Age | Commit message (Collapse) | Author | Files | Lines |
|
the mplog format is used by some commercial logging tools that capture
ISO 14443 traffic between a card reader and a contactless smartcard
Change-Id: If359b8f0f671eb2a7c6315e2b8960a5bd581a9e9
Reviewed-on: https://code.wireshark.org/review/14950
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
|
|
Bug: 12279
Change-Id: Ib6c54f8b86d95c5546bc800749f124cd0dbb8ff0
Reviewed-on: https://code.wireshark.org/review/14585
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
This was inspired by https://code.wireshark.org/review/9729/, but takes it in a different direction where all options are put into an array, regardless of whether they are "standard" or "custom". It should be easier to add "custom" options in this design. Some, but not all blocks have been converted.
Descriptions of some of the block options have been moved from wtap.h to pcapng.h as it seems to be the one that implements the description of the blocks.
Also what could be added/refactored is registering block behavior.
Change-Id: I3dffa38f0bb088f98749a4f97a3b7655baa4aa6a
Reviewed-on: https://code.wireshark.org/review/13667
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
(There's also work needed in libpcap; that's also in progress.)
Change-Id: Iff5a34c139a000865e2d78cc17a4af5ff24fb44b
Reviewed-on: https://code.wireshark.org/review/14025
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
DO NOT USE THIS FOR ANYTHING NEW.
Change-Id: Iee2ddaa2eeb735b33aef9e81b32bb4a3535e3451
Reviewed-on: https://code.wireshark.org/review/14023
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
It doesn't correspond to anything we support - and the old Linux USB
LINKTYPE_ value of 186 doesn't give enough information to dissect the
packets (it discards the event type, for example), so we drop the rest
of our support for it as well.
Change-Id: I6f537d9263174aba4320edf5140e1d1540e979c8
Reviewed-on: https://code.wireshark.org/review/14020
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: I338e7fb60ff62d1d26ca0b32468ada4294d52d8d
Reviewed-on: https://code.wireshark.org/review/13594
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
I guess the ability to define a structure inside another structure is a
C-ism discarded by C++, so it causes warnings if you disallow stuff that
can't be handled by a C++ compiler, as we do.
Change-Id: I8cf52af0424708eb663ab6dbfecbf317fe3bccdb
Reviewed-on: https://code.wireshark.org/review/13257
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
The data before the Ethernet packet isn't a 16-bit little-endian
integer, it's two bytes, one byte of offset and one byte of padding.
Change-Id: I327b88f058dda184b79d3c2c6cf0dea52c0d28b1
Reviewed-on: https://code.wireshark.org/review/13254
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
That's how they're extracted in the libwiretap module, and that's how
they're shown in the ERF spec.
This gets rid of some compiler warnings about type-punning.
Merge some reserved bit fields to match what's in the ERF spec.
Renumber others.
Process the AAL2 and MC headers differently; yes, they're both
big-endian 32-bit values, but that makes the code a bit clearer, and,
heck, the optimizer may well combine the two sequences of code.
Change-Id: Ief7f976e77e8f2fba1685ad5a50ee677a8070ae7
Reviewed-on: https://code.wireshark.org/review/13251
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Add support for Generic Framing Procedure. Generic Framing Procedure (GFP)
is used to map octet-aligned variable length payloads (e.g. Ethernet, MPLS,
octet-aligned PPP, IP) into octet-synchronous signals such as SONET/SDH
(ITU-T G.707) and OTN (ITU-T G.709). GFP is a telecommunications industry
standard defined in ITU-T G.7041/Y.1303.
(https://www.itu.int/rec/T-REC-G.7041/)
Bug: 11961
Change-Id: Idf5b311e82b051b1ee65bde5149b3de405537b02
Reviewed-on: https://code.wireshark.org/review/13043
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
The use of a flag field here is aesthetically unpleasing when the flags
are referred to frequently. Convert these into bitfield entries.
Change-Id: I6f47e31558439dfd343ec7f856d04480366a1237
Reviewed-on: https://code.wireshark.org/review/12511
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Process it in libwiretap; no need to hand it to libwireshark for
dissection, it can just dissect the radio information pseudo-header with
the processed information.
Change-Id: I482697947eecbd3967cf1910ba2fa2bff805cd66
Reviewed-on: https://code.wireshark.org/review/12202
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
add DLT_ISO14443 to pcap_to_wtap_map[]
define WTAP_ENCAP_ISO14443, link it to the iso14443 dissector
Change-Id: Id837197c4d66071094f9336d60db36a371424807
Reviewed-on: https://code.wireshark.org/review/11959
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
It includes the temporary-file generation, so you don't have to do it
yourself.
