135 Commits

Author SHA1 Message Date
Anders Broman 26372ed66a Add doxygen hints.
svn path=/trunk/; revision=44882
2012-09-12 10:27:37 +00:00
Jakub Zawadzki 5ad3e5331e MT: move global frame_end_routines to packet_info.
svn path=/trunk/; revision=44748
2012-09-03 12:00:40 +00:00
Jakub Zawadzki bf81b42e1e Update Free Software Foundation address.
(COPYING will be updated in next commit)

svn path=/trunk/; revision=43536
2012-06-28 22:56:06 +00:00
Jeff Morriss d4fdd6ad52 Only propose decoding PPID 0 if that PPID is in the currently-selected frame.
(I used PPID 0xffffffff as an end-of-list marker so that PPID can no longer
be used in this dialog; if someone starts using that PPID then we'll have
to put a count of PPIDs in pinfo.)

svn path=/trunk/; revision=42991
2012-06-01 21:18:59 +00:00
Jeff Morriss 89cfdc3559 Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315 -
make Save-As/Displayed/All-Packets save not only the displayed packets but
also any other packets needed (e.g., for reassembly) to fully dissect the
displayed packets.

This works only for the "All packets" case; choosing only the Selected packet,
the Marked packets, or a range of packets would require actually storing which
packets depend on which (too much memory) or going through the packet list many
times (too slow).  Also, this behavior is always the case: you can't save the
displayed packets without their dependencies (I don't see why this would be
desirable).

So far this is done for SCTP and things using the reassembly routines (TCP has
been tested).

The Win32 dialog was modified but hasn't been tested yet.

One confusing aspect of the UI is that the Displayed count in the Save-As
dialog does not match the number of displayed packets.  (I tried renaming the
button "Displayed + Dependencies" but it looked too big.)  The tooltip tries
to explain this and the fact that this works only in the All-Packets case;
suggestions for improvement are welcome.


Implementation details:

Dissectors (or the reassembly code) can list frames which were needed to
build the current frame's tree.  If the current frame passes the display
filter then each listed frame is marked as "depended upon" (this takes up the
last free frame_data flag).

When performing a Save-As/Displayed/All-Packets then choose packets which
passed the dfilter _or_ are depended upon.

svn path=/trunk/; revision=41216
2012-02-28 03:19:49 +00:00
Chris Maynard 647c5c0b27 packet_info's in_error_pkt is now a bitfield like in_gre_pkt.
svn path=/trunk/; revision=39764
2011-11-08 18:39:11 +00:00
Chris Maynard d55d8781b8 Improve ICMP conversation tracking, especially when capturing on multiple interfaces and one of them is a GRE tunnel. Resolves bug 5770, which was reopened.
svn path=/trunk/; revision=39757
2011-11-08 17:25:22 +00:00
Stig Bjørlykke 82e0b65038 Added a private hash table to transport string values between dissectors.
This works between C and Lua.

In C the pinfo.private_table pointer must be initialized using
g_hash_table_new (g_str_hash, g_str_equal);

In Lua the values are available using pinfo.private.<key>, and the
table is created automatically on first usage.  It's possible to use
these datatypes: nil, boolean, number and string, but every value
is converted to string so numbers must be converted using tonumber()
on usage.  Boolean is either nil or an empty string.

svn path=/trunk/; revision=39461
2011-10-18 17:46:00 +00:00
Guy Harris a8bc4a0d13 Rename the routines that handle dissector tables with unsigned integer
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys.  (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)

svn path=/trunk/; revision=35224
2010-12-20 05:35:29 +00:00
Gerald Combs 1bac7c2610 From Chris Maynard via bug 4014:
This trivial patch merely displays the ICMP ID and sequence # in the Info
column.

svn path=/trunk/; revision=33056
2010-06-02 18:13:00 +00:00
Kovarththanan Rajaratnam b3b9be09c7 We track all protocols that appear in each packet in the frame dissector. This is an expensive operation because we:
* Disable the TRY_TO_FAKE_THIS_ITEM optimization
* Use GString to store the protocols

