"unsigned short", "unsigned int" (or "int", as the items appear to be
unsigned), or "unsigned long".
Convert data to and from the appropriate byte order.
Don't free the private data structure in the dumper's close routine -
"wtap_dump_close()" does that for you.
svn path=/trunk/; revision=8094
the network type being 1 and the byte after it being 2; we assume, for
now, that the network type is 1 byte, and that if the byte after it is
0, the network type is an NDIS type - 1, and if it's 2, it's an NDIS type.
svn path=/trunk/; revision=7973
rathe than the record length minus the record header length, as the
number of available (captured) bytes in the packet. Check to make sure
that value isn't bigger than the record length minus the header length.
Only subtract the 4-byte FCS length from the purported length of the
packet on the wire if that would leave the on-the-wire length >= the
number of captured bytes, so that we can better handle capture files
from programs that produce LANalyzer-format captures where the
on-the-wire length *doesn't* include the FCS.
svn path=/trunk/; revision=7948
is pointless, as it's a 16-bit unsigned quantity. Remove those checks -
but note in a comment that WTAP_MAX_PACKET_SIZE must be at least 65535
(as there might well be link-layer types with packets at least that
large).
svn path=/trunk/; revision=7934
variables the user configures - the user isn't expected to change
GLIB_LIBS or GTK_LIBS, and there's a comment nothing that users
shouldn't have to do so), which contain the appropriate libraries for
building stuff that requires only GLib, and stuff that required GTK+ and
GLib, respectively, and use those macros in the Makefile.nmake files.
svn path=/trunk/; revision=7885
variables the user configures - the user isn't expected to change
GLIB_CFLAGS or GTK_CFLAGS, and there's a comment nothing that users
shouldn't have to do so), which contain the appropriate "/I" flags for
building stuff that requires only GLib, and stuff that required GTK+ and
GLib, respectively, and use those macros in the Makefile.nmake files.
svn path=/trunk/; revision=7884
matched if it succeeds, so that it gets re-read when we read the capture
file - it's a line containing a time stamp for a packet, so we need to
re-read it to get that time stamp.
svn path=/trunk/; revision=7752
line, not the "RCV packet" part, so that we recognize files even if they
don't have an "RCV packet" line in the first 200 lines.
svn path=/trunk/; revision=7699
value for DLT_PFLOG, and that goes along with a change to the link-layer
header for DLT_PFLOG - support both the old and new values and format.
svn path=/trunk/; revision=7676
Following fixes for nettl (HP-UX):
1) Fixed 11.X timestamp issue
there is no difference in 10.X/11.X timestamps, so no
need to shift 11.X timestamps
2) Fixed NS_LS_DRIVER trace record handling
now works rather than throwing "...network type that
Ethereal doesn't support" error
3) Fixed handling of traces with sliced packets (nettl -m xx)
now uses correct packet and capture lengths
4) Additional ethernet card support
now handles btlan[1,3-6],gelan,igelan,intl100 driver
trace records
svn path=/trunk/; revision=7642
Makefile.am:99: `YFLAGS' is a user variable, you should not override it;
Makefile.am:99: use `AM_YFLAGS' instead.
Fix it in the proposed way.
svn path=/trunk/; revision=7582
stuff I sent out in a mail message to somebody asking how to add support
for a new file format, but hopefully it'll get improved by various
contributors over time (hint hint).
svn path=/trunk/; revision=7397
aren't 1/1193000.0 second; the code used to use 1/1193180.0 second, but
at least one capture appears to have units of somewhere around
1/3579540.0 second.
svn path=/trunk/; revision=7388
2 the time stamps are in units of 1/31250000 seconds rather than
nanoseconds - and, by generating Windows Sniffer captures with various
hdr.timeunit values, that for all the non-zero values he tested, the
time stamps for non-gigabit pod captures are in units of 1/1193000
second.
Instead of having a TpS array, just test for the exception value (0 for
non-gigabit pod captures, 2 for gigabit pod captures).
svn path=/trunk/; revision=7380
type for loopback devices; map it to DLT_NULL when reading libpcap files
with a major version of 2 and a minor version of 2, and when capturing
from an "loN" device on AIX.
svn path=/trunk/; revision=7361
rename WTAP_ENCAP_ENC0 to WTAP_ENCAP_ENC.
un-#if 0 out the code to handle the value 109 for DLT_ENC, as I've just
checked in support for DLT_ENC in tcpdump.org libpcap and tcpdump, which
maps DLT_ENC to 109 in the file header.
Give packet-enc.c an RCS ID.
svn path=/trunk/; revision=7323
Add support for the OpenBSD enc(4) encapsulating interface. Add
support for Ethernet over IP (RFC 3378).
