libpcap format, and say that it's also used by "other tools" (tcpdump
and Ethereal/Tethereal aren't the only tools that write captures in that
format).
Weaken the claim that we read Etherpeek files to say only that we read
Etherpeek versions 5, 6, and 7 for Macintosh, so people don't conclude
that we read Etherpeek-for-Windows captures (we don't).
svn path=/trunk/; revision=4337
files would put a 32-bit quantity on a 16-bit boundary without padding;
this means that many compilers will insert the padding and thus make the
structure not match what's in the file.
Instead of using a C structure, #define values for the offsets of
fields, read the header into an array of bytes, and extract values using
the offsets.
svn path=/trunk/; revision=4334
trying to read the frame table, return -1 with "*err" set to
WTAP_ERR_SHORT_READ, don't return 0 - we've already decided that the
file is a NetMon file, so we shouldn't return a "this isn't a NetMon
file" indication, we should return a "this file is too short" error, as
that's what the problem is.
Fix up the error messages for WTAP_ERR_SHORT_READ to indicate that the
read might have gotten cut short in the middle of data other than a
packet.
svn path=/trunk/; revision=4331
formats we can read (and to put them in the order in which they're
mentioned in the man pages, to make it easier to make sure the lists are
the same).
svn path=/trunk/; revision=4330
Nisbet.
Make a comment in "wiretap/file.c" clearer, so people know where to put
the entries for their capture file type.
svn path=/trunk/; revision=4328
insensitive, make its label sensitive or insensitive too.
When "update list of packets in real time" mode is on, make the ring
buffer mode toggle button, and the "number of ring buffer files" spin
button, insensitive, as ring buffer mode is not supported in "update
list of packets in real time" captures.
When "update list of packets in real time" mode is off, make the
auto-scroll mode button insensitive, as auto-scroll mode is meaningless
unless you're doing an "update list of packets in real time" capture.
Bundle all the sensitivity setting into a single common routine.
Make "ring buffer" two words.
svn path=/trunk/; revision=4325
files to get that big.
From Thomas Wittwer and Matthias Nyffenegger:
Support for "ring buffer mode", wherein there's a ring buffer of N
capture files; as each capture file reaches its maximum size (the ring
buffer works only with a maximum capture file size specified), Ethereal
rolls over to the next capture file in the ring buffer, replacing
whatever packets might be in it with new packets.
svn path=/trunk/; revision=4324
files to get that big.
From Thomas Wittwer and Matthias Nyffenegger:
Support for "ring buffer mode", wherein there's a ring buffer of N
capture files; as each capture file reaches its maximum size (the ring
buffer works only with a maximum capture file size specified), Ethereal
rolls over to the next capture file in the ring buffer, replacing
whatever packets might be in it with new packets.
svn path=/trunk/; revision=4323
only there's TCP in the current frame and it will be set to PT_UDP only
if there's UDP in the current frame. As such, there's no need to check
"ipproto" before checking "ptype" - and we should check "ptype" as well
as "ipproto" when deciding whether we'll put up a "Decode As" dialog
with anything in it.
(Not that there's anything other than IPv4 or IPv6 over which we
currently dissect TCP or UDP....)
svn path=/trunk/; revision=4318
whether the port type is PT_TCP or PT_UDP, don't check the IP protocol
type at the network layer (except to check whether it's set at all, to
decide whether it's IP/IPv6 - if it's not, the transport isn't TCP or
UDP); that way, we don't have to keep track of which IP protocol numbers
are being decoded as TCP or UDP.
svn path=/trunk/; revision=4317
plugin APIs, and add the new "dissector_add_handle()".
Add an entry in the dissector table structure for
"create_dissector_handle".
svn path=/trunk/; revision=4314
pointer to a "struct dissector_table", containing a pointer to a hash
table and a pointer to a list of handles. Fix
"dissector_all_tables_foreach_func()" to understand that.
svn path=/trunk/; revision=4312
dissector table contain both a hash table, to use to look up port
numbers to find a dissector, and a list of all dissectors that *could*
be assigned to ports in that hash table, to be used by user interface
code.
Make the "Decode As" dialog box code use that.
