the top-level directory.
Don't build config.h in the wiretap directory - it now uses config.h
from the top-level directory. Get rid of the template config.h.win32 in
that directory.
Get rid of files that are no longer in the wiretap directory or are no
longer constructed in that directory.
svn path=/trunk/; revision=23797
in Wireshark when reading CommView files. Also write out these values when
coming from a file format with encapsulation type 802.11 with radio.
svn path=/trunk/; revision=23617
used by the mpeg-audio dissector: instead keep the data inside the wiretap
module and add accessor functions. I think this should fix
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1677 and anyway it's
cleaner.
svn path=/trunk/; revision=23612
HDLC" to try to distinguish Cisco HDLC from PPP packets;
Address-and-Control-Field-Compression can be negotiated on, so there's
no guarantee that PPP frames begin with 0xff 0x03. Fixes bug 2005.
svn path=/trunk/; revision=23535
When trying to open a pcap file with the new pseudo-header/DLT (using SVN
version, changelist 23283) I get the error message:
"libpcap: ERF file has a 13-byte packet, too small to have even an ERF
pseudo-header".
After reviewing Paolo's patch I found that there are 2 places with missing
breaks in switch case structures.
svn path=/trunk/; revision=23298
using modf() and thus not requiring libm. In addition, adding -lm to
the dependencies upsets the build on at least some platforms because
"-lm" isn't a pathname.
svn path=/trunk/; revision=23210
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1751
The patch adds support to wiretap for a new libpcap DLT for bluetooth captures.
This DLT carries the direction information, which now can be displayed
correctly.
The hci H4 dissector is updated to handle also the newly introduced wtap encap.
svn path=/trunk/; revision=23208
This is a replacement of the existing decoding of ERF files (Extensible Record
Format from Endace).
For the decoding of the ERF files, according to the "type of record" given in
the ERF header, several decoders can be used. Up to now, the decoder is
determined according to an environment variable, or with a kind of heuristic.
And, all the treatment is done during the file extraction.
The new architecture, will separate the ERF file decoding, and the ERF record
decoding. The ERF records will be decoded with a specific dissector. This
dissector can be configured with options, to replace the environment variable.
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1839
svn path=/trunk/; revision=23092
if there are packets with different encapsulationtype in the file.
Otherwise use the encapsulationtype of the packets in the file.
This makes it possible to save the imported data as libpcap file
(or any other format that does not support per-packet encapsulation).
svn path=/trunk/; revision=23031
Attached is a small patch that correct an issue with reading certain IBM
iSeries Comms traces.
Traces where data has been dropped for whatever reason now have the
packet number suffixed with an asterix "*", this causes the current
iSeries wiretap routine to report a "bad" header. The attached patch
simply scans the packet number field and removes any "* characters prior
to scanning, the fact that data may be missing is more than adequately
reported later by current wireshark packet processing.
Regards .. Martin
svn path=/trunk/; revision=23000
tshark can read a HP-UX nettl IP packet dump (written with 'nettl -traceon all
-entity ns_ls_ip -file dump'), but cannot convert it to a pcap raw IP packet
dump, with 'tshark -r dump.nettl -w dump.pcap'. A single-line patch to
wiretap/libpcap.c makes it possible to do this.
The input file uses encapsulation type WTAP_ENCAP_NETTL_RAW_IP.
svn path=/trunk/; revision=22849
- It accepts the "/" character in interface names
- It accepts EOF as delimiter for the last packet (when there is no more emptyline)
svn path=/trunk/; revision=22765
Use G_GINT64_CONSTANT() to make a 64-bit integral constant; not all
compilers we use support LL as a suffix for that (MSVC++ 6, for one).
svn path=/trunk/; revision=22580
This patch adds support for the Juniper NetScreen snoop output format.
It takes a text-dump op the captured packets and parses the headers
and hex-data. Since the snoop files on a Junpiper NetScreen can be saved
to a tftp-server, this patch makes it quite easy to use the snoop
function of the Juniper NetScreen firewalls.