We should only do this if the 'hf_frame_protocols' is referenced (unlikely)

svn path=/trunk/; revision=29733
2009-09-06 07:55:17 +00:00
Anders Broman a98ce52e80 From Artem Tamazov:
Added: PW ATM 1:1, AAL5 SDU, AAL5 PDU support + BFD fix + PW ATM OAM fix

svn path=/trunk/; revision=28881
2009-06-29 19:24:14 +00:00
Anders Broman c2509b0b3f Handle Detach and Service request, make it possible to set direction on link(UL/DL).
svn path=/trunk/; revision=28648
2009-06-06 17:03:34 +00:00
Gerald Combs f5e8e21ce2 From Owen Kirby via bug 3431:
The attached patch file adds dissectors for the ZigBee protocol stack, 
which runs atop the IEEE 802.15.4 dissector. Also included is the
dissector for the ZigBee Encapsulation Protocol (packet-zep.c), used by
the Exegin Q51 protocol analyzer.

From me:

Fix a bunch of gcc (the compiler, not me) warnings.

svn path=/trunk/; revision=28429
2009-05-20 19:29:39 +00:00
Anders Broman e0cf1679e3 From Francesco Fondelli:
New ATM PW (with/without CW) dissector, RFC 4717
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3375

svn path=/trunk/; revision=27955
2009-04-04 11:48:19 +00:00
Stephen Fisher 18f3436e85 Add support for reading Apple's Bluetooth PacketLogger capture files to
wiretap.  Modify various other locations to accommodate the fact that
PacketLogger files do not specify the direction of packets. 


svn path=/trunk/; revision=27463
2009-02-16 07:24:04 +00:00
Tomas Kukosa 99295ee0d2 put the SCTP PPI for current DATA chunk into packet_info (and ppid array renamed to ppids)
svn path=/trunk/; revision=26958
2008-12-10 11:04:36 +00:00
Jaap Keuter e86825b8f8 From Francesco Fondelli:
Attached is a patch for:
- PW Associated Channel Header dissection as per RFC 4385
- PW MPLS Control Word dissection as per RFC 4385
- mpls subdissector table indexed by label value
- enhanced "what's past last mpls label?" heuristic
- Ethernet PW (w/o CW) support as per RFC 4448

svn path=/trunk/; revision=25730
2008-07-13 17:19:33 +00:00
Jaap Keuter 1987d5e3af Update comments.
svn path=/trunk/; revision=24600
2008-03-10 17:33:53 +00:00
Ulf Lamping 5c86e7fd4c add pinfo fields clnp_srcref and clnp_dstref to the clnp dissector, similar to the srcport / destport already existing. As simply using srcport / destport for this will confuse mixed protocol usage (like RFC1006 ISOonTCP), I've added explicit clnp fields.
This way, protocols on top of COTP / CLNP have at least a chance to do reassembling correct.

svn path=/trunk/; revision=22473
2007-08-08 22:53:14 +00:00
Ulf Lamping 12aed7290c - add PDInterfaceFSUDataAdjust block
- start to implement an AR conversation handler

svn path=/trunk/; revision=22444
2007-08-03 19:29:34 +00:00
Guy Harris 230c951306 From Stephen Donnelly of Endace:
The code for reading ERF files has not been significantly
	updated since 2004.  This patch brings it up to date with a
	number of changes.

	1) Increase number of decodable ERF types from 7 to 12. This
	   covers newer DAG card models and firmware updates.

	2) Fix timestamp conversion. Was calculating only microsecond
	   precision, now displaying with nanosecond resolution.  Hardware
	   precision is 7.5 to 30 ns depending on model.

	3) Allow the user to specify HDLC encapsulation as 'chdlc',
	   'ppp_serial', 'frelay' or 'mtp2'.  This is needed because the
	   ERF HDLC capture formats do not include information on what
	   protocol is used at the next level.  This is currently done via
	   an environment variable 'ERF_HDLC_ENCAP' and is analogous to the
	   existing 'ERF_ATM_ENCAP' variable.

	   If the user does not specify an HDLC encapsulation it tries to
	   guess, and falls back to MTP2 for backwards compatibility with
	   Florent's existing behaviour.

	   I know environment variables are ugly, suggestions are welcome.

	4) When reading HDLC captures as MTP2, use
	   WTAP_ENCAP_MTP2_WITH_PHDR rather than WTAP_ENCAP_MTP2.  This
	   allows us to put the 'Multi-Channel ERF' record 'channel
	   number' field into the MTP2 pseudo header > 'link_number'
	   field.  This is then displayed in Frame information, and can
	   be filtered on.  (Would be nice if it could be made a display
	   column?)

