Rename ascend_seek() to ascend_find_next_packet(), to indicate what it
does; it doesn't seek to an arbitrary place, it tries to find the
starting offset of the next packet when reading sequentially.
Don't have it set the header type - that's the job of the parser.
Don't set the "next packet seek start" when doing random access I/O -
that field is only for sequential I/O, and we don't want random I/O
happening at the same time (which can happen in Wireshark) interfering.
Clean up comments.
Change-Id: I2808479eeec074afa16945ffb577b91d8cb356f7
Reviewed-on: https://code.wireshark.org/review/29975
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Read and seek-read routines shouldn't do that; it causes TShark to
report an error when there was no error.
Change-Id: If564348fa01dce83c6a2317ac56ac8716d514bf7
Reviewed-on: https://code.wireshark.org/review/29972
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's no guarantee that there will be two digits after PRI-XMIT or
PRI-RCV; the capture file in bug 3535, for exmaple, has "PRI-XMIT-0/1"
and "PRI-RCV-0".
Require a minimum of 1, not 2, non-{/(:} characters. Leave the maximum
of 20 in place.
Change-Id: Ie8f8f4ff5eb04baf0ee61bf28015e59a1fa43948
Reviewed-on: https://code.wireshark.org/review/29947
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The "first_free" pointer is currently only increaseed by
ws_buffer_increase_length (unused) and ws_buffer_append (for writes).
Reading into the buffer should not reduce the available space. Otherwise
the next wtap_read_packet_bytes call will reallocate the buffer.
This reallocation is unexpected by some users of cf_read_record and
results in a use-after-free crash following these steps:
1. Open packet capture.
2. Ignore packet.
3. Open context menu, twice.
This crashes because the ByteViewText class points to the buffer which
is reallocated after calling PacketList::getFilterFromRowAndColumn.
Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d
Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.")
Reviewed-on: https://code.wireshark.org/review/29915
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add an sdjournal extcap, which reads journal entries using the
sd-journal API and dumps them as journal Export Format records.
Change-Id: I17ccfa88ab5d053c16c869cd26e580d84022502e
Reviewed-on: https://code.wireshark.org/review/29479
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That puts the two arguments to fill in - the wtap_rec and the Buffer -
together.
Change-Id: I8850a7aaccc98e5acd292e3cebc1f37cee8a6ce7
Reviewed-on: https://code.wireshark.org/review/29946
Reviewed-by: Guy Harris <guy@alum.mit.edu>
wtap_read() clears it for you.
Change-Id: I736509d54ff385e5b80e9393aeb91c6473b02824
Reviewed-on: https://code.wireshark.org/review/29939
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's no need to set *err to 0; it's set by stanag4607_read_file().
There's no need for an intermediate variable to hold the current file
offset; just assign it directly to *data_offset.
Change-Id: I24bd1c349dd48576a65cc36228a680134427bba5
Reviewed-on: https://code.wireshark.org/review/29938
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We shouldn't set any rec_header.syscall_header fields in
pcapng_read_systemd_journal_export_block.
Change-Id: I920accdbcdcdbf6d71324c8d9d6d562511f6a9d1
Reviewed-on: https://code.wireshark.org/review/29895
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Either pcap_process_pseudo_header() returns -1, in which case we fail,
or it returns the exact same value as pcap_get_phdr_size(). If we don't
fail, don't bother to check whether the values are the same.
Change-Id: I18191cc3de2a1c2144ca9b508ed17b2f593fc835
Reviewed-on: https://code.wireshark.org/review/29879
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Keeping them together might increase the likelihood that all of them get
updated when a new pcap/pcapng link-layer type whose pseudo-header is
first processed here rather than by a dissector.
Change-Id: Ia6f45c38e9530b7c6a53d006fbc01b3040e9a014
Reviewed-on: https://code.wireshark.org/review/29868
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Sort the cases to match the order in other routines.
That turned up a missing case for WTAP_ENCAP_NFC_LLCP, so add it.
Change-Id: I500731322ae93c6d2efc368f16cf468f589910f3
Reviewed-on: https://code.wireshark.org/review/29858
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have pcap_read_erf_pseudoheader() do all the work of reading an ERF
pseudo-header.
Add pcap_write_erf_pseudoheader() as a routine to do all the work of
writing an ERF pseudo-header.
