For each field in the SocketCAN CAN XL pseudo-header, check if we have
all of the field and, if so, swap it, rather than just checking for the
availability of the complete header, just in case some packet is sliced
in the middle of the header.
Do this all with a bunch of offset/length #definitions, which also
means we don't have to worry about alignment or structure layout.
The FCS length in a pcapng IDB is in bits, but the length in an EPB is
in bytes; convert the latter to bits.
The FCS length in the Ethernet pseudo-header is in bytes; convert the
length-in-bits to a length-in-bytes before using it to set the FCS
length in the pseudo-header.
While we're at it, note, in a comment, that we convert the length in
pcap files, which is in units of 16 bits, to bits.
Fixes#19174.
Note: there was a missing entry in the encap_table_base.
Someone (commit 91e8f5db35) added the new WTAP to wtap.h,
but forgot to add it to the encap_table_base, so I added it in, otherwise the mapping for
silabs debug channel protocol didn't work correctly.
Implement the dissector for Ultra-wideband controller
interface packets, based on the protocol description
on the FiRa consortium website:
https://groups.firaconsortium.org/wg/members/document/1679
The dissector recognizes packets with PCAP identifier 293,
or TCP packets on port 7000 (default).
For writing capture files, increment `wdh->bytes_dumped` within
`wtap_dump_file_write()` so the caller doesn't have to manually track
it. Fixes the most common case of writing a file in sequence, leaving
the code clearer.
A small number of file formats effectively leave the header blank, write
the packets, then seek back up to the header to fill it in. In such
cases, save `wdh->bytes_dumped` before filling in the header and restore
it once done, so the value doesn't double-count the size of the header.
This is a port of SiliconDust ALP decoder provided in public repository
https://github.com/silicondust/wireshark
Original Author: Nick Kelsey <nickk@silicondust.com>
When reading memory-mapped Linux capture files, fix up the "real" length
field, in case the file was written by a program doing a capture done
with a version of libpcap with a bug that causes it to incorrectly set
the "real" length for isochronous transfers.
USB 2.0/1.1/1.0 devices (or 3.x and newer when connected to hosts that
are not Super-Speed capable) operate at one of three speeds:
* Low-Speed (1.5 Mbps)
* Full-Speed (12 Mbps)
* High-Speed (480 Mbps)
Supporting speed specific linktypes allows speed specific dissection
without the need for user to manually set the speed.
Each "packet" in the USB encapsulation formats for at least
Linux and Darwin corresponds to an OS-level USB request, so
the packets can be much larger than a USB-level packet.
The default max packet length of 256 KiB prevents Wireshark
from loading capture files that contain requests >256 KiB.
(Saving such a capture already works fine.)
Fix this by making the Linux, Darwin, and FreeBSD formats
use the same max packet length as the USBPCap format, which
is 128 MiB.
Replace all instances of "Nordic BLE Sniffer" with
"nRF Sniffer for Bluetooth LE" which is the name used by
nordic semiconductor for the development tool on the homepage.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
LINKTYPE_ERF pcap files are really ERF files inside a thin pcap wrapper
(don't even ask what a pcapng file with some or all interfaces being
LINKTYPE_ERF is...), so the time stamp comes from the ERF record, not
from the pcap packet header or pcapng block header.
The time stamp reslution for the record should reflect that, so set it
to WTAP_TSPREC_NSEC (ERF time stamps are fractional-power-of-2, not
fractional-power-of-10, so that's the best we can do).
The secs field is a time_t, which is not necessarily 32 bits. If it's
not, casting away the upper bits, by casting to guint32, introduces a
Y2.038K bug.
Either cast to time_t or, if you're assigning a time_t to it, don't
bother with the cast.
Register the pcap and pcapng file types/subtypes rather than hardwiring
them into the table.
Call the registration routines for them directly, rather than through a
generated table; they're always supposed to be there, as some code in
Wireshark either writes only one of those formats or defaults to writing
one of those formats. Don't run their source code through the
registration-routine-finder script.
Have the file type/subtype codes for them be directly exported to the
libwiretap core, and provide routines to return each of them, to be used
by the aforementioned code.
When reporting errors with cfile_write_failure_message(), use
wtap_dump_file_type_subtype() to get the file type/subtype value for the
wtap_dumper to which we're writing, rather than hardcoding it.
Have the "export PDU" code capable of supporting arbitrary file
types/subtypes, although we currently only use pcapng.
Get rid of declarations of now-static can_write_encap and
dump_open routines in various headers.
It corresponds to LINKTYPE_ETW in pcap and pcapng files; the structures
in the record format come from the Event Tracing for Windows (ETW) API
rather than directly from Event Trace Log files.
While we're at it, explain what extcap/etl does.
New link type DLT_ETW is added for write and read Event Trace on Windows.
This change updates MBIM dissector to decode a MBIM message from
a DLT_ETW packet.
I guess Coverity gets upset because, the way GUINT32_TO_BE() works when
building with Coverity, there's at least one test done the result of
which is always the same.