Fold Markus' .h files into their respective .c files, add a define to
ipproto.h and use it.
svn path=/trunk/; revision=7310
Add a bunch of capture types discovered by stuffing them into Windows
Sniffer captures and seeing what a Sniffer thought they were. Add
support for writing at least some of them.
svn path=/trunk/; revision=7265
it's a gigabit Ethernet capture, possibly, with special hardware, and
that time stamps have 1000 times the resolution that they have in other
captures (perhaps due to the special hardware having a higher-resolution
clock?).
svn path=/trunk/; revision=7240
Get rid of acconfig.h, as it's an archaism; put descriptions
into AC_DEFINE instead. That squelches some warnings from
later versions of autoconf.
Fix an unquoted call to AC_MSG_ERROR.
Move the stuff to define HAVE_SOME_SNMP into configure.in.
svn path=/trunk/; revision=7203
bytes of padding into the packet (possibly more, as if it's putting
extra stuff in the padding as Shomiti/Finisar Surveyor does, it might be
up to 7). Fortunately, Surveyor puts lots of stuff into the padding, so
we'll crank up the "snoop vs. Surveyor" check to look for 4 or more
bytes.
svn path=/trunk/; revision=7167
that have direction information.
Support writing WTAP_ENCAP_FRELAY_WITH_PHDR and WTAP_ENCAP_PPP_WITH_PHDR
captures out in libpcap format - we throw away the direction
information, but so it goes.
When reading/writing Windows Sniffer format, read and write the
direction flag.
svn path=/trunk/; revision=7052
configure option is given on the command line. The value of the arguement
is passwd in the enableval variable. The 4th argument tells what to do in
case no command line argument was given.
This causes --disable-gtk2 (which is the default) to behave differently
from the case when no option is given.
I do not really understand where the difference in the behaviour of the
generated codes comes from, but I definitely see a difference.
Fixed all occurrences where the 3rd arguement was empty.
svn path=/trunk/; revision=7044
addresses and the protocol type, as supplied by BPF; on Linux, they *do*
have an offset field, as supplied by PF_PACKET sockets. Add a new
WTAP_ENCAP_ARCNET_LINUX, with packets that include the offset field, and
don't dissect an offset in WTAP_ENCAP_ARCNET packets.
Map a libpcap link-layer type of 129 to WTAP_ENCAP_ARCNET_LINUX; that
value was recently assigned to Linux-style ARCNET.
Add some more ARCNET protocol IDs.
For most protocol IDs, dissect an ATA 878.2 fragmentation header; don't
do it for RFC 1051 IP and ARP, and Diagnose packets. Set the length of
the ARCNET protocol tree item appropriately.
Dissect both the RFC 1051 and RFC 1201 styles of IP and ARP over ARCNET,
and dissect the RFC 1201 style of RARP as well.
svn path=/trunk/; revision=6981
indicates the subtype of an "Internetwork analyzer" capture; we've seen
only one such capture, and it was a frame relay capture, so we just wire
it to frame relay for now.
svn path=/trunk/; revision=6923
as it's the major version number.
Try using the first word of "rsvd" to determine whether a capture is an
ISDN capture or not in version 1 captures.
Version 1 captures look as if they might also have a REC_HEADER2 record
- it's longer than the ones in version 4 and 5 captures, but it still
appears to have a network subtype in the 5th byte.
Get rid of the heuristic that checks for WTAP_ENCAP_ISDN by looking at
the packet data; if we fail to recognize an ISDN capture, we should look
for stuff in the headers to determine whether the capture is one or not.
svn path=/trunk/; revision=6894
that flag in the ATM pseudo-header, and use it to determine whether a
frame is a raw cell or a reassembled frame, rather than using the AAL,
as you can have raw AAL5 cells in a capture.
svn path=/trunk/; revision=6889
length of the packet, and the second two bytes are the captured length
of the packet. The old "length" value appears to be the captured length
of the packet as well; perhaps it's to be interpreted as the number of
bytes of data following the packet header (just in case there's padding,
for example).
Treat "ATM/", as an encapsulation string, as RFC 1483 ATM. (It may
actually be raw ATM, but the only capture I've seen had, in the parts I
saw, only RFC 1483 traffic LLC/SNAP traffic.)
There are 8 bytes in front of the LLC/SNAP header in ATM captures; skip
them, for now. (Perhaps they're a pseudo-header, giving VPI/VCI
information and stuff such as that? Or perhaps that's in the record
header?)
svn path=/trunk/; revision=6871
Sniffer format, it doesn't distinguish between LE Control and LANE
encapsulated LAN frames, so we can't rely on the ATM subtype being
correct even when reading DOS Sniffer captures - we force it to
TRAF_ST_LANE_LE_CTRL for LANE frames that begin with 0xff 0x00.
Move the calls to "infer_pkt_encap()" into "fix_pseudo_header()".
svn path=/trunk/; revision=6869
number.
Put in some commented-out code to deal with some end-of-packet crud in
some ISDN captures - not all ISDN captures have it, so we can't
unconditionally slice it out.
svn path=/trunk/; revision=6867
number.
Put in some commented-out code to deal with some end-of-packet crud in
some ISDN captures - not all ISDN captures have it, so we can't
unconditionally slice it out.
svn path=/trunk/; revision=6863
HDLC-flavored encapsulation (or, at least, it was in at least one
capture). Instead, treat it as WTAP_ENCAP_PER_PACKET, and infer the
packet type, as we do for NET_ROUTER.