Change-Id: If53ae50fcee35a45113ca0f0c64f69848e044cbd
Reviewed-on: https://code.wireshark.org/review/29847
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put the cases in pcap_write_phdr() into the same order as the cases in
pcap_process_pseudo_header().
Doing so revealed that there wasn't a case for WTAP_ENCAP_NFC_LLCP in
pcap_write_phdr(), so NFC LLCP captures wouldn't be saved correctly.
Add pcap_write_llcp_pseudoheader() and use it.
Change-Id: I2728a96e63d2e0606ae0bb480f97fe124ab48d17
Reviewed-on: https://code.wireshark.org/review/29841
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For each pseudo-header type, put a routine to write the pseudo-header
after the routine to read it.
Change-Id: Iffc010c1bf97acc5eb834a388e328ad3c2310351
Reviewed-on: https://code.wireshark.org/review/29840
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not as if 0 means received, 1 means sent, and anything else is
invalid; treat all non-zero values as meaning "sent" when reading, and
write out 1 for "sent".
Change-Id: Iaf5eb327a6b87b893a203475c8730452c51a38e9
Reviewed-on: https://code.wireshark.org/review/29839
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put all the #defines and structure declarations for a particular
pseudo-header before the function to read the pseudo-header.
Change-Id: I11013ff99d72832f49e9bea56dbc07f5cd8618f3
Reviewed-on: https://code.wireshark.org/review/29838
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That centralizes knowledge of the particular pseudo-header into its read
routine.
Change-Id: I4931d03a20a1b648af3ab6b92a034659c55d1ba3
Reviewed-on: https://code.wireshark.org/review/29837
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Either it's TRUE, meaning sent, or it's FALSE, meaning received. Make
it a gboolean and get rid of the #defines for it. ("Unknown" is handled
by the WTAP_ENCAP_ value not *having* a p2p pseudo-header.)
Change-Id: I650d7213523b49e7531d9555a98cde1be519a294
Reviewed-on: https://code.wireshark.org/review/29836
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For file formats, say "pcap/pcapng" or "pcap and pcapng" instead; this
code handles both formats. Use just "pcap_" in structure types.
Change-Id: I2c0e096855ac3736bbfd72480ed4221b3a2f25d1
Reviewed-on: https://code.wireshark.org/review/29835
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not just for X.25, it's for anything that has the notion of Data
Terminal Equipment and Data Communications Equipment; call it "dte_dce",
not "x25".
Change-Id: I3d51fec8b424e91ffd6d59895f50fc5ece791b08
Reviewed-on: https://code.wireshark.org/review/29834
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We always tell pcap_process_pseudo_header() to check to make sure the
pseudo-header isn't bigger than the captured data; no need for a flag
argument to tell it to do so.
Change-Id: I8310bb06a390a7f4a7a232ad140ae07955d52da1
Reviewed-on: https://code.wireshark.org/review/29833
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add the ability to specify maximum function counts for each group to
checkAPIs. Add maximum counts for the "termoutput" and "abort" groups
where needed. Show summaries in various checkAPI targets.
Switch uses of ws_g_warning back to plain g_warning.
Change-Id: I5cbddc8c671729e424eed8551f69116d16491976
Reviewed-on: https://code.wireshark.org/review/29721
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Add a file parser and dissector that can handle the output of
`journalctl -o export`. From here we can add a systemd journal extcap
and possibly support for the JSON and binary formats.
Change-Id: I01576959b2c347ce7ac9aa57cdb5c119c81d61e9
Reviewed-on: https://code.wireshark.org/review/29311
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A CMake config-file package provides support for downstreams using
CMake and Wireshark libraries to easily configure the libwireshark
dependency with:
find_package(Wireshark CONFIG [REQUIRED])
target_link_libraries(foo epan)
The FindWireshark.cmake file is no longer needed.
See cmake-package(7) for more details on CMake's package system.
Change-Id: Ie8af1d44417a99dd08d37959f7b2ffca88572ec2
Reviewed-on: https://code.wireshark.org/review/29208
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Support for writing it in live captures will come later; this change,
but not that one, will be backported so older versions of Wireshark
won't remove it when writing a file out.
Change-Id: I9fd4067991acfd2d18c03d0a373ce8337a9f3a76
Reviewed-on: https://code.wireshark.org/review/29064
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't return an error unless we get a read error. If the line could be
read, but isn't a valid text line, that just means it's not an RFC 7468
text file.