Also make it *not* let you choose whether to set the dissector for both
the UDP and TCP versions of a port; some protocols run only atop TCP,
some run only atop UDP, and even those that can run atop both may have
different dissector handles to use over TCP and UDP, so handling a
single merged list would be a mess. (If the user is setting the
dissector for a TCP port, only those protocols that Ethereal can handle
over TCP should be listed; if the user is setting the dissector for a
UDP port, only those protocols that Ethereal can handle over TCP should
be listed; if the user is setting a dissector for both, only those
protocols that Ethereal can handle over *both* TCP *and* UDP should be
listed, *and* there needs to be a way to let the "Decode As" code get
both the TCP handle *and* the UDP handle and use the right ones. If
somebody really wants that, they need to implement all of the above if
they want the code to be correct.)
Fix the code that handles setting the dissection for the IP protocol
number to correctly update the lists of protocols being dissected as TCP
and as UDP; the code before this change wasn't updating the single such
list to add new protocols.
svn path=/trunk/; revision=4311
if found, return the dissector handle for that port.
Use that routine in the X.25 dissector; revert to attaching a dissector
handle to an X.25 virtual circuit.
svn path=/trunk/; revision=4310
take a dissector handle as an argument, rather than a pointer to a
dissector function and a protocol ID. Associate dissector handles with
dissector table entries.
svn path=/trunk/; revision=4308
rather than a function pointer, "dissect_wtp_fromudp()" no longer needs
to be global; make it static, register it by name, and have the WSP
dissector get the handle by calling "find_dissector()" rather than by
constructing its own handle for it.
Fix up some attributions.
svn path=/trunk/; revision=4306
Adds an "Add Expression..." button to the color filter
creation dialog.
Improve the look of the "Add color to protocols" window.
Clean up some ugly code.
Give John credit in the AUTHORS file for the coloring stuff.
svn path=/trunk/; revision=4301
identifier, but means X.29 when used as an X.263/ISO 9577 secondary
protocol identifier.
Add support for the IPv6 NLPID, and Ethernet type, in more places.
Fix up the handling of the user data of a CALL REQUEST packet to more
correctly distinguish between user data containing an NLPID and user
data containing an X.264/ISO 11570 UN TPDU. If it's an NLPID, use
"nlpid_vals" to show its value.
Put that user data in a subtree.
Create a new "x.25.spi" dissector table, for protocols running atop
X.25, rather than having a built-in switch statement, so that other
protocols can register themselves by NLPID.
svn path=/trunk/; revision=4300
Rename WTAP_ENCAP_PRISM to WTAP_ENCAP_PRISM_HEADER, to match
DLT_PRISM_HEADER.
Add in missing capture support for WTAP_ENCAP_PRISM_HEADER when
capturing with "pcap_open_live()" rather than reading the capture from a
pipe.
svn path=/trunk/; revision=4299
1. Changes how can_desegment works so that can_desegment is
only != 0 for whichever dissector is running immediately on
top of whoever offers the can_desegment service.
Thus DCERPC needs no special handling to see if it can trust
can_desegment (which is currently only available ontop of TCP
and not ontop of tcp->nbss->smb).
2. Changes fragment reassembly of transaction smb to only show
the defragmented packet for the transaction smb holding the
first fragment.
To see why, test it with a transaction SMB containing a ~60kb
PDU or larger. The old behaviour had approximately quadratic
behaviour regarding runtime for dissecting such PDUs.
(example: NetShareEnum is a command which can grow really really
large if the number of shares and comments are large)
svn path=/trunk/; revision=4296
"smb_saved_info_t" in the table of requests whose replies have been
found, don't look it up in the table of requests whose replies have not
been found - if the request in question has no reply in the capture,
that may find some later frame in the same conversation with the same
MID, and we don't need that information anyway - the only reason we
*need* that structure is to save information in it for use when
processing its reply, and we already did that the first time we
processed the request. (The information for the later frame may be bad,
e.g. having a null "extra_info" pointer, or having one that points to
information for another request.)
Arrange that we don't use the pointer to the "smb_saved_info_t" when
processing a request except to save information if the request hasn't
already been processed, as that pointer may not be valid if the request
has already been processed, as per the above.
svn path=/trunk/; revision=4292
Add some checks for null tvbuff arguments.
When dissecting transaction setup, parameters, and data when we couldn't
dissect it as a pipe or mailslot transaction, use the reported length of
the supplied tvbuff, not the actual length, as the amount of data
present.
svn path=/trunk/; revision=4291
Guy Harris