authorAnthony Coddington <anthony.coddington@endace.com>2016-03-21 17:32:13 +1300
committerAnders Broman <a.broman58@gmail.com>2016-06-07 03:56:02 +0000
commitad0e70f10c1cd18d17874db2264c7e1986b9b9b3 (patch)
treeec0c362681e87a41b12bf8f608e369b68986daeb
parent0ec5a271ea96e92d80060bded7245749a71e199d (diff)
downloadwireshark-ad0e70f10c1cd18d17874db2264c7e1986b9b9b3.tar.gz
ERF: Make ERF wiretap forwards compatible.
The dissector has always been able to cope with unknown record types, so pass them through (and call the data dissector from the ERF dissector in this case). Previously, processing stopped on the first unrecognized record, which is very unhelpful for otherwise valid files that have new types mixed in. Remove the ERF type check altogether from the open heuristic, as the ERF type could be past 48 in future and, with the "more extension headers" bit, any byte value could be valid. Also allow setting ERF_RECORDS_TO_CHECK to 0 to force skipping the heuristic. Change-Id: I8331eef30ba2e949564f418b3100bd73b8f58116 Reviewed-on: https://code.wireshark.org/review/15361 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-erf.c1
-rw-r--r--wiretap/erf.c14
-rw-r--r--wiretap/erf.h3
3 files changed, 7 insertions, 11 deletions
diff --git a/epan/dissectors/packet-erf.c b/epan/dissectors/packet-erf.c
index 39809ec940..f5f7099bb9 100644
--- a/epan/dissectors/packet-erf.c
+++ b/epan/dissectors/packet-erf.c
@@ -2481,6 +2481,7 @@ dissect_erf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
break;
default:
+ call_data_dissector(tvb, pinfo, tree);
break;
} /* erf type */
return tvb_captured_length(tvb);
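Review bot: The new call in the `default:` arm has no comment saying that this arm is now reachable for any type value found in a file, since the wiretap reader in this same commit stops rejecting unknown record types. I would add `/* Unknown ERF type: wiretap passes these through, so show the payload as raw data */` above the `call_data_dissector` line. The switch and the rest of dissect_erf begin outside this hunk.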
diff --git a/wiretap/erf.c b/wiretap/erf.c
index 04a1bb5be8..e8208be361 100644
--- a/wiretap/erf.c
+++ b/wiretap/erf.c
@@ -237,7 +237,7 @@ extern wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info)
/* number of records to scan before deciding if this really is ERF */
if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
- if ((n = atoi(s)) > 0 && n < 101) {
+ if ((n = atoi(s)) >= 0 && n < 101) {
records_for_erf_check = n;
}
}
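Review bot: Relaxing the test to `>= 0` turns `atoi`'s failure value into a valid setting. `atoi` returns 0 for an empty or non-numeric string, so `ERF_RECORDS_TO_CHECK=abc` is now indistinguishable from an explicit `0` and, going by the commit description, skips the open heuristic entirely. Parsing with `strtol` and a local `char *end` keeps 0 an explicit opt-in: `long v = strtol(s, &end, 10);` followed by `if (end != s && *end == '\0' && v >= 0 && v < 101) records_for_erf_check = v;`. The existing comment only describes a record count, so it should also say that 0 disables the check. erf_open's body continues outside the hunk.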
@@ -295,12 +295,12 @@ extern wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info)
continue;
}
- /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
- /* Not all types within this range are decoded, but it is a first filter */
- if ((header.type & 0x7F) == 0 || (header.type & 0x7F) > ERF_TYPE_MAX ) {
+ /* ERF Type 0 is reserved for ancient legacy records which are not supported, probably not ERF */
+ if ((header.type & 0x7F) == 0) {
return WTAP_OPEN_NOT_MINE;
}
+ /* fail on decreasing timestamps */
if ((ts = pletoh64(&header.ts)) < prevts) {
/* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
if ( ((prevts-ts)>>32) > 1 ) {
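Review bot: With the upper bound gone, type 0 is the only type-based rejection left in this loop, so the heuristic relies on the timestamp test and on whatever length checks follow outside this hunk to tell ERF from other formats. The reason for dropping the bound is in the commit message but not in the code; I would record it next to the check, e.g. `/* No upper bound: new types and the extension-header bit make any non-zero value possible */`. The new type 0 comment is also ambiguous about what the branch decides; `/* Type 0 is reserved for unsupported legacy records; treat the file as not ERF */` states it directly. The loop starts and ends outside the hunk.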
@@ -680,10 +680,8 @@ static gboolean erf_read_header(wtap *wth, FILE_T fh,
case ERF_TYPE_TCP_FLOW_COUNTER:
/* unsupported, continue with default: */
default:
- *err = WTAP_ERR_UNSUPPORTED;
- *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
- erf_header->type);
- return FALSE;
+ /* let the dissector dissect as unknown record type for forwards compatibility */
+ break;
}
{
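Review bot: The retained comment `/* unsupported, continue with default: */` on the fall-through cases is now misleading, because `default:` no longer fails the read but passes the record on. Something like `/* no type-specific header handled here; fall through and pass the record on as-is */` matches the new behaviour. More importantly, records with arbitrary type bytes now reach the code after the switch, which is outside this hunk. This arm used to be where unexpected records were refused, so it is worth confirming that the record length fields are validated there for every type and not only for those with explicit cases.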
diff --git a/wiretap/erf.h b/wiretap/erf.h
index 168f51a275..bf91311025 100644
--- a/wiretap/erf.h
+++ b/wiretap/erf.h
@@ -95,9 +95,6 @@
/* Pad records */
#define ERF_TYPE_PAD 48
-#define ERF_TYPE_MIN 1 /* sanity checking */
-#define ERF_TYPE_MAX 48 /* sanity checking */
-
#define ERF_EXT_HDR_TYPE_CLASSIFICATION 3
#define ERF_EXT_HDR_TYPE_INTERCEPTID 4
#define ERF_EXT_HDR_TYPE_RAW_LINK 5