Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
It's in other such lists.
Update some comments while we're at it.
Fixes #19565.
|
|
Update the functions that get an interface name or description
to also take the section number in the record (0 if not present).
Store a mapping of SHB number and interface number to global
interface number, and provide a function to access it. Use the
function to display the correct interface name and description
when there are multiple SHBs.
Use this information to rewrite interface numbers when writing a
pcapng file through wtap dumper, since we don't write additional
SHBs to a file when dumping. We could, but we'd have to store
exactly when to write the extra SHB when reading the file in
sequentially (unlike the other internal blocks, IDB, NRB, and
DSBs, that we intentionally move to the start.)
Since we're changing the number of sections, perhaps we should edit
the SHB options more?
Merging handles interface numbers in its own manner, but also needs
to know about the per-SHB interface ID to global ID mapping when
doing so.
Capinfos and capture file properties still require a bit more work
for proper output.
Fix #16531, fix #18049
|
|
Add a wiretap implementation for EGNOS Message Server (EMS) files.
|
|
In packet-sysdig-event.c:
- Use wiretap's pcapng block type definitions.
- Simplify calling the sinsp dissector handle and call it for both
syscalls and plugin events.
In the Falco bridge plugin:
- Add support for dissecting enriched syscall data.
In wiretap:
- Use "meta event" instead of "Sysdig meta event"; we might want
to retain other meta event data.
- Remove the meta event callback code since we're not using it.
|
|
Using stuff from ws_assert.h doesn't include using wslog.h; ws_assert.h
uses things from wslog.h, but it also includes wslog.h.
|
|
Add support for Sysdig meta events. In file-pcapng.c, use the blocks
defined in pcapng_module.h and expand the block name list.
|
|
Add WTAP_TSPREC_ values for the new precisions, and rename the 1/10
second and 1/100 second values to match the style used for the new ones,
with additional WTAP_TSPREC_DSEC and WTAP_TSPREC_CSEC defines for
backwards compatibility. Switch to those new ones in existing files.
For NetMon, use WTAP_TSPREC_100_NSEC for the 2.3 version of the file
format and WTAP_TSPREC_USEC for previous 2.x versions. Get rid of code
that would have handled 3.x and later formats, as 1) those formats were
never created, 2) the code that was there wouldn't have worked if the
format were different enough, and 3) we didn't support them when reading
in any case.
Regenerate the introspection enums.
|
|
They are not used, and, if filled in, become one more place to worry
about "is this out of sync"?
This whole mechanism of maintaining three lists of information about
capture file types needs to be cleaned up; the biggest problem is that the
open_info array currently needs a lot of hand curation to make sure that
the weak AF heuristics (I'm looking at *you*, .vwr raw capture reader!)
are run as late as possible.
|
|
Give more details, update to reflect reality, etc.
|
|
Add detailed comments for some routines in wiretap/wtap.h.
Fix other comments there to reflect reality.
Shuffle all the routines that are used to get extension lists for file
open dialogs, and to free those lists, together.
(Yes, it's confusing that we have three tables, all with extensions.
This should be cleaned up.)
|
|
Add .scap in a couple of places as an extension for pcapng files.
|
|
Add a routine to generate a dummy IDB from a packet record.
When pcapng is writing enhanced packet blocks and the source
doesn't provide an interface id, search through the list of
interface ids for a match. If there isn't one, generate a new
one and use it.
This allows pcapng to write per-packet encapsulation when the
source doesn't provide IDBs.
|
|
We have two different places for "generate an IDB given an
encapsulation, timestamp precision, and snap length", one used
by wtap dumper and one used when reading files.
Have a common static function, filled in with the appropriate parts
of the wtap struct or wtap_dump_params struct.
|
|
MPEG files register ".mpeg" as their preferred extension, but
don't actually add that to the list used in the file open dialog
for filtering, nor to the list of extensions used for heuristics.
MPEG2 TS adds ".mp2t" to the list of extensions used for filtering,
but not to the list used for heuristics.
Fix those.
|
|
Add a wiretap file format reader to read rtpdump files.
Generates "Exported PDU" data from the header of the rtpdump
file.
Add MIME file format read support for rtpdump files.
Change the default extension for exporting rtpdump files to '*.rtp' as
per the rtptools project's recommendation.
Wireshark generates rtpdump files slightly differently from how rtpdump
itself works. Both the wiretap reader and the MIME reader examine the
text and binary headers to determine the most appropriate presentation
of information to the user.
|
|
For writing capture files, increment `wdh->bytes_dumped` within
`wtap_dump_file_write()` so the caller doesn't have to manually track
it. Fixes the most common case of writing a file in sequence, leaving
the code clearer.
A small number of file formats effectively leave the header blank, write
the packets, then seek back up to the header to fill it in. In such
cases, save `wdh->bytes_dumped` before filling in the header and restore
it once done, so the value doesn't double-count the size of the header.
|
|
That indicates that it's a *per-file* encapsulation, not just some
unspecified type of encapsulation such as per-packet or per-interface.
|
|
wtap_dump_file_encap_type() could be read as indicating that, given a
handle for an encapsulation type, it returns the encapsulation type for
the file being written, rather than, given a list of encapsulation
types, returning the encapsulation type that would be required for all
of those types, which is what it does.
Rename it to wtap_dump_required_file_encap_type().
|
|
|
|
WTAP_ENCAP_UNKNOWN is used for two different cases:
1. Encapsulation type values that are unsupported by libwiretap or
bogus values (and thus "unknown" to libwiretap).
2. An initial state where the encapsulation type is "not yet" known
for a file type like pcapng without a single encapsulation type in the
header, before any packets or interfaces that set the encapsulation type
have been read. (If the file has no packets, this may be the value after
the file is entirely read in.) This can be the value when an output file
is written out simultaneously with reading an input file, rather than
reading the entire input file first, and, e.g., there is a custom block
before any IDBs.
The first case can never be handled when writing out a file, but the
second case can possibly be handled, so long as (for pcapng) IDBs
are available to write when they become necessary, or (for file
types like pcap with a single link-layer type in the header) the
writer waits until a link-layer type is seen to create the output
header. (It is possible, of course, that writing would fail in the
middle if an unsupported encapsulation type appears, or if the
encapsulation becomes per-packet for file types that don't support that,
but that is an unavoidable risk when writing without reading the entire
input file(s).)
Introduce WTAP_ENCAP_NONE for the second case, and use it for pcapng,
where we guarantee that any necessary IDBs will be passed along.
Continue to use WTAP_ENCAP_UNKNOWN for the first case.
Allow pcapng files to open a file for writing with WTAP_ENCAP_NONE.
There are some other file types that support per-packet link-types,
and could also use WTAP_ENCAP_NONE, but they require more work to
generate IDBs. (Note that all of them currently are impossible to
write to pcapng when they have multiple encapsulations, even if
the encapsulations are all supported by pcapng, because they don't
properly generate IDBs.)
Remove the workaround in ef43fd48b4f981392a0c61b5e9a804e8f9c85eb4
for tshark writing to pcapng when the source file is WTAP_ENCAP_UNKNOWN,
since now such files will be WTAP_ENCAP_NONE and work properly (and
also work in editcap, mergecap, etc.)
Along with 8cddc32d35e36d9962495c3d4358842ea88aac41, fix #18449.
|
|
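The deferred-header approach the commit above describes for formats with a single link-layer type in the header, as an added C illustration (not libwiretap code; `ENCAP_NONE`, `dumper_write` and the other names are this example's own, standing in for the WTAP_ENCAP_NONE idea): the dumper starts with its encapsulation "not yet known", writes the 24-byte pcap file header only when the first record reveals the link type, and refuses a later record with a different link type, since pcap cannot express per-packet encapsulation. The records and buffer are constructed in-memory sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libwiretap code: a pcap-style dumper whose output encapsulation
 * is "not yet known" (the WTAP_ENCAP_NONE idea; ENCAP_NONE here is this example's
 * own name) until the first record arrives. pcap carries one link-layer type in its
 * 24-byte file header, so the header is deferred until that record, and a later
 * record with a different link type is a hard failure: the format cannot express
 * per-packet encapsulation. */
#define ENCAP_NONE (-1)
#define PCAP_MAGIC_NSEC 0xA1B23C4DU     /* nanosecond-resolution pcap */

struct dumper {
    int encap;                          /* ENCAP_NONE until the first record is written */
    uint8_t *out; size_t cap, len;      /* in-memory "file" */
    unsigned records;
};

static void put32(uint8_t *b, uint32_t v) { for (int i = 0; i < 4; i++) b[i] = (uint8_t)(v >> 8 * i); }
static int emit(struct dumper *d, const uint8_t *p, size_t n) {
    if (d->len + n > d->cap) return -1;
    memcpy(d->out + d->len, p, n); d->len += n; return 0;
}

void dumper_init(struct dumper *d, uint8_t *buf, size_t cap) {
    d->encap = ENCAP_NONE; d->out = buf; d->cap = cap; d->len = 0; d->records = 0;
}

/* Write one record; 0 on success, -1 if the link type conflicts with the one already
 * committed to the file header, or the buffer is full. */
int dumper_write(struct dumper *d, int linktype, uint32_t ts_sec, uint32_t ts_nsec,
                 const uint8_t *pkt, uint32_t caplen, uint32_t origlen)
{
    if (d->encap == ENCAP_NONE) {       /* first record: the link type is known now */
        uint8_t h[24] = {0};
        put32(h, PCAP_MAGIC_NSEC); h[4] = 2; h[6] = 4;                  /* version 2.4 */
        put32(h + 16, 262144); put32(h + 20, (uint32_t)linktype);      /* snaplen, linktype */
        if (emit(d, h, sizeof h) < 0) return -1;
        d->encap = linktype;
    } else if (linktype != d->encap) {
        return -1;                      /* per-packet encapsulation: pcap cannot represent it */
    }
    uint8_t rh[16];
    put32(rh, ts_sec); put32(rh + 4, ts_nsec); put32(rh + 8, caplen); put32(rh + 12, origlen);
    if (emit(d, rh, sizeof rh) < 0 || emit(d, pkt, caplen) < 0) return -1;
    d->records++;
    return 0;
}

/* Constructed scenario: nothing is written before the first record; two Ethernet
 * records are accepted; a raw-IP record must be refused. Returns the number of
 * records accepted, or -1 if the dumper misbehaved. */
int scenario(void) {
    static uint8_t buf[256];
    static const uint8_t eth[14] = {0};
    static const uint8_t ip[20] = {0x45};
    struct dumper d;
    dumper_init(&d, buf, sizeof buf);
    if (d.len != 0) return -1;                                             /* header deferred */
    if (dumper_write(&d, 1, 1700000000, 0, eth, 14, 14) < 0) return -1;     /* LINKTYPE_ETHERNET */
    if (d.len != 24 + 16 + 14 || buf[20] != 1) return -1;                   /* header now written */
    if (dumper_write(&d, 1, 1700000000, 500, eth, 14, 14) < 0) return -1;
    if (dumper_write(&d, 101, 1700000001, 0, ip, 20, 20) == 0) return -1;   /* LINKTYPE_RAW refused */
    return (int)d.records;
}

int main(void) { printf("records accepted before the link type changed: %d\n", scenario()); return 0; }
```

A pcapng writer in the same situation would instead emit a new IDB for the raw-IP record and carry on, which is why the commit can let pcapng open a dump with WTAP_ENCAP_NONE while single-link-type formats still need the first record before their header can be written.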
Use a pointer to the growing array of NRBs from the source
file, as with DSBs, so as to handle reading NRBs in the middle
of a file in one-pass mode.
Write NRBs when reading a file with editcap, or in tshark when
not dissecting packets and writing our own NRB. Continue not
to write the NRB if we're supplying our own list of address info
instead.
If we have already read the entire source file in (such as in
two-pass tshark), move all the NRBs to the beginning of the file
before packets, as done with DSBs.
When merging files with mergecap, write both sets of NRBs. (There
is no attempt to merge the NRBs by looking for common entries.)
Check for name resolution data in the middle of dumping a file,
not just at the end, and check for DSBs at the end of a file,
after all the packets. This means that Wireshark no longer writes
the NRB at the very end of the file after all the packets (which
is worse for future one-pass reads), and DSBs after all packets
are preserved.
Ping #15502
|
|
|
|
This patch allows Wireshark to open DLT files directly.
|
|
Rename the following build targets, similar to the recent macOS target
name changes:
nsis_package_prep to wireshark_nsis_prep
nsis_package to wireshark_nsis
Rename some NSIS files to reflect that they're specific to Wireshark.
Update the documentation and CI configurations.
|
|
If we do a save with copy, so that we just copied the binary
file, everything in the wtap structure should be the same except
for the filename and the file descriptors, so just change that
instead of closing wtap and reopening it.
The current behavior of calling wtap_open_offline does not work
for files that have blocks (SHBs, IDBs, NRBs, DSBs, ISBs, etc.) in
the middle of the file instead of at the beginning, but we shouldn't
have to waste time rescanning the entire file either.
In the case where a specific file format reader was manually selected,
this will keep the same file format as selected instead of switching to
the auto-detection when opening the copy, just as SAVE_WITH_MOVE already
does and presumably what the user wants.
Update wtap_fdreopen to change the wtap struct's pathname if
wtap_fdreopen is called with a different filename than currently.
Fix #17472
|
|
The Ixia IxVeriWave .vwr file reader's heuristics matched a journal file
here, so place the systemd journal before it in the list.
|
|
Wireshark's file formats are now listed in WiresharkInfo.plist.in.
|
|
This allows the "needs to be reloaded" indication to be set in the close
process, as is the case for ERF; having a routine that returns the value
of that indication is not useful if it gets set in the close process,
as the handle for the wtap_dumper is no longer valid after
wtap_dump_close() finishes.
We also get rid of wtap_dump_get_needs_reload(), as callers should get
that information via the added argument to wtap_dump_close().
Fixes #17989.
|
|
|
|
|
|
Use macros from inttypes.h.
|
|
In wtap_dump_init_dumper(), when constructing a dummy IDB for files
that don't have one, if the tsprecision value is anything other than
the default, then the OPT_IDB_TSRESOL option also needs to be set.
Without it, for a pcapng the timestamps will be written according to the
tsprecision and time_units_per_second values, but when it is read,
the values will be interpreted incorrectly.
It would probably be better if the consistency of these values were enforced.
|
|
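The two mechanisms described in the commits above (per-section interface numbering when a file has several SHBs, and honouring if_tsresol when timestamps are interpreted) as one added C illustration that is not libwiretap code: it walks a constructed little-endian pcapng byte stream, maps each EPB's section-relative interface ID to a global interface number, and shows what goes wrong when an IDB whose packets were stamped in nanoseconds omits if_tsresol (the reader falls back to the microsecond default and the seconds value is off by a factor of 1000). Block and option codes are pcapng's own; every function, struct and the sample stream are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libwiretap code: a little-endian pcapng walker that numbers
 * IDBs globally across Section Header Blocks (an EPB's interface ID is relative to
 * the IDBs of its own section) and scales EPB timestamps by the IDB's if_tsresol,
 * defaulting to microseconds when the option is absent. Codes are pcapng's own. */
#define BT_SHB 0x0A0D0D0AU
#define BT_IDB 1U
#define BT_EPB 6U
#define OPT_ENDOFOPT 0
#define OPT_IF_TSRESOL 9

struct iface  { int section; uint32_t local_id; uint8_t tsresol; };
struct pkt    { int global_iface; uint64_t sec; uint32_t nsec; };
struct result { int n_sections, n_ifaces, n_pkts; struct iface ifaces[8]; struct pkt pkts[8]; };
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* if_tsresol: high bit clear means 10^-n seconds, high bit set means 2^-n seconds. */
static void ts_split(uint64_t ts, uint8_t tsresol, uint64_t *sec, uint32_t *nsec) {
    uint64_t units = 1;
    if (tsresol & 0x80) units = (uint64_t)1 << (tsresol & 0x7f);
    else for (int i = 0; i < tsresol; i++) units *= 10;
    *sec  = ts / units;
    *nsec = (uint32_t)((ts % units) * 1000000000ULL / units);   /* exact for n <= 9 */
}
/* (section, per-section interface ID) -> global interface number, or -1. */
static int find_global(const struct result *r, int section, uint32_t local_id) {
    for (int i = 0; i < r->n_ifaces; i++)
        if (r->ifaces[i].section == section && r->ifaces[i].local_id == local_id) return i;
    return -1;
}

/* Walk the block stream; returns 0, or -1 on a malformed or dangling block. */
static int walk(const uint8_t *buf, size_t len, struct result *r) {
    uint32_t local_ifaces = 0;                  /* IDB counter within the current section */
    memset(r, 0, sizeof *r);
    for (size_t off = 0; off + 12 <= len; ) {
        uint32_t type = rd32(buf + off), blen = rd32(buf + off + 4);
        if (blen < 12 || blen % 4 || off + blen > len || rd32(buf + off + blen - 4) != blen) return -1;
        const uint8_t *body = buf + off + 8; uint32_t body_len = blen - 12;
        if (type == BT_SHB) {
            if (body_len < 16 || rd32(body) != 0x1A2B3C4DU) return -1;  /* little-endian only */
            r->n_sections++; local_ifaces = 0;  /* interface IDs restart at 0 in every section */
        } else if (type == BT_IDB) {
            if (body_len < 8 || r->n_sections == 0 || r->n_ifaces == 8) return -1;
            struct iface *ifc = &r->ifaces[r->n_ifaces++];
            ifc->section = r->n_sections - 1; ifc->local_id = local_ifaces++;
            ifc->tsresol = 6;                   /* pcapng default: microseconds */
            for (uint32_t o = 8; o + 4 <= body_len; ) {
                uint16_t code = rd16(body + o), olen = rd16(body + o + 2);
                if (code == OPT_ENDOFOPT) break;
                if (o + 4 + olen > body_len) return -1;
                if (code == OPT_IF_TSRESOL && olen == 1) ifc->tsresol = body[o + 4];
                o += 4 + ((olen + 3u) & ~3u);   /* option values are padded to 32 bits */
            }
        } else if (type == BT_EPB) {
            if (body_len < 20 || r->n_pkts == 8) return -1;
            int g = find_global(r, r->n_sections - 1, rd32(body));
            if (g < 0) return -1;               /* EPB names an IDB its section never declared */
            struct pkt *p = &r->pkts[r->n_pkts++]; p->global_iface = g;
            ts_split((uint64_t)rd32(body + 4) << 32 | rd32(body + 8), r->ifaces[g].tsresol, &p->sec, &p->nsec);
        }
        off += blen;
    }
    return 0;
}

/* Constructed sample input: minimal little-endian block writers. */
static size_t put32(uint8_t *b, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) b[o + i] = (uint8_t)(v >> 8 * i); return o + 4; }
static size_t put16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); return o + 2; }
static size_t shb(uint8_t *b, size_t o) {                /* 28 bytes: magic, v1.0, unknown section length */
    o = put32(b, o, BT_SHB); o = put32(b, o, 28); o = put32(b, o, 0x1A2B3C4DU); o = put16(b, o, 1); o = put16(b, o, 0);
    o = put32(b, o, ~0U); o = put32(b, o, ~0U); return put32(b, o, 28);
}
static size_t idb(uint8_t *b, size_t o, int tsresol) {   /* LINKTYPE_ETHERNET; tsresol < 0 omits if_tsresol */
    uint32_t blen = tsresol < 0 ? 20 : 32;
    o = put32(b, o, BT_IDB); o = put32(b, o, blen); o = put16(b, o, 1); o = put16(b, o, 0); o = put32(b, o, 65535);
    if (tsresol >= 0) {                                  /* code 9, len 1, value + 3 pad bytes, opt_endofopt */
        o = put16(b, o, OPT_IF_TSRESOL); o = put16(b, o, 1); o = put32(b, o, (uint8_t)tsresol); o = put32(b, o, 0);
    }
    return put32(b, o, blen);
}
static size_t epb(uint8_t *b, size_t o, uint32_t iface, uint64_t ts) {   /* 4 payload bytes */
    o = put32(b, o, BT_EPB); o = put32(b, o, 36); o = put32(b, o, iface);
    o = put32(b, o, (uint32_t)(ts >> 32)); o = put32(b, o, (uint32_t)ts);
    o = put32(b, o, 4); o = put32(b, o, 4); o = put32(b, o, 0xDEADBEEFU); return put32(b, o, 36);
}

/* Two sections with one Ethernet IDB each. Section 1's packet was stamped in
 * nanoseconds; declare_tsresol says whether its IDB carries if_tsresol = 9. */
int parse_sample(int declare_tsresol, struct result *r) {
    uint8_t buf[256];
    size_t o = shb(buf, 0);
    o = idb(buf, o, -1); o = epb(buf, o, 0, 1700000000123456ULL);        /* section 0, iface 0: 10^-6 */
    o = shb(buf, o);
    o = idb(buf, o, declare_tsresol ? 9 : -1); o = epb(buf, o, 0, 1700000000123456789ULL);  /* section 1, iface 0 */
    return walk(buf, o, r);
}
int main(void) { struct result r; return parse_sample(1, &r) == 0 && r.pkts[1].global_iface == 1 && r.pkts[1].nsec == 123456789U ? 0 : 1; }
```

parse_sample(1, &r) is the well-formed case: the second section's packet refers to its own interface 0, which becomes global interface 1, and its timestamp comes back as 1700000000.123456789. parse_sample(0, &r) reproduces the mismatch the commit describes: the same nanosecond count read with the microsecond default yields 1700000000123 seconds. A real reader would additionally have to handle big-endian sections and the remaining block types.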
|
|
Support reloading a Lua FileHandler when this is in use for a
loaded capture file. Prompt to save the file if having unsaved
changes because the file must be reloaded.
Fixes #17615
|
|
The file type/subtype for built-in types are <=
wtap_num_builtin_file_types_subtypes - the plugin types are given
type/subtype values after the last built-in type/subtype value.
Fixes #17614.
|
|
This patch adds first support for the BLF file format.
|
|
|
|
|
|
|
|
Most of the time, the return value tells us nothing useful, as we've
already decided that we're perfectly willing to live with string
truncation. Hopefully this keeps Coverity from whining that those
routines could return an error code (NARRATOR: They don't) and thus that
we're ignoring the possibility of failure (as indicated, we've already
decided that we can live with string truncation, so truncation is *NOT*
a failure).
|
|
|
|
Only a tiny amount of code outside libwiretap needs to know about
pcap/pcapng LINKTYPE_ values, and all that code needs to know is, for a
given LINKTYPE_ value, what the corresponding WTAP_ENCAP_ value is.
Nothing should need to know, for a given WTAP_ENCAP_ value, what its
LINKTYPE_ value is.
Make it the case that nothing *does* need to know, for a given
WTAP_ENCAP_ value, what its LINKTYPE_ value is. Export
wtap_dump_can_write_encap() and use *that*, in the "import hex dump"
code, to determine what formats can be written to a pcap file.
|
|
Name the source to the code to read Observer files after the file
format, not the company that created it, got bought by JDSU, and then
ended up in Viavi when JDSU split.
Refer to the file format as "Viavi Observer" to reflect that.
|
|
Let individual file type/subtype modules register their
backwards-compatibility names, rather than having a centralized table
that would need to be updated along with the module.
|
|
JDSU bought Network Instruments, and then split into Viavi and Lumentum,
with Viavi getting Observer.
|
|
And get rid of the entry for that type in the table of type/subtypes.
|
|
Check to make sure the value is non-negative and less than the number of
file type/subtypes.
Make it clearer that one check is unnecessary:
* pull wtap_dump_open_check() into wtap_dump_init_dumper(), so it's
clear that wtap_dump_init_dumper() ensures the validity of the file
type/subtype value early on (wtap_dump_can_open() fails if it's not
valid);
* pull wtap_dump_alloc_wdh() into wtap_dump_init_dumper(), so that the
allocation and all the initialization is done there - that makes it clear
that it sets the file_type_subtype member of the wtap_dumper structure
before wtap_dump_init_dumper() returns;
* have wtap_dump_open_finish() use that value rather than being passed
the type/subtype value explicitly, so it's clear that it's dealing with
a validated value.
|
|
It only registers one file type/subtype, so rename it to
wtap_register_file_type_subtype().
That will also force plugins to be recompiled; that will produce compile
errors for some plugins that didn't change to match the new contents of
the file_type_subtype_info structure.
Also check to make sure that the registered file type/subtype supports
at least one type of block; a file type/subtype that doesn't return
*any* blocks and doesn't permit *any* block types to be written is not
very useful. That should also catch most if not all other plugins that
didn't change to match the new contents of the file_type_subtype_info
structure.
Don't make errors registering a file type/subtype fatal; just complain,
don't register the bogus file type/subtype, and drive on.
|
|
Register the pcap and pcapng file types/subtypes rather than hardwiring
them into the table.
Call the registration routines for them directly, rather than through a
generated table; they're always supposed to be there, as some code in
Wireshark either writes only one of those formats or defaults to writing
one of those formats. Don't run their source code through the
registration-routine-finder script.
Have the file type/subtype codes for them be directly exported to the
libwiretap core, and provide routines to return each of them, to be used
by the aforementioned code.
When reporting errors with cfile_write_failure_message(), use
wtap_dump_file_type_subtype() to get the file type/subtype value for the
wtap_dumper to which we're writing, rather than hardcoding it.
Have the "export PDU" code capable of supporting arbitrary file
types/subtypes, although we currently only use pcapng.
Get rid of declarations of now-static can_write_encap and
dump_open routines in various headers.
|