This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
Mostly functioning proof of concept for #14329. This work is intended to
allow Wireshark to support multiple packet comments per packet.
Uses and expands upon the `wtap_block` API in `wiretap/wtap_opttypes.h`.
It attaches a `wtap_block` structure to `wtap_rec` in place of its
current `opt_comment` and `packet_verdict` members to hold OPT_COMMENT
and OPT_PKT_VERDICT option values.
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.
Experience has shown that:
1. The current logging methods are not very reliable or practical.
A logging bitmask makes little sense as the user-facing interface (who
would want debug but not crtical messages for example?); it's
computer-friendly and user-unfriendly. More importantly the console
log level preference is initialized too late in the startup process
to be used for the logging subsystem and that fact raises a number
of annoying and hard-to-fix usability issues.
2. Coding around G_MESSAGES_DEBUG to comply with our log level mask
and not clobber the user's settings or not create unexpected log misses
is unworkable and generally follows the principle of most surprise.
The fact that G_MESSAGES_DEBUG="all" can leak to other programs using
GLib is also annoying.
3. The non-structured GLib logging API is very opinionated and lacks
configurability beyond replacing the log handler.
4. Windows GUI has some special code to attach to a console,
but it would be nice to abstract away the rest under a single
interface.
5. Using this logger seems to be noticeably faster.
Deprecate the console log level preference and extend our API to
implement a log handler in wsutil/wslog.h to provide easy-to-use,
flexible and dependable logging during all execution phases.
Log levels have a hierarchy, from most verbose to least verbose
(debug to error). When a given level is set everything above that
is also enabled.
The log level can be set with an environment variable or a command
line option (parsed as soon as possible but still later than the
environment). The default log level is "message".
Dissector logging is not included because it is not clear what log
domain they should use. An explosion to thousands of domains is
not desirable and putting everything in a single domain is probably
too coarse and noisy. For now I think it makes sense to let them do
their own thing using g_log_default_handler() and continue using the
G_MESSAGES_DEBUG mechanism with specific domains for each individual
dissector.
In the future a mechanism may be added to selectively enable these
domains at runtime while trying to avoid the problems introduced
by G_MESSAGES_DEBUG.
Systemd journal entries aren't file-type-specific; they're found in both
systemd journal entry blocks in pcapng files and in systemd journal
export files. Give it a record type, for use with both file types.
This fixes#16955.
It also means that you can open a systemd journal export file and save
it as a pcapng file.
Move the maximum number of tree items and maximum tree depth to
preferences instead of hardcoded values. Refer to issue #12584 for
an example VNC capture where real data exceeds the current limit.
Add support to read/write the new EPB options, epb_packetid,
epb_queue and epb_verdict, from/to pcap files.
In addition, it updates the packet-frame dissector to dissect
these new fields.
More details on the options can be found in the PcapNG
specification: https://github.com/pcapng/pcapng
An application using these new fields can be found here:
https://github.com/chaudron/xdp-tools/tree/dev/pcapngII/xdp-dump
Change-Id: I761b8114b437fe573dd2c750e35586ad88494938
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-on: https://code.wireshark.org/review/37412
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.
Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.
Also make some of those arrays static while we're at it.
Update documentation and dissector-generator tools.
Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
/opt/SourceCode/wireshark/epan/dissectors/packet-frame.c 818 warn V547 Expression 'fi' is always true.
/opt/SourceCode/wireshark/epan/dissectors/packet-gsm_sms.c 2692 warn V547 Expression 'length <= (offset - saved_offset)' is always false.
/opt/SourceCode/wireshark/epan/dissectors/packet-isup.c 4688 warn V1037 Two or more case-branches perform the same actions. Check lines: 4688, 4697
/opt/SourceCode/wireshark/extcap/androiddump.c 1237 warn V560 A part of conditional expression is always true: data_str.
/opt/SourceCode/wireshark/extcap/androiddump.c 1603 warn V547 Expression is always true.
/opt/SourceCode/wireshark/ui/qt/models/packet_list_model.cpp 497 warn V560 A part of conditional expression is always true: ok_r1.
For the voip_calls.c change, I preferred to initailize along with every other field, rather than set to actual value it gets set to later.
For the isobus-vt change, I could not find a spec but followed the pattern from other error bit fields.
