Commit Graph

89686 Commits

Author SHA1 Message Date
John Thacker 3b9de4df3d tshark: Cache the interface list
For tshark, cache the interface list the first time it is retrieved,
instead of launching dumpcap once for each interface specified in
the capture options, and when getting each interface's descriptive
name at the start of the capture. If the interface list changes
when in the middle of processing options before the capture starts
we have problems anyway.

On Windows, this means not getting multiple UAC pop-ups if
npcap is installed limited to Administrator privileges.

We can probably do this for the GUI as well, since the command
line options for capture are only parsed at startup.

Fix #16625
2023-11-25 09:32:03 -05:00
John Thacker c62e98c0f5 capture_opts: Don't retrieve the interface list for "-"
If "-" is passed as the interface, don't bother spawning dumpcap
and retrieving the interface list. It's time-consuming and can
spawn a UAC on Windows depending on how NPcap is installed.
Also, set the description of standard input as done in
get_interface_descriptive_name. (We still possibly want to override
it with the -X option later.)

Part of #17721
2023-11-25 08:51:34 -05:00
John Thacker f5cc6ebbe5 ui: Make sure to use user-specified interface descriptions
This check was intended in tshark and elsewhere, but the
user-specified descriptions weren't getting used.
2023-11-25 07:56:53 -05:00
John Thacker a36ec2a2f0 ui: Move the check for the ex-opt for stdin_descr
Move the check for the -X option for stdin_descr to
capture_dev_user_descr_find so that it gets picked up in
the comment field of the Manage Interfaces Dialog. It's
also a user specified description.
2023-11-25 07:17:16 -05:00
John Thacker 74101e73f5 Qt: Plug leak in ManageInterfaceDialog
parent the delegate for the pipe model
2023-11-25 06:53:04 -05:00
John Thacker 13a9f710eb tshark: Remove a useless call to get_interface_descriptive_name
get_interface_descriptive_name is slow, because it retrieves
the interface list. As called in tshark, it doesn't do anything,
because even though it changes interface_opts->descr, the
display_name is still set, so get_iface_list_string doesn't use it.

If the display_name were not set, then get_iface_list_string would
call get_interface_descriptive_name anyway. So either way it's
pointless.

We don't want get_iface_list_string to do extra interface list
retrievals by calling get_interface_descriptive_name in general,
but we probably do want to check the user-supplied description
(via prefs) and special user-supplied description of stdin (via -X),
which capture_opts fill_in_interface_opts_from_ifinfo doesn't do.
As it is, tshark makes extra retrievals of the interface list
and then doesn't do anything with the information.

Related to #16625
2023-11-25 11:24:03 +00:00
Martin Mathieson e508e9364d Fix some item filters 2023-11-25 10:52:39 +00:00
John Thacker 8237070fca ui: Have get_interface_descriptive_name take the capture_options
Instead of always calling capture_interface_list, have
get_interface_descriptive_name take the capture_options (which
we always have when calling it) as a parameter, and use the
get_iface_list() member of that. Generally that is the same
as calling capture_interface_list, but if we cache the interface
list (e.g., when running tshark) it could be different.

We also probably should be looking through the already retrieved
interfaces in ifaces or all_ifaces most of the time before
doing another call to dumpcap, since we call this on interfaces
that are already set up. Passing in the capture_options allows
that change to be made later.

Related to #16625
2023-11-24 10:47:20 -05:00
Chris Brandson 3381725b71 Zigbee fix incorrect endianness on Smart Energy (SE) Tunnel Close Timeout Value
Zigbee values are little endian, however original implementation of Tunnel Close attribute used ENC_NA resulting in incorrect dissection

Cole Wu <colewu9712@gmail.com> provided this fix and data used to verify.
2023-11-24 08:54:04 +00:00
Giovanni Musto 4e8603b604 BLF: Implement a mechanism for linear read 2023-11-24 08:53:33 +00:00
John Thacker 2b18176645 Capture: Fix deserializing single if capabilities on Windows
Our get_json_string does not escape the string passed in as the
key (it expects it already escaped.) This causes issues on Windows.
Also ensure that whenever the error string pointer is passed in that
it gets a message if NULL caps are returned (tshark expects this.)
2023-11-23 19:38:54 -05:00
Giovanni Musto 39ed3527a5 BLF: Use binary search on log containers 2023-11-23 21:11:20 +00:00
John Thacker 0837f2015a wsutil: Warn about passing NULL string to ws_label_strcpy
Don't crash (see #19496) but warn
2023-11-23 21:01:56 +00:00
John Thacker 697f37cf2b Capture: Get our capabilities list in one dumpcap call
Instead of calling dumpcap separately for each interface in
the list, make one dumpcap call.

