snprintf(), sensibly, takes a size_t argument specifying the size of the
buffer. g_snprintf(), bogusly, takes a gulong argument specifying the
size of the buffer, so we had to do casts to avoid narrowing complaints,
but we're just using snprintf() now (as we require C11 or later), and
don't need the casts any more.
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix#19080
On Linux, look for an error message of "socket: Address family not
supported by protocol"; if we see it, that's EAFNOTSUP, which means
either that 1) your kernel doesn't have PF_PACKET support configured in
or 2) this is a Flatpak package of Wireshark that's "helpfully" been
sandboxed. Display a secondary error message indicating one of those is
likely the problem; mention the Flatpak one first, as that's more likely
than the second (if you can still configure PF_PACKET sockets out, it's
not the default, so it's unlikely to be the case).
See issue #19008.
Expand the set of CAP_DEVICE_OPEN_ errors and warnings to include
specific errors for many of the errors and warnings libpcap returns.
(This doesn't include the errors that would definitely either be
Wireshark or libpcap bugs, such as PCAP_ERROR_NOT_ACTIVATED and
PCAP_ERROR_ACTIVATED.)
Don't give "make sure you have the right permissions" secondary error
messages if we know that the error isn't a permissions error.
For the PCAP_ERROR_ codes that we handle individually, don't bother with
the pcap_statustostr() string, as it would duplicate the error message
we're providing.
For the PCAP_ERROR_ codes we *don't* handle individually, give both the
pcap_statustostr() string and the pcap_geterr() string, to give the user
as much information as possible (even if that's just so that they can
give *us* as much information as possible to figure out what the problem
is).
This should remove the "how to support packet capturing on Debian"
message for "sorry, we don't support PF_PACKET sockets" error that shows
up if either 1) your kernel doesn't have PF_PACKET support configured in
or 2) this is a Flatpak package of Wireshark that's "helpfully" been
sandboxed. See issue #19008.
This makes it explicit in the log that the program aborted
because of a logging system exception, usually configured by
the user (fatal log level or domain).
If AddressSanitizer is enabled, we build dumpcap with it, which
can be useful for catching issues - at least when run standalone.
Disable it when running in capture child mode, and ensure that the
sanitizers don't change dumpcap's exit code, since capture/capture_sync
uses the exitcode value and doesn't expect the sanitizer values.
Also disable LSan if prctl(PR_GET_DUMPABLE) is 2 on Linux, since
that means that the process will fail to run LSan and die with a
fatal error in the attempt due to not being able to ptrace. It
cannot be disabled through the normal method of using environment
variables since not being dumpable also means that /proc/self/environ
isn't readable. (LSan is able to deal with a dumpable value of 0,
temporarily setting it to 1, but not 2, because it's not allowed to
set it back to 2, due to CVE-2006-2451.)
Fix#18907
Reduce the default update interval for dumpcap to notify its parent
of new packets (or to check if we've met file duration, etc.) from
500 ms to 100 ms, and put in the capture options.
This makes the GUI appear to update more in real time rather than
in visible batches of packets.
This also reduces the amount of ring buffer space needed in cases
where we're doing dissection, and dissection is able to keep up,
but the files can be deleted before tshark gets to them because of
the notification lag. (See #1650.)
Commit e921b804d0 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
Instead of creating a temp file, unlinking it, and creating a fifo with
the same name, add create_tempdir() so that we can create a temporary
directory and create a fifo inside that.
This should avoid a race condition in Carbon Black Cloud antivirus,
which if the timing is right, will stat the initial temporary *file*,
miss the fact that it's been replaced with a *fifo*, and open and steal
data^W^W read from it, leaving dumpcap to contend with the truncated
remains.
Adding the unexpected magic number to cap_pipe_open_live()'s error
message helped to debug this. Leave it in since it's handy to have in
that case.
Ping #15587
The Sysdig Event dissector handles BLOCK_TYPE_SYSDIG_EVENT_V2 and
BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE blocks. Add them to dumpcap's packet
count so that we don't get a "No packets captured." error.
g_file_open_tmp() does not set name_used unless the temp file
is successfully created (cf. to our old hand written library
pre commit 2925fb0850). Initialize it so that g_free doesn't
free a random memory location in that case, and don't use it
otherwise after failure. Fix#17828.
Add docs/diagnostic-options.adoc, which is a snippet that documents our
various --log-* options. Include it in the dumpcap, rawshark, and tshark
man pages.
Make the ws_log_print_usage output more consistent.
