Commit Graph

89893 Commits

Author SHA1 Message Date
João Valverde e2dff8eb27 Qt: Remove another plugin #ifdef 2023-12-11 16:01:30 +00:00
John Thacker edc7ebfcdb Qt: Don't fill in interfaces if we're just doing a caps query
Move the call to fill_in_local_interfaces to after checking for
an interface capabilities query.

We don't need to retrieve all the local interfaces if we're doing
a capabilities query and then exiting. The interfaces to query
are either specified on the command line, specified in preferences,
or picked as a default (interface "1"), none of which requires
filling in all the local interfaces and querying their capabilities
an additional time.

Part of #15082
2023-12-11 09:41:43 -05:00
John Thacker cc7f348b38 capture: Free capabilities automatically when the hash is destroyed
Use g_hash_table_new_full so that each capability in the hash table
is automatically freed instead of callers having to do so manually.
2023-12-11 09:15:34 -05:00
Martin Mathieson a57069a7ca CIP & PLDM: make some functions static 2023-12-11 13:56:26 +00:00
Martin Mathieson 2936f5c026 E2AP: add support for CCC RAN Function 2023-12-11 12:30:26 +00:00
Martin Mathieson 79d26352f2 GSM-MAP: use common tfs.c true_false_string 2023-12-11 12:29:23 +00:00
Martin Mathieson 66c4987948 RLC Graph: some improvements 2023-12-11 12:15:35 +00:00
Joakim Karlsson 3d5ac61f29 GTPv2: Dissect IE PGW Change Info Extendable 2023-12-11 08:30:02 +01:00
John Thacker 719ca70130 HTTP3: Use BASE_SHOW_ASCII_PRINTABLE for QPACK
The non-Huffman encoded QPACK bytes are added to the tree as
FT_BYTES, and they are expected to be probably printable
ASCII but treated as opaque data if not. That's
BASE_SHOW_ASCII_PRINTABLE, which makes the values a little more
useful in the tree.
2023-12-10 22:32:53 -05:00
John Thacker 88e5ae3d14 HTTP3: Use the Wireshark logging system
Move some of the less useful messages to ws_noisy, the rest to
ws_debug. (A few of the errors could be ws_info, which isn't
displayed by default either.)

Part of #19519
2023-12-10 23:43:10 +00:00
João Valverde 360cb3f40a plugins: Lower a log level
Avoid filling the fuzz test console with this message.
2023-12-10 22:51:27 +00:00
João Valverde 22c27f2dae Qt: Remove an #ifdef for Windows
Instead of pre-failing, allow the delete to fail.
2023-12-10 22:50:53 +00:00
João Valverde e3d23bfad4 Improve paragraph about the GPLv2 in the README
[skip ci]
2023-12-10 21:56:54 +00:00
John Thacker ae170d9b22 Logray: Only retrieve the extcap interfaces
Logray filters the interface list down to the extcap interfaces,
so don't bother spawning dumpcap to retrieve the other interface
types. It's time consuming, and on Windows with NPcap installed
with administrator privileges, means unnecessary UAC prompts.
2023-12-10 14:31:25 -05:00
Gerald Combs ccb8a79bc2 [Automatic update for 2023-12-10]
Update manuf, services enterprise numbers, translations, and other items.
2023-12-10 16:24:43 +00:00
John Thacker 0c9cceebe3 Qt: Cache the capture interface list in Wireshark and Logray
Since global_capture_opts is always already init'ed in
scan_local_interfaces_filtered, call the get_iface_list
callback instead of the generic capture_interface_list there.

Cache the interface list returned from capture_interface_list
and store it in the MainApplication. On subsequent calls
to the capture opts get_iface_list callback, return the cached
list if it exists.

When Refresh Local Interfaces is called (either manually by the
user, or by a notification from iface_monitor), clear the cached
interface list and set it to NULL so that a new capture_interface_list
call will happen.

This prevents multiple privileged dumpcap calls when parsing
multiple interface options, or when retrieving the entire interface
list after having already done so to parse an interface command
line option.

Related to #15082
2023-12-10 13:01:02 +00:00
John Thacker 2e5f5ab645 HTTP3, QUIC: Desegment HTTP3 QPACK Encoder Streams
Return the number of bytes decoded and placed in the tree and
set pinfo->desegment_offset and desegment_len so that the QUIC
dissector can desegment the HTTP3 Encoder stream.

Pass that number of bytes to the nghttp3 decoder so that we don't
end up passing the same bytes twice with reassembly.

