Both dynamic and egfx channel had problems during the second pass.
For the dynamic the problem is that the reassembled packet usually contains multiple PDUs,
so the first pass works correctly, but given that there's multiple PDUs we can't attach
a single data to pinfo for the second pass. To fix that we compute a hash for the PDU and attach
the correct contextual info associated with this hash, that info will be used during the
second pass.
The patch fixes the same kind of bug in the egfx channel and zgfx uncompressed bits (the zgfx
compression is stateful so we need to save the uncompress buffer for the second pass).
In the dynamic channel, in capabilities packets some fields are present only after version 1
of the protocol.
Added some new EGFX version capabilities (also is listed the bogus 10.6 version that was
exposed in the previous specs).
The display of versions in EGFX capability message has been reworked to correctly show
a tree.
Fix the calculation of the ratio for converting a packet number
to the scrollbar value by accounting for the length of the slider.
maximum() does not correpond to the last packet; it corresponds to
the first packet shown when the scrollbar is at maximum. The last
packet is maximum() + pageStep().
(See https://doc.qt.io/qt-6/qscrollbar.html#details)
The quarter of a page padding should be subtracted, not added,
from the calculated position.
(Fix up 422c0f45d4)
This correctly makes clicking on the a line in the minimap scroll
the packet list so that the corresponding packet is 25% of the
way down the visible window. (Excepting the cases of packets at
the very beginning or end of the entire packet list.)
Fix#13989
Use ws_utf8_truncate to ensure that truncating the result of
tvb_format_text will not split a UTF-8 character. (50 bytes
is not necessarily 50 UTF-8 characters, but 50 UTF-8 characters
don't necessarily have a visible width of 50 characters anyway.)
Fix#18831
Just because a field's value is used in the string that's hashed to
compute a JA3 or JA3S hash, that doesn't mean it should be put into a
variable named "ja3_value", as that doesn't indicate what it *is*. Use
meaningful names instead.
PacketListRecords should only report themselves as colorized when
colorized with the latest version of the coloring rules. Otherwise,
ensureRowColorized will not recolorize rows when the rules have changed.
This makes the minimap/intelligent scrollbar correctly update
colors in the background when the rules have changed. (Rows that
were being displayed were being updated, because the columnStrings
were invalidated at the same time, and when fetching the columnStrings
the colors would be updated if the rules had changed.)
Fix#17621
You're Not Supposed To Do That, as per RFC 8446 section 4.1.2 "Client
Hello".
Also do the equivalent check for DTLS, as RFC 9147 Section 5.3 "Client
Hello" says You're Not Supposed To Do The Equivalent. We don't yet
handle DTLS 1.3, but if we ever do....
Fixes#18851.
While we're at it, improve two comments to clarify what
ssl_dissect_hnd_hello_common() does (and to fix one place where the old
comment was incorrect).
Increase the proto item size so that the ethertype is selected as part
of the cisco-metadata protocol.
Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
The location of the next line should be based off one row larger
than the current row.
This fixes an issue where all the lines drawn in the intelligent
scrollbar are off by one - the color intended to be drawn for
the first packet never appears, the first packet corresponds to
the line for the second packet, etc., and there is a line at
the bottom that can never be colored in.
Fix#18850
We want to do more sophisticated processing of UTF-8 in wmem and
for that we want to use the unicode utility functions in wsutil.
We also want to use wmem scoped memory in wsutil unicode utility
functions.
This introduces a circular dependency. Fix that by making both
the same library and removing the sanitary cordon separating
them.
We still need to be mindful of public header depencies of wmem on
wsutil because wmem.h is included in wireshark.h and we want to
be parsimonious with the use of global includes.
Add `pkgutil --forget org.wireshark.ChmodBPF.pkg` to the "Uninstall
ChmodBPF" postinstall script. The `pkgutil` man page says
--forget package-id
Discard all receipt data about package-id, but do not touch the
installed files. DO NOT use this command from an installer package
script to fix broken package design.
but Homebrew's Wireshark cask does this, and it should help to work
around issue #18734.
Add `pkgutil --forget org.wireshark.path_helper.pkg` to the "Remove
Wireshark from the system path" postinstall script.
epan_dissect_run_* and epan_dissect_reset unreference the packet
block that is part of the record, which frees it if the ref count
drops to zero. However, tshark needs the block later to, e.g.,
copy the options. process_cap_file_[single|second]_pass still
unreference and free the block with wtap_rec_reset() at the end
of each packet loop.
Fix#18693
WTAP_ENCAP_UNKNOWN is used for two different cases:
1. Encapsulation type values that are unsupported by libwiretap or
bogus values (and thus "unknown" to libwiretap).
2. An initial state where the encapsulation type is "not yet" known
for a file type like pcapng without a single encapsulation type in the
header, before any packets or interfaces that set the encapsulation type
have been read. (If the file has no packets, this may be the value after
the file is entirely read in.) This can be the value when an output file
is written out simultaneously with reading an input file, rather than
reading the entire input file first, and, e.g., there is a custom block
before any IDBs.
The first case can never be handled when writing out a file, but the
second case can possibly be handled, so long as (for pcapng) IDBs
are available to write when they become necessary, or (for file
types like pcap with a single link-layer type in the header) the
writer waits until a link-layer type is seen to create the output
header. (It is possible, of course, that writing would fail in the
middle if an unsupported encapsulation type appears, or if the
encapsulation becomes per-packet for file types that don't support that,
but that is an unavoidable risk when writing without reading the entire
input file(s).)
Introduce WTAP_ENCAP_NONE for the second case, and use it for pcapng,
where we guarantee that any necessary IDBs will be passed along.
Continue to use WTAP_ENCAP_UNKNOWN for the first case.
Allow pcapng files to open a file for writing with WTAP_ENCAP_NONE.
There are some other file types that support per-packet link-types,
and could also use WTAP_ENCAP_NONE, but they require more work to
generate IDBs. (Note that all of them currently are impossible to
write to pcapng when they have multiple encapsulations, even if
the encapsulations are all supported by pcapng, because they don't
properly generate IDBs.)
Remove the workaround in ef43fd48b4
for tshark writing to pcapng when the source file is WTAP_ENCAP_UNKNOWN,
since now such files will be WTAP_ENCAP_NONE and work properly (and
also work in editcap, mergcap, etc.)
Along with 8cddc32d35, fix#18449.
Add strings with proto_tree_add_item instead of tvb_memcpy,
appending a null, and a proto_tree_add_string so that the
strings are validated for encoding, trailing nulls, etc.
Fix#18847
Pass a prefix to `codesign` so that our signature identifier is
"org.wireshark.foo" instead of "foo" for our command line utilities,
libraries, and ChmodBPF.
Add the ability to cancel sorting. Since we now parse user inputs
during the sort, test and set the capture file read lock. Try to
sort in PacketList::captureFileReadFinished, since now sorting during
thawing won't happen if it's in the middle of a rescan.
Fix#17640
In certain situations using __MINGW64__ is not correct.
We want to have the condition apply using MinGW-w64 but also
using MSYS2, which the __MINGW64__ condition alone does not
capture.
Add a HAVE_MSYSTEM C define and use it where appropriate.