Commit Graph

814 Commits

Author SHA1 Message Date
João Valverde e88efe8232 Call tzset() fewer times
Avoid calling tzset() with every localtime_r() and
gmtime_r() invocation. It's inefficient because it
reads the system configuration, even if it doesn't
need to do anything with it.

We assume the timezone will not change during the process
lifetime, or if it does it can be safely ignored, with some
time values in the old timezone perhaps.

Call it during startup for log initialization and some processes
that are known to require it.
2023-09-21 10:38:20 +01:00
João Valverde 0f736a3975 tshark: Fix --print-timers unit 2023-09-14 19:58:34 +01:00
Guy Harris 35916f6531 tshark: let ws_strtou32() do the full check for a valid number.
If the second argument is NULL, it means "the string must just contain a
number", so, if there's anything following the number, it reports an
error.  No need to get the pointer to the next character past the number
and check that ourselves.
2023-09-13 02:11:01 -07:00
Guy Harris fe835ae95c capture child: send an errno message if exec of dumpcap fails.
On at least some Linux distributions, dumpcap is either installed with
elevated privileges sufficient to support traffic capture by default or
can optionally be given those privileges.  If it has those privileges,
it's typically made group-executable but not world-executable and owned
by a special group, e.g. "wireshark", so that only users in that group
can use dumpcap to capture traffic.

The user installing the Wireshark package is *not* necessarily put into
that group by default; this means that any attempt by Wireshark or
TShark to run dumpcap will fail with EACCES.

If the exec call in the child process sends text error messages, intended
for end users, up the message pipe, as we had been doing, then figuring
out *why* the exec failed would require some heuristic parsing to figure
out whether it's a permissions problem or not.

Instead of doing that, just send a message giving the errno for exec
failing.

For now, we just format an error message for that in the parent process,
but this leaves room to do a better job.

While we're at it, fix some cases where an empty error message could be
printed.
2023-09-09 23:47:27 -07:00
João Valverde cf25c91532 tshark: Omit some diagnostic messages
The messages "Capture started" and the temporary capture file
are always printed by default. That seems excessive. TShark
should omit or at least be very reserved with diagnostic/status
messages unless requested.
2023-08-31 01:21:10 +01:00
João Valverde 8ac05fcdc3 Add some benchmarking timers to tshark
Add timing measurements for tshark when dissecting
and filtering a capture file.

The output is in JSON. The "elapsed" member is the total
elapsed time for all passes. After that there is
an array with an object for each pass. We only
have two passes at most currently. The single
pass dissection (the default) generates
an array with one element.

Currently there is a counter for total time
for the pass, and time elapsed in dissection,
applying the read filter and applying the
display filter. If any of these is not
active the respective entry contains zero.

All values are in milliseconds.

Add a tshark option to print the timing info.

Example:

    $ tshark -r ~/captures/http.pcapng --print-timers -2 -Y 'http && frame.len > 1' > /dev/null
    {
      "version": "v4.1.1rc0-30-gb7e187fe2993",
      "path": "/home/jpv/captures/http.pcapng",
      "filter": "http && frame.len > 1",
      "time_unit": "millisecond",
      "elapsed": 22981243,
      "dfilter_expand": 3,
      "dfilter_compile": 35,
      [
        {
          "elapsed": 11022013,
          "dissect": 10580266,
          "display_filter": 24567,
          "read_filter": 0
        },
        {
          "elapsed": 11959230,
          "dissect": 11454227,
          "display_filter": 21052,
          "read_filter": 0
        }
      ]
    }
2023-08-31 01:09:54 +01:00
Guy Harris 085adfc957 For capture options, provide a callback to use to fetch an interface list.
Do that rather than having that code directly call
capture_interface_list(), with the programs providing their own versions
of capture_interface_list().
2023-08-28 00:06:01 -07:00
Guy Harris 6396860fb9 With -D, always let the user know if capture_interface_list() fails.
Don't do so only if no interfaces are reported; we now append extcaps to
the list even if, due to an error, no interfaces were found, so report
an error in that case regardless of whether the interface list is empty
or not.