Make it so the QUIC data stream desegmenting code puts a link
to the frame the data was reassembled in for segments that begin
an MSP as well in more cases, as the TCP dissector does.
(There are a few more cases TODO to produce results similar to
TCP.)

Fix #19475
2023-12-10 07:36:41 -05:00
Guy Harris 17d479f876 nflog: time stamps are in seconds/microseconds, not seconds/nanoseconds.
See

1. https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html

2. The `nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts))`
   call in net/netfilter/nfnetlink_log.c in the Linux kernel source.

Add support for 16-byte and 12-byte seconds/microseconds time stamp, to
match what we already have for seconds/nanoseconds time stamps, in
`proto_tree_add_item()` etc., and use that.

Fixes #19525.
2023-12-09 12:15:50 -08:00
John Thacker 2e288ae393 HTTP/3: Only decode a QPACK encoder stream on the first pass
Store the QPACK encoder stream state, such as the number of insertions
in the current segment and the total so far, and retrieve it on subsequent
passes. Passing the data to the nghttp3_qpack_decoder on subsequent
dissections creates confusion and inaccurate results.

We don't have to memdup the buffer unless we're actually doing the
decoding.

We can later use this information in order to defragment QPACK
table insertion instructions that are split across QUIC packets.

Related to #19475
2023-12-09 13:10:37 +00:00
Guy Harris f50c46ea8c On *BSD, use a PF_ROUTE socket to get indications of new/removed interfaces.
This was brought up in issue #15950.

It doesn't fix that issue for other platforms such as Windows, Solaris,
and AIX.
2023-12-09 01:05:19 -08:00
John Thacker 7a6338c60c QUIC: Don't desegment and call app handles for 0-length stream segments
Don't bother trying to desegment and calling the subdissector indicated
by the app handle / ALPN for a zero length stream payload segment. It
won't work, and it messes up our methods of determining if desegmentation
is needed.

Revisit this if there ever is a protocol on top of QUIC that must
be called with a zero length payload segment.

Fix #19497
2023-12-08 20:42:14 -05:00
João Valverde 25bce48873 Qt: Fix plugins double-click/show in folder 2023-12-08 20:29:19 +00:00
João Valverde 12234b2064 Qt: Add back "Path" column to Plugins tab
It is still useful for now and not as redundant as I
initially assumed.

Partial revert of 51c6fa874d.
2023-12-08 16:35:56 +00:00
João Valverde bb09bed969 wslua: Add support for SPDX/URL/Description info 2023-12-08 16:35:48 +00:00
John Thacker 4db3e8f3f1 Capture: Check to see if the interface name is a Windows Named Pipe
Named pipes have special names on Windows
( https://learn.microsoft.com/en-us/windows/win32/ipc/pipe-names )
If we're on Windows, and the interface name given has such a name,
assume it is a pipe and don't bother retrieving the interface list.

Dumpcap and rawshark already have identical code for testing if an
interface name is a pipe. Move that into win32-utils and have
capture_opts, dumpcap, and rawshark all use the common function.

Fix #17721
2023-12-08 15:49:05 +00:00
João Valverde 0bcd2b6e6f wslua: Add a scope field to lua plugin description 2023-12-08 15:44:07 +00:00
João Valverde 5f6b5c40f4 plugins: Improve build with !HAVE_PLUGINS
Instead of not compiling plugins.c without HAVE_PLUGINS, we
should disable plugin support in a way that is functionally
the same as if the platform does not support it at runtime.

This reduces the number of ifdefs and allows sharing more utility
code for plugins.
2023-12-08 15:44:07 +00:00
Martin Mathieson 8db858b667 RLC-NR: Further fixes to tapping NACK_SN + ranges 2023-12-08 12:17:45 +00:00
João Valverde 47376298a5 plugins: Remove an assertion 2023-12-08 11:58:48 +00:00
João Valverde b1521550c6 plugins: Give higher priority to the personal folder
In general user customization should take higher priority
over system defaults. Do that here. This allows the user
to replace system plugins without much hassle.

