"gzgets()" is the one most recently added; it was added in 1.0.9.
Check for it, rather than for a list of functions, when checking for
"zlib" support - if you check for N functions, and they're all there,
you get N "-lz"s added to the list of libraries with which to link.
Indicate in the README that "zlib" versions prior to 1.0.9 definitely
won't work.
svn path=/trunk/; revision=1144
"gzseek()" *and* "gztell()" *and* "gzgets()" *and* "zError()" are all in
Zlib - we use all of them, and it appears that some older versions of
Zlib that some users had on their systems don't have some of them.
svn path=/trunk/; revision=1134
both LAPB and PPP captures get written out with that network type.
Flag it as WTAP_ENCAP_UNKNOWN when the file is opened, and, when we see
the first packet, check whether the address field is 0xFF, in which case
we flag it as PPP, or anything else, in which case we flag it as LAPB.
svn path=/trunk/; revision=1129
dissector; I don't think it's guaranteed that even a Sniffer will tell
you that (there may be situations where it can't figure it out, and
where the user didn't tell it), we may need it for "atmsnoop" traffic
and other types of ATM traffic as well, we will probably want to add to
it the ability to let the user specify "virtual circuit X.Y is this kind
of traffic", and we may also have Ethereal try to intuit it based on
previous traffic in the capture (Q.2931 call setup, LANE traffic, etc.).
Don't show the cell count if it's zero - assume that means we don't know
how many cells made up the packet. Also don't show the AAL5 trailer if
the cell count is zero - the ATM Sniffer *might* sometimes supply a cell
count of 0 even if it has the AAL5 trailer, I guess, and we *might* see
some other capture file format that has the AAL5 trailer but no cell
count, but we'll cross that bridge when we come to it.
Add support for "atmsnoop" captures to the code to handle "snoop"
captures.
Use the field in "iptrace" headers that appears to be, in ATM captures,
a direction indicator - we may have the direction backwards, but, as an
STP packet was tagged as a DCE->DTE packet, and as the capturing
machine, which also was presumably the recipient of the packet, was an
AIX box, not a switch or bridge or some piece of networking equipment
such as that, it *probably* wasn't sending the STP packet, it was
probably receiving it.
svn path=/trunk/; revision=1120
necessarily start at an offset of 128 into the file; we have to read the
first entry in the frame table to find the offset in the file of the
first frame. (That also works on NetMon 1.0.)
Keep the header size around, though, as we'll need it if we add code to
*write* NetMon files.
svn path=/trunk/; revision=1119
<flo@rfc822.org> for the sample traces.
It turns out that the iptrace 2.0 header is simply an extension to
the iptrace 1.0 header. It also appears that iptrace 1.0 has only tv_sec, but
not tv_usec, which explains why the fields are separated in the iptrace 2.0
header, but doesn't explain why the iptrace 2.0 header has tv_sec copied
in two places.
I changed iptrace.c to detect FDDI captures via if_type, even though I
don't have a trace to substantiate this. If *should* work, given that
loopback, ethernet, token-ring, and X.25 work. If it doesn't work, someone
will let me know.
svn path=/trunk/; revision=1117
warnings about multiple declaration of "pseudo_header" as a common.
Instead, define it only in "ascend-grammar.y", and declare it in
"ascend-int.h" as an "extern".
svn path=/trunk/; revision=1103
If a interface type is not recognized, set error to WTAP_ERR_UNSUPPORTED
instead of WTAP_BAD_RECORD.
Continue to check for X.25, FDDI, and loopback traces via the interface
name instead of the newly-discovered if_type field in the packet header.
Once Olivier confirms that his traces still work by checking only if_type,
I'll change the code. But he's on vacation right now. ATM, Ethernet, and
Token-Ring are discovered via the if_type field.
svn path=/trunk/; revision=1063
Also, explicitly compare the result of "memcmp()" against 0 - the
appearance of a comparison operator in the expression makes it clearer
what test is being done.
svn path=/trunk/; revision=1061
AppHLType is the subtype of that type; set them appropriately (as best
we can, given that we can only *guess* what kind of traffic it is) for
"iptrace" captures in Wiretap. (Alas, more work is needed to
distinguish Ethernet from Token-Ring LANE traffic....)
