Age | Commit message | Author | Files | Lines |
|
Add REC_TYPE_SYSCALL to wiretap and use it for Sysdig events. Call the
Sysdig event dissector from the frame dissector. Create a "syscall"
protocol for system calls, but add "frame" items to it for now.
Add the ability to write Sysdig events. This lets us merge packet
capture and syscall capture files.
Change-Id: I12774ec69c89d8e329b6130c67f29aade4e3d778
Reviewed-on: https://code.wireshark.org/review/15078
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
That's not "the biggest record we're willing to write", it's "the
biggest record the pcapng format supports, as the record length is a
16-bit field".
Change-Id: Icbd5e0cc4ed8e2a3a0d474245a9b9ed2c999d520
Reviewed-on: https://code.wireshark.org/review/15818
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(cherry picked from commit 09de28933f9a17d4472206e1ac4b7c92001e44f5)
Reviewed-on: https://code.wireshark.org/review/15820
|
|
The IPv6 comments gave more details.
Change-Id: I4e4d865feadbabfd625cdf2b2b162b99c4f23efa
Reviewed-on: https://code.wireshark.org/review/15815
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
blocks.
The data is not applied anywhere, just stored. The first Section Header block
is still the only one that is used to read a pcapng file.
Change-Id: If9546401101d2fe79b2325bacbd597b92127e86e
Reviewed-on: https://code.wireshark.org/review/15705
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Done for performance improvements.
This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.
Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
|
|
This doesn't try to use any data from multiple Name Resolution blocks, it
just converts single Name Resolution block usage into a GArray, so the
potential is there to then use/support multiple Name Resolution blocks
within a file format (like pcapng).
Change-Id: Ib0b584af0bd263f183bd6d31ba18275ab0577d0c
Reviewed-on: https://code.wireshark.org/review/15684
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
This doesn't try to use any data from multiple Section Header blocks, it
just converts single Section Header block usage into a GArray, so the
potential is there to then use/support multiple Section Header blocks
within a file format (like pcapng).
Change-Id: I6ad1f7b8daf4b1ad7ba0eb1ecf2e170421505486
Reviewed-on: https://code.wireshark.org/review/15636
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
The write functionality was too PCAPNG-specific and the intention is to
keep the option blocks as generic as possible.
So moved the write functionality back to pcapng.c and added a
wtap_opttype API to loop through all options in the block
(wtap_optionblock_foreach_option)
Change-Id: Iaf49126a1a3e2ed60ae02c52878ca22671dac335
Reviewed-on: https://code.wireshark.org/review/15525
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Also add a length parameter to wtap_optionblock_set_option_string
Change-Id: I8c7bbc48aa96b5c2a91ab9a17980928d6894f1ee
Reviewed-on: https://code.wireshark.org/review/15505
Reviewed-by: Anthony Coddington <anthony.coddington@endace.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
git/epan/dissectors/packet-a21.c:478:25: error: 'item' was marked unused but was used
[-Werror,-Wused-but-marked-unused]
proto_item_append_text(item, "%s", val_to_str_const(event_id, a21_event_vals, "Unknown"));
^
Added manual change id because file-jpeg.c forced the use of commit -n
Change-Id: Iffff53d6253758c8454d9583f0a11f317c8390cb
Reviewed-on: https://code.wireshark.org/review/14666
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
|
|
Make a more formal method for registering options within a block and do it all with a single function (wtap_optionblock_add_block).
Add ability for block to be able to write itself, refactored out of pcapng.c. This was implemented for SHB, ISB, and IDB blocks. Name resolution (NRB), while possible, seemed a little messy for the moment.
