Commit Graph

86808 Commits

Author SHA1 Message Date
Gerald Combs 171dbd6ea8 Docs: Rename our guide source files
Rename the various "WSUG_" and "WSDG_" files to wsug_ and wsdg_
respectively. Remove the "chapter" and "app" parts from the filenames as
well.
2023-01-30 20:05:06 +00:00
Gerald Combs 27d5925b39 Docs: Prepare to lower-case some file names.
Prepare to lower-case GPL_appendix.adoc, WSDG_preface.adoc, and
WSUG_preface.adoc.
2023-01-30 20:05:06 +00:00
Brendan Meath 4d92967b74 Fix order of CAG only flag descriptions. 2023-01-30 18:05:14 +00:00
Holger Jeromin 910a21a57a fix mimimum typo in comment
Came from https://datatracker.ietf.org/doc/html/draft-ietf-6man-mtu-option-02 but RFC 9268 is fixed, too.
2023-01-30 15:06:00 +00:00
John Thacker 67a01bdf26 wiretap: Preserve NRBs with editcap, mergecap, and tshark
Use a pointer to the growing array of NRBs from the source
file, as with DSBs, so as to handle reading NRBs in the middle
of a file in one-pass mode.

Write NRBs when reading a file with editcap, or in tshark when
not dissecting packets and writing our own NRB. Continue not
to write the NRB if we're supplying our own list of address info
instead.

If we have already read the entire source file in (such as in
two-pass tshark), move all the NRBs to the beginning of the file
before packets, as done with DSBs.

When merging files with mergecap, write both sets of NRBs. (There
is no attempt to merge the NRBs by looking for common entries.)

Check for name resolution data in the middle of dumping a file,
not just at the end, and check for DSBs at the end of a file,
after all the packets. This means that Wireshark no longer writes
the NRB at the very end of the file after all the packets (which
is worse for future one-pass reads), and DSBs after all packets
are preserved.

Ping #15502
2023-01-30 13:29:49 +00:00
Mathis Marion 3ff9f075c6 Update ICMPv6 dissector with ND EARO status
See https://www.rfc-editor.org/rfc/rfc8505#section-4.1 Table 1
2023-01-30 13:28:52 +00:00
Mathis Marion 7908dfd930 Update ICMPv6 dissector for ND EARO
RFC 8505 introduces the Extended Address Registration Option (EARO)
which uses some previously reserved fields from the Neighbor Discovery
Address Registration Option (ARO) defined in RFC 6775.

https://www.rfc-editor.org/rfc/rfc8505#section-4.1
https://www.rfc-editor.org/rfc/rfc6775#section-4.1
2023-01-30 13:28:52 +00:00
Martin Mathieson aa31a1b405 GREBonding: fix type in vals for link type 2023-01-30 13:11:15 +00:00
Martin Mathieson efe35a4ccc Fix or suppress more warnings from check_typed_item_calls 2023-01-30 10:28:24 +00:00
Jim Walker d085725bb6 Couchbase: update snapshot flags for change streams
Two new flags may be generated by couchbase DCP

* history 0x10
* may contain duplicates 0x20

Change-Id: Ic8c377fd1a5e7dc65453a779a1a36a94283a64ed
2023-01-30 08:24:17 +00:00
João Valverde 7a346c398a Enable rpathification and working relocation on Linux
Dumpcap depends on wsutil.so. The path to the shared library
is encoded in the RPATH (or RUNPATH) property of ELF binaries.
This is currently an absolute path on most Unixy systems.

Dumpcap could not be made to work with a relative RPATH because it
uses elevated privileges and some loaders will ignore relative
RPATHs and non-standard paths under those circumstances, because of
(justified) security concerns.

To enable relocation of the program we link dumpcap statically
with wsutil instead.

