Commit Graph

89397 Commits

Author SHA1 Message Date
John Thacker afdbc17b96 capinfos: Fix count of IP address and decryption secrets
When opening a file offline, pcapng will read initial non packet
blocks in order to try to find the first interface, to try to
support conversion to file types that only support one link layer type
and need to know it to set in the initial header.
(0d2a2d3777)

This means that initial NRBs and DSBs can already be processed
when the ipv4 and secrets callbacks are added. Wiretap ensures
that the callbacks are called for any NRBs (c65d5a0a80)
and DSBs (e8f9ac3352) that have
already been read when the callbacks are added. So far so good.

However, this means that capinfos needs to zero out the counters
*before* adding the callbacks, not afterwards.
2023-11-01 21:08:17 -04:00
Guy Harris a3fd4fd25b pcapng: convert FCS lengths between bytes and bits.
The FCS length in a pcapng IDB is in bits, but the length in an EPB is
in bytes; convert the latter to bits.

The FCS length in the Ethernet pseudo-header is in bytes; convert the
length-in-bits to a length-in-bytes before using it to set the FCS
length in the pseudo-header.

While we're at it, note, in a comment, that we convert the length in
pcap files, which is in units of 16 bits, to bits.

Fixes #19174.
2023-11-01 17:06:32 -07:00
João Valverde c9d41e2641 Revert "sttype-op(dfilter): fix Dead initialization"
This reverts commit acdee88430.

The use of a default switch statement prevents useful compiler
diagnostics, unlike the Clang Analyzer warning it purports to
fix.
2023-11-02 00:00:13 +00:00
João Valverde b40931cd17 dfilter: Print function argument types for constants
Print the function argument type if it is not a register.

Use square brackets with DFVM_STACK_POP to make clear
the argument is a count intrinsic to the instruction, not a
numeric field value.

Example:

    Filter:
     min(2, _ws.ftypes.int32, 1000)

    Instructions:
     0000 STACK_PUSH       2 <FT_INT32>
     0001 READ_TREE        _ws.ftypes.int32 <FT_INT32> -> R1
     0002 STACK_PUSH       R1
     0003 STACK_PUSH       1000 <FT_INT32>
     0004 CALL_FUNCTION    min(2 <FT_INT32>, R1, 1000 <FT_INT32>) <***> -> R0
     0005 STACK_POP        [3]
     0006 IF_FALSE_GOTO    8
     0007 NOT_ALL_ZERO     R0
     0008 RETURN
2023-11-01 23:18:46 +00:00
Guy Harris 27e8c8ebde FindPCAP: mystery solved!
Explain why __builtin_available() doesn't help with the problem in

[skip ci]
2023-11-01 15:55:57 -07:00
Guy Harris af91d78a54 macos-setup: don't build GLib tests, to work around a bug.
Somebody closed the bug, and may have been the person who claimed it was
"some issue in a broken build system that did not auto-create the
missing header file", but if Meson+Ninja doesn't handle it, either it's
a problem with their Meson configuration, a problem with Meson, or a
problem with Ninja, so either they should fix it or they should report
the problem with the Meson or Ninja maintainers.

Maybe I'll look into why it's failing, and report the bug and perhaps
fix to some Directly Responsible Developers, at some point, but I have
other things on my plate, and another comment in that bug said disabling
the test build was sufficient, so....

[skip ci]
2023-11-01 15:35:31 -07:00
Jason Tang ec001766f6 WSLua DissectorTable GUID Support 2023-11-01 22:01:15 +00:00
Gerald Combs 14a934fb22 GitLab CI: More rules updates
Tighten up some of our rules and note what triggers each condition.
2023-11-01 21:13:19 +00:00
Guy Harris e9c7326d9c macos-setup: update to zstd 1.5.5. [skip ci]
It has a number of performance improvements and, even more important...

...it appears to let our settings for the minimum version to which code
can be deployed on macOS (and for the SDK to use) pass through to the
entire build process, unlike 1.4.5, which somehow seems to have
prevented that, which is why #19405 kept popping up.