Handle VPI = 0, VCI = 5 as the Signalling AAL in "iptrace" captures.
svn path=/trunk/; revision=1058
all packets are recognized yet, but ILMI and Classical IP (LLCMX) are.
The ATM iptrace facility uses the ngsniffer_atm_phdr pseudo header so that
ethereal doesn't have to worry about yet another psuedo header.
svn path=/trunk/; revision=1057
and on a comment that "libpcap"/BPF on AIX appears to return 6 as the
network type for an Ethernet device - the BSD IFT_ETHER is 6.
svn path=/trunk/; revision=1048
colors.c wasn't freeing path in one place
main.c wasn't freeing rc_file
the frame_buffer fix in wtap.c didn't clear everything.
svn path=/trunk/; revision=1001
and aligned g_malloc calls with g_free calls (i.e, we no longer mix-and-match
C-library malloc with GLIB g_free, and vice-versa).
svn path=/trunk/; revision=1000
of the "libpcap" patch that changes the per-packet header but not the
magic number - it seems to work on at least one capture file I tried it
on.
Give the modified "libpcap" format a WTAP_FILE type of its own (so that,
in the future, we could support writing captures out in that format,
possibly).
svn path=/trunk/; revision=987
Kuznetsov's modified "libpcap" *as long as you have the ss990915 or
later patch*; the 990417 patch, alas, changes the per-packet header but
*doesn't* change the magic number, so you can't just look at the magic
number to see that it's Not Standard Libpcap. (Even more unfortunately,
Red Hat appears to have picked up *that* patch for Red Hat 6.1; I've
filed bug 6773 with Bugzilla on their site - hopefully, if I'm not
misremembering the RH 6.1 code I've seen, and they really *did* pick up
the older patch, they'll fix it ASAP to use the new magic number, and
will make updates available.)
svn path=/trunk/; revision=986
overwritten here?" is probably "because I was cutting-and-pasting text
to insert the error-handling code, and didn't remove the "*err = errno"
from that particular case. Remove it now.
svn path=/trunk/; revision=955
Fix the error checking ("file_error()" returns an "errno" value *if*
there's an error and it's a UNIX error, but it may also return a
non-"errno" value for non-UNIX errors, so its return value should be
passed back through the "err" pointer).
svn path=/trunk/; revision=954
line of ISDN routers. Much like the ascend reader, this module reads an
ASCII hex dump of trace data.
Rearranged the order in which wiretap tries trace files, to keep the
ASCII-readers (ascend and toshiba) at the end, and put the binary-readers
(everything else) at the front of the list. If a telnet session of
and ascend trace or toshiba trace were captured near the beginning of
another trace, wiretap might think the trace was ascend or toshiba if it
tried that module first.
Fixed the way wtap_seek_read() selects functions to call. It was using
the encap type instead of the file type. We got lucky because
WTAP_ENCAP_ASCEND == WTAP_FILE_ASCEND
svn path=/trunk/; revision=952
more display filters for X.25;
no LCN in X.25 RESTART / DIAGNOSTIC / REGISTRATION packets;
support for nettl file format (nettl is a trace tool for HP-UX).
For now, it only supports traces for X.25 interfaces (tested
with HP-UX 10.20).
svn path=/trunk/; revision=879
for ip.ip_p and ip6.ip6_nxt (and other IPv6 header chain).
use val_to_str() as much as possible in dissect_{ipv6,pim,ripng}().
make --disable-zlib a default for netbsd (temporary workaround).
svn path=/trunk/; revision=827
parser/lexical analyzer in question are needed only in the ".c" files
for the generated parser and lexical analyzer, and Flex and Byacc/Bison
put them there; don't bother putting them in a header file, just
directly declare the functions with the right names.
svn path=/trunk/; revision=801
file (which could be WTAP_ENCAP_UNKNOWN, if we couldn't determine it, or
WTAP_ENCAP_PER_PACKET, if we could determine the encapsulation of
packets in the file, but they didn't all have the same encapsulation).
