This is the first step towards implementing the mechanisms requestd in
bug 8590; currently, we don't return any records other than packet
records from libwiretap, and just ignore non-packet records in the rest
of Wireshark, but this at least gets the ball rolling.
Change-Id: I34a45b54dd361f69fdad1a758d8ca4f42d67d574
Reviewed-on: https://code.wireshark.org/review/1736
Reviewed-by: Guy Harris <guy@alum.mit.edu>
While investigating an ASAN issue (fixed in
commit dcdd076ab0), I got greatly confused
by three different types having the same "interface_data" field name:
* pcapng_t *pn stores an array of interface_data_t objects.
* wtap *wth stores an array of wtapng_if_descr_t objects.
* pcapng_dump_t should store an array of interface_data_t objects.
pcapng_dump_t and friends are unused since
commit c7f1a431d2, so drop it.
To fix the confusion, rename the interface_data_t type to
interface_info_t type and use the local variable "iface_info"
everywhere. Rename interface_data of pcapng_t to "interfaces" and
add a comment what this exactly means (interfaces listed in the capture
file).
Drop the number_of_interfaces field for interfaces as the array
length is already available from GArray. Now interface_data is always
initialized for wth (which also gets copied to idb).
s/int/guint/g and replace cast at some places.
There are no regressions for the in-tree test suite.
Change-Id: I2d5985c9f1e43f8230dbb4a73bd1e243c4858170
Reviewed-on: https://code.wireshark.org/review/1656
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 1abeb277f5.
This isn't building, and looks as if it requires significant work to fix.
Change-Id: I622b1bb243e353e874883a302ab419532b7601f2
Reviewed-on: https://code.wireshark.org/review/1568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Start of refactoring Wiretap and breaking structures down into "generally useful fields for dissection" and "capture specific". Since this in intended as a "base" for Wiretap and Filetap, the "wft" prefix is used for "common" functionality.
The "architectural" changes can be found in cfile.h, wtap.h, wtap-int.h and (new file) wftap-int.h. Most of the other (painstaking) changes were really just the result of compiling those new architecture changes.
bug:9607
Change-Id: Ife858a61760d7a8a03be073546c0e7e582cab2ae
Reviewed-on: https://code.wireshark.org/review/1485
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add an FT_STRINGZPAD type, for null-padded strings (typically
fixed-length fields, where the string can be up to the length of the
field, and is null-padded if it's shorter than that), and use it. Use
IS_FT_STRING() in more cases, so that less code needs to know what types
are string types.
Add a tvb_get_stringzpad() routine, which gets null-padded strings.
Currently, it does the same thing that tvb_get_string_enc() does, but
that might change if we don't store string values as null-terminated
strings.
Change-Id: I46f56e130de8f419a19b56ded914e24cc7518a66
Reviewed-on: https://code.wireshark.org/review/1082
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Since tshark.c was using strdup, perror, and g_main_quit, changes to
the file won't pass checkAPIs; so this commit replaces those with
the approved functions; except strdup, which was unecessary.
Change-Id: I031aa44594f2b96960a45f48537ab4e9a10d34b1
Reviewed-on: https://code.wireshark.org/review/898
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When the '-Y' display filter option is given with a '-2', and a '-w' to write out
the packets, tshark grabs *all* dependent frames in the catprue file, even those
that weren't dependents of a matching packet. Note that this also uses the '-2'
two-pass option, since only two-pass mode writes out dependent frames to begin with.
Change-Id: I17726447bec434ba2566e98fb78893d1331e3056
Reviewed-on: https://code.wireshark.org/review/866
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
This fixes part-1 of bug9931: the uninitialized use of a wtap_pkthdr
struct. The second part of the bug deals with dissectors calling
the Ethernet dissector for ecnapsulated Ethernet packets but using
the wrong dissector handle to do so. That's unrelated to the issue this
commit addresses, so I'm splitting them up.
