Commit graph

2399 commits

Author SHA1 Message Date
John Thacker
7cffcbfdec doc: Keep dissection options alphabetized
Keep the list of dissection options alphabetized, which
commit af0691342b upset.
2023-08-09 05:42:38 -04:00
Juanma Sanchez
af0691342b Add --only-protocols and --disable-all-protocols to tshark and rawshark.
--disable-all-protocols will mark all protocols as disabled by default,
and then disable them. Certain protocols can then be enabled one by one
by using --enable-protocol.

--only-protocols is a helper option to make it easier to enable only
certain protocols. It's equivalent to passing --disable-all-protocols and
then several --enable-protocol options. It accepts a comma separated
list of protocols. First all protocols will be disabled, and then all
protocols included in the list will be enabled one by one.

Side-note, it wouldn't make much sense to enable only "tcp" for example
without enabling the protocols in the lower layers (e.g: eth, sll, ip,
ipv6). In this case, something like --only-protocols eth,sll,ip,ipv6,tcp
will generally be needed in order to make sure that TCP is decoded.

Signed-off-by: Juanma Sanchez <juasanch@redhat.com>
2023-08-08 21:54:37 +00:00
Markku Leiniö
c9daa6b656 WSUG: Documentation updates
- Update the 'File Set - List Files' and import dialog images
- Add missing boldings in options in TShark man page
2023-08-05 23:56:19 +00:00
Gerald Combs
6897e5cd04 Docs: Document tshark -G {manuf,services,enterprises}
Add manuf, services, and enterprises to the `-G` section in the tshark
man page.
2023-07-28 17:43:16 +00:00
John Thacker
1b82eda9eb epan: Register dynamic column fields and make them filterable
Make the text of each registered column a FT_STRING field that can be
filtered, prefixed with _ws.col - these work in display filters, filters
in taps, coloring rules, Wireshark read filters, and in the -Y, -R, -e,
and -j options to tshark. Use them as the default "Apply as Filter" value
for the columns that aren't handled by anything else currently.

Because only the column formats that actually correspond to columns
get filled in (invisible columns work), register and deregister the
fields when the columns change.

Use the lower case version of the rest of the COL_* define for each
column as the field name.

This adds a number of conditions to "when are the columns needed",
including when the main display filter or any filter on a tap is
using one of these fields.

Custom columns are currently not implemented. For custom columns, the
tree then has to be further primed with any fields used by the custom
columns as well. (Perhaps that should happen in epan_dissect_run() -
are there any cases where we construct the columns and don't want to
prime with any field that custom columns contains? Possibly in taps
that we know only use built-in columns.)

Thus, for performance reasons, you're better off matching an ordinary
field if possible; it takes extra time to generate the columns and many
of them are numeric types. (Note that you can always convert a non-string
field to a string field if you want regex matching, consult the
*wireshark-filter(4)* man page.) It does save a bit on typing (especially
for a multifield custom column) and remembering the column title might
be easier in some cases.

The columns are set before the color filters, which means that you
can have a color filter that depends on a built-in column like Info or
Protocol.

Remove the special handling for the -e option to tshark. Note that
the behavior is a little different now, because fixed field names
are used instead of the titles (using the titles allowed illegal
filter names, because it wasn't going through the filter engine.)
For default names, this means that they're no longer capitalized,
so "_ws.col.info" instead of "_ws.col.Info" - hopefully a small
price in exchange for the filters working everywhere.

The output format for -T fields remains the same; all that special
handling is removed (except for remembering if someone asked for
a column field to know that columns should be constructed.)

They're also set before the postdissectors, so postdissectors can
have access.

Anything that depends on whether a packet and previous packets are
displayed (COL_DELTA_TIME_DIS or COL_CUMULATIVE_BYTES) doesn't work
the way most people expect, so don't register fields for those.
(The same is already true of color filters that use those, along with
color filters that use the color filter fields.)

Fix #16576. Fix #17971. Fix #4684. Fix #13491. Fix #13941.
2023-07-25 00:49:52 +00:00
João Valverde
0e82c6b4b8 dfilter: Remove limitation using subtraction
Remove the requirement for a space character to precede a
minus token.

Fixes #19189.
2023-07-07 23:04:31 +01:00
Martin Mathieson
dd9dfff118 Fix some spelling errors
2023-07-05 14:46:14 +01:00
João Valverde
bd25b9f4cd dfilter: Make string slices return an FT_STRING
Allow string slices (indexing) to work with internationalized
strings. The old behavior of indexing on byte boundaries can
be obtained using raw slices.
2023-06-26 00:46:18 +00:00
John Thacker
456d6f49bd doc: Remove stray sentence fragment
Remove a stray (and redundant) sentence fragment from the
tshark man page, presumably left from a draft rewrite.

