Wireshark-dev: Re: [Wireshark-dev] Capture filename not available at plugin init time

From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Fri, 3 Nov 2017 14:07:51 +0000

Thanks for responding Roland.

 

I’ve written a tool that reads a log file and converts it to a PCAP-NG with a matching dissector.  The pcap file carries a data descriptor block in a new PCAP-NG block type called as TSDB.  The TSDB carries the information needed to register the header fields.  To add support for the TSDB into core Wireshark is going to be a big job (which I will submit later).  As a quick solution, the dissector gets the information by directly opening and reading it from the PCAP-NG file – hence the need for the filename.

 

The above aside, and I can guess you are thinking I’m just trying to avoid a bigger coding job, it’s not unreasonable to expect plugin_if_get_ws_info to get the filename at init time, and init is called when the filename is known.

 

I have a really kludgie workaround which is to read the TSDB and register the hf structure on the first call to the dissector, but it’s not ideal.

 

Best regards…Paul

 

From: Wireshark-dev [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Roland Knall
Sent: 03 November 2017 13:53
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Capture filename not available at plugin init time

 

Hi Paul

 

As far as I know, cf_open can still fail after calling the init-functions. In that case you would get the filename, but the capture is already closed.

 

My question is, why do you need the filename in the first place?

 

Also, you could set the filename at a later point. If you implement a tap-interface, you could set the filename in the first tap-print callback. Makes sense, 'cause you normally only have data at this point anyway.

 

You can raise this as an improvement (do not think it is a bug) if you want to, not really sure though, if it should be changed

 

cheers

 

 

On Fri, Nov 3, 2017 at 2:49 PM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

I have a dissector that needs the capture file name at the time my dissector’s init function is called.  I attempt to get the name with plugin_if_get_ws_info(…), not an unreasonable request I think you’ll agree, but unfortunately the filename comes back as a NULL pointer.

 

I’ve traced through the code and this is what happens:

 

  • We pass through the MainWindow signal and slot stuff and eventually call cf_open(…) in file.c with the filename as one of the parameters
  • cf_open(…) opens the file to test the validity of the filename and then closes with cf_close(cf)
  • cf_close(cf) frees the memory holding the filename and NULLs the filename pointer in the cf structure
  • cf_open then creates a new epan session with ws_epan_new(cf)
  • ws_epan_new(cf) calls epan_new() which calls init_dissection() and this is where eventually my dissector’s init function gets called
  • My dissector calls plugin_if_get_ws_info(…) which attempts to get the filename info from the cf structure, which due to the above returns a NULL filename pointer
  • Eventually we return back to cf_open(…) and a little later we set up the file name in the cf structure – all too late for my dissector’s init function

 

So my questions are:

 

  • Can I raise this as a bug?
  • If not, would a solution that made the filename available to plugin_if_get_ws_info(…) at init time be accepted?
  • What would be an acceptable solution?

 

Thanks and regards…Paul


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

 


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________