Thanks to @tuexen for finding out that 1.5.5 seemed to finally get a
build of the libzstd library that doesn't use Exciting New Run-Time
Linker Features that aren't supported by the run-time linker on older
versions of macOS for which we support Wireshark.
2023-11-01 20:38:54 +00:00
Gerald Combs 1b634a3a8b GitLab CI: Print more CI variables and update job rules
Try to avoid running jobs in cherry-pick branches.
2023-11-01 20:36:04 +00:00
Sergio de Paula 9be8dc83ad RF4CE: Improving dissector heuristic
Use a more restrictive heuristic for RF4CE
2023-11-01 16:23:14 +00:00
Joakim Karlsson e50ffe7cb1 ICMPv6: Add Option 21 PvD ID 2023-11-01 16:20:48 +00:00
Gerald Combs 53876ae73b GitLab CI: Show a commit log when we have multiple commits 2023-11-01 15:44:54 +00:00
Anders Broman 7733526e0a ENIP/CIP-I/O: Use CIP-I/O as protocol name for CIP-I/O
closes #19430
2023-11-01 15:18:53 +00:00
John Thacker 3173400167 addr_resolv: Remove confusing "only use profile hosts" preference
Once upon a time, Wireshark could use GNU ADNS instead of c-ares
for asynchronous DNS lookups. GNU ADNS didn't check the system
hosts file (see 51984de040), so
we added the system hosts file using the same mechanism as profile
paths when using ADNS.

This was then confusing, because "use external DNS resolver / use
system DNS resolving" could be off but /etc/hosts was still used,
so the "only use profile hosts" option was created to avoid using
external system DNS hostnames at all.

c-ares (and, for that matter, libunbound) does read /etc/hosts, so
this option doesn't do its primary purpose anymore.  All it usually
does now is keep any hosts file in the global profile from being used,
but we don't have any other name resolution options where there's a
pref not to use global profile data.

Even more confusingly, if the option is true, then the -H option
to tshark to give a hosts file on the command line doesn't work.
add_hosts_file checks the preference and then doesn't actually
read the file from the command line, which is surely never wanted.

Most people don't understand what the option means, despite the
tooltip, and assume that it means "only use the hosts file as a
source of name resolution data", not "when using hosts files as
a source of name resolution data, only use the one from the personal
profile and not any from the global profile, the tshark command line,
or any other source."

Just mark the option as obsolete.

Related to #11470
2023-11-01 14:57:25 +00:00
Anders Broman 7ac827fd74 LAPD: Set address AT_STRINGZ
By setting the address the VoIP call flow graph shows the direction of
the signal in the flow.
closes #19445
2023-11-01 14:28:46 +00:00
Alexis La Goutte f051e97906 Fix Dead initialization found by Clang Analyzer 2023-11-01 13:47:52 +00:00
Alexis La Goutte acdee88430 sttype-op(dfilter): fix Dead initialization 2023-11-01 13:47:52 +00:00
Gerald Combs fa99fe81cc GitLab CI: Add plumbing for merge request feedback
Install the GitLab CLI in the Commit Check job and add warnings.
2023-11-01 12:44:20 +00:00
Jaap Keuter 4cf6568b2e Qt: fix handling display filter dialog TFS NULL value 2023-11-01 11:24:01 +00:00
Pascal Quantin 347fa8a8a1 tshark: fix memory leak when printing an IPv4 address 2023-11-01 10:27:35 +00:00
John Thacker de43cc7eee WSUG: Mention the at operator and field references
Describe the at operator and field references, taking some
information from the wireshark-filter man page and expanding some.

Create some cross-references between saved filters, filter buttons,
display filter macros, and field references, because they're all
useful to use with each other.