For NET_ROUTER captures, if the ISDN channel number is zero, infer the
packet type from the contents, rather than wiring it to PPP - it might
be, for example, Cisco or Wellfleet HDLC.
Fix the check for Cisco HDLC to look for 0x0F 0x00 and 0x8F 0x00, as
0x0F, not 0x08, is the unicast address in Cisco HDLC.
When fixing the pseudo-header, fix it for WTAP_ENCAP_WFLEET_HDLC,
WTAP_ENCAP_CHDLC, and WTAP_ENCAP_PPP_WITH_PHDR, as well as for
WTAP_ENCAP_ISDN, as the three ones listed don't use x25.flags, they use
p2p.sent.
svn path=/trunk/; revision=6850
used for the DOS-based ATM Sniffer. (That's not a great name, but I
couldn't think of a better one.)
Add a new WTAP_ENCAP_ATM_PDUS_UNTRUNCATED encapsulation type for capture
files where reassembled frames don't have trailers, such as the AAL5
trailer, chopped off. That's what at least some versions of the
Windows-based ATM Sniffer appear to have.
Map the ATM capture file type for NetXRay captures to
WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, and put in stuff to fill in what we've
reverse-engineered, so far, for the pseudo-header; there's more that
needs to be done on it, e.g. getting the channel, AAL type, and traffic
type (or inferring them if they're not in the packet header).
svn path=/trunk/; revision=6840
Make the "fs" and "flags" fields in type 6 records unsigned, as they are
in other per-frame records - they're probably the same set of flag bits.
svn path=/trunk/; revision=6814
well as Cisco HDLC support. It compiles OK, but I do not claim that it is
not borken.
I will have to add a small dissector that eats the first two bytes and then
calls the Ethernet dissector as well, to complete the work.
svn path=/trunk/; revision=6809
use : 42:f9:02:34:12:66:22:88 instead of 42:d2:00:34:12:66:22:88
We should accept both (perhaps bytes 2 and 3 are a version number ?)
- the code which looks for the "capture start time" is wrong.
Apparently, we should look for the string "Active Time" in the file.
The "frame_date" structure which contains the capture start time is
found 32 bytes before this string.
svn path=/trunk/; revision=6794
Surveyor capture, as there's one link-layer type that UNICOS/mp snoop
treats one way and Shomiti Surveyor treats another way. The only way to
check that is to look at the first record to see how much padding it
has.
svn path=/trunk/; revision=6750
-Wcast-align" to be added to CFLAGS (except in Wiretap, where we already
do "-Wcast-qual"). We don't do them by default, as they produce some
warnings that aren't easy to eliminate; if we figure out how to
eliminate them on all platforms (or at least, on the platforms where you
*can't* eliminate them, reduce them to a low level), we can make those
options the default.
svn path=/trunk/; revision=6689
header.
Add overflow checks to "BYTES_ARE_IN_FRAME()", and cast all arguments to
unsigned values (negative values should never be passed) to squelch
compiler warnings.
svn path=/trunk/; revision=6567
captures.
Use #defines rather than magic numbers for various header sizes, and put
in a comment explaining the header formats.
svn path=/trunk/; revision=6545
WTAP_ENCAP_ISDN encapsulation type, which includes a pseudo-header
giving the direction (user-to-network or network-to-user) and the
channel number.
Add a new circuit type, using the ISDN channel number as the circuit ID.
Add an ISDN dissector to put the direction and channel number into the
protocol tree and to call the appropriate dissector for the payload
based on the channel (LAPD for the D channel; V.120, PPP, or data for B
channels, based on some heuristics).
svn path=/trunk/; revision=6521
unknown bytes might actually be 32-bit fields.
The field after the upper 32 bits of the time stamp of the capture start
appears to be the speed of the network, in bits/second.
Put in a field for the rest of the file header, as a bunch of 32-bit
values (most fields are 32 bits, and all of them might be, in that
header), for use when reverse-engineering.
At least in version 002.x of NetXRay-format captures, WAN captures might
be ISDN captures; treat all WAN version 002.x captures as ISDN captures
for now, until we see some captures where that's wrong (and thus stand a
chance of figuring out where in the file header it indicates what type
of capture it is).
svn path=/trunk/; revision=6519
builds with zlib - "zlib.h", alas, includes <winsock.h>, and you can't
include <winsock.h> before including <winsock2.h> (at least you can
include <winsock2.h> before including <winsock.h>; thank heaven for
small favors).
svn path=/trunk/; revision=6427
gtk2 instead of gtk and glib2 instead of glib.
Right now, --enable-gtk2 will fail during compile unless
acompanied by --disable-ethereal, as ethereal does not yet
support gtk2 (but does support glib2 alone).
svn path=/trunk/; revision=6107
have it get that information from the pseudo-header instead, and set the
VPI and VCI fields in the pseudo-header before calling it.