/* XXX TODO:
*
* o Create a wiki-page with instruction on how to make tracefiles
* on Juniper NetScreen devices. Also put a few examples up
* on the wiki (Done: wiki-page added 2007-08-03)
*
* o Use the interface names to properly detect the encapsulation
* type (ie adsl packets are now not properly dissected)
* (Done: adsl packets are now correctly seen as PPP, 2007-08-03)
*
* o Pass the interface names and the traffic direction to either
* the frame-structure, a pseudo-header or use PPI. This needs
* to be discussed on the dev-list first
* (Posted a message to wireshark-dev abou this 2007-08-03)
*
*/
svn path=/trunk/; revision=22533
1) "-e" isn't supported by good old /bin/sh, so we use "-r"
instead;
2) "The algorithm for determining the precedence of the
operators and the return value that will be generated is
based on the number of arguments presented to test", so we
explicitly parenthesize.
svn path=/trunk/; revision=22448
such as the fact that Flex strips all but the last component of the "-o"
argument, and that it doesn't generate a header file to declare routines
the generated lexical analyzer defines. Use that script when building
lexical analyzers, and, for each lexical analyzer, include the generated
header file in the generated analyzer.
svn path=/trunk/; revision=22446
Makefile.nmake files; currently, it has the (F)lex-to-C rule and a
.SUFFIXES pseudo-rule to add .l to the list of suffixes. Have
Makefile.nmake files with .l.c rules include Makefile.nmake.inc to get
that rule.
The names Makefile.am.inc and Makefile.nmake.inc aren't necessarily the
right names for the files in question.
Use $(PACKAGE) in the Mate plugin's Makefile, rather than "mate".
svn path=/trunk/; revision=22437
Makefile.am files; currently, it has the (F)lex-to-C rule. Have
Makefile.am files with .l.c rules include Makefile.am.inc to get that
rule.
svn path=/trunk/; revision=22436
Move the %options to the beginning if they weren't already there, and
put them in the same order in all files.
Add "prefix=" options to .l files that don't already have them, so we
don't have to pass a "-P" option.
Add "never-interactive" and "noyywrap" options to our lexical analyzers,
to remove extra isatty() checks and to eliminate the need for yywrap()
from the Flex library.
Get rid of %option nostdinit - that's the default.
Add .l.c: rules to Makefile.am files, replacing the rules for specific
.l files. Have those rules all check that $(LEX) is set.
Update the address for the FSF.
svn path=/trunk/; revision=22424
a source release tarball without having Flex (think of a source release
tarball being as much a platform-independent distribution format for
people *not* interested in development, and who are on platforms for
which there aren't binary packages, as a way of getting the source to do
development). Don't check Flex's capabilities in the configure script
(handling reentrant scanners would have to be done differently).
svn path=/trunk/; revision=22414
Its argument, however, needs to be cast to "guchar", so that if the
high-order bit is set, it doesn't get sign-extended.
svn path=/trunk/; revision=22303
The encap_table_base in wcap.c is missing an entry.
This causes e.g. "dumpcap -i usb3 -L" to output:
Data link types (use option -y to set):
USB_LINUX
(MPEG)
svn path=/trunk/; revision=22292
The code for reading ERF files has not been significantly
updated since 2004. This patch brings it up to date with a
number of changes.
1) Increase number of decodable ERF types from 7 to 12. This
covers newer DAG card models and firmware updates.
2) Fix timestamp conversion. Was calculating only microsecond
precision, now displaying with nanosecond resolution. Hardware
precision is 7.5 to 30 ns depending on model.
3) Allow the user to specify HDLC encapsulation as 'chdlc',
'ppp_serial', 'frelay' or 'mtp2'. This is needed because the
ERF HDLC capture formats do not include information on what
protocol is used at the next level. This is currently done via
an environment variable 'ERF_HDLC_ENCAP' and is analagous to the
existing 'ERF_ATM_ENCAP' variable.
If the user does not specify an HDLC encapsulation it tries to
guess, and falls back to MTP2 for backwards compatibility with
Florent's existing behaviour.
I know environment variables are ugly, suggestions are welcome.
4) When reading HDLC captures as MTP2, use
WTAP_ENCAP_MTP2_WITH_PHDR rather than WTAP_ENCAP_MTP2. This
allows us to put the 'Multi-Channel ERF' record 'channel
number' field into the MTP2 pseudo header > 'link_number'
field. This is then displayed in Frame information, and can
be filtered on. (Would be nice if it could be made a display
column?)
Because the ERF record does not specify whether Annex A is used
or not, we pass MTP2_ANNEX_A_USED_UNKNOWN and allow the existing
user preference to decide.
Move the MTP2_ANNEX_A_ definitions into Wiretap, make the annex_a_used
field a guint8, and change MTP2_ANNEX_A_USED_UNKNOWN to 2 so it fits in
a guint8. (This means that if you can save an ERF MTP2 file as a
libpcap file, the pseudo-header will have MTP2_ANNEX_A_USED_UNKNOWN in
it.)
svn path=/trunk/; revision=22067
network type; there's no "presumably" about it.
Suggest that "realtick" might have the right time stamp in other cases
(if not, a comment should explicitly indicate that, so that in all cases
where we either know that realtick is wrong or have a lot of evidence to
show that it's right, we note that fact).
svn path=/trunk/; revision=21996