	Because the ERF record does not specify whether Annex A is used
	or not, we pass MTP2_ANNEX_A_USED_UNKNOWN and allow the existing
	user preference to decide.

Move the MTP2_ANNEX_A_ definitions into Wiretap, make the annex_a_used
field a guint8, and change MTP2_ANNEX_A_USED_UNKNOWN to 2 so it fits in
a guint8.  (This means that if you can save an ERF MTP2 file as a
libpcap file, the pseudo-header will have MTP2_ANNEX_A_USED_UNKNOWN in
it.)

svn path=/trunk/; revision=22067
2007-06-08 17:06:13 +00:00
Luis Ontanon 5fa8e75149 packet_info.c and packet.c
add sccp_info to struct _packet_info (Sorry but the way private_data works and the fact that TCAP uses it and BSSAP/RANAP can be tunnelled on GSMMAP over TCAP makes it impossible to avoid)

SCCP
- Have SCCP to have a TAP,
- Fix associations so that every message belongs to the association.
- Export message type values so that they can be used by a tap listener

RANAP
 - Have RANAP information attached to the sccp_info 

BSSAP + GSM_A
- Have DTAP, BSSMAP and BSSAP info attached to the sccp_info

svn path=/trunk/; revision=21076
2007-03-21 00:48:46 +00:00
Jörg Mayer 147d66441e dcerpc_procedure_name is actually a const char*, not just char*
svn path=/trunk/; revision=21010
2007-03-09 13:13:44 +00:00
Ronnie Sahlberg 8ed1260c2c add a field in pinfo where dcerpc/pidl can store the name of the current dcerpc procedure
use this field in the policy handle helper to indicate not only which frames the handle was opened/close in but also the name of the function that opened it.
eventually, when other pidl support infrastructure is developed it would be nice if this could be expanded to also contain the name of the object/handle opened.



svn path=/trunk/; revision=20895
2007-02-21 20:21:11 +00:00
Ronnie Sahlberg 5a0ba5b0c7 fix for bug 1200
there used to be a bug in tcp reassembly that even if the dissector only asked for x more bytes from the next segment   the entire segment would still be added to reassembly.
this caused some issues when there was a new multisegment pdu that started at the end of the segment   but this bug was fixed when tcp reassembly was refactored semi-recently.


there was also another "bug" in the http reassembly that it would only ask for one more byte at a time when doing reassembly.
this did work well however when we still had the bug in tcp reassembly   but made wireshark become very very very slow once this tcp bug was fixed  since it is very very very slow to reassemble a huge http pdu just one byte at a time.


this patch adds partial support (what we need for http   which does not use tcp_dissect_pdus() ) for the desegmentation flag : DESEGMENT_ONE_MORE_SEGMENT and also to the http dissector   so that reassembly of http headers spanning multiple segments now become fast again



svn path=/trunk/; revision=19859
2006-11-07 13:19:31 +00:00
Ronnie Sahlberg cd02551610 add a tcp_tree field to packet_info so that we can access the tree from tcp_dissect_pdus() (and others if need be)
in tcp_dissect_pdus()  add a field ( tcp.pdu.size ) to the tree that displays the pdu size.



svn path=/trunk/; revision=19655
2006-10-22 00:21:40 +00:00
Ronnie Sahlberg f956bad366 we need a new pinfo member field so that we can pass data from the core usb dissector to future class dissectors
svn path=/trunk/; revision=19576
2006-10-17 14:13:49 +00:00
Ronnie Sahlberg 6d3c94a53a implement support to reassemble tcp sessions until the end of the session (FIN)
add required code to the http (and others) code in req_resp_hdrs.c to signal to tcp
when it wants a session to be reassembled to the FIN.

