Wireshark mailing list archives
Why the name "Wiretap"?
From: robert.bullen () usbank com
Date: Fri, 28 Sep 2012 14:59:51 -0500
I've always found it confusing that a library responsible for reading and writing trace files is called wiretap, since it deals with neither the wire nor tapping. Could someone fill me in on the history of that name?

Robert Bullen
Network Application Analysis (NAA)
1 Meridian Crossing
Richfield, MN 55423-3978
Office: 612-973-6216
Email: robert.bullen () usbank com

From: wireshark-dev-request () wireshark org
To: wireshark-dev () wireshark org
Date: 09/28/2012 02:01 PM
Subject: Wireshark-dev Digest, Vol 76, Issue 44
Sent by: wireshark-dev-bounces () wireshark org

Today's Topics:

   1. converting pcapng to pcap (Albert Lo)
   2. Re: Do Windows compilers require WS_VAR_IMPORT in .h files (Joerg Mayer)
   3. Re: converting pcapng to pcap (Jakub Zawadzki)
   4. Re: Building for Windows without zlib? (Guy Harris)
   5. Re: converting pcapng to pcap (Guy Harris)
   6. Re: converting pcapng to pcap (albert)
   7. Re: [Wireshark-commits] rev 45191: /trunk/ /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt (Guy Harris)

----------------------------------------------------------------------

Message: 1
Date: Fri, 28 Sep 2012 17:39:01 +0000
From: Albert Lo <ALo () advancedio com>
To: "wireshark-dev () wireshark org" <wireshark-dev () wireshark org>
Subject: [Wireshark-dev] converting pcapng to pcap
Message-ID: <E5E4E6B17F036444A5A4D70F62B8739922CB2290 () Banff AdvancedIO loc>
Content-Type: text/plain; charset="us-ascii"

I would like to know where I can find the source files for editcap.
What libpcap API's are being called to convert .pcapng to .pcap with the following cmd?

    editcap -F libpcap -T ether file.pcapng file.pcap

Thx.

Cheers,
Albert
------------------------------

Message: 2
Date: Fri, 28 Sep 2012 19:40:29 +0200
From: Joerg Mayer <jmayer () loplof de>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Do Windows compilers require WS_VAR_IMPORT in .h files
Message-ID: <20120928174029.GD8105 () rhrk uni-kl de>
Content-Type: text/plain; charset="utf-8"

Hello Pascal,

On Fri, Sep 28, 2012 at 05:25:41PM +0200, Pascal Quantin wrote:
> 2012/9/28 Joerg Mayer <jmayer () loplof de>
>> I'm working on building wireshark with gcc with -fvisibility=hidden. This
>> will mostly mimic the behaviour already on Windows. The gcc attribute to
>> change the visibility causes errors when used in .h files (well, in
>> declarations without the object). I have replaced WS_VAR_IMPORT with
>> extern in .h files. Can someone on Windows please test whether this still
>> works?
>
> it fails with the following errors (MSVC2010EE 32 bits):

Can you please apply the attached patch on top of the previous one to check whether this fixed the compile problem in packet-dcom.c? If it does, I will rework the whole patch in the same manner.

Thanks for testing!

Ciao
    Jörg
--
Joerg Mayer <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that works.
Some say that should read Microsoft instead of technology.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcom-dot-c.patch
Type: text/x-diff
Size: 805 bytes
Desc: not available
URL: <http://www.wireshark.org/lists/wireshark-dev/attachments/20120928/a37f0f59/attachment.patch>
------------------------------

Message: 3
Date: Fri, 28 Sep 2012 19:54:09 +0200
From: Jakub Zawadzki <darkjames-ws () darkjames pl>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <20120928175409.GE1989 () darkjames pl>
Content-Type: text/plain; charset=us-ascii

Hi,

On Fri, Sep 28, 2012 at 05:39:01PM +0000, Albert Lo wrote:
> What libpcap API's are being called to convert .pcapng to .pcap with the
> following cmd?

We use our own library (wiretap) to read and write capture files.

------------------------------

Message: 4
Date: Fri, 28 Sep 2012 11:05:22 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Building for Windows without zlib?
Message-ID: <6A5D75F4-6762-4A3F-B456-006B284110F1 () alum mit edu>
Content-Type: text/plain; charset=us-ascii

On Sep 28, 2012, at 7:47 AM, robert.bullen () usbank com wrote:
> I build Wireshark for Windows without zlib. It works faster, but I think
> that is more the result of consuming less memory than an actual speed increase.

