| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In the first pass of two-pass wireshark, where we can do
asynchronous DNS lookups, make sure to actually take the
requests off the queue and process them, instead of waiting
until the end of the first pass.
Use a mutex to protect taking requests off the queue, just in
case.
Related to #19629.
|
|
When switching to synchronous external host name lookups (e.g., upon
starting the second pass of a two-pass tshark command), if there are
any in-flight requests, wait for them to return.
This avoids a problem where on the second pass, synchronous lookups
aren't performed but instead immediately report failure (because
according to our cache the request has already been made; in the GUI,
the answer would be updated later.)
It makes tshark two-pass performance faster than one-pass, so long as
the host name lookups are queued in the first pass (e.g., by offering
a display filter like "-Y ip.addr".)
A nice enhancement later would be to ensure that any external host name
lookups that will be needed in the second pass are done asynchronously
in the first pass. Even the overkill of doing the dissection with a visible
tree is likely better performance than waiting for many synchronous
lookups.
Fix #19629.
|
|
The list of TCP/UDP/SCTP/DCCP port numbers never needs to be modified. This
moves ~150 kBytes of data to a read-only data section.
|
|
Saving only the dfilter text and recompiling the code when
[re]dissecting or scanning groups of packets operates on the
explicit assumption that previously validated filter text will
always compile to valid filter code
That assumption is not true; while we invalidate the filter and
replace the text with NULL if display filter macros change or
other aspects of the packet matching expressions change so that
the previous text is no longer valid, display filters that match
FT_IPv4 or FT_IPv6 fields to resolved hostnames require a host
name lookup each time they are compiled, which can timeout, especially
if there are too many requests in flight at once. This is particularly
likely if a recompilation is performed each time additional frames
arrive during a live capture.
It is important to stress that the stronger, implicit assumption that
the display filter will compile to the same code is also false.
1) Display filters that require host name lookup can change even if
it doesn't timeout.
2) Display filter macros can change.
3) Display filters with field references will change if the selected
frame has changed.
In the case of a rescan, redissection, reload, retap, or opening a
new file, we want the new dfcode. For cf_continue_tail and
cf_finish_tail, when a new batch of frames have arrived, we might
be able to cache the host lookup for 1), and a user might want the
new macro definitions in 2) (but in that case, why not a rescan of
all packets?), but almost surely for 3) wants the field references
of the frame selected in the GUI when the filter was applied, not
whatever frame is currently selected when new packets arrive. So
we keep the old dfcode, and also reduce recompilation (which becomes
more important as the default update interval can be reduced, cf.
f0712606a3d014a915e585997f624640b326b9c0 ).
Currently filters with field references don't work at all with
newly arrived frames in live captures, because the references
aren't loaded to the code. This fixes that by using the field
references from the original frame.
Cf. 1370d2f738f4ec4b7a00f63e5f04fe916da79533
Fix #19612. Fix #12517.
|
|
Callers of the service lookup functions, like col_append_ports,
might call it with a nonstandard port type. This might be a
dissector issue, but it's not the sort of thing that should
trigger a ws_assert that crashes Wireshark.
Some dissectors just want the nice looking port column information
even for port types where lookups aren't possible. Dissectors
shouldn't have to know which port types can be looked up.
Related to #19557.
|
|
Value stored to 'bitmask' is never read
|
|
Keep the custom services entries in a separate table and
only copy them to the externally visible table when looked up.
This allows us to make the externally visible strings const,
and means that we don't have to copy the strings from the global
services C array table.
It also means that the externally visible table only has entries
that have actually been looked up, instead of being mixed with
the static entries.
Fix #13857
|
|
Change the hashether status flags to be more consistent with the others.
In the Resolved Addresses dialog, only show addresses that are
actually present in the capture file and resolved, not all entries
in an ethers or wka file. (Entries in the wka file with a /48 mask
are added to the ethers hashtable.)
Part of #13857
|
|
For manuf/OUI, change the status flags to be more consistent with
other types, and provide an accessor for status. In the Resolved
Addresses dialog, only display the OUI that have actually been
looked up in the capture file.
Part of #13857
|
|
For well-known addresses, store whether the address has actually
been used in a lookup or is just present in the global file.