Add additional exit status values for -D errors (and potentially for
errors elsewhere), use them, and allow "pcap error" in the tests
for -D.
2023-08-27 17:20:12 -07:00
John Thacker c3fa423bc9 tshark: Restore deprecated default column field titles
Restore the ability in tshark -e to filter based on column titles,
at least for the seven default columns.  Internally alias the fields
based on their titles to the column type based fields, e.g.
"_ws.col.Info" to "_ws.col.info"

This may be removed in the future, but is useful to have as there
are tools and scripts that use the old behavior (and there are
supported versions, 3.6.x and 4.0.x, that only support the old
behavior.)
2023-08-22 11:43:41 +00:00
Stig Bjørlykke bf2f8c5fad tshark: Register extcap preferences when needed
TShark is not always capturing when cf_name is empty. Improve check
for when to not register extcap preferences for these cases.
2023-08-19 07:32:46 +00:00
Guy Harris 50778cff57 Move the check for TS_PREC_NOT_SET out of timestamp_set_precision().
Putting it there makes it not obvious why the check is being done.
Instead, do the check before calling timestamp_set_precision() - and do
the same for timestamp_set_type(), as, in both cases, the _NOT_SET value
means that no command-line option was specified to set the timestamp
type or precision, so there's nothing to set them *to*.
2023-08-16 14:41:57 -07:00
Juanma Sanchez af0691342b Add --only-protocols and --disable-all-protocols to tshark and rawshark.
--disable-all-protocols will mark all protocols as disabled by default,
and then disable them. Certain protocols can then be enabled one by one
by using --enable-protocol.

--only-protocols is a helper option to make it easier to enable only
certain protocols. It's equivalent to passing --disable-all-protocols and
then several --enable-protocol options. It accepts a comma separated
list of protocols. First all protocols will be disabled, and then all
protocols included in the list will be enabled one by one.

Side-note, it wouldn't make much sense to enable only "tcp" for example
without enabling the protocols in the lower layers (e.g: eth, sll, ip,
ipv6). In this case, something like --only-protocols eth,sll,ip,ipv6,tcp
will generally be needed in order to make sure that TCP is decoded.

Signed-off-by: Juanma Sanchez <juasanch@redhat.com>
2023-08-08 21:54:37 +00:00
João Valverde 7f06df2d0c Add tshark -G services 2023-07-27 18:09:27 +01:00
João Valverde a3142d25bf Add tshark -G enterprises 2023-07-27 15:40:25 +01:00
João Valverde dae58c9a69 manuf: Add table dump with tshark -G 2023-07-26 00:13:32 +00:00
John Thacker 1b82eda9eb epan: Register dynamic column fields and make them filterable
Make the text of each registered column a FT_STRING field that can be
filtered, prefixed with _ws.col - these work in display filters, filters
in taps, coloring rules, Wireshark read filters, and in the -Y, -R, -e,
and -j options to tshark. Use them as the default "Apply as Filter" value
for the columns that aren't handled by anything else currently.

Because only the columns formats that actually correspond to columns
get filled in (invisible columns work), register and deregister the
fields when the columns change.

Use the lower case version of the rest of the COL_* define for each
column as the field name.

This adds a number of conditions to "when are the columns needed",
including when the main display filter or any filter on a tap is
using one of these fields.

Custom columns are currently not implemented. For custom columns, the
tree then has to be further primed with any fields used by the custom
columns as well. (Perhaps that should happen in epan_dissect_run() -
are there any cases where we construct the columns and don't want to
prime with any field that custom columns contains? Possibly in taps
that we know only use built-in columns.)

Thus, for performance reasons, you're better off matching an ordinary
field if possible; it takes extra time to generate the columns and many
of them are numeric types. (Note that you can always convert a non-string
field to a string field if you want regex matching, consult the
*wireshark-filter(4)* man page.) It does save a bit on typing (especially
for a multifield custom column) and remembering the column title might
be easier in some cases.

The columns are set before the color filters, which means that you
can have a color filter that depends on a built-in column like Info or
Protocol.

Remove the special handling for the -e option to tshark. Note that
the behavior is a little different now, because fixed field names
are used instead of the titles (using the titles allowed illegal
filter names, because it wasn't going through the filter engine.)
For default names, this means that they're no longer capitalized,
so "_ws.col.info" instead of "_ws.col.Info" - hopefully a small
price in exchange for the filters working everywhere.

