Commit Graph

373 Commits

Author SHA1 Message Date
John Thacker 0e93070745 follow: Add function for sub stream id to registration
When dissectors register for Follow Stream, have them register a
function for finding the next valid sub stream id for a given
stream and substream id pair. This function is NULL if the dissector
does not use sub stream IDs.

Use this function in follow_stream_dialog to update the sub stream
id widget (and use the absence of the function to disable and hide
the widget.) Use this function in the CLI tap-follow to determine
whether to parse a sub stream id from the command line options.

This removes the dependencies on epan/dissectors from the Qt
follow_stream_dialog, and gets us closer to having dissectors
being able to register for Follow Stream without having to update
anything in the common source code.
2023-01-05 05:04:33 +00:00
João Valverde 9ab1f35641 Move print_hex_data_buffer() to wsutil
Move this generic function to wsutil so it can be used
by other libraries.
2022-10-08 12:39:04 +01:00
Guy Harris 8195bdd340 Rename a bunch of things with "conversation".
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint.  Distinguish between
conversations and endpoints.
2022-08-25 20:02:20 -07:00
Guy Harris d9e662bc54 Rename some functions and types for endpoint tables.
The "conversation table" mechanism supports two types of tables, one for
the "Conversations" menu item under "Statistics" and one for the
"Endpoints" menu item under "Statistics".  The first of them shows
statistics for conversations at various layers of the networking stack;
the second of them shows statistics for endpoints at various layers of
the networking stack.

The latter is *not* a table of hosts; an endpoint might be a host,
identified by an address at some network level (MAC, IP, etc.), or it
might be a port on a host, identified by an address/port pair.

Some data types, function names, etc. use "host" or "hostlist" or other
terms that imply that an endpoint is a host; change them to speak of
endpoints rather than hosts, using names similar to the corresponding
functions for conversations.

Provide wrapper functions and typedefs for backwards source and binary
compatibility; mark them as deprecated in favor of the new names.

Clean up some comment errors found in the process.
2022-08-23 09:55:14 +00:00
João Valverde 0615ba6317 ftypes: Make accessor functions type safe 2022-06-20 17:29:57 +00:00
Roland Knall 2cf938cfa8 tap: Adding flags for tap_packet
This allows flags to be passed by the registering listener
to the collection of information
2022-06-10 05:46:15 +00:00
John Thacker 485aedf4e1 tap-iostat: Make a bunch of ints unsigned
Almost all the ints in tap-iostat are loop counters, numbers of columns
or rows, durations, lengths, widths, or magnitudes, all things that are
inherently unsigned. Make them unsigned.

This has the incidental effect of fixing an odd alloc-size-larger-than
error with gcc 12.1, which is afraid that if borderlen is signed that
g_malloc will somehow be called with value -1 (18446744071562067969):

Fix #18089
2022-05-24 20:27:04 -04:00
Moshe Kaplan 69d54d6f8e Corrects repeated words throughout the code.
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.
2021-12-22 11:01:11 +00:00
João Valverde 0ccd69e530 Replace g_strdup_printf() with ws_strdup_printf()
Use macros from inttypes.h.
2021-12-19 21:21:58 +00:00
João Valverde fe5248717f Replace g_snprintf() with snprintf()
Use macros from inttypes.h with format strings.
2021-12-19 20:06:13 +00:00
John Thacker f888074def cli: Cleanup rtspstat tap output format
Actually output the packet count for RTSP response status codes,
and align the columns between requests and response. (This CLI-only
stat is largely redundant with rtsp,tree but it might as well work.)
2021-12-10 14:15:29 +00:00
John Thacker 51134bca8d RTSP: Fix segfault of cli tap with no filter set 2021-12-09 05:37:59 +00:00
John Thacker 8938b83961 cli: Clean up httpstat tap output format
Actually output the packet count for HTTP response status codes,
and align the columns between requests and response. (This CLI-only
stat is largely redundant with http,tree but it might as well work.)
2021-12-08 00:46:48 +00:00
John Thacker 34f3a902f8 cli: Make CAMEL SRT stats filter work
The filter needs to be set after memsetting the struct to 0.
Also fix a length being off by one so that the filter doesn't
include the comma.
2021-12-06 03:52:49 +00:00
Moshe Kaplan 3953ddcf57 Add UI header files to Doxygen
Add @file markers for UI
header files so that Doxygen will
generate documentation for them.
2021-11-30 08:01:36 -05:00
João Valverde 504de90a3c wsutil: Split format_size() enum
Use an enum to select units and a bit flag for the other options,
currently only prefix type.
2021-11-29 22:13:32 +00:00
Gerald Combs 6ee1390b86 Qt: Make Lua dialogs children of the main window.
Pass the funnel operations ID to new_text_window and new_dialog so that
we can assign parent widgets when we create new FunnelTextDialogs and
FunnelStringDialog. This should ensure that they're destroyed properly.
Ping #17590.
2021-11-15 20:03:16 +00:00
John Thacker cc91fd51ff cli: stats_tree: Make syntax consistent with other -z options
The statistics that use the stats_tree API parse the -z option
without expecting a comma separator between the statistics name
and the filter. This is contrary to both the man pages and how
all the other options work. Fix that so it's consistent.
Fix #17656
2021-10-15 04:22:23 +00:00
Martin Mathieson a156d7d05d Fix some spelling errors. 2021-09-28 09:50:58 +00:00
João Valverde 8df2a73594 Use the musl in-tree getopt_long() everywhere
Besides the obvious limitation of being unavailable on Windows,
the standard is vague about getopt() and getopt_long() has many
non-portable pitfalls and buggy implementations, that increase
the maintenance cost a lot. Also the GNU libc code currently
in the tree is not suited for embedding and is unmaintainable.