Fix #17594
2023-11-01 10:15:37 +00:00
Dr. Lars Völker 276fb25e61 ISOBUS: Remove incomplete warning and cleanup
- Adding reserved for incomplete dissections
- more consistent formatting
- adding sorting to make-isobus.py in case csv are not sorted in future
- adding macros to packet-isobus-parameters.h
2023-11-01 09:54:40 +00:00
Pascal Quantin 0ee04d759f GTP: add dissection of RIM Routing Address IE
Closes #19202
2023-11-01 10:10:42 +01:00
John Thacker 4d71744d84 uat: Small comment update about update callbacks
Note that one permissible way to have the update_cb actually
change a record, not just validate it, is if the same changes
are made by the copy_cb (e.g. by having the copy_cb call the
update_cb on the newly created record.) Some UATs do this.

[skip ci]
2023-10-31 20:04:05 -04:00
John Thacker 1484169815 prefs: GUI preferences don't affect dissection
The GUI preferences don't affect dissection in general and shouldn't
require a costly redissection.

We used to have a PREF_EFFECT_GUI, but it seems that nothing needed
to check it because any changes were noticed in other ways, so it
was removed. (d95213afb0) Bring it
back, because the Lua set_preference assumes that *some* effect
flag is returned when a preference is changed.

We have to set this separately for each submodule too, because
the effect flags are reset to PREF_EFFECT_DISSECTION regardless
of the parent module. The changes to columns, fonts, and colors
are also handled separately without special effect flags; the
layout submodule does have its own effect flag.

Fix #17629
2023-10-31 21:29:11 +00:00
Gerhard Gappmeier 3b09f561f2 opcua: add more comments 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 308336a05d opcua: add sanity check in keylog parser 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 9f17196a9d opcua: add lost sig_len parsing due to rebasing 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 2e835dc2c2 opcua: add encrypted capture file with embedded keys 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier df8b016ea8 opcua: make strtok_r compatible with MSVC 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 3c9e7bc58b opcua: implement loading keylog file from pcapng embedded DSB 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 36e7c60c50 epan: export secrets_register_type to be useable in plugins. 2023-10-31 21:26:47 +00:00
Gerhard Gappmeier 8f3fc34a0c editcap: add new SECRETS_TYPE_OPCUA
This allows embedding the OPC UA keylog file into the pcapng file.
2023-10-31 21:26:47 +00:00
Huang Qiangxiong ca8594cc55 JSON: Shorten the name of JSON in INFO column 2023-10-31 21:24:10 +00:00
David Perry 5789bc7977 Use C99 instead of GLib types in doc+docbook
Ran `tools/convert-glib-types.py` over the files in `doc/` and
`docbook/`, then manually checked/massaged/reverted results as
appropriate.

One small step towards addressing #19116
2023-10-31 21:22:03 +00:00
David Perry 47b310da47 GTP, GTPv2: use wmem_maps instead of GHashTables
Use `wmem_map_t`s (with `wmem_file_scope()`) instead of `GHashTable`s in
`packet-gtp.c` and `packet-gtpv2.c`. This stops us from mixing wmem and
GLib memory allocations in these dissectors.
2023-10-31 21:14:47 +00:00
Gerald Combs 5f3ed0670e QUIC: Add a null check
Fix

```
*** CID 1548363:  Null pointer dereferences  (FORWARD_NULL)
/builds/wireshark/wireshark/epan/dissectors/packet-quic.c: 4051 in dissect_quic_long_header()
4045                 } else {
4046                     /* The client [may] know that the server supports greasing the
4047                      * QUIC bit, and perhaps will do so. (We can't really test if
4048                      * this token came less than 7 days ago from a server that
4049                      * supports it, so we'll assume it might be to be safe.)
4050                      */
>>>     CID 1548363:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "conn".
4051                     conn->server_grease_quic_bit = true;
4052                 }
4053                 offset += (guint)token_length;
4054             }
4055         }
```
2023-10-31 20:31:52 +00:00
Stig Bjørlykke 7fc8ed84d8 Qt: Unmark field when not found in a Byte View
Remove the byte highlighting when selecting a field which is not
found in a Byte View (does not belong to a tvb).
2023-10-31 20:16:15 +00:00
David Perry d1f81f131e Alias my old email address in mailmap 2023-10-31 12:39:11 -04:00
Martin Mathieson e9b8349c14 ORAN FH CUS: Fix up ext 6 handling 2023-10-31 15:43:40 +00:00
John Thacker 6affa937f3 epan: Fix display filter macro post update
The UAT update_cb can *only* be used to validate an entry in ways
that cannot be determined by checking the UAT fields individually.
The update_cb is called on the copy of the record that is placed in
the UAT's user_data, not on the records that are in raw_data. When
the UAT is saved, the records in user_data are destroyed, and valid
records (as determined by running update_cb before) from raw_data
are newly copied into user_data. This *doesn't* cause the update_cb
to be run again, since the records were validated before. For this
reason, the update_cb should probably take a const void* not a void*.