In the Resolved Addresses dialog, only display the well known
addresses that have actually been looked up.
Part of #13857
|
|
Some protocols specifically have 24-bit OUI fields, not
contained within a EUI-48 or EUI-64. Don't return the MA-M
or MA-S that starts with those 24 bits and has 4th and 5th
octet zero when looking up a 24-bit OUI.
When finding a MA-M or MA-S in the global manuf hash tables
(whether from a 24-bit OUI or from a EUI-48 or EUI-64), don't
store the results in the used manuf hashtable, which results
in incorrectly matching other MA-M and MA-S with the same
first 24 bits.
We probably do want to eventually store all MA-M and MA-S used
in some sort of resolved hash table for the Resolved Addresses
dialog.
We also eventually should go through and determine which cases of
tvb_get_manuf_name_if_known are really 24-bit OUIs (e.g.,
roaming consortium in IEEE 802.11) and which are looking
up EUI-48s (e.g., packet-pw-eth.c)
Fix the label writing for the MA-M and MA-S so as not to include
the proper number of nibbles, splitting a byte if appropriate.
Fix #15300
|
|
Once upon a time, Wireshark could use GNU ADNS instead of c-ares
for asynchronous DNS lookups. GNU ADNS didn't check the system
hosts file (see 51984de040b804ca6614830acc62c641cd6d8959), so
we added the system hosts file using the same mechanism as profile
paths when using ADNS.
This was then confusing, because "use external DNS resolver / use
system DNS resolving" could be off but /etc/hosts was still used,
so the "only use profile hosts" option was created to avoid using
external system DNS hostsnames at all.
c-ares (and, for that matter, libunbound) does read /etc/hosts, so
this option doesn't do its primary purpose anymore. All it usually
does now is keep any hosts file in the global profile from being used,
but we don't have any other name resolution options where there's a
pref not to use global profile data.
Even more confusingly, if the option is true, then the -H option
to tshark to give a hosts file on the command line doesn't work.
add_hosts_file checks the preference and then doesn't actually
read the file from the command line, which is surely never wanted.
Most people don't understand what the option means, despite the
tooltip, and assume that it means "only use the hosts file as a
source of name resolution data", not "when using hosts files as
a source of name resolution data, only use the one from the personal
profile and not any from the global profile, the tshark command line,
or any other source."
Just mark the option as obsolete.
Related to #11470
|
|
inet_netw.c -> inet_cidr.c
inet_netw.h -> inet_cidr.h
|
|
|
|
Consolidate code to handle CIDR network addresses in inet_netw.[ch].
|
|
ip_to_str() forces the caller to cast the argument and it's not
obvious at all that the input should be in network-byte order
for IPv4 addresses.
Deprecated the function and add endian-explicit substitutes (number
vs address).
|
|
Ping #19116
|
|
Make sure we always pass at least 6 bytes to ws_manuf_lookup_str().
Fixes #19344.
|
|
Fixes #17416.
|
|
Fix OUI lookups for 802.11 and other protocols that use a
dedicated API for manuf lookups and not the normal MAC Address
name resolution code path.
Of note is that the existing code assumes the byte order is
little-endian.
Fixes #19337.
|
|
Since this is declared in the addr_resolve scope and freed
when address resolving is cleaned up, make sure to set it to
null.
|
|
Our name resolution logic does not use the address block
of the lookup result. As a small optimization avoid a
memset/memcpy to return the result and just return
two const string pointers.
|
|
The result was propagated through both the return value and the first
output parameter. Change the return type to indicate whether it matched.
|
|
Most (all but the entries manually entered through the GUI) address
resolutions are reset upon init_dissection(), because they have
entries from files contained in configuration profiles and thus
need to be reset when the profile changes. (This is also called
upon loading a new file, or with the -M option to tshark.)
That means that if the tables and their entries are in epan scope,
they will not be freed until the program is exited, which means
that excessive memory is consumed.
Create a new wmem allocation scope and use it for the address
tables and entries. (Some of these maps could be made autoreset with
epan scope and the new scope.)
