HDLC" to try to distinguish Cisco HDLC from PPP packets;
Address-and-Control-Field-Compression can be negotiated on, so there's
no guarantee that PPP frames begin with 0xff 0x03. Fixes bug 2005.
svn path=/trunk/; revision=23535
When trying to open a pcap file with the new pseudo-header/DLT (using SVN
version, changelist 23283) I get the error message:
"libpcap: ERF file has a 13-byte packet, too small to have even an ERF
pseudo-header".
After reviewing Paolo's patch I found that there are 2 places with missing
breaks in switch case structures.
svn path=/trunk/; revision=23298
using modf() and thus not requiring libm. In addition, adding -lm to
the dependencies upsets the build on at least some platforms because
"-lm" isn't a pathname.
svn path=/trunk/; revision=23210
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1751
The patch adds support to wiretap for a new libpcap DLT for bluetooth captures.
This DLT carries the direction information, which now can be displayed
correctly.
The hci H4 dissector is updated to handle also the newly introduced wtap encap.
svn path=/trunk/; revision=23208
This is a replacement of the existing decoding of ERF files (Extensible Record
Format from Endace).
For the decoding of the ERF files, according to the "type of record" given in
the ERF header, several decoders can be used. Up to now, the decoder is
determined according to an environment variable, or with a kind of heuristic.
And, all the treatment is done during the file extraction.
The new architecture will separate the ERF file decoding, and the ERF record
decoding. The ERF records will be decoded with a specific dissector. This
dissector can be configured with options, to replace the environment variable.
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1839
svn path=/trunk/; revision=23092
if there are packets with different encapsulation type in the file.
Otherwise use the encapsulation type of the packets in the file.
This makes it possible to save the imported data as libpcap file
(or any other format that does not support per-packet encapsulation).
svn path=/trunk/; revision=23031
Attached is a small patch that corrects an issue with reading certain IBM
iSeries Comms traces.
Traces where data has been dropped for whatever reason now have the
packet number suffixed with an asterisk "*"; this causes the current
iSeries wiretap routine to report a "bad" header. The attached patch
simply scans the packet number field and removes any "*" characters prior
to scanning; the fact that data may be missing is more than adequately
reported later by current Wireshark packet processing.
Regards .. Martin
svn path=/trunk/; revision=23000
tshark can read a HP-UX nettl IP packet dump (written with 'nettl -traceon all
-entity ns_ls_ip -file dump'), but cannot convert it to a pcap raw IP packet
dump, with 'tshark -r dump.nettl -w dump.pcap'. A single-line patch to
wiretap/libpcap.c makes it possible to do this.
The input file uses encapsulation type WTAP_ENCAP_NETTL_RAW_IP.
svn path=/trunk/; revision=22849
- It accepts the "/" character in interface names
- It accepts EOF as delimiter for the last packet (when there is no more empty line)
svn path=/trunk/; revision=22765
Use G_GINT64_CONSTANT() to make a 64-bit integral constant; not all
compilers we use support LL as a suffix for that (MSVC++ 6, for one).
svn path=/trunk/; revision=22580
This patch adds support for the Juniper NetScreen snoop output format.
It takes a text-dump of the captured packets and parses the headers
and hex-data. Since the snoop files on a Juniper NetScreen can be saved
to a tftp-server, this patch makes it quite easy to use the snoop
function of the Juniper NetScreen firewalls.
/* XXX TODO:
*
* o Create a wiki-page with instruction on how to make tracefiles
* on Juniper NetScreen devices. Also put a few examples up
* on the wiki (Done: wiki-page added 2007-08-03)
*
* o Use the interface names to properly detect the encapsulation
* type (ie adsl packets are now not properly dissected)
* (Done: adsl packets are now correctly seen as PPP, 2007-08-03)
*
* o Pass the interface names and the traffic direction to either
* the frame-structure, a pseudo-header or use PPI. This needs
* to be discussed on the dev-list first
* (Posted a message to wireshark-dev about this 2007-08-03)
*
*/
svn path=/trunk/; revision=22533
1) "-e" isn't supported by good old /bin/sh, so we use "-r"
instead;
2) "The algorithm for determining the precedence of the
operators and the return value that will be generated is
based on the number of arguments presented to test", so we
explicitly parenthesize.
svn path=/trunk/; revision=22448
such as the fact that Flex strips all but the last component of the "-o"
argument, and that it doesn't generate a header file to declare routines
the generated lexical analyzer defines. Use that script when building
lexical analyzers, and, for each lexical analyzer, include the generated
header file in the generated analyzer.
svn path=/trunk/; revision=22446
Makefile.nmake files; currently, it has the (F)lex-to-C rule and a
.SUFFIXES pseudo-rule to add .l to the list of suffixes. Have
Makefile.nmake files with .l.c rules include Makefile.nmake.inc to get
that rule.
The names Makefile.am.inc and Makefile.nmake.inc aren't necessarily the
right names for the files in question.
Use $(PACKAGE) in the Mate plugin's Makefile, rather than "mate".
svn path=/trunk/; revision=22437
Makefile.am files; currently, it has the (F)lex-to-C rule. Have
Makefile.am files with .l.c rules include Makefile.am.inc to get that
rule.
svn path=/trunk/; revision=22436
Move the %options to the beginning if they weren't already there, and
put them in the same order in all files.
Add "prefix=" options to .l files that don't already have them, so we
don't have to pass a "-P" option.
Add "never-interactive" and "noyywrap" options to our lexical analyzers,
to remove extra isatty() checks and to eliminate the need for yywrap()
from the Flex library.
Get rid of %option nostdinit - that's the default.
Add .l.c: rules to Makefile.am files, replacing the rules for specific
.l files. Have those rules all check that $(LEX) is set.
Update the address for the FSF.
svn path=/trunk/; revision=22424
a source release tarball without having Flex (think of a source release
tarball being as much a platform-independent distribution format for
people *not* interested in development, and who are on platforms for
which there aren't binary packages, as a way of getting the source to do
development). Don't check Flex's capabilities in the configure script
(handling reentrant scanners would have to be done differently).
svn path=/trunk/; revision=22414
Its argument, however, needs to be cast to "guchar", so that if the
high-order bit is set, it doesn't get sign-extended.
svn path=/trunk/; revision=22303
The encap_table_base in wcap.c is missing an entry.
This causes e.g. "dumpcap -i usb3 -L" to output:
Data link types (use option -y to set):
USB_LINUX
(MPEG)
svn path=/trunk/; revision=22292
The code for reading ERF files has not been significantly
updated since 2004. This patch brings it up to date with a
number of changes.
1) Increase number of decodable ERF types from 7 to 12. This
covers newer DAG card models and firmware updates.
2) Fix timestamp conversion. Was calculating only microsecond
precision, now displaying with nanosecond resolution. Hardware
precision is 7.5 to 30 ns depending on model.
3) Allow the user to specify HDLC encapsulation as 'chdlc',
'ppp_serial', 'frelay' or 'mtp2'. This is needed because the
ERF HDLC capture formats do not include information on what
protocol is used at the next level. This is currently done via
an environment variable 'ERF_HDLC_ENCAP' and is analogous to the
existing 'ERF_ATM_ENCAP' variable.
If the user does not specify an HDLC encapsulation it tries to
guess, and falls back to MTP2 for backwards compatibility with
Florent's existing behaviour.
I know environment variables are ugly, suggestions are welcome.
4) When reading HDLC captures as MTP2, use
WTAP_ENCAP_MTP2_WITH_PHDR rather than WTAP_ENCAP_MTP2. This
allows us to put the 'Multi-Channel ERF' record 'channel
number' field into the MTP2 pseudo header > 'link_number'
field. This is then displayed in Frame information, and can
be filtered on. (Would be nice if it could be made a display
column?)
Because the ERF record does not specify whether Annex A is used
or not, we pass MTP2_ANNEX_A_USED_UNKNOWN and allow the existing
user preference to decide.
Move the MTP2_ANNEX_A_ definitions into Wiretap, make the annex_a_used
field a guint8, and change MTP2_ANNEX_A_USED_UNKNOWN to 2 so it fits in
a guint8. (This means that if you can save an ERF MTP2 file as a
libpcap file, the pseudo-header will have MTP2_ANNEX_A_USED_UNKNOWN in
it.)
svn path=/trunk/; revision=22067
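The timestamp fix in item 2 of the ERF commit above, as an added example that is not code from that commit. It assumes the ERF timestamp layout (64-bit little-endian fixed point, seconds in the upper 32 bits and a binary fraction of a second in the lower 32), and the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example (not a Wireshark struct). */
struct erf_time {
    uint32_t secs;   /* whole seconds since the Unix epoch */
    uint32_t nsecs;  /* 0 .. 999999999 */
};

/* Assemble the 8-byte little-endian timestamp field of an ERF record. */
static uint64_t erf_ts_from_bytes(const uint8_t b[8])
{
    uint64_t ts = 0;
    for (int i = 7; i >= 0; i--)
        ts = (ts << 8) | b[i];
    return ts;
}

/* Convert the 32.32 fixed-point value to seconds + nanoseconds. */
static struct erf_time erf_ts_to_nsec(uint64_t ts)
{
    struct erf_time t;
    uint64_t frac = ts & 0xffffffffULL;

    /* frac < 2^32 and 10^9 < 2^30, so the product fits in 64 bits. */
    uint64_t scaled = frac * 1000000000ULL;
    scaled += 0x80000000ULL;            /* round to nearest nanosecond */

    t.secs  = (uint32_t)(ts >> 32);
    t.nsecs = (uint32_t)(scaled >> 32);
    if (t.nsecs >= 1000000000U) {       /* rounding carried into seconds */
        t.nsecs -= 1000000000U;
        t.secs++;
    }
    return t;
}

int main(void)
{
    /* Constructed sample: 1000 s plus a fraction of 0x80000000 (0.5 s). */
    const uint8_t raw[8] = { 0x00, 0x00, 0x00, 0x80, 0xe8, 0x03, 0x00, 0x00 };
    struct erf_time t = erf_ts_to_nsec(erf_ts_from_bytes(raw));
    printf("%u.%09u\n", (unsigned)t.secs, (unsigned)t.nsecs);
    return 0;
}
```

The carry branch matters when correlating captures: a fraction of 0xffffffff rounds up to the next whole second, and without the check the nanosecond field would hold an out-of-range value.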
network type; there's no "presumably" about it.
Suggest that "realtick" might have the right time stamp in other cases
(if not, a comment should explicitly indicate that, so that in all cases
where we either know that realtick is wrong or have a lot of evidence to
show that it's right, we note that fact).
svn path=/trunk/; revision=21996
Fix compilation failures when building wireshark-0.99.6-SVN-21916 on an
x86_64-unknown-linux-gnu target with gcc version 4.1.2 20070403 (Red Hat
4.1.2-8).
The failures fall into two categories:
(1) Casts between pointers and 32-bit integers without an intermediary cast
via 'long' or 'unsigned long'. This results in a compiler warning complaining
about casts between a pointer and an integer of a different size.
(2) Passing values to "%lld" or similar printf-style format options that the
compiler thinks are a different size. Such values need to be cast to 'long
long' or 'unsigned long long'.
svn path=/trunk/; revision=21975
possibly-unaligned pointers, and turn on -Wcast-align so at least some
future code that does that will fail to compile.
svn path=/trunk/; revision=21968
what the complete set of warnings we should either try to fix or, for
cases where it can't be fixed, turn off or avoid -Werror for. I'll
revert this change as soon as a complete set of buildbot builds start
with it.
svn path=/trunk/; revision=21917
libraries. A single library is generated with the lex code without the barrier
"stop on warning". Another library is generated from the remaining source
files with the "stop on warning" barrier.
svn path=/trunk/; revision=21817
Since wiretap.h is not autogenerated, just make wtap-plugins.h include
the top level config.h to pull in the defines for HAVE_DIRENT which was
checked at top level
svn path=/trunk/; revision=21707
So far I've done only regression testing (the new functionality and what's in wtap-plugins.c has not yet been tested).
It is a first step in the way to have lua opening files.
svn path=/trunk/; revision=21686
--enable-warnings-as-errors (if any tests enabled by
--enable-extra-gcc-checks are safe to treat as errors, they're safe to
turn on by default).
svn path=/trunk/; revision=21515
on some platforms due to unfixable problems (e.g., crappy vendor
headers), we can move them back to the "extra" list.
Put those warnings in the order in which they appear in the GCC man page
on my machine.
If we turn on -pedantic, try turning on -Wno-long-long as well, so that
it's not *so* pedantic that it rejects the 64-bit integral data types
that we explicitly require.
svn path=/trunk/; revision=21514
Add -Wpointer-arith to the GCC -W flags by default.
Make "extra-gcc-checks" and "warnings-as-errors" --enable flags rather
than --with flags - autoconf's model is that --enable is for turning
features on or off, --with is for enabling or disabling the use of
external packages (libpcap, Net-SNMP, GNU ADNS, etc.).
When testing whether the compiler is GCC, use the same style all the
time - check whether "x$GCC" equals "xyes". (The "x" might be overkill
- if you don't quote the arguments, it avoids a missing argument to
"test"/"[", but if you do, it might not be needed.)
svn path=/trunk/; revision=21492
Check for a case where, conceivably, the on-the-wire packet length (from
the IP header) could be shorter than the captured data length (due to
Ethernet padding), and handle it by making sure the on-the-wire length
is always >= the captured data length.
svn path=/trunk/; revision=21490
static to the module.
Add the older(?) ID tag for MPEG audio.
Just use the ID at the beginning to identify MPEG audio files; don't
check the file any further.
If the read of the magic number doesn't work, get the error, and, if
there is no error (i.e., it's a short read), just return 0 (meaning "no
error, but this isn't that type of file").
Similarly, if the magic number doesn't match, just return 0, so other
types of file are tried.
svn path=/trunk/; revision=21192
(Temporarily disable the warnings as errors default on Unix to get
the buildbots and people with gcc40 going again until those
additional warnings gcc40 generates can be fixed - I'm working on it
ASAP)
Patch for configure.in which disables by default the treatment of
warnings as errors.
It can be enabled with './configure --with-warnings-as-errors'.
The macro will test first if GCC is present. If it's the case,
HAVE_WARNINGS_AS_ERRORS is defined. All the USING_GCC have been replaced
by HAVE_WARNINGS_AS_ERRORS.
With this switch, people won't suffer from unexpected warnings when
downloading svn sources during the transition time ;)
svn path=/trunk/; revision=21153
directory and most of the plugins to match the same command
put in the Makefile.nmake files for Windows compilations. Fix
a few warnings when compiling under gcc 3.4.4 on FreeBSD. Create
new automake file variable called USING_GCC in configure.in and
wiretap/configure.in to accomplish the above -Werror addition.
svn path=/trunk/; revision=21127
remove all compiler warnings:
a) prevent wrong malloc/free definitions by lex/yacc generated files
b) add int/time_t casts - MSVC2005 is more "sensitive" about this than MSVC6
svn path=/trunk/; revision=21078
In the attached patch, the K12 wiretap now saves the content of record
after captured packet data. The K12 dissector then could extract them and provide
useful information to properly dissect FP frames (user plane of UTRAN Iub
interface).
svn path=/trunk/; revision=20749
Kriang Lerdsuwanakij <lerdsuwa@users.sourceforge.net>
I discovered that Wireshark K12xx detects the type of input (E1 timeslot or ATM)
based on the extra information. My previous patch to enable Wireshark to open
K12xx files with no extra information (extra_len equals 0 in SRCDEST record)
failed to give later dissectors the input type.
Attached is the patch to correct this for ATM PVC. It adds VPI/VCI/CID information
for display in the dissected tree (in k12_open function). k12_read and k12_seek_read
are also made more robust. These are reverse engineered based on hexeditor
and constants found in Tektronix configuration file. Please apply the patch.
svn path=/trunk/; revision=20705
Modified to support the header as a pseudo_header rather than as part of
the packet data.
Fixed some calls that fetch data from the USB packet to fetch it in
little-endian byte order.
Got rid of redundant code to get conversation-specific data (the
get_usb_conv_info() call already does that).
For control packets, only parse the setup information if setup_flag is
0.
Don't interpret a control packet as a standard request unless the setup
type is "Standard".
svn path=/trunk/; revision=20632
I found out the reason Wireshark refuses to read some .rf file I have.
Those files have zero extra_len in SRCDEST header structure. See the
attached file for example. It was created by selecting some frames from
a larger .rf5 file (within Tektronix's own reader) and saving as a
separate file.
svn path=/trunk/; revision=20579
32-bit numbers. Separate signed and unsigned accessors have been
added and used where appropriate.
Definitely not for 0.99.5.
svn path=/trunk/; revision=20472
fix this, by providing required functions in the new file file_util.c - it's mostly copied from GLib (g_open alike - that take UTF8 as filename format but don't use msvcrt.dll V6 for this as the glib files do)
"link" to these functions in file_util.h: #define eth_open eth_stdio_open
revert changes (from SVN 20282) throughout the code related to these file functions which were introduced with the first tries of MSVC 2005 ...
Hopefully I've done everything right with the new file_util.c ...
svn path=/trunk/; revision=20402
Wiretap has its own configuration file. Do to its configuration file
what was done to the top-level configuration file.
svn path=/trunk/; revision=20326
used with shared libraries, to fix some error that shows up in some
cases; some Apple documentation recommends it for most shared libraries.
svn path=/trunk/; revision=20312
I posted a patch about 1.5 years ago for the former Ethereal to compile successfully with Visual > 6. I have always successfully used this patched Ethereal/Wireshark compiled with VS 2003 and have just checked when compiled with Visual C++ 2005 Express
svn path=/trunk/; revision=20282
HP-UX 11.31 will add a new nettl trace subsystem, NS_LS_TELNET (ID=267).
NS_LS_TELNET is just raw telnet data. There is no layer 2/3/4 headers, so
there's just the HP-UX nettl record header followed directly by the TCP payload
for a telnet connection. Thus the need for a new wiretap encapsulation type...
svn path=/trunk/; revision=20253
This patch also includes the last issues. Additionally it solves:
- For the SSCOP frames the AAL5 decoding was not performed due to an earlier patch. As a result, no SSCOP message was properly decoded.
- As the detection between a LANE frame and a SSCOP frame is rather hard, a switch within the atm dissector is included which enforces SSCOP dissecting over a LANE frame. At the moment I do not see a better solution for that.
svn path=/trunk/; revision=20013
- The characters between the timestamp and start of data are almost always " l ", optimise memory usage in this case
- Rename hash table for clarity
svn path=/trunk/; revision=19891
Check for an invalid channel frequency. Pass the channel, data rate,
and quality to the 802.11 dissector, so that they show up there
as well. Clean up whitespace.
svn path=/trunk/; revision=19878