There's still two calls, one to get the list of interfaces and
one to get the capabilities, which is partly because interfaces
that support monitor mode can indicate support for different
link-layer types depending on whether monitor mode is enabled,
and we have to check per-interface preferences for the name to
see if we want monitor mode.

This roughly doubles the speed to add interfaces at startup
in my testing on Windows and Linux, and should massively
reduce the number of UAC pop-ups when npcap is installed with
restrictions to administrative access.

Fix #16191. Related to #15082 (it improves the number of UACs,
but perhaps they could be reduced even further by having dumpcap
stay open for all the calls in the life of the program.)
2023-11-23 20:27:58 +00:00
John Thacker a8586fde3a gvcp: Don't try to add a NULL string to a column
This was caught as an invalid argument by g_strlcpy before 4.2,
but it was never a good idea.

Fix #19496
2023-11-23 13:47:51 -05:00
John Thacker 8defdda060 Qt: Fix View.. Reset Layout
Update View -> Reset Layout for 898ec16857
2023-11-23 07:32:09 -05:00
João Valverde 1506126169 dfilter: Fix diameter.3GPP-* filters
Manual revert of commit 0e82c6b4b8.

Fixes #19493.
2023-11-23 12:31:38 +00:00
Balint Reczey 2590f82a81 debian: Revert to listing Wireshark Self-made package as the maintainer 2023-11-23 09:22:11 +00:00
Balint Reczey 1b4f3f491d debian: Use strict generated shlibs instead of symbols files
Maintaining the symbols file on the master branch requires extra work,
while ABI stability is promised only on release branches

The shlibs system [1] offers a simpler approach. To ensure that only
compatible packages are installed to work together on the system the
dependencies are tightened in debian/rules.

[1] https://www.debian.org/doc//debian-policy/ch-sharedlibs.html#the-shlibs-system
2023-11-23 09:22:11 +00:00
Daniel McCarney 136ca4287d TLS: recognize ech_required alert
The draft-ietf-tls-esni-17 document[0] defines an update to the IANA TLS
alert registry in Section 11.2[1]:

> IANA is requested to create an entry, ech_required(121) in the
> existing registry for Alerts (defined in [RFC8446]), with the "DTLS-OK"
> column set to "Y".

This commit updates the existing `ssl_31_alert_description` array to
recognize alert 121 as "ECH Required".

[0]: https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17
[1]: https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-11.2
2023-11-23 05:59:08 +00:00
Cal Turney 26630c3587 LBAs are zero-based thus one(1) must be added to them.
The existing Read Capacity sizes in dissect_sbc_readcapacity10()
are displayed in SI rather than Binary Prefix format. Since the
byte capacity sizes are calculated in 1024-byte chunks, they must
be displayed as Binary Prefixes. These abbreviations are now
displayed in the Packet Detail and List panes.
2023-11-23 05:55:43 +00:00
Cal Turney 29445cbfdf iSCSI Read Capacity
1. Updated packet-scsi-sbc.c to try and make Ubuntu happy.
2. packet-tcp.c (from another MR) was accidentally included in this
   MR. The unchanged packet-tcp.c from master has been included in
   this commit.
2023-11-23 05:55:43 +00:00
Cal Turney 3852197510 WIP iSCSI Read Capacity fix for Ubuntu failure
Ubuntu failed pipeline
2023-11-23 05:55:43 +00:00
Cal Turney 99a9d40601 iSCSI Fix LBAs and display Binary Prefix sizes
LBAs are zero-based thus one(1) must be added to them.

