[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #10 from Gerrit Code Review  ---
Change 34439 merged by Guy Harris:
Also don't treat an empty buffer as JSON.

https://code.wireshark.org/review/34439

-- 
You are receiving this mail because:
You are watching all bug changes.
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #9 from Gerrit Code Review  ---
Change 34439 had a related patch set uploaded by Guy Harris:
Also don't treat an empty buffer as JSON.

https://code.wireshark.org/review/34439


[Wireshark-bugs] [Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104
Bug 15104 depends on bug 16031, which changed state.

Bug 16031 Summary: Netsh .etl files are treated as i4b, PacketLogger, or JSON files
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

   What|Removed |Added

 Status|IN_PROGRESS |RESOLVED
 Resolution|--- |FIXED


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #8 from Gerrit Code Review  ---
Change 34438 merged by Guy Harris:
Strengthen the JSON validator.

https://code.wireshark.org/review/34438


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

Guy Harris  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|IN_PROGRESS |RESOLVED


[Wireshark-bugs] [Bug 16032] New: sshdump crashes due to outdated version of libssh

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16032

Bug ID: 16032
   Summary: sshdump crashes due to outdated version of libssh
   Product: Wireshark
   Version: 3.0.3
  Hardware: x86
OS: macOS 10.14
Status: UNCONFIRMED
  Severity: Normal
  Priority: Low
 Component: Extras
  Assignee: bugzilla-ad...@wireshark.org
  Reporter: bin-wiresh...@m.fago.me
  Target Milestone: ---

Build Information:
Wireshark 3.0.3 (v3.0.3-0-g6130b92b0ec6)

Copyright 1998-2019 Gerald Combs  and contributors.
License GPLv2+: GNU GPL version 2 or later

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.4, with libpcap, without POSIX capabilities, with
GLib 2.37.6, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.21.0, with LZ4, with Snappy, with libxml2 2.9.9, with
QtMultimedia, with SBC, with SpanDSP, with bcg729.

Running on Mac OS X 10.14.5, build 18F132 (Darwin 18.6.0), with Intel(R)
Core(TM) i5-4258U CPU @ 2.40GHz (with SSE4.2), with 8192 MB of physical memory,
with locale de_DE.UTF-8, with libpcap version 1.8.1 -- Apple version 79.250.1,
with GnuTLS 3.4.17, with Gcrypt 1.7.7, with zlib 1.2.11, binary plugins
supported (0 loaded).

Built using clang 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4).

--
sshdump breaks with more complicated ssh configs due to a bug in libssh <=
0.8.5.
libssh <= 0.8.5 misses the NULL terminator entry in
ssh_config_match_keyword_table_s and crashes with SIGSEGV when parsing certain
entries in ssh configs.

Steps to reproduce:
1. Create an ssh config with the following content:
Match host HOSTNAME !exec "local-accessible 42.42.42.42"

2. Call sshdump:
/Applications/Wireshark.app/Contents/MacOS/extcap/sshdump
--extcap-interface=sshdump --remote-host myhost --remote-port 22
--remote-username myuser --remote-interface eth42
--remote-capture-command='something' --fifo=FILENAME --capture

sshdump will crash with a segfault.

This problem can be resolved by upgrading to libssh >= 0.8.6. I'd suggest
adjusting LIBSSH_VERSION in all relevant build scripts accordingly.


Thanks to Tobias Schramm for helping me find the origin of this bug :)


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #7 from Gerrit Code Review  ---
Change 34438 had a related patch set uploaded by Guy Harris:
Strengthen the JSON validator.

https://code.wireshark.org/review/34438


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b, PacketLogger, or JSON files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

Guy Harris  changed:

   What|Removed |Added

Summary|Netsh .etl files are|Netsh .etl files are
   |treated as i4b or   |treated as i4b,
   |packetlogger files  |PacketLogger, or JSON files

--- Comment #6 from Guy Harris  ---
(In reply to Guy Harris from comment #2)
> Here's the ETL capture from bug 6694; it's currently recognized as an I4B
> trace and, when the I4B heuristics are strengthened, it's recognized as a
> PacketLogger trace.

And when the PacketLogger heuristics are strengthened, it's recognized as a
JSON file.

When *that's* fixed (not to treat a buffer of an arbitrary number of octets,
the first of which is a NUL, as being an empty string and thus valid JSON!),
it's finally treated as "I don't know what this is".

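Comment #6 above describes the validator accepting a buffer whose first octet is NUL as an empty string and hence as valid JSON, and change 34439 covers the genuinely empty buffer. The C example below is added here and is not Wireshark's or libwiretap's code: it puts a naive check modelled on that defect beside a strengthened one that works on the full buffer length. The sample buffers are constructed (the NUL-first buffer is not a real ETL header), and the rule that a capture must start with an object or array is an assumed policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* JSON insignificant whitespace (RFC 8259): space, tab, LF, CR. */
static bool is_json_ws(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/*
 * Naive heuristic modelled on the defect described in comment #6 (a
 * constructed illustration, not libwiretap's actual code). It stops at the
 * first NUL as if the buffer were a C string, so a binary capture whose
 * first octet is 0x00 looks like "" and is accepted as an empty JSON
 * document; a genuinely empty buffer is accepted for the same reason.
 */
bool json_heuristic_naive(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    while (i < len && buf[i] != '\0' && is_json_ws(buf[i]))
        i++;
    if (i == len || buf[i] == '\0')
        return true;                    /* "empty string": wrongly accepted */
    return buf[i] == '{' || buf[i] == '[';
}

/*
 * Strengthened heuristic. It examines all len octets, rejects an empty or
 * whitespace-only buffer, requires the first value to be an object or array
 * (assumed policy for a capture file; bare scalars are rejected), and refuses
 * any NUL or raw control character, which cannot occur in JSON text outside
 * a \u escape. Bracket nesting is tracked so a stray closer is rejected; a
 * non-zero depth at the end is allowed because only a prefix is examined.
 */
bool json_heuristic_strict(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    int depth = 0;
    bool in_string = false, escaped = false;

    while (i < len && is_json_ws(buf[i]))
        i++;
    if (i == len)
        return false;                   /* empty buffer is not a JSON file */
    if (buf[i] != '{' && buf[i] != '[')
        return false;

    for (; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\0')
            return false;               /* NUL: binary data, not JSON */
        if (in_string) {
            if (escaped)
                escaped = false;
            else if (c == '\\')
                escaped = true;
            else if (c == '"')
                in_string = false;
            else if (c < 0x20)
                return false;           /* unescaped control char in string */
            continue;
        }
        if (c == '"')
            in_string = true;
        else if (c == '{' || c == '[')
            depth++;
        else if (c == '}' || c == ']') {
            if (--depth < 0)
                return false;           /* closer without an opener */
        } else if (c < 0x20 && !is_json_ws(c))
            return false;               /* control char outside a string */
    }
    return true;    /* prefix is consistent with JSON; a full parse decides */
}

/* Constructed sample: binary data whose first octet is NUL. This is NOT a
 * real ETL header, only the shape that fooled the naive check. */
static const unsigned char SAMPLE_NUL_FIRST[] =
    { 0x00, 0x10, 0x00, 0x00, 'E', 'T', 'L', 0x7f };

/* Constructed sample: a truncated JSON prefix. Pass sizeof - 1 so the C
 * string's own terminating NUL is not fed to the validator. */
static const unsigned char SAMPLE_JSON[] = "{\"packets\": [{\"len\": 60}";

int main(void)
{
    printf("NUL-first buffer: naive=%d strict=%d\n",
           json_heuristic_naive(SAMPLE_NUL_FIRST, sizeof SAMPLE_NUL_FIRST),
           json_heuristic_strict(SAMPLE_NUL_FIRST, sizeof SAMPLE_NUL_FIRST));
    printf("empty buffer:     naive=%d strict=%d\n",
           json_heuristic_naive(SAMPLE_JSON, 0),
           json_heuristic_strict(SAMPLE_JSON, 0));
    printf("JSON prefix:      naive=%d strict=%d\n",
           json_heuristic_naive(SAMPLE_JSON, sizeof SAMPLE_JSON - 1),
           json_heuristic_strict(SAMPLE_JSON, sizeof SAMPLE_JSON - 1));
    return 0;
}
```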

[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #5 from Gerrit Code Review  ---
Change 34437 had a related patch set uploaded by Guy Harris:
Strengthen the PacketLogger heuristics.

https://code.wireshark.org/review/34437


[Wireshark-bugs] [Bug 10861] Little-endian OS X Bluetooth PacketLogger files aren't handled

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10861

--- Comment #13 from Gerrit Code Review  ---
Change 34436 had a related patch set uploaded by Guy Harris:
What we're testing for is byte-swappedness, not raw endianness.

https://code.wireshark.org/review/34436


[Wireshark-bugs] [Bug 10861] Little-endian OS X Bluetooth PacketLogger files aren't handled

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10861

--- Comment #12 from Gerrit Code Review  ---
Change 34435 had a related patch set uploaded by Guy Harris:
What we're testing for is byte-swappedness, not raw endianness.

https://code.wireshark.org/review/34435


[Wireshark-bugs] [Bug 10861] Little-endian OS X Bluetooth PacketLogger files aren't handled

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10861

--- Comment #11 from Gerrit Code Review  ---
Change 34434 had a related patch set uploaded by Guy Harris:
What we're testing for is byte-swappedness, not raw endianness.

https://code.wireshark.org/review/34434


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #4 from Gerrit Code Review  ---
Change 34433 had a related patch set uploaded by Guy Harris:
If we get a short read on the first packet in the open, don't check any more.

https://code.wireshark.org/review/34433


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #3 from Gerrit Code Review  ---
Change 34432 had a related patch set uploaded by Guy Harris:
Strengthen the I4B heuristics.

https://code.wireshark.org/review/34432


[Wireshark-bugs] [Bug 11221] Cannot re-set manually resolved address

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11221

--- Comment #7 from Bill Vallance  ---
(In reply to Bill Vallance from comment #6)
> I'm using v3.0.3-g6130b92b0ec6.  The Edit Resolved Name allows me to
> add/change the name associated with the src IP.  If I DON'T save the open
> capture file after using the Edit Resolved Name feature, then reopen it, the
> Edit Resolved Name still appears in the unsaved capture file.  Only when I
> close Wireshark and re-load the unsaved capture file does the Edit
> Resolved Name NOT display.
> 
> It appears that Edit Resolved Names remain in memory and continue to change
> the display of IP addresses that have been associated with them.  THIS LEADS
> TO THE IMPRESSION THAT Edit Resolved Names ARE SAVED WITH THE CAPTURE FILE
> WHEN IN FACT THEY AREN'T.
> 
> I suggest that every Edit Resolved Name be deleted from memory when its
> associated capture file is closed - whether or not the capture file was
> saved.  This puts the onus on the user to consciously decide whether to save
> Edit Resolved Names to the capture file or not.


[Wireshark-bugs] [Bug 11221] Cannot re-set manually resolved address

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11221

Bill Vallance  changed:

   What|Removed |Added

 CC||tec...@wgvallance.com

--- Comment #6 from Bill Vallance  ---
I'm using v3.0.3-g6130b92b0ec6.  The Edit Resolved Name allows me to add/change
the name associated with the src IP.  If I DON'T save the open capture file
after using the Edit Resolved Name feature, then reopen it, the Edit Resolved
Name still appears in the unsaved capture file.  Only when I close Wireshark
and re-load the unsaved capture file does the Edit Resolved Name NOT display.

It appears that Edit Resolved Names remain in memory and continue to change the
display of IP addresses that have been associated with them.  THIS LEADS TO THE
IMPRESSION THAT Edit Resolved Names ARE SAVED WITH THE CAPTURE FILE WHEN IN
FACT THEY AREN'T.

I suggest that every Edit Resolved Name be deleted from memory when its
associated capture file is closed - whether or not the capture file was saved. 
This puts the onus on the user to consciously decide whether to save Edit
Resolved Names to the capture file or not.


[Wireshark-bugs] [Bug 6694] .cap files generated by NetMon from .etl files have no readable packets

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694

--- Comment #22 from Guy Harris  ---
(In reply to Guy Harris from comment #21)
> I'm closing this bug.

Fixed in 2.6.0, based on when the fix was checked in (i.e., this shouldn't be
treated as "fixed in 3.2").


[Wireshark-bugs] [Bug 6694] .cap files generated by NetMon from .etl files have no readable packets

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694

Guy Harris  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|CONFIRMED   |RESOLVED

--- Comment #21 from Guy Harris  ---
(In reply to Gerrit Code Review from comment #18)
> Change 23430 had a related patch set uploaded by Michael Mann:
> Netmon: Add support for process and system config type events.
> 
> https://code.wireshark.org/review/23430

OK, so both of the NetMon files can be read from, at minimum, the Wireshark
code from the tip of the master branch, so *that particular problem* is now
fixed.

I'm closing this bug.  See bug 16031 for the fix for the "ETL files are
identified as I4B or PacketLogger files" problem, and bug 15104 for the "we
can't read ETL files" problem (the two are separate problems; 16031 can be
fixed without adding ETL file support, and adding ETL support without fixing
bug 16031 would fail unless we check for ETL files before any of the types that
are mis-identified as ETL files).


[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

--- Comment #2 from Guy Harris  ---
Created attachment 17308
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17308&action=edit
netsh ETL trace

Here's the ETL capture from bug 6694; it's currently recognized as an I4B trace
and, when the I4B heuristics are strengthened, it's recognized as a
PacketLogger trace.


[Wireshark-bugs] [Bug 6694] .cap files generated by NetMon from .etl files have no readable packets

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694

Guy Harris  changed:

   What|Removed |Added

Summary|Netsh .etl files are|.cap files generated by
   |treated as packetlogger |NetMon from .etl files have
   |files; .cap files generated |no readable packets
   |by NetMon from .etl files   |
   |have no readable packets|

--- Comment #20 from Guy Harris  ---
OK, I've cloned this bug to put the "ETL files are matched by existing file
readers" issue into a separate bug, on which I'm working.

This one is now for the ".cap files generated by NetMon from .etl files have no
readable packets" problem, which is a separate problem.


[Wireshark-bugs] [Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104

Guy Harris  changed:

   What|Removed |Added

 Depends on|6694|


Referenced Bugs:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694
[Bug 6694] .cap files generated by NetMon from .etl files have no readable packets

[Wireshark-bugs] [Bug 6694] .cap files generated by NetMon from .etl files have no readable packets

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694

Guy Harris  changed:

   What|Removed |Added

 Blocks|15104   |


Referenced Bugs:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104
[Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

[Wireshark-bugs] [Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

Guy Harris  changed:

   What|Removed |Added

 Ever confirmed|0   |1
 Status|UNCONFIRMED |IN_PROGRESS

--- Comment #1 from Guy Harris  ---
So this bug is for the "existing heuristic file readers match ETL files" issue,
for which, at minimum, both the I4B (ISDN-for-BSD) and PacketLogger readers
need to have their heuristics strengthened.

Adding ETL support depends on this, as, otherwise, that would be one more place
where the order of the entries in the list of heuristic dissectors would
matter, and it's best to make Wireshark as robust as possible against putting
those entries in the "wrong order".  (I.e., just putting ETL support before both
I4B and PacketLogger support should not be considered sufficient to fix the
problem.)


[Wireshark-bugs] [Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104

Guy Harris  changed:

   What|Removed |Added

 Depends on||16031


Referenced Bugs:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031
[Bug 16031] Netsh .etl files are treated as i4b or packetlogger files

[Wireshark-bugs] [Bug 16031] New: Netsh .etl files are treated as i4b or packetlogger files

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16031

Bug ID: 16031
   Summary: Netsh .etl files are treated as i4b or packetlogger files
   Product: Wireshark
   Version: Git
  Hardware: All
OS: All
Status: UNCONFIRMED
  Severity: Normal
  Priority: Low
 Component: Capture file support (libwiretap)
  Assignee: bugzilla-ad...@wireshark.org
  Reporter: g...@alum.mit.edu
CC: alexis.lagou...@gmail.com, bal...@balintreczey.hu,
bugzilla-ad...@wireshark.org, ke...@microsoft.com,
lom...@gmail.com, mman...@netscape.net,
patrick.pre...@gmail.com, raven...@hotmail.com
Blocks: 15104
  Target Milestone: ---

Build Information:
C:\trace>"\Program Files\Wireshark\tshark.exe" -v
TShark 1.7.1-SVN-40242 (SVN Rev 40242 from /trunk)

Copyright 1998-2011 Gerald Combs  and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.1, with WinPcap (version unknown), with libz
1.2.5, without POSIX capabilities, with SMI 0.4.8, with c-ares 1.7.1, with Lua
5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, without Kerberos,
with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008).

Built using Microsoft Visual C++ 9.0 build 21022
--
+++ This bug was initially created as a clone of Bug #6694 +++

Hi,

it is not possible to open a file created by the netsh trace command or Network
Monitor 3.4

C:\trace>netsh trace start scenario=LAN scenario=WLAN scenario=MBN capture=
yes report=yes tracefile=c:\trace\trace.etl

C:\trace>"\Program Files\Wireshark\capinfos.exe" trace.etl
capinfos: An error occurred after reading 1 packets from "trace.etl": The file
appears to be damaged or corrupt..
(packetlogger: File has 4294967287-byte packet, bigger than maximum of 65535)

File below created by Network Monitor 3.4 

C:\trace>"\Program Files\Wireshark\capinfos.exe" test.cap
File name:   test.cap
File type:   Microsoft NetMon 2.x
File encapsulation:  Per packet
Packet size limit:   file hdr: (not set)
Number of packets:   0
File size:   268013 bytes
Data size:   0 bytes
Capture duration:n/a
Start time:  n/a
End time:n/a
Data byte rate:  n/a
Data bit rate:   n/a
Average packet size: 0.00 bytes
Average packet rate: n/a
SHA1:828b6d8c8e4fd2b16ea208becd41c07d048078b2
RIPEMD160:   b4f74034b938b26a8391c457454d699f7ac19dc3
MD5: f2269187d52a0d628619a21d5437ac90
Strict time order:   True

It would be great if we could open both file types and also see the extended
info from the etl file; they also contain events and such things ...


Referenced Bugs:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104
[Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

[Wireshark-bugs] [Bug 15104] Unable to open .etl Windows native network trace: netsh trace start capture=yes

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15104

Guy Harris  changed:

   What|Removed |Added

 Ever confirmed|0   |1
 Status|RESOLVED|CONFIRMED
 Resolution|DUPLICATE   |---


[Wireshark-bugs] [Bug 16030] Use debug build of glib with Debug build of Wireshark on Windows

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16030

Michael Mann  changed:

   What|Removed |Added

 CC||deso...@gmail.com


[Wireshark-bugs] [Bug 16030] New: Use debug build of glib with Debug build of Wireshark on Windows

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16030

Bug ID: 16030
   Summary: Use debug build of glib with Debug build of Wireshark on Windows
   Product: Wireshark
   Version: Git
  Hardware: x86
OS: Windows 10
Status: UNCONFIRMED
  Severity: Enhancement
  Priority: Low
 Component: Build process
  Assignee: bugzilla-ad...@wireshark.org
  Reporter: mman...@netscape.net
  Target Milestone: ---

Build Information:
Version 3.1.1 (v3.1.1rc0-257-gf6dfa67f6868)
Copyright 1998-2019 Gerald Combs  and contributors.
License GPLv2+: GNU GPL version 2 or later
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.11.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap,
with SpeexDSP (using bundled resampler), with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 10 (1903), build 18362, with Intel(R) Core(TM)
i7-8550U CPU @ 1.80GHz (with SSE4.2), with 16218 MB of physical memory, with
locale English_United States.1252, with light display mode, with HiDPI, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.6.3, with Gcrypt 1.8.3, with
brotli 1.0.2, with AirPcap 4.1.0 build 1622, binary plugins supported (19
loaded).

Built using Microsoft Visual Studio 2017 (VC++ 14.14, build 26431).

--
I wanted to address bug 15992 by using g_file_open_tmp(), however
g_file_open_tmp() doesn't work in the Windows debug build because (per Tomasz
Mon): 
"The g_file_open_tmp() creates the file using
ucrtbase.dll!common_open() while ws_fdopen() does call
ucrtbased.dll!common_fdopen(const int fh, const char * const mode). The
problem is that both ucrtbase.dll and ucrtbased.dll have their own global array
called __pioinfo (which is essentially used in the failing assertion).

The solution would involve getting debug build of glib, so dumpcap.exe and
glib-2.dll (used by libwsutil.dll) would use the same ucrt library
(ucrtbased.dll)."

So I would like an enhancement that has Wireshark using debug builds of glib
(at least on Windows), so that g_file_open_tmp() (and potentially other glib
APIs) can be used.


[Wireshark-bugs] [Bug 15866] 802.11 Probe request with Element ID extension "HE capabilities" reported as malformed

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15866

--- Comment #5 from Richard Sharpe  ---
I will have to compare D2.0 to D3 and D4 to see the issue.

I also had not expected people would implement earlier drafts of the standard,
but it seems some have done so.

One way I can see to handle this is to have a preference that allows the user
to specify which draft they are dealing with.


[Wireshark-bugs] [Bug 15992] wsutil: create_tempfile() is not thread safe

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15992

Michael Mann  changed:

   What|Removed |Added

 CC||mman...@netscape.net

--- Comment #6 from Michael Mann  ---
(In reply to Tomasz Mon from comment #2)
> (In reply to Guy Harris from comment #1)
> > Is there any compelling reason whatsoever to have create_tempfile() return
> > strings generated into private buffers rather than allocating the buffer and
> > returning a pointer to that?
> 
> I cannot think of any such reason.
> 
> One thing that could be argued is that create_tempfile() resides in a shared
> object (.dll on Windows; .so on Linux) and thus we would need to export a
> function to free the string allocated by create_tempfile() (if the user
> explicitly asks for it by providing the pointer to store the pointer to
> allocated string). But this in no way is enough to warrant to keep the
> inferior memory management approach that create_tempfile() is currently
> using.

While I like the "simpler" approach of using g_file_open_tmp() for all
platforms, to fix this bug, we just need to require clients of
create_tempfile() to free the memory of the string name of the temporary file. 
Since g_file_open_tmp() has the same requirement, the current work on
https://code.wireshark.org/review/34420 (using g_file_open_tmp) is halfway
there.
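
The ownership problem discussed in comment #6 and the quoted comments #1 and #2, shown as an added example in C (my illustration, not Wireshark's create_tempfile() or anything from review 34420). Plain libc stands in for GLib: the heap string is built with malloc/snprintf instead of g_strdup, and the functions only build a candidate name instead of creating the file (the real fix goes through g_file_open_tmp()/mkstemp(), which also hands back a caller-freed path). The directory and prefix values are constructed. The first function returns a pointer into a buffer private to the function but shared by every caller, so the second call overwrites what the first caller is still holding; that is exactly the hazard that turns into a race once two threads call it. The second function gives each call its own string and makes freeing it the caller's job, the same contract g_file_open_tmp() imposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The design the bug report objects to: the name is written into a buffer
 * that is private to the function but shared by every caller. The next call,
 * from this thread or another, overwrites a string a caller may still hold. */
static const char *tempfile_name_shared(const char *dir, const char *prefix,
                                        unsigned seq)
{
    static char buf[256];                       /* one buffer for all callers */
    snprintf(buf, sizeof buf, "%s/%s%06u", dir, prefix, seq);
    return buf;
}

/* Ownership-transferring alternative: each call returns its own heap string
 * and the caller frees it, which is also what g_file_open_tmp() requires. */
static char *tempfile_name_alloc(const char *dir, const char *prefix,
                                 unsigned seq)
{
    size_t n = strlen(dir) + 1 + strlen(prefix) + 6 + 1;
    char *name = malloc(n);
    if (name == NULL)
        return NULL;
    snprintf(name, n, "%s/%s%06u", dir, prefix, seq);
    return name;
}

/* Returns 1 when a second call changed the string the first caller holds:
 * both calls return the same pointer and its contents no longer match. */
static int shared_buffer_is_clobbered(void)
{
    const char *first = tempfile_name_shared("/tmp", "wireshark_", 1);
    char before[256];
    snprintf(before, sizeof before, "%s", first); /* what 'first' said initially */
    const char *second = tempfile_name_shared("/tmp", "wireshark_", 2);
    return first == second && strcmp(first, before) != 0;
}

/* Returns 1 when two allocated names are independent strings with the
 * expected contents; the caller owns and frees both. */
static int allocated_names_are_independent(void)
{
    char *a = tempfile_name_alloc("/tmp", "wireshark_", 1);
    char *b = tempfile_name_alloc("/tmp", "wireshark_", 2);
    int ok = a != NULL && b != NULL && a != b &&
             strcmp(a, "/tmp/wireshark_000001") == 0 &&
             strcmp(b, "/tmp/wireshark_000002") == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("shared buffer clobbered by second call: %s\n",
           shared_buffer_is_clobbered() ? "yes" : "no");
    printf("allocated names independent: %s\n",
           allocated_names_are_independent() ? "yes" : "no");
    return 0;
}
```

The single-threaded demonstration is enough to show the defect: a caller that keeps the returned pointer across any later call sees it change underneath it, and with threads the change can happen between the call and the first use. Requiring the caller to free the string costs one exported free routine for callers in another module, the concern comment #2 raises, but removes the shared state entirely.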

[Wireshark-bugs] [Bug 15866] 802.11 Probe request with Element ID extension "HE capabilities" reported as malformed

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15866

--- Comment #4 from Michael Mann  ---
(In reply to Richard Sharpe from comment #3)
> Actually, I think the correct fix is for code dissecting IEs to check the
> length and bail if there are not enough bytes since I think they changed the
> field by adding more bytes.
> 
> Such code should try to dissect as much as it can and add an Expert Info if
> there are not enough bytes.
> 
> This is a general approach I have had to take elsewhere so that the
> remaining IEs can be dissected.

It looked to me like individual field sizes changed.  For example, in 2.6.x the
"HE MAC Capabilities Information" was 5 bytes worth of bits/flags (for 2.0
draft).  And now it's 6 bytes worth of bits/flags.  So it's not just appending
"new" fields to the end of the IE (because that's easier to handle in
Wireshark), but existing fields within the IE are changing sizes.
I would agree with Alexis that I think dissection may need to be based off of
length fields (or at worst preferences) and we can't just say "a single length
value isn't what's expected, dissect nothing".

[Wireshark-bugs] [Bug 15660] tshark -z hosts, ipv4 format is inconsistent with other similar -z options

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15660

Michael Mann  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|CONFIRMED   |RESOLVED

[Wireshark-bugs] [Bug 15866] 802.11 Probe request with Element ID extension "HE capabilities" reported as malformed

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15866

--- Comment #3 from Richard Sharpe  ---
Actually, I think the correct fix is for code dissecting IEs to check the
length and bail if there are not enough bytes since I think they changed the
field by adding more bytes.

Such code should try to dissect as much as it can and add an Expert Info if
there are not enough bytes.

This is a general approach I have had to take elsewhere so that the remaining
IEs can be dissected.

I will look at it soon.

[Wireshark-bugs] [Bug 16018] Linux network drop monitor (net_dm) support

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16018

Dario Lombardo  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|IN_PROGRESS |RESOLVED
 CC||lom...@gmail.com

[Wireshark-bugs] [Bug 15866] 802.11 Probe request with Element ID extension "HE capabilities" reported as malformed

2019-09-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15866

--- Comment #2 from Alexis La Goutte  ---
(In reply to Michael Mann from comment #1)
> Richard,
> 
> This looks like your handiwork, specifically
> Id38a27a61a6a2a083575448e5c59a8e190827e6d, which in the comments states "It
> will not dissect older D2.x packet captures.".
> 
> These packets seem to come from D2.x captures.

The fix will be complicated... because there is no field to say what draft it
is...
(or do we need to check the length?)
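
The length-checking approach proposed in comments #2 through #5 on bug 15866, as an added example in C; this is my illustration, not the packet-ieee80211.c dissector or change Id38a27a61a6a2a083575448e5c59a8e190827e6d. It walks a sequence of information elements (1-byte ID, 1-byte length, body), checks every length against the bytes that remain before touching a body, and for the HE Capabilities element (Element ID Extension 255 with extension ID 35) uses a draft selector, standing in for the preference Richard suggests in comment #5, to choose between the 5-octet D2.x and 6-octet D3+ HE MAC Capabilities sizes that comment #4 reports. A body that is too short for the selected draft is recorded as a warning (where the real dissector would add an Expert Info item) and parsing continues with the next element, as comment #3 asks; the remaining HE fields are only counted, since the thread gives no sizes for them. The sample byte strings and the dissect_stats counters are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Element ID 255 is the Element ID Extension; extension ID 35 is the
 * HE Capabilities element (802.11ax). */
enum { EID_EXTENSION = 255, EXT_EID_HE_CAPABILITIES = 35 };

/* Which HE draft the capture follows. Nothing in the element says so, which
 * is why the thread proposes a user preference; it is a parameter here. */
typedef enum { HE_DRAFT_D2 = 2, HE_DRAFT_D3_OR_LATER = 3 } he_draft_t;

typedef struct {
    int ies_seen;          /* elements whose header and body fit the buffer */
    int he_caps_seen;      /* HE Capabilities elements encountered */
    int he_mac_decoded;    /* ...whose HE MAC Capabilities field was complete */
    int he_trailing_bytes; /* HE octets after the MAC caps field, not decoded here */
    int expert_warnings;   /* points where Wireshark would add an Expert Info item */
    int stopped_early;     /* an element length overran the buffer; parsing stopped */
} dissect_stats;

/* HE MAC Capabilities Information: 5 octets in D2.x captures, 6 from D3 on
 * (the sizes reported in comment #4). */
static size_t he_mac_caps_len(he_draft_t draft)
{
    return draft == HE_DRAFT_D2 ? 5 : 6;
}

/* Dissect one HE Capabilities element body. A short body yields a warning
 * and an early return rather than an exception, so later elements still parse. */
static void dissect_he_caps(const uint8_t *body, size_t len, he_draft_t draft,
                            dissect_stats *st)
{
    size_t mac_len = he_mac_caps_len(draft);
    st->he_caps_seen++;
    if (len < mac_len) {
        st->expert_warnings++;   /* "not enough bytes for HE MAC Capabilities" */
        return;
    }
    st->he_mac_decoded++;
    /* PHY capabilities, MCS/NSS set and PPE thresholds would follow with the
     * same check-then-decode pattern; here they are only counted. */
    st->he_trailing_bytes += (int)(len - mac_len);
    (void)body;
}

/* Walk a buffer of 802.11 information elements. Every length is checked
 * against the bytes remaining before the body is read. */
static dissect_stats dissect_ies(const uint8_t *buf, size_t len, he_draft_t draft)
{
    dissect_stats st = {0, 0, 0, 0, 0, 0};
    size_t off = 0;

    while (off < len) {
        if (len - off < 2) {              /* no room for an ID/length header */
            st.expert_warnings++;
            st.stopped_early = 1;
            break;
        }
        uint8_t id = buf[off];
        uint8_t ielen = buf[off + 1];
        const uint8_t *body = buf + off + 2;

        if (ielen > len - off - 2) {      /* body overruns the buffer */
            st.expert_warnings++;
            st.stopped_early = 1;         /* the next element cannot be located */
            break;
        }
        st.ies_seen++;

        if (id == EID_EXTENSION) {
            if (ielen < 1)
                st.expert_warnings++;     /* no extension ID byte present */
            else if (body[0] == EXT_EID_HE_CAPABILITIES)
                dissect_he_caps(body + 1, ielen - 1, draft, &st);
        }
        off += 2 + ielen;
    }
    return st;
}

/* Constructed sample, not a real capture: SSID "test", an HE Capabilities
 * element with a 5-octet (D2.x-sized) MAC caps field, then DS Parameter Set. */
static const uint8_t sample_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0xff, 0x06, 0x23, 0x01, 0x02, 0x03, 0x04, 0x05,
    0x03, 0x01, 0x06,
};

int main(void)
{
    dissect_stats d3 = dissect_ies(sample_ies, sizeof sample_ies, HE_DRAFT_D3_OR_LATER);
    dissect_stats d2 = dissect_ies(sample_ies, sizeof sample_ies, HE_DRAFT_D2);
    printf("as D3+: ies=%d he_mac_decoded=%d warnings=%d\n",
           d3.ies_seen, d3.he_mac_decoded, d3.expert_warnings);
    printf("as D2 : ies=%d he_mac_decoded=%d warnings=%d\n",
           d2.ies_seen, d2.he_mac_decoded, d2.expert_warnings);
    return 0;
}
```

Run against the sample as D3+, the HE element is flagged as short but the DS Parameter Set after it is still dissected; as D2 the same bytes decode cleanly. Truncating the buffer by one byte stops parsing at the element whose length overruns, since there is no way to find the next header, which is the one case where bailing is the right outcome.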