59 Commits

Author SHA1 Message Date
Guy Harris eaa4a7022b file-pcapng: redo the way we dissect the data in blocks.
Create a tvbuff that covers the data portion of a block, and use that to
dissect all data in the block, including but not limited to the options.

Catch ReportedBoundsError exceptions and treat them as an indication
that the block length was too short - add an expert info to the block
length item indicating that.

Have separate routines for each block type that dissects the data in
that block type.

While we're at it, check whether the trailing block length is equal to
the header block length and, if not, report an error in the trailing
block length.

Fix the tests to match.
2021-06-04 16:46:40 -07:00
Guy Harris deb6786ed4 file-pcapng: fix name of expert info.
The entry was copied and pasted, and the variable name and descriptive
text were changed, but the field name wasn't.
2021-06-04 14:48:24 -07:00
Guy Harris 2f5c0ffdb2 pcapng: set the length of the options item.
It runs up to either the end of the option data or the terminating
end-of-options option (readers MUST handle lists of options that
contain an end-of-options option and lists of options that don't).
2021-06-01 18:59:29 -07:00
Guy Harris a52ab28013 pcapng dissection: fix dissection of the if_filter IDB option.
Show the first octet of the option, giving the filter type.

Only display the rest of the option as a string if the type is 0,
meaning it's a libpcap-style filter string.

While we're at it, clean up the dissection of the rest of the options:

* do more proto_tree_add_item_ret_XXX to get the option value;
* don't bother constructing a string for the value if we don't have to;
* use proto_tree_add_item_ret_display_string for string values, so we
know they're printable.
2021-03-11 08:31:07 +00:00
Jaap Keuter c657a6f5e7 pcapng: add missing file format interpretation of EPB options
Add the file format interpretations of Enhanced Packet Block options which
are being read by wiretap, but missing from the file format dissector.
2020-12-28 18:21:54 +00:00
Jim Young da8f6e318e file-pcapng - Dissect the Darwin flags option
2020-10-07 09:03:15 +00:00
Anders Broman 2b7975db54 Fix Wpointer-sign warnings.
Change-Id: I69a266bc945441bc9351b97bd1de0af7f9be46a0
Reviewed-on: https://code.wireshark.org/review/37768
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-07-07 12:16:46 +00:00
Anders Broman 6a5dba8b1e file-pcapng: Try to fix -Wpointer-sign warnings.
Change-Id: I66f6e26080926f8bb0a4ac84a42963de61604194
Reviewed-on: https://code.wireshark.org/review/37743
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-07-06 20:40:32 +00:00
Guy Harris e1d9a226a2 Fix the type of arrays of pointers to hf_ values for bitfield routines.
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.

Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.

Also make some of those arrays static while we're at it.

Update documentation and dissector-generator tools.

Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 11:32:26 +00:00
Guy Harris b99a0c95d8 pcapng (dissector): don't assume the endianness doesn't change.
Keep the endianness (as an ENC_ value) in the info structure we use
while dissecting.

When dissecting an SPB, peek ahead at the byte-order magic before
dissecting the block length, to determine the byte order of all fields
in that block *and* all other blocks in that section.  Report an error
and stop dissecting if the byte-order magic isn't valid.

Change-Id: I6d94d4fad10d60f327f4a486e180cdcee2f6be2d
Reviewed-on: https://code.wireshark.org/review/37138
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-05 01:34:24 +00:00
Guy Harris 432cb20707 Fix calculation of fractional part of time stamps.
Do it the same way that wiretap/pcapng.c does it.

Bug: 16440
Change-Id: Ied811e5d10d4219de718f4f74254440b324f0ed1
Reviewed-on: https://code.wireshark.org/review/37132
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 21:49:04 +00:00
David Perry 5b238a6c76 MIME/pcapng: use snap length to get SPB data length
The "Original Packet Length" field of a Simple Packet Block can be
greater than the amount of data actually captured; the Interface
Description Block's snap length must be checked as well.

To enable this in the MIME Files Format dissector, the
`interface_description` needs to store the snap length. This allows the
appropriate section of `dissect_block()` to access it via the `info`
parameter.

The "Captured Length" field from EPB/PB dissection is added to SPB
dissection as a generated field to clarify the difference between it and
the field labelled "Packet Length".

Bug: 16526
Change-Id: I27f2fccc9ed2f682377059931b18d7e42d7ff0a3
Reviewed-on: https://code.wireshark.org/review/37095
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 18:53:36 +00:00
David Perry c143dfa544 MIME/pcapng: reset interface array on new SHB
When reading a new SHB in a pcapng file, reset the array of interface
descriptions to empty. No blocks that follow will be referring to
interfaces from the previous section.

