path: root/dumpcap.c
Age | Commit message | Author | Files | Lines
2021-10-13 | dumpcap: do all packet counting in capture_loop_wrote_one_packet(). | Guy Harris | 1 | -6/+7
We need to update global_ld.inpkts_to_sync_pipe as soon as we've written a packet to the current capture file. If we're writing to multiple files, then, if we delay counting until after we switch to another file, the packet-count message we send to the parent before switching won't include the packet, and the first packet-count message we send to the parent *after* switching *will* include the packet, which could mean the parent will try to read more packets than there are in the new file, in which case it'll get an EOF and, at least in the case of TShark, treat that as an error and stop capturing. This should fix issue #17654. While we're at it, don't send a "we have no packets" packet-count message even for the packet-count message we send just before switching files.
2021-10-12 | dumpcap: double received count when using threads | Chuck Craft | 1 | -1/+3
Closes #17089
2021-09-30 | ws_getopt: Rename struct and macros | João Valverde | 1 | -6/+6
This is part of the API and should also be renamed to avoid conflicts.
2021-09-17 | Use the musl in-tree getopt_long() everywhere | João Valverde | 1 | -26/+15
Besides the obvious limitation of being unavailable on Windows, the standard is vague about getopt() and getopt_long() has many non-portable pitfalls and buggy implementations, that increase the maintenance cost a lot. Also the GNU libc code currently in the tree is not suited for embedding and is unmaintainable. Own maintainership for getopt_long() and use the musl implementation everywhere. This way we don't need to worry if optreset is available, or if the $OPERATING_SYSTEM version behaves in subtly different ways. The API is under the Wireshark namespace to avoid conflicts with system headers. Side-note, the Mingw-w64 9.0 getopt_long() implementation is buggy with opterr and known to crash. In my experience it's a headache to use the embedded getopt implementation if the system provides one.
2021-09-14 | Add tshark ringbuffer option '-b nametimenum:value' | Juha Takala | 1 | -1/+2
This is used to select the ringbuffer savefile name template. Choose one of two savefile name templates: If value is 1, make the running file number part come before the start time part; this is the original and default behaviour (e.g. log_00001_20210828164426.pcap). If value is greater than 1, make the start time part come before the running number part (e.g. log_20210828164426_00001.pcap). The latter makes the alphabetical sorting order equal to the creation time order, and keeps related multiple file sets in the same directory close to each other (e.g. while browsing in the Wireshark "Open file" dialog). Signed-off-by: Juha Takala <juha.takala+rauta@iki.fi>
2021-09-13 | dumpcap: Send SP_FILE after SHB passthru in child mode | James Ko | 1 | -1/+17
When dumpcap is running as a capture child in passthrough mode, the SP_FILE message should not be sent until after the source SHB is passed through to the capture file. Fixes a race condition where the capture parent attempts to read an SHB from the capture file, following the SP_FILE message, but the file is empty. Closes #17013.
2021-07-26 | dumpcap: clean up capture device open errors. | Guy Harris | 1 | -4/+4
1) Consistently say "capture device"; not all capture devices are "interfaces" in the sense of "network interfaces" ("any" means "all network interfaces", and capturing may be supported on a USB bus or on D-Bus or....) 2) Use double quotes to quote the device specifier (it probably won't have spaces in its name, but...). 3) Make sure that there's a space between "capture device" and the quoted device name.
2021-07-15 | Clean up handling of --capture-comment. | Guy Harris | 1 | -5/+13
Don't store the comments in a capture_options structure, because that's available only if we're being built with capture support, and --capture-comment can be used in TShark when reading a capture file and writing another capture file, with no live capture taking place. This means we don't handle that option in capture_opts_add_opt(); handle it in the programs that support it. Support writing multiple comments in dumpcap when capturing. These changes also fix builds without pcap, and make --capture-comment work in Wireshark when a capture is started from the command line with -k. Update the help messages to indicate that --capture-comment adds a capture comment, it doesn't change any comment (much less "the" comment, as there isn't necessarily a single comment). Update the man pages: - not to presume that only pcapng files support file comments (even if that's true now, it might not be true in the future); - to note that multiple instances of --capture-comment are supported, and that multiple comments will be written, whether capturing or reading one file and writing another; - clarify that Wireshark doesn't *discard* SHB comments other than the first one, even though it only displays the first one;
2021-07-14 | Rename LONGOPT_NUM_CAP_COMMENT to LONGOPT_CAPTURE_COMMENT. | Guy Harris | 1 | -1/+1
The latter is what editcap calls --capture-comment, and the _NUM serves no purpose whatsoever. One #define name for it suffices.
