Re: [Wireshark-dev] Undissected packet bytes

2015-02-06 Thread Dario Lombardo
On Fri, Feb 6, 2015 at 7:52 AM, Michal Labedzki michal.labed...@tieto.com
wrote:

 One more hint: if you push a patch as a draft, then add a reviewer, because a draft
 is invisible to anyone (except the author and reviewers)

 Alternative command(s) to send to gerrit:
 git push origin HEAD:refs/drafts/master
 git push origin HEAD:refs/publish/master


Thanks for the suggestion, I missed that.


 By the way: I vote for adding expert info. Sometimes there are
 undecoded fields with info like "Undecoded, if you want that ask
 developers to add :)"


That was my idea, too. But I encountered some issues achieving that. I will
add you as a reviewer too; maybe you can suggest a feasible way to do
that. Anyone interested, please ask to be added.
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Undissected packet bytes

2015-02-05 Thread Dario Lombardo
On Thu, Feb 5, 2015 at 1:19 PM, Evan Huus eapa...@gmail.com wrote:

 I believe g_log and friends go to standard out, but maybe not on all
 platforms. An expert info under conditional compilation would probably
 be enough though, I hadn't thought of that.


Another question. I've found a promising point to put the check
(packet.c:call_dissector_with_data()). This function is called many times
(I can count 4 times per packet), sometimes when the tree is open, sometimes
when it's closed. How can I navigate (and check) the tree if and only if
it's open?
Only in this case can I check if there are undecoded bytes.

Re: [Wireshark-dev] Undissected packet bytes

2015-02-05 Thread Dario Lombardo
Evan,
please find attached a patch that implements what I was trying to do. I'd
like to share it here with you and other developers in order to understand if
it goes in the right direction and maybe to open discussions on it. If it
seems good, I'll move it to gerrit for code review.

To test it, simply comment out any proto_tree_add_item() call from a dissector of
your choice, and open a packet with wireshark or with tshark -V.

Comments are welcome.
Dario.

On Thu, Feb 5, 2015 at 1:41 PM, Dario Lombardo dario.lombardo...@gmail.com
wrote:

 On Thu, Feb 5, 2015 at 1:19 PM, Evan Huus eapa...@gmail.com wrote:

 I believe g_log and friends go to standard out, but maybe not on all
 platforms. An expert info under conditional compilation would probably
 be enough though, I hadn't thought of that.


 Another question. I've found a promising point to put the check
 (packet.c:call_dissector_with_data()). This function is called many times
 (I can count 4 times per packet), sometimes when the tree is open, sometimes
 when it's closed. How can I navigate (and check) the tree if and only if
 it's open?
 Only in this case can I check if there are undecoded bytes.

commit c14aab04326ab438304a0b0a87821b68359c7ebb
Author: Dario Lombardo lom...@gmail.com
Date:   Wed Feb 4 10:25:16 2015 +0100

TRY

Change-Id: I03e592dd3d54fc0e1c4af09d5d5336dda93f950e

diff --git a/epan/packet.c b/epan/packet.c
index 2899b7d..d277596 100644
--- a/epan/packet.c
+++ b/epan/packet.c
@@ -43,6 +43,7 @@
 
 #include addr_resolv.h
 #include tvbuff.h
+#include log.h
 #include epan_dissect.h
 
 #include wmem/wmem.h
@@ -52,6 +53,7 @@
 #include epan/stream.h
 #include epan/expert.h
 #include epan/range.h
+#include epan/proto.h
 
 static gint proto_malformed = -1;
 static dissector_handle_t frame_handle = NULL;
@@ -2397,6 +2399,29 @@ call_dissector_with_data(dissector_handle_t handle, 
tvbuff_t *tvb,
call_dissector_work(data_handle, tvb, pinfo, tree, TRUE, NULL);
return tvb_length(tvb);
}
+
+   if (tree  tree-tree_data-visible  strncmp(handle-name, frame, 
5)) {
+   gchar* decoded;
+   guint length;
+   guint i;
+   guint byte;
+   guint bit;
+
+   length = tvb_captured_length(tvb);
+   decoded = proto_seek_undecoded_data(tree, length);
+
+   for (i = 0; i  length; i++) {
+   field_info* fi = proto_find_field_from_offset(tree, i, 
tvb);
+   byte = i / 8;
+   bit = i % 8;
+   if (!(decoded[byte]  ((1  bit)  0xFF))  
strncmp(fi-hfinfo-abbrev, frame, 5)) {
+   g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_WARNING,
+   Dissector %s incomplete: undecoded 
byte %u\n,
+   fi-hfinfo-abbrev, i);
+   }
+   }
+}
+
return ret;
 }
 
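Review bot: the inner loop dereferences `fi->hfinfo->abbrev` without a NULL check, and `fi` is exactly the value most likely to be NULL at an undecoded offset, since `proto_find_field_from_offset` returns NULL when no field covers that byte (the thread itself reports NULL results from this call); either guard with `if (fi && ...)` or drop the per-byte lookup and report the offsets straight from the `decoded` bitmap, because calling `proto_find_field_from_offset` for every byte walks the whole tree per byte, which is the quadratic cost Evan warned about. Smaller points: `& 0xFF` after `1 << bit` is redundant for `bit < 8`; this block runs on every nested `call_dissector_with_data` (four times per packet by the author's own count), so one undecoded byte is logged once per nesting level, and checking once per frame after the top-level dissection has finished would avoid the duplicates; and `LOG_DOMAIN_CAPTURE` is the capture engine's log domain, which is misleading for a dissection diagnostic.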
diff --git a/epan/proto.c b/epan/proto.c
index e12f3b6..1cd1bc1 100644
--- a/epan/proto.c
+++ b/epan/proto.c
@@ -6940,6 +6940,36 @@ proto_find_field_from_offset(proto_tree *tree, guint 
offset, tvbuff_t *tvb)
return offsearch.finfo;
 }
 
+
+static gboolean
+check_for_undecoded(proto_node *node, const gpointer data)
+{
+   field_info *fi = PNODE_FINFO(node);
+   gchar* decoded = (gchar*)data;
+   gint i;
+   guint byte;
+   guint bit;
+
+   if (fi  fi-hfinfo-type != FT_PROTOCOL) {
+   for (i = fi-start; i  fi-start + fi-length; i++) {
+   byte = i / 8;
+   bit = i % 8;
+   decoded[byte] |= ((1  bit)  0xFF);
+   }
+   }
+
+   return FALSE;
+}
+
+gchar*
+proto_seek_undecoded_data(proto_tree *tree, guint length)
+{
+   gchar* decoded = (gchar*)wmem_alloc0(wmem_packet_scope(), length / 8 + 
1);
+
+   proto_tree_traverse_pre_order(tree, check_for_undecoded, decoded);
+   return decoded;
+}
+
 /* Dumps the protocols in the registration database to stdout. An independent
  * program can take this output and format it into nice tables or HTML or
  * whatever.
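Review bot: `check_for_undecoded` writes `decoded[i / 8]` for every `i` in `[fi->start, fi->start + fi->length)` without comparing `i` against the `length` the bitmap was sized for (`length / 8 + 1` bytes), and it ignores which data source the field belongs to, so a field whose `ds_tvb` is a reassembled or decrypted buffer carries offsets from another tvb and can write past the end of the packet-scope allocation. Pass the frame length (and the frame tvb, to compare against `fi->ds_tvb`) to the callback in a small struct instead of the bare buffer, and `break` as soon as `i >= length`. The `gint i` loop variable is also compared against `guint`-derived bounds; a `guint` would match the bitmap index type.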
diff --git a/epan/proto.h b/epan/proto.h
index e9b4f10..fbd9728 100644
--- a/epan/proto.h
+++ b/epan/proto.h
@@ -2221,6 +2221,14 @@ proto_construct_match_selected_string(field_info *finfo, 
struct epan_dissect *ed
 WS_DLL_PUBLIC field_info*
 proto_find_field_from_offset(proto_tree *tree, guint offset, tvbuff_t *tvb);
 
+/** Find undecoded bytes in a tree
+ @param tree tree of interest
+ @param offset offset in the tvb
+ @param length the length of the frame
+ @return an array to be used as bitmap of decoded bytes */
+WS_DLL_PUBLIC gchar*
+proto_find_undecoded_data(proto_tree *tree, guint length);
+
 /** This function will dissect a sequence of bytes that describe a bitmask.
  @param tree the tree to append this item to
  @param tvb the tv buffer of the current data
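Review bot: the prototype added here is `proto_find_undecoded_data`, but proto.c defines `proto_seek_undecoded_data` and packet.c calls `proto_seek_undecoded_data`, so the exported declaration matches nothing and the packet.c call relies on an implicit declaration at best; use one name in all three files. The doc comment also lists an `@param offset` that the signature does not have, and `@return` should state that the buffer is allocated in `wmem_packet_scope()` and must not be kept past the current packet.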

Re: [Wireshark-dev] Undissected packet bytes

2015-02-05 Thread Dario Lombardo
On Wed, Feb 4, 2015 at 7:28 PM, Evan Huus eapa...@gmail.com wrote:

 I suppose you could add a an expert info, but I think that might be
 overkill, most users probably don't care that much.


Expert infos could be added under conditional compilation. If enabled, it
would allow filtering packets that have expert info set, in order to find
incomplete dissectors against a large set of data (e.g. the menagerie).


 You could just log
 it, or dissect it as data, or...


You mean using g_log, don't you? Where do those logs go? I'm not able to show
them.

Re: [Wireshark-dev] Undissected packet bytes

2015-02-04 Thread Dario Lombardo
On Wed, Feb 4, 2015 at 5:25 PM, Evan Huus eapa...@gmail.com wrote:

 I think you will need to add a function very similar to
 proto_find_field_from_offset that makes use of
 proto_tree_traverse_pre_order and tracks which bytes have been seen
 as the traversal proceeds.


And how could the output be shown to the user? With expert infos?

Re: [Wireshark-dev] Undissected packet bytes

2015-02-04 Thread Dario Lombardo
On Wed, Feb 4, 2015 at 3:52 PM, Evan Huus eapa...@gmail.com wrote:


 As a side note, I would expect that method to be *very* slow, since it
 traverses the entire tree for every byte of the packet. Traversing the
 tree once and maintaining a set of covered/uncovered ranges would be
 much more efficient.


I can't figure out how to traverse the tree once.
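As an added example (not code from the thread or from the Wireshark tree), this is the single-traversal approach Evan describes: every field's byte range is marked in a bitmap once, container nodes are skipped, offsets outside the frame are rejected before they can index the bitmap, and the unclaimed bytes are then coalesced into ranges. The `sample_field` struct and the `find_uncovered_ranges`/`sample_uncovered` functions stand in for Wireshark's field_info and proto tree traversal, and the field ranges are constructed sample data.

```c
/* Added example: one-pass detection of undissected bytes from a list of
 * field ranges. Not Wireshark code; the types and names are this example's. */
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a field_info visited during a pre-order tree traversal. */
typedef struct {
    const char *abbrev;       /* field abbreviation, e.g. "ex.type" */
    int         start;        /* byte offset within the frame */
    int         length;       /* byte length of the field */
    int         is_container; /* 1 for protocol/subtree nodes spanning children */
} sample_field;

/* One uncovered [start, end) byte range. */
typedef struct {
    unsigned start;
    unsigned end;
} byte_range;

#define MAX_RANGES 16

/* Mark the bytes claimed by one field. Container nodes (FT_PROTOCOL-like)
 * are skipped because they span their children and would hide gaps.
 * Offsets outside the frame (a field from another data source, or a bogus
 * length) are dropped so the write can never leave the bitmap. */
static void mark_field(unsigned char *bitmap, unsigned frame_len,
                       const sample_field *f)
{
    int i;
    if (f->is_container || f->start < 0 || f->length <= 0)
        return;
    for (i = f->start; i < f->start + f->length; i++) {
        if ((unsigned)i >= frame_len)
            break;
        bitmap[i / 8] |= (unsigned char)(1u << (i % 8));
    }
}

/* Single pass over the fields builds the coverage bitmap; a second linear
 * scan coalesces unclaimed bytes into ranges. Returns the number of ranges
 * written (at most max_ranges). */
size_t find_uncovered_ranges(const sample_field *fields, size_t nfields,
                             unsigned frame_len, byte_range *out,
                             size_t max_ranges)
{
    unsigned char *bitmap = calloc(frame_len / 8 + 1, 1);
    size_t i, count = 0;
    unsigned off;
    int in_gap = 0;

    if (bitmap == NULL || max_ranges == 0)
        return 0;
    for (i = 0; i < nfields; i++)
        mark_field(bitmap, frame_len, &fields[i]);

    /* off == frame_len acts as a covered sentinel that closes a trailing gap. */
    for (off = 0; off <= frame_len; off++) {
        int covered = (off == frame_len) ||
                      (bitmap[off / 8] & (1u << (off % 8)));
        if (!covered && !in_gap) {          /* gap opens */
            in_gap = 1;
            out[count].start = off;
        } else if (covered && in_gap) {     /* gap closes */
            out[count].end = off;
            in_gap = 0;
            if (++count == max_ranges)
                break;
        }
    }
    free(bitmap);
    return count;
}

/* Constructed sample tree for a 20-byte frame: a container spanning the whole
 * frame, leaf fields claiming parts of it, one field from another data source
 * (offset beyond the frame) and one field running past the end of the frame. */
#define SAMPLE_FRAME_LEN 20u
size_t sample_uncovered(byte_range *out, size_t max_ranges)
{
    static const sample_field fields[] = {
        { "ex.hdr",           0, 20, 1 },
        { "ex.type",          0,  2, 0 },
        { "ex.len",           2,  2, 0 },
        { "ex.id",            6,  4, 0 },
        { "ex.flag",         12,  1, 0 },
        { "ex.reassembled", 100,  4, 0 },
        { "ex.trailer",      18,  4, 0 },
    };
    return find_uncovered_ranges(fields, sizeof fields / sizeof fields[0],
                                 SAMPLE_FRAME_LEN, out, max_ranges);
}

int main(void)
{
    byte_range gaps[MAX_RANGES];
    size_t n = sample_uncovered(gaps, MAX_RANGES), i;
    for (i = 0; i < n; i++)
        printf("undecoded bytes %u-%u\n", gaps[i].start, gaps[i].end - 1);
    return 0;
}
```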

Re: [Wireshark-dev] Undissected packet bytes

2015-02-04 Thread Dario Lombardo
Hi Evan
This looks promising. Where can I use this call?
If I run it from within a dissector

packet-hpfeeds.c:344 (just an example... for purpose of testing)

for (i = 0; i < len; i++) {
    fi = proto_find_field_from_offset(tree, i, tvb);
    g_print("TEST1 %p %d %p = %p\n", tree, i, tvb, fi);
}

it always returns NULL.

If I run it from the gtk gui

packet-panes.c:369

g_print("TEST2 %p %d %p = %p\n", tree, byte, tvb, finfo);

it returns a (valid?) pointer.

The 2 prints show the same values of pointer/offsets.

Where should a loop like the one above be added in the code so that
it shows every undissected byte in every dissector?
Thanks.
Dario.

On Tue, Feb 3, 2015 at 6:15 PM, Evan Huus eapa...@gmail.com wrote:

 As far as I know this is not currently available, but it would
 probably be fairly useful and easy. You just need to iterate the proto
 tree and keep track of which byte ranges are claimed/unclaimed.
 proto_find_field_from_offset does something related to this (it is
 used for matching bytes to fields in the UI) so it's probably a good
 place to start.

 On Tue, Feb 3, 2015 at 12:08 PM, Dario Lombardo
 dario.lombardo...@gmail.com wrote:
  Hi list
  I was wondering if there is a comfortable way to find out undissected
 bytes
  in packets. This would be useful to find incomplete dissectors.
  Any hint?
  Thanks!
  Dario.
 
 


Re: [Wireshark-dev] Undissected packet bytes

2015-02-04 Thread Dario Lombardo
That's a possibility (I have to take a look at the dissectors you both
mentioned, and I haven't yet), but what I was looking for was a more
general way to do that. If the dissector itself has to make these checks, it
means that all dissectors' code must be patched. If we find a way to do that
after the dissector has finished, we could have a way to automatically find
incomplete dissectors.

On Wed, Feb 4, 2015 at 9:46 AM, Michal Labedzki michal.labed...@tieto.com
wrote:

 I use expert info about undecoded things in Bluetooth dissectors.

 In proto.h:
 /** The data is undecoded, the protocol dissection is incomplete here,
 usually PI_WARN severity */
 #define PI_UNDECODED 0x0500

 But I use it with PI_NOTE, because I treat PI_WARN more like a bug
 rather than incomplete dissections.

 On 3 February 2015 at 23:52, Alexis La Goutte alexis.lagou...@gmail.com
 wrote:
  There are some dissectors (like ICMPv6, IEEE 802.11 or CAPWAP...)
 
  where there is already expert info about undecoded code...
 
 
  On Tue, Feb 3, 2015 at 6:15 PM, Evan Huus eapa...@gmail.com wrote:
 
  As far as I know this is not currently available, but it would
  probably be fairly useful and easy. You just need to iterate the proto
  tree and keep track of which byte ranges are claimed/unclaimed.
  proto_find_field_from_offset does something related to this (it is
  used for matching bytes to fields in the UI) so it's probably a good
  place to start.
 
  On Tue, Feb 3, 2015 at 12:08 PM, Dario Lombardo
  dario.lombardo...@gmail.com wrote:
   Hi list
   I was wondering if there is a comfortable way to find out undissected
   bytes
   in packets. This would be useful to find incomplete dissectors.
   Any hint?
   Thanks!
   Dario.
  
  
  



 --

 Pozdrawiam / Best regards

 -
 Michał Łabędzki, Software Engineer
 Tieto Corporation

 Product Development Services

 http://www.tieto.com / http://www.tieto.pl
 ---
 ASCII: Michal Labedzki
 location: Swobodna 1 Street, 50-088 Wrocław, Poland
 room: 5.01 (desk next to 5.08)
 ---

[Wireshark-dev] Undissected packet bytes

2015-02-03 Thread Dario Lombardo
Hi list
I was wondering if there is a comfortable way to find out undissected bytes
in packets. This would be useful to find incomplete dissectors.
Any hint?
Thanks!
Dario.

Re: [Wireshark-dev] nflog in qt and gtk

2015-01-26 Thread Dario Lombardo
Some updates on this.
When running in QT, 2 dumpcaps are created, one for stats and one for
capture. When capturing on nflog, the child process requires the parent to
be dead (its fds are released). I tried to implement a solution that, in
case the interface starts with "nf", tries again up to 10 times. It works
on my machine. I noticed that the first try fails, while the second succeeds.
You can find the change here

https://code.wireshark.org/review/#/c/6796/

Comments welcome.
Dario.

On Fri, Jan 23, 2015 at 2:11 PM, Dario Lombardo dario.lombardo...@gmail.com
 wrote:

 Hi Peter
 I opened a bug on bugzilla for that

 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10886

 and I tried to figure out how the solution can be implemented. You can
 find my WIP here

 https://code.wireshark.org/review/6757

 If you or someone else want to work on it, you're welcome.
 Dario.

 On Tue, Dec 23, 2014 at 11:15 AM, Dario Lombardo 
 dario.lombardo...@gmail.com wrote:



 Kill statistics before starting the capture? Sounds fine to me, though I
 am not sure whether it has other side-effects. The Capture - Options
 dialog is another place where these stats are visible.


 What about filing a bug? Do you think it would be useful? Or is there
 anyone taking care of it?




Re: [Wireshark-dev] nflog in qt and gtk

2015-01-23 Thread Dario Lombardo
Hi Peter
I opened a bug on bugzilla for that

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10886

and I tried to figure out how the solution can be implemented. You can find
my WIP here

https://code.wireshark.org/review/6757

If you or someone else want to work on it, you're welcome.
Dario.

On Tue, Dec 23, 2014 at 11:15 AM, Dario Lombardo 
dario.lombardo...@gmail.com wrote:



 Kill statistics before starting the capture? Sounds fine to me, though I
 am not sure whether it has other side-effects. The Capture - Options
 dialog is another place where these stats are visible.


 What about filing a bug? Do you think it would be useful? Or is there
 anyone taking care of it?


[Wireshark-dev] JSON as mime type

2015-01-21 Thread Dario Lombardo
Hi list,

Now that the json dissector has become heuristic, I was trying to make
wireshark open a native json file, as it is able to do with xml.
What is necessary to make it work other than adding a line like

heur_dissector_add("wtap_file", dissect_json_heur, proto_json);

in the json dissector? I tried to read native file dissectors (like
file-png.c) and non-native ones (like packet-xml.c), but I hit a dead end.
Can anyone help?
Thanks.
Dario.

[Wireshark-dev] Question about stats_tree

2015-01-13 Thread Dario Lombardo
Hi list
I was planning to have a stats_tree for hpfeeds, but I have a problem and I
need some suggestions from you.
In hpfeeds the channel is a user-defined string that is not defined by the
protocol, and that is used to share information among a set of consumers/producers.
Because of that I can't create a pivot table based on hard-coded values. I would
like to generate stats per channel like:

Channels stats: 100
- channel 1: 80
- channel 2: 20

Is there a way to achieve that? I am able to get the channel name only
during dissection, and not in the init phase.
I hope I have described the issue well...

Any idea/suggestion?

Thanks!
Dario.

Re: [Wireshark-dev] Patch being stuck

2015-01-08 Thread Dario Lombardo
On Thu, Jan 8, 2015 at 11:50 AM, Graham Bloice graham.blo...@trihedral.com
wrote:


 No blockage reason, just no-one on the core team has gotten around to
 having a look at it yet.  Submission to the Petri-Dish isn't (yet)
 automatic, it requires a manual flag (from a core team member).


Ok, that's the part I missed.
I will take a look at the others' suggestions to move libjsmn.
Thanks.
Dario.

[Wireshark-dev] Patch being stuck

2015-01-08 Thread Dario Lombardo
Hi list
I pushed a patch a couple of days ago

https://code.wireshark.org/review/#/c/6350/

I think it's getting stuck for some reason (not even the petri dish
buildbot has processed it).

Other patches submitted later (eg. https://code.wireshark.org/review/6394
 or https://code.wireshark.org/review/6367) have been or are being
processed.
Is there any reason for that? I'm not pushing anyone... just wondering if
for some reason it is blocked.

Thanks
Dario.

Re: [Wireshark-dev] nflog in qt and gtk

2014-12-23 Thread Dario Lombardo



 Kill statistics before starting the capture? Sounds fine to me, though I
 am not sure whether it has other side-effects. The Capture - Options
 dialog is another place where these stats are visible.


What about filing a bug? Do you think it would be useful? Or is there
anyone taking care of it?

Re: [Wireshark-dev] nflog in qt and gtk

2014-12-19 Thread Dario Lombardo
On Thu, Dec 18, 2014 at 4:29 PM, Peter Wu pe...@lekensteyn.nl wrote:


 You should not run Wireshark with sudo, instead set the appropriate
 privileges on the dumpcap binary as described at
 http://wiki.wireshark.org/CaptureSetup/CapturePrivileges


Generally speaking, you are right, and it's what I do with my stable
wireshark. But with my development version, the setcapped binary is
overwritten every time I recompile. So I use the master compiled version
with sudo.


  What did I do wrong?

 I have spent some minutes debugging it and it turns out that you
 cannot have two open sockets for NFLOG.

 Reproducer:
 $ dumpcap -i nflog -w /dev/null
 Capturing on 'nflog'
 File: /dev/null
 (in a different shell)
 $ dumpcap -i nflog -w /dev/null
 Capturing on 'nflog'
 dumpcap: The capture session could not be initiated on interface 'nflog'
 (Can't listen on group group index: Operation not permitted).
 Please check to make sure you have sufficient permissions, and that you
 have the proper interface or pipe specified.

 The difference between GTK and Qt is that Qt additionally executes
 `dumpcap -S -Z none` which seems to open a socket for each available
 interface to collect stats.

 At this point I stopped debugging, hope it helps.


If I've got the point, wireshark QT is not expected to work with nflog,
right? If stats can't be stopped, it won't work.

Re: [Wireshark-dev] nflog in qt and gtk

2014-12-19 Thread Dario Lombardo
On Fri, Dec 19, 2014 at 12:35 PM, Peter Wu pe...@lekensteyn.nl wrote:

 The Capture - Options
 dialog is another place where these stats are visible.


Is it visible during capture?

Re: [Wireshark-dev] Capture from multiple remote machines

2014-11-19 Thread Dario Lombardo
On Wed, Nov 19, 2014 at 9:12 AM, Ozan T ozan@gmail.com wrote:

 Hi Patrick ,

 Thank you, it works!

 Sorry, it is my mistake, I thought rpcapd and Remote Interfaces were just
 for Windows machines. Here, I see it works well on Linux and BSD also.


 Thanks again.


 Ozan.

Hi Ozan
Can you share with us some pointers about remote interfaces on linux? I
dug a bit but I just found some info about compiling rpcapd on linux
using the winpcap source code, but nothing about telling my linux wireshark
that remote sniffing is supported. Under "Remote interfaces" I find "this
version of wireshark doesn't support [...]".
Do you have a linux/bsd-only setup?
Thanks
Dario.

Re: [Wireshark-dev] On which platforms is there a need for Wireshark to have a Language preference?

2014-11-05 Thread Dario Lombardo
Hi Guy
The answer is yes. I live in Italy, but I use linux in English. I switch to
en or it for the specific purpose of the moment. With auto-detect I couldn't
do that. For my daily use I switch to EN. To develop/test the wireshark Italian
translation I switch to IT.

I don't know if this scenario applies to others, but for me getting rid of
a functionality that is still in place is not a good approach.

Have a nice day.
Dario.

On Tue, Nov 4, 2014 at 8:34 PM, Guy Harris g...@alum.mit.edu wrote:

 I.e., are there reasons, on any platforms, to set the Language preference
 to anything other than Auto-Detect?  As far as I know, on all supported
 platforms (Windows, OS X, UN*Xes other than OS X) the Qt system locale gets
 the locale information from the appropriate place on the OS.  Is there ever
 a need to override your global language setting?

Re: [Wireshark-dev] On which platforms is there a need for Wireshark to have a Language preference?

2014-11-05 Thread Dario Lombardo
On Wed, Nov 5, 2014 at 10:52 AM, Bálint Réczey bal...@balintreczey.hu
wrote:

 Please run LC_ALL=it_IT wireshark instead of asking the project to
 keep the language-switching feature.


Thanks for your suggestion.

[Wireshark-dev] Compiling with ninja

2014-11-04 Thread Dario Lombardo
Hi list
Some days ago I played a bit with ninja and I found useful info I'd like to
share with you.
Ninja is a build system similar to make. Its advantage is that it
was built with parallelism in mind, to take advantage of multi-core CPUs.
Wireshark uses cmake, which has a generator for ninja, so I decided to make
some tests.

1) cmake and make
This is a very common way to compile stuff, and wireshark too. The advantage
of using cmake and make is that you get a progress indicator for the compilation. Very
useful! The disadvantage is that this progress indicator works badly with parallel make
(-j). Not only is the output a mess, but sometimes compilation breaks. I
think that cmake doesn't manage parallel gcc instances well. Autotools
manage parallel make well, but afaik the cmake subsystem in wireshark has
better support.

With this setup I'm able to compile wireshark in about 10m.

2) cmake and ninja
To speed up things I made a second setup for ninja, on my ubuntu 14.04

sudo apt-get install ninja-build
mkdir build-ninja
cd build-ninja
cmake -GNinja ..
ninja

The compilation went well and took about 2.5m! I lost the
progress in terms of percentage, but I still have progress in terms of
#compiled/#total. But the BIG advantage is the speed: only 25% of the other
setup on the same machine. The other advantage is that, using cmake, you
can have separate build dirs that don't pollute each other.

Hope it helps people who like faster compilation :).

Dario.

Re: [Wireshark-dev] Installing on Ubuntu 12.04.5

2014-10-23 Thread Dario Lombardo
You installed gtk3, which is the library package, but not the -dev package, which
is what configure checks for.
The key package you're probably missing is

   - libgtk-3-dev

as stated in Robert's list.

To be sure, look for gtk in your config.log. You will find

configure:30681: gcc -o conftest -g -O2 -Wall -W -Wextra
-Wdeclaration-after-statement -Wendif-labels -Wpointer-arith
-Wno-pointer-sign -Warray-bounds -Wformat-security -fwrapv
-fno-strict-overflow -fno-delete-null-pointer-checks -Wold-style-definition
-Wstrict-prototypes -Wjump-misses-init -Wvla -Waddress -Wattributes
-Wdiv-by-zero -Wignored-qualifiers -Wpragmas -Wno-overlength-strings
-Wwrite-strings -Wno-long-long -Wc++-compat -Wshadow -Wlogical-op
-fexcess-precision=fast -fvisibility=hidden  -DQT_SHARED -I/usr/include/qt4
-I/usr/include/qt4/QtCore   -DQT_SHARED -I/usr/include/qt4
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtCore-DQT_GUI_LIB
 -Wl,--as-needed -L/usr/local/lib conftest.c   5
conftest.c:36:21: fatal error: gtk/gtk.h: No such file or directory
compilation terminated.
configure:30681: $? = 1

The missing file is gtk/gtk.h. You can find which package it belongs to with

apt-file search gtk/gtk.h

and you obtain something like

dario@hardcore:~$ apt-file search gtk/gtk.h
libgtk-3-dev: /usr/include/gtk-3.0/gtk/gtk.h
libgtk2.0-dev: /usr/include/gtk-2.0/gtk/gtk.h
dario@hardcore:~$

that points you to the gtk3 package you need.
Hope it helps for future dependencies.
Dario.

On Thu, Oct 23, 2014 at 5:43 AM, Tracy Hockenhull tr...@th-enterprises.net
wrote:

 I'm fairly new to Linux, and new to Wireshark, and I'm having problems
 with the ./configure part of the process to install Wireshark.

 The error I'm getting is this:

 checking for GTK+ - version = 3.0.0... no
 *** Could not run GTK+ test program, checking why...
 *** The test program failed to compile or link. See the file config.log
 for the
 *** exact error that occured. This usually means GTK+ is incorrectly
 installed.
 configure: error: GTK+ 3 is not available

 To fix this, I tried sudo apt-get install gtk+3.0, which installed
 gtk+3.0, but I still get the error above when I try ./configure.

 I have attached the config.log.

 Thanks,

 Tracy


Re: [Wireshark-dev] QT with cmake

2014-10-22 Thread Dario Lombardo
I don't know how, but now it compiles.
My guess is that it was related to (one of them or both):
1) previous compilation with qt4
2) previous compilation with autotools

Thanks everybody for your help.

On Wed, Oct 22, 2014 at 1:58 AM, Joerg Mayer jma...@loplof.de wrote:

 On Tue, Oct 21, 2014 at 03:13:01PM +0200, Dario Lombardo wrote:
  On Tue, Oct 21, 2014 at 2:48 PM, Peter Wu pe...@lekensteyn.nl wrote:
 
  
   Have you tried to clear your build dir? The QtGui/QAction file is
 located
   in the
   qt4 include directory, in qt5 it is located at QtWidgets/QAction.
  
   I've completely deleted the build dir and started over. Same output.
 
  [ 79%] Building CXX object ui/qt/CMakeFiles/qtui.dir/about_dialog.cpp.o
  In file included from
  /home/dario/Projects/wireshark/ui/qt/about_dialog.cpp:25:0:
  /home/dario/Projects/wireshark/ui/qt/ui_about_dialog.h:13:25: fatal
 error:
  QtGui/QAction: No such file or directory
   #include QtGui/QAction

 Weird. Where does this include come from? I can't find it in any file.
 Hmm, OK, it's in a generated file and most probably generated for Qt4.
 So maybe it is not properly picking up the qt5 tools (uic) but using
 the qt4 version instead?
 Or there is a leftover. The path looks like the file ui_about_dialog.h
 is in tree, not out of tree, but that's for you to confirm or deny.

 Ciao
Jörg

 --
 Joerg Mayer   jma...@loplof.de
 We are stuck with technology when what we really want is just stuff that
 works. Some say that should read Microsoft instead of technology.

[Wireshark-dev] QT with cmake

2014-10-21 Thread Dario Lombardo
Hi list
I tried to compile the master of wireshark using cmake.

mkdir build
cd build
cmake ..
make

In run/ I can find wireshark-gtk but not qt. Any specific command to pass
to cmake to have it? I am able to obtain qt executable using autotools
(meaning that my qt dev subsystem should be fine).

Thanks
Dario.

Re: [Wireshark-dev] QT with cmake

2014-10-21 Thread Dario Lombardo
Well... it's the first thing I searched for, since I compiled it with
autotools and I noticed that switch.
But actually

wireshark/build$ find . -name wireshark
wireshark/build$ find . -name wireshark-gtk
./run/wireshark-gtk
wireshark/build$

wireshark qt seems not to be compiled at all.


On Tue, Oct 21, 2014 at 11:31 AM, Michal Orynicz michal.oryn...@tieto.com
wrote:

 Hi,
 right now wireshark-qt is renamed to wireshark, and wireshark was renamed
 to wireshark-gtk. This is to push people to use the new UI.
 So please check if Your wireshark binary is the one You are searching for
 :)

 On 21 October 2014 11:20, Dario Lombardo dario.lombardo...@gmail.com
 wrote:

 Hi list
 I tried to compile the master of wireshark using cmake.

 mkdir build
 cd build
 cmake ..
 make

 In run/ I can find wireshark-gtk but not qt. Any specific command to pass
 to cmake to have it? I am able to obtain qt executable using autotools
 (meaning that my qt dev subsystem should be fine).

 Thanks
 Dario.






 --
 Pozdrawiam / Best regards
 Michał Orynicz, Software Engineer
 Tieto Corporation

 Product Development Services

 http://www.tieto.com / http://www.tieto.pl
 ---
 ASCII: Michal Orynicz
 location: Swobodna 1 Street, 50-088 Wrocław, Poland
 room: 5.01 (desk next to 5.08)



Re: [Wireshark-dev] QT with cmake

2014-10-21 Thread Dario Lombardo
Well... after installing some other qt5 packages I get

CMake Error at ui/qt/CMakeLists.txt:306 (QT5_ADD_TRANSLATION):
  Unknown CMake command QT5_ADD_TRANSLATION.



On Tue, Oct 21, 2014 at 11:49 AM, Peter Wu pe...@lekensteyn.nl wrote:

 On Tuesday 21 October 2014 11:20:54 Dario Lombardo wrote:
  I tried to compile the master of wireshark using cmake.
 
  mkdir build
  cd build
  cmake ..
  make
 
  In run/ I can find wireshark-gtk but not qt. Any specific command to pass
  to cmake to have it? I am able to obtain qt executable using autotools
  (meaning that my qt dev subsystem should be fine).

 If I am not mistaken, the CMake build defaults to Qt5 by default. To use
 Qt4
 instead, pass the option -DENABLE_QT5=0. Otherwise, install the qt5-tools
 package which should provide the packages which are reported missing during
 cmake.

 Have you checked the cmake output already?

 --
 Kind regards,
 Peter
 https://lekensteyn.nl



Re: [Wireshark-dev] QT with cmake

2014-10-21 Thread Dario Lombardo
On Tue, Oct 21, 2014 at 1:20 PM, Peter Wu pe...@lekensteyn.nl wrote:


 What distro are you using? For Debian/Ubuntu you need to install
 qttools5-dev.


It is exactly what I'm using (Ubuntu 14.04). I've installed qttools5-dev
and compilation made a few steps ahead, but then stopped with

Scanning dependencies of target qtui
[ 79%] Building CXX object ui/qt/CMakeFiles/qtui.dir/about_dialog.cpp.o
In file included from
/home/dario/Projects/wireshark/ui/qt/about_dialog.cpp:25:0:
/home/dario/Projects/wireshark/ui/qt/ui_about_dialog.h:13:25: fatal error:
QtGui/QAction: No such file or directory
 #include QtGui/QAction
 ^
compilation terminated.
make[2]: *** [ui/qt/CMakeFiles/qtui.dir/about_dialog.cpp.o] Error 1
make[1]: *** [ui/qt/CMakeFiles/qtui.dir/all] Error 2
make: *** [all] Error 2

Re: [Wireshark-dev] QT with cmake

2014-10-21 Thread Dario Lombardo
On Tue, Oct 21, 2014 at 2:48 PM, Peter Wu pe...@lekensteyn.nl wrote:


 Have you tried to clear your build dir? The QtGui/QAction file is located
 in the
 qt4 include directory, in qt5 it is located at QtWidgets/QAction.

 I've completely deleted the build dir and started over. Same output.

[ 79%] Building CXX object ui/qt/CMakeFiles/qtui.dir/about_dialog.cpp.o
In file included from
/home/dario/Projects/wireshark/ui/qt/about_dialog.cpp:25:0:
/home/dario/Projects/wireshark/ui/qt/ui_about_dialog.h:13:25: fatal error:
QtGui/QAction: No such file or directory
 #include QtGui/QAction
 ^
compilation terminated.
make[2]: *** [ui/qt/CMakeFiles/qtui.dir/about_dialog.cpp.o] Error 1
make[1]: *** [ui/qt/CMakeFiles/qtui.dir/all] Error 2
make: *** [all] Error 2

The strange thing I noticed is that QtGui/QAction is not present in any qt5
package (only qt4).

wireshark/build$ sudo apt-file search QAction
libqt4-dev: /usr/include/qt4/QtGui/QAction
libqt4-dev: /usr/include/qt4/QtGui/QActionEvent
libqt4-dev: /usr/include/qt4/QtGui/QActionGroup
qtbase5-dev: /usr/include/qt5/QtGui/QActionEvent
qtbase5-dev: /usr/include/qt5/QtWidgets/QAction
qtbase5-dev: /usr/include/qt5/QtWidgets/QActionGroup

Re: [Wireshark-dev] Translation tools

2014-10-10 Thread Dario Lombardo
Ok, thanks. I'm able to start the translation. I've translated a couple of
entries, recompiled, changed the language, and everything is ok: my
translated entries are now in wireshark.
But if now I translate other entries, run lupdate and lrelease, then make,
the ui is not recompiled again. It seems that the ui compilation subsystem
can't notice that I changed the language file so it doesn't recompile it.
If I git stash && make && git stash pop && make, the changes are compiled.
Do I have to issue some magic to force the ui recompilation?

Re: [Wireshark-dev] Translation tools

2014-10-09 Thread Dario Lombardo
On Wed, Oct 8, 2014 at 9:06 PM, Alexis La Goutte alexis.lagou...@gmail.com
wrote:

 Hi,

 It is now possible to translate the Gui of Wireshark (with Qt)

 Actually, there is start of French translation, Polish (Thanks Michal)
 and Japanese (Thanks martin & Megane)


How can one start a task like that? Is there any documentation?

Re: [Wireshark-dev] Translation tools

2014-10-09 Thread Dario Lombardo
I tried to start a new translation (Italian). After I run lupdate/lrelease,
I found the following files modified (other than the ones I modified):

modified:   ui/qt/wireshark_en.qm
modified:   ui/qt/wireshark_en.ts
modified:   ui/qt/wireshark_fr.qm
modified:   ui/qt/wireshark_fr.ts
modified:   ui/qt/wireshark_ja_JP.qm
modified:   ui/qt/wireshark_ja_JP.ts
modified:   ui/qt/wireshark_pl.qm
modified:   ui/qt/wireshark_pl.ts
modified:   ui/qt/wireshark_zh_CN.qm
modified:   ui/qt/wireshark_zh_CN.ts

Having a look at the diff, I figured out that something has changed in the
source files, and that change was not ported to the compiled ones. Am I
right? What should I do with those changes? Keep them or discard them?

On Thu, Oct 9, 2014 at 4:22 PM, Alexis La Goutte alexis.lagou...@gmail.com
wrote:

 On Thu, Oct 9, 2014 at 4:02 PM, Dario Lombardo
 dario.lombardo...@gmail.com wrote:
 
 
  On Wed, Oct 8, 2014 at 9:06 PM, Alexis La Goutte 
 alexis.lagou...@gmail.com
  wrote:
 
  Hi,
 
  It is now possible to translate the Gui of Wireshark (with Qt)
 
  Actually, there is start of French translation, Polish (Thanks Michal)
  and Japanese (Thanks martin & Megane)
 
 
  How one can start a task like that? Is there any documentation?
 Hi Dario,

 If you have Qt Linguist ready to use, you can look at README.qt (in the docs
 folder).
 It has all the steps for adding a new translation.

 Regards


Re: [Wireshark-dev] [Wireshark-commits] master 14824e6: Revert Fixup: tvb_* -> tvb_captured

2014-06-20 Thread Dario Lombardo
On Thu, Jun 19, 2014 at 9:18 PM, Evan Huus eapa...@gmail.com wrote:
 We were not bulk-converting them so that we could catch the ones that really
 should have been tvb_reported_length and tvb_reported_length_remaining from
 the beginning.

If you look at the code in epan/tvbuff.h:228,237,244 you can find those defines

#define tvb_length tvb_captured_length
#define tvb_length_remaining tvb_captured_length_remaining
#define tvb_ensure_length_remaining tvb_ensure_captured_length_remaining

This means that tvb_length doesn't go to the compiler, since it's
changed to tvb_captured_length by the preprocessor. What about a
change that replaces only these? This should be safe.


Re: [Wireshark-dev] [Wireshark-commits] master 14824e6: Revert Fixup: tvb_* -> tvb_captured

2014-06-20 Thread Dario Lombardo
On Fri, Jun 20, 2014 at 4:33 PM, Jeff Morriss jeff.morriss...@gmail.com wrote:
 IOW the reason these functions were renamed was because a large portion of
 the time dissector-writers would use tvb_length() when they really should
 have been using tvb_reported_length().  By renaming the functions and adding
 a macro--which is listed as deprecated by checkAPIs--for backwards
 compatibility we can know which calls have yet to be audited/checked for
 correctness.  That is, the whole point is to *not* systematically replace
 tvb_length() but rather check each call and replace it with the correct one.

Well, thank you, I've got the point now.
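As an added illustration of the captured-length versus reported-length point made in this thread (example code written for this archive page; it is not Wireshark's tvbuff API and not code from anyone in the thread), here is a minimal C model: a buffer that carries both lengths, and the same header length check written the "old" way against the captured length and the intended way against the reported length. The type model_tvb, the functions check_with_captured / check_with_reported and the two sample packets are this example's own, constructed for it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a tvbuff (this example's own, not Wireshark's tvbuff API):
 * a capture can be cut short by the snaplen, so the bytes held in the buffer
 * (captured) may be fewer than the bytes the packet had on the wire (reported). */
typedef struct {
    const uint8_t *data;
    size_t captured_length;   /* bytes actually present in the buffer */
    size_t reported_length;   /* bytes the packet had on the wire */
} model_tvb;

typedef enum {
    CHECK_OK = 0,        /* the claimed payload fits the packet */
    CHECK_MALFORMED = 1, /* claimed payload longer than the wire packet: protocol error */
    CHECK_TRUNCATED = 2  /* fits the wire packet, but the capture does not hold it all */
} check_result;

/* The protocol header at 'offset' is one byte giving the payload length.
 * Old style: compare against the captured length only. A packet that was
 * merely cut short by the snaplen is then reported as malformed. */
check_result check_with_captured(const model_tvb *tvb, size_t offset)
{
    size_t claimed;
    if (offset + 1 > tvb->captured_length)
        return CHECK_TRUNCATED;          /* not even the header was captured */
    claimed = tvb->data[offset];
    if (offset + 1 + claimed > tvb->captured_length)
        return CHECK_MALFORMED;          /* wrong verdict for a truncated capture */
    return CHECK_OK;
}

/* Intended style: validate the protocol's claim against the reported
 * (on-the-wire) length first, and only then ask whether the bytes are there. */
check_result check_with_reported(const model_tvb *tvb, size_t offset)
{
    size_t claimed;
    if (offset + 1 > tvb->captured_length)
        return CHECK_TRUNCATED;
    claimed = tvb->data[offset];
    if (offset + 1 + claimed > tvb->reported_length)
        return CHECK_MALFORMED;          /* the sender really put a bad length on the wire */
    if (offset + 1 + claimed > tvb->captured_length)
        return CHECK_TRUNCATED;          /* fine on the wire, just not fully captured */
    return CHECK_OK;
}

/* Constructed samples. good_packet: header claims 4 payload bytes and 4 follow
 * (5 bytes on the wire). bad_packet: header claims 9 bytes but only 4 follow. */
static const uint8_t good_packet[] = { 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t bad_packet[]  = { 0x09, 0xde, 0xad, 0xbe, 0xef };

/* Whole packet captured: the check passes. */
check_result demo_full_capture(void)
{
    model_tvb tvb = { good_packet, sizeof good_packet, sizeof good_packet };
    return check_with_reported(&tvb, 0);
}

/* Same packet captured with snaplen 3: the old check calls it malformed ... */
check_result demo_truncated_old_style(void)
{
    model_tvb tvb = { good_packet, 3, sizeof good_packet };
    return check_with_captured(&tvb, 0);
}

/* ... while the reported-length check correctly says it was truncated. */
check_result demo_truncated_new_style(void)
{
    model_tvb tvb = { good_packet, 3, sizeof good_packet };
    return check_with_reported(&tvb, 0);
}

/* A genuinely malformed packet is still caught by the reported-length check. */
check_result demo_malformed(void)
{
    model_tvb tvb = { bad_packet, sizeof bad_packet, sizeof bad_packet };
    return check_with_reported(&tvb, 0);
}

int main(void)
{
    printf("full: %d, truncated (old): %d, truncated (new): %d, malformed: %d\n",
           demo_full_capture(), demo_truncated_old_style(),
           demo_truncated_new_style(), demo_malformed());
    return 0;
}
```

The practical consequence is the one Jeff describes: a check written against the captured length cannot tell a bad length field sent on the wire from an innocently truncated capture, so "malformed" verdicts and expert info become unreliable on captures taken with a snaplen. That is why each tvb_length() call has to be audited individually rather than renamed in bulk.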


[Wireshark-dev] Deprecated APIs

2014-06-20 Thread Dario Lombardo
Hi list

I'm having a look at obsolete APIs and I've got those lines from checkAPI.pl

Warning: Found soft-deprecated APIs in packet-bacapp.c: ep_address_to_str
Warning: Found soft-deprecated APIs in packet-umts_fp.c: se_new0

but I can't find how those func should be changed. Can anyone help me?

Dario


[Wireshark-dev] Patching as per checkAPI

2014-06-18 Thread Dario Lombardo
I'm trying to take care of some of the warnings from checkAPI. The
result is a set of commits.
What should I do now?

1) submit one push for every commit (eg. branch checkapi1, checkapi2, etc.)

2) submit one push with multiple commits (don't know if gerrit allows
it... I got an error when I tried to do so)

3) squash them into one commit (don't like it... the commits are
related to different APIs)

4) something else :)

Thanks for your help.
Dario.


[Wireshark-dev] Deprecated APIs

2014-06-17 Thread Dario Lombardo
Hi list

I'm having a look at obsolete APIs and I've got those lines from checkAPI.pl

Warning: Found soft-deprecated APIs in packet-bacapp.c: ep_address_to_str
Warning: Found soft-deprecated APIs in packet-umts_fp.c: se_new0

but I can't find how those func should be changed. Can anyone help me?

Dario


Re: [Wireshark-dev] Fwd: Broken link for buildbot

2014-06-12 Thread Dario Lombardo
On Wed, Jun 11, 2014 at 10:17 PM, Gerald Combs ger...@wireshark.org wrote:
 If it's causing any
 confusion I can remove it before then.

No it isn't. I was just jumping over the links on the page and I found
it. Do you think a bug on filezilla would be appropriate?


[Wireshark-dev] Fwd: Broken link for buildbot

2014-06-11 Thread Dario Lombardo
Hi
In the header of the gerrit site, the link buildbot - documentation points to

https://code.wireshark.org/plugins/buildbot/

that is a broken link.
I'd like to point someone at it.
Dario


Re: [Wireshark-dev] (no subject)

2014-03-06 Thread Dario Lombardo
Do you want to keep the pdml file format, or do you just want to export a
subset of the info?

In the latter case you can use the -T fields switch plus the -e switch.


On Thu, Mar 6, 2014 at 8:04 AM, varsha mintri vmin...@yahoo.com wrote:

 Hi,

 I wanted to reduce the details produced while exporting a capture file as
 pdml file so that the file size could be reduced. Can anyone help?



Re: [Wireshark-dev] Git + Gerrit: next steps

2013-12-20 Thread Dario Lombardo
On Thu, Dec 19, 2013 at 8:51 PM, Gerald Combs ger...@wireshark.org wrote:

 BTW, I *might* be able to have Gerrit's SSH daemon listen on port 22
 instead of 29418. Would this be useful?


In testing/lab/home networks access to outside is normally open (or can be
opened). That means that port 80, 22, 443 or XXX is allowed. In corporate
networks web access is always granted through proxies, while other traffic
is not allowed. My opinion is that ssh port doesn't make the difference.
The difference is made by the http write access, that is the most common
channel.

Re: [Wireshark-dev] Git + Gerrit: next steps

2013-12-19 Thread Dario Lombardo
On Thu, Dec 19, 2013 at 4:57 AM, Evan Huus eapa...@gmail.com wrote:

 - handy quick-start instructions from Marc:
 https://www.wireshark.org/lists/wireshark-dev/201309/msg00191.html


I had a look at the instructions above. Seems that only ssh is supported.
Will it be so in the production git too, or http in write mode will be
available? In some networks direct ssh is not possible, while proxied http
is.
Dario.

Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-13 Thread Dario Lombardo
Thanks for your description.

On Thu, Sep 12, 2013 at 11:46 PM, Joerg Mayer jma...@loplof.de wrote:

 Here is what I do (now) - I'm on Linux:
 - cd epan/dissectors/
 - Pick a letter from the alphabet.
 - grep emem.h packet-letter*.c
 - ../../tools/checkAPI.pl -g emem packet-letter*.c


../../tools/checkAPIs.pl -g emem packet-cdp.c
packet-cdp.c: found 69 useless add_text() vs. 76 add_something else()
calls (90.79%)

What should be done for that? Is that related to emem?

Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-13 Thread Dario Lombardo
I'm testing a way to speed up the process, for trivial cases. This is the
script I'm using.

#!/bin/bash

# Trivial cases only: files where the one emem API that checkAPIs reports is ep_alloc.
# checkAPIs writes its warnings to stderr, hence the 2>&1; field 6 of a
# "Warning: Found ... APIs in packet-foo.c: ep_alloc" line is the file name.
for file in $(../../tools/checkAPIs.pl -g emem packet-*.c 2>&1 | egrep 'ep_alloc$' | awk '{ print $6 }' | sed 's/://g')
do
    echo "patching $file"
    # swap the include, then turn every ep_alloc() into a packet-scoped wmem_alloc()
    sed -i 's/#include <epan\/emem.h>/#include <epan\/wmem\/wmem.h>/g' "$file"
    sed -i 's/ep_alloc(/wmem_alloc(wmem_packet_scope(), /g' "$file"
done

I can open a bug with the output of this script, so we can share the result.


On Thu, Sep 12, 2013 at 11:46 PM, Joerg Mayer jma...@loplof.de wrote:

 Hello Kauschik,

 On Fri, Sep 13, 2013 at 02:53:50AM +0530, kaushik varanasi wrote:
  Can any of you brief me about what should be done. I would like to get
  involved and learn.

 Here is what I do (now) - I'm on Linux:
 - cd epan/dissectors/
 - Pick a letter from the alphabet.
 - grep emem.h packet-letter*.c
 - ../../tools/checkAPI.pl -g emem packet-letter*.c
 - Fix inconsistencies (remove includes for emem.h from files that don't
   use ep_ or se_ functions, add the include where it is missing
 - Go through all files that only contain simple to convert functions
   + Replace the include statement and se_ and ep_ functions the way Evan
 described, then compile and install libwireshark (I do:
 make -C epan install)
   + run tshark -v to find obvious breakages. If it breaks, svn revert
 the file
   + Next file
 - Commit my changes

 Maybe you can do this and once you have successfully converted the fist
 file open a bug and attach your patch to it. Depending on the feedback
 go over the patch again or (once sufficiently confident) finish all
 dissectors for that letter and attach the patch to the previous bug again.

  Ciao
Jörg

   Unfortunately emem.h is included everywhere via packet.h via
   packet_info.h via address.h, so there are dissectors that use it
   without including it directly. check-APIs is more reliable since it
   actually looks for the function calls.
  
   
 P.S. I have a few vim macros that I wrote to speed up the process.
 I
   can
 share them if anybody using vim wants to help :)
   
Sure, go ahead please.
  
   Put the following in your vimrc:
   let @e = 'xxiwmem^[/(^Mawmem_packet_scope(), ^[/\ep_^Mkj'
   let @s = 'xxiwmem^[/(^Mawmem_file_scope(), ^[/\se_^Mkj'
  
   Then the 'e' macro will convert an ep_* call and jump to the next one,
   the 's' macro will convert an se_* call and jump to the next one.
   These only work for functions like _alloc and _strdup, for
   data-structures (like ep_strbuf_append) which take the data-structure
   and not the scope as the first argument you will have to convert
   manually still, but there are not many of those.
  
   On Thu, Sep 12, 2013 at 11:54 AM, Dario Lombardo
   dario.lombardo...@gmail.com wrote:
   
On Thu, Sep 12, 2013 at 5:36 PM, Joerg Mayer jma...@loplof.de
 wrote:
   
So if we could split this between a few people at least the trivial
 part
could be done quickly.
   
   
Can you please show us what should be done? I could get a part of it
 if
   it's clear what to do.
  
   The doc/README.wmem section 2.1.1 includes a brief example of how
   calls can be replaced. You can also take a look at some of my (and
   Joerg's) previous commits doing conversion.

 --
 Joerg Mayer   jma...@loplof.de
 We are stuck with technology when what we really want is just stuff that
 works. Some say that should read Microsoft instead of technology.

Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-13 Thread Dario Lombardo
I'm trying to address se_alloc() calls. If I change this:

Index: packet-infiniband_sdp.c
===
--- packet-infiniband_sdp.c (revision 52002)
+++ packet-infiniband_sdp.c (working copy)
@@ -31,6 +31,7 @@
 #include epan/packet.h
 #include epan/prefs.h
 #include epan/conversation.h
+#include epan/wmem/wmem.h
 #include stdlib.h
 #include errno.h

@@ -529,8 +530,8 @@
 heur_dissector_add(infiniband.mad.cm.private, dissect_ib_sdp,
proto_ib_sdp);

 /* allocate enough space in the addresses to store the largest
address (a GID) */
-manual_addr_data[0] = se_alloc(GID_SIZE);
-manual_addr_data[1] = se_alloc(GID_SIZE);
+manual_addr_data[0] = wmem_alloc(wmem_file_scope(), GID_SIZE);
+manual_addr_data[1] = wmem_alloc(wmem_file_scope(), GID_SIZE);

 initialized = TRUE;
 }
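Review bot: wmem_file_scope() is the wrong lifetime for these two allocations. They sit in one-time handoff code (next to heur_dissector_add and guarded by initialized = TRUE), which runs before any capture file is open, so there is no file-scope pool to allocate from yet, which is what the "tshark -v crashes" report below is showing. Memory set up once and kept for the rest of the run belongs in the program-lifetime scope, e.g. `manual_addr_data[0] = wmem_alloc(wmem_epan_scope(), GID_SIZE);`, or in manually managed memory if its lifetime is something else. File scope would also be unsafe even if it existed here: its blocks are released when the file is closed, while these static pointers would keep referring to them.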
@@ -567,4 +568,3 @@

 }
 }
-
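Review bot: the deletion of the trailing blank line at the end of the file is whitespace cleanup unrelated to the emem to wmem conversion; either leave it out of this patch or mention it in the commit message so a reviewer does not have to guess whether it is intentional.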

tshark -v crashes. What is wrong with my patch?

Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-13 Thread Dario Lombardo
Using wmem_epan_scope() it seems to work. Is it correct to use that scope?


On Fri, Sep 13, 2013 at 1:55 PM, Dario Lombardo dario.lombardo...@gmail.com
 wrote:

 I'm trying to address se_alloc() calls. If I change this:

 Index: packet-infiniband_sdp.c
 ===
 --- packet-infiniband_sdp.c (revision 52002)
 +++ packet-infiniband_sdp.c (working copy)
 @@ -31,6 +31,7 @@
  #include epan/packet.h
  #include epan/prefs.h
  #include epan/conversation.h
 +#include epan/wmem/wmem.h
  #include stdlib.h
  #include errno.h

 @@ -529,8 +530,8 @@
  heur_dissector_add(infiniband.mad.cm.private, dissect_ib_sdp,
 proto_ib_sdp);

  /* allocate enough space in the addresses to store the largest
 address (a GID) */
 -manual_addr_data[0] = se_alloc(GID_SIZE);
 -manual_addr_data[1] = se_alloc(GID_SIZE);
 +manual_addr_data[0] = wmem_alloc(wmem_file_scope(), GID_SIZE);
 +manual_addr_data[1] = wmem_alloc(wmem_file_scope(), GID_SIZE);

  initialized = TRUE;
  }
 @@ -567,4 +568,3 @@

  }
  }
 -

 tshark -v crashes. What is wrong with my patch?


Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-13 Thread Dario Lombardo
I've submitted a patch with epan scope.


On Fri, Sep 13, 2013 at 2:30 PM, Evan Huus eapa...@gmail.com wrote:

 On 2013-09-13, at 7:55 AM, Dario Lombardo dario.lombardo...@gmail.com
 wrote:

  I'm trying to address se_alloc() calls. If I change this:
 
  Index: packet-infiniband_sdp.c
  ===
  --- packet-infiniband_sdp.c   (revision 52002)
  +++ packet-infiniband_sdp.c   (working copy)
  @@ -31,6 +31,7 @@
   #include epan/packet.h
   #include epan/prefs.h
   #include epan/conversation.h
  +#include epan/wmem/wmem.h
   #include stdlib.h
   #include errno.h
 
  @@ -529,8 +530,8 @@
   heur_dissector_add(infiniband.mad.cm.private, dissect_ib_sdp,
 proto_ib_sdp);
 
   /* allocate enough space in the addresses to store the largest
 address (a GID) */
  -manual_addr_data[0] = se_alloc(GID_SIZE);
  -manual_addr_data[1] = se_alloc(GID_SIZE);
  +manual_addr_data[0] = wmem_alloc(wmem_file_scope(), GID_SIZE);
  +manual_addr_data[1] = wmem_alloc(wmem_file_scope(), GID_SIZE);
 
   initialized = TRUE;
   }
  @@ -567,4 +568,3 @@
 
   }
   }
  -
 
  tshark -v crashes. What is wrong with my patch?

 Apparently there is no file in scope when that code is run. Depending on
 the necessary lifetime of the memory, it may make sense to replace it with
 epan scoped memory (the lifetime of the program, basically) or manually
 managed memory if the lifetime is something else.

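To make Evan's point about lifetimes concrete, here is an added example written for this archive page (it is this page's own illustration, not Wireshark's wmem implementation and not code from the thread): a small scope-based pool allocator that models the three wmem lifetimes, with the registration-time allocation from the patch above done both ways. Every name in it (model_scope, model_alloc, init_with_file_scope, run_registration and so on) is this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a scoped pool allocator in the spirit of wmem (this example's own,
 * not Wireshark's code): every block belongs to a scope, and leaving the scope
 * frees all of its blocks at once. */
#define MODEL_MAX_BLOCKS 64

typedef struct {
    const char *name;
    bool live;                      /* the scope currently exists */
    void *blocks[MODEL_MAX_BLOCKS];
    size_t nblocks;
} model_scope;

/* Three lifetimes standing in for wmem_epan_scope(), wmem_file_scope() and
 * wmem_packet_scope(): the whole run, one open capture file, one packet. */
static model_scope epan_scope   = { "epan",   false, {0}, 0 };
static model_scope file_scope   = { "file",   false, {0}, 0 };
static model_scope packet_scope = { "packet", false, {0}, 0 };

void model_scope_enter(model_scope *s) { s->live = true; }

void model_scope_leave(model_scope *s)
{
    size_t i;
    for (i = 0; i < s->nblocks; i++)
        free(s->blocks[i]);
    s->nblocks = 0;
    s->live = false;
}

/* Allocating from a scope that does not exist is a programming error. In the
 * real code that is the "tshark -v crashes" of this thread; the model returns
 * NULL so the caller can observe it. */
void *model_alloc(model_scope *s, size_t size)
{
    void *p;
    if (!s->live || s->nblocks == MODEL_MAX_BLOCKS)
        return NULL;
    p = calloc(1, size);
    if (p)
        s->blocks[s->nblocks++] = p;
    return p;
}

/* One-time handoff initialisation, as in the posted patch: it runs before any
 * capture file is open, and the two pointers are kept for the rest of the run. */
static void *manual_addr_data[2];

/* As in the first patch: file scope. */
bool init_with_file_scope(void)
{
    manual_addr_data[0] = model_alloc(&file_scope, 16);
    manual_addr_data[1] = model_alloc(&file_scope, 16);
    return manual_addr_data[0] != NULL && manual_addr_data[1] != NULL;
}

/* As finally submitted: epan scope, which lives as long as the program. */
bool init_with_epan_scope(void)
{
    manual_addr_data[0] = model_alloc(&epan_scope, 16);
    manual_addr_data[1] = model_alloc(&epan_scope, 16);
    return manual_addr_data[0] != NULL && manual_addr_data[1] != NULL;
}

/* Drive the lifetimes the way the program does: epan exists from start-up,
 * registration runs next, files and packets come and go only later.
 * Returns true if registration got its memory. */
bool run_registration(bool use_epan_scope)
{
    bool ok;
    model_scope_enter(&epan_scope);
    ok = use_epan_scope ? init_with_epan_scope() : init_with_file_scope();
    model_scope_leave(&epan_scope);
    return ok;
}

/* Even with a file open, file-scoped memory disappears at file close, so a
 * static pointer kept across files would dangle. Returns how many blocks the
 * file scope still owns once the file has been closed. */
size_t blocks_left_after_file_close(void)
{
    size_t left;
    model_scope_enter(&epan_scope);
    model_scope_enter(&file_scope);
    model_scope_enter(&packet_scope);
    model_alloc(&epan_scope, 8);
    model_alloc(&file_scope, 8);
    model_alloc(&packet_scope, 8);
    model_scope_leave(&packet_scope);   /* packet dissected */
    model_scope_leave(&file_scope);     /* file closed: its blocks are freed */
    left = file_scope.nblocks;
    model_scope_leave(&epan_scope);     /* program exit */
    return left;
}

int main(void)
{
    printf("registration, file scope: %s\n", run_registration(false) ? "ok" : "no file scope yet");
    printf("registration, epan scope: %s\n", run_registration(true) ? "ok" : "failed");
    printf("file-scope blocks left after close: %zu\n", blocks_left_after_file_close());
    return 0;
}
```

The rule the model encodes is the one to apply during the conversion: choose the scope from how long the data must live, not from the old ep_/se_ name. Data initialised once at registration outlives every capture file, so the program-lifetime scope (or manual management) is the correct replacement, and a file-scoped block held in a static would be a use-after-free as soon as the next file is opened.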

Re: [Wireshark-dev] Question regarding emem -> wmem conversion

2013-09-12 Thread Dario Lombardo
On Thu, Sep 12, 2013 at 5:36 PM, Joerg Mayer jma...@loplof.de wrote:

 So if we could split this between a few people at least the trivial part
 could be done quickly.


Can you please show us what should be done? I could get a part of it if
it's clear what to do.
Dario.

Re: [Wireshark-dev] Multiple input files

2013-09-10 Thread Dario Lombardo
On Fri, Sep 6, 2013 at 9:50 PM, Christopher Maynard 
christopher.mayn...@gtech.com wrote:

 Two problems:
 1) How do you guarantee the files will be processed in correct time order
 for appending?


I can't. If the user needs it, they can run reordercap.


 2) mergecap today doesn't support reading from stdin.

 I think Jasper's solution is the way to go for now (less the -a option due
 to #1 above).

 Even my earlier proposed script isn't as useful as it could be.  What might
 make it more useful (potentially) is if in addition to supporting reading
 from stdin, mergecap also supported reading from and writing to the same
 file, as that would completely avoid the tmp file(s) altogether, i.e.:


This would be a very useful option. But I don't think it's a feasible way,
since the file handlers (in and out) are different.

Re: [Wireshark-dev] Multiple input files

2013-09-06 Thread Dario Lombardo
Another option could be to support stdin as input file in mergecap with an
append switch. If mergecap would support something like this

cat input1.pcap | mergecap -a - -w output.pcap
cat input2.pcap | mergecap -a - -w output.pcap

this would allow a user to do something like

for file in *.pcap
do
  tshark -r $file -Y FILTER -w - | mergecap -a - -w output.pcap
done

what about that?


On Thu, Sep 5, 2013 at 3:35 PM, Christopher Maynard 
christopher.mayn...@gtech.com wrote:

 Evan Huus eapache@... writes:

  You can even (I think) pipe from mergecap to tshark as follows:
 
 
  mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -Y "dns.qry.name contains google" -o google.pcap

 Just a slight correction on the tshark command-line options needed (note
 the
 -i -):

 mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pcap



[Wireshark-dev] Multiple input files

2013-09-05 Thread Dario Lombardo
Hi list
I was trying to change the code of tshark to support multiple -r switches.
The aim is to have many input files and one output file. Before getting mad
in changing it, I was wondering if it makes sense or not, and if it was
addressed before in some way.

An example of use of it:

tshark -r input1.pcap -r input2.pcap -r input3.pcap -Y "dns.qry.name contains google" -o google.pcap

Thanks for your suggestions.

Re: [Wireshark-dev] Multiple input files

2013-09-05 Thread Dario Lombardo
On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus eapa...@gmail.com wrote:


 mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pcap


mergecap would certainly be an option, if the merged file is not too big to
be given to tshark.
I have 10 files, 1G each. If I merge them, the resulting 10G file is too big
for tshark. I'd need to run tshark on every 1G file, then merge the output,
not the inverse.

Another option could be to add the opportunity to append tshark output to
an existing pcap file (this is not supported now, is it?).

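The append-to-an-existing-pcap idea above (and the `mergecap -a -` loop proposed the day after) both come down to the same file operation: take the packet records of one pcap and write them after the records of another, under one global header, while keeping in mind the time-order objection raised in the thread. The following is an added example, not mergecap or tshark code, that does that for the classic little-endian pcap format; `parse_pcap`, `build_pcap`, `append_pcap` and the two constructed sample files are names chosen for this example.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4            # classic libpcap magic, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]         # (ts_sec, ts_usec, captured bytes)


def parse_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Return (linktype, records) of a little-endian pcap file.
    Truncated or oversized records raise ValueError instead of being
    silently accepted, which is how a corrupt input should be treated."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _maj, _min, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported magic 0x%08x" % magic)
    off, records = GLOBAL_HDR.size, []
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def build_pcap(linktype: int, records: List[Record], snaplen: int = 65535) -> bytes:
    """Serialise records into a pcap file with a fresh global header."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def is_time_ordered(records: List[Record]) -> bool:
    stamps = [(s, u) for s, u, _ in records]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def append_pcap(existing: bytes, new: bytes, reorder: bool = False) -> bytes:
    """Append new's records after existing's (what a 'mergecap -a' would do).
    Link types must match, since a plain pcap carries one link type in its
    global header.  reorder=True sorts by timestamp, the job reordercap does."""
    lt_a, recs_a = parse_pcap(existing)
    lt_b, recs_b = parse_pcap(new)
    if lt_a != lt_b:
        raise ValueError("link type mismatch: %d vs %d" % (lt_a, lt_b))
    merged = recs_a + recs_b
    if reorder:
        merged.sort(key=lambda r: (r[0], r[1]))
    return build_pcap(lt_a, merged)


# Constructed sample files: a placeholder 14-byte Ethernet header plus a tag.
_FRAME = bytes(14)
FILE_ONE = build_pcap(LINKTYPE_ETHERNET,
                      [(100, 0, _FRAME + b"first"), (101, 500, _FRAME + b"second")])
FILE_TWO = build_pcap(LINKTYPE_ETHERNET, [(50, 0, _FRAME + b"earlier")])

if __name__ == "__main__":
    appended = parse_pcap(append_pcap(FILE_ONE, FILE_TWO))[1]
    print("appended:", len(appended), "records, time-ordered:", is_time_ordered(appended))
    ordered = parse_pcap(append_pcap(FILE_ONE, FILE_TWO, reorder=True))[1]
    print("after reorder, time-ordered:", is_time_ordered(ordered))
```

Appending in the order the files are given keeps the second file's earlier packet at the end, which is exactly the "correct time order" problem from the thread; `reorder=True` is the reordercap step. The length checks in `parse_pcap` matter because a record header claiming more bytes than the file holds is the usual shape of a truncated or deliberately malformed capture.
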
Re: [Wireshark-dev] Memory consumption in tshark

2013-08-30 Thread Dario Lombardo
I've run it on the original 10G file (70M packets). It can't process all of
them. At around 30M packets memory consumption is about 3.7G.
It's a good improvement anyway!
Thanks
Dario.


On Fri, Aug 30, 2013 at 3:35 AM, Evan Huus eapa...@gmail.com wrote:

 On Thu, Aug 29, 2013 at 11:07 AM, Dario Lombardo 
 dario.lombardo...@gmail.com wrote:

 On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus eapa...@gmail.com wrote:

 Basically, but it's also more. If your capture contains a DNS packet
 resolving a name in a certain way, and the system name resolver gives a
 different answer, we prefer the DNS packet in the capture (since presumably
 the capture was on some local network where that name resolves
 differently). For this reason we can't just drop old cache entries unless
 name resolution is disabled completely.


 That's really interesting. This means that if a DNS packet with a fake
 resolution is got, it can pollute the cache.
 I've triggered this behaviour in the attached pcap file. It appears that
 I'm pinging google (in my svn wireshark), while actually I'm pinging a
 private address :).


 I have checked in an option for this in revision 51584 which should also
 solve your memory problem (or most of them). If you run that revision of
 tshark with the flag: -o dns.use_for_addr_resolution:FALSE then you should
 see substantially lower memory usage, (and your crafted capture won't
 resolve the internal address as google either). I left it enabled by
 default, since that was the existing behaviour, but I don't have a strong
 opinion one way or the other.

 Cheers,
 Evan


Re: [Wireshark-dev] Memory consumption in tshark

2013-08-29 Thread Dario Lombardo
Running the same command as before (I mean without valgrind) with -n, I get
1.5G of memory consumption, as without -n.


 That's quite useful actually: it looks like the majority of the memory is
 being used to store address-resolution data from all of the DNS packets so
 that if those IP addresses show up later we can resolve them immediately
 (without having to ask the system name resolver).


It's a cache, isn't it?


 It doesn't look like there's a way to disable this at the moment (I
 believe we still store the names even if name resolution is disabled), but
 it should be easy enough to fix. The add_ipv4_name and add_ipv6_name
 functions should probably be no-ops if all name resolution is disabled.
 Then simply passing the -n flag will greatly reduce your memory usage
 (though it won't yet).


What about a circular buffer? Instead of storing all the resolutions, you
could create a circular buffer of N resolutions. This should give you
control of the maximum amount of RAM eaten by this part of the code. Once
the maximum is reached you could
- delete older entries
- delete newer entries
- keep the existing entries, making the following ones go through the resolver
Just an idea. Disabling resolution when -n is used is to be implemented
anyway IMHO.

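The bounded cache suggested above, together with the two points made earlier in the thread (captured DNS answers take precedence over the system resolver, which is what lets a crafted answer in a capture "pollute" the cache, and the later option to turn capture-derived resolution off), as an added example written for this page rather than Wireshark's own addr_resolv code. It uses the first of the three eviction policies listed (drop the oldest entry). `AddrCache`, `learn_from_capture`, `use_capture_dns` and the dict standing in for the system resolver are names chosen for the example.

```python
from collections import OrderedDict
from typing import Callable, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # ip -> name, or None when unknown


class AddrCache:
    """Bounded IP-to-name cache.  Entries learned from DNS packets in the
    capture win over the system resolver, so the cache is capped (LRU,
    oldest entry dropped) and capture-derived entries can be switched off."""

    def __init__(self, capacity: int, system_resolver: Resolver,
                 use_capture_dns: bool = True):
        self.capacity = capacity
        self.system_resolver = system_resolver
        self.use_capture_dns = use_capture_dns
        self._entries = OrderedDict()   # ip -> (name, source), oldest first

    def _store(self, ip: str, name: str, source: str) -> None:
        self._entries[ip] = (name, source)
        self._entries.move_to_end(ip)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)      # policy: drop the oldest entry

    def learn_from_capture(self, ip: str, name: str) -> bool:
        """Called for every A/AAAA answer seen in the capture.  With capture
        DNS disabled this is a no-op, so nothing accumulates per packet."""
        if not self.use_capture_dns:
            return False
        self._store(ip, name, "capture")
        return True

    def resolve(self, ip: str) -> Tuple[Optional[str], str]:
        """Return (name, source).  A cached entry is used first, whatever its
        origin; otherwise the system resolver is asked and a hit is cached."""
        if ip in self._entries:
            self._entries.move_to_end(ip)
            return self._entries[ip]
        name = self.system_resolver(ip)
        if name is None:
            return None, "unresolved"
        self._store(ip, name, "system")
        return name, "system"

    def source_of(self, ip: str) -> Optional[str]:
        """Peek at where a cached entry came from, without touching LRU order."""
        entry = self._entries.get(ip)
        return entry[1] if entry else None

    def __len__(self) -> int:
        return len(self._entries)


# Constructed stand-in for the system resolver (a dict instead of gethostbyaddr).
SYSTEM_NAMES = {"10.0.0.5": "printer.lab.internal", "8.8.8.8": "dns.google"}


def demo() -> Tuple[Tuple[Optional[str], str], Tuple[Optional[str], str]]:
    """Show the misleading resolution caused by a fake answer in the capture,
    and the same lookup with capture-derived resolution disabled."""
    polluted = AddrCache(capacity=3, system_resolver=SYSTEM_NAMES.get)
    polluted.learn_from_capture("10.0.0.5", "www.google.com")  # fake answer in the pcap
    hardened = AddrCache(capacity=3, system_resolver=SYSTEM_NAMES.get, use_capture_dns=False)
    hardened.learn_from_capture("10.0.0.5", "www.google.com")  # ignored
    return polluted.resolve("10.0.0.5"), hardened.resolve("10.0.0.5")


if __name__ == "__main__":
    print(demo())   # (('www.google.com', 'capture'), ('printer.lab.internal', 'system'))
```

The capacity cap bounds memory regardless of how many DNS packets the capture holds, which is the memory point of the thread; the `use_capture_dns` switch is the analyst-side control for the resolution point: a display name that came from the capture is a claim made by whoever produced those packets, not a fact about the network you are looking at, and a cache that cannot be told apart from system resolution hides that.
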
Re: [Wireshark-dev] Memory consumption in tshark

2013-08-29 Thread Dario Lombardo
On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus eapa...@gmail.com wrote:

 Basically, but it's also more. If your capture contains a DNS packet
 resolving a name in a certain way, and the system name resolver gives a
 different answer, we prefer the DNS packet in the capture (since presumably
 the capture was on some local network where that name resolves
 differently). For this reason we can't just drop old cache entries unless
 name resolution is disabled completely.


That's really interesting. This means that if a DNS packet with a fake
resolution is got, it can pollute the cache.
I've triggered this behaviour in the attached pcap file. It appears that
I'm pinging google (in my svn wireshark), while actually I'm pinging a
private address :).


wireshark-resolution-bug.pcapng
Description: Binary data

Re: [Wireshark-dev] Memory consumption in tshark

2013-08-28 Thread Dario Lombardo
On Tue, Aug 27, 2013 at 10:38 PM, Evan Huus eapa...@gmail.com wrote:

 We already discard a great deal of state in (single-pass) tshark that we
 keep around in Wireshark (or two-pass tshark). We do need to keep some,
 though. It's only a bug if we're keeping more than we actually need, and
 that's not determinable from the information we have here. Dario, if you
 could get us a memory profile of tshark in this situation (through
 valgrind's massif tool, for example) that would help us debug further.


For sure. But I'd need exactly the commands to run and what I should give
you back.



 I dislike the idea of two-pass by default for exactly this reason: people
 expect tshark to be relatively state-less. This is already not the case,
 but it's a lot worse in two-pass mode. It might even make sense to add a
 --state-less flag to tshark that disables all options which require state.
 I don't know how feasible that would be however.

 Evan


FYI, the 10G file is a giant DNS capture. Maybe the state kept in the queries
(for conversation creation) triggers the memory consumption.

Re: [Wireshark-dev] wireshark crashes while I export the packets.

2013-08-27 Thread Dario Lombardo
You could use a bisection method. Split the file in 2 smaller ones and try both.
Continue until you have 1 packet.
Once you have the guilty one, you can give it to the different programs
(wireshark, tshark, reordercap, mergecap, etc). If only one crashes, the
bug is located there. If all crash, probably the bug is in some lib
(libwireshark?).
Hope it helps.
Dario


On Mon, Aug 26, 2013 at 11:31 AM, Danniel_zeng cheer_z...@163.com wrote:

 Hi all,

 The wireshark (we have added something) crashes while I export the
 packet (regardless of which packet).
 And this only happens with the captures in our lab.
 It is hard to discover which message causes this issue, as there is no
 output in the console window at all.

 So I would like to know which method I can use to locate the bug.

 Thanks!




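The bisection procedure from the reply above, written out as an added example (not code from Wireshark or from either poster). The crashing tool is simulated by a predicate over a list of packets, and the file splitting is done on in-memory lists; with a real capture you would cut the halves with editcap and run wireshark or tshark on each. `bisect_crash`, the two simulated predicates and the constructed packet list are names chosen for this example. It also covers the case the reply does not mention: a crash that needs state from more than one packet (a conversation, reassembly) disappears as soon as the halves are separated, and the function reports that instead of guessing.

```python
from typing import Callable, Optional, Sequence, Tuple

Packets = Sequence[bytes]


def bisect_crash(packets: Packets,
                 crashes: Callable[[Packets], bool]) -> Tuple[Optional[int], int]:
    """Find the one packet that makes `crashes(subset)` true by halving.

    Returns (index, runs): the index of the offending packet in `packets`
    and how many times the tool had to be run.  Returns (None, runs) when
    the full set does not crash, or when the crash vanishes as soon as the
    set is split, which is the signature of a bug that needs state built up
    across several packets; bisection then cannot isolate a single packet
    and the smallest still-crashing subset has to be examined as a whole."""
    runs = 1
    if not crashes(packets):
        return None, runs
    lo, hi = 0, len(packets)                 # offending packet lies in packets[lo:hi]
    while hi - lo > 1:
        mid = (lo + hi) // 2
        runs += 1
        if crashes(packets[lo:mid]):         # first half reproduces it
            hi = mid
            continue
        runs += 1
        if crashes(packets[mid:hi]):         # second half reproduces it
            lo = mid
            continue
        return None, runs                    # neither half alone crashes
    return lo, runs


# Constructed sample: 1000 dummy packets.  Packet 613 carries a marker that
# the simulated tool "crashes" on; packets 200 and 800 only crash together.
SAMPLE_PACKETS = [b"pkt%04d" % i for i in range(1000)]
SAMPLE_PACKETS[613] += b"BAD"
SAMPLE_PACKETS[200] += b"REQ"
SAMPLE_PACKETS[800] += b"RSP"


def single_packet_crash(subset: Packets) -> bool:
    """Simulated tool: dies on one malformed packet, no state involved."""
    return any(b"BAD" in p for p in subset)


def stateful_crash(subset: Packets) -> bool:
    """Simulated tool: dies only when a response follows its request,
    i.e. the bug lives in conversation state, not in one packet."""
    seen_req = False
    for p in subset:
        if b"REQ" in p:
            seen_req = True
        elif b"RSP" in p and seen_req:
            return True
    return False


if __name__ == "__main__":
    print("single-packet bug:", bisect_crash(SAMPLE_PACKETS, single_packet_crash))
    print("state-dependent bug:", bisect_crash(SAMPLE_PACKETS, stateful_crash))
```

For a single-packet bug the number of runs stays around 2·log2(N), so a million-packet file is narrowed down in some forty runs of the tool; when the function returns `None` after the full file did crash, the next step is the one the reply hints at with the list of programs: compare which tools crash on the smallest reproducing subset to decide whether the fault is in a dissector's per-conversation state or in a shared library.
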
[Wireshark-dev] Memory consumption in tshark

2013-08-27 Thread Dario Lombardo
Hi list
I've run this command on a 10G pcap file.

./tshark -r traffic.all -Y "dns.qry.name.len > 50" -w longnames.pcap

Used memory grows continuously, up to over 3GB of ram. At this point my pc
goes thrashing and I must kill tshark.
That's not what I expected. I expected the memory to grow up to a certain
size, then stop, feeding the output file.
Any idea about what happens? Any suggestion on how to debug it?
Thanks
Dario.
