Add a "contained length" to tvbuffs. For non-subset tvbuffs, that's the
same as the reported length. For a subset tvbuff, that's the amount of
the reported data that was actually present in the "contained data" of
the parent tvbuff.
This is unaffected by the *captured* length of any tvbuff; that differs
from the contained length only if the capture was cut short by a
snapshot length.
If a reference is within the reported data, but not within the contained
data, a ContainedBoundsError exception is thrown. This exception
represents a protocol error, rather than a reference past the captured
data in the packet; we treat it as such.
Change-Id: Ide87f81238eaeb89b3093f54a87bf7f715485af5
Reviewed-on: https://code.wireshark.org/review/27039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We no longer have TVBUFF_ values corresponding to different types of
tvbuff; we have, instead, a set of method pointers for the different
types. Refer to the types by name, rather than by TVBUFF_ value.
Expand the description of some fields in the tvbuff structure.
Change-Id: I38b5281df247ddd66b4e39abfc129053a012d241
Reviewed-on: https://code.wireshark.org/review/27036
Reviewed-by: Guy Harris <guy@alum.mit.edu>
[packet-ber.c:2687]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-erf.c:2475]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-fmp.c:378]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-http2.c:2050]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-obd-ii.c:643]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-yami.c:244]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
Change-Id: Ie71f9f7c8f863d1e9c693bd56444f00bdad48042
Reviewed-on: https://code.wireshark.org/review/27019
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
The doc has a mixed way of providing example, both without executable
name and with it. Add it to all the provided examples. Add highlight of
tshark in examples, too.
Change-Id: I99d83201cc897629f186aabd20c0add9c7c53b93
Reviewed-on: https://code.wireshark.org/review/27034
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The generated elastic mapping file is huge and it can hassle softwares
like Kibana. This change adds the ability to append desired filters
that will appear in the mapping file.
This change adds the option --elastic-mapping-filter <protocols> to tshark.
Example: tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
make only those 3 protocols to appear in the mapping file.
Change-Id: Ie2dcd6e44be2d084e8e50cd6554bd90178da4e38
Reviewed-on: https://code.wireshark.org/review/27001
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
JSON-GLIB depends on GObject. To avoid "undefined reference to
'g_object_unref'" with the gold linker, include gobject directly.
As the files are included with the GLib package, adjust FindGLIB2.cmake.
Change-Id: I007d30b89cc07d8746cee6b619832a722f086105
Fixes: v2.9.0rc0-201-g511c2e166a ("tshark: add -G elastic-mapping report.")
Reviewed-on: https://code.wireshark.org/review/27007
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
If the option length is >= 2, so that it's long enough to include the
code and length, always put it into the protocol tree, even if the
length is invalid. If the length is invalid, attach an expert info item
to the length field, rather than putting it into a top-level item of its
own.
Use a length of -1 for the top-level item for an option, rather than
what the length is supposed to be; that way, we don't throw an exception
if the option is too short - we just attach the aforementioned expert
info item to the length.
Change-Id: If2d987fa10739a7da28ca2c39515bfdf50da6ef9
Reviewed-on: https://code.wireshark.org/review/27018
Reviewed-by: Guy Harris <guy@alum.mit.edu>
All WiresharkDialog instances have a "captureEvent(CaptureEvent)" method
that requires the definition of "CaptureEvent" from capture_file.h.
By luck, this definition is available for CMake builds due to the
generated MOC headers being included in the right order, but this cannot
be relied on. On an autotools build with less luck:
main_status_bar.moc.cpp: In static member function ‘static void MainStatusBar::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)’:
main_status_bar.moc.cpp:241:86: error: invalid use of incomplete type ‘class CaptureEvent’
case 28: _t->captureEventHandler((*reinterpret_cast< CaptureEvent(*)>(_a[1]))); break;
Create a new header file to limit exposure of the CaptureFile class.
Change-Id: I4ab609f13b9438797e39e7b98f367da35536979b
Fixes: v2.9.0rc0-186-g57bf7e4347 ("Qt: Fix memory leak for CaptureEvent")
Reviewed-on: https://code.wireshark.org/review/27003
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Drop support for draft -08 and draft -09, add support for draft -10
handshake decryption only (requires a new salt as well as a HKDF label
change). Fixed a bug in qhkdf_expand (swapped length and "QUIC " label)
which affects KeyUpdate (which was initially untested).
Bug: 13881
Change-Id: I5f3e2fe71ef0fd929d3271ecea3a8870f90e3934
Reviewed-on: https://code.wireshark.org/review/26992
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Previously a filter such as `http.request.method in {"GET"HEAD""}` would
be parsed as three strings (GET, HEAD and an empty string). As it seems
more likely that people make typos rather than intending to construct
such a filter, forbid this by always requiring a whitespace separator.
Change-Id: I77e531fd6be072f62dd06aac27f856106c8920c6
Reported-by: Stig Bjørlykke
Reviewed-on: https://code.wireshark.org/review/26989
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.
To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.
Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens. For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.
An unhandled edge case is "1....2" which is parsed as "1 .. .. 2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.
Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Allow "tcp.srcport in {1662 1663 1664}" to be abbreviated to
"tcp.srcport in {1662 .. 1664}". The range operator is supported for any
field value which supports the "<=" and "=>" operators and thus works
for integers, IP addresses, etc.
The naive mapping "tcp.srcport >= 1662 and tcp.srcport <= 1664" is not
used because it does not have the intended effect with fields that have
multiple occurrences (e.g. tcp.port). Each condition could be satisfied
by an other value. Therefore a new DVFM instruction (ANY_IN_RANGE) is
added to test the range condition against each individual field value.
