[Wireshark-dev] Using plugin support to handle pcap-ng block types

2018-01-29 Thread Paul Offord
Hi,

I am writing a plugin that handles two new PCAP-NG block types - details here: 
https://wiki.wireshark.org/Adding%20Support%20for%20a%20New%20Block%20Type

I'm using Guy's code that adds support for plugins to handle pcap-ng block 
types, described in https://code.wireshark.org/review/#/c/1775/

I have written a read block handler and registered it with Wireshark using 
register_pcapng_block_type_handler() and the handler gets called correctly.  
Once the block has been read by my handler, I want Wireshark to continue to 
process it, but currently the block is ignored and Wireshark just moves on to 
the next block.

The blocks are read via a while loop in the pcapng_read(...) function of 
pcapng.c.  After calling a function to read the block there is a "switch 
(wblock.type)" section of code that decides what next to do with the block.  My 
new block is not defined as a switch case (not surprising), but I believe the 
default case should take into account the fact that a block type may have been 
registered.  The code in this area currently looks like this:

        switch (wblock.type) {

        case(BLOCK_TYPE_SHB):
            pcapng_debug("pcapng_read: another section header block");
            g_array_append_val(wth->shb_hdrs, wblock.block);
            break;

        case(BLOCK_TYPE_PB):
        case(BLOCK_TYPE_SPB):
        case(BLOCK_TYPE_EPB):
        case(BLOCK_TYPE_SYSDIG_EVENT):
        case(BLOCK_TYPE_SYSDIG_EVF):
            /* packet block - we've found a packet */
            goto got_packet;

        case(BLOCK_TYPE_IDB):
            /* A new interface */
            pcapng_debug("pcapng_read: block type BLOCK_TYPE_IDB");
            pcapng_process_idb(wth, pcapng, &wblock);
            wtap_block_free(wblock.block);
            break;

        case(BLOCK_TYPE_NRB):
            /* More name resolution entries */
            pcapng_debug("pcapng_read: block type BLOCK_TYPE_NRB");
            if (wth->nrb_hdrs == NULL) {
                wth->nrb_hdrs = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
            }
            g_array_append_val(wth->nrb_hdrs, wblock.block);
            break;

        case(BLOCK_TYPE_ISB):
            /* Another interface statistics report */
            pcapng_debug("pcapng_read: block type BLOCK_TYPE_ISB");
            if_stats_mand_block =
                (wtapng_if_stats_mandatory_t*)wtap_block_get_mandatory_data(wblock.block);

            ... lines deleted ...

            }
            wtap_block_free(wblock.block);
            break;

        default:
            /* XXX - improve handling of "unknown" blocks */
            pcapng_debug("pcapng_read: Unknown block type 0x%08x", wblock.type);
            break;
        }
    }

got_packet:

    /*pcapng_debug("Read length: %u Packet length: %u", bytes_read, wth->phdr.caplen);*/
    pcapng_debug("pcapng_read: data_offset is finally %" G_GINT64_MODIFIER "d", *data_offset);

    return TRUE;


I believe that the default condition should check for a plugin registered block 
type and then goto got_packet.  Also, as the code stands we never free 
wblock.block.

Is this a bug, or is my understanding of what's intended wrong?

Thanks and regards...Paul

Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
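A stand-alone model of the dispatch described in the message above, added here as an example (it is not code from pcapng.c or from the plugin): the default case looks up a handler registered for the block type, sends packet-bearing blocks down the got_packet path and frees every block it consumes. register_block_handler(), dispatch_block(), process_one() and PLUGIN_BLOCK_TYPE are hypothetical names and values; the IDB and EPB constants are the standard pcapng ones.

```c
/* Added example, not Wireshark code: a stand-alone model of the switch in
 * pcapng_read() whose default case consults a registry of plugin-registered
 * block types and frees the block on every non-packet path (names hypothetical). */
#include <stdint.h>
#include <stdlib.h>
#define BLOCK_TYPE_IDB    0x00000001u   /* standard pcapng block type values */
#define BLOCK_TYPE_EPB    0x00000006u
#define PLUGIN_BLOCK_TYPE 0x0000B0B0u   /* constructed value for the example */
#define MAX_HANDLERS      8
typedef struct { uint32_t type; void *block; } wblock_t;
typedef int (*block_handler_t)(wblock_t *wblock);  /* returns 1 = deliver as packet */
enum { BLOCK_CONSUMED = 0, BLOCK_IS_PACKET = 1, BLOCK_UNKNOWN = 2 };
static struct { uint32_t type; block_handler_t fn; } handlers[MAX_HANDLERS];
static int n_handlers;
static block_handler_t find_handler(uint32_t type)
{
    for (int i = 0; i < n_handlers; i++)
        if (handlers[i].type == type) return handlers[i].fn;
    return NULL;
}

/* Register a reader for a block type; -1 on a duplicate or a full table. */
int register_block_handler(uint32_t type, block_handler_t fn)
{
    if (find_handler(type) != NULL || n_handlers == MAX_HANDLERS) return -1;
    handlers[n_handlers].type = type; handlers[n_handlers++].fn = fn;
    return 0;
}

/* One pass of the read loop's switch: packet blocks go back to the caller
 * ("goto got_packet"); everything else is consumed and freed right here. */
int dispatch_block(wblock_t *wblock)
{
    block_handler_t fn; int result = BLOCK_CONSUMED;
    switch (wblock->type) {
    case BLOCK_TYPE_EPB:
        return BLOCK_IS_PACKET;
    case BLOCK_TYPE_IDB:
        break;                                /* pcapng.c records these in wth */
    default:                                  /* consult the plugin registry */
        fn = find_handler(wblock->type);
        if (fn != NULL && fn(wblock)) return BLOCK_IS_PACKET;
        if (fn == NULL) result = BLOCK_UNKNOWN;
    }
    free(wblock->block);                      /* the free the original default case lacks */
    wblock->block = NULL;
    return result;
}
int example_plugin_reader(wblock_t *wblock) { return wblock->block != NULL; } /* sample plugin */

/* Push one constructed block through the switch; its result, or -1 if a consumed block leaked. */
int process_one(uint32_t type)
{
    wblock_t wb = { type, calloc(1, 16) };   /* stand-in for wtap_block_t */
    int r = dispatch_block(&wb);
    if (r == BLOCK_IS_PACKET) free(wb.block);  /* got_packet path frees it later */
    else if (wb.block != NULL) return -1;
    return r;
}
```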

Re: [Wireshark-dev] How to get calling dissector

2018-01-29 Thread Uli Heilmeier
Thanks a lot Roland.

Now that I know what to look for packet-sip.c gives a nice example.

Cheers
Uli

Am 29.01.18 um 18:03 schrieb Roland Knall:
> Short answer: packet_info->layers should get you the list of protocols called 
> before yours. If you iterate, you should
> see the other protocols before yours. In packet.c:754 you see the code adding 
> to the list. 
> 
> Not sure though, how stable that interface is. It is pretty in-depth for 
> span, so you should be safe to use it, but not
> sure, if it is official, or if there is another way.
> 
> cheers
> Roland
> 
> On Sun, Jan 28, 2018 at 10:59 PM, Uli Heilmeier wrote:
> 
> Hi all,
> 
> TL,DR:
> How does a dissector know which dissector called it?
> 

Re: [Wireshark-dev] How to get calling dissector

2018-01-29 Thread Roland Knall
Short answer: packet_info->layers should get you the list of protocols
called before yours. If you iterate, you should see the other protocols
before yours. In packet.c:754 you see the code adding to the list.

Not sure though, how stable that interface is. It is pretty in-depth for
span, so you should be safe to use it, but not sure, if it is official, or
if there is another way.

cheers
Roland

On Sun, Jan 28, 2018 at 10:59 PM, Uli Heilmeier wrote:

> Hi all,
>
> TL,DR:
> How does a dissector know which dissector called it?
>
> Long version:
> I’m currently implementing a dissector for „Session Multiplex Protocol“
> (SMP) [1] requested in bug 14110 [2].
> The Tabular Data Stream (TDS; MS SQL Server) protocol depends on SMP when
> using the MARS feature [3].
>
> SMP runs on top of TCP and is a session layer protocol. SMP however has no
> identifier to specify the next protocol.
> When TDS uses SMP the SMP payload itself is TDS. Resulting in dissector
> stack: Ethernet/IP/TCP/TDS/SMP/TDS.
>
> I want to call the TDS dissector for the SMP payload data only when it was
> called by TDS. Otherwise just display the data as hex.
> How can I get the information which dissector called my dissector?
>
> Any ideas are welcome. Thanks!
>
> [1]: https://msdn.microsoft.com/en-us/library/cc219643.aspx
> [2]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14110
> [3]: https://docs.microsoft.com/en-us/sql/relational-databases/
> native-client/features/using-multiple-active-result-sets-mars
>
> Cheers Uli

[Wireshark-dev] How to get calling dissector

2018-01-29 Thread Uli Heilmeier
Hi all,

TL,DR:
How does a dissector know which dissector called it?

Long version:
I’m currently implementing a dissector for „Session Multiplex Protocol“ (SMP) 
[1] requested in bug 14110 [2].
The Tabular Data Stream (TDS; MS SQL Server) protocol depends on SMP when using 
the MARS feature [3].

SMP runs on top of TCP and is a session layer protocol. SMP however has no 
identifier to specify the next protocol.
When TDS uses SMP the SMP payload itself is TDS. Resulting in dissector stack: 
Ethernet/IP/TCP/TDS/SMP/TDS.

I want to call the TDS dissector for the SMP payload data only when it was 
called by TDS. Otherwise just display the data as hex.
How can I get the information which dissector called my dissector?

Any ideas are welcome. Thanks!

[1]: https://msdn.microsoft.com/en-us/library/cc219643.aspx
[2]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14110
[3]: https://docs.microsoft.com/en-us/sql/relational-databases/native-client/features/using-multiple-active-result-sets-mars

Cheers Uli

[Wireshark-dev] Luacov with Wireshark Lua dissector plugin

2018-01-29 Thread Shakthi Kannan
Hi,

I would like to see the code coverage when I run tshark for a packet
capture with a Lua dissector plugin. The command used is as follows:

  $ tshark -r input.pcap -X lua_script:dissector.lua

I came across the following StackOverflow post, but, it doesn't give
much details:

  
https://stackoverflow.com/questions/36638393/how-to-perform-code-coverage-test-for-wireshark-lua-dissector

Luarocks has been used to install Luacov. Appreciate your inputs in this regard.

Thanks!

SK

-- 
Shakthi Kannan
http://www.shakthimaan.com

Re: [Wireshark-dev] PLUGINS: Wireshark source code repository path

2018-01-29 Thread Dario Lombardo
Yes, it is correct, as stated in the developer page:

https://www.wireshark.org/develop.html

However, the master branch of a project is very likely not the stable one.
At least this is the truth for wireshark. If you want some stable branch,
just run

git remote show origin

have a look at the master-2.X branches, and take your pick. However, if you're
planning to do some development to be included in wireshark, your best bet
is to start from master.
Hope it helps.
Dario.

On Mon, Jan 29, 2018 at 12:45 PM, Nilesh Bhadule wrote:

> Hi,
>
> I have cloned Wireshark source code from
> https://code.wireshark.org/review/wireshark and master branch.
>
> Is this the correct/stable Wireshark source code path?
>
> Thanks,
> Nilesh

Re: [Wireshark-dev] PLUGINS: Wireshark source code repository path

2018-01-29 Thread Graham Bloice
On 29 January 2018 at 11:45, Nilesh Bhadule wrote:

> Hi,
>
> I have cloned Wireshark source code from
> https://code.wireshark.org/review/wireshark and master branch.
>
> Is this the correct/stable Wireshark source code path?
>
> Thanks,
> Nilesh
>
Yes, as per the Develop page on the website (
https://www.wireshark.org/develop.html), and the Developers Guide (
https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html#_install_and_prepare_sources
).

-- 
Graham Bloice

[Wireshark-dev] PLUGINS: Wireshark source code repository path

2018-01-29 Thread Nilesh Bhadule
Hi,

I have cloned Wireshark source code from 
https://code.wireshark.org/review/wireshark and master branch.

Is this the correct/stable Wireshark source code path?

Thanks,
Nilesh

Re: [Wireshark-dev] One quick question

2018-01-29 Thread Paul Offord
Hi Krishnamurthy,

Wireshark uses an executable called dumpcap to perform the actual capture.  You 
can use dumpcap directly from the command line, and as dumpcap doesn’t build 
the structures that Wireshark builds you won’t have a memory problem.  You can 
then view the resulting pcapng file with Wireshark in the normal way.

You can find more information here - 
https://community.tribelab.com/course/view.php?id=10 – including a video 
explaining the use of dumpcap.

Best regards…Paul

From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of 
Krishnamurthy Mayya
Sent: 29 January 2018 09:21
To: Developer support list for Wireshark; g...@alum.mit.edu
Subject: Re: [Wireshark-dev] One quick question

Okay.
So, if I am sending a continuous stream of data at the line rate (1gb/s) and if I 
am using wireshark to capture the content, it will crash after some time
due to memory exhaustion. Is there any way to bypass this? (Any free 
function/some other work around)
Any suggestion from your side would be extremely helpful. Thanks in advance

Regards,
Krishnamurthy mayya


On Mon, Jan 8, 2018 at 11:05 PM, Guy Harris wrote:
On Jan 8, 2018, at 5:29 AM, Krishnamurthy Mayya wrote:

> epan_get_frame_ts
>
> Like the above function, is there any utility function in wireshark which 
> fress the memory allocated for the given frame_num ?

Are you assuming that epan_get_frame_ts() returns a pointer to a 
freshly-allocated structure that must be freed when the caller no longer needs 
it?

If so, no, it doesn't.  You do not need to free the structure.

Re: [Wireshark-dev] One quick question

2018-01-29 Thread Krishnamurthy Mayya
Okay.
So, if I am sending a continuous stream of data at the line rate (1gb/s) and if
I am using wireshark to capture the content, it will crash after some time
due to memory exhaustion. Is there any way to bypass this? (Any free
function/some other work around)
Any suggestion from your side would be extremely helpful. Thanks in advance

Regards,
Krishnamurthy mayya


On Mon, Jan 8, 2018 at 11:05 PM, Guy Harris wrote:

> On Jan 8, 2018, at 5:29 AM, Krishnamurthy Mayya <
> krishnamurthyma...@gmail.com> wrote:
>
> > epan_get_frame_ts
> >
> > Like the above function, is there any utility function in wireshark
> which fress the memory allocated for the given frame_num ?
>
> Are you assuming that epan_get_frame_ts() returns a pointer to a
> freshly-allocated structure that must be freed when the caller no longer
> needs it?
>
> If so, no, it doesn't.  You do not need to free the structure.

Re: [Wireshark-dev] error occurred WSLDFLAG_VALID0 - Failed

2018-01-29 Thread Graham Bloice
Ignore it, it's a test for a flag that's not supported by MSVC, so as it
fails it won't be used.  The flag has actually been removed for MSVC in the
current master branch.

On 29 January 2018 at 08:05, Nilesh Bhadule wrote:

> hi,
>
> While doing Custom plugin Cmake generation step following error occurred
> WSLDFLAG_VALID0 - Failed,
>
> -- Performing Test CXX_w34295w34189wd4200VALID
> -- Performing Test CXX_w34295w34189wd4200VALID
> - Success statuscheck linker flag - test linker flags: -Wl,--as-needed
> -- Performing Test WSLDFLAGVALID0
> -- Performing Test WSLDFLAGVALID0 - Failed
> statuscheck linker flag - test linker flags: -pie
> -- Performing Test WSLDFLAGVALID1
> -- Performing Test WSLDFLAGVALID1 - Failed
> -- Looking for sys/types.h
> -- Looking for sys/types.h - found -- Looking for stdint.h
>
> How can remove this error?
>
> Thanks,
> Nilesh
>



-- 
Graham Bloice
Software Developer
Trihedral UK Limited

[Wireshark-dev] error occurred WSLDFLAG_VALID0 - Failed

2018-01-29 Thread Nilesh Bhadule
hi,
While doing the custom plugin CMake generation step, the following error occurred: 
WSLDFLAG_VALID0 - Failed

-- Performing Test CXX_w34295w34189wd4200VALID
-- Performing Test CXX_w34295w34189wd4200VALID
- Success statuscheck linker flag - test linker flags: -Wl,--as-needed
-- Performing Test WSLDFLAGVALID0
-- Performing Test WSLDFLAGVALID0 - Failed
statuscheck linker flag - test linker flags: -pie
-- Performing Test WSLDFLAGVALID1
-- Performing Test WSLDFLAGVALID1 - Failed
-- Looking for sys/types.h
-- Looking for sys/types.h - found -- Looking for stdint.h

How can I remove this error?
Thanks,
Nilesh