Change-Id: I87be7b736f82dd74d8c261062f88143372b5344c
Reviewed-on: https://code.wireshark.org/review/848
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There's a relatively new feature in 1.11.3 to select a specific file format
reader, instead of relying on magics or heuristics. If you select a file
reader and open a file, open it, and then click the reload-file button or go
to View->Reload or press the ctrl-R keymap, the file is reloaded but using the
magic/heuristics again instead of the file format reader you previously chose.
Likewise, the Lua relaod() function has the same issue (which is how I found
this problem).
I have tested this change by hand, using a Lua script, but I didn't add it
to the testsuite because I need another change for my test script to work
correctly. (an enhancement rather than a bug fix, which I'll submit separately)
Change-Id: I48c2d9ea443e37fd9d41be43d6b6cd5a866d5b01
Reviewed-on: https://code.wireshark.org/review/764
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Now that we have the ability to choose input file format type
in the GUI, we might as well have it in the command-line too.
Plus it would help me in test-stuies if we had a commandline.
So I've added a '-X read_format:Foo' for this. Using just
'-X read_format:', or with a bad name, will make it print out
the full list (in tshark); just like the '-F' does for output
file formats.
Note: I am *not* putting in code for Win32 GUI,
because I can't compile that and I wouldn't have even
done the GTK one if I could compile Qt originally. (I don't think we need
to add any more features to GTK or Win32, just Qt from now on,
right?)
Change-Id: I2fe6481d186f63bd2303b9e591edf397a2e14b64
Reviewed-on: https://code.wireshark.org/review/493
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The best heuristic can fail, so add possibility to manually choose
capture file format type, so not correctly recognize file format can be
loaded in Wireshark.
On the other side now it is possible to open capture file
as file format to be dissected.
Change-Id: I5a9f662b32ff7e042f753a92eaaa86c6e41f400a
Reviewed-on: https://code.wireshark.org/review/16
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Just as "tshark ... -P -w xxx" writes raw packets to xxx *and* writes
text packet summaries to the standard output, and just as "tshark ...
-V -w xxx" writes raw packets to xxx *and* writes text packet details to
the standard output, so should "tshark ... -T fff -w xxx" write raw
packets to xxx *and* write whatever "-T fff" (and any "-e" options)
specifies to the standard output.
Change-Id: I28ab3a4d48531f297533ec4dfb3742031eb69885
Reviewed-on: https://code.wireshark.org/review/278
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We were using cf->buf in some places and a local variable buf in others;
consistenly use the local variable.
Have a local variable for the struct wtap_pkthdr while we're at it; with
some work we may be able to get rid of the struct wtap_pkthdr and the
Buffer in the capture_file structure.
Change-Id: I4762e22e11ef576be6bf9015450d1a270dd3d16b
Reviewed-on: https://code.wireshark.org/review/178
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rename "SVNPATH" to "GITBRANCH" since that seems more appropriate.
Rename "svnversion.h" to "version.h" as Evan suggested. Update some
URLs. In make-version.pl, make sure we don't set an improper upstream
branch name. Use the number of commits + short hash from `git describe`
for package names by default.
Change-Id: I922bba8d83eabdf49284a119f55b4076bc469b96
Reviewed-on: https://code.wireshark.org/review/139
Reviewed-by: Gerald Combs <gerald@wireshark.org>
willing to read or that's bigger than will fit in the file format;
instead, report an error.
For the "I can't write a packet of that type in that file type" error,
report the file type in question.
svn path=/trunk/; revision=54882
declares the functions must be included, in order to make sure the
declarations match the function signature. Make it so.
Said header declares pipe_input_cb_t, so we don't have to do it
ourselves.
svn path=/trunk/; revision=54750
the code to scan for them uses those routines.
This means epan_init() no longer takes those routines as arguments -
which is just as well, given that the mechanism in question is no longer
part of libwireshark, but is part of libwsutil.
This should fix bug 9508.
svn path=/trunk/; revision=53796
knowledge of particular types of plugins. Instead, let particular types
of plugins register with the common plugin code, giving a name and a
routine to recognize that type of plugin.
In particular applications, only process the relevant plugin types.