This provides a fully working relocatable installation on Linux
and other platforms that support relative RPATHs.
2023-01-29 23:38:00 +00:00
João Valverde 43e530e94d Update msys2-setup.sh 2023-01-29 22:08:47 +00:00
João Valverde 62005a7e20 GitHub: Switch MSYS2 build to UCRT64 2023-01-29 22:07:43 +00:00
João Valverde 80a35f632e GitHub: Build MSYS2 commit SHA
The PKGBUILD always builds the tip of the master branch. Try to
allow selecting a commit using $PKG_COMMIT.
2023-01-29 22:07:43 +00:00
Martin Mathieson 1de8882cc3 Fix some too-short item lengths 2023-01-29 20:43:00 +00:00
Gerald Combs b8f0d17af9 wsutil: Filesystem routine updates.
Make sure init_plugin_dir and get_doc_dir use the same logic as
get_datafile_dir. Update each so that the xxx_DATA_DIR and
xxx_PLUGIN_DIR environment variables take precedence.

CMake's ENABLE_APPLICATION_BUNDLE determines whether or not we're using
an application bundle layout, so check for it instead of __APPLE__.
2023-01-29 20:35:18 +00:00
Gerald Combs 75742c81b6 macOS: Copy our top-level .pkgs instead of symlinking them
Make copies of our top-level packages instead of symlinking them. Blind
attempt at fixing #18830.

Switch to UDZO for our application disk images as recommended in
https://developer.apple.com/forums/thread/128166

[skip ci]
2023-01-29 18:54:50 +00:00
Gerald Combs 620dc806db [Automatic update for 2023-01-29]
Update manuf, services enterprise numbers, translations, and other items.

services failed.
2023-01-29 18:53:10 +00:00
Martin Mathieson 407b707e1f check_typed_item_calls: filter out some false positives 2023-01-29 18:39:20 +00:00
Tomasz Moń 516c69b921 Qt: Allow caching columns while dissecting color
It is fine to dissect and cache columns data during color dissection if
it won't evict already cached data. There is a rather high probability of
using the column data because color information is dissected in order.
2023-01-29 10:39:06 +01:00
Alexis La Goutte ac64be57c0 MONGO: add BSON Element Decimal128
Close: 18791
2023-01-28 21:12:45 +00:00
João Valverde 60f3e33849 MSYS2: Remove packages that were upstreamed
Remove dependency packages that are now upstream.

Update PKGBUILD dependencies and README.
2023-01-28 15:39:52 +00:00
Tomasz Moń e7d5c49fe1 epan: Use hash table for dependent frames
Dependent frames list order does not matter and thus a significantly
faster data structure can be used. Replace the list with a hash table to
avoid excessive CPU usage when opening files containing reassembled
packets consisting of a large number of fragments.
2023-01-28 15:17:42 +01:00
Tomasz Moń 5e3d77761b USBLL: Do not reassemble across reset boundary
Invalidate endpoint info on SET ADDRESS to prevent reassembly and/or
retransmission detection across reset boundary.

Leave endpoint info intact when assigning default address (0) to avoid
issues related to unknown control endpoint max packet size. Only control
transfers are allowed to address 0 so this should pose no issues.
2023-01-28 10:54:40 +01:00
David Fort bb8d183387 rdp_egfx: improve command parsing and packet browsing 2023-01-27 23:18:23 +01:00
David Fort bc40c57b82 rdp: fix zgfx decompression
This fixes a decoding error when the packet is not compressed.
2023-01-27 23:18:23 +01:00
Jorge Mora dbf5bf27d3 NFS: add NFSv4.1 CB_RECALL_ANY operation
Add support for CB_RECALL_ANY operation as given in the following:
RFC 5661 Network File System (NFS) Version 4 Minor Version 1 Protocol.
RFC 8435 Parallel NFS (pNFS) Flexible File Layout.

    Opcode: CB_RECALL_ANY (8)
        Objects to keep: 0
        Number of masks: 1
        Type mask: 0x00000001 (Read Delegation)
            Type: Read Delegation (0)
2023-01-27 11:17:15 -07:00
Guy Harris b4ef671fba Clean up some man pages.
Consistently speak of "UNIX-compatible systems" when comparing UN*Xes
and Windows, and, the first time we mention "UNIX-compatible systems" in
a section or a list item, enumerate the not-dead-or-moribund ones.
(HP-UX is deemed moribund given that Itanium processors are no longer
being manufactured and HPE are apparently not porting HP-UX to x86-64,
choosing instead to run HP-UX Itanium applications in a compatibility
environment under Linux on x86-64.)

