authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
commite4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch)
tree68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/file-pcapng-darwin.c
parentInitial commit. (diff)
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/file-pcapng-darwin.c')
-rw-r--r--epan/dissectors/file-pcapng-darwin.c248
1 files changed, 248 insertions, 0 deletions
diff --git a/epan/dissectors/file-pcapng-darwin.c b/epan/dissectors/file-pcapng-darwin.c
new file mode 100644
index 00000000..055389a4
--- /dev/null
+++ b/epan/dissectors/file-pcapng-darwin.c
@@ -0,0 +1,248 @@
+/* file-pcapng-darwin.c
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/addr_resolv.h>
+
+#include <epan/dissectors/file-pcapng.h>
+
+/*
+ * Apple's Pcapng Darwin Process Event Block
+ *
+ * A Darwin Process Event Block (DPEB) is an Apple defined container
+ * for information describing a Darwin process.
+ *
+ * Tools that write / read the capture file associate an incrementing
+ * 32-bit number (starting from '0') to each Darwin Process Event Block,
+ * called the DPEB ID for the process in question. This number is
+ * unique within each Section and identifies a specific DPEB; a DPEB ID
+ * is only unique inside the current section. Two Sections can have different
+ * processes identified by the same DPEB ID values. DPEB ID are referenced
+ * by Enhanced Packet Blocks that include options to indicate the Darwin
+ * process to which the EPB refers.
+ *
+ *
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +---------------------------------------------------------------+
+ * 0 | Block Type = 0x80000001 |
+ * +---------------------------------------------------------------+
+ * 4 | Block Total Length |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * 8 | Process ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * 12 / /
+ * / Options (variable) /
+ * / /
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Block Total Length |
+ * +---------------------------------------------------------------+
+ *
+ * Figure XXX.1: Darwin Process Event Block
+ *
+ * The meaning of the fields are:
+ *
+ * o Block Type: The block type of a Darwin Process Event Block is 2147483649.
+ *
+ * Note: This specific block type number falls into the range defined
+ * for "local use" but has in fact been available publically since Darwin
+ * 13.0 for pcapng files generated by Apple's tcpdump when using the PKTAP
+ * enhanced interface.
+ *
+ * o Block Total Length: Total size of this block, as described in
+ * Pcapng Section 3.1 (General Block Structure).
+ *
+ * o Process ID: The process ID (PID) of the process.
+ *
+ * Note: It is not known if this field is officially defined as a 32 bits
+ * (4 octets) or something smaller since Darwin PIDs currently appear to
+ * be limited to maximum value of 100000.
+ *
+ * o Options: A list of options (formatted according to the rules defined
+ * in Section 3.5) can be present.
+ *
+ * In addition to the options defined in Section 3.5, the following
+ * Apple defined Darwin options are valid within this block:
+ *
+ * +------------------+------+----------+-------------------+
+ * | Name | Code | Length | Multiple allowed? |
+ * +------------------+------+----------+-------------------+
+ * | darwin_proc_name | 2 | variable | no |
+ * | darwin_proc_uuid | 4 | 16 | no |
+ * +------------------+------+----------+-------------------+
+ *
+ * Table XXX.1: Darwin Process Description Block Options
+ *
+ * darwin_proc_name:
+ * The darwin_proc_name option is a UTF-8 string containing the
+ * name of a process producing or consuming an EPB.
+ *
+ * Examples: "mDNSResponder", "GoogleSoftwareU".
+ *
+ * Note: It appears that Apple's tcpdump currently truncates process
+ * names to a maximum of 15 octets followed by a NUL character.
+ * Multi-byte UTF-8 sequences in process names might be truncated
+ * resulting in an invalid final UTF-8 character.
+ *
+ * This is probably because the process name comes from the
+ * p_comm field in a proc structure in the kernel; that field
+ * is MAXCOMLEN+1 bytes long, with the +1 being for the NUL
+ * terminator. That would give 16 characters, but the
+ * proc_info kernel interface has a structure with a
+ * process name field of only MAXCOMLEN bytes.
+ *
+ * This all ultimately dates back to the "kernel accounting"
+ * mechanism that appeared in V7 UNIX, with an "accounting
+ * file" with entries appended whenever a process exits; not
+ * surprisingly, that code thinks a file name is just a bunch
+ * of "char"s, with no multi-byte encodings (1979 called, they
+ * want their character encoding back), so, yes, this can
+ * mangle UTF-8 file names containing non-ASCII characters.
+ *
+ * darwin_proc_uuid:
+ * The darwin_proc_uuid option is a set of 16 octets representing
+ * the process UUID.
+ *
+ */
+
+static int proto_pcapng_darwin_process_info = -1;
+
+void proto_register_pcapng_darwin_process_info(void);
+void proto_reg_handoff_pcapng_darwin_process_info(void);
+
+
+static int hf_pcapng_option_code_darwin_process_info = -1;
+static int hf_pcapng_darwin_process_id = -1;
+static int hf_pcapng_option_darwin_process_name = -1;
+static int hf_pcapng_option_darwin_process_uuid = -1;
+
+#define BLOCK_DARWIN_PROCESS 0x80000001
+#define BLOCK_DARWIN_PROCESS_NAME "Darwin Process Event Block"
+
+
+static const value_string option_code_darwin_process_info_vals[] = {
+ { 0, "End of Options" },
+ { 1, "Comment" },
+ { 2, "Darwin Process Name" },
+ { 4, "Darwin Process UUID" },
+ { 0, NULL }
+};
+
+/* Dissect an individual option */
+static
+void dissect_darwin_process_info_option(proto_tree *option_tree, proto_item *option_item,
+ packet_info *pinfo, tvbuff_t *tvb, int offset,
+ int unknown_option_hf,
+ guint32 option_code, guint32 option_length,
+ guint encoding _U_)
+{
+ char *str;
+ e_guid_t uuid;
+
+ switch (option_code) {
+ case 2: /* Darwin Process Name */
+ proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_darwin_process_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
+ break;
+
+ case 4: /* Darwin Process UUID */
+ proto_tree_add_item(option_tree, hf_pcapng_option_darwin_process_uuid, tvb, offset, option_length, ENC_BIG_ENDIAN);
+ tvb_get_guid(tvb, offset, &uuid, ENC_BIG_ENDIAN);
+
+ proto_item_append_text(option_item, " = %s",
+ guid_to_str(pinfo->pool, &uuid));
+
+ break;
+ default:
+ proto_tree_add_item(option_tree, unknown_option_hf, tvb, offset, option_length, ENC_NA);
+ break;
+ }
+}
+
+/* Dissect this block type */
+static void
+dissect_darwin_process_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+ block_data_arg *argp)
+{
+ int offset = 0;
+
+ /* Show current nuber of these blocks, and increment */
+ proto_item_append_text(argp->block_item, " %u", argp->info->darwin_process_event_number);
+ argp->info->darwin_process_event_number += 1;
+
+ /* Process ID */
+ proto_tree_add_item(tree, hf_pcapng_darwin_process_id, tvb, offset, 4, argp->info->encoding);
+ offset += 4;
+
+ /* Options */
+ dissect_options(tree, pinfo, BLOCK_DARWIN_PROCESS, tvb, offset, argp->info->encoding, NULL);
+}
+
+
+void
+proto_register_pcapng_darwin_process_info(void)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_pcapng_option_code_darwin_process_info,
+ { "Code", "pcapng.darwin.options.option.code",
+ FT_UINT16, BASE_DEC, VALS(option_code_darwin_process_info_vals), 0x00,
+ "Darwin Process Info block option", HFILL }
+ },
+ { &hf_pcapng_darwin_process_id,
+ { "Darwin Process ID", "pcapng.darwin.process_id",
+ FT_UINT32, BASE_DEC_HEX, NULL, 0x00,
+ "Process ID for Darwin Process Info", HFILL }
+ },
+ { &hf_pcapng_option_darwin_process_name,
+ { "Darwin Process Name", "pcapng.darwin.process_name",
+ FT_STRING, BASE_NONE, NULL, 0x00,
+ "Process name for Darwin Process Info", HFILL }
+ },
+ { &hf_pcapng_option_darwin_process_uuid,
+ { "Darwin Process UUID", "pcapng.darwin.process_uuid",
+ FT_GUID, BASE_NONE, NULL, 0x00,
+ "Process UUID for Darwin Process Info", HFILL }
+ },
+ };
+
+ proto_pcapng_darwin_process_info = proto_register_protocol("PCAPNG Darwin Process Information Block", "Darwin-Process-Information", "pcapng.darwin");
+
+ proto_register_field_array(proto_pcapng_darwin_process_info, hf, array_length(hf));
+}
+
+void
+proto_reg_handoff_pcapng_darwin_process_info(void)
+{
+ /* Register with pcapng dissector */
+ static local_block_callback_info_t dissector_info;
+ dissector_info.name = BLOCK_DARWIN_PROCESS_NAME;
+ /* Block-dissector function */
+ dissector_info.dissector = dissect_darwin_process_data;
+ /* Options-related */
+ dissector_info.option_root_hf = hf_pcapng_option_code_darwin_process_info;
+ dissector_info.option_vals = option_code_darwin_process_info_vals;
+ dissector_info.option_dissector = dissect_darwin_process_info_option;
+
+ register_pcapng_local_block_dissector(BLOCK_DARWIN_PROCESS, &dissector_info);
+}
+
+/*
+ * Editor modelines - https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 4
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=4 tabstop=8 expandtab:
+ * :indentSize=4:tabSize=8:noTabs=true:
+ */
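Review bot: The UUID case in dissect_darwin_process_info_option never checks option_length against the 16 octets that the block's header comment (Table XXX.1) promises before calling proto_tree_add_item on the FT_GUID field and tvb_get_guid, both of which consume 16 bytes from offset regardless of the option_length the file declared. With a crafted or truncated file a shorter option therefore reads into the following option's bytes or past the end of the block data; the tvb bounds checking turns the latter into a malformed-packet exception rather than a memory-safety problem (and proto.c appears to flag the FT_GUID type/length mismatch itself), but either way dissection of the remaining options in that block is lost, and a longer option leaves an item that claims more bytes than were decoded. A local length guard that falls back to the unknown-option rendering keeps the block dissecting; an invalid-length expert info would be better still, but this file registers no expert fields, so that would need a new ei and expert_register_protocol in proto_register_pcapng_darwin_process_info. Separately, case 2 fetches a display string into `str` via proto_tree_add_item_ret_display_string and never uses it; either append it as the UUID case does, `proto_item_append_text(option_item, " = %s", str);`, or use plain proto_tree_add_item and drop `str`.
```c
    case 4: /* Darwin Process UUID */
        if (option_length != 16) {
            /* Not a 16-octet UUID: show the raw bytes rather than over-reading past the option. */
            proto_tree_add_item(option_tree, unknown_option_hf, tvb, offset, option_length, ENC_NA);
            break;
        }
        /* … unchanged: FT_GUID item, tvb_get_guid, proto_item_append_text … */
```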