Own maintainership for getopt_long() and use the musl implementation
everywhere. This way we don't need to worry if optreset is available,
or if the $OPERATING_SYSTEM version behaves in subtly different ways.

The API is under the Wireshark namespace to avoid conflicts with
system headers.

Side-note, the Mingw-w64 9.0 getopt_long() implementation is buggy
with opterr and known to crash. In my experience it's a headache to
use the embedded getopt implementation if the system provides one.
2021-09-17 00:43:54 +01:00
Nardi Ivan 3cb302f05b HTTP2, QUIC: fix "Follow Stream"
"Follow Stream" functionality assumes that all data in a single packet
belongs to the same stream. That is not true for HTTP2 and QUIC, where
we end up having data from unrelated streams.

Filter out the unwanted data directly in the protocol dissector code with
a custom `tap_handler` (as TCP already does).

Close #16093
2021-09-13 15:13:10 +00:00
Uli Heilmeier 4e7d10eea1 Credentials Tap: Fix wmem scope for init call
When calling credentials_init() for a tshark live capture we're in the
epan wmem scope.

Fixes: wireshark/wireshark#17576
2021-09-08 20:07:01 +00:00
João Valverde 396d560744 wsutil: Revert some changes to format_size()
Revert change to format_size() added in
f509a83381. This commit broke formatting
with spaces and introduced some dead code.

Also replace unnecessary call to format_size_wmem() and remove
unnecessary casts (since our warning settings were fixed in the
mean time).
2021-07-11 14:39:13 +00:00
Stig Bjørlykke 553e9e83d2 Lua: Add redissect_packets()
Add Lua function redissect_packets() to redissect packets in live
capture. The use case is to reload packets after a preference change.
2021-06-21 09:52:46 +02:00
João Valverde 0e50979b3f Replace g_assert() with ws_assert() 2021-06-19 01:23:31 +00:00
João Valverde ff9acff6f2 Replace usage of GLogLevel flags everywhere
ws_log_domains.h needs to be included before wslog.h to be used
to define WS_LOG_DOMAIN. Also the definition for enum ws_log_level
needs to be exported for other APIs so move that to ws_log_domains.h
and rename the file to ws_log_defs.h to reflect the new scope.
2021-06-17 12:00:10 +01:00
João Valverde 39df3ae3c0 Replace g_log() calls with ws_log() 2021-06-16 12:50:27 +00:00
Stig Bjørlykke 5dbaa8d3b2 wsutil: Add filesystem write_file_binary_mode()
Add a generic function to write content to file. Use this to write
TLS session keys from UI and tshark, and for export objects.

Remove the now unused export_object_ui.[ch].
2021-06-07 06:24:28 +00:00
Gerald Combs 54546f228a Follow stream: Print YAML time more portably.
The secs member of nstime_t is a time_t, which is difficult to print in
a way that's compatible across platforms. Convert our time to floating
point and print that value instead. Fixes

../ui/cli/tap-follow.c:304:63: error: format specifies type 'unsigned long long' but the argument has type 'time_t' (aka 'long') [-Werror,-Wformat]
      printf("    timestamp: %" G_GINT64_MODIFIER "u.%09d\n", follow_record->abs_ts.secs, follow_record->abs_ts.nsecs);
                             ~~~~~~~~~~~~~~~~~~~~~~~          ^~~~~~~~~~~~~~~~~~~~~~~~~~
                             %ld

