Commit Graph

30 Commits

Author SHA1 Message Date
Guy Harris 32923b94a1 Don't crash if an IDB resolution value is too high.
When dissecting an if_tsresol option in an IDB, calculate the resolution
from the base and the offset.  If the result overflows, mark it as an
overflow; otherwise, mark it with the units for more values than 1
microsecond.  Store the calculated resolution, which we initialize to
the default of 1 microsecond.

When displaying time stamps in blocks, use the calculated resolution,
rather than re-calculating it.  If it's 0, it means the resolution is
too high, so don't calculate it and end up dividing by zero.

Bug: 14402
Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f
Reviewed-on: https://code.wireshark.org/review/25673
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:08:32 +00:00
Jim Young 6d5fcb7378 MIME based pcapng dissector: Fixup apparent copy-and-pasteos.
The MIME based pcapng dissector incorrectly displayed the EPB
Flags option's link layer error bits.

Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac
Reviewed-on: https://code.wireshark.org/review/23279
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 10:44:44 +00:00
Peter Wu d7f2a2b1e0 file-pcapng: fix capture filter dissection
The pcapng spec[1] suggests that the first octet marks the filter type,
but it is not clear whether other types are implemented. Just skip
over the byte for now.

 [1]: https://github.com/pcapng/pcapng/blob/c0dd7a7391/draft-tuexen-opsawg-pcapng.xml#L1083

Change-Id: I272dac55ea9ca3798e1fea45ce92023f7aa82564
Reviewed-on: https://code.wireshark.org/review/22043
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2017-06-13 15:27:16 +00:00
Stig Bjørlykke 732d54e6e7 pcapng: Align code name and hf name.
Use common name for "Number of Received Packets".

Change-Id: Ib57b142e8fc5c85a03c5622c264ce1d7e113f795
Reviewed-on: https://code.wireshark.org/review/20795
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2017-03-30 09:10:34 +00:00
Jim Young f7724c319e file-pcapng: Undo some unnecessary changes.
In commit 35cf66d8bd four existing
objects were renamed for no good reason.  Restore original names.
Also remove unnecessary Darwin options from packet block options
and remove leftover include.

Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c
Reviewed-on: https://code.wireshark.org/review/20171
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 23:15:42 +00:00
Guy Harris 19b97fbfb0 Why you only get 16 bytes of process name.
Change-Id: I719706e04668aa50ed0eb6184681943718b67f00
Reviewed-on: https://code.wireshark.org/review/20164
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-02-18 08:42:34 +00:00
Jim Young 35cf66d8bd file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files
This patch augments the MIME based file-pcapng dissector to allow one to
more easily examine pcapng blocks that contain Darwin Process Information.

With this patch one can dissect and inspect, albeit as a MIME object, the
Darwin process information elements contained within an Apple augmented
pcapng file:

$ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng

$ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^    Block:|Darwin .* =' | less

Apple's macOS provides an enhanced tcpdump with a pktap interface option
that supports the collection, display and storing of Darwin process and/or
service class information related to each captured packet. Using Apple's
pktap interface during a live capture the process information may be
revealed using Apple's tcpdump -k [metadata] option.

Apple's tcpdump -k option augments tcpdump's standard report with an
additional parenthesized () set of information inserted after the packet
timestamp. If the capture file actually contains Darwin process
information, Apple's tcpdump -k could include the interface name (or
interface id), process id, process name, process_uuid, service, and/or
direction for each packet depending on the value of the -k's [metadata]
argument provided (if any).

If the Apple tcpdump trace is captured to disk, the Darwin based process
and service information is saved in pcapng format augmented with several
new Enhanced Packet Block options (32779, 32780, 32781) along with a new
block type (0x80000001) called here a Darwin Process Event Block (DPEB).
The Darwin Process Event Block is used in a manner similar to a pcapng
IDB in that it contains process event information that is referenced by
later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB
ID (32871). EPBs may also include the Darwin Service Class option (32770)
which includes a numeric value that maps to a mnemonic service class.

A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump
along with the help of its -k option to display the original Darwin Process
Information. Packets collected using Apple's remote virtual interface
(rvictl)[1] from iOS devices can also contain Darwin Process Information.

Note: This is a first step to help determine what will be necessary to
eventually display any available Darwin Process Information within
the Frame tree when an Apple PKTAP enhanced pcapng file is opened
naturally in Wireshark and not as a MIME object.