This is currently done for all HTTP packets where we have a Content-type in the header but no content-length.




svn path=/trunk/; revision=19185
2006-09-10 14:03:08 +00:00
Ulf Lamping f4c7cae6b0 add various enhancements to the CBA-ACCO dissector, including an added profinet_type field to the packet_info struct
svn path=/trunk/; revision=18615
2006-06-29 19:46:51 +00:00
Ronnie Sahlberg 89f022b12b name change
svn path=/trunk/; revision=18197
2006-05-21 05:12:17 +00:00
Jörg Mayer 30a8557868 More 'char*' -> 'const char*' changes to fix warnings.
svn path=/trunk/; revision=15015
2005-07-23 11:41:25 +00:00
Anders Broman f01b2b6197 From Mike Duigou:
A few doxygen updates and an improved section on 
writing dissectors that don't use tcp_dissect_pdus().

svn path=/trunk/; revision=14537
2005-06-03 06:35:44 +00:00
Michael Tüxen 23d022349d - Add support for libpcap files for MTP2 with a per packet header
indicating the direction, narrowband/broadband, and interface number.
- Add support to display the direction and interface number.
- Add support to packet-mtp2.c to use the broadband/narrowband indication.

svn path=/trunk/; revision=14265
2005-05-02 14:07:33 +00:00
Guy Harris 90f8224360 Have GSS-API subdissectors supply a "data is encrypted" flag to their
callers, so that they can tell "no decrypted tvbuff because I couldn't
decrypt it" from "no decrypted tvbuff because it's not encrypted in the
first place".  Set that based on the Kerberos seal algorithm field in
the SPNEGO Kerberos 5 wrap dissector code.

Use that to determine whether the GSS-API encapsulated data in LDAP is
encrypted or not, rather than using a heuristic.

Set the length of the SASL blob tvbuff based on the SASL length and the
length of the tvbuff from which it's constructed, rather than setting
it to the SASL length.

svn path=/trunk/; revision=13780
2005-03-16 21:59:25 +00:00
Ronnie Sahlberg 1564a2d2d3 add two nice defines for how to decrypt a GSSKRB tvb
dce has slightly different padding and checksumming so we have to tell decrypt_arcfour() about it.



svn path=/trunk/; revision=13689
2005-03-10 08:52:59 +00:00
Ronnie Sahlberg 9d20ee0a39 gssapi decryption needs a few new fields to pass the blobs from application layer dissector all the way down to spnego or friends and back.
svn path=/trunk/; revision=13658
2005-03-08 09:43:36 +00:00
Guy Harris 9105f362c2 Make the DCE transport type an "int" so that -1 is a valid value and the
compiler doesn't say "that's unsigned, it can't possibly be equal to -1".

svn path=/trunk/; revision=13526
2005-02-25 23:44:44 +00:00
Ronnie Sahlberg 4a338216da pinfo->private_data was a quite suboptimal idea
change the decodeas for dcerpc so that it actually works again for dcerpc over smb



svn path=/trunk/; revision=13515
2005-02-25 10:30:21 +00:00
Gerald Combs 561fbc8b25 Add a field called "frame.protocols" which shows the protocols present
in the frame.   The filter "frame.protocols contains ip:icmp:ip" could
be used to find any ICMP packets containing IP headers.

Clean up whitespace.

svn path=/trunk/; revision=13118
2005-01-19 04:49:29 +00:00
Michael Tüxen 3ae576310c Add the capability to choose to remap the first two PPIDS in each SCTP packet to a different dissector.
svn path=/trunk/; revision=11912
2004-09-06 15:04:27 +00:00
Ulf Lamping 4777e5ef7b From Eric Wedel: backend things for "Decode As" of DCE-RPC interfaces
svn path=/trunk/; revision=11894
2004-09-04 11:35:26 +00:00
Guy Harris 2ad97737fe Pull the address (and port and circuit type) stuff out of
"epan/packet_info.h" and put it in "epan/address.h".

Use the AT_ values from "epan/address.h" for address types in the
interface lists rather than having our own FAM_ enums.

svn path=/trunk/; revision=11427
2004-07-19 02:27:17 +00:00
Guy Harris 8a8b883450 Set the svn:eol-style property on all text files to "native", so that
they have LF at the end of the line on UN*X and CR/LF on Windows;
hopefully this means that if a CR/LF version is checked in on Windows,
the CRs will be stripped so that they show up only when checked out on
Windows, not on UN*X.

svn path=/trunk/; revision=11400
2004-07-18 00:24:25 +00:00
Ronnie Sahlberg e790073f3a Updates from Richard v d Hoff
IAX2 updates and a CRC16 routine

svn path=/trunk/; revision=11233
2004-06-25 06:31:47 +00:00
Guy Harris 30b2831847 Add support for DLT_APPLE_IP_OVER_IEEE_1394.
svn path=/trunk/; revision=10446
2004-03-23 01:02:41 +00:00
Guy Harris d4b00639d6 From Jeff Morriss:
support the ISUP CIC as a circuit ID;

add a preference option to control whether to put the CIC into
the Info column or not.