on macOS.
2021-05-26 05:23:19 +00:00
Toff 2df04e5bb0 Follow stream: Modify YAML format, add timestamps and peers
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
2021-05-25 08:09:31 +00:00
Gilbert Ramirez 6555cfe885 Add min/mean delta and min jitter, to the RTP analysis. 2021-05-02 19:58:59 +00:00
Guy Harris 57a1514ac7 Cast away the return value of g_strlcpy() and g_strlcat().
Most of the time, the return value tells us nothing useful, as we've
already decided that we're perfectly willing to live with string
truncation.  Hopefully this keeps Coverity from whining that those
routines could return an error code (NARRATOR: They don't) and thus that
we're ignoring the possibility of failure (as indicated, we've already
decided that we can live with string truncation, so truncation is *NOT*
a failure).
2021-04-30 03:19:19 -07:00
Gerald Combs 9222bd77cd Remove unneeded modelines in ui.
Remove the editor modeline blocks from the source files in ui that use 4
space indentation by running

perl -i -p0e 's{ \n+ /[ *\n]+ editor \s+ modelines .* shiftwidth= .* \*/ \s+ } {\n}gsix' $( ag -l shiftwidth=4 $( ag -g '\.(c|cpp|h|m|mm)') )

This gives us one source of indentation truth for these files, and it
*shouldn't* affect anyone since

- These files match the default in our top-level .editorconfig.

- The one notable editor that's likely to be used on these files and
*doesn't* support EditorConfig (Qt Creator) defaults to 4 space
indentation.
2021-04-20 07:43:39 +00:00
Michael Tuexen f099bd179a Fix conversation table when using epoch based time
Ensure that if using tshark -q -t e -z conv,tcp the reported
start time is relative to the epoch time and not relative to
the time of the first packet in the capture file.

Thanks to Theresa Enghardt for reporting the issue and to
Peter Lei for initially looking into it.
2021-04-15 03:42:47 +00:00
Jirka Novak c7f5646249 VoIP dialogs: Performance improvements
Retap and UI response are much faster when many RTP streams are
processed. RTP Streams/Analyse 1000+, RTP Player 500+.

Changes:
- RTP streams are searched with hash, not by iterating over list.
- UI operations do not redraw screen after every change, just after all
  changes. UI is locked when rereading packets.
- Sample list during RTP decoding is stored in memory so wireshark uses
  just half of opened files for audio decoding than before.
- Analysis window checkbox area is limited in height
- Dialogs show count of streams, count of selected streams and
  count of unmuted streams
- Documentation extended with chapter about RTP decoding parameters
- Documentation extended with performance estimates
2021-04-14 14:02:58 +00:00
Martin Kaiser 8e030dfbea tap-simple_stattable: fix a memory leak for tshark -z
Displaying statistics with tshark results in a memory leak.

tshark -r <any pcap file> -z dhcp,stat -q

==26971==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f89a4bae518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
    #1 0x7f8989af2918 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53918)

init_stat_table allocates a table_stat_t. This is used as private data while
the tap listener is running but it's not freed afterwards.

This patch adds a finish callback for the tap listener where the
table_stat_t is freed.
2021-01-15 06:03:45 +00:00
Jirka Novak 2a5c96a799 Voice dialogs: Added option to apply display filter in VoIP/RTP dialogs
VoIP Calls dialog and RTP Streams dialog now have an option to apply display
filter dialog during processing packets.
Filter checkbox is activated during dialog open when display filter is active.

New field apply_display_filter had to be added to voip_calls_tapinfo_t and
_rtpstream_tapinfo/rtpstream_tapinfo_t structures.
2021-01-01 19:06:58 +00:00
Moshe Kaplan 6bce7b859a Detect and replace bad allocation patterns (more)
Extension of !1413, to improve regex, detect
additional opportunities to replace
`g_malloc` with `g_new`, and fix them.
2020-12-23 14:07:18 +00:00
Moshe Kaplan 5227f385b8 Replace g_malloc calls with g_new
Replace calls of `g_malloc(sizeof(foo_t))` with
`g_new(foo_t, 1)`, to improve readability.
2020-12-22 15:48:48 +00:00
Moshe Kaplan e16166a74c Detect and replace bad allocation patterns
Adds a pre-commit hook for detecting and replacing
occurrences of `g_malloc()` and `wmem_alloc()` with
`g_new()` and `wmem_new()`, to improve the
readability of Wireshark's code, and
occurrences of
`g_malloc(sizeof(struct myobj) * foo)`
with
`g_new(struct myobj, foo)`
to prevent integer overflows

Also fixes all existing occurrences across
the codebase.
2020-12-22 14:56:38 +00:00
rbroker 1f75d7b3b9 wslua: Add ability to query current temporary color filter text
The LUA API provides the "set_color_filter_slot" function, but without
a corresponding "get_" function, it's very hard for two LUA dissectors
to co-exist without one overwriting any color filters set by the other.