Change-Id: Ie855c8550c7c7d96cfc188c0cd90bfbc4d5f0ee8
Reviewed-on: https://code.wireshark.org/review/14357
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Bug: 12173
Change-Id: Ifff28491073d50e088b26847830a3bc8835f4282
Reviewed-on: https://code.wireshark.org/review/14180
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Bug: 12174
Change-Id: I82eb0ac75f2e03f15c2f016e9b7ff72fdc7044f5
Reviewed-on: https://code.wireshark.org/review/14179
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
If it's 0x1A2B3C4D, that means it has the same byte order as the
instruction set for which Wireshark was built[*]; if it's 0x4D3C2B1A, it
means it has the opposite byte order. (We assume no "middle-endian"
machines here; it's extremely unlikely that any of this code will ever
work on a PDP-11.)
Wireshark *does* work on big-endian machines (if there are any places
where it doesn't, those are bugs that must be fixed), so we can't assume
that "same byte order as our instruction set" means "little-endian".
[*]If, for example, you run a PowerPC binary under Rosetta, it'll act as
if big-endian is the native byte order, even though it's running on a
little-endian machine.
Change-Id: Ic438bd85c034f1fba276408ba30214d7078121d1
Reviewed-on: https://code.wireshark.org/review/14133
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Don't use the byte order from any previously-seen SHB, as it might be
different.
Bug: 12167
Change-Id: I19a81f81f2e8115938387487e2682b8b11a100fe
Reviewed-on: https://code.wireshark.org/review/14131
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
We don't need to allocate a WTAP_OPTION_BLOCK_IF_DESCR option block;
don't use the value we allocated.
We must not allocate a WTAP_OPTION_BLOCK_IF_STATS option block until we
need it, as we may have to allocate *more than one* of them here! The
old code would reuse the same block, adding it more than once, causing a
"freeing already freed data"/"freeing non-allocated data" error on some
platforms.
Change-Id: I8582627c1f5deecfd4f6490dcdf8c31ee3809d12
Reviewed-on: https://code.wireshark.org/review/14130
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
This was inspired by https://code.wireshark.org/review/9729/, but takes it in a different direction where all options are put into an array, regardless of whether they are "standard" or "custom". It should be easier to add "custom" options in this design. Some, but not all blocks have been converted.
Descriptions of some of the block options have been moved from wtap.h to pcapng.h as it seems to be the one that implements the description of the blocks.
Also what could be added/refactored is registering block behavior.
Change-Id: I3dffa38f0bb088f98749a4f97a3b7655baa4aa6a
Reviewed-on: https://code.wireshark.org/review/13667
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Include the pcapng block name in every error message to give the user a better hint as to where the error is.
Bug: 8798
Change-Id: Idd80a8541ac37a42b9bd2e988fa8da1ce7bc91a0
Reviewed-on: https://code.wireshark.org/review/13310
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
pcapng.c:461:31: warning: ISO C forbids passing argument 3 of 'g_hash_table_insert' between function pointer and 'void *' [-Wpedantic]
pcapng.c:1404:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
pcapng.c:1918:32: warning: ISO C forbids conversion of object pointer to function pointer type [-Wpedantic]
Change-Id: I535633098cc5d37442732dd92e8c9d3cda36631a
Reviewed-on: https://code.wireshark.org/review/12161
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
All trivial (unused variables, duplicate `break`s, etc).
Change-Id: Idbfffae4f6c0b0119a90ae5849de2ed7a1180c9b
Reviewed-on: https://code.wireshark.org/review/11886
Petri-Dish: Evan Huus <eapache@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
|
|
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
It doesn't actually *close* any handle, so it's best called a "finish"
routine rather than a "close" routine.
In libwiretap modules, don't bother setting the finish routine pointer
to null - it's already initialized to null (it's probably best not to
require modules to set it).
Change-Id: I19554f3fb826db495f17b36600ae36222cbc21b0
Reviewed-on: https://code.wireshark.org/review/11659
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
(And with #defines of read as _read and write as _write on Windows,
which might make structure members have surprising names if you try to
look at them in a debugger.)