This may be useful in the future, if we allow files to be saved in
different capture file formats - we'd have to specify, when creating the
capture file, the per-file encapsulation, for those formats that don't
support per-packet encapsulations (we wouldn't be able to save a
multi-encapsulation capture in those formats).
Make the code to read "iptrace" files set the per-file packet
encapsulation - set it to the type of the first packet seen, and, if any
subsequent packets have a different encapsulation, set it to
WTAP_ENCAP_PER_PACKET.
svn path=/trunk/; revision=772
Assign a range of Wiretap errors for zlib errors, and have
"wtap_strerror()" use "zError()" to get an error message for
them.
Have the internal "file_error()" routine return 0 for no error
and a Wiretap error code for an error.
svn path=/trunk/; revision=769
Sniffer trace, and printout therefrom, sent to me by Jeff Foster. (The
Sniffer manuals I'd had a chance to read didn't say what the units
were.)
svn path=/trunk/; revision=744
same (which raises the question "so why the heck are there two types?" -
note that the way you're supposed to tell Ethernet from 802.3 packets is
by looking at the value of the type/length field; both of them can be
transmitted on the same wire), so we'll treat them the same.
svn path=/trunk/; revision=733
"zlib" was built in FreeBSD 3.2 (and possibly other 4.4-Lite-derived
BSDs), if HAVE_UNISTD_H is defined before "zlib.h" is included, the
declaration of "gzseek()" in "zlib.h" expands to something that doesn't
match what's in the OS's "zlib".
svn path=/trunk/; revision=721
The "fh" member of a "wtap" structure points to something constructed
from the "fd" member of that structure, so that closing the stream
referred to by "fh" also closes the underlying file descriptor; get rid
of an unnecessary close of "wth->fd".
svn path=/trunk/; revision=720
not, so it's OK to use "zlib" to read capture files, as it handles
uncompressed files correctly.
When *writing* capture files, however, we can't detect automatically
whether the user wanted to write the file out as a compressed file or
not, so we should *NOT* use "zlib" until we add a flag to the API
specifying whether to write the file out as a compressed file or not.
Furthermore, the code in Ethereal that implements the "-S" flag depends
on being able to get the "FILE *" for a capture file being written, so
that it can "fflush()" it.
svn path=/trunk/; revision=703
bounce bar for compressed file support). Note that the progress bar may
not grow smoothly for compressed files, but it should be reasonably accurate
for files which are large enough to matter.
svn path=/trunk/; revision=701
gzip. The zLib library is used for this purpose. If zLib is not available
(or it's use is disabled by the --disable-zlib option to configure), you
can still compile Ethereal but it will be unable to read compressed capture
files.
IMPORTANT:
Now all file accesses to capture files should be done through special macros.
Specifically, for any use of the following functions on capture files, replace them.
The arguments for the right-side functions are exactly the same as for the
original stdio functions.
fopen file_open
fdopen filed_open
fread file_read
fwrite file_write
fseek file_seek
fclose file_close
ferror file_error
svn path=/trunk/; revision=695
not like #preprocessor_macros that do not start at
the first column.
So write:
#ifdef FOO
# include <dummy1.h>
# define DUMMY 1
#else
# include <dummy2.h>
# define DUMMY 2
#endif
instead of
#ifdef FOO
#include <dummy1.h>
#define DUMMY 1
#else
#include <dummy2.h>
#define DUMMY 2
#endif
svn path=/trunk/; revision=668
family has a set of debug commands that allow you to log the traffic on a
WAN or dialup connection as text, e.g.