Change-Id: I0798df95a5c5646224ec49612f50b423ed78547a
Reviewed-on: https://code.wireshark.org/review/11751
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
Have a "this is stdout" flag for a wtap_dumper, and have "open the
standard output for dumping" routines that set that flag. When closing
a wtap_dumper, do most of the work regardless of whether we're writing
to the standard output or not (so that everything gets written out) and
only skip the closing of the underlying file descriptor.
Change-Id: I9f7e4d142b3bd598055d806b7ded1cb4c378de8e
Reviewed-on: https://code.wireshark.org/review/11673
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Move the definitions of hashipv4_t and hashipv6_t to wiretap/wtap.h, as
that's the main place they're used. Change them a bit not to depend on
other stuff from libwireshark, and change the code as required by those
changes.
This should fix the Solaris build; apparently, the Sun^WOracle compiler
is generating code for static inline functions even if they're never
called, so that libwiretap ends up including code that calls tvbuff and
wmem functions.
There's probably further cleanup that could be done here, but this
should at least fix the build, as well as getting rid of a dependency
between two libraries that are at least somewhat independent (libwiretap
should *not* depend on libwireshark, as some programs use libwiretap but
not libwireshark, and, ultimately, we probably want it to be possible to
use libwireshark without libwiretap but that'd be more work).
Change-Id: I91c745282f17d7c8bff7809aa277eab2b3cf47c1
Reviewed-on: https://code.wireshark.org/review/11537
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Currently there are a lot of local hacks in the 802.11ad support and
better support can be provided.
Also add a structure to track 802.11ad (DMG) specific features in the phdr
structure as suggested by Guy Harris.
Also, respond to some suggestions by Guy Harris.
Change-Id: I8459e3986a134a08ee2e31f0158b8aa5c9b91d86
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-on: https://code.wireshark.org/review/10204
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: I6b81d3e853d503c6a81f9793957b48ab34c6808c
Reviewed-on: https://code.wireshark.org/review/10156
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Add more information about the capture file, and about the interface
descriptions in it. Also remove long-unused g_options code.
Change-Id: I93cbd70fc7b09ec1b8b2fd6c85bb885c7f749543
Reviewed-on: https://code.wireshark.org/review/10073
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Refactor the file merging code by removing the duplicate logic from mergecap.c
and file.c's cf_merge_files(), into a new merge_files() function in merge.c.
Also the following user-visible changes:
* Removed the '-T' encap type option from mergecap, as it's illogical for
mergecap and would complicate common merge code.
* Input files with IDBs of different name, speed, tsprecision, etc., will produce
an output PCAPNG file with separate IDBs, even if their encap types are the same.
* Added a '-I' IDB merge mode option for mergecap, to control how IDBs are merged.
* Changed Wireshark's drag-and-drop merging to use PCAPNG instead of PCAP.
Bug: 8795
Bug: 7381
Change-Id: Icc30d217e093d6f40114422204afd2e332834f71
Reviewed-on: https://code.wireshark.org/review/10058
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Change-Id: I8516d0c561ed0b63e49a3594027c9c15bb789258
Reviewed-on: https://code.wireshark.org/review/9726
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Make pcapng decode options in an NRB during read, and store the comment
option, and write it back out as well. Also make it handle plugin handlers
for unknown options in received NRB(s).
Change-Id: I81863ef8d85cb1c8b5ba6673ba0e562efe77714f
Reviewed-on: https://code.wireshark.org/review/9723
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
It doesn't appear to provide the FEC type, although radiotap does, so
add a flag to indicate whether we have that.
Change-Id: I298d79bc6b640ee2408c3d70075c32bf331a210c
Reviewed-on: https://code.wireshark.org/review/9533
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: I71e66a8f6faf3b213ab6db2856a36c1d31897166
Reviewed-on: https://code.wireshark.org/review/9527
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
We're already only setting it for 11b and 11g; this makes it a bit
cleaner, e.g. we don't need to say "oh, wait, we *don't* have short
preamble" for 11n and 11ac.
Change-Id: Idcf3e8c93d6a417f0319e4bd33247b98f07b6052
Reviewed-on: https://code.wireshark.org/review/9209
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
The assignment of a short to a guint8 in packet-ieee80211-radiotap.c line 1696
generates a narrowing warning.