This meant that Display Filter Macros were not parsed into their
parts and argument positions when the UAT was subsequently saved,
only on first load.

The only callback that is guaranteed to run whenever the data has
changed is the post_update_cb. Assign one, and call the former
macro_update (renamed and with slightly different signature; note that
it always returned true and never had an error before) on all the
macros then.

The comment about macros_init() adding a separate post_update_cb has not
been valid ever since GTK+ Wireshark went away, as QT Wireshark never
added that. The post_update_cb placed by the GTK+ macros_init was designed
to avoid a crash that is now avoided in Qt Wireshark by registering the
UAT with the UAT_AFFECTS_FIELDS flag (see a3806fc69b)

Fix #11946
2023-10-31 15:34:20 +00:00
Guerber a913c2a334 Apply 1 suggestion(s) to 1 file(s) 2023-10-31 15:23:22 +00:00
Jaap Keuter 8eceea5315 Apply 3 suggestion(s) to 1 file(s) 2023-10-31 15:23:22 +00:00
Christophe Guerber e240a45454 RTP ED137 Improve dissection with req/rsp and text in info column
Associate Request for Measurement Message (RMM) to its Measurement Answer Message (MAM) using request/response as in ICMP dissector.
Compute response time for RMM and determine dynamic delay measurement using Annex F formulas: using request/response association, we now know both time qualities.
Put additional features information in the info column for easier readability, especially New Measurement Request.
Removed unused field DDC unknown.
Added expert info: no response to RMM, RSSI index not compliant.
2023-10-31 15:23:22 +00:00
Gerald Combs 5d7a0c149a NSIS: Make a bunch of sections hidden / mandatory
Hide many of our installation sections from the components page, which
installs them unconditionally. This brings the NSIS installer behavior in
line with the Debian and RPM installers and simplifies the installer UI.

Leave the extcaps individually selectable for now.
2023-10-31 15:17:41 +00:00
Vasil Velichkov 2dc3887a3b INAP: Fix dissection of local code in ExtensionField
Previously when a message contains an Extension Field with a local
code the operation name corresponding to this local code was added to
the Info column. This is incorrect as extensions local codes are not
operations.

This change is similar to how Extension Field is handled in the CAMEL
protocol.
2023-10-31 15:15:31 +00:00
João Valverde 9b62ec029e dfilter: Fix slices with byte references
Before:

    Filter:
     frame[:2] == $@frame[:2]

    Error: Range is not supported for entity @frame <FT_BYTES>
      frame[:2] == $@frame[:2]
                   ^~~~~~~
After:

    Filter:
     frame[:2] == $@frame[:2]

    Instructions:
     0000 READ_TREE        frame            -> R0
     0001 IF_FALSE_GOTO    7
     0002 SLICE            R0[0:2]          -> R1
     0003 READ_REFERENCE   ${@frame}        -> R2
     0004 IF_FALSE_GOTO    7
     0005 SLICE            R2[0:2]          -> R3
     0006 ANY_EQ           R1 == R3
     0007 RETURN
2023-10-31 14:54:19 +00:00
Dr. Lars Völker 1dd58a0559 ISOBUS: change to value_string_ext for faster lookup 2023-10-31 14:42:31 +00:00
Dr. Lars Völker 0256c588a7 UDS: change to value_string_ext for faster lookup 2023-10-31 14:37:00 +00:00