[1] https://developer.apple.com/library/content/qa/qa1176/_index.html

Ping-Bug: 13096
Ping-Bug: 12587
Change-Id: I180e661dab0b0096a711603b53270105390d05e2
Reviewed-on: https://code.wireshark.org/review/20157
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-18 07:13:23 +00:00
Guy Harris 7cd6906056 Rename tvb_new_subset() to tvb_new_subset_length_caplen().
This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains everything
past a certain point, for some number of bytes, in an existing tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).

Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step.  (This also
makes it easier to find the calls that need fixing.)

Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-01-10 06:19:37 +00:00
Michael Mann 0600865a12 file-pcapng.c: Apply parentheses to fix build warnings
Change-Id: I35d180e7aa040c94ca80a49e7d2132dd76e46aaf
Reviewed-on: https://code.wireshark.org/review/16393
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-07-12 18:30:43 +00:00
Michael Mann 2ab4155794 tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string
Also some other tricks to remove unnecessary tvb_get_string_enc calls.

Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914
Reviewed-on: https://code.wireshark.org/review/16158
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-27 15:20:06 +00:00
Michael Mann 57ef06e242 *_stdup_printf -> strdup for "single string only" formatting.
Done for performance improvements.

This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.

Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2016-06-06 06:03:58 +00:00
Michael Mann 9bcac48403 Manually add protocol dependencies derived from find_dissector.
Started by grepping call_dissector_with_data, call_dissector_only and call_dissector and traced the handles passed into them to a find_dissector within the dissector.  Then replaced find_dissector with find_dissector_add_dependency and added the protocol id from the dissector.
"data" dissector was not considered to be a dependency.

Change-Id: I15d0d77301306587ef8e7af5876e74231816890d
Reviewed-on: https://code.wireshark.org/review/14509
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-20 12:48:48 +00:00
Alexis La Goutte 91613a04db pcapng (dissector): fix 'pcapng.options.option.data.ipv4' exists multiple times with NOT compatible types: FT_IPv6 and FT_IPv4
Change-Id: I9f6e713a50e0c73d0ecc7a66b62dffe270d4a35f
Reviewed-on: https://code.wireshark.org/review/13678
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-02-03 13:03:50 +00:00
Guy Harris bc5a0374bf Add the packet number to the packet_info structure, and use it.
That removes most of the uses of the frame number field in the
frame_data structure.

Change-Id: Ie22e4533e87f8360d7c0a61ca6ffb796cc233f22
Reviewed-on: https://code.wireshark.org/review/13509
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-24 03:41:28 +00:00
Guy Harris 9141bd9700 Add more fields to packet_info structure and use them.
Add fields for the absolute time stamp (and another field for a presence
flag for the absolute time stamp) and the packet encapsulation for the
packet.

This lets us remove the field for the packet encapsulation in the
frame_data structure; do so.

Change-Id: Ifb910a9a192414e2a53086f3f7b97f39ed36aa39
Reviewed-on: https://code.wireshark.org/review/13499
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 03:50:58 +00:00
Guy Harris e406703c5f Fix handling of the byte order magic number.
Just treat it as an array of bytes.  When checking for whether it's a
pcapng file, also determine whether it's big-endian or little-endian.
Note that reading it in *host* byte order will tell you whether it's in
your byte order or byte-swapped; you have to know your byte order to
know whether that means little-endian or big-endian.

Have a #define for the byte-order magic number size, as all byte order
magic number values must be that size, and use that as the size of the
magic-number arrays.

Also use a #define for the SHB block type magic number.

Get rid of a now-unused expert info.  (If the magic number isn't
something we recognize, we don't treat the file as a pcap file, so it
can never be "unknown".)

Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac
Reviewed-on: https://code.wireshark.org/review/13494
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:15:54 +00:00
Michael Mann 31a54708f4 new_register_dissector -> register_dissector for dissector directory.
Change-Id: Ie39ef054a4a942687bd079f3a4d8c2cc55d5f22c
Reviewed-on: https://code.wireshark.org/review/12485
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-09 12:38:06 +00:00
Guy Harris 91f4e3b73d Have a separate dissector for pcap/pcapng-format packet data.
Put that dissector into its own file, and get handles for it from the
pcap and pcapng file dissectors.  Put the value_string of pcap/pcapng
LINKTYPE_ values there, and have the pcap and pcapng file dissectors
import it.

Expand that table to include all LINKTYPE_ values in the current
libpcap.

