For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There can be no space after pid colon if tid is big enough
in logcat long format.
Change-Id: I8e03e78c88e4bef1a5fdb3a04b77f58fa7d055bc
Reviewed-on: https://code.wireshark.org/review/5411
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
To avoid further duplication of work and bugfixing,
move regex strings to wiretap/logcat_text.h and include
this file in epan/dissectors/packet-logcat-text.c
Change-Id: I82773cda0e3240844139b104c68738ec82788014
Reviewed-on: https://code.wireshark.org/review/5410
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
In L, in line "-- beginning of /<buffer>" the "/" was removed.
This commit accomodates text logcat to that change.
Change-Id: I4cbfadf5a8169589f2848ce1a5793cea593ba459
Reviewed-on: https://code.wireshark.org/review/5405
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
This is needed for Lua File:seek("end").
Change-Id: I28fb23f2f29ca8083c77bf065db8816e039ae5a1
Reviewed-on: https://code.wireshark.org/review/4722
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Michal Labedzki <michal.labedzki@tieto.com>
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Another case where the compiler didn't figure out that the variables
aren't used if they're not set.
Change-Id: I70bfb06c6d86d41a266a087ece971c40cd697ee9
Reviewed-on: https://code.wireshark.org/review/4994
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Also, we don't care how much tagged value data we've read, we just care
whether we've read any or not (EOF reading the first one means "end of
file", EOF reading any of the subsequent ones means "short read").
Change-Id: I2edc54494967b3a88bcc2c79d97eedfded00150d
Reviewed-on: https://code.wireshark.org/review/4993
Reviewed-by: Guy Harris <guy@alum.mit.edu>
To check whether data_rate_or_mcs_index is set, check
saw_data_rate_or_mcs_index; we might see a value of 0 for that field
(it's a valid MCS index), so we can't use it as an out-of-band value
meaning "not set".
Change-Id: I75d7fdb4a90836538c82f56f2afb05c0603278a5
Reviewed-on: https://code.wireshark.org/review/4991
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a number of fields corresponding to components of the radiotap MCS
field, add presence bits for them, and set and dissect the fields
supported by Peek tagged files.
Change-Id: I3fc801a3bc180e1c174d074a794af0f3d338f249
Reviewed-on: https://code.wireshark.org/review/4989
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Use the "MCS index used" extended flag bit to indicate whether the "data
rate or MCS index" field is a data rate or MCS index.
Display the MCS index value if it's present.
(More to come - MCS indices, plus other information, should be used to
calculate the data rate for 11n and beyond.)
Get rid of the hdr_info_t structure while we're at it; just use local
variables for each of the fields.
Change-Id: I546f53a8ebd89078d5f23e1290557b97348aff38
Reviewed-on: https://code.wireshark.org/review/4988
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a set of presence bits, so we can indicate which bits of radio
metadata we do and don't have.
Fill in more radio metadata from capture files, and display it.
(More to come.)
Change-Id: Idea2c05442c74af17c14c4d5a8d8025ab27fbd15
Reviewed-on: https://code.wireshark.org/review/4987
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Useful if we try to provide some "standard" 802.11 metadata header that
can support both radiotap and Peek tagged (and perhaps others).
Change-Id: Ibac9829e3411670a439db7cb77e1694a5641b0a5
Reviewed-on: https://code.wireshark.org/review/4970
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That bug includes a capture and a screendump of OmniPeek's dissection of
the packet in that capture; this lets us identify some tags as the
center frequency of the 802.11 channel and a set of extended flags used
for 802.11n and 802.11ac.
Show some flags from bug 9586, under the assumption that certain fields
in the Peek tagged header correspond to certain fields in the remote
Peek protocol.
Change-Id: I0f3c2e6638d6cf5f6ec470d65bd574171a2d958d
Reviewed-on: https://code.wireshark.org/review/4969
Reviewed-by: Guy Harris <guy@alum.mit.edu>
I don't trust Packet Builder's ability to convert time stamps between
Capsa format and pcap.
Change-Id: I0ac2e14216e37127d81d5bf1c6d48a2c20841a8e
Reviewed-on: https://code.wireshark.org/review/4721
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up a comment and indentation while we're at it.
Change-Id: Ia2b0a3f642849dcd464e04cdca13ff05c2fbe2e6
Reviewed-on: https://code.wireshark.org/review/4717
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Clean up the code to read the block according to that description.
Change-Id: Icb332e293c4b41d91989aa17a7546f298068e908
Reviewed-on: https://code.wireshark.org/review/4716
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Nothing from the SHB gets stored in the interfaces array - it's filled
in from IDBs - so it doesn't need to exist when we read the first SHB,
and thus doesn't need to be freed if the attempt to read the SHB gets an
error or a "this isn't a pcap-ng file" indication.
Update a comment while we're at it.
Change-Id: Ie67edb52dcf13c974607e95e290661bf48be68ae
Reviewed-on: https://code.wireshark.org/review/4711
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The block read routines don't need to return a "bytes read" amount any
more.
