TYPE_SYSDIG_EVENT_V2 and
BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE blocks. Add them to dumpcap's packet
count so that we don't get a "No packets captured." error.
2022-03-20 17:04:58 +00:00
João Valverde 8cd49b2da0 dumpcap: Fix a TODO for Npcap test 2022-02-24 21:15:51 +00:00
David Perry e2fab18853 wsutil: New API to gather compile/runtime info 2022-02-24 13:27:08 +00:00
David Perry fc3f061829 Differentiate `-c` from `-a packets:` 2022-02-11 01:54:53 +00:00
David Perry 1e0d117eb7 Specify directory for temporary captures 2022-02-09 14:32:28 +00:00
John Thacker 3e2c79d924 dumpcap: Fix segfault when failing to create temporary file
g_file_open_tmp() does not set name_used unless the temp file
is successfully created (cf. to our old hand written library
pre commit 2925fb0850). Initialize it so that g_free doesn't
free a random memory location in that case, and don't use it
otherwise after failure. Fix #17828.
2022-01-19 13:57:08 +00:00
Gerald Combs c65f0a5a15 Update our Npcap URLs.
The official Npcap web site is now https://npcap.com/. Update our URLs
to match. Fixes #17838.
2022-01-06 16:12:30 -08:00
João Valverde 3f27a830fc wslog: Use a wider type for line 2022-01-05 13:31:52 +00:00
Gerald Combs 87eca12c38 Docs: Document our diagnostic output options.
Add docs/diagnostic-options.adoc, which is a snippet that documents our
various --log-* options. Include it in the dumpcap, rawshark, and tshark
man pages.

Make the ws_log_print_usage output more consistent.
2021-12-27 08:04:25 +00:00
João Valverde 4448b6494e Add a ws_posix_compat.h header
Currently used to define ssize_t on platforms that lack it.

Fix some Windows build errors caused by moving the definition into a
separate header.

Fix some narrowing warnings on Windows x64 from changing the definition
of ssize_t from long int to int64_t.

The casts in dumpcap are ugly but necessary. The whole code needs
to be rewritten for portability, or the warnings disabled.
2021-12-21 01:30:06 +00:00
João Valverde ce1dc88173 Fix stdio.h conversions to use the scanf macros 2021-12-19 23:49:55 +00:00
João Valverde 0ccd69e530 Replace g_strdup_printf() with ws_strdup_printf()
Use macros from inttypes.h.
2021-12-19 21:21:58 +00:00