Change-Id: I04f48294cac213cf61b8dcb851b99dc6dd776df8
Reviewed-on: https://code.wireshark.org/review/29039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We call that dissector even for zero-length PSDUs, so the radio
information is shown. We also show the zero-length PSDU type.
We don't call the 802.11 dissector for zero-length PSDU frames.
That way, you don't have to open up the radiotap information to find out
about zero-length PSDU frames, we can support zero-length PSDU
information for other pseudo-headers and file types if they support it,
and taps using the radio information can get zero-length PSDU frame
information.
Change-Id: I7d5da4ea978d8ca4889fc76160f11e3416b4d036
Reviewed-on: https://code.wireshark.org/review/29034
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do some renaming.
Change-Id: If8fa85370014f9618df38d97048dd1c52a4c389f
Reviewed-on: https://code.wireshark.org/review/28918
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have the Wiretap code just do a heuristic test to see if the file looks
like a RFC 7468 file and just had the entire blob of raw file data to
the caller, with an encapsulation type of WTAP_ENCAP_RFC7468.
Have a file-rfc7468.c dissector that processes the lines of the file,
displaying all of them. Have it extract the label from the
pre-encapsulation boundary line, and, after it's decoded the
base64-encoded data lines into a blob of data, try handing the tvbuff
with the blob to dissectors that have registered in the
"pem.preeb_label" dissector table with the appropriate label value, and
hand it to the raw BER dissector only if that fails.
This allows some files to have the content dissected as more than just a
raw blob of BER-encoded data.
Change-Id: I98db9f0beb86e5694fb8e886005a2df4fc96ba71
Reviewed-on: https://code.wireshark.org/review/28914
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Allow forward timestamp deltas up to 1 year, up from 7 days.
Surprisingly this was overly restrictive in some real cases.
Change-Id: I8a4bd1ca791b978aa5d2be40f7f8dd8e23db8837
Reviewed-on: https://code.wireshark.org/review/28882
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Or, at least, use them in the libwiretap file-writing code; we can
change other places to use them as appropriate.
Change-Id: I63af2267a22a158ee23f3359b043913dac0e285b
Reviewed-on: https://code.wireshark.org/review/28783
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Strip off only extensions that correspond to file types we know about;
QFileInfo::baseName() strips off *all* extensions, where "extension" is
"anything preceded by a .", so it turns foo.bar.pcap.gz into foo, not
foo.bar. We don't want that; instead, we strip off only those
extensions that correspond to file types we know how to read, so we'd
strip off .pcap.gz in foo.bar.pcap.gz, and strip off .pcap in
foo.bar.pcap, leaving foo.bar in both cases.
Change-Id: I5385921ad2f0fef815d52e9902fef15735fd9dae
Reviewed-on: https://code.wireshark.org/review/28636
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This should squelch warnings from Ida7b98af8c44a52ddac2c4ab0702db2519a0c4af.
Change-Id: I6803001981c63ddf76a735341ab2cc8dccdb8ab0
Reviewed-on: https://code.wireshark.org/review/28573
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This allows code to initialize them without having to know the details
of the structure; the initializes should, and will, be changed if the
members of the structure are changed.
Change-Id: I93e6ebfcde9ceca17df696fcba4e8410c5afb175
Reviewed-on: https://code.wireshark.org/review/28501
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That makes it a bit clearer that we don't need to initialize it to zero
before the loop.
This fixes a Dead Store (Dead assignement/Dead increment) Warning found
by Clang.
Change-Id: Iabfc4b47a3c6300814492c37ccfb321afd0c54ea
Reviewed-on: https://code.wireshark.org/review/28374
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Multi-configuration generators (such as Xcode or VS) append the current build configuration to most paths (eg. Debug/Release). Currently this results in inconsistent paths for the application bundle and the included command line tools. This commit sets the correct path information for multi-configuration generators for macOS application bundles. The standard Makefile behaviour is untouched.
One Windows specific configuration was changed, as it was conflicting with these changes. This needs to be checked before merging.
Additionally the wrapper scripts are omitted for Xcode, as the path to the binaries depends on the configuration chosen in Xcode. Therefore it is not viable to create these scripts in the cmake run.
Bug: 11816
Change-Id: Ib43d82eb04600a0e2f2b020afb44b579ffc7a7c9
Reviewed-on: https://code.wireshark.org/review/28291
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Guy Harris