The output format for -T fields remains the same; all that special
handling is removed (except for remembering if someone asked for
a column field to know that columns should be constructed.)

They're also set before the postdissectors, so postdissectors can
have access.

Anything that depends on whether a packet and previous packets are
displayed (COL_DELTA_TIME_DIS or COL_CUMULATIVE_BYTES) doesn't work
the way most people expect, so don't register fields for those.
(The same is already true of color filters that use those, along with
color filters that use the color filter fields.)

Fix #16576. Fix #17971. Fix #4684. Fix #13491. Fix #13941.
2023-07-25 00:49:52 +00:00
John Thacker efbca7715c tshark: Fix the check on UN*X for writing to a pipe and dissecting
It's fine to write to a pipe and dissect, as long as we're not
doing live capture. Move the check for writing to a pipe and dissecting
inside the code path where we know we're dissecting.

Make sure it's after starting the statistics taps; currently we check
if we're tapping and writing to a pipe before starting the statistics
taps, so the check doesn't work, leading to some odd errors because
tshark reads random bytes from the pipe output.

Make sure if we're printing packet info and need a preamble, that we
write it after checking for all the invalid options. We don't want
to print the preamble and then just quit.

Related to #17900
2023-06-22 13:25:21 +00:00
Guy Harris 8d7cc70a03 Add "-G dissectors" to TShark, to dump the registered dissectors.
Fix a comment while we're at it.
2023-06-22 00:10:04 -07:00
John Thacker 38fa97a4e8 tshark: Move a debug message later
Only print the debug message about whether we're doing dissection
after we've determined if that's so.
(See cf2a29f083 )
2023-06-21 18:12:49 -04:00
John Thacker 33567d31c5 print: Move protocolfilter inside output_fields
Move the protocolfilter map to being a member of output_fields,
consolidating some of the API. The only functions that accept
one accept both, and callers that always pass either as NULL
always pass both as NULL.
2023-06-14 23:58:02 +00:00
Gerald Combs 9e0ce57c4d Convert capture/*.[ch] to C99 types
Convert capture/*.[ch] to C99 types. Update other files where needed.

Ping #19116
2023-06-14 19:50:03 +00:00
Pascal Quantin 274e67998e tshark: add support for field alias when specifying a list of fields to display
The ek/pdml/json output will display the new filter name and not the
aliased older one
2023-06-13 21:49:46 +00:00
David Perry 1bd8e05f54 tshark: show field abbrevs matching a prefix 2023-06-11 20:16:03 +00:00
John Thacker abdf61cb1d tshark: Check if -j/-J describes a valid field
Check if the parameter given to the -j or -J option is a valid
protocol or field filter name.
2023-05-09 08:52:31 -04:00
Stig Bjørlykke 013a675c06 tshark: Print personal extcap path
Print personal extcap path in `tshark -G folders`.

Fixes #19046.
2023-05-06 12:02:53 +02:00
João Valverde 43117dd40f dfilter: Rename dfilter_compile_real() -> dfilter_compile_full()
The function is part of the public interface. The new name is better
and more descriptive.
2023-04-21 17:02:29 +00:00
João Valverde 81a8777b9f dfilter: Make error a pointer
Make it easier and more natural to test for errors and hand-over
error results.
2023-04-20 14:12:39 +00:00
Preben Guldberg 0b538b3205 Allow specifying subsecond granularity with tshark -t
Implements suggestion in issue #18714.

Proposed syntax for setting subsecond precision is "tshark -t adoy.3" for
millisecond accuracy in output. Using a dot separator indicates the precision
of what follows the dot in the output.

The following tshark -t combinations are supported:

1. Specifying just the format with e.g. "-t a" and defaulting the precision.
2. Specifying both format and precision, with "-t ad.2" or "-t ad -t .2".
3. Specifying only the precision with "-t .6" and defaulting format.
4. Use "-t a." or even "-t ." to specify auto precision from trace.

The latter use case is particularly useful with wireshark/logray.