Change-Id: Iaab5622cbde216d5fedd4bc014c83e4eef95f8a0
Reviewed-on: https://code.wireshark.org/review/11631
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Move the definitions of hashipv4_t and hashipv6_t to wiretap/wtap.h, as
that's the main place they're used. Change them a bit not to depend on
other stuff from libwireshark, and change the code as required by those
changes.
This should fix the Solaris build; apparently, the Sun^WOracle compiler
is generating code for static inline functions even if they're never
called, so that libwiretap ends up including code that calls tvbuff and
wmem functions.
There's probably further cleanup that could be done here, but this
should at least fix the build, as well as getting rid of a dependency
between two libraries that are at least somewhat independent (libwiretap
should *not* depend on libwireshark, as some programs use libwiretap but
not libwireshark, and, ultimately, we probably want it to be possible to
use libwireshark without libwiretap but that'd be more work).
Change-Id: I91c745282f17d7c8bff7809aa277eab2b3cf47c1
Reviewed-on: https://code.wireshark.org/review/11537
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Remove variadic macros restriction (c99, c++11 feature) from
README.developer. GCC, Clang, MSVC 2005 all support it.
Enable -Wno-variadic-macros in configure.ac and CMakeLists.txt when
-Wpedantic is enabled (which would enable -Wvariadic-macros).
For all files matching 'define\s*\w+[0-9]\(', replace "FOO[0-9]" by
"FOO" and adjust the macro definition accordingly. The nbap dissector
was regenerated after adjusting its template and .cnf file. The
generated code is the same since all files disabled the debug macros.
Discussed at:
https://www.wireshark.org/lists/wireshark-dev/201209/msg00142.html
https://www.wireshark.org/lists/wireshark-dev/201510/msg00012.html
Change-Id: I3b2e22487db817cbbaac774a592669a4f44314b2
Reviewed-on: https://code.wireshark.org/review/10781
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
If a pcapng Name Resolution Block has options, they should not screw up the
pcapng reader and cause it to fail to read the file.
Bug: 11485
Change-Id: Ic27cba937b6d93a3d9ed92522ed6b39ae2daeb8f
Reviewed-on: https://code.wireshark.org/review/10307
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
Per the spec, it's always encoded in network order (4 separate bytes), and
thus should not be swapped on read.
Bug: 11484
Change-Id: I6a650896b324f42bfd2e05759c84e87ace733372
Reviewed-on: https://code.wireshark.org/review/10304
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
An IDB snaplen of 0 means no limit, so a Simple Packet Block's capture
length should be the same as its encoded packet length in such a case.
Bug: 11483
Change-Id: I8856d6c6a669a0048ea64b3adbd23c37a598431d
Reviewed-on: https://code.wireshark.org/review/10303
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
*Especially* don't stuff the amount of remaining data in a block into an
int that will then be passed to file_skip() as an amount to skip ahead,
as a Really Large Value will turn into a negative value and produce
various forms of bizarre and tricky-to-debug behavior.
Change-Id: I4d0a6b36fe50df84925690ad688a3ab0433ceb17
Reviewed-on: https://code.wireshark.org/review/10299
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: I33faa41e8b0f36ee49d29fe391feafd94d0a7e80
Reviewed-on: https://code.wireshark.org/review/10245
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Bug: 11455
Change-Id: Ic99ff1bcd7dad65b3ade5a9f46ce0f64573cb059
Reviewed-on: https://code.wireshark.org/review/10147
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
Bug: 11447
Change-Id: I5fe14616ed6e86e0bfe02c58cc9fb31e43bc23ef
Reviewed-on: https://code.wireshark.org/review/10071
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
If a host name is *so* long that an entry for it won't fit in a
65535-byte Name Resolution Block record, ignore the entry for that host.
Use more appropriate data types (guint32 for sizes that are 32-bit
unsigned integers, guint16 for the host name length as it'd better fit
in 16 bits).
Clean up some comments.
Remove a _U_ that's applied to a variable that *is* used.