The existing Read Capacity sizes in dissect_sbc_readcapacity10()
are displayed in SI rather than Binary Prefix format. Since the
byte capacity sizes are calculated in 1024-byte chunks, they must
be displayed as Binary Prefixes. These abbreviations are now
displayed in the Packet Detail and List panes.
2023-11-23 05:55:43 +00:00
Cal Turney d8b8400c27 TCP: changed "[TCP segment of a reassembled PDU]"
Changed "[TCP segment of a reassembled PDU]"
     to "[TCP PDU reassembled in <frame>]" in the Packet List
This also fixes a bug where "[TCP segment of a reassembled PDU]" was
being displayed in segments that were not reassembled such as in
the case at the end of a capture where all of the segments of a PDU
are not present.
2023-11-23 05:55:43 +00:00
Jaap Keuter 455a21f751 RTCP: Add MCPTT values from TS 24.380 V17.7.0 2023-11-23 05:53:12 +00:00
Chris Brandson 120c5cce8d Fixed typo in zcl temp meas cluster
credit for change goes to Cole Wu <colewu9712@gmail.com>
2023-11-23 00:48:57 +00:00
Martin Mathieson 06d81f7b32 ZBee ZCL Closures: make a function static 2023-11-22 19:05:20 +00:00
John Thacker 30d0165bbd Try to fix tests on ARM64
Windows doesn't like printing to the logs from within pytest,
so lower the log levels a bit here. (The ARM64 build doesn't
seem to have interfaces, which causes a message currently.)
2023-11-22 09:53:00 -05:00
John Thacker e9de042644 Qt: Remember what monitor we last ran on when maximizing
Use Qt's save and restoreGeometry functions when trying to restore
to a maximized window state. Those functions do a better job
tracking on what screen we were maximized. It also will cause
the non-maximized size to be saved and restored even when starting
out maximized, instead of reverting to the default size when leaving
maximization.

Maybe in the future we would want to use these functions for all the
recent geometry handling. We would lose our current pref granularity
allowing size, position, and maximized status to each be saved or not.
(Do we need that?)

There are still some edge cases:
https://bugreports.qt.io/browse/QTBUG-77385
https://bugreports.qt.io/browse/QTBUG-70721
some of which are resolved in the latest Qt, but it's better than
the current handling.

Fix #12389
2023-11-22 08:28:20 -05:00
John Thacker 1fdb2720b1 Qt: Free the old splitter geometry values when saving new ones
Fixup a leak in 898ec16857
2023-11-22 08:05:46 -05:00
John Thacker 898ec16857 Qt: Save the main window QSplitter states and restore them
This is more accurate, because it accounts for the AccordionFrame
being open or closed, than looking at the visible pixel count.
Keep saving the older method that was also used for the GTK UI,
and fallback to it if this fails. That's also useful for a first
run and for people who switch back and forth with older versions.

Fix #19361
2023-11-22 10:03:46 +00:00
David Fort 002b40de89 rdp: fix indentation in file
There were various indentation schema in the file, the patch tries to normalize
things.
2023-11-22 09:26:34 +01:00
David Fort 6ec01c0583 rdp: various fixes and enhancements
This patch adds the parsing of:
* gcc cluster redirection flags
* the dynamic time zone fields in InfoClient PDU
* serverInfo PDU, interpreting the statusInfo

In ClientInfo, clientSessionId is a UINT32 so show it as such.
2023-11-22 09:26:34 +01:00
sofiane degoui 05accf6c9b Zigbee: Add support of window covering cluster 2023-11-22 07:30:50 +00:00
Dylan Ulis c16eaeb014 ENIP: Add TCP/IP Interface service 2023-11-22 07:29:21 +00:00
Dylan Ulis 2e41f52062 CIP Safety: Improve Analysis 2023-11-22 07:27:59 +00:00
John Thacker 0d93782443 dumpcap: Serialize machine readable interface caps as JSON
Serialize the machine readable version of the interface capability
output as JSON, using an array to support multiple interfaces.
When querying multiple interfaces, try all of them, exit with
success (unless unexpected errors occur) and report any per-interface
errors and exit codes inside the JSON rather than stopping after
the first interface with error.

Update capture_get_if_capabilities to process the JSON. It (and
sync_if_capabilities_open) still only query a single interface at a time,
but this will allow modification to handle multiple interfaces at
once later.