[skip ci]
2023-06-23 11:05:56 +00:00
Guy Harris
8d7cc70a03 Add "-G dissectors" to TShark, to dump the registered dissectors.
Fix a comment while we're at it.
2023-06-22 00:10:04 -07:00
David Perry
8e5f503267 Use register_dissector() in doc/README.dissector
Document `register_dissector()` and
`register_dissector_with_description()` as being preferable alternatives
to `create_dissector_handle()` in doc/README.dissector.

Update the examples in that file which were taken from `packet-hartip.c`
and `packet-dnp.c` to reflect changes in those files made since writing.

One small step toward addressing #5612
2023-06-14 19:47:16 +00:00
David Perry
80ae370811 Allow disabling unused dissectors from PHS dialog
2023-06-13 17:12:26 +00:00
Gerald Combs
591f89d785 Add a script to convert GLib types to their C equivalents
Convert wsutil/802_11-utils.[ch] as a test.

Update some of our documentation.

Ping #19116
2023-06-12 17:32:56 +00:00
David Perry
1bd8e05f54 tshark: show field abbrevs matching a prefix
2023-06-11 20:16:03 +00:00
John Thacker
1744ce4a0f epan: Add ENC_BOM modifier for UTF-16, UCS-2, UCS-4
Add ENC_BOM to the list of bitflag modifiers, and use it with
UTF-16, UCS-2, and UCS-4 (UTF-32). If set, this means that the
first 2 (or 4) octets, if present, are checked to see if they are
a Big-Endian BYTE ORDER MARK ("ZERO WIDTH NON-BREAKING SPACE"). If so,
those octets are skipped and the encoding is set to Little-Endian
or Big-Endian depending on endianness of the BOM.

If the BOM is absent, the passed in Endianness flag is used normally.

Related to #17991
2023-06-08 11:25:54 +00:00
John Thacker
1cdebcd80c randpkt: Support different capture formats, default to pcapng
Related to #18009 - Have randpkt default to pcapng, allow selecting
a different capture file format via the common -F option that other
command line tools use, and document it.

For the randpktdump extcap, just use pcapng.

This fixes --all-random, because --all-random requires different
encapsulation per packet. It also fixes the related -r option to
randpkt (though note that picking a file format that doesn't support
ENCAP_PER_PACKET with -r causes problems.)

Document -r in the randpkt man page.

Fix #18944
2023-06-03 13:45:20 -04:00
John Thacker
81f20645d0 tshark: Document -T fields escaping, allow it to be turned off
Allow the escaping of whitespace characters and backspace with
the -T fields options to be disabled. There may be some use
cases (particularly for redirected output instead of viewing at
a terminal) for not escaping, particularly since escaping makes
it difficult to distinguish a literal "\n" from an escaped newline.

Document this option, which also documents the escaping behavior.

Also add vertical tab to the list of escaped characters, for the
same reason as the others.

Fix #15796
2023-06-03 13:00:13 +00:00
Guy Harris
9ef9fbeddf dumpcap(1): update some old "pcap as default format" text.
Speak of dumpcap writing a "capture file" rather than a "pcap file".

Use .pcapng rather than .pcap as the extension in sample capture file
names.

In the description of the -i option, explicitly mention the -P option as
being overridden if more than one -i option is specified.
2023-05-18 11:45:02 +00:00
John Thacker
9ea2b3db5e epan: Implement EBCDIC CP 500, for DRDA
EBCDIC Code Page 500 has exactly the same repertoire as CP 037,
covering all of ISO-8859-1, but has 7 bytes permuted. It is
the default code page for DRDA; use it there.
2023-04-26 12:30:46 +00:00
Jaap Keuter
872285a643 Doc: complete list of field types
2023-04-25 18:36:53 +00:00
Martin Mathieson
a14f437aed README.dissector - some trivial edits
2023-04-12 09:47:09 +00:00
Gerald Combs
1ffff913de wsutil: Switch away from G_MODULE_SUFFIX and g_module_build_path
GLib 2.76 deprecated G_MODULE_SUFFIX, so just use ".dll" on Windows and
".so" elsewhere. It also deprecated g_module_build_path, so just use
g_strconcat.

ws_module_open was only used to open wpcap.dll, so rename it to
load_wpcap_module.
2023-04-11 22:54:27 +00:00
Martin Mathieson
50d9fe7c6e Some updates to README.developer
2023-04-08 16:59:09 +00:00
John Thacker
79812ca110 MaxMindDB: Move pref to Name Resolution prefs
Move MaxMind lookups to a global Name Resolution preference.
That's a bit of a misnomer (it's not name resolution, but it
is using external sources of data to update information about
a network object), but the MaxMind DB path location is already there.