It also looks like the documentation comment for
"set_color_filter_slot" had an off-by-one error, which I've corrected
as I was adding almost identical documentation for the new API.

Change-Id: Ic54d23be555ec12e1830bbe6f84a1b04d04fd4f0
Reviewed-on: https://code.wireshark.org/review/37511
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-25 08:02:27 +00:00
Pascal Quantin c97076b7d7 MAC LTE: add support for extended LCID
This feature introduced in V15.5.0 allows to have up to 15 DRBs by
adding LCID 32 to 38

Change-Id: I4442e26d115efe484eda4f2d8921483cf4278b99
Reviewed-on: https://code.wireshark.org/review/37462
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
2020-06-12 04:13:25 +00:00
Martin Mathieson 0290bd3592 HTTP: share dissector status value_string array with tshark HTTP stats
Change-Id: I6de4a8b691922f7c4a8141b581b9f3c8ca112b60
Reviewed-on: https://code.wireshark.org/review/35942
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
2020-01-24 22:38:17 +00:00
Martin Mathieson 8a79d27010 SIP: share dissector status value_string array with tshark SIP stats
Change-Id: I8f12310f69aa5393ba8ad37e498845f2a1f17693
Reviewed-on: https://code.wireshark.org/review/35927
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
2020-01-24 16:10:43 +00:00
Dario Lombardo 084a887a30 Fix compilation with gcc-9.
gcc-9 spotted some NULL pointer usages.

Bug: 16319
Change-Id: I3e4ac57705f1852c43299f5e924fc642a2c56a3a
Reviewed-on: https://code.wireshark.org/review/35733
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-01-21 04:44:31 +00:00
Jaap Keuter d90a22c1cc Reorganize long option values
For long options, without corresponding short options, to be processed
they need to be assigned a value, preferably outside of the range of
all possible short options. The code in various places tries to stay
clear of these low values, but further coordination is missing, easily
leading to issues when option processing code gets extended and/or
reorganized.

This change introduces a single location from where each category of
command line long option can derive a base value, which should minimize
potential option value collisions.

Change-Id: Ic8861a347d0050f74002de3aa1fcfb01202866e5
Reviewed-on: https://code.wireshark.org/review/35459
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-12-15 20:02:09 +00:00
Michael Mann e253e62750 Use human-readable numbers for conversation stats
Bug: 15360
Change-Id: Iceaa5c2336cfb58966ef12f4267fcd09ae48bfe7
Reviewed-on: https://code.wireshark.org/review/31234
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-12-03 03:17:52 +00:00
Uli Heilmeier 3361109b15 QT/CLI: Remove limit for object export files
Removes the limit to export more than 1000 files with the same name
when exporting objects.
For this a preference name gui.max_export_objects is used.

Bug: 16010
Change-Id: Iefc138ac2617491aad3b6ad5827c9058aed112c7
Reviewed-on: https://code.wireshark.org/review/34339
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
2019-11-05 22:40:27 +00:00
Peter Wu d2a660d805 QUIC: Add Follow QUIC Stream support to Qt and tshark
The QUIC transport protocol provides a stream, similar to HTTP/2. Make
it possible to look at the stream contents. This can be helpful while
HTTP/3 support is not yet complete.

Known issues that will be addressed in the future:

 - If a single packet contains multiple streams, then Follow QUIC Stream
   will wrongly include data from streams other than the selected one.
   This is tracked by bug 16093 and affects HTTP/2 as well.

 - The Substream index menu does not properly filter for available
   stream numbers. If a non-existing stream is selected, then changing
   to another (potentially valid) index results in the "Capture file
   invalid." error. As workaround, clear the display filter first.

 - Follow Stream always selects Stream ID 0 instead of the first or
   currently selected stream field in a packet. Users should manually
   update the stream index as needed.

Change-Id: I5866be380d58c96f0a71a29abdbd1be20ae3534a
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/34694
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-10-04 04:36:09 +00:00
Alexander Gryanko 9fff62e2a8 Qt, http2: Add Follow HTTP/2 Stream functionality
The HTTP/2 protocol multiplexes a single TCP connection into multiple
independent streams. The Follow TCP output can interleave multiple
HTTP/2 streams, making it harder to analyze a single HTTP/2 stream.

Add the ability to select HTTP/2 Streams within a TCP stream.
Internally, the HTTP/2 dissector now stores the known Stream IDs in a
set for every TCP session which allows an amortized O(n) lookup time for
the previous/next/max Stream ID.

[Peter: make the dissector responsible for clamping the HTTP/2 Stream ID
instead of the Qt code, that should permit future optimizations.]

Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200
Reviewed-on: https://code.wireshark.org/review/32221
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2019-09-22 05:29:30 +00:00