This is similar to file scope, but some lookups need to be available
before file scope is entered; specifically, the enterprises lookups
are used by the RADIUS dissector for turning vendor numbers into
strings during AVP registration, when happens when the dissector
is registered.
Do NOT use the new scope for the manually entered lookups via
"Edit Resolved Name," because those are not freed upon starting
a new dissection (should they be?)
Fix #19309
|
|
Pass a pointer to the IPv6 address instead of a pointer to the pointer.
Fixes #19294
Fixes: v2.9.0rc0-666-g0542c5b700 ("Do IP address resolution synchronously before printing in TShark.")
|
|
Rename function to use the ws_manuf namespace.
Make all the interface functions public.
|
|
|
|
Make global_manuf_lookup() return a struct ws_manuf pointer.
Use a function to handle each switch case.
|
|
|
|
To reduce startup external file parsing replce the manuf file with
static arrays compiled into the binary.
Add 3 tables for MA-L, MA-M and MA-S. Add a fourth table to direct
a 24-bit MAC prefix (OUI) to one of these tables.
Adapt the make-manuf.py script to generate the static C data
instead of the text file.
The arrays are sorted and a binary search is performed to map
an OUI (24bit/28bit/36bit) to a short and long name.
|
|
|
|
We don't ship an external services file anymore but keep the
global file as an optional resource to load at start-up, in
case anyone depends on this or to allow an administrator to
provide a system services file, similar to the personal file but
system-wide.
|
|
To speed up start-up we no longer read the services file
from an external resource. Instead it is compiled statically
into the binary in a sorted array.
The personal services file is still parsed and loaded at startup,
if it exists, to allow users to add custom entries and override
global entries.
For historical reasons the port list is mostly composed of
the same entry for TCP and UDP. To avoid a lot of duplication
we add an extra TCP+UDP table and do two lookups for TCP or
UDP, one in the TCP+UDP table and the other in the TCP/UDP table.
Because the services name space is pretty sparse, with lots of
holes, we also use a binary search instead of a linear array
with aprox. 49000 entries, where most would be empty.
|
|
The TSV extension is uncommon, IMHO ugly and breaks the conventions
used with every other external name resolution file. Remove it.
|
|
Rename generator script and C source file to be more descriptive
and less unwieldly respectively.
|
|
|
|
Move MaxMind lookups to a global Name Resolution preference.
That's a bit of a misnomer (it's not name resolution, but it
is using external sources of data to update information about
a network object), but the MaxMind DB path location is already there.
This means that MaxMind lookups can be disabled with the '-n'
option, and enabled with a 'g' for the '-N' option. This is
significant for tshark, because MaxMind lookups are now synchronous.
Disabling the new global preference also keeps the Endpoints window
from doing MaxMind lookups; currently, even if the IPv4 and IPv6 GeoIP
prefs are disabled the data is still looked up and inserted in the
Endpoints window.
Fix #14692
|
|
This ensures forward compatibility when using Wireshark 4.x or later
(see #18214)
|
|
Ping #18075
|
|
Update the dns_pkt_addr_resolution, use_external_name_resolver, and
use_custom_dns_servers names to be more consistent. Make it more clear
that use_external_name_resolver uses you're system's DNS settings.
|
|
Closes #18234
|
|
Add the port correctly if only one dns server is configured
|
|
|
|
If nameservers use a different default port than 53, Wireshark
is not able to resolve, as it always assumes the default port.
This allows to configure both tcp/udp ports for name resolutions,
with the udp port being asked first and tcp only used for fallback
Implements #18214
|
|
Currently Wireshark does not close the vlans file on profile change.
This leads to major problems, when vlan resolution is turned on:
- Deleting a profile (not even selected) is not possible without exiting
Wireshark.
- Switching from one profile with vlans to another with vlans, does
not switch the resolution but stays on the names of the old profile!
|
|
Replace:
g_snprintf() -> snprintf()
g_vsnprintf() -> vsnprintf()
g_strdup_printf() -> ws_strdup_printf()
g_strdup_vprintf() -> ws_strdup_vprintf()
This is more portable, user-friendly and faster on platforms
where GLib does not like the native I/O.
Adjust the format string to use macros from intypes.h.
|
|
|
|
|
|
|
|
|