2021-07-04 | Move version_info.[ch] to ui/ | João Valverde | 1 | -1/+1
Version info is an aspect of UI implementation so move it to a more appropriate place, such as ui/. This also helps declutter the top-level. A static library is appropriate to encapsulate the dependencies as private and it is better supported by CMake than object libraries. Also version_info.h should not be installed as a public header.
2021-06-29 | wslog: Prefer more modern time APIs | João Valverde | 1 | -2/+2
Functions clock_gettime() and timespec_get() cover all the platforms we support with sub-second resolution in a portable manner. Fall back to using time(). Pass a struct timespec to the log writer callback for maximum flexibility.
2021-06-26 | wslog: Check environment initialization for errors | João Valverde | 1 | -39/+39
Initialize the cmdarg error stream earlier. Dumpcap also needs to know earlier if it is running in capture child mode.
2021-06-23 | If opening a capture device provides a warning, show it. | Guy Harris | 1 | -33/+36
We start the capture anyway, but print a warning message or pop up a warning dialog first.
2021-06-21 | wslog: Check if we are initialized and add missing inits | João Valverde | 1 | -7/+3
Instead of receiving the program name from GLib, pass it explicitly to ws_log_init() and use that to initialize the GLib program name. ws_log_parse_args() will now exit the program when it encounters an argument error if exit_failure >= 0.
2021-06-19 | Replace g_assert() with ws_assert() | João Valverde | 1 | -5/+6
2021-06-17 | Make various names match the name of the systemd journal export block. | Guy Harris | 1 | -1/+1
The name of the block, in the pcapng specification, is the systemd Journal Export Block; add "export" after "journal" in various variable/enum/define names.
2021-06-17 | wslog: Add more documentation | João Valverde | 1 | -0/+3
2021-06-14 | wslog: Use buffered I/O | João Valverde | 1 | -12/+12
Use standard buffered I/O instead of printing to a string. This is more efficient, cleaner and allows custom output per stream.
2021-06-14 | wslog: Parse cmd line options in one pass | João Valverde | 1 | -6/+2
2021-06-14 | wslog: Include pid in format | João Valverde | 1 | -0/+2
2021-06-14 | wslog: Add support for domain filtering | João Valverde | 1 | -2/+3
A domain filter can be given in the environment variable 'WS_LOG_DOMAINS' or in the command-line option "--log-domains". The filter is specified as a comma separated case insensitive list, for example: ./tshark --log-domains=main,capture Domain data type switches from an enum to a string. There is no constraint on adding new domains, neither in code nor at runtime. The string format is arbitrary, only positive matches will produce output.
2021-06-14 | wslog: Improve code modularity and efficiency | João Valverde | 1 | -16/+20
Also tweak format for readability.
2021-06-11 | Refactor our logging and extend the wslog API | João Valverde | 1 | -218/+103
Experience has shown that: 1. The current logging methods are not very reliable or practical. A logging bitmask makes little sense as the user-facing interface (who would want debug but not critical messages for example?); it's computer-friendly and user-unfriendly. More importantly the console log level preference is initialized too late in the startup process to be used for the logging subsystem and that fact raises a number of annoying and hard-to-fix usability issues. 2. Coding around G_MESSAGES_DEBUG to comply with our log level mask and not clobber the user's settings or not create unexpected log misses is unworkable and generally follows the principle of most surprise. The fact that G_MESSAGES_DEBUG="all" can leak to other programs using GLib is also annoying. 3. The non-structured GLib logging API is very opinionated and lacks configurability beyond replacing the log handler. 4. Windows GUI has some special code to attach to a console, but it would be nice to abstract away the rest under a single interface. 5. Using this logger seems to be noticeably faster. Deprecate the console log level preference and extend our API to implement a log handler in wsutil/wslog.h to provide easy-to-use, flexible and dependable logging during all execution phases. Log levels have a hierarchy, from most verbose to least verbose (debug to error). When a given level is set everything above that is also enabled. The log level can be set with an environment variable or a command line option (parsed as soon as possible but still later than the environment). The default log level is "message". Dissector logging is not included because it is not clear what log domain they should use. An explosion to thousands of domains is not desirable and putting everything in a single domain is probably too coarse and noisy.
For now I think it makes sense to let them do their own thing using g_log_default_handler() and continue using the G_MESSAGES_DEBUG mechanism with specific domains for each individual dissector. In the future a mechanism may be added to selectively enable these domains at runtime while trying to avoid the problems introduced by G_MESSAGES_DEBUG.