Don't call it for non-ATM NetMon captures.
svn path=/trunk/; revision=5982
All files:
- Replace types from sys/types.h by those from glib.h
- Replace ntoh family of macros from netinet/in.h and winsock2.h
by g_ntoh family from glib.h
- Remove now unneeded includes of sys/types.h, netinet/in.h and
winsock2.h
wtap.h
Move includes to the top
svn path=/trunk/; revision=5909
Allow "-" as the output file name in Wiretap, referring to the
standard error.
Optimize the capture loop.
Fix some of the error-message printing code in Ethereal and Tethereal.
Have Wiretap check whether it can seek on a file descriptor, and pass
the results of that test to the file-type-specific "open for output"
routine. Have the "open for output" routines for files where we need to
seek when writing the file return an error if seeks don't work.
svn path=/trunk/; revision=5884
offset of the beginning of the first record containing data from that
packet, and the offset from the first byte of data in that record of the
first byte of data from that packet; to read a given packet, seek to the
offset of the first record, and keep processing packets until we find
one with the right direction.
This fixes a problem where it wasn't correctly reading the packet, when
doing random access, in cases where you have a sequence of records that
stop in the middle of a packet.
svn path=/trunk/; revision=5873
DOCSIS support, including support for "Ethernet" captures where
the raw frame is a DOCSIS frame rather than an Ethernet
frame (some Cisco cable-modem head-end gear can send out a
trace of all traffic on an Ethernet, but what it sends are
the raw bytes of DOCSIS frames, not Ethernet frames)
Get rid of second AUTHORS entry for Devin Heitmueller, merging its item
into the older entry.
Clean up the order of some lists of plugin items.
svn path=/trunk/; revision=5861
Don't add "-I/usr/include" to CFLAGS or CPPFLAGS; GCC 3.1 warns
about it, and it's not necessary.
Expand the plugin directory path used for installation at
installation time, rather than configuration time, so the user
can reset "prefix" at installation time.
svn path=/trunk/; revision=5828
<packet32.h> includes <winsock2.h>; we include that rather than
<winsock.h>, to avoid errors due to conflicting declarations in
<winsock.h> and <winsock2.h>.
svn path=/trunk/; revision=5742
types and Wiretap encapsulations after the entries to map between
platform-independent libpcap link-layer types and those Wiretap
encapsulations, so that, when writing a libpcap-format file, we choose
the platform-independent link-layer types.
svn path=/trunk/; revision=5668
In libpcap.c, move wtap_pcap_encap_to_wtap_encap before libpcap_open
so that if HAVE_PCAP_H is not true, the file will still compile.
svn path=/trunk/; revision=5660
Have "wtap_open_offline()", if asked to open a FIFO, return that error
if it was asked to open the file for random access.
svn path=/trunk/; revision=5643
the internal z_err value for the stream if an "fseek()" call it makes
fails, so that if "gzerror()" is subsequently called, it returns Z_OK
rather than an error.
To work around this, we pass "file_seek()" an "int *err", and have the
with-zlib version of "file_seek()" check, if "gzseek()" fails, whether
the return value of "file_error()" is 0 and, if so, have it return
"errno" instead.
svn path=/trunk/; revision=5642
they are, in fact, WTAP_ENCAP_FRELAY. Support 11 as WTAP_ENCAP_FRELAY
if DLT_FR is defined and is equal to 11, and support 107 as
WTAP_ENCAP_FRELAY unconditionally.
Get rid of a comment indicating that 105 isn't used - it's been
supported as DLT_IEEE802_11 for a while.
svn path=/trunk/; revision=5640
is always called before the "close" routine is called, so the "close"
routine doesn't need to free anything that's freed by the
"sequential_close" routine.
svn path=/trunk/; revision=5619
the packets, as the offsets of the frames have been saved by our caller
(because they need them to pass to the random-read routine); add a
sequential_close routine for Netmon files and free up the frame table in
that routine.
svn path=/trunk/; revision=5618
EtherPeek heuristic is a bit stronger, and there's at least one
EtherPeek capture that gets misidentified as a pppdump capture if you
check for pppdump captures first.
svn path=/trunk/; revision=5585
specify them on the command line of Tethereal/editcap/etc. (and to keep
those programs from dropping core when enumerating the names); now that
we can write Windows Sniffer 2.00x-format files, give them a short name.
svn path=/trunk/; revision=5524
Added support for NS_LS_TCP, NS_LS_UDP, NS_LS_LOOPBACK, NS_LS_ICMP and
unnamed subsystem 0xb9 (which contains ethernet headers in my captures frames).
However, NS_LS_ICMP will not be dissected since we dont have a
RAW_ICMP wiretap encapsulation type.
Updated decoding of usec timestamp for HPUX11 since HPUX11 has 0.1us
resolution for the scalar in this field.
YMMV but all these ones works for me from nettl traces from HPUX11.
svn path=/trunk/; revision=5523
A little work still needs to be done on the new NCP dissector -- make
some of the COL_INFO texts more useful, handle a Unicode issue, and
modify some of the cases that use "request conditions".