Add a Makefile.common to the codecs directory.
svn path=/trunk/; revision=53710
header type fails, as we might be capturing on more than one interface.
Report the failing interface name in single quotes in some places where
we weren't doing so, for stylistic consistency.
svn path=/trunk/; revision=53593
subtypes, e.g. Network Monitor version 1 and Network Monitor version 2
are separate "file types", even though they both come from Network
Monitor.
Rename various functions, #defines, and variables appropriately.
svn path=/trunk/; revision=53166
In the process, fix various man page descriptions of the -t flag,
and add support for UTC absolute times in the iousers and iostat TShark
taps.
svn path=/trunk/; revision=53114
Add tshark -G column-formats report and document the missing ftypes, heuristic-decodes and plugins reports.
From me: Sort the reports. Add modelines to epan/column.c. Minor whitespace changes.
svn path=/trunk/; revision=52627
After calling wtap_close(), set the wth to NULL so we don't try to close it
again later. (The core only happens when tshark isn't keeping up with dumpcap's
file rotation.)
Wireshark still has a problem but it's a different one.
svn path=/trunk/; revision=52493
thing as the display filter (-Y) in that case except with more confusing
semantics.
This also lets us fix -c in the single-pass case to unconditionally count
packets. This isn't the old behaviour (which counted them only if they passed
the read filter) but is more consistent with two-pass mode where they are
counted even if they pass the display filter, since they are counted on the
first pass and the display filter is applied on the second pass.
Anyone who wants to use -c to limit packet count conditionally on them passing a
filter should use it in tandem with -2 and -R: the read filter is applied on the
first pass before the count.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9048
svn path=/trunk/; revision=51556
The limits are enforced during the first pass, and frames that get dropped from
the first pass for this reason aren't available to the second pass at all, so
checking again is redundant.
svn path=/trunk/; revision=51460
Make epan_free a no-op if the pointer is NULL. This fixes 99% of the cases
causing problems for wmem_leave_file_scope() - remove that XXX comment and add
back the assertion.
Remove the cleanup_dissection call from epan_cleanup, it doesn't make sense
there. init_dissection is only called from epan_new, so cleanup_dissection
should only be called from epan_free.
Add one missing epan_free call to tshark revealed by the above changes.
svn path=/trunk/; revision=51342
packet information to a terminal (which we assume is the same terminal
as the one to which the packet counts are being printed), as they get in
the way of each other.
Don't print it if we're sending the standard error to a terminal, or if
-q is specified, either.
Put all the setting of print_packet_counts together; it looks as if the
default value of print_packet_counts may have been changed to TRUE and
the code to handle -q wasn't changed to set it to FALSE if -q was
specified rather than setting it to TRUE if it wasn't specified.
svn path=/trunk/; revision=51227
as long options, and thus identified with numbers rather than option
letters as the return value of getopt_long(), we now have to include
capture_opts.h even if we're *not* building with libpcap, to provide
#defines for those numbers.
svn path=/trunk/; revision=51115
Original (read from file) comments can be accessed by pkthdr->opt_comment
Keep user comments in seperated BST, add new method for epan session to get it.
svn path=/trunk/; revision=51090
Remove ->prev_cap, for testing purpose also replace ->prev_dis with number of previously displayed frame number.
This patch reduce size of frame_data by 8B (amd64)
This is what (I think) was suggested by Guy in comment 13 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5821#c13)
svn path=/trunk/; revision=50765
This patch augments Wireshark's and tshark's augument usage reports (-? and
-t?) and the Wireshark and tshark man pages to list all available timestamp
options available for the -t option.
svn path=/trunk/; revision=50445
... as per the XXX comment removed from tshark.c this was a mess to keep the linker
happy... I couldn't!
I did this without even understanding whether calling main_window_update was realy
necessary in most cases. I guess nothing or more specific update cbs would be best.
svn path=/trunk/; revision=50188
as the "where to put the packet data" argument.