2021-04-13 | Clean up printing of interface information. | Guy Harris | 1 | -13/+10
In dumpcap, if we're being run by TShark or Wireshark, if there are no link-layer types, just provide an empty list to our caller; let them construct an empty list of link-layer types when they read our output. In the code that reads that list, don't report an error if the list is empty, rely on the caller to do so. Have capture_opts_print_if_capabilities() do more work, moving some functions from its callers to it.
2021-04-13 | Don't handle -k in capture_opts_add_opt(). | Guy Harris | 1 | -2/+1
It's not a generic capture option also supported by TShark and dumpcap, it's Wireshark-specific (dumpcap *always* starts a capture, and TShark starts one iff it's passed one or more interfaces on which to capture; only Wireshark needs it to start the capture immediately - that's a relic of the days when Wireshark *itself* did what dumpcap now does for Wireshark). Handle it in commandline_other_options(), rather than in capture_opts_add_opt(). That lets us get rid of an argument to capture_opts_add_opt(), and dummy variables in TShark and dumpcap used to work with that extra argument.
2021-03-29 | Merge the caputils/ and capchild/ directories | João Valverde | 1 | -7/+7
The distinction between the different kinds of capture utility may not warrant a special subfolder for each, and sometimes the distinction is not clear or some functions could straddle multiple "categories" (like capture_ifinfo.[ch]). Simplify by having only a generic 'capture' subfolder. The separate CMake libraries are kept as a way to reuse object code efficiently.
2021-03-25 | wsutils: add local implementation of g_memdup2. | Dario Lombardo | 1 | -2/+3
g_memdup() was deprecated and replaced with g_memdup2() in GLib 2.68; we provide our own copy of g_memdup2() for older GLib versions.
2021-03-25 | Add dumpcap options to set the name and description for a capture source. | Guy Harris | 1 | -2/+53
Add --ifname and --ifdescr to allow the name and description for an interface or pipe to be set; this overrides the specified name or reported description for an interface, and overrides the pipe path name and provides a description for a pipe. Provide those arguments when capturing from an extcap program. This is mainly for extcaps, so you have something more meaningful than some random path name as the interface name and something descriptive for the description.
2021-03-06 | if_capabilities: Use a structured error msg from dumpcap | João Valverde | 1 | -3/+14
Have dumpcap in child mode return an error message with a primary and secondary string, instead of using stderr. When writing to the console log we ignore the second message to prevent flooding the log with tutorial-like info on permissions.
2021-02-14 | Enable -Wredundant-decls. | Guy Harris | 1 | -5/+10
Add it to the default list of checks, and fix some errors it causes. (Sadly, it doesn't work in Clang.)
2021-02-09 | dumpcap: don't mention Npcap if we're not using it. | Guy Harris | 1 | -3/+13
2021-02-08 | dumpcap: provide more information to put into an Npcap bug. | Guy Harris | 1 | -42/+38
Turn the sequence of details to supply in an Npcap bug into a list, with one element per line, and provide the interface name, Windows version string, and Npcap version string. Put that into a common routine.
2021-02-08 | dumpcap: use the display name in error messages. | Guy Harris | 1 | -4/+4
That adds the description, if present, on UN*X, and replaces the ugly GUID-based name with a friendly name on Windows.
2021-02-08 | dumpcap: give details on how to fix Npcap bugs. | Guy Harris | 1 | -11/+69
Give a whole bunch of details to put into the bug, in the (vain?) hope that the user will put them in the bug, to try to help Daniel and possibly Microsoft networking stack folk figure out what's happening. (Remove an extra report_capture_error() left over from the previous commit.)
2021-02-08 | dumpcap: show the interface name in capture errors. | Guy Harris | 1 | -18/+29
dumpcap can capture on more than one interface at a time. If the capture stops due to an error on an interface, report the name of the interface on which the error occurred.
2021-02-08 | "The device has been removed." can happen if it has, indeed, been removed. | Guy Harris | 1 | -2/+4
So only tell the user to report that as an Npcap bug if they *haven't* removed the device.
2021-02-07 | dumpcap: look for "PacketReceivePacket error: .* (1617)". | Guy Harris | 1 | -1/+19
The error message text for ERROR_DEVICE_REMOVED (1617) might be in the user's language; just look for the numeric error code.