But the NCP dissector as it stands is very usable now.
Note: I didn't merge in the PROTO_LENGTH_UNTIL_END macro... I wanted
to think about the various possible macros and review an email conversation
I had with Guy on the subject.
svn path=/trunk/; revision=5432
"err" argument is null and return an error code through that argument
only if it isn't, to match what "wtap_dump_close()", which calls those
routines, does.
Put the NetXRay dump routines in order by version number.
svn path=/trunk/; revision=5385
into Wiretap, so that if you read a frame from Wiretap you have what
traffic type information could be gleaned from the information in the
capture file, and can write the frame out to a capture file where the
file contains some or all of that information without having to
determine it outside of Wiretap.
svn path=/trunk/; revision=5314
just an image of the ATM Sniffer data. This means that Ethereal doesn't
have to know any ATM Sniffer-specific details (that's all hidden in
Wiretap), and allows us to add to that pseudo-header fields, traffic
types, etc. unknown to ATM Sniffers.
Have Wiretap map VPI 0/VCI 5 to the signalling AAL - for some capture
files, this might not be necessary, as they may mark all signalling
traffic as such, but, on other platforms, we don't know the AAL, so we
assume AAL5 except for 0/5 traffic. Doing it in Wiretap lets us hide
those details from Ethereal (and lets Ethereal interpret 0/5 traffic as
non-signalling traffic, in case that happens to be what it is).
We may know that traffic is LANE, but not whether it's LE Control or
emulated 802.3/802.5; handle that case.
svn path=/trunk/; revision=5302
comparing with the "size_t" value "ngsniffer->rand.nbytes", rather than
just casting "ngsniffer->rand.nextout" to "unsigned" - if "unsigned" is
shorter than "long", the latter doesn't do what you want.
svn path=/trunk/; revision=5252
"struct x25_phdr" to "wiretap/wtap.h".
Have two X.25 dissectors, one of which assumes that there's a "struct
x25_phdr" pseudo-header and one of which doesn't; the former uses the
information in that pseudo-header to determine whether the packet is
DTE->DCE or DCE->DTE, and the latter assumes it has no clue whether the
packet is DTE->DCE or DCE->TDE. Use the former one in the LAPB
dissector, and the latter one in the XOT dissector and in the LLC
dissector table.
In the X.25-over-TCP dissector, handle multiple X.25 packets per TCP
segment, and handle X.25 packets split across TCP segments.
svn path=/trunk/; revision=5134
the "read" routine, which means it's already had any end-of-frame
padding/FCS removed; we don't need to remove it in the "seek_read"
routine.
svn path=/trunk/; revision=5124
returns radio information such as signal strength, channel, and data
rate in a pseudo-header. Add that pseudo-header.
Use the "802.11 with radio information" encapsulation type for Wireless
Sniffer files; extract the radio information from where it appears to be
in the header.
Add dissector code for that encapsulation type.
Fix an error in the code to put radio information into the AiroPeek
tree.
Make the "wrapped" flag for NetXRay/Windows Sniffer captures a
"gboolean".
svn path=/trunk/; revision=5122
Read in the entire packet, including the padding, and just tell our
caller about the non-padding part; that avoids doing a "file_seek()"
("fseek()"s are inefficient on some platforms, as they flush the
standard I/O buffers and do an "lseek()"), and would also let us supply
the padding to the caller if it turns out it's an FCS rather than
padding.
svn path=/trunk/; revision=5107
as BPF filters return either 0 if they fail or the snapshot length if
they succeed, and a snapshot length of 0 means success is
indistinguishable from failure and the filter expression would reject
all packets.
Now that a snapshot length of 0, inside Ethereal, means "snapshot length
unknown", we have to, when opening a libpcap file for output, make the
snapshot length some non-zero value. We make it WTAP_MAX_PACKET_SIZE,
in case some program uses the snapshot length as a buffer size. (That
doesn't help if there are packets with more than 65535 bytes of data; if
there are, we'd need to raise WTAP_MAX_PACKET_SIZE just to make those
files readable in Ethereal in any case.)
svn path=/trunk/; revision=4905
an "err" argument that points to an "int" into which to put an error
code if it fails.
Check for errors in one call to it, and note that we should do so in
other places.
In the "wtap_seek_read()" call in the TCP graphing code, don't overwrite
"cfile.pseudo_header", and make the buffer into which we read the data
WTAP_MAX_PACKET_SIZE bytes, as it should be.
In some of the file readers for text files, check for errors from the
"parse the record header" and "parse the hex dump" routines when reading
sequentially.
In "csids_seek_read()", fix some calls to "file_error()" to check the
error on the random stream (that being what we're reading).
svn path=/trunk/; revision=4874
For file types where we allocate private data, add "close" routines
where they were missing, to free the private data. Also fix up the code
to clean up after some errors by freeing private data where that wasn't
being done.
Get rid of unused arguments to "wtap_dump_open_finish()".