Change-Id: I153d5aa885105149c62a5e5d2b78b54cf6ed7b4e
Reviewed-on: https://code.wireshark.org/review/9917
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
32-bit value
Change-Id: Ie796cee755470bea0416b46ff8ff6a94cd8d93d3
Reviewed-on: https://code.wireshark.org/review/9896
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Make pcapng decode options in an NRB during read, and store the comment
option, and write it back out as well. Also make it handle plugin handlers
for unknown options in received NRB(s).
Change-Id: I81863ef8d85cb1c8b5ba6673ba0e562efe77714f
Reviewed-on: https://code.wireshark.org/review/9723
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Clean up some pcapng.c comments, defines, etc.
Change-Id: Id854c6ef033eb8cb99175ba62aa8733e21433463
Reviewed-on: https://code.wireshark.org/review/9698
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
Change-Id: I4667fd4091c510a4c798f79dae333a07dc42dad6
Reviewed-on: https://code.wireshark.org/review/8880
Reviewed-by: Bill Meier <wmeier@newsguy.com>
|
|
It points to an array of bytes, not a character string.
Add some casts to squelch other Sun/Oracle C warnings.
Clean up some comments while we're at it.
Change-Id: Id0908178cb00d537e95569b9ce6f745c8fd6d716
Reviewed-on: https://code.wireshark.org/review/8369
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Most of our sites are now HTTPS-only. Update URLs accordingly. Update
other URLs while we're at it. Remove or comment out dead links.
Change-Id: I7c4f323e6585d22760bb90bf28fc0faa6b893a33
Reviewed-on: https://code.wireshark.org/review/7621
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
Due to an off-by-one error an invalid ISB interface ID could make us
fetch past the end of a GArray. Found using American Fuzzy Lop.
Bug: 10895
Change-Id: I7d4049ad7a386ae7e8013b8e741d54a31f353f1f
Reviewed-on: https://code.wireshark.org/review/6798
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
Change-Id: I10d3057801673bc1c8ea78f144215869cc4b1851
Reviewed-on: https://code.wireshark.org/review/6217
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
|
|
Change-Id: I117c007c0a8be573bb3069fc44a490e6e5d2fef8
Reviewed-on: https://code.wireshark.org/review/6167
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
That indicates that it's a problem specific to *writing* capture files;
we've already converted some errors to that style, and added a new one
in that style.
Change-Id: I8268316fd8b1a9e301bf09ae970b4b1fbcb35c9d
Reviewed-on: https://code.wireshark.org/review/5826
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
For cases where record (meta)data is something that can't be written out
in a particular file format, return WTAP_ERR_UNWRITABLE_REC_DATA along
with an err_info string.
Report (and free) that err_info string in cases where
WTAP_ERR_UNWRITABLE_REC_DATA is returned.
Clean up some other error reporting cases, and flag with an XXX some
cases where we aren't reporting errors at all, while we're at it.
Change-Id: I91d02093af0d42c24ec4634c2c773b30f3d39ab3
Reviewed-on: https://code.wireshark.org/review/5823
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: Icc5c9cff43be6c073f0467607555fa7138c5d074
Reviewed-on: https://code.wireshark.org/review/5797
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
pcapng_read_block() never sets *err_info if it returns
PCAPNG_BLOCK_NOT_SHB - that happens on an EOF, a short read, or on a
successful read of something that doesn't look like an SHB.
Change-Id: I23ad6aa1c95d800b068a798a4aad1d70d07ac281
Reviewed-on: https://code.wireshark.org/review/5686
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
We only create hash tables if somebody puts a handler in one, so we need
to check whether the hash table exists first, to avoid run-time warnings.
Change-Id: I739d2d808935e651b11bd44b258f168a42ca4b7c
Reviewed-on: https://code.wireshark.org/review/5683
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: Ib79bb30e67dacdda2e87f39438c4a836632d55bd
Reviewed-on: https://code.wireshark.org/review/5552
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: Ic904f9b8551353192e872cb896f198572da83e27
Reviewed-on: https://code.wireshark.org/review/5551
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|