Change-Id: I9397035efa5711e8a18a26e056d3b54494fd3148
Reviewed-on: https://code.wireshark.org/review/12000
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-11-21 02:52:57 +00:00
Michal Labedzki fef4714e72 File-format: Add ISO_14443 linktype for PCAP/PCAPNG
Assigned numbers for LinkTypes on the webpage
http://www.tcpdump.org/linktypes.html were changed, so update
the file dissector for PCAP/PCAPNG.

Change-Id: Icb52c2a8f19bd056723de155700b83497d5fded4
Reviewed-on: https://code.wireshark.org/review/11983
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
2015-11-20 16:02:43 +00:00
João Valverde 3df2333155 Remaining ADDRESS macro to address function conversions
Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788
Reviewed-on: https://code.wireshark.org/review/11463
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-03 12:20:34 +00:00
Guy Harris 4ba522537a Point to GitHub for the pcapng specification.
Change-Id: I33faa41e8b0f36ee49d29fe391feafd94d0a7e80
Reviewed-on: https://code.wireshark.org/review/10245
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-25 01:47:26 +00:00
Pascal Quantin eeafab579e file-pcapng: always set pinfo->fd->num before calling next layer dissectors/file-pcapng
Also fix an off-by-one error for the EPB case.

Change-Id: I895d82a58ec02c577dcaa67a97d456b42460b947
Reviewed-on: https://code.wireshark.org/review/10149
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-21 08:34:28 +00:00
Pascal Quantin bc8b94d571 file-pcapng: differentiate captured length and reported length when calling next dissector and catch bound errors
Otherwise dissection will fail when analyzing a capture with a snap length set.

Change-Id: If6714364efffdd1fbf88c947743929a71f75c663
Reviewed-on: https://code.wireshark.org/review/10135
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-08-20 11:43:56 +00:00
Pascal Quantin 2046368574 file-pcapng: fix dissection of options in blocks
- fix the loop logic
- flags in EPB include link-layer-dependent errors

Change-Id: Iae0b4869b556abbf3c14f3b865d0f23cee182c84
Reviewed-on: https://code.wireshark.org/review/10132
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-08-20 10:04:13 +00:00
Pascal Quantin d9dd323d4f file-pcapng: remove useless hf_pcapng_timestamp_data entry
Change-Id: I82b2d4e4b0be8179103b827e0d11a0d8b10e1374
Reviewed-on: https://code.wireshark.org/review/10133
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-19 21:00:37 +00:00
Alexis La Goutte 6ed3e080e9 pcapng(file): fix duplicate break
Change-Id: Ife7170c050402ab94d368acc6c233714be764824
Reviewed-on: https://code.wireshark.org/review/10114
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:20:03 +00:00
Guy Harris 4abec47c05 Clean up handling of time stamps.
Use common code for all time stamps, so it's handled the same for the
Packet Block, Enhanced Packet Block, and Interface Statistics Block.

Show the high and low parts of the time stamp as fields; file dissectors
should show the raw file details.  Mark the calculated time stamp as
generated, as it's not the raw file data.

Get the 64-bit time stamp by shifting the high part left 32 bits and
ORing in the low part; no need to play games with unions and byte order.

Change-Id: I19b2c3227a3ca1e93ec653f279136aa18687581f
Reviewed-on: https://code.wireshark.org/review/10116
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 19:17:56 +00:00
Guy Harris ea7cf08368 Cast away 64 -> 32 narrowing complaints.
"secs" in an nstime_t is a time_t; cast the calculated seconds portion
to time_t.

Change-Id: Ieaad4c18bb21384a5781f50eadd3a537b414a369
Reviewed-on: https://code.wireshark.org/review/10113
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-18 18:52:01 +00:00
AndersBroman a3c175a823 Add casts to pacify buildbot.
Change-Id: I8aa4695f1f8dfdfc5bfcd4fb4f36e1b332581d5a
Reviewed-on: https://code.wireshark.org/review/10106
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-08-18 14:50:58 +00:00
Michal Labedzki dd57c6bf38 File-format: Add PCAP and PCAPNG dissectors
They have educational value and can be used to debug some issues.
Now Wireshark can open three files (BTSNOOP, PCAP, PCAPNG)
in two modes: Capture (Traditional) and File-Format.

Change-Id: I833b2464d11864f170923dc989a1925d3d217943
Reviewed-on: https://code.wireshark.org/review/10089
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-08-18 12:52:03 +00:00