svn path=/trunk/; revision=10265
2004-02-29 08:47:11 +00:00
Guy Harris 354b911d05 Add a "saved_can_desegment" field to the "packet_info" structure, so
that dissectors for pass-through proxying protocols such as SOCKS can
allow the subdissectors they call to ask that desegmentation be done.

svn path=/trunk/; revision=9488
2003-12-29 22:44:50 +00:00
Olivier Biot 2a6e130e10 Move the GSM SMS dissection to a dedicated subdissector (currently still within
packet-smpp.c).

Now the higher-level protocols show up without the need of unfolding the SMPP
dissector tree.

Add a new address type AT_STRINGZ, and use it for GSM SMS message reassembly.

Get rid of the different UDH IE subtrees, and replace them with one subtree
for all UDH IEs.

Add debug logging to SMPP and SMPP GSM SMS dissectors.

Move the Short Message reassembly from the SMPP dissector to the SMPP GSM SMS
dissector. Fix duplicated "reassembled in" header fields.

Rename header fields that are now part of SMPP GSM SMS (including the dissector
table name, so it has also been updated in packet-wsp.c and packet-wtp.c).

Add an explicit "if (!tree) return" in the WSP add_headers() method.

NOTE: it would be great if we were able to merge the existing packet-gsm_sms.c
and the SMPP GSM SMS dissector.

svn path=/trunk/; revision=9431
2003-12-23 12:07:14 +00:00
Guy Harris d06dc0727a From Michael Lum: support an AT_SS7PC address type for SS7 point codes,
and set the direction in pinfo for SS7 packets based on source and
destination addresses.

svn path=/trunk/; revision=9209
2003-12-08 21:36:53 +00:00
Guy Harris 364261f0ad From Olivier Biot:
* Add a "match_string" field to the "packet_info" structure,
  saving the string value that matched in a string dissector
  lookup, by analogy to "match_port" - this was required for
  dissection with token rendering of WBXML content when no public
  ID was given (e.g. Nokia/Ericsson OTA provisioning data).
* Add support for textual content type based WBXML token
  mapping.
* Add extra WBXML public identifiers.
* Add the Nokia/Ericsson OTA provisioning (version 7) token
  definitions.
* Inform the user when a content-type based token match is found.

svn path=/trunk/; revision=9061
2003-11-21 21:58:55 +00:00
Guy Harris c37d30442f From Dinesh Dutt:
- Dissector for FICON
- Dissector for FC-SP (Security Protocol for Fibre Channel)
- Patches to correct the reassembly of FC fragments.
- Support for new MDS Port Analyzer Adapters that carry the
  frame length for truncated frames.

svn path=/trunk/; revision=8823
2003-10-30 02:06:13 +00:00
Guy Harris 04674dc949 Catch exceptions when dissecting a verifier, so we still dissect the
stub data even if there's a problem dissecting the verifier.

Show stub data as "Encrypted stub data" if it's encrypted, "Decrypted
stub data" if it was encrypted but we decrypted it, and "Stub data" if
it wasn't encrypted.

Don't attempt to decrypt data unless it was encrypted (i.e., the
authentication level is "Packet privacy").

Get rid of "decrypted_data" member of "packet_info" structure - we don't
need it any more.

svn path=/trunk/; revision=8743
2003-10-21 07:17:16 +00:00
Ronnie Sahlberg cb5e97d49a Update to TCP to handle hints from dissectors where the next PDU may start.
ONCRPC dissector updated to provide hint to TCP where the next RPCoverTCP
PDU starts as example.
Trivial updates to the other TCP based protocols required to make them handle
this as well.  See the updates to packet-rpc.c as an example.