RECV-iguana:241:(task: B04E12C0, time: 1975358.50) 15 octets @ 8003D634
[0000]: FF 03 00 3D C0 06 C9 96 2D 04 C1 72 00 05 B8
Created wtap_seek_read() which parses the textual data for and Ascend
trace, and does a normal fseek() and fread() for any other file type.
The fseek()/fread() pairs in file.c were replaced with the new function.
svn path=/trunk/; revision=652
this causes "Makefile.in" to have two GPL notices - "Makefile.in" and
the "Makefile" generated from it are generated files, so maybe that's
OK).
svn path=/trunk/; revision=639
don't seek around it - some implementations of the standard I/O library
routines (e.g., the ones in Solaris 2.5.1, at least) appear not to be
clever enough to handle seeks that occur within the buffer by moving the
current buffer position; instead, they do a seek on the underlying file
descriptor *and* appear to throw out the buffer, forcing them to do
another read.
Instead, read it into a buffer.
svn path=/trunk/; revision=626
header fields we don't look at - some implementations of the standard
I/O library routines (e.g., the ones in Solaris 2.5.1, at least) appear
not to be clever enough to handle seeks that occur within the buffer by
moving the current buffer position; instead, they do a seek on the
underlying file descriptor *and* appear to throw out the buffer, forcing
them to do another read.
Instead, read the entire record header into a structure, and pick the
relevant bits out of it.
Also, skip over the FCS in LAPB captures by reading it rather than
seeking around it (should we put it in the pseudo-header?).
svn path=/trunk/; revision=625
Use "pletohs()" and "pletohl()" to access 16-bit and 32-bit fields in
the file and packet headers, as those fields are little-endian.
svn path=/trunk/; revision=612
read, and maintain it ourselves as we read through the file, rather than
calling "ftell()" for every packet we read - "ftell()" may involve an
"lseek()" call, which could add a noticeable CPU overhead when reading a
large file.
svn path=/trunk/; revision=596
"FDDI with the MAC addresses bit-swapped"; whether the MAC addresses are
bit-swapped is a property of the machine on which the capture was taken,
not of the machine on which the capture is being read - right now, none
of the capture file formats we read indicate whether FDDI MAC addresses
are bit-swapped, but this does let us treat non-"libpcap" captures as
being bit-swapped or not bit-swapped independent of the machine on which
they're being read (and of the machine on which they were captured, but
I have the impression they're bit-swapped on most platforms), and allows
us to, if, as, and when we implement packet capture in Wiretap, mark
packets in a capture file written in Wiretap-native format based on the
machine on which they are captured (assuming the rule "Ultrix, Alpha,
and BSD/OS are the only platforms that don't bit-swap", or some other
compile-time rule, gets the right answer, or that some platform has
drivers that can tell us whether the addresses are bit-swapped).
(NOTE: if, for any of the capture file formats used only on one
platform, FDDI MAC addresses aren't bit-swapped, the code to read that
capture file format should be fixed to flag them as not bit-swapped.)
Use the encapsulation type to decide whether to bit-swap addresses in
"dissect_fddi()".
svn path=/trunk/; revision=557
Have the code that opens "libpcap" files for writing check to make sure
that the Wiretap encapsulation can be written to a "libpcap" file, and
return -1 and supply a new WTAP_ERR_UNSUPPORTED_ENCAP error code if it
can't.
Handle that new error code in "wtap_strerror()".
svn path=/trunk/; revision=546
code supplied by a Wiretap routine (whether a positive UNIX "errno" code
or a negative Wiretap error code), and returns an error message
corresponding to it.
Use that to construct the message Ethereal put up in a message box for
those errors for which we don't have Ethereal put up a message of its
choice.
svn path=/trunk/; revision=545
Get rid of WTAP_ENCAP_NONE; replace it with WTAP_ENCAP_UNKNOWN, which
means "I can't handle that file, it's using an encapsulation I don't
support".
Check for encapsulations we don't support, and return an error (as is
already done in "libpcap.c").
Check for too-large packet sizes, and return an error (as is already
done in "libpcap.c").