Bug: 14180
Change-Id: I53c2d0f9bc9d4f0ffaabde9a83442122965c95f7
Reviewed-on: https://code.wireshark.org/review/26945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It has been replaced by cmake.
Change-Id: I83a5eddb8645dbbf6bca9f026066d2e995d8e87a
Reviewed-on: https://code.wireshark.org/review/26969
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fixup a dependency and make sure we create the API reference from
scratch.
Change-Id: I832d1772eb8b4f07cab6f04d164cac10c70ab3bb
Reviewed-on: https://code.wireshark.org/review/26990
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Remove GTK+ entries from .gitignore and start removing it from
packaging.
Change-Id: I70391000906e983eab250c8158b486c3dc6d4a16
Reviewed-on: https://code.wireshark.org/review/26988
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Change-Id: Iff833bf5c197959c8decb62d6ce794c6d0415fb7
Reviewed-on: https://code.wireshark.org/review/26978
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
B4 frames have no length octet at L2 level, but instead a L2 pseudo
length octet at L3. We must call the proper dissector for decoding
them, and gsm_a_ccch supports L2 pseudo length.
This addresses the LAPDm side of
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14105
Ping-Bug: 14105
Change-Id: I5743dc6153a1adae60b8d9564f345861edc3fca4
Reviewed-on: https://code.wireshark.org/review/26798
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
The RSL SACCH INFO MODIFY / RSL SACCH FILL messages contain a
SI5 / SI6 / SI5bis / SI5ter message. Those SI are (like the SI on CCCH)
sent as UI frame in downlink direction. Since Phase 2, the "L2
pseudo-length field is part of the L3 message, and not stripped /
interpreted at L2.
3GPP TS 44.006 states that a special B4 frame format is used on the
SACCH downlink for UI frames, which is basically a normal B frame, but
with no length field at L2, shifting the length field into L3 where it
becomes the L2 pseudo-length.
From RSL, we need to call a variant of the RR dissector that is able to
decode a L3 message that includes a L2 pseudo-length. This is,
paradoxically, not the "gsm_a_sacch" dissector, as that one is only used
for B-frames, i.e. actual LAPDm ABM frames. We must use the "gsm_a_ccch"
dissector.
See also the discussion in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14105
as well as https://lists.osmocom.org/pipermail/openbsc/2017-December/011545.html
and https://osmocom.org/issues/3059 for further background information.
Ping-Bug: 14105
Change-Id: Icdad2b7698d5d7d613cacceec6a3d848b946306c
Reviewed-on: https://code.wireshark.org/review/26797
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the argument to the events a non-memory object
Change-Id: I46d8c24415aa2bc48b2a2d3b1fccffa6956d08b5
Reviewed-on: https://code.wireshark.org/review/26671
Reviewed-by: Roland Knall <rknall@gmail.com>
Switch to a single Doyxgen configuration which was generated using a
recent version of Doxygen and customized to suit our needs. Add
wsar_html and wsar_html_zip targets to CMake. Update some Doxygen markup
and documentation as needed.
Change-Id: Ic8a424b292c35a26f74ae0b53322265683e56e69
Reviewed-on: https://code.wireshark.org/review/26976
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a destination directory flag to git-export-release.sh. Use it to
replace the current "dist" target. Use it in the RPM section to avoid a
symlink.
Change-Id: I30ae76b3ab1a995d232e748b79aa37440f90f854
Reviewed-on: https://code.wireshark.org/review/26974
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Rename packet_list_enable_color() to packet_list_recolor_packets()
to reflect what it does.
Remove the call from where it's not needed.
Change-Id: I55dd1a9af8f5b1dbd83b06136a5bbcfddea06cdb
Reviewed-on: https://code.wireshark.org/review/26959
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add some notes about avoiding the use of git stash.
Change-Id: I441adef099e5d64834a73e9f0f260d00c21be585
Reviewed-on: https://code.wireshark.org/review/26973
Reviewed-by: Gerald Combs <gerald@wireshark.org>
In order to simplify the display filter scanner, try to restrict the use
of dots ('.') in field names. Forbid leading dots, does not affect
current dissectors. Fix '..' typo in fpp dissector and forbid it. Forbid
trailing dots after fixing dissectors: some of them just have an excess
dot, others are missing a name after the dot.
Change-Id: I6e58a04ef0306ee8c16fbf6a3cabb076d7fc69c9
Reviewed-on: https://code.wireshark.org/review/26967
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The previous fix was incomplete and would still result in duplicate PDU
dissections starting from the second reassembled PDU in a TLS stream.
The reason for that is that "nxtseq" is the absolute offset within a TLS
application data stream where the current segment ends while the
reassembled PDU length ("ipfd_head->datalen") is likely smaller than
"nxtseq".
Note: this fix assumes that the there won't be another (partial) PDU
following a reassembled PDU in a single packet (that is, the condition
"nxtseq > msp->nxtpdu" is assumed not to occur). If that is not the
case, a different issue occurs which needs another fix (more work):
"Reassembly error, protocol SSL: Frame already added in first pass".
Change-Id: Ib546f6e85baa0670c2c6a31ee8de87422004ecf3
Bug: 14596
Fixes: v2.1.0rc0-1521-gcefd1d4910 ("ssl: avoid duplicate PDU dissections")
Reviewed-on: https://code.wireshark.org/review/26935
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Guy Harris
Harald Welte