Re: [Wireshark-dev] Next releases
On Fri, May 22, 2009 at 8:55 AM, Jeff Morriss wrote:
> Peter Harris wrote:
>>
>> Is there any chance of applying the patch in
>> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2981
>> (X11 extension dissection support) for 1.2?
>
> I was reviewing that for a while but have had virtually no time of late
> (though that may change soon; the fact that I got my PC's Internet
> connection working again might help!).

Okay, thanks for the update.

Peter Harris
___
Sent via:Wireshark-dev mailing list
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] writing non-Ethernet pcapng files
Hi Michael.

Thanks for clarifying that for me.

On Fri, May 22, 2009 at 3:30 PM, Michael Tüxen <michael.tue...@lurchi.franken.de> wrote:
> Hi Tyson,
>
> 1.0.7 does only support one section header and one interface header at the
> beginning of the pcapng file. The current svn version allows one section
> header at the beginning and multiple interface headers, but not multiple
> section headers. Basically, Wireshark (the svn version) can currently
> only read pcapng files containing one section. That is the reason why
> you can not just concatenate several pcapng files and read the
> resulting file.
> So it is not a limitation of pcapng, but of its current implementation
> in Wireshark.
>
> Best regards
> Michael
>
> On May 22, 2009, at 1:27 PM, Tyson Key wrote:
>
> > Hi.
> > Out of interest, are there supposed to be issues with Ethernet Pcap-NG
> > files/packets appended to other Pcap-NG files generated with
> > Wireshark 1.0.7 having an unrecognised link type in later (SVN)
> > versions of Wireshark? At the same time, it seems that 1.0.7 has
> > issues reading packets in Pcap-NG files from later versions (i.e.
> > it'll try to recognise a few frames, and if the link type is
> > Ethernet, show them in the packet pane, but it'll complain about a
> > decompression error when trying to view them, or it'll just show one
> > packet with an unknown link type (usually 0 or 113 here), depending
> > on how packets were combined).
> >
> > I've attached some samples for reference.
> >
> > Thanks,
> > Tyson.
> >
> > On Fri, May 22, 2009 at 6:35 AM, Ulf Lamping wrote:
> > Aaron Turner wrote:
> > > On Thu, May 21, 2009 at 12:20 PM, Michael Tüxen wrote:
> > >> On May 21, 2009, at 9:15 PM, Aaron Turner wrote:
> > >>
> > >>> On Thu, May 21, 2009 at 11:55 AM, Michael Tüxen wrote:
> > >>>> Hi Aaron,
> > >>>>
> > >>>> can you check also with the latest svn version?
> > >>> This was trunk-1.0 r28436. Are you working in trunk (wireshark
> > >>> 1.1.x)?
> > >> Yes, I'm working in 1.1.x...
> > >
> > > I just looked at the latest trunk, and it too hard codes only
> > > ethernet as supported:
> > >
> > > from wiretap/pcapng.c pcapng_dump_can_write_encap():
> > >
> > >     /* XXX - for now we only support Ethernet */
> > >     if (encap != WTAP_ENCAP_ETHERNET)
> > >         return WTAP_ERR_UNSUPPORTED_ENCAP;
> > >
> >
> > Hi!
> >
> > This comment is from the time when I started to experimentally implement
> > pcapng.
> >
> > This was only a rough prototype at that time and as I'm personally only
> > using Ethernet, I've only implemented the absolutely necessary stuff.
> >
> > It's very long ago so I can't remember if there are any further problems
> > with anything else than Ethernet.
> >
> > Seems that you're the first one trying to use it in this way ...
> >
> > Regards, ULFL
> >
> > --
> > Fight Internet Censorship! http://www.eff.org
> > ~
> > http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105
> >
> > <Cooked_DC28436-107_Ethernet_Concat.ntar>
> > <Cooked_Dumpcap_SVN_28436.ntar>
> > <Ethernet_Dumpcap_SVN_28436.ntar>
> > <Ethernet_Wireshark_1.0.7.ntar>

--
Fight Internet Censorship! http://www.eff.org
~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105

Re: [Wireshark-dev] writing non-Ethernet pcapng files
Hi Tyson,

1.0.7 does only support one section header and one interface header at the
beginning of the pcapng file. The current svn version allows one section
header at the beginning and multiple interface headers, but not multiple
section headers. Basically, Wireshark (the svn version) can currently
only read pcapng files containing one section. That is the reason why
you can not just concatenate several pcapng files and read the
resulting file.
So it is not a limitation of pcapng, but of its current implementation
in Wireshark.

Best regards
Michael

On May 22, 2009, at 1:27 PM, Tyson Key wrote:

> Hi.
> Out of interest, are there supposed to be issues with Ethernet Pcap-NG
> files/packets appended to other Pcap-NG files generated with
> Wireshark 1.0.7 having an unrecognised link type in later (SVN)
> versions of Wireshark? At the same time, it seems that 1.0.7 has
> issues reading packets in Pcap-NG files from later versions (i.e.
> it'll try to recognise a few frames, and if the link type is
> Ethernet, show them in the packet pane, but it'll complain about a
> decompression error when trying to view them, or it'll just show one
> packet with an unknown link type (usually 0 or 113 here), depending
> on how packets were combined).
>
> I've attached some samples for reference.
>
> Thanks,
> Tyson.
>
> On Fri, May 22, 2009 at 6:35 AM, Ulf Lamping wrote:
> Aaron Turner wrote:
> > On Thu, May 21, 2009 at 12:20 PM, Michael Tüxen wrote:
> >> On May 21, 2009, at 9:15 PM, Aaron Turner wrote:
> >>
> >>> On Thu, May 21, 2009 at 11:55 AM, Michael Tüxen wrote:
> >>>> Hi Aaron,
> >>>>
> >>>> can you check also with the latest svn version?
> >>> This was trunk-1.0 r28436. Are you working in trunk (wireshark
> >>> 1.1.x)?
> >> Yes, I'm working in 1.1.x...
> >
> > I just looked at the latest trunk, and it too hard codes only
> > ethernet as supported:
> >
> > from wiretap/pcapng.c pcapng_dump_can_write_encap():
> >
> >     /* XXX - for now we only support Ethernet */
> >     if (encap != WTAP_ENCAP_ETHERNET)
> >         return WTAP_ERR_UNSUPPORTED_ENCAP;
> >
>
> Hi!
>
> This comment is from the time when I started to experimentally implement
> pcapng.
>
> This was only a rough prototype at that time and as I'm personally only
> using Ethernet, I've only implemented the absolutely necessary stuff.
>
> It's very long ago so I can't remember if there are any further problems
> with anything else than Ethernet.
>
> Seems that you're the first one trying to use it in this way ...
>
> Regards, ULFL
>
> --
> Fight Internet Censorship! http://www.eff.org
> ~
> http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105
>
> <Cooked_DC28436-107_Ethernet_Concat.ntar>
> <Cooked_Dumpcap_SVN_28436.ntar>
> <Ethernet_Dumpcap_SVN_28436.ntar>
> <Ethernet_Wireshark_1.0.7.ntar>

Re: [Wireshark-dev] Warning/error messages when running Wireshark
Stephen Fisher wrote:
> On Thu, May 21, 2009 at 07:32:49AM +0200, Joerg Mayer wrote:
>> In there is also a warning message by dumpcap that seems quite
>> unnecessary (useless?) to me - at least when I run wireshark with the
>> "-r" option. That may be something to be done before 1.2.
>
> Is it this message?
>
> dumpcap: There are no interfaces on which a capture can be done

This is the subject of bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2060

I looked at it once but I think I found it was non-trivial to fix correctly.

Re: [Wireshark-dev] Next releases
Peter Harris wrote:
> On Fri, May 15, 2009 at 2:27 PM, Gerald Combs wrote:
>> Next week I plan on releasing 1.2.0rc1 and 1.0.8. The 1.2.0rc1 release
>> will include creating a /trunk-1.2 branch in SVN. If you need me to
>> postpone the branch or release, please let me know.
>>
>> I've started working on the release notes (docbook/release-notes.xml).
>> If I missed any new/updated features, let me know.
>
> Is there any chance of applying the patch in
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2981
> (X11 extension dissection support) for 1.2?
>
> Or did I misunderstand "missed new/updated features"?

I was reviewing that for a while but have had virtually no time of late
(though that may change soon; the fact that I got my PC's Internet
connection working again might help!).

Re: [Wireshark-dev] how do I know that a new capture has been started
Thanks for all answers,

Olivier

Stephen Fisher wrote:
> On Thu, May 21, 2009 at 05:23:52PM +0200, wsgd wrote:
>
>> Into a plugin dissector,
>> how do I know that :
>> - a new capture has been started
>> - a new file is loaded
>>
>> reset callback of register_tap_listener ?
>> other possibilities ?
>>
>> Can I use (or it is normal to use) the tap system on my own protocol ?
>> other possibilities ?
>
> The plugin dissector will be called when a new capture has been started
> that has packets which belong to your plugin dissector. When a new file
> is loaded, the same happens if there are packets belonging to your
> dissector. A dissector is called once per packet for every packet
> belonging to it. What are you trying to accomplish?

manage global data (which must be reset when we start a new capture, ...)

> Steve

--
Wireshark Generic Dissector http://wsgd.free.fr

Re: [Wireshark-dev] writing non-Ethernet pcapng files
Hi.

Out of interest, are there supposed to be issues with Ethernet Pcap-NG
files/packets appended to other Pcap-NG files generated with Wireshark 1.0.7
having an unrecognised link type in later (SVN) versions of Wireshark? At the
same time, it seems that 1.0.7 has issues reading packets in Pcap-NG files
from later versions (i.e. it'll try to recognise a few frames, and if the
link type is Ethernet, show them in the packet pane, but it'll complain about
a decompression error when trying to view them, or it'll just show one packet
with an unknown link type (usually 0 or 113 here), depending on how packets
were combined).

I've attached some samples for reference.

Thanks,
Tyson.

On Fri, May 22, 2009 at 6:35 AM, Ulf Lamping wrote:
> Aaron Turner wrote:
> > On Thu, May 21, 2009 at 12:20 PM, Michael Tüxen wrote:
> >> On May 21, 2009, at 9:15 PM, Aaron Turner wrote:
> >>
> >>> On Thu, May 21, 2009 at 11:55 AM, Michael Tüxen wrote:
> >>>> Hi Aaron,
> >>>>
> >>>> can you check also with the latest svn version?
> >>> This was trunk-1.0 r28436. Are you working in trunk (wireshark
> >>> 1.1.x)?
> >> Yes, I'm working in 1.1.x...
> >
> > I just looked at the latest trunk, and it too hard codes only
> > ethernet as supported:
> >
> > from wiretap/pcapng.c pcapng_dump_can_write_encap():
> >
> >     /* XXX - for now we only support Ethernet */
> >     if (encap != WTAP_ENCAP_ETHERNET)
> >         return WTAP_ERR_UNSUPPORTED_ENCAP;
> >
>
> Hi!
>
> This comment is from the time when I started to experimentally implement
> pcapng.
>
> This was only a rough prototype at that time and as I'm personally only
> using Ethernet, I've only implemented the absolutely necessary stuff.
>
> It's very long ago so I can't remember if there are any further problems
> with anything else than Ethernet.
>
> Seems that you're the first one trying to use it in this way ...
>
> Regards, ULFL

--
Fight Internet Censorship! http://www.eff.org
~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105

Cooked_DC28436-107_Ethernet_Concat.ntar
Description: Binary data

Cooked_Dumpcap_SVN_28436.ntar
Description: Binary data

Ethernet_Dumpcap_SVN_28436.ntar
Description: Binary data

Ethernet_Wireshark_1.0.7.ntar
Description: Binary data

Re: [Wireshark-dev] writing non-Ethernet pcapng files
Hi Aaron,

thanks for the fix. I have committed it (with whitespace changes).

Best regards
Michael

On May 22, 2009, at 12:48 AM, Aaron Turner wrote:

> Looks like there was a bug where WTAP codes weren't being properly
> converted to DLT types and since ethernet == ethernet, that worked,
> but most everything else didn't.
>
> I've attached a patch which I've tested with HDLC, 802.11, 802.11 w/
> radio headers and Juniper Ethernet. The first three work just fine,
> but Wireshark isn't properly decoding the Juniper Ethernet pcapng file
> even though it appears correctly formatted:
>
> 000: 0a0d 0d0a 1c00 4d3c 2b1a 0100 M<+.
> 010: 1c00 0100
> 020: 1400 b200 dc05 1400
> 030: 0600 8400 0100 2f69 0400 /i..
> 040: d61a b423 6400 6400 4d47 4380 ...#d...d...MGC.
>
> As you can see at offset 0x24-25, the encoded DLT is 178 which is
> Juniper Ethernet, but capinfos/Wireshark is returning Unknown. I
> haven't bothered to track down why wireshark (latest 1.1.x from svn)
> handles this for pcap but not pcapng.
>
> Side note: I thought wireshark coding standard was to use spaces and
> not tabs, but pcapng.c seemed to be tabbed so I maintained that. If
> someone wants me to do differently, let me know.
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for
> Unix & Windows
> Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety.
>     -- Benjamin Franklin
>
> On Thu, May 21, 2009 at 1:39 PM, Aaron Turner wrote:
>> On Thu, May 21, 2009 at 1:06 PM, Michael Tüxen wrote:
>>> Hi Aaron,
>>>
>>> I see what you mean. I'm using pcapio.[ch] in dumpcap,
>>> so I'm using WTAP_ENCAP_PER_PACKET...
>>>
>>> Can you file a bug report at https://bugs.wireshark.org/bugzilla/
>>> such that it does not get forgotten. Please describe
>>> what you want to get working (possibly providing the
>>> input file). Then it does not get lost.
>>>
>> I will look at it after finishing the capturing support,
>> if no one else takes the issue earlier.
>>
>> Well looks like it was more work than I thought... converting from
>> pcap to pcapng loses the encapsulation type for some reason (at least
>> with my HDLC test). I'm going to see if I can dig around and figure
>> out what's going on.
>>
>> --
>> Aaron Turner
>> http://synfin.net/
>> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for
>> Unix & Windows
>> Those who would give up essential Liberty, to purchase a little
>> temporary Safety, deserve neither Liberty nor Safety.
>>     -- Benjamin Franklin
>>
> <export.patch>
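
Added example, not part of the thread and not Wireshark code: a small block walker that shows the two points discussed above, namely that an interface's link type sits at offset 0x24 of a minimal pcapng file, and that concatenating two pcapng files produces a second section header. The helper names (build_section, list_sections) and the sample files are constructed for illustration; link types 1, 113 and 178 are the values mentioned in the messages.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def build_section(linktype, snaplen=1500):
    """Constructed sample: a little-endian SHB followed by one IDB."""
    shb = struct.pack("<IIIHHqI", SHB_TYPE, 28, BYTE_ORDER_MAGIC, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", IDB_TYPE, 20, linktype, 0, snaplen, 20)
    return shb + idb

def list_sections(data):
    """Return one list of interface link types per section in data."""
    sections, off, endian = [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # The SHB type reads the same in both byte orders; the magic
            # that follows tells us how to decode the rest of the section.
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
            sections.append([])
        elif not sections:
            raise ValueError("data does not start with a section header")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        # Never trust the length field: check bounds, alignment and trailer.
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        (trailer,) = struct.unpack_from(endian + "I", data, off + blen - 4)
        if trailer != blen:
            raise ValueError("length fields disagree at offset %d" % off)
        if btype == IDB_TYPE:
            if blen < 20:
                raise ValueError("short interface block at offset %d" % off)
            (linktype,) = struct.unpack_from(endian + "H", data, off + 8)
            sections[-1].append(linktype)
        off += blen
    return sections

if __name__ == "__main__":
    juniper = build_section(178)                    # DLT quoted in the thread
    print(list_sections(juniper))
    concat = build_section(1) + build_section(113)  # two files appended
    print(list_sections(concat))
```

A result with more than one inner list means the data holds several sections, which is the case the thread says the Wireshark versions of the time could not read.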