Print unsigned quantities in Wiretap messages with "%u", not "%d".
svn path=/trunk/; revision=544
and in different capture files; throw in some heuristics to try to
figure out whether the 4-byte header is:
1) PPP-over-HDLC (some version of ISDN4BSD?);
2) big-endian AF_ value (BSD on big-endian platforms);
3) little-endian AF_ value (BSD on little-endian platforms);
4) two octets of 0 followed by an Ethernet type (Linux, at least
on little-endian platforms, as mutated by "libpcap").
Make a separate Wiretap encapsulation type, WTAP_ENCAP_NULL,
corresponding to DLT_NULL.
Have the PPP code dissect the frame if it's PPP-over-HDLC, and have
"ethertype()" dissect the Ethernet type and the rest of the packet if
it's a Linux-style header; dissect it ourselves only if it's an AF_
value.
Have Wiretap impose a maximum packet size of 65535 bytes, so that it
fails more gracefully when handed a corrupt "libpcap" capture file
(other capture file formats with more than a 16-bit capture length
field, if any, will have that check added later), and put that size in
"wtap.h" and have Ethereal use it as its notion of a maximum packet
size.
Have Ethereal put up a "this file appears to be damaged or corrupt"
message box if Wiretap returns a WTAP_ERR_BAD_RECORD error when opening
or reading a capture file.
Include loopback interfaces in the list of interfaces offered by the
"Capture" dialog box, but put them at the end of the list so that it
doesn't default to a loopback interface unless there are no other
interfaces. Also, don't require that an interface in the list have an
IP address associated with it, and only put one entry in the list for a
given interface (SIOCGIFCONF returns one entry per interface *address*,
not per *interface* - and even if you were to use only IP addresses, an
interface could conceivably have more than one IP address).
Exclusively use Wiretap encapsulation types internally, even when
capturing; don't use DLT_ types.
svn path=/trunk/; revision=540
from RADCOM WAN/LAN Analyzers.
(BTW, the previous checkin also removed the comments about the hack
wherein we pretended that ATM Sniffer captures were really Ethernet,
Token-Ring, or RFC 1483 captures, given that said hack was itself
removed.)
svn path=/trunk/; revision=526
washed out to sea the code that used to pretend that an ATM Sniffer
capture was an Ethernet or Token-Ring Sniffer capture.
svn path=/trunk/; revision=524
file, instead of throwing out all but LANE or RFC 1483 data frames and
pretending that the former are just Ethernet or Token-Ring frames.
Add some level of decoding for ATM LANE, but not all of it; the rest,
including decoding non-LANE frames, is left as an exercise for somebody
who has captures they want to decode, an interest in decoding them, ATM
expertise, and time....
svn path=/trunk/; revision=523
variable from lanalyzer_t (plus an additional variable which wasn't being
used). While I was in there I cleaned up some comments and renamed a couple
variables to make more sense.
svn path=/trunk/; revision=521
expecting it as normal. Added paragraph about iptrace oddities to README.
I also added a section to the README about how to report bugs.
svn path=/trunk/; revision=519
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=518
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=516
the variable for the return value of "wtap_dump_close()", just check it
against EOF; shoving it into "ret" means it gets set to 0 on a
successful close, but a return value of 0 means "wtap_dump_close()"
failed.
svn path=/trunk/; revision=514
can't translate the encapsulation type, it should return an
encapsulation type; we add a new one, WTAP_ENCAP_UNKNOWN. and have it
return that.
Have "capture()" handle "wtap_pcap_encap_to_wtap_encap()" returning that
encapsulation type (if it happens, we need to add a new Wiretap
encapsulation type to handle the new "libpcap" encapsulation type).
svn path=/trunk/; revision=513
for errors when closing a file to which we've written packets (we don't
bother checking if we're giving up on a capture).
Add some more error checks in Wiretap.
Make a single list of all Wiretap error codes, giving them all different
values (some can be returned by more than one routine, so they shouldn't
be per-routine).
svn path=/trunk/; revision=510
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
Guy Harris