Ping-Bug: 16526
Change-Id: Iaa4257e3392bb829445aab1f79b54334f5db0263
Reviewed-on: https://code.wireshark.org/review/37092
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-04 17:46:50 +00:00
Guy Harris f3ddcb96a3 pcapng: pull the interface ID handling into a single routine.
Have a routine that takes an interface ID as an argument and:

	if it's within range, fetches the interface description and
	returns a pointer to it;

	if it's not within range, adds an expert info and returns NULL;

and have the code to dissect blocks with interface IDs just call it.

Change-Id: I705fe94a9a5fb5a27650465f3c55e0dc1b6fbd23
Reviewed-on: https://code.wireshark.org/review/37090
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 23:03:10 +00:00
Guy Harris 90fdb71bf6 pcapng: show some fields in decimal, not hexadecimal.
The interface ID is just an ordinal; there's no reason to show it as hex
(we don't show it as hex if we're treating a pcapng file as a capture
rather than a file to be dissected).

The packet drops count is just a count, so, again, there's no reason to
show it as hex.

The hash algorithm numbers are given in decimal in the pcapng spec, so
display them as decimal.

Change-Id: I93fd50e7243a5b012bd29324f7116e634aca62af
Reviewed-on: https://code.wireshark.org/review/37072
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 19:26:32 +00:00
Guy Harris 60622e63fd pcapng: fix more interface ID checks.
Fix the check for the Interface Statistics Block as well.

Make the check for the Simple Packet Block similar to the other checks -
at the beginning, set interface_id to 0 and then check interface_id
against the size of the array.

Change-Id: Ib05255fe13eca6292447f365b62ff3094805bd4a
Reviewed-on: https://code.wireshark.org/review/37071
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:46:33 +00:00
Guy Harris 29340f1b33 pcapng: fix test for missing IDB.
*Any* packet block can have an invalid interface ID; that's not just an
error in the first packet block.

For Enhanced Packet Blocks and Packet Blocks, you can have an invalid
interface ID even if you've already seen one or more Interface
Description Blocks; you have to check whether the interface ID is >= the
number of IDBs we've seen.

Change-Id: I33268d224ef3ad928ad9c000027fb6783806b978
Reviewed-on: https://code.wireshark.org/review/37070
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-03 18:12:30 +00:00
David Perry 1a9c5364d1 pcapng: expert info when packet or ISB appear without interfaces
A valid pcapng file must have an IDB before any EPB/SPB/PB/ISB. So check
our interface count when we parse the first such block of a section, and
add expert info if there are no interfaces.

Discovered during work on Bug #16526.

Ping-Bug: 16526
Change-Id: I23ff452fd163a0e4472e0658a905f85ab85d5e9d
Reviewed-on: https://code.wireshark.org/review/36986
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-03 13:12:05 +00:00
Guy Harris faa4399184 pcapng: give a structure member an appropriate name.
An entire pcapng file is dissected as a unit, so there's only one file;
the "file_number" field counts Section Header Blocks, so it's a section
number, not a file number.  Rename it to "section_number".

Change-Id: I3ee477c9aa0ee4cdfa7496935b2be915c31a4644
Reviewed-on: https://code.wireshark.org/review/36977
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-30 01:20:52 +00:00
Guy Harris 0d2e6033ec Add additional checks, clean up some stuff.
Add checks for bad block lengths - either too short or not a multiple of
4.  (Yes, the pcapng spec requires it to be a multiple of 4.  And there
is at least one implementation that requires it.)

For various structures with a length field, create the top-level tree
field for the item with a "run to the end of the packet" length and,
once we're finished dissecting it, set the length to its actual value.

Fetch various field values using proto_tree_item_add_uint.  Fix some
incorrect field types based on errors reported by that.

If an end-of-options option has a non-zero length, 1) don't treat it as
not an end-of-options option and 2) report an error on its length.

Change-Id: I72b2c065f3e3c76d5b71a1cd2ef3c1f497623266
Reviewed-on: https://code.wireshark.org/review/36746
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-04-08 08:52:23 +00:00
Guy Harris 5e77ab8b95 Remove space that snuck in during editing.
Change-Id: Iea196ecb3c236c5257ce57fcff1401a6386c95f9
Reviewed-on: https://code.wireshark.org/review/36601
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:43:06 +00:00
Guy Harris f9cf25f7df Add support for IDB option 15 - if_hardware, for hardware description.
While we're at it, use decimal, rather than hex, for option numbers;
they're given in decimal in the pcapng spec.

