Update the images and text to match the current main and display filter
toolbars.
Change-Id: I4d23a3ece35c3b9186b4fff170f6c391f4d157c9
Reviewed-on: https://code.wireshark.org/review/29234
Reviewed-by: Gerald Combs <gerald@wireshark.org>
The Internals menu items were moved under the View menu a while back.
Fix an internals dialog title.
Change-Id: I78d61bf4f52bf9eb86cf7ff59fc036b9f7e846f5
Reviewed-on: https://code.wireshark.org/review/29228
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Make sure each tool's help target is generated by and depends on its
generating executable.
Change-Id: I716c0db23b297e2d2692b72a47259c40aa0c52fa
Reviewed-on: https://code.wireshark.org/review/28780
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Hide the Compare option, reorder the chapters to match the current Qt
order and move the Wireless menu to a new chapter.
Change-Id: I7f0eeb45f4894f66a9c91d62d7d43db775f469e5
Reviewed-on: https://code.wireshark.org/review/28761
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Currently out-of-order segments will result in cutting a stream into
two pieces while the out-of-order segment itself is ignored. For
example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with
"C" ignored. This behavior breaks TLS decryption or prevents application
layer PDUs (such as HTTP requests/responses) from being reconstructed.
To fix this, buffer segments when a gap is detected.
The proposed approach extends the "multi-segment PDU" (MSP) mechanism
which is normally used for linking multiple, sequential TCP segments
into a single PDU. When a gap is detected between segments, it is
assumed that the segments within this gap are out-of-order and will be
received (or retransmitted) later.
The current implementation has a limitation though: if multiple gaps
exist, then the subdissector will only be called when all gaps are
filled (the subdissector will receive segments later than necessary).
For example with "ACEBD", "ABC" can already be processed after "B" is
received (with "E" still buffered), but due to how MSPs are extended, it
must receive "D" too before it reassembles "ABCDE". In practice this
could mean that the request/response times between HTTP requests and
responses are slightly off, but at least the stream is correct now.
(These limitations are documented in the User's Guide.)
As the feature fails at least the 802.11 decryption test where packets
are missing (instead of OoO), hide this feature behind a preference.
Tested with captures containing out-of-order TCP segments from the
linked bug reports, comparing the effect of toggling the preference on
the summary output of tshark, the verbose output (-V) and the two-pass
output (-2 or -2V). Captures marked with "ok" just needed "simple"
out-of-order handling. Captures marked with "ok2" additionally required
the reassembly API change to set the correct reassembled length.
This change does "regress" on bug 10289 though when the preference is
enabled as retransmitted single-segment PDUs are now passed to
subdissectors. I added a TODO comment for this unrelated cosmetic issue.
Bug: 3389 # capture 2907 (HTTP) ok
Bug: 4727 # capture 4590 (HTTP) ok
Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok
Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok
Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok
Bug: 13754 # capture 15593 (MySQL) ok2
Bug: 14649 # capture 16305 (WebSocket) ok
Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56
Reviewed-on: https://code.wireshark.org/review/27943
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
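The two arrival orders from the commit message ("ABDCE" and "ACEBD"), run through a small model of the old "cut and ignore" behaviour and the new gap-buffering MSP behaviour. This is an added example to illustrate the message, not Wireshark's own reassembly code; segment letters, sequence numbers and the "drop retransmissions" simplification are constructed for the demonstration.

```python
"""Model of Wireshark's TCP out-of-order handling before and after the gap
buffering change (added example, not Wireshark code). Each letter is a
one-byte segment whose seq number is its position in the stream; the input
string gives the constructed arrival order, e.g. 'ABDCE'."""


def segments(arrival_order):
    """Yield (seq, data) pairs in arrival order."""
    return ((ord(ch) - ord("A"), ch) for ch in arrival_order)


def reassemble_old(arrival_order):
    """Pre-change: a gap starts a new piece, the late segment is dropped."""
    pieces, cur, expected = [], "", 0
    for seq, data in segments(arrival_order):
        if seq == expected:            # in order: extend the current piece
            cur += data
            expected += 1
        elif seq > expected:           # gap: cut the stream here
            if cur:
                pieces.append(cur)
            cur, expected = data, seq + 1
        # seq < expected: the out-of-order segment is simply ignored
    if cur:
        pieces.append(cur)
    return pieces


def reassemble_new(arrival_order):
    """Post-change (preference enabled): a gap opens a multi-segment PDU
    (MSP) that buffers data until every gap up to the MSP end is filled.
    Returns (arrival number, data) pairs as handed to the subdissector;
    retransmissions (seq < expected) are dropped as a simplification."""
    delivered, buf, expected, msp_end = [], {}, 0, None
    for n, (seq, data) in enumerate(segments(arrival_order), start=1):
        if seq < expected:
            continue
        buf[seq] = data
        if seq > expected or msp_end is not None:
            # gap detected or MSP already open: extend it to this segment
            msp_end = seq + 1 if msp_end is None else max(msp_end, seq + 1)
        if msp_end is None:            # plain in-order segment
            delivered.append((n, buf.pop(seq)))
            expected += 1
        elif all(s in buf for s in range(expected, msp_end)):
            pdu = "".join(buf.pop(s) for s in range(expected, msp_end))
            delivered.append((n, pdu))
            expected, msp_end = msp_end, None
    return delivered
```

For "ACEBD" the model delivers "BCDE" only on the fifth arrival, which is the documented limitation: "BC" could have been handed over when "B" arrived, but the MSP already extends to "E".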
With MATE being an integral part of Wireshark for a long time now and its
documentation being part of the Wiki for a while it is time to move it
into the Wireshark Users Guide.
All credits go to Luis Ontanon for creating MATE and the Wiki pages,
the various contributors to those pages and especially Pavel Sindelka for
the creation of the graphics.
This change merely incorporates the contents of the Wiki pages into an
asciidoc file for processing into documentation output. It is in no way a
claim to knowledge of or deep insight in the workings of MATE on my part.
Change-Id: Id9c60fd3ba4a52aafb988370ea7d658907970ccd
Reviewed-on: https://code.wireshark.org/review/27894
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add back the capture info dialog. Draw sparklines for each protocol.
Update the User's Guide.
Bug: 12004
Change-Id: I45be8a0df4752255831a8b139ee84bb34d675ba9
Reviewed-on: https://code.wireshark.org/review/27565
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add missing section on display filter functions to WSUG and make it
consistent with the wireshark-filter(4) manual. "count" was added in
Wireshark 1.12 (bug 9480). "len" was added in Wireshark 1.6.x.
"size" (added in 1.8.x) is not documented since it works like "len",
except that it is not limited to strings and byte arrays. I think that
"len" should be extended to other types while removing "size".
Change-Id: I2c8e2b4a11f007de7852a797bed971af86840b47
Reviewed-on: https://code.wireshark.org/review/27146
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.
To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.
Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens. For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.
An unhandled edge case is "1....2" which is parsed as "1 .. .. 2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.
Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Allow "tcp.srcport in {1662 1663 1664}" to be abbreviated to
"tcp.srcport in {1662 .. 1664}". The range operator is supported for any
field value which supports the "<=" and "=>" operators and thus works
for integers, IP addresses, etc.
The naive mapping "tcp.srcport >= 1662 and tcp.srcport <= 1664" is not
used because it does not have the intended effect with fields that have
multiple occurrences (e.g. tcp.port). Each condition could be satisfied
by another value. Therefore a new DVFM instruction (ANY_IN_RANGE) is
added to test the range condition against each individual field value.
Bug: 14180
Change-Id: I53c2d0f9bc9d4f0ffaabde9a83442122965c95f7
Reviewed-on: https://code.wireshark.org/review/26945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
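A model of the range membership semantics described in the two commits above: the "field in {lo .. hi}" syntax (with or without spaces around "..") and why a per-occurrence ANY_IN_RANGE check differs from the naive ">= and <=" mapping on multi-occurrence fields such as tcp.port. Added example, not Wireshark's dfilter code; the packet representation (a dict of field name to list of occurrences), the regex and the sample packet values are constructed.

```python
"""Range membership for display filters, as in the two commits above (added
example modelling the semantics; not Wireshark's dfilter code). A packet is
a dict from field name to the list of all occurrences of that field, e.g.
tcp.port -> [srcport, dstport] (constructed)."""
import ipaddress
import re

# 'field in {lo .. hi}'; whitespace around '..' is optional ('4430..4434')
RANGE_RE = re.compile(r"^(\S+)\s+in\s+\{\s*(\S+?)\s*\.\.\s*(\S+?)\s*\}$")


def parse_value(text):
    """Integers stay ints; anything else is treated as an IP address."""
    return int(text) if text.isdigit() else ipaddress.ip_address(text)


def parse_range_filter(expr):
    """Return (field, lo, hi) or raise ValueError on a syntax error."""
    m = RANGE_RE.match(expr)
    if not m:
        raise ValueError("not a range filter: %r" % expr)
    return m.group(1), parse_value(m.group(2)), parse_value(m.group(3))


def naive_range(packet, expr):
    """The rejected mapping 'f >= lo and f <= hi': each comparison is
    satisfied by *some* occurrence, so two different values can match."""
    field, lo, hi = parse_range_filter(expr)
    values = packet.get(field, [])
    return any(v >= lo for v in values) and any(v <= hi for v in values)


def any_in_range(packet, expr):
    """ANY_IN_RANGE: one and the same occurrence must lie within [lo, hi]."""
    field, lo, hi = parse_range_filter(expr)
    return any(lo <= v <= hi for v in packet.get(field, []))


# Constructed packet: 10.0.0.7:5000 -> 192.0.2.1:80
PACKET = {
    "tcp.srcport": [5000],
    "tcp.port": [5000, 80],
    "ip.addr": [ipaddress.ip_address("10.0.0.7"),
                ipaddress.ip_address("192.0.2.1")],
}
if __name__ == "__main__":
    for expr in ("tcp.port in {1662 .. 1664}", "tcp.srcport in {4430..5000}",
                 "ip.addr in {10.0.0.100 .. 10.0.0.255}"):
        print(expr, naive_range(PACKET, expr), any_in_range(PACKET, expr))
```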
Update some cross references which were renamed in 1cd92c4961. Fixup
some capitalization while we're here.
Change-Id: Iae3227839cd34a52662a4b973c0f87e7e5a765cc
Reviewed-on: https://code.wireshark.org/review/26655
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Add duplicate ACK ticks to Statistics → TCP Stream Graphs → Time
Sequence (tcptrace), which I missed when porting from GTK+. Add zero
window crosses while we're here.
Switch TCPStreamDialog to a subclass of GeometryStateDialog.
Add a slot and URL for the Help button and a stub entry in the User's
Guide.
Bug: 12009
Change-Id: Idf2ddb9eb33d924d65998285b5cffc234156497c
Reviewed-on: https://code.wireshark.org/review/26592
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
MaxMind is discontinuing its legacy databases in April in favor of
GeoIP2, which uses a newer database format (MaxMind DB). The reference C
library (libmaxminddb) is available under the Apache 2.0 license which
isn't quite compatible with ours.
Add mmdbresolve, a utility that reads IPv4 and IPv6 addresses on stdin
and prints resolved information on stdout. Place it under a liberal
license (MIT) so that we can keep libmaxminddb at arm's length. Add
epan/maxmind_db.[ch], which spawns mmdbresolve and communicates with it
via stdio.
Migrate the preferences and documentation to MaxMindDB.
Change the IPv4 and IPv6 asnum fields to FT_UINT32s. Change the
geographic coordinate fields to FT_DOUBLEs.
Bug: 10658
Change-Id: I24aeed637bea1b41d173270bda413af230f4425f
Reviewed-on: https://code.wireshark.org/review/26214
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Remove the endpoint map and its button from the Qt and GTK+ UIs. It
depends on GeoIP Legacy for coordinate information and those databases
are being deprecated in favor of MaxMind DB. We *could* upgrade the code
to use mmdbresolve, but according to
https://dev.maxmind.com/geoip/geoip2/geolite2/ they're also going to
remove coordinate information from GeoLite2:
"In addition, in 2019, latitude and longitude coordinates in the
GeoLite2 databases will be removed.* Latitude and longitude coordinates
will continue to be provided in GeoIP2 databases. Please check back for
updates."
Change-Id: I43e1593d282a0f1aae897b1f4724117d1496b21e
Reviewed-on: https://code.wireshark.org/review/26229
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Switch from AsciiDoc's smart quotes markup to the quotes themselves,
along with apostrophes.
Change-Id: I78930d6902e2691b6a2cb35ed5bae6fef4bb7257
Reviewed-on: https://code.wireshark.org/review/26108
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Add "QA engineers use it to verify network applications",
as suggested by Alexander Sashnov.
Change-Id: Ia9c83fd2f2610db747043f861931470e3f4e4c53
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/26057
Reviewed-by: Michael Mann <mmann78@netscape.net>
Use "or" instead of a comma for alternate keyboard shortcuts.
Change-Id: I3f2abf63b4c437ca0fe439d91dfac44e24d9d8e5
Reviewed-on: https://code.wireshark.org/review/25624
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Convert some passthrough XML comments left over from the DocBook →
AsciiDoc conversion to AsciiDoc / Asciidoctor comments.
Change-Id: Iaf44bcf0b8a3a383e735b2b4394722cbbb2bdff3
Reviewed-on: https://code.wireshark.org/review/25615
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Switch from AsciiDoc's smart quotes markup to the quotes themselves. Use
double curly quotes in place of singles.
Switch from XML entities to their direct equivalents where we can.
Switch from hex entities to decimal entities where we can't or it's not
convenient. (Asciidoctor PDF doesn't yet handle hex entities).
Change-Id: Iaf5ec33249e1c91b3d50b5d96251763243b72836
Reviewed-on: https://code.wireshark.org/review/25606
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Start using markup that is preferred by Asciidoctor but compatible with
both generators.
Add a missing "cpp" attribute and set a couple of Asciidoctor-specific
compatibility attributes.
Change-Id: Iff4c31362e4493b97a85f46db2c39b18c336536f
Reviewed-on: https://code.wireshark.org/review/25600
Reviewed-by: Gerald Combs <gerald@wireshark.org>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put different types of plugins (libwiretap, libwireshark) in different
subdirectories, give libwiretap and libwireshark init routines that
load the plugins, and have them scan the appropriate subdirectories
so that we don't even *try* to, for example, load libwireshark plugins
in programs that only use libwiretap.
Compiled plugins are stored in subfolders of the plugin folders, with
the subfolder name being the Wireshark minor version number (X.Y). There is
another hierarchical level for each Wireshark library (libwireshark, libwscodecs
and libwiretap).
The folder names are respectively plugins/X.Y/{epan,codecs,wiretap}.
Currently we only distribute "epan" (libwireshark) plugins.
Change-Id: I3438787a6f45820d64ba4ca91cbe3c8864708acb
Reviewed-on: https://code.wireshark.org/review/23983
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Add links to the online man page for each tool. Make sure tshark
generates pre-commit-compatible output on Linux.
Change-Id: I00d2973475f27460065bc8a65471abef152ded33
Reviewed-on: https://code.wireshark.org/review/23754
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a CMake target that dumps the help output for our command line tools
to individual files. Include those files in the tools appendix instead
of pasting them in manually.
Fixup the output of some tools so that they pass the pre-commit checks.
Change-Id: I925f24818422a190927a96531c21f4d16d3fe5b5
Reviewed-on: https://code.wireshark.org/review/23737
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Relax requirements for upgrades and make running side-by-side installations
more convenient.
Change-Id: I5299eed005a4748c54465dec90f477adb577e056
Reviewed-on: https://code.wireshark.org/review/23619
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Installing machine code to XDG_CONFIG_HOME is problematic.
Use ~/.local/lib/wireshark/plugins instead.
XDG_CONFIG_HOME should be architecture independent. This allows copying the
configuration between different architectures safely.
Reference: https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
Change-Id: I1b18f64aab4dd351d611cfbea3b9333f23c98bfa
Reviewed-on: https://code.wireshark.org/review/23498
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Wireshark patch releases (X.Y.Z) are binary compatible so reflect
that in the plugin installation path.
By installing to $pkglibdir/plugins/X.Y out-of-tree plugins don't
need to be reinstalled with every patch release.
Change-Id: I9d1728e6fb12bcb51d2a723af22c750cb7a966cf
Reviewed-on: https://code.wireshark.org/review/23497
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>