Fix indentation.
svn path=/trunk/; revision=4857
scripts, and check in changes to add _U_ to some unused arguments (some
other should perhaps be used, so we leave the _U_ out so that the
warnings serve as a reminder to check those).
svn path=/trunk/; revision=4847
In the "configure.in" files, add
-D_U_="__attribute__((unused))"
to CFLAGS if we're using GCC, and add
-D_U_=""
otherwise, so _U_ can be used to mark arguments as unused.
Add -D_U_="" arguments to the Makefile.nmake files as well, so _U_ works
with Microsoft Visual C++ as well.
Add comments and RCS IDs to the Makefile.nmake files that don't already
have them.
svn path=/trunk/; revision=4824
non-existent functions.
Remove the "filetype" argument from the "can_write_encap" functions for
particular capture file types - the argument value is implicit, in that
the routine being called is the routine for that particular file type.
svn path=/trunk/; revision=4823
reading the capture file. Have callers of "wtap_snapshot_length()"
treat a value of 0 as "unknown", and default to WTAP_MAX_PACKET_SIZE (so
that, when writing a capture file in a format that *does* store the
snapshot length, we can at least put *something* in the file).
If we don't know the snapshot length of the current capture file, don't
display a value in the summary window.
Don't use "cfile.snap" as the snapshot length option when capturing -
doing so causes Ethereal to default, when capturing, to the snapshot
length of the last capture file that you read in, rather than to the
snapshot length of the last capture you did (or the initial default of
"no snapshot length").
Redo the "Capture Options" dialog box to group options into sections
with frames around them, and add units to the snapshot length, maximum
file size, and capture duration options, as per a suggestion by Ulf
Lamping. Also add units to the capture count option.
Make the snapshot length, capture count, maximum file size, and capture
duration options into a combination of a check box and a spin button.
If the check box is not checked, the limit in question is inactive
(snapshot length of 65535, no max packet count, no max file size, no max
capture duration); if it's checked, the spinbox specifies the limit.
Default all of the check boxes to "not checked" and all of the spin
boxes to small values.
Use "gtk_toggle_button_get_active()" rather than directly fetching the
state of a check box.
svn path=/trunk/; revision=4709
even if it doesn't have "gzgets()", so one might think we could use it
by using our own replacement for "gzgets()".
One would be wrong to think so, however, as the "gzseek()" it has
doesn't actually work when reading uncompressed files.
zlib 1.0.9 has "gzgets()", and fixes that bug, so we rever to checking
for "gzgets()" rather than "gzseek()", so that we don't accept pre-1.0.9
versions of zlib, and we get rid of our "gzgets()" replacement.
svn path=/trunk/; revision=4702
Digital UNIX, and HP C compilers, and it may not work with other
compilers (due to the GLib problem mentioned in the previous checkin),
so it runs the risk of being an "attractive nuisance", i.e. users may
try it, find it doesn't work, and then send mail to various Ethereal
mailing lists asking about it.
svn path=/trunk/; revision=4640
(This isn't as useful for testing purposes as it is in tcpdump and
libpcap, as GLib is configured based on the compiler used to compile it,
so you can't necessarily build an application using GLib with a compiler
different from the one used to compile GLib, but we'll add it anyway.)
svn path=/trunk/; revision=4637
NetMon 2.0; I don't have any ATM captures *from* NetMon to try it on, so
I don't know what significance the "destination address" and "source
address" fields have, but we can at least read the captures we ourselves
write out, as can NetMon).
svn path=/trunk/; revision=4606
that EtherPeek for Windows uses the same format as EtherPeek for MacOS,
so the code isn't specific to the MacOS version.
Check the physMedium value in the secondary header, and leave a
placeholder for a value of 1, which is presumably used in AiroPeek
captures.
Treat unknown mediaType and physMedium values as indications that we
don't have a *Peek file, not as unsupported *Peek files - we need all
the heuristics we can get.
svn path=/trunk/; revision=4601
formats we can read; include vendor names.
We should be able to read TokenPeek captures, as well as captures from
the Windows versions of EtherPeek.
Don't list the version numbers for EtherPeek and TokenPeek - those are
file format version numbers, not program version numbers.
svn path=/trunk/; revision=4599
data structure attached to the "wtap" structure, rather than in a
pseudo-header structure; get rid of the EtherPeek pseudo-header
structure, as it's not actually used as a pseudo-header, it's just used
as private data for the EtherPeek reader.