For the -D option, don't bother mentioning ifconfig -a or ip link show,
as there's no reason not to use -D if you want to know what you can
capture on - for one thing, -D may list devices *other* than the network
interfaces listed by ifconfig -a or ip link show.  In addition, don't
speak of code testing whether the interface can be opened, as recent
versions of libpcap don't check that, and neither do any of the programs
in the Wireshark release.  (This was done so that, if there's an
interface that shows up in the enumeration but that can't be opened,
it'll be offered to the user, and they'll get a message if they try to
capture on it, indicating either that they need to somehow get the
necessary permissions or should report a bug.)

For the -i option, don't mention ifconfig -a or ip link show, as the
user should, again, use -D.

Give more detail when describing files and directories under the global
or personal preferences directory, calling out macOS specially for the
global preferences directory, as it's in the app bundle, and taking into
account that Wireshark might be installed under /usr rather than
/usr/local (for example, if it's installed from a package that's part of
a Linux distribution).

Replace the "Overrides XXX" description of some environment variables
with a more verbose description similar to what's used for other
environment variables.
2023-01-26 22:55:49 -08:00
Ryan Doyle 48fa729a9c HTTP2: Track the frame the request/response is contained in
Similar to the HTTP dissector, link between the frames that contain the request
and response.
2023-01-26 19:37:34 +00:00
João Valverde abdaed1103 Add support for configuration path relocation on Unix
Get the installation prefix from the program dir. We have code
to obtain the directory where the executable resides for all
platforms we support, Linux, BSDs, Apple, etc.

On less well-known platforms where this isn't true (POSIX does not
define any standard interfaces for this) we fall back on
using a hard-coded installation prefix, like we have been doing
until now.

The path relocation allows the whole installation tree to be moved
without having to recompile the program. But note there are other
requirements for shared libraries to have full support for relocation.
This is only partial support.

We now use a header to pass the relative path definitions to avoid
excessively long compilation command lines as the number of #defines
increases.
2023-01-26 18:43:20 +00:00
David Perry db010b5a27 Exported PDU dissector improvements 2023-01-26 18:02:23 +00:00
Martin Gallo ef2ea2acdd saprouter/saphdb: Fixing warnings due to multiple hf types
Fixed feedback from !9581
2023-01-26 09:12:53 +00:00
John Thacker 0d2a2d3777 wiretap, pcapng: process all initial internal blocks in pcapng_open
pcapng allows multiple link-layer types, and allows new link-layer types
in the middle of a file. Many (most) other capture types allow a single
link-layer type, which must be specified in the initial header.

When reading files and writing their contents to another file (which
may be of a different type), many programs using the wiretap API want
to know the link-layer type upon initially opening the source
file, so that they can check if that encapsulation can be written to
the output file, and so that they can write the output file header.

They should be able to wait until a link-layer type is seen before
creating the output type, but don't. (Wireshark reads the entire file
in initially, so this isn't a problem, but that isn't much of an option
for some command line tools, particularly when operating on a pipe or
FIFO.) Note that regardless, if a new link-layer type is encountered
partway through a file, they would still have to fail in the middle
of reading and writing.

However, to make this a little bit easier for such file types, pcapng
block types that are handled strictly internally and not passed back
to the reader can be processed initially in pcapng_open(). (Note
that for DSBs and NRBs, any blocks processed in pcapng_open() will
automatically be sent to the callbacks when the callbacks are added
later.) Previously we just processed all the IDBs immediately after
the initial SHB, instead of all the internal block types.

Fix #18581. Ping #15502.
2023-01-26 05:17:50 +00:00
Samuel Wein 260f835eef Added Deutsche Telekom specific GREBonding dissection 2023-01-25 19:59:06 +00:00
Martin Gallo 48737e2983 SAPDIAG: Added SAP Diag as main dissector
Added the SAP Diag dissector protocol from [SecureAuth's plugin](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/blob/master/src/packet-sapdiag.c).

This is a dissector that implements the Diag protocol. Decompression of packets is not considered as this requires the proprietary LZC/LZH decompression routines still pending to be added in #8973. The Diag packets can be wrapped in an SNC frame, in which case the respective dissector is called. Embedded RFC calls are disabled as this requires the respective dissector to be found, which will be submitted in a separate merge request.