Calculate the "native" value of the direction, and then put it into
big-endian order, in two separate statements.
This should squelch Coverity CID 1457345.
Change-Id: I1ccd6fd848e6abc91f16fa375c98efcab9c5bf60
Reviewed-on: https://code.wireshark.org/review/37370
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
wiretap/erf_record.h has declarations for records in ERF files and in
LINKTYPE_ERF packets in pcap and pcapng files.
wiretap/erf-common.h has declarations of routines to be called by
pcap/pcapng reader code when processing LINKTYPE_ERF packets.
wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with
the tables of file readers and writers.
Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa
Reviewed-on: https://code.wireshark.org/review/37021
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Fall back on the Wayback Machine for some links.
Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842
Reviewed-on: https://code.wireshark.org/review/34103
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Dissect raw USB Packets. The actual USB packets to transaction conversion
(which is needed to pass the data to existing USB URB dissector) is not
implemented yet.
Ping-Bug: 15908
Change-Id: Ia75d58882d770fdd8650622d318241743069ad8f
Reviewed-on: https://code.wireshark.org/review/34006
Reviewed-by: Tomasz Moń <desowin@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
209 is LINKTYPE_IPMB_LINUX; add _LINUX/_linux to the WTAP_ENCAP_ name
and function/structure names, to clarify that it's not I2C in general,
it's I2C with a particular pseudo-header.
199 is now LINKTYPE_IPMB_KONTRON, not LINKTYPE_IPMB, as it doesn't have
raw I2C packets, it has I2C packets with a pseudo-header. Change the
WTAP_ENCAP_ name, and add a dissector for it.
Change-Id: Ie097f4317b03d2b2adfd9b81a4b11caf6268399e
Reviewed-on: https://code.wireshark.org/review/32539
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
New link type for IEEE 802.15.4 with pseudo-header and optional
meta-data TLVs, PHY payload exactly as it appears in the spec (no
padding, no nothing), and FCS if specified by FCS Type TLV.
Specification at https://github.com/jkcko/ieee802.15.4-tap
Bug: 15429
Change-Id: I67bd154891ad5818be9a1630aa5cbb863b55509a
Reviewed-on: https://code.wireshark.org/review/32141
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a dissector for http://fd.io vpp graph dispatch traces. The file
format is described in detail here:
https://fdio-vpp.readthedocs.io/en/latest/gettingstarted\
/developers/vnet.html#graph-dispatcher-pcap-tracing
Fuzz-tested with good results.
Bug: 15411
Change-Id: I3b040bb072ce43fb2fb646a9e473c5486654906a
Signed-off-by: Dave Barach <dave@barachs.net>
Reviewed-on: https://code.wireshark.org/review/31466
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ie5ab56f1ee80d14032969cbe7f31e086fb2b4b91
Reviewed-on: https://code.wireshark.org/review/31159
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Keeping them together might increase the likelihood that all of them get
updated when a new pcap/pcapng link-layer type whose pseudo-header is
first processed here rather than by a dissector.
Change-Id: Ia6f45c38e9530b7c6a53d006fbc01b3040e9a014
Reviewed-on: https://code.wireshark.org/review/29868
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Sort the cases to match the order in other routines.
That turned up a missing case for WTAP_ENCAP_NFC_LLCP, so add it.
Change-Id: I500731322ae93c6d2efc368f16cf468f589910f3
Reviewed-on: https://code.wireshark.org/review/29858
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have pcap_read_erf_pseudoheader() do all the work of reading an ERF
pseudo-header.
Add pcap_write_erf_pseudoheader() as a routine to do all the work of
writing an ERF pseudo-header.
Change-Id: If53ae50fcee35a45113ca0f0c64f69848e044cbd
Reviewed-on: https://code.wireshark.org/review/29847
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put the cases in pcap_write_phdr() into the same order as the cases in
pcap_process_pseudo_header().
Doing so revealed that there wasn't a case for WTAP_ENCAP_NFC_LLCP in
pcap_write_phdr(), so NFC LLCP captures wouldn't be saved correctly.
Add pcap_write_llcp_pseudoheader() and use it.
Change-Id: I2728a96e63d2e0606ae0bb480f97fe124ab48d17
Reviewed-on: https://code.wireshark.org/review/29841
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For each pseudo-header type, put a routine to write the pseudo-header
after the routine to read it.
Change-Id: Iffc010c1bf97acc5eb834a388e328ad3c2310351
Reviewed-on: https://code.wireshark.org/review/29840
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not as if 0 means received, 1 means sent, and anything else is
invalid; treat all non-zero values as meaning "sent" when reading, and
write out 1 for "sent".
Change-Id: Iaf5eb327a6b87b893a203475c8730452c51a38e9
Reviewed-on: https://code.wireshark.org/review/29839
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put all the #defines and structure declarations for a particular
pseudo-header before the function to read the pseudo-header.
Change-Id: I11013ff99d72832f49e9bea56dbc07f5cd8618f3
Reviewed-on: https://code.wireshark.org/review/29838
Reviewed-by: Guy Harris <guy@alum.mit.edu>