At least with the new compressed-file code as of 1.6, it shouldn't consume more memory (other than for zlib itself, which shouldn't be invoked for uncompressed files except when the file is opened, and maybe for a few data structure members) for an uncompressed file. If it's doing that, file a bug.

> In addition, it allows files larger than 2 GB to be read (at least that
> used to be a reason; not sure if it is still valid).

That should be fixed in the Wiretap library as of 1.6 - the new code for reading files doesn't use the zlib I/O routines, and uses routines that should support 64-bit file offsets if the underlying OS does (which includes 64-bit platforms and, I think, most if not all recent versions of various UN*Xes, and NT versions of Windows).

However, a file larger than 2GB might have enough packets that the frame_data structures might fill up a 32-bit address space, and there's a bug, fixed only recently, where, at least on Windows, we were imposing 32-bit limits on 64-bit address spaces.
> I would like to know where I can find the source files for editcap. What
> libpcap API's are being called to convert .pcapng to .pcap with the
> following cmd?
>
>     editcap -F libpcap -T ether file.pcapng file.pcap

As Jakub noted, we don't use libpcap to read or write capture files.

However, if you convert pcap-ng to pcap with the command

    tcpdump -r file.pcapng -w file.pcap

on a system with libpcap 1.1.0 or later, the APIs used are

    pcap_open_offline(), to open the input file;
    pcap_loop(), to read the packets;
    pcap_close(), to close the input file;
    pcap_dump_open(), to open the output file;
    pcap_dump(), to write to the output file;
    pcap_dump_close(), to close the output file.

That will, of course, only work if the file can actually be converted to pcap without damaging it, i.e. if all the interfaces in the pcap-ng file have the same link-layer type. If they don't, the file cannot be represented in a pcap file in any form that will actually give the right answer if you try to read it (so "-T ether" isn't going to fix that problem with editcap).

------------------------------

Message: 6
Date: Fri, 28 Sep 2012 18:43:29 +0000 (UTC)
From: albert <alo () advancedio com>
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <loom.20120928T203756-894 () post gmane org>
Content-Type: text/plain; charset=us-ascii

Guy Harris <guy@...> writes:
> However, if you convert pcap-ng to pcap with the command
>
>     tcpdump -r file.pcapng -w file.pcap
>
> on a system with libpcap 1.1.0 or later, the APIs used are
>
>     pcap_open_offline(), to open the input file;
>     pcap_loop(), to read the packets;
>     pcap_close(), to close the input file;
>     pcap_dump_open(), to open the output file;
>     pcap_dump(), to write to the output file;
>     pcap_dump_close(), to close the output file.

Thank you for the prompt response. If you could tolerate a couple more newbie questions.....

I'm assuming that the meat of the .pcapng to .pcap conversion is done in the pcap_handler callback for pcap_offline_read(). Is this correct? If so, how/where does the callback function for pcap_offline_read() get pre-assigned?

Much appreciated for your time in this matter.

Cheers,
Albert

------------------------------

Message: 7
Date: Fri, 28 Sep 2012 11:52:45 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] [Wireshark-commits] rev 45191: /trunk/ /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt
Message-ID: <96273A0C-2E67-4ECF-BC64-F93DF83AC871 () alum mit edu>
Content-Type: text/plain; charset=us-ascii

On Sep 28, 2012, at 7:29 AM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
> I had been assuming that we needed to continue to define HAVE_CONFIG_H for
> backwards compatibility (e.g., for custom dissectors).

I'm not entirely sure what the point of HAVE_CONFIG_H is. Is it to allow code to be "portable" between an autoconfig environment that uses config.h and other build tool environments (including autoconfig-based environments) that use -D's in the compile commands?

The autoconf documentation doesn't really give an indication of the purpose of HAVE_CONFIG_H or an indication of what the "best practice" is.

------------------------------

End of Wireshark-dev Digest, Vol 76, Issue 44
Current thread:
- Why the name "Wiretap"? robert . bullen (Sep 28)
- Re: Why the name "Wiretap"? Gilbert Ramirez (Sep 28)
- Re: Why the name "Wiretap"? Jakub Zawadzki (Sep 28)
- Re: Why the name "Wiretap"? Guy Harris (Sep 28)
- Re: Why the name "Wiretap"? Jakub Zawadzki (Sep 28)
- Re: Why the name "Wiretap"? Gilbert Ramirez (Sep 28)