Have pcapng_read_block() just return an indication:
PCAPNG_BLOCK_OK - the read succeeded;
PCAPNG_BLOCK_NOT_SHB - the read failed in a fashion that
indicates that we might just not be reading a pcap-ng file;
PCAPNG_BLOCK_ERROR - the read failed in some other fashion
(i.e., we already have concluded that the file is a pcap-ng
file, or we got an I/O error).
In the cases where it needs to know whether it's reading the first block
for an open, have it check the shb_read flag, rather than being passed a
separate Boolean argument.
This means that pcapng_read_section_header_block() should return such an
indication as well.
Make the other block-reading routines return a Boolean success/failure
indication.
Change-Id: Id371457018a008ece9058d6042da44d631e51889
Reviewed-on: https://code.wireshark.org/review/4710
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't check a possibly-byte-swapped length against the minimum SHB size;
it'll probably look huge if it's byte-swapped, so the test won't fail
even if it is too small, and a really huge SHB's length could look too
small if it's byte-swapped.
Do the check *after* we've read the fixed-length portion of the block;
yes, that means we've read past the purported size of the block at that
point, but if that read succeeds, that doesn't matter, and if that read
fails, it just means we'll report "file cut short" rather than "bad SHB
length", *both* of which are problems with the file.
Change-Id: Ie3b5700662f2a6da40d373a84f00a8fc2cf0ce1b
Reviewed-on: https://code.wireshark.org/review/4692
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Recent changes must have made it not do so in some cases, and
our current version of file_tell(), unlike ftell() around which the
older file_tell() was a wrapper, is known to be cheap (ftell() would
make a system call to get the position). Just use file_tell() before
each read.
(Further cleanup is called for.)
Bug: 10568
Change-Id: Ib92057b2b87ec6eb16fd612bc91baeb668d1e1c7
Reviewed-on: https://code.wireshark.org/review/4691
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Check whether the block-type hash table exists before trynig to look
up anything in it.
Change-Id: I0aeb7f6454903bfcbdd0716909a0b72851d87233
Reviewed-on: https://code.wireshark.org/review/4689
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The time stamps aren't known to be right, so don't provide them - that
way, instead of users reading Capsa files and getting the wrong idea
about the time stamps, they'll get no time stamps and have to ask for
our help, at which point we can ask them for *their* help in seeing what
Capsa thinks the time stamps are. (The joys of reverse-engineering.)
Change-Id: I77e12c09f2bc74b50a1b2b226fa6da3e8c0fedf9
Reviewed-on: https://code.wireshark.org/review/4685
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(So why can't GCC or Clang be taught to warn about *all* implicit
shortenings, as MSVC does, not just 64-bit-to-32-bit shortenings?)
Change-Id: I88c0b0aa2f1b306f58952589ff8bcae17bc29768
Reviewed-on: https://code.wireshark.org/review/4676
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(Yes, we should, on platforms with a 32-bit time_t, check to make sure
the time stamp fits and do something if it doesn't. Or we should make
the seconds part of an nstime_t be 64-bit and handle overly-large values
when converting them to year/month/day/hour/minute/second.)
Change-Id: If219534985dce29d00754ff151f6c4b5893080d8
Reviewed-on: https://code.wireshark.org/review/4675
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The time stamp origin is not correct. Capsa's absolute time stamp for
the sample captures from their Web site would be helpful.
Change-Id: I365daf7b42240e33f54df76939254f41ed57a9b2
Reviewed-on: https://code.wireshark.org/review/4671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fetch the count of records from one of the locations where it appears to
be, and, currently, require that it be equal to the count at the other
location where it appears to be; if they ever differ, we'll need the
file in order to reverse-engineer some more.
Fix the way we *write* .rf5 files - it turns out that we were
1) not writing the full file size;
2) not writing the packet count in the right location.
Detect files written by the old code, and get the packet count from the
right location for those files.
Change-Id: I7ce83afbc9dbbd300c81c96ef8f7785a0aeefa7a
Reviewed-on: https://code.wireshark.org/review/4608
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For open_info, use names based on the names in other lists.
Also, in comments, indicate what the three count 'em three tables are
used for, and clean up the type/subtype table.
Change-Id: I7a763119e790d5970f87dff05284f465eebfb7e7
Reviewed-on: https://code.wireshark.org/review/4599
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Version 3's time stamps are all absolute, so we can directly use the
value in the file; we don't need to keep track of the time in the
private data structure, and some compilers issue warnings due to setting
it and then not using the value to which we set it.
Change some names and indentation to match other file versions while
we're at it.
Change-Id: I97698d933b87a8ad58d9e88ceedd75004797df69
Reviewed-on: https://code.wireshark.org/review/4596
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It returns the length of the string it read, so only treat 0 and -1 as
errors. (0 either means "EOF" or "string is zero length", but this is
only in the code that reads numbers, and a number needs at least 1
digit, so both EOF and "zero-length string" mean "this isn't a valid
Peek tagged file".)
Change-Id: Ib83eb2f1e53d912a2138be01480e2b464cf936db
Reviewed-on: https://code.wireshark.org/review/4591
Reviewed-by: Guy Harris <guy@alum.mit.edu>