Bug: 16335
Change-Id: Ie55082222b582f6fff4e8c7a992d863acee6cf15
Reviewed-on: https://code.wireshark.org/review/37160
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Change-Id: Ib6cb86bc20dae9f88fdeb469983c2380bcc9216d
Reviewed-on: https://code.wireshark.org/review/34335
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Thanks to Peter Wu for the deep analysis of the issue:
Reproduce this issue with master v3.1.0rc0-662-gfd30adca44 and the reproducer from
the oss-fuzz issue tracker:
HOME=/x FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf fuzzshark
clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232
Attached are the traces for watchpoints on changes to parent_tree.tree_data.count,
this revealed 7 nodes that were added from the catch block in epan/expert.c:759
show_reported_bounds_error adds a proto node and calls expert_add_info:
1. _ws.malformed - protocol node via epan/show_exception.c:177
expert_create_tree adds two items:
2. _ws.malformed - expert tree via epan/expert.c:480
3. _ws.malformed - protocol filter because group==PI_MALFORMED via epan/expert.c:488
Because an explicit ei field was given: "add_expert_info(..., &ei_malformed)", two
fields are added instead of one:
4. _ws.malformed.expert - none node via epan/expert.c:543
5. _ws.expert.message - string node via epan/expert.c:545
Two more fields are added for the severity and group:
6. _ws.expert.severity - uint node via epan/expert.c:549
7. _ws.expert.group - uint node via epan/expert.c:552
So this problem would never occur when an exception is triggered via DISSECTOR_ASSERT,
but only for ReportedBoundsError exceptions (which occur when trying to use proto_tree_add_item
with invalid bounds for a tvb).
In conclusion, increasing EXCEPTION_TREE_ITEMS by 2 would suffice, but bump it to 10
(double the current value) to prevent similar crashes to happen if few more items
will be added in the future.
Bug: 14978
Change-Id: Ib9f5e254aeb4d756da5bab8f2e7ccf2572764aa4
Reviewed-on: https://code.wireshark.org/review/33060
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
That's what dissector_try_uint_new() does, and some tests depend on it.
Bug: 15630
Change-Id: I57934a5e90f83ee6ea0eb539a91826c950530ad3
Reviewed-on: https://code.wireshark.org/review/32542
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
See bug 15630 for details.
Bug: 15630
Change-Id: Ib7c9defae77ef8901ff2c8ef91dc50761f6924f2
Reviewed-on: https://code.wireshark.org/review/32527
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add macros to extract the direction, reception type, and FCS length
fields of the pack_flags field, and add definitions for different
directions and reception types.
Add a macro to construct a pack_flags field value from subfields; this
is for use by non-pcapng file readers (the pack_flags field is just a
copy of the EPB flags option, so that's not needed for pcapng).
Move some #defines for that field from packet-frame.c to wtap.h, and
rename them to match the new macros.
Use the macros rather than rolling our own code.
Fix a variable name in text2pcap.c that apparently had the wrong name,
given the value that was being tested.
Change-Id: Ia788ca4e9f5fabd8d24e6ead5ff1817509f54827
Reviewed-on: https://code.wireshark.org/review/32010
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When underlying dissectors exceed MAX_TREE_ITEMS, the frame dissector
will fail when adding more items. We make room for the following items
by decrementing the count for the current tree before adding them.
This change will fix all errors where underlying dissectors add MAX_TREE_ITEMS
items to the tree.
Bug: 15448
Change-Id: I03f3191cf1b737ac9ab569fbe5bf77f3a30e2401
Reviewed-on: https://code.wireshark.org/review/31975
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
What we were calling the "name" is actually a description to show to
users; what were calling the "short name" is just the name to use on the
command line.
Rename some routines and structure members, and put the name first and
description second in the table.
Expand some descriptions to give more details (e.g., to be more than
just a capitalized version of the name).
Fix the CamelCase capitalization of InfiniBand.
Change-Id: I060b8bd86573880efd0fab044401b449469563eb
Reviewed-on: https://code.wireshark.org/review/31472
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fixes a bug where the packet direction was reversed
for WTAP_ENCAP_BLUETOOTH_HCI (aka raw HCI or H1).
Change-Id: I2f404ed543062818ac6a8c6ca58d5ecfd7644bc8
Signed-off-by: Allan Møller Madsen <almomadk@gmail.com>
Reviewed-on: https://code.wireshark.org/review/30778
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
It's not just for X.25, it's for anything that has the notion of Data
Terminal Equipment and Data Communications Equipment; call it "dte_dce",
not "x25".
