Wireshark mailing list archives

Why the name "Wiretap"?


From: robert.bullen () usbank com
Date: Fri, 28 Sep 2012 14:59:51 -0500

I've always found it confusing that a library responsible for reading and 
writing trace files is called wiretap, since it deals with neither the 
wire nor tapping. Could someone fill me in on the history of that name?

Robert Bullen
Network Application Analysis (NAA)
1 Meridian Crossing
Richfield, MN 55423-3978
Office: 612-973-6216
Email: robert.bullen () usbank com



From:   wireshark-dev-request () wireshark org
To:     wireshark-dev () wireshark org
Date:   09/28/2012 02:01 PM
Subject:        Wireshark-dev Digest, Vol 76, Issue 44
Sent by:        wireshark-dev-bounces () wireshark org




Today's Topics:

   1. converting pcapng to pcap (Albert Lo)
   2. Re: Do Windows compilers require WS_VAR_IMPORT in .h files
      (Joerg Mayer)
   3. Re: converting pcapng to pcap (Jakub Zawadzki)
   4. Re: Building for Windows without zlib? (Guy Harris)
   5. Re: converting pcapng to pcap (Guy Harris)
   6. Re: converting pcapng to pcap (albert)
   7. Re: [Wireshark-commits] rev 45191: /trunk/
      /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt
      (Guy Harris)


----------------------------------------------------------------------

Message: 1
Date: Fri, 28 Sep 2012 17:39:01 +0000
From: Albert Lo <ALo () advancedio com>
To: "wireshark-dev () wireshark org" <wireshark-dev () wireshark org>
Subject: [Wireshark-dev] converting pcapng to pcap
Message-ID:
 <E5E4E6B17F036444A5A4D70F62B8739922CB2290 () Banff AdvancedIO loc>
Content-Type: text/plain; charset="us-ascii"

I would like to know where I can find the source files for editcap.
What libpcap APIs are being called to convert .pcapng to .pcap with the
following cmd?

editcap -F libpcap -T ether file.pcapng file.pcap


Thx.
Cheers,
Albert



------------------------------

Message: 2
Date: Fri, 28 Sep 2012 19:40:29 +0200
From: Joerg Mayer <jmayer () loplof de>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Do Windows compilers require WS_VAR_IMPORT in .h files
Message-ID: <20120928174029.GD8105 () rhrk uni-kl de>
Content-Type: text/plain; charset="utf-8"

Hello Pascal,

On Fri, Sep 28, 2012 at 05:25:41PM +0200, Pascal Quantin wrote:
> 2012/9/28 Joerg Mayer <jmayer () loplof de>
>> I'm working on building wireshark with gcc with -fvisibility=hidden. This
>> will mostly mimic the behaviour already on Windows. The gcc attribute
>> to change the visibility causes errors when used in .h files (well, in
>> declarations without a  the object).
>> I have replaced WS_VAR_IMPORT with extern in .h files. Can someone on
>> Windows please test whether this still works?
>
> it fails with the following errors (MSVC2010EE 32 bits):

Can you please apply the attached patch on top of the previous one to check
whether this fixed the compile problem in packet-dcom.c?
If it does, I will rework the whole patch in the same manner.

Thanks for testing!

 Ciao
    Jörg
-- 
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcom-dot-c.patch
Type: text/x-diff
Size: 805 bytes
Desc: not available
URL: <http://www.wireshark.org/lists/wireshark-dev/attachments/20120928/a37f0f59/attachment.patch>

------------------------------

Message: 3
Date: Fri, 28 Sep 2012 19:54:09 +0200
From: Jakub Zawadzki <darkjames-ws () darkjames pl>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <20120928175409.GE1989 () darkjames pl>
Content-Type: text/plain; charset=us-ascii

Hi,

On Fri, Sep 28, 2012 at 05:39:01PM +0000, Albert Lo wrote:
> What libpcap APIs are being called to convert .pcapng to .pcap with the
> following cmd?

We use our own library (wiretap) to read and write capture files.


------------------------------

Message: 4
Date: Fri, 28 Sep 2012 11:05:22 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Building for Windows without zlib?
Message-ID: <6A5D75F4-6762-4A3F-B456-006B284110F1 () alum mit edu>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 7:47 AM, robert.bullen () usbank com wrote:

> I build Wireshark for Windows without zlib. It works faster, but I think
> that is more the result of consuming less memory than an actual speed
> increase.

At least with the new compressed-file code as of 1.6, it shouldn't consume
more memory (other than for zlib itself, which shouldn't be invoked for
uncompressed files except when the file is opened, and maybe for a few
data structure members) for an uncompressed file.  If it's doing that,
file a bug.

> In addition, it allows files larger than 2 GB to be read (at least that
> used to be a reason; not sure if it is still valid).

That should be fixed in the Wiretap library as of 1.6 - the new code for
reading files doesn't use the zlib I/O routines, and uses routines that
should support 64-bit file offsets if the underlying OS does (which
includes 64-bit platforms and, I think, most if not all recent versions of
various UN*Xes, and NT versions of Windows).

However, a file larger than 2GB might have enough packets that the
frame_data structures might fill up a 32-bit address space, and there's a
bug, fixed only recently, where, at least on Windows, we were imposing
32-bit limits on 64-bit address spaces.

------------------------------

Message: 5
Date: Fri, 28 Sep 2012 11:11:14 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <1AD03A96-D583-434D-840C-DF3A0A067F66 () alum mit edu>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 10:39 AM, Albert Lo <ALo () advancedio com> wrote:

> I would like to know where I can find the source files for editcap.
> What libpcap APIs are being called to convert .pcapng to .pcap with the
> following cmd?
>
> editcap -F libpcap -T ether file.pcapng file.pcap

As Jakub noted, we don't use libpcap to read or write capture files.

However, if you convert pcap-ng to pcap with the command

                 tcpdump -r file.pcapng -w file.pcap

on a system with libpcap 1.1.0 or later, the APIs used are

                 pcap_open_offline(), to open the input file;

                 pcap_loop(), to read the packets;

                 pcap_close(), to close the input file;

                 pcap_dump_open(), to open the output file;

                 pcap_dump(), to write to the output file;

                 pcap_dump_close(), to close the output file.

That will, of course, only work if the file can actually be converted to
pcap without damaging it, i.e. if all the interfaces in the pcap-ng file
have the same link-layer type.  If they don't, the file cannot be
represented in a pcap file in any form that will actually give the right
answer if you try to read it (so "-T ether" isn't going to fix that
problem with editcap).
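The constraint Guy describes above (a pcap file has a single link-layer type in its global header, so a pcap-ng file with interfaces of differing link types cannot be converted faithfully) can be checked before attempting any conversion. The following is an added example written for this archive page; it is not code from the thread, from Wireshark's wiretap library or from libpcap. It walks the blocks of an in-memory pcap-ng section, reads the LinkType of every Interface Description Block, and reports whether one pcap link type covers all of them. The function names `pcapng_single_linktype` and `pcap_target_linktype` and the byte arrays `SAMPLE_ONE_IFACE`, `SAMPLE_TWO_IFACES` and `SAMPLE_BE` are constructed for the example; the block layouts follow the pcap-ng format (SHB, IDB, EPB) and the sample bytes are not real captures.

```c
/* Added example (not code from the thread, Wireshark or libpcap): decide
 * whether an in-memory pcap-ng section can be written as a classic pcap file.
 * A pcap file carries exactly one link-layer type in its global header, so the
 * conversion is only faithful when every Interface Description Block (IDB)
 * in the pcap-ng data declares the same LinkType. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAPNG_IDB 0x00000001U  /* Interface Description Block type */

static const uint8_t SHB_MAGIC[4] = { 0x0A, 0x0D, 0x0D, 0x0A };  /* Section Header Block, same in both byte orders */
static const uint8_t BOM_LE[4]    = { 0x4D, 0x3C, 0x2B, 0x1A };  /* byte-order magic as written little-endian */
static const uint8_t BOM_BE[4]    = { 0x1A, 0x2B, 0x3C, 0x4D };  /* byte-order magic as written big-endian */

/* Field readers that honour the section's declared byte order (le != 0 means little-endian). */
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk every block in buf. Returns 1 if all IDBs share one LinkType (stored in
 * *linktype), 0 if two interfaces disagree, -1 if the data is truncated or
 * malformed. Every length is checked before use: capture files are untrusted
 * input, and a reader must never trust a block length to stay inside the buffer. */
int pcapng_single_linktype(const uint8_t *buf, size_t len, uint16_t *linktype)
{
    size_t off = 0;
    int le = -1, have = 0;
    uint16_t lt = 0;

    while (off + 12 <= len) {                        /* smallest legal block is 12 bytes */
        if (memcmp(buf + off, SHB_MAGIC, 4) == 0) {  /* new section: learn its byte order */
            if (memcmp(buf + off + 8, BOM_LE, 4) == 0)      le = 1;
            else if (memcmp(buf + off + 8, BOM_BE, 4) == 0) le = 0;
            else return -1;
        } else if (le < 0) {
            return -1;                               /* data before the first SHB */
        }
        uint32_t btype = rd32(buf + off, le);
        uint32_t blen  = rd32(buf + off + 4, le);
        if (blen < 12 || (blen & 3) != 0 || blen > len - off) return -1;
        if (rd32(buf + off + blen - 4, le) != blen) return -1;  /* trailing length must repeat the leading one */

        if (btype == PCAPNG_IDB) {
            if (blen < 20) return -1;                /* IDB body: LinkType(2) Reserved(2) SnapLen(4) */
            uint16_t this_lt = rd16(buf + off + 8, le);
            if (have && this_lt != lt) return 0;     /* mixed link types: not representable in pcap */
            lt = this_lt;
            have = 1;
        }
        off += blen;                                 /* options and other block types are skipped */
    }
    if (!have || off != len) return -1;              /* no interface described, or trailing garbage */
    *linktype = lt;
    return 1;
}

/* Convenience wrapper: the LinkType a pcap global header would need, -2 when
 * the interfaces disagree, -1 when the input is malformed. */
int pcap_target_linktype(const uint8_t *buf, size_t len)
{
    uint16_t lt = 0;
    int r = pcapng_single_linktype(buf, len, &lt);
    return r == 1 ? (int)lt : (r == 0 ? -2 : -1);
}

/* Constructed samples (not real captures). SAMPLE_ONE_IFACE: little-endian SHB,
 * one Ethernet IDB (LinkType 1), one Enhanced Packet Block with 4 bytes of data. */
static const uint8_t SAMPLE_ONE_IFACE[] = {
    0x0A,0x0D,0x0D,0x0A, 0x1C,0x00,0x00,0x00, 0x4D,0x3C,0x2B,0x1A, 0x01,0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x1C,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00, 0x14,0x00,0x00,0x00,
    0x06,0x00,0x00,0x00, 0x24,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0xDE,0xAD,0xBE,0xEF, 0x24,0x00,0x00,0x00,
};
/* SAMPLE_TWO_IFACES: same SHB, an Ethernet IDB and a Linux cooked capture (LinkType 113) IDB. */
static const uint8_t SAMPLE_TWO_IFACES[] = {
    0x0A,0x0D,0x0D,0x0A, 0x1C,0x00,0x00,0x00, 0x4D,0x3C,0x2B,0x1A, 0x01,0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x1C,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00, 0x14,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x71,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00, 0x14,0x00,0x00,0x00,
};
/* SAMPLE_BE: the one-interface case written big-endian, to exercise the byte-order switch. */
static const uint8_t SAMPLE_BE[] = {
    0x0A,0x0D,0x0D,0x0A, 0x00,0x00,0x00,0x1C, 0x1A,0x2B,0x3C,0x4D, 0x00,0x01,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x1C,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x00,0x00,0xFF,0xFF, 0x00,0x00,0x00,0x14,
};

int main(void)
{
    printf("one interface : %d\n", pcap_target_linktype(SAMPLE_ONE_IFACE, sizeof SAMPLE_ONE_IFACE));     /* 1  */
    printf("two interfaces: %d\n", pcap_target_linktype(SAMPLE_TWO_IFACES, sizeof SAMPLE_TWO_IFACES));   /* -2 */
    printf("big-endian    : %d\n", pcap_target_linktype(SAMPLE_BE, sizeof SAMPLE_BE));                   /* 1  */
    printf("truncated     : %d\n", pcap_target_linktype(SAMPLE_ONE_IFACE, sizeof SAMPLE_ONE_IFACE - 1)); /* -1 */
    return 0;
}
```

A result of 1 (or any other single LinkType) is the value a pcap global header would carry; -2 is the mixed-interface case the message above describes, where no choice of `-T` makes the output readable correctly, because each packet's framing depends on which interface it came from. The truncated-input case shows why the trailing-length and bounds checks matter: a capture file is untrusted input, and a block length that points past the end of the data must be rejected rather than followed.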

------------------------------

Message: 6
Date: Fri, 28 Sep 2012 18:43:29 +0000 (UTC)
From: albert <alo () advancedio com>
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] converting pcapng to pcap
Message-ID: <loom.20120928T203756-894 () post gmane org>
Content-Type: text/plain; charset=us-ascii

Guy Harris <guy@...> writes:

> However, if you convert pcap-ng to pcap with the command
>
>                tcpdump -r file.pcapng -w file.pcap
>
> on a system with libpcap 1.1.0 or later, the APIs used are
>
>                pcap_open_offline(), to open the input file;
>
>                pcap_loop(), to read the packets;
>
>                pcap_close(), to close the input file;
>
>                pcap_dump_open(), to open the output file;
>
>                pcap_dump(), to write to the output file;
>
>                pcap_dump_close(), to close the output file.

Thank you for the prompt response.
If you could tolerate a couple more newbie questions.....

I'm assuming that the meat of the .pcapng to .pcap conversion is done in the
pcap_handler callback for pcap_offline_read().  Is this correct?

If so, how/where does the callback function for pcap_offline_read() get
pre-assigned?

Much appreciated for your time in this matter.


Cheers,
Albert




------------------------------

Message: 7
Date: Fri, 28 Sep 2012 11:52:45 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] [Wireshark-commits] rev 45191: /trunk/ /trunk/epan/dissectors/: packet-btsap.c /trunk/: CMakeLists.txt
Message-ID: <96273A0C-2E67-4ECF-BC64-F93DF83AC871 () alum mit edu>
Content-Type: text/plain; charset=us-ascii


On Sep 28, 2012, at 7:29 AM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:

> I had been assuming that we needed to continue to define HAVE_CONFIG_H
> for backwards compatibility (e.g., for custom dissectors).

I'm not entirely sure what the point of HAVE_CONFIG_H is.  Is it to allow 
code to be "portable" between an autoconfig environment that uses config.h 
and other build tool environments (including autoconfig-based 
environments) that use -D's in the compile commands?  The autoconf 
documentation doesn't really give an indication of the purpose of 
HAVE_CONFIG_H or an indication of what the "best practice" is.

------------------------------