This is enabled by activating tcp analysis and provides hints to TCP to know where PDUs starts when not aligned to the start of the segment.

svn path=/trunk/; revision=7543
2003-04-23 10:20:29 +00:00
Guy Harris 5e665db815 Assume all AT_NONE addresses are the same, as they have no address data
to compare; based on a change from Laurent Meyer.

svn path=/trunk/; revision=7222
2003-02-28 20:30:06 +00:00
Guy Harris 4156806b8b From Didier Gautheron: provide a mechanism to indicate why reassembly
wasn't done, and, for TCP, use that mechanism if reassembly isn't done
is an incorrect TCP checksum.

svn path=/trunk/; revision=7212
2003-02-27 03:56:48 +00:00
Guy Harris e120160577 From Dinesh Dutt:
- A new decoder called MDSHDR which decodes the internal header of the
  Cisco MDS switch (this is different from the Boardwalk header).
- Support for some more new columns as part of FC support.
- Fixed the decoding of the Special Frame in FCIP.
- Fixed the decoding of credit management type field in FLOGI/PLOGI frame
  in FC-ELS.

svn path=/trunk/; revision=6974
2003-01-22 06:26:36 +00:00
Jörg Mayer 87b638a94f pointer spells with an o
svn path=/trunk/; revision=6857
2003-01-06 19:08:37 +00:00
Ronnie Sahlberg a80ddab6fd Update DCERPC so that for (NTLMSSP) PDUs that have been decrypted
we also call the proper DCERPC subdissector.

With this change ethereal will call the SAMR dissector and dissect the
decrypted SAMR packets in devins capture.

svn path=/trunk/; revision=6855
2003-01-06 11:27:03 +00:00
Gerald Combs b60b1414c3 From Dinesh Dutt: Add Fibre Channel support, including FCIP, Basic FC
header, Extended Link Service, Interswitch Link Service, FCP, and IPFC.

svn path=/trunk/; revision=6757
2002-12-08 02:32:36 +00:00
Guy Harris 8181a83657 Allow more than one circuit with the same circuit ID; a circuit has a
starting and ending frame number, and circuits with the same circuit ID
are sorted by the starting frame number (the last circuit can have 0 as
the ending frame number, meaning "unknown"), and, when looking up a
circuit, we take a frame number as an argument and return the circuit
that includes that frame.

Add a new circuit ID type for X.25 virtual circuits, and use the circuit
mechanism to keep track of the dissector for an X.25 virtual circuit
rather than having a private mechanism.

svn path=/trunk/; revision=6580
2002-11-08 01:00:07 +00:00
Guy Harris 56f644145e Discard the WTAP_ENCAP_LAPD encapsulation type in favor of a
WTAP_ENCAP_ISDN encapsulation type, which includes a pseudo-header
giving the direction (user-to-network or network-to-user) and the
channel number.

Add a new circuit type, using the ISDN channel number as the circuit ID.

Add an ISDN dissector to put the direction and channel number into the
protocol tree and to call the appropriate dissector for the payload
based on the channel (LAPD for the D channel; V.120, PPP, or data for B
channels, based on some heuristics).

svn path=/trunk/; revision=6521
2002-10-31 07:12:42 +00:00
Guy Harris 28c1a65e85 Add in a notion of "circuits", which are for virtual circuit-oriented
protocols (where there's a virtual circuit ID of some sort in packets)
what conversations are for protocols ultimately running atop
connectionless network layers.  Have circuit type and ID values in the
"packet_info" structure.

Have the Frame Relay dissector set the circuit type and ID values, and
have the Wellfleet compression protocol set up circuit information and
store compression information with the circuit.

svn path=/trunk/; revision=6469
2002-10-22 08:22:07 +00:00
Guy Harris dbfeea3620 The Frame Relay DLCI is a virtual circuit identifier, not a source or
destination address, so yank out the AT_DLCI stuff.

Clean up indentation.

svn path=/trunk/; revision=6455
2002-10-19 00:40:05 +00:00
Guy Harris c7cacdf4b7 Add an AT_ARCNET address type for ARCNET addresses, and have the ARCNET
dissector set the source and destination link-layer addresses.

svn path=/trunk/; revision=6452
2002-10-18 21:40:13 +00:00
Guy Harris e0e7122674 Add a new port type, PT_IPX, for IPX socket numbers; set "pinfo->ptype",
"pinfo->srcport", and "pinfo->destport" appropriately in the IPX
dissector.  Add support for PT_IPX port types in display columns.

Have an "spx.socket" dissector table, similar to the "ipx.socket"
dissector table, and have the SPX dissector use that, with the IPX
socket numbers from "pinfo->srcport" and "pinfo->destport", so that
dissectors for protocols that run atop SPX can register with particular
socket numbers.  (Think of it as similar to what would have been the
case had the IP header had 16-bit source and destination port numbers,
and had TCP and UDP used those port numbers rather than having port
numbers in their headers.)  Also, have the SPX dissector dissect
subprotocols regardless of whether we're building a protocol tree or not.

