Wireshark-commits: [Wireshark-commits] master 35cf66d: file-pcapng: Add support for inspecting Appl
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Sat, 18 Feb 2017 07:13:53 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=35cf66d8bd2d225ab4dad39f5af5253ab6c8caa9

Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

35cf66d by Jim Young (jyoung@xxxxxxx):

    file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files

    This patch augments the MIME based file-pcapng dissector to allow one to
    more easily examine pcapng blocks that contain Darwin Process Information.

    With this patch one can dissect and inspect, albeit as a MIME object, the
    Darwin process information elements contained within an Apple augmented
    pcapng file:

        $ wireshark -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng

        $ tshark -V -X read_format:'MIME Files Format' -r bug12587.pktap.pcapng | egrep '^ Block:|Darwin .* =' | less

    Apple's macOS provides an enhanced tcpdump with a pktap interface option
    that supports the collection, display and storing of Darwin process and/or
    service class information related to each captured packet.

    Using Apple's pktap interface during a live capture the process information
    may be revealed using Apple's tcpdump -k [metadata] option. Apple's tcpdump
    -k option augments tcpdump's standard report with an additional
    parenthesized () set of information inserted after the packet timestamp.
    If the capture file actually contains Darwin process information, Apple's
    tcpdump -k could include the interface name (or interface id), process id,
    process name, process_uuid, service, and/or direction for each packet
    depending on the value of the -k's [metadata] argument provided (if any).

    If the Apple tcpdump trace is captured to disk, the Darwin based process
    and service information is saved in pcapng format augmented with several
    new Enhanced Packet Block options (32779, 32780, 32781) along with a new
    block type (0x80000001) called here a Darwin Process Event Block (DPEB).

    The Darwin Process Event Block is used in a manner similar to a pcapng IDB
    in that it contains process event information that is referenced by later
    EPBs via the EPB options Darwin DPEB ID (32769) and Darwin EDPEB ID
    (32871). EPBs may also include the Darwin Service Class option (32770)
    which includes a numeric value that maps to a mnemonic service class.

    A PKTAP enhanced pcapng file can later be read back in with Apple's tcpdump
    along with the help of its -k option to display the original Darwin Process
    Information.

    Packets collected using Apple's remote virtual interface (rvictl)[1] from
    iOS devices can also contain Darwin Process Information.

    Note: This is a first step to help determine what will be necessary to
    eventually display any available Darwin Process Information within the
    Frame tree when an Apple PKTAP enhanced pcapng file is opened naturally in
    Wireshark and not as a MIME object.

    [1] https://developer.apple.com/library/content/qa/qa1176/_index.html

    Ping-Bug: 13096
    Ping-Bug: 12587
    Change-Id: I180e661dab0b0096a711603b53270105390d05e2
    Reviewed-on: https://code.wireshark.org/review/20157
    Petri-Dish: Anders Broman <a.broman58@xxxxxxxxx>
    Tested-by: Petri Dish Buildbot <buildbot-no-reply@xxxxxxxxxxxxx>
    Reviewed-by: Michael Mann <mmann78@xxxxxxxxxxxx>
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>

Actions performed:

    from  7ccc551   Modbus - Add ability to filter by holding/input register number OR value
    adds  35cf66d   file-pcapng: Add support for inspecting Apple's PKTAP enhanced pcapng files

Summary of changes:
 epan/dissectors/file-pcapng.c | 329 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 314 insertions(+), 15 deletions(-)
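To show how the blocks and option codes named in the commit message sit inside a pcapng file, here is a small length-checking block walker, added as an example and not code from the Wireshark patch. It assumes the standard pcapng layouts for SHB, IDB and EPB, uses the Darwin option numbers exactly as the commit message lists them, treats the DPEB body as opaque because its layout is not described above, and runs over a constructed sample capture rather than a real Apple pktap file.

```python
import struct

# Block types and option codes are those named in the commit message above. The
# sample capture at the bottom is constructed, not a real Apple pktap file; the
# DPEB body layout is not described there, so the walker leaves it opaque.
SHB, IDB, EPB, DPEB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x80000001
NAMES = {SHB: "SHB", IDB: "IDB", EPB: "EPB", DPEB: "Darwin Process Event Block"}
DARWIN_EPB_OPTIONS = {32769: "Darwin DPEB ID", 32770: "Darwin Service Class",
                      32871: "Darwin EDPEB ID"}
OPTIONS_AT = {SHB: 16, IDB: 8}  # byte offset of the option list in the body

def parse_options(buf):  # option = code(2) length(2) value padded to 4 bytes
    opts, pos = {}, 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if code == 0:  # opt_endofopt
            break
        opts[DARWIN_EPB_OPTIONS.get(code, code)] = buf[pos:pos + length]
        pos += (length + 3) & ~3
    return opts
def walk_blocks(data):  # returns [(block name, options)] after validating lengths
    out, pos = [], 0
    while pos + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {pos}")
        if struct.unpack_from("<I", data, pos + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {pos}")
        body = data[pos + 8:pos + blen - 4]
        if btype == EPB:  # iface, ts hi, ts lo, caplen, origlen, data, options
            caplen = struct.unpack_from("<I", body, 12)[0]
            opts = parse_options(body[20 + ((caplen + 3) & ~3):])
        elif btype in OPTIONS_AT:
            opts = parse_options(body[OPTIONS_AT[btype]:])
        else:  # DPEB and unknown types are reported, body left opaque
            opts = {}
        out.append((NAMES.get(btype, f"0x{btype:08x}"), opts))
        pos += blen
    return out
def block(btype, body):  # helpers that build the constructed sample capture
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def option(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)
END = struct.pack("<HH", 0, 0)
SAMPLE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + END)
          + block(IDB, struct.pack("<HHI", 1, 0, 65535) + END)
          + block(DPEB, b"\0" * 8)
          + block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef"
                  + option(32769, b"\0\0\0\0") + option(32770, b"\x02\0\0\0") + END))
```

Running `walk_blocks(SAMPLE)` lists the four blocks in order and shows the EPB carrying a Darwin DPEB ID of 0 (pointing at the single DPEB) and a Darwin Service Class value of 2; a block whose trailing length does not match its header is rejected instead of being walked.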