Change-Id: I3d51fec8b424e91ffd6d59895f50fc5ece791b08
Reviewed-on: https://code.wireshark.org/review/29834
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
pinfo->pkt_encap is jsut a copy of pinfo->phdr->pkt_encap; no need for
the copy.
Expand a comment while we're at it.
Change-Id: I5fcfe694ecba42507f1d629d01440da0a0989501
Reviewed-on: https://code.wireshark.org/review/25643
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't just do it if we're actually creating protocol tree information
for the "Frame" protocol; that information is used even when we're *not*
creating protocol tree information for "Frame".
Bug: 14245
Change-Id: Ie3754e15754fb6a73529e20d8fa68956e206a994
Reviewed-on: https://code.wireshark.org/review/24593
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Sequence analysis has its own "filtering" system that required its
tap functions to look for some "filter flags". register_tap_listener()
already comes with a filter argument, so use that to simplify logic
of tap functions in dissectors.
Also have Qt GUI for Flow Graph look like other dialogs that have a
"Limit to display filter" checkbox.
Change-Id: I91d9d9599309786892f5b50c98692e52651e7174
Reviewed-on: https://code.wireshark.org/review/23659
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Functionality for ICMP was "hidden" in the frame/"any" flow.
Pull it out into its own using the new sequence analysis API.
Change-Id: I2035f1a59a9e46ea1086443ad4b4a9723dc13883
Reviewed-on: https://code.wireshark.org/review/23625
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Remove protocol member from seq_analysis_item_t.
It's not used by any GUI, so don't burden dissectors with populating it.
2. Allow any dissector to change colors display by flow graph
3. Provide helper functions that may be common if other dissectors
want to create sequence analysis.
Change-Id: I04fa3c9f3cf6879ab9a8d7d6f4896b4979d010d7
Reviewed-on: https://code.wireshark.org/review/23613
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Create registration system to allow creation of analysis items
to be localized to the dissector. For now only frame (all) and
TCP are supported.
VOIP functionality will be covered in a separate patch.
Change-Id: I5b05ef6d5afff8d0b162b03a0f451ab810602e81
Reviewed-on: https://code.wireshark.org/review/23571
Reviewed-by: Michael Mann <mmann78@netscape.net>
This patch introduces the frame.interface_description field.
While testing this new functionality it became obvious that we have
a non-optimal interaction between the existing cfile.c's
cap_file_get_interface_name(), the recently added frame.interface_name
field and this new frame.interface_description field.
The string returned from cap_file_get_interface_name() may in fact
come from one of three different sources: the idb's interface name
(if it exists) or the idb's interface description (if that exists)
or a default text of "unknown". The string ultimately becomes the
rame.interface_name whether or not the idb had an interface name
option to begin with. This behavior does not allow one to test for
the simple presence of frame.interface_name. The new peer function
cap_file_get_interface_description() added by this patch returns
NULL instead of "unknown" if the idb does not have an interface
description. Should cap_file_get_interface_name() be similarly
modified to return NULL if the idb does not have an interface name?
Bug: 9781
Change-Id: Ie479f373c5080c004dd22bd88919838feca71e95
Reviewed-on: https://code.wireshark.org/review/19861
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I87d842e3efe9f82eaaab81347dfb79d6c0932792
Reviewed-on: https://code.wireshark.org/review/19491
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I1cc180abd7e73e5aea55b1b7eef9dc4b0e66e164
Reviewed-on: https://code.wireshark.org/review/19692
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have all dissector tables have a "supports Decode As" flag, which
defaults to FALSE, and which is set to TRUE if a register_decode_as()
refers to it.
When adding a dissector to a dissector table with a given key, only add
it for Decode As if the dissector table supports it.
For non-FT_STRING dissector tables, always check for multiple entries
for the same protocol with different dissectors, and report an error if
we found them.
This means there's no need for the creator of a dissector table to
specify whether duplicates of that sort should be allowed - we always do
the check when registering something for "Decode As" (in a non-FT_STRING
dissector table), and just don't bother registering anything for "Decode
As" if the dissector table doesn't support "Decode As", so there's no
check done for those dissector tables.
Change-Id: I4a1fdea3bddc2af27a65cfbca23edc99b26c0eed
Reviewed-on: https://code.wireshark.org/review/17402
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Ic644042d238b5f2abcd874bca92c6dea55804ba9
Reviewed-on: https://code.wireshark.org/review/15913
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
João Valverde