This lets more of the libwiretap code be common between the read and
seek-read code paths, and also allows for more flexibility in the "fill
in the data" path - we can expand the buffer as needed in both cases.
svn path=/trunk/; revision=49949
If we're not doing dissection (in 2-pass mode) then don't try to mark frames
as depended upon: in that case epan has not been initialized so we shouldn't
be looking in the edt (and anyway without dissection there won't be any
dependent frames).
(I'm not convinced there's any reason to run 2-pass mode without dissection,
however...)
svn path=/trunk/; revision=49554
capture_sync.c, not from capture.c, so they should be declared in
capture_sync.h, so callers that use the capture_sync.c stuff but not the
capture.c stuff - such as TShark - get the declarations and get their
implementations compared with the signatures that they should have.
Doing so points out that some of them in TShark *don't*, so fix that.
svn path=/trunk/; revision=49517
it into a separate capture_session structure. capture_opts should
contain only user-specified option information (and stuff directly
derived from it, such as the "capturing from a pipe" flag).
svn path=/trunk/; revision=49493
than the standard error.
In Wireshark on Windows, create a console before doing so and destroy it
before exiting. Don't do that in TShark or dumpcap, as those are
console-mode programs on Windows.
This should fix bug 8609 and still allow "wireshark -D" and "wireshark
-L" to work when the standard output isn't redirected.
svn path=/trunk/; revision=49025
Add a 2-pass display-filter flag to tshark so that reassembly and other forward-
looking dissections can be used with filters.
It's a bit of a hack, but this entire area of 2-pass analysis etc. is a giant
pile of hacks to begin with and needs cleaning up. For now just having this
feature is a big enough win.
svn path=/trunk/; revision=48589
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7530
The frame_data_cleanup function was ambiguous; it was being used for two
different purposes, and did neither of them quite properly. Split it instead
into frame_data_reset and frame_data_destroy, and call the correct one depending
on why we were originally calling frame_data_cleanup.
svn path=/trunk/; revision=48324
When doing second pass tshark, packet data is read to cf->pd (and not already freed cf->wth buffer).
Writting files with two pass analysis never worked, buggy since introducing two pass analysis in r30076.
svn path=/trunk/; revision=47851
is running" mutex. Have the NSIS installer check for this mutex and ask
the user to close Wireshark if it's found. While not perfect this makes
the WinSparkle update process much less annoying.
svn path=/trunk/; revision=47758
information to crash dumps and the like. (Currently, we only handle OS
X's CrashReporter, but we should do this on other platforms where this
information can be added and would be helpful.)
White space tweaks.
svn path=/trunk/; revision=47104
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
sizeof.
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
strtol() and strtoul().
Change some data types to avoid those implicit conversion warnings.
When assigning a constant to a float, make sure the constant isn't a
double, by appending "f" to the constant.
Constify a bunch of variables, parameters, and return values to
eliminate warnings due to strings being given const qualifiers. Cast
away those warnings in some cases where an API we don't control forces
us to do so.
Enable a bunch of additional warnings by default. Note why at least
some of the other warnings aren't enabled.
randpkt.c and text2pcap.c are used to build programs, so they don't need
to be in EXTRA_DIST.
If the user specifies --enable-warnings-as-errors, add -Werror *even if
the user specified --enable-extra-gcc-flags; assume they know what
they're doing and are willing to have the compile fail due to the extra
GCC warnings being treated as errors.
svn path=/trunk/; revision=46748
Add that option to tshark, too, and document it.
The option can't be given to Wireshark because the GUI already has a "-g"
(goto packet).
svn path=/trunk/; revision=46513
called. (cf_open() calls init_dissection() which, since r45511,
re-initializes the name resolution database.)
Complain if the user gives an invalid argument to "-W".
Specify the invalid argument if we don't like a "-z" argument.
svn path=/trunk/; revision=46238
should be used (on success, have it return 0). Exit with that exit
status; if the problem is that we couldn't get the interface list or if
there are no interfaces in that list, return 2, as that's not a
command-line syntax error.
svn path=/trunk/; revision=46108
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
Guy Harris