Currently used to define ssize_t on platforms that lack it.
Fix some Windows build errors caused by moving the definition into a
separate header.
Fix some narrowing warnings on Windows x64 from changing the definition
of ssize_t from long int to int64_t.
The casts in dumpcap are ugly but necessary. The whole code needs
to be rewritten for portability, or the warnings disabled.
Fix the dumpcap log handler to not pass debug messages as error messages
to parent process. Otherwise it is impossible to use dumpcap in debug
mode as a child process. Dumpcap will be in debug mode if it inherits
the environment variable WIRESHARK_LOG_LEVEL set to "debug" (or
"noisy") from the parent process.
Fixes dc7f0b88bb.
Fixes#17764.
Extcaps require a log file when invoked in child mode. It also has
a specific flag to enable debugging, other that the wslog options.
Fix the logging to:
1. Enable debug log level if --debug is used.
2. Do not emit messages to the stderr if debug is enabled.
This brings extcap logging to the same feature level it had before
wslog replaced GLib logging.
The issue in question is Npcap issue 250, for which work is being
considered in Npcap issue 506; this is all apparently due to Windows
tearing down and reassembling the networking stack in various sitations.
See @jtippet's comments in Npcap issue 250.
We just tell users that this is a known problem, work is being done on
it, so there's no need to report it.
We need to update global_ld.inpkts_to_sync_pipe as soon as we've written
a packet to the current capture file. If we're writing to multiple
files, then, if we delay counting until after we switch to another file,
the packet-count message we send to the parent before switching won't
include the packet, and the first packet-count message we send to the
parent *after* switching *will* include the packet, which could mean the
parent will try to read more packets than there are in the new file, in
which case it'll get an EOF and, at least in the case of TShark, treat
that as an error and stop capturing.
This should fix issue #17654.
While we're at it, don't send a "we have no packets" packet-count
message even for the packet-count message we send just before switching
files.
Besides the obvious limitation of being unavailable on Windows,
the standard is vague about getopt() and getopt_long() has many
non-portable pitfalls and buggy implementations, that increase
the maintainance cost a lot. Also the GNU libc code currently
in the tree is not suited for embedding and is unmaintainable.
Own maintainership for getopt_long() and use the musl implementation
everywhere. This way we don't need to worry if optreset is available,
or if the $OPERATING_SYSTEM version behaves in subtly different ways.
The API is under the Wireshark namespace to avoid conflicts with
system headers.
Side-note, the Mingw-w64 9.0 getopt_long() implementation is buggy
with opterr and known to crash. In my experience it's a headache to
use the embedded getopt implementation if the system provides one.
This is used to select ringbuffer savefile name template. Choose one of two
savefile name templates:
If value is 1, make running file number part before start time part; this is
the original and default behaviour (e.g. log_00001_20210828164426.pcap).
If value is greater than 1, make start time part before running number part
(e.g. log_20210828164426_00001.pcap).
The latter makes alphabetical sortig order equal to creation time order, and
keeps related multiple file sets in same directory close to each other (e.g.
while browsing in wireshark "Open file" dialog).
Signed-off-by: Juha Takala <juha.takala+rauta@iki.fi>
When dumpcap is running as a capture child in passthrough mode, the
SP_FILE message should not be sent until after the source SHB is passed
through to the capture file. Fixes a race condition where the capture
parent attempts to read an SHB from the capture file, following the
SP_FILE message, but the file is empty. Closes#17013.
1) Consistently say "capture device"; not all capture devices are
"interfaces" in the sense of "network interfaces' ("any" means "all
network interfaces", and capturing may be supported on a USB bus or on
D-Bus or....)
2) Use double quotes to quote the device specifier (it probably won't
have spaces in its name, but...).
3) Make sure that there's a space between "capture device" and the
quoted device name.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
Version info is an aspect of UI implementation so move it to
a more appropriate place, such as ui/. This also helps declutter
the top-level.
A static library is appropriate to encapsulate the dependencies
as private and it is better supported by CMake than object libraries.
Also version_info.h should not be installed as a public header.
Functions clock_gettime() and timespec_get() cover all the platforms
we support with sub-second resolution in a a portable manner. Fallback
to using time().
Pass a struct timespec to the log writer callback for maximum
flexibility.
Instead of receiving the program name from GLib, pass it explicitly
to ws_log_init() instead and use that to initialize the GLib program
name.
ws_log_parse_args() will now exit the program when it encounters an
argument error if exit_failure >= 0.
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.
Guy Harris