Using a dot like this avoids introducing a new command line option.
2023-03-31 08:15:28 +02:00
John Thacker f0712606a3 capture: Set update interval in capture opts, default to 100ms
Reduce the default update interval for dumpcap to notify its parent
of new packets (or to check if we've met file duration, etc.) from
500 ms to 100 ms, and put in the capture options.

This makes the GUI appear to update more in real time rather than
in visible batches of packets.

This also reduces the amount of ring buffer space needed in cases
where we're doing dissection, and dissection is able to keep up,
but the files can be deleted before tshark gets to them because of
the notification lag. (See #1650.)
2023-03-14 08:43:32 +00:00
John Thacker 01172f5a1d tshark: Support multiple -j and -J options, including mixed
Store the field filter strings in a wmem_map pointing to the
field flags for each string. This allows specifying multiple
filter options (-j or -J) on the command line, including some
of both.

Fix #17470
2023-02-16 12:46:44 +00:00
João Valverde 7fd4e2e542 Move ui/filter_files.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde cf8107eb2a Move ui/clopts_common.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde 0cea64a632 Move ui/cmdarg_err.[ch] to wsutil 2023-02-10 20:59:22 +00:00
João Valverde 84f963dfa2 Move ui/version_info.[ch] to wsutil 2023-02-07 23:17:37 +00:00
John Thacker 4818778df2 tshark: Preserve options when dissecting packets and writing
epan_dissect_run_* and epan_dissect_reset unreference the packet
block that is part of the record, which frees it if the ref count
drops to zero. However, tshark needs the block later to, e.g.,
copy the options. process_cap_file_[single|second]_pass still
unreference and free the block with wtap_rec_reset() at the end
of each packet loop.

Fix #18693
2023-02-07 18:27:12 +00:00
John Thacker ca230a59e0 wiretap, pcapng: Distinguish WTAP_ENCAP_UNKNOWN and _NONE
WTAP_ENCAP_UNKNOWN is used for two different cases:
1. Encapsulation type values that are unsupported by libwiretap or
bogus values (and thus "unknown" to libwiretap).

2. An initial state where the encapsulation type is "not yet" known
for a file type like pcapng without a single encapsulation type in the
header, before any packets or interfaces that set the encapsulation type
have been read. (If the file has no packets, this may be the value after
the file is entirely read in.) This can be the value when an output file
is written out simultaneously with reading an input file, rather than
reading the entire input file first, and, e.g., there is a custom block
before any IDBs.

The first case can never be handled when writing out a file, but the
second case can possibly be handled, so long as (for pcapng) IDBs
are available to write when they become necessary, or (for file
types like pcap with a single link-layer type in the header) the
writer waits until a link-layer type is seen to create the output
header. (It is possible, of course, that writing would fail in the
middle if an unsupported encapsulation type appears, or if the
encapsulation becomes per-packet for file types that don't support that,
but that is an unavoidable risk when writing without reading the entire
input file(s).)

Introduce WTAP_ENCAP_NONE for the second case, and use it for pcapng,
where we guarantee that any necessary IDBs will be passed along.
Continue to use WTAP_ENCAP_UNKNOWN for the first case.

Allow pcapng files to open a file for writing with WTAP_ENCAP_NONE.

There are some other file types that support per-packet link-types,
and could also use WTAP_ENCAP_NONE, but they require more work to
generate IDBs. (Note that all of them currently are impossible to
write to pcapng when they have multiple encapsulations, even if
the encapsulations are all supported by pcapng, because they don't
properly generate IDBs.)

Remove the workaround in ef43fd48b4
for tshark writing to pcapng when the source file is WTAP_ENCAP_UNKNOWN,
since now such files will be WTAP_ENCAP_NONE and work properly (and
also work in editcap, mergecap, etc.)

Along with 8cddc32d35, fix #18449.
2023-02-07 13:33:20 +00:00
João Valverde c62aa67d2c Move ui/exit_codes.h to include/ 2023-02-07 10:12:08 +00:00
John Thacker 8cddc32d35 cli: Process IDBs after the final packet record
Process IDBs that are read after the final packet record
returned by wtap_read() in tshark, editcap, and mergecap.