And fix a typo.

Change-Id: I2a6e857a29d5bcb6533b8f5aef00711dd57e6df5
Reviewed-on: https://code.wireshark.org/review/36600
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-03-28 02:39:44 +00:00
Guy Harris 20800366dd HTTPS (almost) everywhere.
Change all wireshark.org URLs to use https.

Fix some broken links while we're at it.

Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-07-26 18:44:40 +00:00
Peter Wu 94b211977a Add support for embedding WireGuard keys in a pcapng file
pcapng spec update is here: https://github.com/pcapng/pcapng/pull/62

Bug: 15571
Change-Id: I2f1921b1da70ac0bab8c38dd5138a9dfe7843fea
Reviewed-on: https://code.wireshark.org/review/33300
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-06-17 00:48:29 +00:00
Gerald Combs 8d3ac3af86 epan: Convert our PROTO_ITEM_ macros to inline functions.
Convert our various PROTO_ITEM_ macros to inline functions and document
them.

Change-Id: I070b15d4f70d2189217a177ee8ba2740be36327c
Reviewed-on: https://code.wireshark.org/review/32706
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-04-04 04:03:38 +00:00
Stig Bjørlykke 97cd30d3ca file-pcapng: Fix name for Secrets Length
Change-Id: Ie5ab30f0c667a9068d6aa1c18c519524b7ade140
Reviewed-on: https://code.wireshark.org/review/30737
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2018-11-20 09:28:23 +00:00
Peter Wu 52a6671439 wiretap: add read/write support for Decryption Secrets Block (DSB)
Support reading and writing pcapng files with DSBs. A DSB may occur
multiple times but should appear before packets that need those
decryption secrets (so it cannot be moved to the end like NRB). The TLS
dissector will be updated in the future to make use of these secrets.
pcapng spec update: https://github.com/pcapng/pcapng/pull/54

As DSBs may be interleaved with packets, do not even try to read it in
pcapng_open (as is done for IDBs). Instead process them during the
sequential read, appending them to the 'wtap::dsbs' array.

Writing is more complicated, secrets may initially not be available when
'wtap_dumper' is created. As they may become available in 'wtap::dsbs'
as more packets are read, allow 'wtap_dumper::dsbs_growing' to reference
this array. This saves every user from checking/dumping DSBs.

If the wtap user needs to insert extra DSBs (while preserving existing
DSBs), they can set the 'wtap_dumper::dsbs_initial' field.

The test file was created using a patched editcap (future patch) and
combined using mergecap (which required a change to preserve the DSBs).

Change-Id: I74e4ee3171bd852a89ea0f6fbae9e0f65ed6eda9
Ping-Bug: 15252
Reviewed-on: https://code.wireshark.org/review/30692
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-20 05:12:37 +00:00
AndersBroman b82546af00 file-pcapng.c: Add the names of block types we know about.
Change-Id: I2c4edbac1cda370b0079492c5775330f9553d5a6
Reviewed-on: https://code.wireshark.org/review/29958
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-10-02 14:45:30 +00:00
Dario Lombardo fe219637a6 dissectors: use SPDX identifiers.
Change-Id: I92c94448e6641716d03158a5f332c8b53709423a
Reviewed-on: https://code.wireshark.org/review/25756
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-02-12 16:49:58 +00:00
Guy Harris 32923b94a1 Don't crash if an IDB resolution value is too high.
When dissecting an if_tsresol option in an IDB, calculate the resolution
from the base and the offset.  If the result overflows, mark it as an
overflow; otherwise, mark it with the units for more values than 1
microsecond.  Store the calculated resolution, which we initialize to
the default of 1 microsecond.

When displaying time stamps in blocks, use the calculated resolution,
rather than re-calculating it.  If it's 0, it means the resolution is
too high, so don't calculate it and end up dividing by zero.

Bug: 14402
Change-Id: Idc34ededb4f7250b3604b14d4468c32f6592793f
Reviewed-on: https://code.wireshark.org/review/25673
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-07 22:08:32 +00:00
Jim Young 6d5fcb7378 MIME based pcapng dissector: Fixup apparent copy-and-pasteos.
The MIME based pcapng dissector incorrectly displayed the EPB
Flags option's link layer error bits.

Change-Id: Ia14eec39e2a9c4432e6b3d1c0cee718ad2da1cac
Reviewed-on: https://code.wireshark.org/review/23279
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-08-29 10:44:44 +00:00
Peter Wu d7f2a2b1e0 file-pcapng: fix capture filter dissection
The pcapng spec[1] suggests that the first octet marks the filter type,
but it is not clear whether these other types are implemented. Just skip
over the byte for now.