This means that MaxMind lookups can be disabled with the '-n'
option, and enabled with a 'g' for the '-N' option. This is
significant for tshark, because MaxMind lookups are now synchronous.

Disabling the new global preference also keeps the Endpoints window
from doing MaxMind lookups; currently, even if the IPv4 and IPv6 GeoIP
prefs are disabled the data is still looked up and inserted in the
Endpoints window.

Fix #14692
2023-04-07 00:31:37 +00:00
John Thacker
86a84b15ad rawshark: Use the common dissection options
Use the common dissection options processing for rawshark.
This means that the error message for resolving options includes
all the possible resolving options (e.g. instead of omitting VLAN).

This adds support for the other options, which generally make sense,
like enabling and disabling protocols and heuristics.

The only option that isn't supported is the Decode As option, only
because '-d' is used by rawshark for its payload link layer type /
dissector selection.
2023-04-01 11:51:04 +00:00
Preben Guldberg
0b538b3205 Allow specifying subsecond granularity with tshark -t
Implements suggestion in issue #18714.

Proposed syntax for setting subsecond precision is "tshark -t adoy.3" for
millisecond accuracy in output. Using a dot separator indicates the precision
of what follows the dot in the output.

The following tshark -t combinations are supported:

1. Specifying just the format with e.g. "-t a" and defaulting the precision.
2. Specifying both format and precision, with "-t ad.2" or "-t ad -t .2".
3. Specifying only the precision with "-t .6" and defaulting format.
4. Use "-t a." or even "-t ." to specify auto precision from trace.

The latter use case is particularly useful with wireshark/logray.

Using a dot like this avoids introducing a new command line option.
2023-03-31 08:15:28 +02:00
John Thacker
5f79416a54 doc: Document the common dissection options together
Add docs/dissection-options.adoc as a snippet similar to
diagnostic-options.adoc to try to keep the man pages consistent
between dissecting programs and provide some logical separation
to avoid overwhelming a user with the huge list of options.
Use it for tshark and wireshark.

Continue to have more Decode As examples on the tshark page,
but have (in the HTML version) the cross-reference from the
wireshark page to the tshark Decode As examples link to an
anchor to the examples.

Make the name resolution option description accurate.
2023-03-26 13:44:37 +00:00
John Thacker
1c0a094e93 docs: Remove references to printing preferences
The printing preferences were removed in 586ad18159.
Remove references to them from the man page.
2023-03-24 17:19:11 -04:00
John Thacker
5426af1492 doc: Don't refer to tvb_get_faked_unicode
tvb_get_faked_unicode hasn't existed for nine years. Recommend
tvb_get_string_enc() instead.
2023-03-19 21:14:12 +00:00
John Thacker
f0712606a3 capture: Set update interval in capture opts, default to 100ms
Reduce the default update interval for dumpcap to notify its parent
of new packets (or to check if we've met file duration, etc.) from
500 ms to 100 ms, and put in the capture options.

This makes the GUI appear to update more in real time rather than
in visible batches of packets.

This also reduces the amount of ring buffer space needed in cases
where we're doing dissection, and dissection is able to keep up,
but the files can be deleted before tshark gets to them because of
the notification lag. (See #1650.)
2023-03-14 08:43:32 +00:00
15ed53005b minor README.dissector updates/fixes
2023-03-14 08:42:13 +00:00
Jaap Keuter
9641a960c1 Manpage: dumpcap does not handle predef for capture filters.
Closes #18808
2023-03-12 15:53:21 +00:00
John Thacker
33ed5200a2 docs: Grammar
Fix a couple of cases of using "it's" instead of "its" for the possessive.
2023-03-06 08:47:09 -05:00
John Thacker
a5bdae177e docs: Update Windows temporary directory location in manpages
Update the example typical location for the temporary directory
on Windows in the manpages to something newer than where Windows NT
or Windows 98 might put it.

Fix #18463
2023-03-05 17:52:08 +00:00
John Thacker
736ed83000 docs: Document wmem in Developer's Guide
Add information from the Wiki Development/Tips page and from
README.wmem to the Developer's Guide.

Also fix a small typo in README.wmem.

