Add a dissector table indexed by the file type, and, for the
file-type-specific records, have the frame dissector skip the usual
pseudo-header processing, as the pseudo-header has a file-type-specific
record subtype in it, and call the dissector for that file type's
records.
Change-Id: Ibe97cf6340ffb0dabc08f355891bc346391b91f9
Reviewed-on: https://code.wireshark.org/review/1782
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit c0c480d08c.
A better way to do this is to have the record type be part of struct wtap_pkthdr; that keeps the metadata for the record together and requires fewer API changes. That is in-progress.
Change-Id: Ic558f163a48e2c6d0df7f55e81a35a5e24b53bc6
Reviewed-on: https://code.wireshark.org/review/1741
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This reverts commit 2456b22cd3.
Next step: revert my other change.
Change-Id: I7a2302c527c8a85ce9f37d6e4f68c1e2d0adb741
Reviewed-on: https://code.wireshark.org/review/1740
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This is the first step towards implementing the mechanisms requestd in
bug 8590; currently, we don't return any records other than packet
records from libwiretap, and just ignore non-packet records in the rest
of Wireshark, but this at least gets the ball rolling.
Change-Id: I34a45b54dd361f69fdad1a758d8ca4f42d67d574
Reviewed-on: https://code.wireshark.org/review/1736
Reviewed-by: Guy Harris <guy@alum.mit.edu>
While investigating an ASAN issue (fixed in
commit dcdd076ab0), I got greatly confused
by three different types having the same "interface_data" field name:
* pcapng_t *pn stores an array of interface_data_t objects.
* wtap *wth stores an array of wtapng_if_descr_t objects.
* pcapng_dump_t should store an array of interface_data_t objects.
pcapng_dump_t and friends are unused since
commit c7f1a431d2, so drop it.
To fix the confusion, rename the interface_data_t type to
interface_info_t type and use the local variable "iface_info"
everywhere. Rename interface_data of pcapng_t to "interfaces" and
add a comment what this exactly means (interfaces listed in the capture
file).
Drop the number_of_interfaces field for interfaces as the array
length is already available from GArray. Now interface_data is always
initialized for wth (which also gets copied to idb).
s/int/guint/g and replace cast at some places.
There are no regressions for the in-tree test suite.
Change-Id: I2d5985c9f1e43f8230dbb4a73bd1e243c4858170
Reviewed-on: https://code.wireshark.org/review/1656
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 1abeb277f5.
This isn't building, and looks as if it requires significant work to fix.
Change-Id: I622b1bb243e353e874883a302ab419532b7601f2
Reviewed-on: https://code.wireshark.org/review/1568
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Start of refactoring Wiretap and breaking structures down into "generally useful fields for dissection" and "capture specific". Since this in intended as a "base" for Wiretap and Filetap, the "wft" prefix is used for "common" functionality.
The "architectural" changes can be found in cfile.h, wtap.h, wtap-int.h and (new file) wftap-int.h. Most of the other (painstaking) changes were really just the result of compiling those new architecture changes.
bug:9607
Change-Id: Ife858a61760d7a8a03be073546c0e7e582cab2ae
Reviewed-on: https://code.wireshark.org/review/1485
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add an FT_STRINGZPAD type, for null-padded strings (typically
fixed-length fields, where the string can be up to the length of the
field, and is null-padded if it's shorter than that), and use it. Use
IS_FT_STRING() in more cases, so that less code needs to know what types
are string types.
Add a tvb_get_stringzpad() routine, which gets null-padded strings.
Currently, it does the same thing that tvb_get_string_enc() does, but
that might change if we don't store string values as null-terminated
strings.
Change-Id: I46f56e130de8f419a19b56ded914e24cc7518a66
Reviewed-on: https://code.wireshark.org/review/1082
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Since tshark.c was using strdup, perror, and g_main_quit, changes to
the file won't pass checkAPIs; so this commit replaces those with
the approved functions; except strdup, which was unecessary.
Change-Id: I031aa44594f2b96960a45f48537ab4e9a10d34b1
Reviewed-on: https://code.wireshark.org/review/898
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When the '-Y' display filter option is given with a '-2', and a '-w' to write out
the packets, tshark grabs *all* dependent frames in the catprue file, even those
that weren't dependents of a matching packet. Note that this also uses the '-2'
two-pass option, since only two-pass mode writes out dependent frames to begin with.
Change-Id: I17726447bec434ba2566e98fb78893d1331e3056
Reviewed-on: https://code.wireshark.org/review/866
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
This fixes part-1 of bug9931: the uninitialized use of a wtap_pkthdr
struct. The second part of the bug deals with dissectors calling
the Ethernet dissector for ecnapsulated Ethernet packets but using
the wrong dissector handle to do so. That's unrelated to the issue this
commit addresses, so I'm splitting them up.
Change-Id: I87be7b736f82dd74d8c261062f88143372b5344c
Reviewed-on: https://code.wireshark.org/review/848
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There's a relatively new feature in 1.11.3 to select a specific file format
reader, instead of relying on magics or heuristics. If you select a file
reader and open a file, open it, and then click the reload-file button or go
to View->Reload or press the ctrl-R keymap, the file is reloaded but using the
magic/heuristics again instead of the file format reader you previously chose.
Likewise, the Lua relaod() function has the same issue (which is how I found
this problem).
I have tested this change by hand, using a Lua script, but I didn't add it
to the testsuite because I need another change for my test script to work
correctly. (an enhancement rather than a bug fix, which I'll submit separately)
Change-Id: I48c2d9ea443e37fd9d41be43d6b6cd5a866d5b01
Reviewed-on: https://code.wireshark.org/review/764
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Now that we have the ability to choose input file format type
in the GUI, we might as well have it in the command-line too.