Ping #18449
2023-02-04 13:40:00 +00:00
Guy Harris c788b6b079 tshark: clean up indentation. 2023-02-03 11:36:30 -08:00
Guy Harris 56651c4db1 tshark: fix previous fix for memory leak.
Pass the correct filter variable to warn_about_capture_filter();

Fixes the fix for #18837.
2023-02-03 04:03:15 -08:00
Guy Harris d69208c5e7 tshark: plug a memory leak.
Put the "attempt to compile a filter string as a capture filter" code
into a common routine, and, if the attempt succeeds, free up the
generated capture filter code.

Fixes #18837.
2023-02-03 08:29:44 +00:00
John Thacker 67a01bdf26 wiretap: Preserve NRBs with editcap, mergecap, and tshark
Use a pointer to the growing array of NRBs from the source
file, as with DSBs, so as to handle reading NRBs in the middle
of a file in one-pass mode.

Write NRBs when reading a file with editcap, or in tshark when
not dissecting packets and writing our own NRB. Continue not
to write the NRB if we're supplying our own list of address info
instead.

If we have already read the entire source file in (such as in
two-pass tshark), move all the NRBs to the beginning of the file
before packets, as done with DSBs.

When merging files with mergecap, write both sets of NRBs. (There
is no attempt to merge the NRBs by looking for common entries.)

Check for name resolution data in the middle of dumping a file,
not just at the end, and check for DSBs at the end of a file,
after all the packets. This means that Wireshark no longer writes
the NRB at the very end of the file after all the packets (which
is worse for future one-pass reads), and DSBs after all packets
are preserved.

Ping #15502
2023-01-30 13:29:49 +00:00
Tomasz Moń e7d5c49fe1 epan: Use hash table for dependent frames
Dependent frames list order does not matter and thus significantly
faster data structure can be used. Replace the list with hash table to
avoid excessive CPU usage when opening files containing reassembled
packets consisting of large number of fragments.
2023-01-28 15:17:42 +01:00
Sake Blok f870c6085d epan: Allow nested dependent packets
Save all dependent frames when there are multiple levels
of reassembly.

This is a retry of !6329, combined with the fix in !6509 which
were reverted in !6545.

epan: fix a segfault, introduced in !6329
2023-01-06 23:15:48 +00:00
João Valverde b116ccd6d5 dfilter: Replace compile booleans arguments with a bit flag 2022-11-30 17:36:17 +00:00
João Valverde 84e75be5c6 dfilter: Add optimization flag
When we are just testing code to see if it compiles performing
optimizations is wasteful. Add an option to disable them.
2022-11-30 17:36:17 +00:00
João Valverde a0d77e9329 dfilter: Return an error object instead of string
Return a struct containing error information. This simplifies
the interface to more easily provide richer diagnostics in the future.

Add an error code besides a human-readable error string to allow
checking programmatically for errors in a robust manner. Currently
there is only a generic error code, it is expected to increase
in the future.

Move error location information to the struct. Change callers and
implementation to use the new interface.
2022-11-28 15:46:44 +00:00
João Valverde 3949d289d1 Add log init message to main() 2022-10-08 15:33:47 +00:00
Guy Harris d9e662bc54 Rename some functions and types for endpoint tables.
The "conversation table" mechanism supports two types of tables, one for
the "Conversations" menu item under "Statistics" and one for the
"Endpoints" menu item under "Statistics".  The first of them shows
statistics for conversations at various layers of the networking stack;
the second of them shows statistics for endpoints at various layers of
the networking stack.

The latter is *not* a table of hosts; an endpoint might be a host,
identified by an address at some network level (MAC, IP, etc.), or it
might be a port on a host, identified by an address/port pair.

Some data types, function names, etc. use "host" or "hostlist" or other
terms that imply that an endpoint is a host; change them to speak of
endpoints rather than hosts, using names similar to the corresponding
functions for conversations.

Provide wrapper functions and typedefs for backwards source and binary
compatibility; mark them as deprecated in favor of the new names.

Clean up some comment errors found in the process.
2022-08-23 09:55:14 +00:00
Chuck Craft b60240a8a6 spelling: "two pass" -> two-pass 2022-08-22 10:20:29 +00:00