 [1]: https://github.com/pcapng/pcapng/blob/c0dd7a7391/draft-tuexen-opsawg-pcapng.xml#L1083

Change-Id: I272dac55ea9ca3798e1fea45ce92023f7aa82564
Reviewed-on: https://code.wireshark.org/review/22043
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2017-06-13 15:27:16 +00:00
Stig Bjørlykke 732d54e6e7 pcapng: Align code name and hf name.
Use common name for "Number of Received Packets".

Change-Id: Ib57b142e8fc5c85a03c5622c264ce1d7e113f795
Reviewed-on: https://code.wireshark.org/review/20795
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2017-03-30 09:10:34 +00:00
Jim Young f7724c319e file-pcapng: Undo some unnecessary changes.
In commit 35cf66d8bd four existing
objects were renamed for no good reason.  Restore original names.
Also remove unnecessary Darwin options from packet block options
and remove leftover include.

Change-Id: I9dfa642639af13e73b519438b82b1b2a77546c7c
Reviewed-on: https://code.wireshark.org/review/20171
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jim Young <jim.young.ws@gmail.com>
2017-02-18 23:15:42 +00:00
Guy Harris 19b97fbfb0 Why you only get 16 bytes of process name.
Change-Id: I719706e04668aa50ed0eb6184681943718b67f00
Reviewed-on: https://code.wireshark.org/review/20164
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-02-18 08:42:34 +00:00
Jim Young 35cf66d8bd file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files
This patch augments the MIME based file-pcapng dissector to allow one to
more easily examine pcapng blocks that contain Darwin Process Information.

With this patch one can dissect and inspect, albeit as a MIME object, the
Darwin process information elements contained within an Apple augmented
pcapng file:

$ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng

$ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^    Block:|Darwin .* =' | less

Apple's macOS provides an enhanced tcpdump with a pktap interface option
that supports the collection, display and storing of Darwin process and/or
service class information related to each captured packet. Using Apple's
pktap interface during a live capture the process information may be
revealed using Apple's tcpdump -k [metadata] option.

Apple's tcpdump -k option augments tcpdump's standard report with an
additional parenthesized () set of information inserted after the packet
timestamp. If the capture file actually contains Darwin process
information, Apple's tcpdump -k could include the interface name (or
interface id), process id, process name, process_uuid, service, and/or
direction for each packet depending on the value of the -k's [metadata]
argument provided (if any).

If the Apple tcpdump trace is captured to disk, the Darwin based process
and service information is saved in pcapng format augmented with several
new Enhanced Packet Block options (32779, 32780, 32781) along with a new
block type (0x80000001) called here a Darwin Process Event Block (DPEB).
The Darwin Process Event Block is used in a manner similar to a pcapng
IDB in that it contains process event information that is referenced by
later EPB's via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB
ID (32871). EPBs may also include the Darwin Service Class option (32770)
which includes a numeric value that maps to a mnemonic service class.

A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump
along with the help of its -k option to display the original Darwin Process
Information. Packets collected using Apple's remote virtual interface
(rvictl)[1] from iOS devices can also contain Darwin Process Information.

Note: This is a first step to help determine what will be necessary to
eventually display any available Darwin Process Information within
the Frame tree when an Apple PKTAP enhanced pcapng file is opened
naturally in Wireshark and not as a MIME object.

[1] https://developer.apple.com/library/content/qa/qa1176/_index.html

Ping-Bug: 13096
Ping-Bug: 12587
Change-Id: I180e661dab0b0096a711603b53270105390d05e2
Reviewed-on: https://code.wireshark.org/review/20157
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-02-18 07:13:23 +00:00
Guy Harris 7cd6906056 Rename tvb_new_subset() to tvb_new_subset_length_caplen().
This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains everything
past a certain point, for some number of bytes, in an existing tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).

Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step.  (This also
makes it easier to find the calls that need fixing.)

Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-01-10 06:19:37 +00:00
Michael Mann 0600865a12 file-pcapng.c: Apply parenthesis to fix build warnings
Change-Id: I35d180e7aa040c94ca80a49e7d2132dd76e46aaf
Reviewed-on: https://code.wireshark.org/review/16393
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-07-12 18:30:43 +00:00
Michael Mann 2ab4155794 tvb_get_string_enc + proto_tree_add_item = proto_tree_add_item_ret_string
Also some other tricks to remove unnecessary tvb_get_string_enc calls.