Use the dissector handle for the IPX message dissector for both IPX
socket numbers; there's no need to create separate handles for both
registrations.

Have NDPS register as a subdissector of the SPX dissector, using
"spx.socket", and get rid of the duplicate SPX dissection in the NDPS
dissector.

Make the NDPS dissector set the columns regardless of whether a protocol
tree is being built, and clean up the dissector (fixing some bugs).

Get rid of unneeded includes in "packet-ndps.c".

svn path=/trunk/; revision=6424
2002-10-15 04:31:00 +00:00
Jörg Mayer 48be4e530d Removed trailing whitespaces from .h and .c files using the
winapi_cleanup tool written by Patrik Stridvall for the wine
project.

svn path=/trunk/; revision=6116
2002-08-28 20:41:00 +00:00
Guy Harris fdf6f47176 Fix the comment before "CMP_ADDRESS()" to reflect reality ("memcmp()"
isn't guaranteed to return 0, 1, or -1, it returns *some* positive
number, not necessarily 1, if the first argument is greater than the
second, and *some* negative number, not necessarily -1, if the first
argument is less than the second).

svn path=/trunk/; revision=6063
2002-08-22 18:53:54 +00:00
Ronnie Sahlberg c56dc7ea38 Fix small typo
svn path=/trunk/; revision=5920
2002-07-31 11:16:19 +00:00
Ronnie Sahlberg e930dd4a31 Adding a new macro CMP_ADDRESS similar to ADDRESS_EQUAL but this one will return
-1,0,1 as the xxxcmp() functions will instead of just true/false.
Useful if you not only want to check for equality but also if you want to have a way to order the elements.

svn path=/trunk/; revision=5917
2002-07-31 06:15:26 +00:00
Guy Harris 6ecde9ff17 From Didier Gautheron: move port number from AppleTalk addresses to
separate column, and put in hidden fields for AppleTalk source and
destination addresses.

svn path=/trunk/; revision=5778
2002-06-28 20:13:03 +00:00
Guy Harris 392a7dfc04 Get rid of the "data_src" member of the "frame_data" structure; put it
in the "packet_info" structure instead, as we don't need a pointer for
every single frame in the capture file, just for each frame for which we
currently have an open "epan_dissect_t".

svn path=/trunk/; revision=5614
2002-06-04 07:03:57 +00:00
Guy Harris 23319ff023 Move the pointer to the "column_info" structure in the "frame_data"
structure to the "packet_info" structure; only stuff that's permanently
stored with each frame should be in the "frame_data" structure, and the
"column_info" structure is not guaranteed to hold the column values for
that frame at all times - it was only in the "frame_data" structure so
that it could be passed to dissectors, and, as all dissectors are now
passed a pointer to a "packet_info" structure, it could just as well be
put in the "packet_info" structure.

That saves memory, by shrinking the "frame_data" structure (there's one
of those per frame), and also lets us clean up the code a bit.

svn path=/trunk/; revision=4370
2001-12-10 00:26:21 +00:00
Guy Harris 3396fb2777 Update from Ronnie Sahlberg:
1.  Changes how can_desegment works so that can_desegment is
    only != 0 for whichever dissector is running immediately on
    top of whoever offers the can_desegment service.

    Thus DCERPC needs no special handling to see if it can trust
    can_desegment (which is currently only available ontop of TCP
    and not ontop of tcp->nbss->smb).

2.  Changes fragment reassembly of transaction smb to only show
    the defragmented packet for the transaction smb holding the
    first fragment.

    To see why, test it with a transaction SMB containing a ~60kb
    PDU or larger.  The old behaviour had approximately quadratic
    behaviour regarding runtime for dissecting such PDUs.

    (example: NetShareEnum is a command which can grow really really
    large if the number of shares and comments are large)

svn path=/trunk/; revision=4296
2001-11-29 09:05:25 +00:00
Gilbert Ramirez 8743a4a8a7 Remove the global packet_info called "pi". Dissectors now only
access their own "pinfo". A packet_info is stored in epan_dissect_t,
which is created for the dissection of a single packet.

GUI functions which need to access the packet_info of the currently
selected packet used to use "pi"; now they use cfile.edt->pi. cfile's
"edt" member is the epan_dissect_t of the currently-selected packet.