We load the personal plugin folder first and lower the report
for a plugin found in multiple folders to a console log message
with log level "message" (so by default it will be displayed).
2023-12-08 11:47:19 +00:00
David Fort e0acd7ef1e rdp: add dissecting of relative mouse moves
Last MS-RDPBCGR spec contains new messages to send relative mouse moves in fastpath
packets. The patch adds the dissecting of these new messages.
2023-12-08 10:55:53 +00:00
Martin Mathieson bfda80d230 check_typed_item_calls.py: Improve checks around items in bitmask calls 2023-12-08 09:20:02 +00:00
Martin Mathieson 8cda6390de Fix some issues around tapping RLC NR ACKs 2023-12-08 09:18:22 +00:00
Gerald Combs 9a9b2e114f GitLab CI: Make sure we set the ccache size in our fuzz jobs 2023-12-07 18:18:49 -08:00
Haiyun Liu a23e4fa086 Plugins: Fix the issue of duplicate scanning of the same directory
If the global plugins dir is the same as the users plugins dir,
Wireshark will prompt the warning "The plugin 'xxx' was found in
multiple directories".
2023-12-08 01:22:00 +00:00
John Thacker 5e370aa748 assa_r3: Dissect UPSTREAMFIELD_NOTUSED as an unknown type
Space is set aside in an array of hfs for UPSTREAMFIELD_NOTUSED (0),
presumably because that's easier than applying an offset to the
type value. However, an hf is never registered.

On 4.2 and earlier it ends up adding an empty "text only" field to
the tree, because the hfindex is initialized to zero (as a static
array). Since the hfindex 0 no longer corresponds to the text only
field (but means an unregistered field), the bug has been exposed.

There's already a FT_NONE field for an unknown type greater than
the maximum value. Let's use that for this type, which is also
contrary to spec.

Seen in fuzzed data (#19522)
2023-12-08 01:01:46 +00:00
João Valverde a7827322fc plugins: Rename "dfilter" to "dfunction" 2023-12-08 00:45:36 +00:00
João Valverde c76a28fca4 Qt: Add Install Plugin to Tools menu
Add an option to the tools menu to copy a binary plugin file
(a .dll or .so) to the personal plugin folder.

This avoids the user having to create the paths manually and
knowing a lot of relatively unimportant details about where and
how Wireshark loads binary plugins.

It will also try to validate the plugin and do some sanity checks to
ensure the ABI is compatible.
2023-12-07 22:58:33 +00:00
Anders Broman 158e104569 ITS: CAMv2 uses "pld" PathHistory definition.
Add PathHistoryV2 to CPM-PDU-Descriptions for backward compatibility.
Closes #19511
2023-12-07 16:58:48 +00:00
Dr. Lars Völker f5e25421a8 SOME/IP-SD: Adding expert info for StopSub/Sub combination
SOME/IP-SD sends out a StopSubscribe entry followed by a Subscribe
entry, if the previous Subscribe was not answered. This patch adds an
expert info to show that.
2023-12-07 15:44:39 +00:00
John Thacker 18a5b0976a Qt: Fix crash related to new TCP analysis pref
The selected rows the main window returns could be an empty list.
Check for that.

Fix #19521
2023-12-07 13:06:42 +00:00
Guy Harris 6ec6e5b545 Another check for a routine returning an error.
At least currently, it can only fail with "that pcap_t is activated,
this can't be changed", but we're calling it after it's been created
but before it's been activated.
2023-12-07 12:53:35 +00:00
Dr. Lars Völker c512da8b8b SOME/IP-SD: Adding expert info for Offer Service without Endpoints
Offer Service entries are the only entries that need to always reference
1 or 2 endpoints. Show expert info, if this is not the case!
2023-12-07 12:33:35 +00:00
Dr. Lars Völker 5b2533af87 TECMP: Adding support for ILaS data
Adding support for ILaS data.

Thanks to Mr. Hoffmann of Inova for approving the publishing of the code.
2023-12-07 12:32:34 +00:00
Martin Mathieson dd9e07ae6d MAC 3GPP Stats: treat all CRC errors as generic failures 2023-12-07 12:30:19 +00:00
Martin Kaiser 70497ac5f8 check_tfs.py: ignore utf-8 encoding errors 2023-12-07 11:55:21 +00:00
Guy Harris 2971ce995d Check for success of routines called between pcap_create() and pcap_activate().
Report failures of attempts to set various attributes between
pcap_create() and pcap_activate().

Make a routine not called outside capture/capture-pcap-util.c static.
2023-12-07 03:14:10 -08:00
Guy Harris c6e03be53a dumpcap: check whether pcap_stats() succeeds.
But what if it fails?  (Unlikely, but....)
2023-12-07 10:15:52 +00:00
Martin Mathieson e17a22df89 Fix some spelling errors 2023-12-07 09:38:27 +00:00
Chris Brandson 866de7bcde Zigbee display Smart Energy Fast Poll End Time as numeric and string
Thanks to Cole Wu <colewu9712@gmail.com> for the original implementation
2023-12-07 06:33:14 +00:00