Get rid of an extra level of indentation in switch statements.
svn path=/trunk/; revision=4561
in Sniffer Classic files; there's nothing we can do about those
platforms that bit-swap FDDI addresses before handing them to DLPI or
whatever, so we'll just let people live with wrong FDDI addresses (or
maybe someday put in code to bit-swap them before writing them out to
the capture file).
svn path=/trunk/; revision=4519
captures are IP packets, so make the file encapsulation
WTAP_ENCAP_RAW_IP rather than WTAP_ENCAP_PER_PACKET, so you can save
those captures in other formats.
svn path=/trunk/; revision=4503
The second argument to g_ptr_array_free() does not indicate to
glib to free the objects that the pointers in the GPtrArray refer to,
but simply whether or not the free the block of pointers. We have
to free the objects ourselves.
svn path=/trunk/; revision=4391
fix a bogus batch mode inference rule of make, so that
"vc60.pdb" files are created in the proper directory;
delete ".pdb" files in a "nmake -f Makefile.nmake clean";
include the text2pcap and mergecap ".pdb" files in the Windows
binary distribution.
svn path=/trunk/; revision=4385
the "The Compiler and Tools" section on
http://fink.sourceforge.net/doc/porting/basics.php
Do so on MacOS X regardless of whether the compiler is called "gcc" or
not, as that page also indicates that the compiler is installed as "cc".
svn path=/trunk/; revision=4354
files would put a 32-bit quantity on a 16-bit boundary without padding;
this means that many compilers will insert the padding and thus make the
structure not match what's in the file.
Instead of using a C structure, #define values for the offsets of
fields, read the header into an array of bytes, and extract values using
the offsets.
svn path=/trunk/; revision=4334
trying to read the frame table, return -1 with "*err" set to
WTAP_ERR_SHORT_READ, don't return 0 - we've already decided that the
file is a NetMon file, so we shouldn't return a "this isn't a NetMon
file" indication, we should return a "this file is too short" error, as
that's what the problem is.
Fix up the error messages for WTAP_ERR_SHORT_READ to indicate that the
read might have gotten cut short in the middle of data other than a
packet.
svn path=/trunk/; revision=4331
Nisbet.
Make a comment in "wiretap/file.c" clearer, so people know where to put
the entries for their capture file type.
svn path=/trunk/; revision=4328
files to get that big.
From Thomas Wittwer and Matthias Nyffenegger:
Support for "ring buffer mode", wherein there's a ring buffer of N
capture files; as each capture file reaches its maximum size (the ring
buffer works only with a maximum capture file size specified), Ethereal
rolls over to the next capture file in the ring buffer, replacing
whatever packets might be in it with new packets.
svn path=/trunk/; revision=4323
Rename WTAP_ENCAP_PRISM to WTAP_ENCAP_PRISM_HEADER, to match
DLT_PRISM_HEADER.
Add in missing capture support for WTAP_ENCAP_PRISM_HEADER when
capturing with "pcap_open_live()" rather than reading the capture from a
pipe.
svn path=/trunk/; revision=4299
*always* zero, so it won't always work, and it's somewhat gross. The
right answer is "don't use Digital/Tru64 UNIX's tcpdump, use
tcpdump.org's".
svn path=/trunk/; revision=4202
for AIX 5.x's non-standard libpcap, where "pcap_datalink()" doesn't
return DLT_ values, it returns RFC 1573 ifType values.
Put that wrapper, and the routine to get the interface list, in a
separate file, for packet-capture utility routines, so not everybody who
includes "util.h" needs to include <pcap.h>.
Fix up the Wiretap hack for dealing with said incompatibility to use the
correct ifType value for Token Ring.
svn path=/trunk/; revision=4184
No, Nokia *weren't* kind enough to change the major or minor version
number in the capture file when they changed the format, just as they
weren't kind enough to change the magic number.
svn path=/trunk/; revision=4173
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
Update the lists of known capture file formats in the Tethereal,
editcap, and mergecap man pages to match the current list (as found in
the Ethereal man page).
svn path=/trunk/; revision=4039
the specified encapsulation with the specified capture file type, and
that we can allocate a "wtap_dumper *".
If we could do all that, and could create the dump file, but the
file-type-specific create routine fails (e.g., because there's not
enough disk space to write out the header), remove the dump file.
svn path=/trunk/; revision=4032
don't need to check whether zlib has them. We *do*, however, have to
check for "gzseek()", as we don't have our own version of that.
svn path=/trunk/; revision=3963
versions of these commands in file_wrappers.c. This allows us to
compile successfully even on platforms where X has an older zlib built
in.
Removed this restriction from acinclude.m4
svn path=/trunk/; revision=3948
which we store it a "size_t", and then fix up the bugs that were
revealed by the compiler warnings that produced - "fwrite()" returns 0,
not a negative number, on an I/O error.
Fix up some other items to have type "size_t", or to have various
unsigned types, while we're at it, to squelch compiler warnings.
svn path=/trunk/; revision=3867
were just DLPI data link types, and didn't know that the list had
expanded at some point and that Sun *used* some of the new types (e.g.,
in atmsnoop), or decided on their own to go beyond those types to encode
an Oh-So-Useful link speed indication, or just didn't *care* that they
were just DLPI data link types.
Therefore, we have to map Shomiti link types to wiretap types using a
different mapping table. For now, we assume files with a version number
of 2 are snoop files, and version numbers of 3, 4, and 5 are Shomiti
files; Shomiti claims to use a version number of 2 as well, but to
determine whether a file with a version number of 2 is a snoop file or a
Shomiti file requires that we look at the header of the first packet and
assume that if there's more than 3 bytes of padding it's a Shomiti file.