The functionality of blank_packetinfo() was moved into
dissect_packet(), as that's the only place that called blank_packetinfo(),
after a spurious call to blank_packetinfo() was removed from
packet_list_select_cb().

svn path=/trunk/; revision=4246
2001-11-21 23:16:26 +00:00
Guy Harris 2f10c7f630 Get rid of the "len" and "captured_len" members of the "packet_info"
structure; they're no longer used.

svn path=/trunk/; revision=4236
2001-11-20 22:29:07 +00:00
Guy Harris 4a5538085f Get rid of NullTVB, the "compat_top_tvb" member of the "packet_info"
structure, the check for a null tvbuff pointer in "alloc_field_info()",
and the "tvb_create_from_top()" macro; they're no longer needed, as
there's no non-tvbuffified dissector code remaining.

svn path=/trunk/; revision=4205
2001-11-15 10:58:51 +00:00
Guy Harris 0c13da5c70 Rename the "private" member of the "packet_info" structure to
"private_data", to keep C++ compilers from getting heartburn.

svn path=/trunk/; revision=4130
2001-11-03 00:58:52 +00:00
Guy Harris d627904aba Have a flag in the "packet_info" structure, which indicates whether the
stuff currently being dissected is part of a packet included in an error
packet (e.g., an ICMP Unreachable packet).  Have the TCP dissector not
bother doing reassembly if the TCP segment is part of an error packet,
rather than an actual TCP transmission; other dissectors might want to
treat those packets specially as well.

Add to the "tcpinfo" structure a flag indicating whether the URG flag
was set, rather than having the zero or non-zero value of the urgent
pointer indicate that.  (Yes, at least as I read RFC 793, a zero urgent
pointer value isn't useful, as it means "the stuff before this segment
is urgent", but it's certainly possible to put onto the wire a TCP
segment with URG set and a zero urgent pointer.)

Don't dissect the TCP header by grabbing the entire header with
"tvb_memcpy()" and then pulling stuff out of it - extract stuff with
individual tvbuff calls, and put stuff into the protocol tree and the
Info column as we extract it, so that we can dissect a partial header.
This lets us, for example, get the source and destination ports from the
TCP header of the part of a TCP segment included in a minimum-length
ICMPv4 error packet.

svn path=/trunk/; revision=3986
2001-10-01 08:29:37 +00:00
Guy Harris 2a148564d6 TCP desegmentation support, and changes to the ONC RPC and NBSS
dissectors to use it, from Ronnie Sahlberg, with additional changes to
handle the case where a frame contains messages that don't run past the
end followed by one that does and where a reassembled chunk has, at the
end, a message that runs past the end of that chunk (because the
reassembly was for an earlier message).

svn path=/trunk/; revision=3923
2001-09-13 07:56:53 +00:00
Guy Harris ddfdc5bfb1 Replace the protocol-specific data in the "packet_info" structure with a
"void *" that a dissector can set to point to such a structure; that
means that the stuff in the epan directory doesn't have to know anything
about the protocol-specific private data one dissector passes to
another, and that structure doesn't have to be changed if a dissector
wants to pass some new type of data to another dissector.

svn path=/trunk/; revision=3818
2001-08-04 04:04:35 +00:00
Guy Harris 671992baab Define a "COPY_ADDRESS()" macro, which copies the data in one address to
another (copying the data to a mallocated array) in
"epan/packet_info.h", and use it in the conversation code.

svn path=/trunk/; revision=3510
2001-06-04 07:27:50 +00:00
Guy Harris a5a36589f8 Add an "ADDRESSES_EQUAL()" macro, taking pointers to two "address"
structures as arguments, that evaluates to "true" if the two addresses
are equal and "false" if they're not equal.  Use that macro in the
conversation code.

svn path=/trunk/; revision=3509
2001-06-04 06:46:07 +00:00
Guy Harris d2ef0cf51a RX and AFS dissectors tvbuffified, and bugs fixed, by Ronnie Sahlberg.
svn path=/trunk/; revision=3454
2001-05-27 01:48:25 +00:00
Ed Warnicke dd54ba9396 Moved the packet_info structure and supporting functions out of
packet.{h,c} and into a separate packet_info{h,c}.

svn path=/trunk/; revision=3225
2001-04-01 04:50:42 +00:00