Related to #16191, #15082
2023-11-22 07:25:34 +00:00
John Thacker 212cfe132c wsutil: Add wsjson function to get boolean
Add a json_get_boolean to parse booleans out of jsmn primitives
similar to the double parsing function.
2023-11-22 07:25:34 +00:00
Alexis La Goutte 3570a9a219 isakmp: update dh_group value_string with RFC8031 and RFC9385
Add the following new DH groups:

31 	Curve25519 [RFC8031]
32 	Curve448 [RFC8031]
33 	GOST3410_2012_256 [RFC9385]
34 	GOST3410_2012_512 [RFC9385]

https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8
2023-11-22 07:23:08 +00:00
David Perry 24e7627fe4 Change some `wmem_packet_scope()` to `pinfo->pool`
As requested [here][1], help with removing calls to
`wmem_packet_scope()` in favour of references to `pinfo->pool`.

* Plugins chosen semi-alphabetically.
* When a calling function already has a `pinfo` argument, use that.
    * Remove `_U_` from its signature if it was there.
* If a function seems narrowly focused on getting and (possibly)
  returning memory, change the function signature to take a
  `wmem_allocator_t *`.
* If it seems more focused on packet-based operations, pass in a
  `packet_info *` instead and use `pinfo->pool` within.
* Some of the files in this MR still have references to
  `wmem_packet_scope()` where it would take significant work to remove.
  These will need revisiting later.

[1]: https://www.wireshark.org/lists/wireshark-dev/202107/msg00052.html
2023-11-22 07:22:10 +00:00
John Thacker 24c0cba235 doc: Mention rpcap fix in release notes
[skip ci]
2023-11-21 21:03:33 -05:00
John Thacker e425fb606c recent: Remove unused wlan_stats_pane geometry (GTK-only)
The Qt version of WlanStatisticsDialog has never used this.
2023-11-21 17:58:36 -05:00
Alexis La Goutte afb03fa515 GVCP: add ASCII (0x02) to Character Set value_string
Close: #19494
2023-11-21 20:45:45 +01:00
Günther Deschner 69f04acd3d DCERPC: update LSA idl from upstream variant, adds support for new calls
Guenther

Change-Id: I887028e1f87100828c168ee5c5bceaad58c87ed2
Signed-off-by: Guenther Deschner <gd@samba.org>
2023-11-21 14:51:00 +01:00
John Thacker c3548e3005 manuf: Add back the special case for all zeroes
These words from Jörg Mayer are as true today as they were
21 years ago in 49a2f32336,
"I still have yet to see a case when a MAC address starting
with 0:0:0 actually means Xerox", but there are lots of cases
where all zero OUIs, MAC-48s, EUI-64s, etc are used to mean
null.

[skip ci]
2023-11-21 12:31:18 +00:00
John Thacker ff447b1aec Qt: Store active remote hosts in a preference file
Store the active remote hosts in a preference file.
Use JSON because in addition to each host, we later may want
to save the per-interface settings (but the interfaces
available on a host could change without the host information
changing). Hosts and interfaces together have a tree-like data
structure that doesn't work with a UAT or other table.

Still TODO: password handling (cf. #17949 and extcap.), moving
this into a Model instead of a TreeWidget, getting rid of
remote_interface_dialog and handling all of this in
ManageInterfacesDialog through the model.

Fix #17484. Fix #8557.
2023-11-21 08:03:20 +00:00
John Thacker 2fa48bbbd5 Make recent remote interfaces a list
Storing every rpcapd host ever connected to in recent_common seems
unwise. Change it to a list, so we can have a max count and order.
Store the most recent 20. Maybe this could be a pref eventually.

Related to #17484.
2023-11-21 08:03:20 +00:00
Timo Warns ad6947eb71 GNSS: add dissector for EGNOS Message Server (EMS) files
Add dissector for EGNOS Message Server (EMS) files including entries
with EGNOS SBAS navigation messages.
2023-11-21 06:43:40 +00:00
Timo Warns cea4faac39 GNSS: add wiretap for EGNOS Message Server (EMS) files
Add a wiretap implementation for EGNOS Message Server (EMS) files.
2023-11-21 06:43:40 +00:00