Change-Id: I2f40d9175b6c0bb0b1364b4089bfaa287edf0914
Reviewed-on: https://code.wireshark.org/review/16158
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-06-27 15:20:06 +00:00
Michael Mann 57ef06e242 *_stdup_printf -> strdup for "single string only" formatting.
Done for performance improvements.

This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.

Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2016-06-06 06:03:58 +00:00
Michael Mann 9bcac48403 Manually add protocol dependencies derived from find_dissector.
Started by grepping call_dissector_with_data, call_dissector_only and call_dissector and traced the handles passed into them to a find_dissector within the dissector.  Then replaced find_dissector with find_dissector_add_dependency and added the protocol id from the dissector.
"data" dissector was not considered to be a dependency.

Change-Id: I15d0d77301306587ef8e7af5876e74231816890d
Reviewed-on: https://code.wireshark.org/review/14509
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-20 12:48:48 +00:00
Alexis La Goutte 91613a04db pcapng (dissector): fix 'pcapng.options.option.data.ipv4' exists multiple times with NOT compatible types: FT_IPv6 and FT_IPv4
Change-Id: I9f6e713a50e0c73d0ecc7a66b62dffe270d4a35f
Reviewed-on: https://code.wireshark.org/review/13678
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-02-03 13:03:50 +00:00
Guy Harris bc5a0374bf Add the packet number to the packet_info structure, and use it.
That removes most of the uses of the frame number field in the
frame_data structure.

Change-Id: Ie22e4533e87f8360d7c0a61ca6ffb796cc233f22
Reviewed-on: https://code.wireshark.org/review/13509
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-24 03:41:28 +00:00
Guy Harris 9141bd9700 Add more fields to packet_info structure and use them.
Add fields for the absolute time stamp (and another field for a presence
flag for the absolute time stamp) and the packet encapsulation for the
packet.

This lets us remove the field for the packet encapsulation in the
frame_data structure; do so.

Change-Id: Ifb910a9a192414e2a53086f3f7b97f39ed36aa39
Reviewed-on: https://code.wireshark.org/review/13499
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 03:50:58 +00:00
Guy Harris e406703c5f Fix handling of the byte order magic number.
Just treat it as an array of bytes.  When checking for whether it's a
pcapng file, also determine whether it's big-endian or little-endian.
Note that reading it in *host* byte order will tell you whether it's in
your byte order or byte-swapped; you have to know your byte order to
know whether that means little-endian or big-endian.

Have a #define for the byte-order magic number size, as all byte order
magic number values must be that size, and use that as the size of the
magic-number arrays.

Also use a #define for the SHB block type magic number.

Get rid of a now-unused expert info.  (If the magic number isn't
something we recognize, we don't treat the file as a pcap file, so it
can never be "unknown".)

Change-Id: Ic74cceac17d1490eb70a28f67cb4dbb512e031ac
Reviewed-on: https://code.wireshark.org/review/13494
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 01:15:54 +00:00
Michael Mann 31a54708f4 new_register_dissector -> register_dissector for dissector directory.
Change-Id: Ie39ef054a4a942687bd079f3a4d8c2cc55d5f22c
Reviewed-on: https://code.wireshark.org/review/12485
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-09 12:38:06 +00:00
Guy Harris 91f4e3b73d Have a separate dissector for pcap/pcapng-format packet data.
Put that dissector into its own file, and get handles for it from the
pcap and pcapng file dissectors.  Put the value_string of pcap/pcapng
LINKTYPE_ values there, and have the pcap and pcapng file dissectors
import it.

Expand that table to include all LINKTYPE_ values in the current
libpcap.

Change-Id: I9397035efa5711e8a18a26e056d3b54494fd3148
Reviewed-on: https://code.wireshark.org/review/12000
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-11-21 02:52:57 +00:00
Michal Labedzki fef4714e72 File-format: Add ISO_14443 linktype for PCAP/PCAPNG
Assign numbers for LinkTypes on webpage
http://www.tcpdump.org/linktypes.html were changed, so update
it for file dissector for PCAP/PCAPNG.

Change-Id: Icb52c2a8f19bd056723de155700b83497d5fded4
Reviewed-on: https://code.wireshark.org/review/11983
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
2015-11-20 16:02:43 +00:00
João Valverde 3df2333155 Remaining ADDRESS macro to address function conversions
Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788
Reviewed-on: https://code.wireshark.org/review/11463
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-03 12:20:34 +00:00
Guy Harris 4ba522537a Point to GitHub for the pcapng specification.
Change-Id: I33faa41e8b0f36ee49d29fe391feafd94d0a7e80
Reviewed-on: https://code.wireshark.org/review/10245
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-08-25 01:47:26 +00:00