In my reading of the spec which shows the field as 9 bits,
and looking at the hf fields for this item I think it should be a guint16.
Change-Id: Ic7785c2bfc66d72f7b1e914b1a46f32079fc99d9
Reviewed-on: https://code.wireshark.org/review/9197
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
|
|
Add more fields to the metadata to handle everything radiotap has, and
show them.
Call the FEC type field just "FEC", and have it be an integer field with
0 meaning BCC and 1 meaning LDPC, rather than a Boolean.
11ac doesn't have *an* MCS, it can have up to 4, one per user.
Label the 11ac bandwidth values the same way we do in the radiotap
dissector.
Change-Id: I2c2415baff3e5d68d49dda497980e8271d26b1f6
Reviewed-on: https://code.wireshark.org/review/9176
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Have a field that holds the PHY type but nothing else. Have
a union with structures holding PHY-type-specific information, as a
bunch of attributes are PHY-specific.
If we have a channel and band, but don't have the frequency, attempt to
calculate the frequency, and add that to the radio information if we
succeed. If we have the frequency, but don't have the channel, attempt
to calculate the channel, and add that to the radio information if we
succeed.
Handle FHSS information, 11a "half/quarter-clocked" and turbo
information, 11g normal vs. Super G, additional 11n and 11ac
information, and the "short preamble" flag for 11b and 11g.
Add a PHY type for 11 legacy DSSS and detect it if possible.
Clean up the AVS dissector - make all fields wlancap. fields (if you
want generic fields, use the wlan_radio. fields).
Set more fields when writing out Commview Wi-Fi files.
Change-Id: I691ac59f5e9e1a23779b56a65124049914b72e69
Reviewed-on: https://code.wireshark.org/review/9146
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Provide that information so that the "802.11 radio information" protocol
can indicate whether a packet was 802.11 legacy/11b/11a/11g/11n/11ac,
and possibly whether it's 2.4 GHz or 5 GHz 11n. (Sometimes the center
frequency might not be supplied, so the band information can be useful.)
Also, provide some 11ac information, now that we can distinguish between
11n and 11ac. Don't calculate the data rate from the MCS index unless
it's 11n; we don't yet have code to calculate it for 11ac.
For radiotap, only provide guard interval information for 11n and 11ac,
not for earlier standards.
Handle the 11ac flag in the Peek remote protocol.
For Peek tagged files, the "extension flags" are 11n/11ac flags, so we
don't have to check for the "MCS used" bit in order to decide that the
packet is 11n or 11ac or to decide whether to provide the "bandwidth" or
"short GI" information.
Change-Id: Ia8a1a9b11a35243ed84eb4e72c384cc77512b098
Reviewed-on: https://code.wireshark.org/review/9032
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Have dissectors of various forms of radio information headers in the
packets fill in a struct ieee_802_11_phdr with radio information as
appropriate, and call the "802.11 radio information" dissector rather
than the raw 802.11 dissector.
This means that the radio information can be found in a
protocol-independent and encapsulation-independent form when you're
looking at the packet; that information can be presented in a form
somewhat easier to read than the raw metadata header format.
It also enables having a single "radio information" tap that allows
statistics to handle all different sorts of radio information
encapsulation.
In addition, it lets us clean up some of the arguments passed to the
common 802.11 dissector routine, by having it pull that information from
the struct ieee_802_11_phdr.
Ensure that the right structure gets passed to that routine, and that
all the appropriate parts of that structure are filled in.
Rename the 802.11 radio protocol to "wlan_radio", rather than just
"radio", as it's 802.11-specific. Give all its fields "wlan_radio."
names rather than "wlan." names.
Change-Id: I78d79afece0ce0cf5fc17293c1e29596413b31c8
Reviewed-on: https://code.wireshark.org/review/8992
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Remove some unused members, and move the presence flags after the
should-always-be-set fields, right before the fields to which it
applies.
Change-Id: I8d6f08e1d3d8de0c11a9e04de4e98408d6b90693
Reviewed-on: https://code.wireshark.org/review/8972
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: Ia1fe1758998237a344889bdf8215ecfba7b871ee
Reviewed-on: https://code.wireshark.org/review/8942
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Those aren't pseudo-headers exported from libwiretap, they're just
structures corresponding to the pseudo-headers for some pcap/pcap-ng
link-layer header types.
