Colliding use of wtap_ft_specific_header.record_type for systemd Journal Export Block
Summary
In latest master (g5413331), trying to write a file containing pcapng systemd Journal Export Blocks leads to the following error:
editcap: Record 1 of file "journal_entries.pcapng" has a record type that can't be saved in a "pcapng" file.
Steps to reproduce
Download the attached file with systemd Journal Export Blocks.
Run the following command (or try to merge the file, or save it to disk...):
editcap -r journal_entries.pcapng first_entry.pcapng 1
What is the current bug behavior?
Pcapng systemd Journal Export Blocks cannot be dumped to file.
The bug is caused by the fact that https://gitlab.com/wireshark/wireshark/-/blob/master/wiretap/pcapng.c#L4827 doesn't trigger as the wtap_ft_specific_header.record_type rec->rec_header.ft_specific_header.record_type is not WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL (aka 84) there, but BLOCK_TYPE_SYSTEMD_JOURNAL (aka 9) (I have verified this by printing a debug message).
Now wtap_ft_specific_header.record_type is used for two colliding namespaces, namely as pcapng block type and as an internal Wiretap filesystem subtype!
There doesn't seem to be an immediate workaround, as it gets written (and overwritten...) in two different places, but is also effectively used for different purposes in two different places (only using the field to hold the Wiretap filesystem type breaks pcapng dissection (unknown block type 84), only using the field to hold the pcapng block type leads to the current broken behavior).
What is the expected correct behavior?
Wiretap should be able to dump systemd Journal Export Blocks to file.
Sample capture file
See attached file journal_entries.pcapng
Build information
Wireshark 3.5.0 (v3.5.0rc0-34-g5413331ed3b4)
Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.14.2, with libpcap, without POSIX capabilities,
without libnl, with GLib 2.64.6, with zlib 1.2.11, without SMI, with c-ares
1.15.0, without Lua, without GnuTLS, with Gcrypt 1.8.5, without Kerberos,
without MaxMind DB resolver, without nghttp2, without brotli, without LZ4,
without Zstandard, without Snappy, without libxml2, with QtMultimedia, without
automatic updates, with SpeexDSP (using bundled resampler).
Running on Linux 5.8.16-200.fc32.x86_64, with Intel(R) Core(TM) i7-8665U CPU @
1.90GHz (with SSE4.2), with 15815 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.9.1 (with TPACKET_V3), with Gcrypt 1.8.5,
with zlib 1.2.11, binary plugins supported (0 loaded).
Built using gcc 10.2.1 20201016 (Red Hat 10.2.1-6).
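The collision described under "What is the current bug behavior?" can be modelled in a few lines. This is an added sketch, not Wireshark code and not part of the original report: the structs and the `check_shared`/`check_split` helpers are hypothetical, the two-field layout is only one possible way to separate the namespaces, and the two constants use the numeric values quoted in the report.

```c
/* Added illustration: a simplified model, not Wireshark source code. */
#include <stdint.h>
#include <stdio.h>

/* Numeric values as quoted in the report. */
#define BLOCK_TYPE_SYSTEMD_JOURNAL              9u  /* pcapng block type */
#define WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL 84u  /* Wiretap file type subtype */

enum { WRITER_OK = 1, DISSECTOR_OK = 2 };

/* Hypothetical stand-in for the current header: one field, two consumers. */
struct shared_hdr { uint32_t record_type; };

/* Hypothetical alternative layout (an assumption): one field per namespace. */
struct split_hdr { uint32_t file_type_subtype; uint32_t block_type; };

/* Which consumers accept a record whose single field holds `value`? */
static int check_shared(uint32_t value) {
    struct shared_hdr h = { value };
    int ok = 0;
    if (h.record_type == WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL)
        ok |= WRITER_OK;     /* dump path compares against the file subtype */
    if (h.record_type == BLOCK_TYPE_SYSTEMD_JOURNAL)
        ok |= DISSECTOR_OK;  /* dissection compares against the block type */
    return ok;
}

/* Same two checks, but each consumer reads its own field. */
static int check_split(uint32_t subtype, uint32_t block) {
    struct split_hdr h = { subtype, block };
    int ok = 0;
    if (h.file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL)
        ok |= WRITER_OK;
    if (h.block_type == BLOCK_TYPE_SYSTEMD_JOURNAL)
        ok |= DISSECTOR_OK;
    return ok;
}

int main(void) {
    int a = check_shared(BLOCK_TYPE_SYSTEMD_JOURNAL);
    int b = check_shared(WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL);
    int c = check_split(WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL, BLOCK_TYPE_SYSTEMD_JOURNAL);
    printf("shared field = 9 : writer=%d dissector=%d\n", !!(a & WRITER_OK), !!(a & DISSECTOR_OK));
    printf("shared field = 84: writer=%d dissector=%d\n", !!(b & WRITER_OK), !!(b & DISSECTOR_OK));
    printf("split fields     : writer=%d dissector=%d\n", !!(c & WRITER_OK), !!(c & DISSECTOR_OK));
    return 0;
}
```

With a single shared field, whichever value is stored satisfies exactly one of the two consumers, which matches the report's observation that neither assignment alone works.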