Plus it would help me in test-stuies if we had a commandline.
So I've added a '-X read_format:Foo' for this. Using just
'-X read_format:', or with a bad name, will make it print out
the full list (in tshark); just like the '-F' does for output
file formats.
Note: I am *not* putting in code for Win32 GUI,
because I can't compile that and I wouldn't have even
done the GTK one if I could compile Qt originally. (I don't think we need
to add any more features to GTK or Win32, just Qt from now on,
right?)
Change-Id: I2fe6481d186f63bd2303b9e591edf397a2e14b64
Reviewed-on: https://code.wireshark.org/review/493
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The best heuristic can fail, so add possibility to manually choose
capture file format type, so not correctly recognize file format can be
loaded in Wireshark.
On the other side now it is possible to open capture file
as file format to be dissected.
Change-Id: I5a9f662b32ff7e042f753a92eaaa86c6e41f400a
Reviewed-on: https://code.wireshark.org/review/16
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Just as "tshark ... -P -w xxx" writes raw packets to xxx *and* writes
text packet summaries to the standard output, and just as "tshark ...
-V -w xxx" writes raw packets to xxx *and* writes text packet details to
the standard output, so should "tshark ... -T fff -w xxx" write raw
packets to xxx *and* write whatever "-T fff" (and any "-e" options)
specifies to the standard output.
Change-Id: I28ab3a4d48531f297533ec4dfb3742031eb69885
Reviewed-on: https://code.wireshark.org/review/278
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We were using cf->buf in some places and a local variable buf in others;
consistenly use the local variable.
Have a local variable for the struct wtap_pkthdr while we're at it; with
some work we may be able to get rid of the struct wtap_pkthdr and the
Buffer in the capture_file structure.
Change-Id: I4762e22e11ef576be6bf9015450d1a270dd3d16b
Reviewed-on: https://code.wireshark.org/review/178
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rename "SVNPATH" to "GITBRANCH" since that seems more appropriate.
Rename "svnversion.h" to "version.h" as Evan suggested. Update some
URLs. In make-version.pl, make sure we don't set an improper upstream
branch name. Use the number of commits + short hash from `git describe`
for package names by default.
Change-Id: I922bba8d83eabdf49284a119f55b4076bc469b96
Reviewed-on: https://code.wireshark.org/review/139
Reviewed-by: Gerald Combs <gerald@wireshark.org>
willing to read or that's bigger than will fit in the file format;
instead, report an error.
For the "I can't write a packet of that type in that file type" error,
report the file type in question.
svn path=/trunk/; revision=54882
declares the functions must be included, in order to make sure the
declarations match the function signature. Make it so.
Said header declares pipe_input_cb_t, so we don't have to do it
ourselves.
svn path=/trunk/; revision=54750
the code to scan for them uses those routines.
This means epan_init() no longer takes those routines as arguments -
which is just as well, given that the mechanism in question is no longer
part of libwireshark, but is part of libwsutil.
This should fix bug 9508.
svn path=/trunk/; revision=53796
knowledge of particular types of plugins. Instead, let particular types
of plugins register with the common plugin code, giving a name and a
routine to recognize that type of plugin.
In particular applications, only process the relevant plugin types.
Add a Makefile.common to the codecs directory.
svn path=/trunk/; revision=53710
header type fails, as we might be capturing on more than one interface.
Report the failing interface name in single quotes in some places where
we weren't doing so, for stylistic consistency.
svn path=/trunk/; revision=53593
subtypes, e.g. Network Monitor version 1 and Network Monitor version 2
are separate "file types", even though they both come from Network
Monitor.
Rename various functions, #defines, and variables appropriately.
svn path=/trunk/; revision=53166
In the process, fix various man page descriptions of the -t flag,
and add support for UTC absolute times in the iousers and iostat TShark
taps.
svn path=/trunk/; revision=53114
Add tshark -G column-formats report and document the missing ftypes, heuristic-decodes and plugins reports.
From me: Sort the reports. Add modelines to epan/column.c. Minor whitespace changes.
svn path=/trunk/; revision=52627
After calling wtap_close(), set the wth to NULL so we don't try to close it
again later. (The core only happens when tshark isn't keeping up with dumpcap's
file rotation.)
Wireshark still has a problem but it's a different one.
svn path=/trunk/; revision=52493
thing as the display filter (-Y) in that case except with more confusing
semantics.
This also lets us fix -c in the single-pass case to unconditionally count
packets. This isn't the old behaviour (which counted them only if they passed
the read filter) but is more consistent with two-pass mode where they are
counted even if they pass the display filter, since they are counted on the
first pass and the display filter is applied on the second pass.
Anyone who wants to use -c to limit packet count conditionally on them passing a
filter should use it in tandem with -2 and -R: the read filter is applied on the
first pass before the count.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9048
svn path=/trunk/; revision=51556
The limits are enforced during the first pass, and frames that get dropped from
the first pass for this reason aren't available to the second pass at all, so
checking again is redundant.
svn path=/trunk/; revision=51460
Make epan_free a no-op if the pointer is NULL. This fixes 99% of the cases
causing problems for wmem_leave_file_scope() - remove that XXX comment and add
back the assertion.
Remove the cleanup_dissection call from epan_cleanup, it doesn't make sense
there. init_dissection is only called from epan_new, so cleanup_dissection
should only be called from epan_free.
Add one missing epan_free call to tshark revealed by the above changes.
svn path=/trunk/; revision=51342
Bill Meier