Change-Id: Iec37cfc162b64adacdeb57e14e546bced7b673fa
Reviewed-on: https://code.wireshark.org/review/8941
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
TS 32 423(XML)
Change-Id: I37895ec35797089a32c7d1695e735046d6aa979e
Reviewed-on: https://code.wireshark.org/review/8237
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Change-Id: Ica74f3f9239a96486967cf248feb4313bc390734
Reviewed-on: https://code.wireshark.org/review/7751
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Change-Id: I9e4e6efa9f8c7dbff7627f8d5fc3278ab383618d
Reviewed-on: https://code.wireshark.org/review/7441
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
libjsmn has also been moved from epan/ to wsutil/ to make it visible from wiretap.
Change-Id: I59abb3419acb1baa83194b38152d3651ed5c123c
Bug: 10878
Reviewed-on: https://code.wireshark.org/review/6716
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
|
|
That's a little cleaner, and lets us preserve the LINKTYPE_ value for
DLT_LOOP captures. ("Preserve" here doesn't mean "write files with a
link-layer header type of 12", as that's ambiguous; we write it with a
link-layer header type of LINKTYPE_LOOP, i.e. 108. If programs on
OpenBSD don't recognize that as DLT_LOOP, that's a bug in OpenBSD's
libpcap or in the program.)
Change-Id: I48a2e04aed41c013823ffb5c588d2a8e8b376e15
Reviewed-on: https://code.wireshark.org/review/7143
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: If7a6f2697be732ae4f94ed8b845fd293c32510f7
Also: tabs-stops should be 8
Reviewed-on: https://code.wireshark.org/review/7100
Reviewed-by: Bill Meier <wmeier@newsguy.com>
|
|
That indicates that it's a problem specific to *writing* capture files;
we've already converted some errors to that style, and added a new one
in that style.
Change-Id: I8268316fd8b1a9e301bf09ae970b4b1fbcb35c9d
Reviewed-on: https://code.wireshark.org/review/5826
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
For cases where record (meta)data is something that can't be written out
in a particular file format, return WTAP_ERR_UNWRITABLE_REC_DATA along
with an err_info string.
Report (and free) that err_info string in cases where
WTAP_ERR_UNWRITABLE_REC_DATA is returned.
Clean up some other error reporting cases, and flag with an XXX some
cases where we aren't reporting errors at all, while we're at it.
Change-Id: I91d02093af0d42c24ec4634c2c773b30f3d39ab3
Reviewed-on: https://code.wireshark.org/review/5823
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: I22d407efe3ae9fba7aa25f08f050317549866442
Reviewed-on: https://code.wireshark.org/review/5798
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
That makes it clearer what the problem is, and that it should only be
returned by the dump code path, not by the read code path.
Change-Id: Icc5c9cff43be6c073f0467607555fa7138c5d074
Reviewed-on: https://code.wireshark.org/review/5797
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
For example, this can be used for pcap-ng options not mapped to
file-type-independent metadata values.
Change-Id: I398b324c62c1cc1cc61eb5e9631de00481b4aadc
Reviewed-on: https://code.wireshark.org/review/5549
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Add a number of fields corresponding to components of the radiotap MCS
field, add presence bits for them, and set and dissect the fields
supported by Peek tagged files.
Change-Id: I3fc801a3bc180e1c174d074a794af0f3d338f249
Reviewed-on: https://code.wireshark.org/review/4989
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Use the "MCS index used" extended flag bit to indicate whether the "data
rate or MCS index" field is a data rate or MCS index.
Display the MCS index value if it's present.
(More to come - MCS indices, plus other information, should be used to
calculate the data rate for 11n and beyond.)
Get rid of the hdr_info_t structure while we're at it; just use local
variables for each of the fields.
Change-Id: I546f53a8ebd89078d5f23e1290557b97348aff38
Reviewed-on: https://code.wireshark.org/review/4988
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Add a set of presence bits, so we can indicate which bits of radio
metadata we do and don't have.
Fill in more radio metadata from capture files, and display it.
(More to come.)
Change-Id: Idea2c05442c74af17c14c4d5a8d8025ab27fbd15
Reviewed-on: https://code.wireshark.org/review/4987
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
The time stamp origin is not correct. Capsa's absolute time stamp for
the sample captures from their Web site would be helpful.
Change-Id: I365daf7b42240e33f54df76939254f41ed57a9b2
Reviewed-on: https://code.wireshark.org/review/4671
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|