2021-02-07 | dumpcap: improve some secondary error messages. | Guy Harris | 1 | -0/+10
For "PacketReceivePacket error: The device has been removed. (1617)", report the error in that fashion, indicate that the interface is no longer attached, *and* suggest that this may be an Npcap bug and that the user should report it as such; give the URL for the Npcap issue list. For "The other host terminated the connection", report the error in that fashion, and suggest that it might be a problem with the host on which the capture is being done. Hopefully this will mean fewer bugs filed as *Wireshark* bugs for those issues. (And, with any new capture API in libpcap, these should all turn into specific PCAP_ERROR_ codes, to make it easier to detect them in callers of libpcap.)
2020-12-27 | dumpcap: Improve the secondary error for promiscuous mode failure. | Guy Harris | 1 | -9/+30
On Windows, some devices don't let promiscuous mode be enabled, and return an error rather than silently ignoring the request to use promiscuous mode (as UN*X devices tend to do). Check for the error message from that error, and suggest that the user turn off promiscuous mode on that device.
2020-12-23 | Replace more g_malloc with g_new | Moshe Kaplan | 1 | -1/+1
Replace g_malloc with g_new to improve source code readability.
2020-12-22 | Detect and replace bad allocation patterns | Moshe Kaplan | 1 | -4/+4
Adds a pre-commit hook for detecting and replacing occurrences of `g_malloc()` and `wmem_alloc()` with `g_new()` and `wmem_new()`, to improve the readability of Wireshark's code, and occurrences of `g_malloc(sizeof(struct myobj) * foo)` with `g_new(struct myobj, foo)` to prevent integer overflows. Also fixes all existing occurrences across the codebase.
2020-11-25 | Put the XXX_pipe_open_live() calls after the file type determination. | Guy Harris | 1 | -9/+6
That way, there's only one pcap_pipe_open_live() call, as was the case in the past.
2020-11-25 | Update a comment, and add some comments. | Guy Harris | 1 | -1/+11
2020-11-25 | Fix previous change to use WSAGetLastError() only on sockets. | Guy Harris | 1 | -11/+9
On Windows, we do pipe I/O in a separate thread, as we can't do select() - or even WaitForMultipleObjects() - on pipes, so cap_pipe_read_data_bytes() is used only on sockets. Update a comment.
2020-11-25 | Make sure a pcapng block's length is a multiple of 4. | Guy Harris | 1 | -12/+30
We check for that when *writing* the block, but the error message for that is not at all clear; check for it after we've read the block total length, and report it with a better error message. Clean up some other error messages while we're at it.
2020-11-25 | Have capture_loop_init_pcapng_output() report an error code. | Guy Harris | 1 | -7/+8
It *can* get errors with error codes, so it should pass them to its caller so it can report the error correctly.
2020-11-25 | Expand a comment to note that pcapng_read_shb() does a synchronous read. | Guy Harris | 1 | -1/+1
2020-11-22 | Various code and comment cleanups. | Guy Harris | 1 | -44/+151
Doing a blocking read from a pipe on Windows is done in several places, using similar sequences of code; put that sequence into a subroutine, with the parts that differ in arguments to the routine. Add some comments, and update some comments, to better clarify what the code is doing in various places. In the switch statement that tests the first 4 bytes read from a pipe or socket, call pcap_pipe_open_live() at the end of all of the cases where the file appears to be a pcap file; that makes the handling of pcap files look a bit more like the handling of pcapng files.
2020-11-15 | Pass an address-family-appropriate socket length to connect(). | Guy Harris | 1 | -5/+22
Some UN*Xes (4.4-lite-derived, such as the obscure, little-known macOS, FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) have a length field in the socket address structure. That was originally done for OSI address support; unlike most transport addresses, such as IPv4 (and IPv6) addresses, where the size of the address is fixed, the size of an OSI transport layer address is *not* fixed, so it cannot be inferred from the address type. With the dropping of OSI support, that field is no longer necessary in userland. System calls that take a socket address argument also take an address length argument; in newer (all?) versions of the {macOS, FreeBSD, NetBSD, OpenBSD, DragonFly BSD} kernel, the system call code sets the length field in the kernel's copy of the address to the address length field value. However, that means that you have to pass in the appropriate length; if you have a sockaddr_storage that might contain an IPv4 address or an IPv6 address, connect() (and bind()) calls should use the IPv4 address size for IPv4 addresses and the IPv6 address size for IPv6 addresses, otherwise, at least on macOS, the call fails. In cap_open_socket(), report socket() and connect() errors separately, to make it easier to determine where TCP@ captures fail, if they do fail. (That's how I got here in the first place.)
2020-10-30 | add support for compression of capture file | Masaru Tsuchiyama | 1 | -1/+3