The return value from "fwrite()" is a "size_t"; make the variable into
which we store it a "size_t", and then fix up the bugs that were
revealed by the compiler warnings that produced - "fwrite()" returns 0,
not a negative number, on an I/O error.
svn path=/trunk/; revision=3866
Optimize use of AC_CHECK_FUNC in wiretap/acinclude.m4
Move #include "config.h" to be first include in some files.
From albert chin (china@thewrittenword.com)
svn path=/trunk/; revision=3857
checking for "gzgets()" in zlib.
If there is a "zlib.h" header, and there is a "gzgets()" in zlib, check
whether we find "gzgets()" in zlib when we link with the GTK+ link
flags, and, if not, fail. People often grab XFree86 source and build
and install it on their systems, and they appear sometimes to
misconfigure XFree86 so that, even on systems with zlib, it assumes
there is no zlib, so the XFree86 build process builds and installs its
own "mini-zlib" in the X11 library directory. The "mini-zlib" lacks
"gzgets()", and that's the zlib with which Ethereal gets linked, so the
build of Ethereal fails.
svn path=/trunk/; revision=3849
"--with-pcap", it adds the "include" subdirectory of that directory to
the list of directories to search for include files, rather than adding
the directory itself.
Check whether libpcap defines "pcap_version", and define
HAVE_PCAP_VERSION if it does. Use "pcap_version" iff HAVE_PCAP_VERSION
is defined, rather than special-casing MacOS X.
Don't #define a string for the WinPcap version; just leave
HAVE_PCAP_VERSION undefined on Windows, as WinPcap 2.2beta is out, so we
can no longer assume that the Windows version of Ethereal is using
WinPcap 2.1.
svn path=/trunk/; revision=3792
replace "--with-plugindir" with "--with-plugins", and have the
plugin directory optional - this allows plugins to be disabled;
add "--traditional-cpp" on MacOS X/Darwin (Apple's "cc" compiler
requires it, for some annoying reason, even though it is, as far
as I know, GCC-based, and other GCC's don't require it);
on MacOS X, don't use "pcap_version[]", as, for some annoying
reason, libpcap on MacOS X doesn't define it.
Clean up some whitespace in the help messages for the configure script.
Move the AM_CONDITIONAL for SETUID_INSTALL after the point at which
"enable_setuid_install" is set, as it tests "enable_setuid_install".
svn path=/trunk/; revision=3788
* gcc 3.0 warning fixes:
- text2pcap.c: The number of characters to scan should probably not be 0
- wiretap/csids.c: using preincrement on a variable used on both
sides of an assignment might be undefined by the C99(?) standard
* turn on additional warnings for epan and wiretap too
- epan/configure.in
- wiretap/configure.in
* Fix some warnings (missing includes, signed/unsigned, missing
initializers) found by turning on the warnings
- all other files :-)
svn path=/trunk/; revision=3709
compressed Sniffer files by sequentially moving forward, and we no
longer seek backward by seeking to the beginning and then seeking
forward to the new position, we now seek to the beginning of the
compressed block that contains the target position, if we're not already
in that block, and then move to the appropriate position in that block.
svn path=/trunk/; revision=3658
get from calling "wtap_file()", so get rid of the call and the
(otherwise unused) variable to which its result gets assigned.
That lets us get rid of "wtap_file()" in Wiretap.
It also lets us get rid of the include of "zlib.h" in "file.h"; the
#defines of "file_open()", "filed_open()", and "file_close()" are also
unnecessary, so we get rid of those as well.
However, that means we need to include <zlib.h> in "gtk/main.c" and
"tethereal.c", so that the version number of libz is defined and can
show up in the version string.
svn path=/trunk/; revision=3652
specified to "--with-pcap", add that directory to the include file and
library search paths, so that you can use "--with-pcap=DIR" to search
for libpcap in a directory other than the standard ones (either because
it was installed somewhere other than under "/usr" or "/usr/local", or
because you want to use a special version you've installed rather than
the standard one).
svn path=/trunk/; revision=3611
"-L/usr/local/lib" added to CFLAGS and LDFLAGS merely as a result of
running AM_PATH_GLIB, as 1.2.9 and later don't install headers directly
under "/usr/local/include". Therefore, we have to put
"-I/usr/local/include" into CFLAGS ourselves, just as we do in the
top-level configure script, or we run the risk of not being able to find
other packages (libpcap, zlib, etc.) if it's installed under
"/usr/local".
svn path=/trunk/; revision=3318
that the loop in "lanalyzer_open()" is an infinite loop, so the "return
0;" at the end isn't necessary to suppress a compiler warning with that
compiler - and Sun C not only figures it out, it warns that the
"g_assert_not_reached()" and the "return 0;" are unreachable, so I'll
take them out for now (and put them back if my older GCC at home still
requires it to suppress warnings).
svn path=/trunk/; revision=3310