Details about the protocol and example requests can be found in [pysap's documentation](https://pysap.readthedocs.io/en/latest/protocols/SAPDiag.html).
2023-01-25 17:06:27 +00:00
Martin Mathieson b1b180fd9e Fix some spelling errors. 2023-01-25 10:52:18 +00:00
Martin Gallo 13b6063d27 SAPRouter: Adding found passwords to the credentials tap
Adding info and route string passwords to the 'credentials' tap to find them easily.
2023-01-25 09:07:44 +00:00
Daniël van Eeden f0a066dd0d MySQL: Try to handle conversations w/o caps
If the server greeting and login packets weren't part of the captured packets we assume various capabilities were not set. This MR tries to make a better guess in those cases to allow dissection to work in most cases.
2023-01-25 06:57:27 +00:00
Mokhtar Ben Messaoud 9c3ce8e371 ieee1905: Update Profile-2 AP Capability TLV
update r2_ap_capa_flags (epan/dissectors/packet-ieee1905.c):
    - rename
        - hf_ieee1905_basic_service_prio_flag ==>
                    hf_ieee1905_ctag_service_prio_flag
        - hf_ieee1905_enhanced_service_prio_flag ==>
                        hf_ieee1905_dpp_onboarding_flag
    - add new flag hf_ieee1905_traffic_separation_flag:0x08
        used by r2_ap_capa_flags
    - update hf_ieee1905_r2_ap_capa_flags_reserved:0x07

as defined by Wi-Fi EasyMesh™ Specification Version 5.0 :
                17.2.48 Profile-2 AP Capability TLV format
2023-01-25 06:12:43 +00:00
David Perry 50a3524fbf wiretap: treat file extensions case-insensitively 2023-01-24 19:44:08 +00:00
Daniël van Eeden 0ba90d1249 MySQL: Reduce noise related to length encoded ints
Length encoded integers were:
- Reported as `mariadb.prefix` and `mariadb.length` but were not specific to MariaDB specific protocol features.
- These were reported in the UI as "Length" and "Prefix" and were in many cases the same as 1 byte integers are very common.
- These were often duplicating things like `hf_mysql_connattrs_length`, `hf_mysql_connattrs_name_length`, etc which meant that the same length was often reported 3 times in the interface.
2023-01-24 17:43:06 +00:00
Dr. Lars Völker 2d2528cc2f UDS: Support OBD Services in UDS Service Error
Since OBD uses the UDS Service Error, it needs to resolve the OBD
Service IDs too.
2023-01-24 14:16:07 +00:00
Dr. Lars Völker cf3d5fad5a UDS: Fix Typo in Error Service
The response code is short NRC, while SID is the Service ID.
2023-01-24 13:11:35 +00:00
Martin Mathieson 32d80bd54e check_typed_item_calls.py: change re for calls to allow ws before params 2023-01-24 12:23:43 +00:00
Daniël van Eeden 8ec198c272 MySQL: Decode caching_sha2_password packets 2023-01-24 09:51:12 +00:00
Chuck Craft 06fc6483b3 twamp: test mbz fields are FT_UINT16 2023-01-23 20:16:54 -06:00
Daniël van Eeden 2691f87ef9 MySQL: Fix warning about incomplete dissector 2023-01-23 19:19:11 +00:00
Martin Mathieson 0d8f9f908a ORAN FH CUS: Update some vals[], and add subtree for bfwCompHdr 2023-01-23 15:09:58 +00:00
Alexis La Goutte 4d5a6e5c4a SMB2: Fix typo
Lock Sequence Number => Lock Sequence Index
2023-01-23 13:31:16 +00:00
Mokhtar Ben Messaoud 0b47fde866 WPS: Multi-AP Extension subelement: Profile 1/2 Backhaul STA assoc disallowed
Parse Multi-AP Extension subelement flags:
	- Profile-1 Backhaul STA association disallowed.
	- Profile-2 Backhaul STA association disallowed.
defined by Wi-Fi_EasyMesh_Specification_v5.0.pdf / Table 14
2023-01-23 11:28:54 +00:00