Fix #17126
2023-03-05 02:23:32 +00:00
João Valverde
a2bc5bd012 doc: Update header preamble for dissector skeleton
2023-02-22 07:09:36 +00:00
Jaap Keuter
455b9a470f sshdump: add capability to use doas on remote host
2023-02-19 13:41:24 +00:00
Jaap Keuter
864e8f1f5f Man: Update extcap argument type documentation
2023-02-08 20:12:27 +00:00
João Valverde
02238edf92 Do not require using wsgcrypt.h
The reason to use wsgcrypt.h was to wrap it around DIAG_OFF()
macros and that should no longer be necessary.
2023-02-06 15:52:10 +00:00
David Perry
9b797e97a2 generate-dissector.py: allow creating plugin
Tweak the script used for creating a new skeleton dissector, to allow it
to create the dissector in `plugins/epan/PROTOSHORTNAME` instead of in
`epan/dissectors`. Handles modifying the appropriate CMake file in the
appropriate way, and generates the plugin's `CMakeLists.txt` if needed.
2023-02-06 14:32:55 +00:00
Guy Harris
b4ef671fba Clean up some man pages.
Consistently speak of "UNIX-compatible systems" when comparing UN*Xes
and Windows, and, the first time we mention "UNIX-compatible systems" in
a section or a list item, enumerate the not-dead-or-moribund ones.
(HP-UX is deemed moribund given that Itanium processors are no longer
being manufactured and HPE are apparently not porting HP-UX to x86-64,
choosing instead to run HP-UX Itanium applications in a compatibility
environment under Linux on x86-64.)

For the -D option, don't bother mentioning ifconfig -a or ip link show,
as there's no reason not to use -D if you want to know what you can
capture on - for one thing, -D may list devices *other* than the network
interfaces listed by ifconfig -a or ip link show. In addition, don't
speak of code testing whether the interface can be opened, as recent
versions of libpcap don't check that, and neither do any of the programs
in the Wireshark release. (This was done so that, if there's an
interface that shows up in the enumeration but that can't be opened,
it'll be offered to the user, and they'll get a message if they try to
capture on it, indicating either that they need to somehow get the
necessary permissions or should report a bug.)

For the -i option, don't mention ifconfig -a or ip link show, as the
user should, again, use -D.

Give more detail when describing files and directories under the global
or personal preferences directory, calling out macOS specially for the
global preferences directory, as it's in the app bundle, and taking into
account that Wireshark might be installed under /usr rather than
/usr/local (for example, if it's installed from a package that's part of
a Linux distribution).

Replace the "Overrides XXX" description of some environment variables
with a more verbose description similar to what's used for other
environment variables.
2023-01-26 22:55:49 -08:00
João Valverde
c66fc43e5b GUI: Ship authors as a Qt resource file
2023-01-20 13:35:03 +00:00
João Valverde
74909f1499 Install PDML files to DOCDIR
Add README because this stuff is somewhat obscure and move XSLT
file to DOCDIR because it is not used by wireshark directly.
2023-01-19 17:08:36 +00:00
João Valverde
06519be205 Install documentation (HTML manuals) to DOCDIR
Install documentation to DOCDIR instead of DATADIR.
The code must be fixed to open the Help URLs from
this new path.

This only affects Unix-like FHS platforms. Windows
installation does its own thing.

Needs testing with macOS packaging.
2023-01-19 01:40:59 +00:00
João Valverde
9e6faf4169 Remove dftest man page
DFTest is a private test utility and isn't installed anywhere.

I don't think it makes sense to maintain a man page. Certainly
doesn't make sense to ship it.

The doc file is understandably minimal so just nuke it.
2023-01-19 00:17:56 +00:00
Gerald Combs
5a9812ab61 AppRun: Set various paths
Set our ld library path and our data, extcap, and plugin directories.
Document WIRESHARK_EXTCAP_DIR and WIRESHARK_PLUGIN_DIR. Note that we
might want to set our various directories relative to the program path.
2023-01-18 20:37:08 +00:00
John Thacker
ffdf332f24 docs: Explain the FT_FRAMENUM use of the strings field
Add a section about FRAMENUM_TYPE to the 'strings' field
section of README.dissector
2023-01-17 09:27:29 +00:00
Michal Ruprich
2a285b75a1 capinfos: Removing RIPEMD160 hashes
When reading a packet capture with capinfos on a system with
FIPS 140-2 enabled, libgcrypt will abort for any non-approved
algorithm. In this case, RIPEMD-160.
2023-01-12 18:07:41 +00:00
João Valverde
25d4a099f7 Remove WS_DISABLE_ASSERT
Assertions can be enabled/disabled using WS_DISABLE_DEBUG. The extra
granularity afforded by WS_DISABLE_ASSERT seems unnecessary.
2023-01-12 00:59:15 +00:00
Jonas Falkevik
3e2c04fe78 editcap: flag to set unused bytes in SLL headers
Unused bytes in the SLL link-layer address can be random bytes,
which makes the duplicate check think the packets are different,
even if the unused bytes were the only difference.

This flag enables editcap to set the unused bytes to zeros to enable
the duplicate check to detect duplicates.
2023-01-04 09:40:03 +00:00