Fix the URL for the FreeBSD pflog code.
Make the byte order for the UID and the PID an enum, with the default
being *host*-endian, as, from a quick look at the PF code in the OSes
that have it, both the IDs are in the byte order of the host writing
the file. (This means I need to update libpcap and libwiretap to
byte-swap them when reading a byte-swapped capture file or file section,
as we do with some other pseudo-header fields. That's next on the
list.)
Add some comments about the signedness of the UID and PID fields.
This is the right way to handle #10202.
At some point the indices of the request and response stat tables
got switched, and stats were being looked up in the wrong table.
Use stat_tap_find_table to look up the tables rather than hardcoding
the indices. Fix #17904
Correctly handle the length field; it should be rounded up to a multiple
of 4 to determine the full length, it shouldn't just have 3 added to it
under the assumption that length % 4 = 1.
The LEN_PFLOG values refer to OpenBSD releases, so name them
LEN_PFLOG_OPENBSD_{version}, not just BSD. Give them values that don't
include the padding.
Add FreeBSD and Darwin AF_INET6 values, as this can be used to analyze
non-OpenBSD PF logs.
Add additional reason, action, and direction values, with #ifs for
different platforms. To handle other platforms' PF logs, we'd need a
preference (although what we *really* want are separate LINKTYPE_ values
for different OSes, so the preference would not be needed for newer
files).
Use proto_item_add_item_return_ routines for integral-valued fields.
Show the rule number as decimal, as long as it's an FT_INT32.
Update links for OpenBSD CVS repository, add pfvar.h, and add links to
repositories for other OSes with PF.
Have RTCP behave similarly to the RTP dissector and reject packets
with a version other than 2 (after adding some entries to the tree
as RTP does). This is necessary because WebRTC and others often send
STUN or DTLS packets on a port after SDP has set up the RTCP dissector
(with a=rtcp:port or similar). Improves dissection of the files
in #13193 when the key log file is set in the TLS prefs.
Perhaps later a preference could be added, as with RTP.
packet-ssh.c:2502:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2511:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2516:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2532:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2535:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2538:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2561:25: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2564:25: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-ssh.c:2568:17: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
Remove tvb and offset from ssh_keylog_hash_write_secret
No longer needed after 54cd727edf.
packet-ssh.c:1879:40: error: unused parameter ‘tvb’ [-Werror=unused-parameter]
packet-ssh.c:1879:49: error: unused parameter ‘offset’ [-Werror=unused-parameter]
packet-ssh.c:2131:14: warning: Although the value stored to 'err' is used in the enclosing expression, the value is never actually read from 'err'
packet-ssh.c:2137:14: warning: Although the value stored to 'err' is used in the enclosing expression, the value is never actually read from 'err'
After commit 16ddc9ab19, we don't need to call srtcp_add_address
separately for a multiplexed connection. Do call it on a client hello
with only a single protection profile offered, in case of a one way
connection, though. Related to #13193.
The RTP dissector supports RFC 5761 multiplexing by default, always
passing payload types that conflict with RTCP to the RTCP dissector.
Thus, when a [S]RTP stream is set up by srtp_add_address, it should
pass along the information to the RTCP dissector so that the rtcp_info
and srtcp_info information is attached to the conversation as well.
Helps with DTLS-SRTP (#13193).
Fix regressions in AppleShare dissection by correcting the length
of afp.access and afp.file_bitmap fields to be UINT16 as specified
in the AppleShare protocol specification.
Fix reuse of afp.file_bitmask in CatSearchExt as a 16 and as a 32 bit
value by introducing afp.request_bitmask for the 32 bit Request
Bitmap.
Closes #17907.
dissections by introducing hf_afp_request_bitmap for the 32 bit
Request Bitmap in FPCatSearchExt. Made the hf_afp_access_*
FT_BOOLEANs have a width of 16 to reflect the fact that
hf_afp_access_mode needs to be a FT_UINT16 as AFP spec defines
access mode as a short.
Fix regressions in AppleShare dissection by correcting the length
of afp.access and afp.file_bitmap fields to be UINT16 as specified
in the AppleShare protocol specification. Closes #17907
The Release Identifier field is only one nibble in GTP'. So in
Release 15 of 3GPP TS 32.295, an extra octet, Release Identifier
Extension, was added to support CDRs encoded with Release 16 and
higher of TS 32.298. Fix #17903.
Use the information in a use_srtp Extension in a Server Hello to
set up SRTP and SRTCP sessions according to RFC 5764. It is RECOMMENDED
that symmetric RTP be used with DTLS-SRTP, and RTP and RTCP traffic may
be multiplexed, so set up all four possible connections.
Fix #17905.
As the owner name of each NSEC3 record is Base32-encoded, the Next
Hashed Owner Name field in those records should also be displayed in
Base32-encoded form. This enables the user to quickly tell what span of
hashed owner names is covered by a given NSEC3 record.
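As an added example (not Wireshark's dissector code), the Python below parses NSEC3 RDATA per RFC 5155 and renders the Next Hashed Owner Name in Base32hex, the same encoding the owner name label uses, so the span a record covers can be read off directly. The RDATA bytes are constructed for the example, and the function names are this example's own; every length field is bounds-checked before use, and the type bitmap is decoded as well.

```python
import base64
import struct

# RFC 4648 base32 alphabet -> "extended hex" alphabet (RFC 4648 section 7),
# which RFC 5155 mandates for hashed owner names. Translating the standard
# encoder's output keeps this working on Python < 3.10, which lacks
# base64.b32hexencode().
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def base32hex(data):
    """Base32hex without '=' padding, the presentation form of NSEC3 hashes."""
    return base64.b32encode(data).translate(_STD_TO_HEX).rstrip(b"=").decode("ascii")


def parse_type_bitmaps(data):
    """Decode the Type Bit Maps field (RFC 4034 section 4.1.2) into RR type numbers."""
    types = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated type bitmap window header")
        window, length = data[off], data[off + 1]
        off += 2
        if not 1 <= length <= 32 or off + length > len(data):
            raise ValueError("bad type bitmap length %d" % length)
        for i in range(length):
            for bit in range(8):
                if data[off + i] & (0x80 >> bit):
                    types.append(window * 256 + i * 8 + bit)
        off += length
    return types


def parse_nsec3_rdata(rdata):
    """Parse NSEC3 RDATA (RFC 5155 section 3.2), bounds-checking every length field."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    off = 5
    if off + salt_len + 1 > len(rdata):
        raise ValueError("salt runs past end of RDATA")
    salt = rdata[off:off + salt_len]
    off += salt_len
    hash_len = rdata[off]
    off += 1
    if hash_len == 0 or off + hash_len > len(rdata):
        raise ValueError("next hashed owner name runs past end of RDATA")
    next_hashed = rdata[off:off + hash_len]
    off += hash_len
    return {
        "hash_algorithm": hash_alg,           # 1 = SHA-1, the only algorithm defined
        "flags": flags,
        "opt_out": bool(flags & 0x01),
        "iterations": iterations,
        "salt": salt.hex() if salt else "-",  # "-" is the presentation form of an empty salt
        "next_hashed_owner_name": base32hex(next_hashed),
        "types": parse_type_bitmaps(rdata[off:]),
    }


# Constructed sample RDATA (not from a real zone): SHA-1, no opt-out, 10 iterations,
# salt aabb, a 20-byte next hash made of four "fooba" blocks, and a bitmap
# covering A (1) and RRSIG (46).
SAMPLE_RDATA = (
    b"\x01\x00\x00\x0a"
    + b"\x02\xaa\xbb"
    + b"\x14" + b"fooba" * 4
    + b"\x00\x06\x40\x00\x00\x00\x00\x02"
)

if __name__ == "__main__":
    rec = parse_nsec3_rdata(SAMPLE_RDATA)
    for key, value in rec.items():
        print("%-24s %s" % (key, value))
```

Because each 5-byte input block encodes independently, the sample's four "fooba" blocks give four copies of the RFC 4648 test vector prefix CPNMUOJ1, which makes the encoding easy to verify by hand.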
If RTCP is chosen via Decode As, decode as RTCP.
If SRTCP is chosen via Decode As, decode as SRTCP (assuming that
all packets are encrypted, because we can't tell where the E bit is
in that case.)
If possible [S]RTCP is found via the heuristic dissector, assume either
RTCP or (encrypted) SRTCP based on a preference. Perhaps later the heuristic
dissector could be improved to make a better decision.
This was done for all generated values in commit:
commit 7e99bbf32b
Author: John Thacker <johnthacker@gmail.com>
AuthorDate: Tue Nov 23 21:36:02 2021 -0500
Commit: John Thacker <johnthacker@gmail.com>
CommitDate: Thu Dec 2 20:40:22 2021 -0500
BER: Make GeneralizedTime a FT_ABSOLUTE_TIME
...
But we need to also do it for manual stuff.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
From 3GPP TS 29.06 V 17.1.0 7.7.51:
The routing area code consists of 2 octets and is found in octet 10
and octet 11. Only the first octet (10) contains the RAC and the
second octet (11) is coded as "11111111".
Don't include the spare octet 11 in the RAC field. The RAC is only
one octet.
Add some undecoded IEs from 3GPP TS 29.060 V17.1.0:
Hop Counter (163), Signaling Priority Indication (203), Signaling
Priority Indication with NSAPI (204), ULI Timestamp (214),
and LHN-ID with NSAPI (215). Related to #17839.
This assert will notify the higher layers that the dissector needs
to be fixed. ieee1722 and zbee-zcl dissectors have been updated to
prevent such a call.
Ref: #17882.
If we are decoding as SRTCP with encrypted payload but srtcp_info
wasn't set up (e.g. because this was done by Decode As or a heuristic),
then since we can't calculate the length, add the expert info about
an undecoded payload rather than the expert info about an incorrect
length.
Related to #17892
The HTTP/2 priority update frame is an extension frame defined in
https://datatracker.ietf.org/doc/draft-ietf-httpbis-priority/.
With this change, we add new support for the frame to the HTTP/2
dissection, matching the capability in the HTTP/3 dissector, to expose
the target of the priority and the value of the hint.
The HTTP/3 priority update frame is an extension frame defined in
https://datatracker.ietf.org/doc/draft-ietf-httpbis-priority/.
Previously, the HTTP/3 dissector only went as far as reporting the
PRIORITY_UPDATE frame types.
With this change, we extend the HTTP/3 dissection to cover the fields
inside the frame. This makes it easier to see the actual target of the
priority and the value of the hint.
Add support for ORIGIN frame (RFC 8336) to the HTTP/2 dissector. The
frame is a sequence of 0 or more origin entries (length and ASCII
value), hence dissection is implemented as a subtree.
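The two extension frames described in the messages above, PRIORITY_UPDATE (HTTP/2 and HTTP/3) and ORIGIN, decoded in one added Python example that is not the project's dissector code. It walks a buffer of HTTP/2 frames, decodes the ORIGIN entry list as a sequence of (length, origin) pairs, and extracts the PRIORITY_UPDATE target stream and the urgency/incremental hint, with a length check before every read. The frame bytes are constructed, the helper names are this example's own, and the priority-dictionary parser only understands the u and i members defined for the priority field.

```python
import struct

# Frame type codes from the HTTP/2 frame type registry.
FRAME_TYPE_ORIGIN = 0x0C           # RFC 8336
FRAME_TYPE_PRIORITY_UPDATE = 0x10  # RFC 9218 (the httpbis-priority draft cited above)

FRAME_HEADER_LEN = 9
STREAM_ID_MASK = 0x7FFFFFFF        # top bit of the 32-bit stream id field is reserved


def build_frame(ftype, flags, stream_id, payload):
    """Helper to construct HTTP/2 frames for the samples below."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & STREAM_ID_MASK) + payload


def parse_origin_payload(payload):
    """ORIGIN frame: zero or more (Origin-Len:16, ASCII-Origin) entries."""
    origins, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated Origin-Len at offset %d" % off)
        olen = struct.unpack("!H", payload[off:off + 2])[0]
        off += 2
        if off + olen > len(payload):
            raise ValueError("origin entry runs past end of frame")
        try:
            origins.append(payload[off:off + olen].decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("ASCII-Origin contains non-ASCII bytes") from None
        off += olen
    return origins


def parse_priority_field_value(text):
    """Minimal parser for the RFC 9218 priority dictionary: u=0..7 (default 3)
    and the boolean i (bare key or ?1 means true). Unknown keys are ignored."""
    urgency, incremental = 3, False
    for member in (m.strip() for m in text.split(",")):
        if not member:
            continue
        key, _, value = member.partition("=")
        if key == "u":
            if not (value.isdigit() and 0 <= int(value) <= 7):
                raise ValueError("invalid urgency %r" % value)
            urgency = int(value)
        elif key == "i":
            if value in ("", "?1"):
                incremental = True
            elif value == "?0":
                incremental = False
            else:
                raise ValueError("invalid incremental flag %r" % value)
    return {"urgency": urgency, "incremental": incremental}


def parse_priority_update_payload(payload):
    """PRIORITY_UPDATE: R(1) + Prioritized Stream ID(31), then the ASCII Priority Field Value."""
    if len(payload) < 4:
        raise ValueError("PRIORITY_UPDATE payload shorter than 4 bytes")
    prioritized = struct.unpack("!I", payload[:4])[0] & STREAM_ID_MASK
    try:
        value = payload[4:].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("Priority Field Value is not ASCII") from None
    return prioritized, parse_priority_field_value(value)


def parse_frames(buf):
    """Walk a buffer of frames, returning (type, stream_id, decoded payload) per frame."""
    frames, off = [], 0
    while off < len(buf):
        if off + FRAME_HEADER_LEN > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype = buf[off + 3]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & STREAM_ID_MASK
        off += FRAME_HEADER_LEN
        if off + length > len(buf):
            raise ValueError("frame length %d exceeds buffer" % length)
        payload = buf[off:off + length]
        off += length
        if ftype == FRAME_TYPE_ORIGIN:
            decoded = parse_origin_payload(payload)
        elif ftype == FRAME_TYPE_PRIORITY_UPDATE:
            decoded = parse_priority_update_payload(payload)
        else:
            decoded = payload  # other frame types are left undissected here
        frames.append((ftype, stream_id, decoded))
    return frames


# Constructed sample: an ORIGIN frame advertising two origins, followed by a
# PRIORITY_UPDATE (sent on stream 0) that reprioritizes stream 5.
SAMPLE = (
    build_frame(FRAME_TYPE_ORIGIN, 0, 0,
                b"\x00\x13https://example.com" + b"\x00\x17https://www.example.com")
    + build_frame(FRAME_TYPE_PRIORITY_UPDATE, 0, 0, b"\x00\x00\x00\x05u=1, i")
)

if __name__ == "__main__":
    for ftype, sid, decoded in parse_frames(SAMPLE):
        print("type=0x%02x stream=%d %r" % (ftype, sid, decoded))
```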
This patch links PTPv2 messages to each other and starts analysis
based on the messages:
- Link Sync to FollowUp
- Link PDelay Req to PDelay Res
- Link PDelay Res to PDelay F'Up
- Add timestamp to a sync based on the Follow Up (2-step only).
- Calculate the mean propagation delay and add it to PDelay Resp F'Up.
- Calculate the neighborRateRatio of PDelay and show it
- Calculate the syncRateRatio and show it
This feature is off by default but only slows down dissection of PTP
frames by about 10%.
Instead of considering just negative sizes as invalid, treat 0 the
same way. The size is used to increment the packet offset and 0
causes an infinite loop.
Fix: #17855.
The IE is defined in 3GPP TS 48.058 section 8.3.3 "ERROR INDICATION" as
being a TLV of size 2-4, which means length=0 is an accepted form. Avoid
showing "Malformed packet" error if such packet is found.
If KAZLIB_POSIX_THREADS isn't defined, we are still using thread support
- compiler and support library support for per-thread data, at least for
the stack of exception catchers.
Update and expand comments.
This patch allows calculating aggregations for easier analysis.
Per configured signal (uint, int, float) the following aggregations
are supported:
- sum of values (sum)
- average of values (avg)
- sum of value * delta_time (int)
Report all registration errors with REPORT_DISSECTOR_BUG().
In the workers for register_all_protocols() and
register_all_protocol_handlers(), use TRY/CATCH/ENDTRY to catch
DissectorError exceptions thrown by REPORT_DISSECTOR_BUG() when
registering dissectors. Return the error message from the main thread
routine and, when joining the worker thread, if there's an error message
returned, throw it in the current thread, so that it gets caught by the
main libwireshark initialization code.
Fixes the crash in #17856.
This prevents the weird failures I saw on macOS in #17856; instead, it
should fail on *all* platforms with
Unhandled exception ("epan/proto.c:8800: failed assertion "DISSECTOR_ASSERT_NOT_REACHED"", group=1, code=6)
(which it does on macOS 11.6/Xcode 12.5.1 and Windows 10/VS 2019
16.11.8; according to
https://en.wikipedia.org/w/index.php?title=Thread-local_storage&oldid=1064900318#C_and_C++
the major UN*X C compilers support __thread and the major Windows C
compilers support __declspec(thread)).
(@jvalverde: on branches that require C11/C++11 support, we could perhaps
just use _Thread_local for C and thread_local for C++. Note that
<thread.h> is optional in C11, and macOS 11.6/Xcode 12.5.1 does not
appear to include it.)
This does not *fix* the aforementioned issue; to do *that* we need to do
TRY in the register-dissectors thread code. I'm committing this
separately because it fixes a bug in our exception package that could
cause all sorts of randomness now and in the future - what we're doing
now is Just Wrong.
(Yes, there's code to support per-thread exception handler stacks *on
platforms with pthreads*, but this is simpler *and* also works on
Windows.)
This patch adds support for 802.1AS-2020 Sync with 1-step as they carry
the originTimestamp and the Follow_UP TLV.
This patch also corrects that 802.1AS Sync with 2-step DO NOT have the
originTimestamp but "reserved" data.
Based on MR 2638.
Some http2 headers cannot be parsed in the current
HEADERS frame because previous HEADERS frames were not
captured, which leaves the HPACK index table incomplete.
This commit makes fake headers usable in this
situation as well.
Closes #17799
According to modern EN 300 468 releases, the reserved PID list includes not
only the range 0x00...0x0F from ISO 13818-1 but 0x10...0x1F as well.
I added descriptions of the latter from DVB BlueBook A038r14.
Formally, per the old ISO 13818-1, values 0x10...0x1F (among others)
may be used freely for other purposes, but I didn't see such usage.
Recent commits 2874b979adc1870203047356889242, a2f6b079f1 have lines that
need to be protected by ifdef guards when SSH_DECRYPTION_SUPPORTED
isn't defined. (gcrypt < 1.7.0)
Fixes build.
Get rid of the global content_tvb and object_identifier_id in
the CMS dissector, and put them in a packet-scoped proto data
struct, so that when there's a non-fatal exception retrieving
the OID we don't use the global value from a previous packet
(or worse, file); since what content_tvb and object_identifier_id
pointed to were both packet-scoped, that could lead to memory
access violations.
Clear the values of the OID and the content_tvb each time before
they are retrieved, so that values from a previous PDU of CMS
in the same packet aren't used either. This was not quite as bad
as using a value already freed, but still bad.
Fix #17800, #17809, #17835
Other speed config descriptors are identical to config descriptors, it's
just the request that is different. Handle this request so that other
speed config responses are decoded.
This patch adds support for zero-terminated strings as well as UTF-8 and
UTF-16 strings.
This patch also fixes a check for the signal list UAT (scaler, offset).
Add subdissector support to UDS and allow Signal PDUs for it.
This patch supports:
- ReadDataByIdentifier (RDBI) Reply
- WriteDataByIdentifier (WDBI) Request
- RoutineControl (RC) Request
- RoutineControl (RC) Reply
Add Multilingual Network Name Descriptor (0x5B),
Multilingual Bouquet Name Descriptor (0x5C),
Multilingual Service Name Descriptor (0x5D),
Multilingual Component Descriptor (0x5E).
Added as usual DVB descriptors. The specification was taken from
NorDig Unified Requirements 3.1.2.
Formally, private descriptors have to be used after a Private Data
Specifier (0x5F), but DVB operators often ignore this rule. So I
didn't limit the descriptor parsing to the NorDig private data
specifier (0x00000029).
This patch adds support to the Signal-PDU dissector for the following
data types:
- float: 32 and 64 bit IEEE floating point numbers
- string: fixed length ASCII strings
- uint_string: dynamic length ASCII strings with leading length
Add p_set_proto_data, which either updates our entry if we have a
proto+key match or adds an entry if we don't. Use it with
p_set_proto_depth. Document it and our other proto_data routines.
There was a warning that dynamic_hf[i].p_id is not checked for NULL and
that could mean a NULL Pointer dereference.
To make the code more robust and the compiler happy, this patch adds the
check for NULL.
This relaxes the display filter syntax to accept byte arrays without
separators. An expression such as the following becomes valid:
quic.dcid == b1f0b7cbe0897974
Previously it had to be written as:
quic.dcid == b1:f0:b7:cb:e0:89:79:74
Partially fixes #17818.
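An added Python example (not Wireshark's filter grammar, whose exact rules are not reproduced here) of accepting a byte-array literal with or without separators while still rejecting the forms that cannot be read unambiguously: an odd number of unseparated hex digits, groups that are not exactly one byte, or two different separators in one literal. The accepted separator set and the two-digits-per-group rule are this example's assumptions; the sample connection ID is constructed.

```python
import re

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_byte_array(literal):
    """Parse a display-filter byte-string literal into bytes.

    Accepted forms (assumptions for this example, not Wireshark's grammar):
      - "b1:f0:b7" or "b1-f0-b7": one separator kind per literal, two hex digits per group
      - "b1f0b7": no separators, so the digit count must be even
    Anything else, including mixed separators or an odd digit count, is rejected."""
    s = literal.strip()
    if not s:
        raise ValueError("empty byte string")
    for sep in (":", "-"):
        if sep in s:
            groups = s.split(sep)
            if not all(_HEX_BYTE.match(g) for g in groups):
                raise ValueError("bad byte string %r: each %r-separated group must be two hex digits"
                                 % (literal, sep))
            return bytes(int(g, 16) for g in groups)
    if len(s) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError("bad byte string %r: need an even number of hex digits" % literal)
    return bytes.fromhex(s)


def field_equals(field_value, literal):
    """Evaluate `field == literal` for a bytes-typed field such as quic.dcid."""
    return field_value == parse_byte_array(literal)


# Constructed sample: a QUIC Destination Connection ID as it would come out of a capture.
SAMPLE_DCID = bytes.fromhex("b1f0b7cbe0897974")

if __name__ == "__main__":
    for lit in ("b1f0b7cbe0897974", "b1:f0:b7:cb:e0:89:79:74", "b1-f0-b7-cb-e0-89-79-74"):
        print("%-28s -> %s" % (lit, field_equals(SAMPLE_DCID, lit)))
```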
Wireshark crashes when missing a UAT column due to a read access
violation. This was introduced by the code to add better compatibility
to UAT changes.
See "UAT: Allow missing fields."
This code adds a check whether the defaults are NULL before accessing them.
The descriptor contains a registered MPEG TS Identifier, whose full
description may be found at https://smpte-ra.org/registered-mpeg-ts-ids.
I added display of a readable MPEG TS identifier and an organization
name.
Instead of just assuming CAN-IDs > 0x7ff are extended, the new code
checks the EFF_FLAG of the CAN-ID of the Signal_PDU_Binding_CAN and
AUTOSAR_IPDUM_Binding_CAN. This affects registering CAN-IDs with the CAN
dissector as well as config lookups.
This patch changes the config format of Signal_PDU_Binding_CAN and
AUTOSAR_IPDUM_Binding_CAN. CAN-IDs need to include the EFF-Flag now!
- CISCO-DYNAMIC-ROUTE
Indicates support for IKEv2 Dynamic Routing
- CISCO-VPN-REV-02
Not so sure about this one. Presumably indicates to peers internal
differences in the IKE implementation which can influence subsequent
configuration of the security associations.
Require date/time separators when entering a time value, e.g.:
2014-07-04 12:34:56.789+00:00
Separators in the timezone offset are an exception, they are
never mandatory.
This excludes ISO basic format to avoid inputs that could
be entirely numbers indistinguishable from Epoch time, in case
we want to support that in the future.
Protocol parses some fields. As a result, the parsed result is inconsistent with the description in the protocol.
Register different fields in the BICC protocol and parse them separately.
The details are as follows:
1. Split the following fields in the ISUP protocol:
Continuity Indicator(isup.continuity_check_indicator)
End-to-end method indicator(isup.forw_call_end_to_end_method_indicator)
End-to-end method indicator(isup.backw_call_end_to_end_method_indicator)
End-to-end information indicator(isup.backw_call_end_to_end_information_indicator)
BICC indicator(isup.backw_call_isdn_user_part_indicator)
SCCP method indicator(isup.backw_call_sccp_method_indicator)
End-to-end information indicator(isup.forw_call_end_to_end_information_indicator)
BICC indicator(isup.forw_call_isdn_user_part_indicator)
BICC preference indicator(isup.forw_call_preferences_indicator)
SCCP method indicator(isup.forw_call_sccp_method_indicator)
2. Register the following fields in the BICC protocol again.
Continuity Check Indicator(bicc.continuity_check_indicator)
End-to-end method indicator(bicc.forw_call_end_to_end_method_indicator)
End-to-end method indicator(bicc.backw_call_end_to_end_method_indicator)
End-to-end information indicator(bicc.backw_call_end_to_end_information_indicator)
ISDN user part indicator(bicc.backw_call_isdn_user_part_indicator)
SCCP method indicator(bicc.backw_call_sccp_method_indicator)
End-to-end information indicator(bicc.forw_call_end_to_end_information_indicator)
ISDN user part indicator(bicc.forw_call_isdn_user_part_indicator)
ISDN user part preference indicator(bicc.forw_call_preferences_indicator)
SCCP method indicator(bicc.forw_call_sccp_method_indicator)
Add the option to enter a filter with an absolute time
value in UTC. Otherwise the value is interpreted in
local time.
The syntax used is a "UTC" suffix, for example:
frame.time == "Dec 31, 2002 13:55:31.3 UTC"
This also changes the behavior of "Apply Selected as filter".
Fields using a local time display type will use local time
and fields using UTC display type will be applied using UTC.
Fixes #13268.
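The two time-value rules described in the messages above (mandatory date/time separators with the zone offset's separators optional and all-digit input rejected, and a "UTC" suffix selecting UTC instead of local time) in one added Python parser that is not Wireshark's code. The exact set of accepted layouts is this example's assumption: the ISO 8601 extended form and the "Mon DD, YYYY HH:MM:SS" form from the filter example; fractions beyond six digits are truncated because Python datetimes carry microseconds. A value with no zone is returned naive, meaning local time, which is what the text says the default is.

```python
import re
from datetime import datetime, timedelta, timezone

_MONTHS = {name: num for num, name in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), 1)}

# ISO 8601 extended format: the separators between date parts and time parts are
# mandatory; the zone may be Z, +-HH[:]MM (offset separator optional) or " UTC".
_ISO = re.compile(r"""^(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})[ T]
                      (?P<h>\d{2}):(?P<mi>\d{2})(?::(?P<s>\d{2})(?:\.(?P<f>\d{1,9}))?)?
                      (?P<tz>Z|[+-]\d{2}(?::?\d{2})?|\ UTC)?$""", re.X)
# The "Mon DD, YYYY HH:MM:SS[.frac][ UTC]" form shown in the filter example.
_LEGACY = re.compile(r"""^(?P<mon>[A-Za-z]{3})
                         \ (?P<d>\d{1,2}),
                         \ (?P<y>\d{4})
                         \ (?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})(?:\.(?P<f>\d{1,9}))?
                         (?P<tz>\ UTC)?$""", re.X)


def _parse_tz(token):
    if token is None:
        return None                      # no zone given: interpret as local time
    token = token.strip()
    if token in ("Z", "UTC"):
        return timezone.utc
    sign = 1 if token[0] == "+" else -1  # separators inside the offset are optional
    digits = token[1:].replace(":", "")
    hours, minutes = int(digits[:2]), int(digits[2:] or "0")
    if hours > 23 or minutes > 59:
        raise ValueError("bad UTC offset %r" % token)
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_abs_time(text):
    """Parse a filter time value. Returns an aware datetime when a zone or the
    UTC suffix is present, otherwise a naive datetime meant as local time."""
    text = text.strip()
    if text.isdigit():
        # Rejected up front so that a bare number can later mean epoch time.
        raise ValueError("all-digit value %r is indistinguishable from an epoch time; "
                         "use date/time separators" % text)
    m = _ISO.match(text)
    if m:
        year, month, day = int(m["y"]), int(m["mo"]), int(m["d"])
    else:
        m = _LEGACY.match(text)
        if m is None:
            raise ValueError("unrecognized time value %r" % text)
        month = _MONTHS.get(m["mon"].capitalize())
        if month is None:
            raise ValueError("unknown month %r" % m["mon"])
        year, day = int(m["y"]), int(m["d"])
    # Python datetimes carry microseconds; nanosecond digits beyond the sixth are dropped.
    micro = int((m["f"] or "0").ljust(6, "0")[:6])
    return datetime(year, month, day, int(m["h"]), int(m["mi"]),
                    int(m["s"] or "0"), micro, tzinfo=_parse_tz(m["tz"]))


def parse_abs_time_fields(text):
    """Result view for checking: (wall-clock ISO string, UTC offset in seconds, or None for local)."""
    dt = parse_abs_time(text)
    off = dt.utcoffset()
    return (dt.replace(tzinfo=None).isoformat(timespec="microseconds"),
            None if off is None else int(off.total_seconds()))


if __name__ == "__main__":
    for value in ("2014-07-04 12:34:56.789+00:00", "Dec 31, 2002 13:55:31.3 UTC",
                  "Dec 31, 2002 13:55:31.3", "20140704T123456", "1404477296"):
        try:
            print("%-32s -> %s" % (value, parse_abs_time_fields(value)))
        except ValueError as e:
            print("%-32s -> rejected: %s" % (value, e))
```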
Instead of having it return the information needed to fetch the string
value, just have it return the string to use to display that string, as
that's all its only caller needs.
(Note that the display string has had control characters, etc. escaped,
which is what you want for text that appears in a string displayed in
the protocol details.)
The Kafka dissector uses the return value of tvb_get_varint to advance
the packet offset in many places. If tvb_get_varint fails it returns 0,
which means our offset isn't guaranteed to advance. Stop dissection
whenever that happens. Fixes #17811.
Refactor the common code in abs_time_to_str() and
abs_time_secs_to_str() into separate functions, to
avoid code duplication and improve maintainability.
This makes it easier to understand the code, avoids conflicts
and ugly and unnecessary casts.
The field display enum has evolved over time from integer types
to a type generic parameter.
Encapsulate the feature requirements for strptime() in a
portability wrapper.
Use _GNU_SOURCE to expose strptime. It should be enough on glibc
without the side-effect of selecting a particular SUS version,
which we don't need and might hide other definitions.
If you're past the end of the tvbuff, tvb_find_line_end() will, when
reassembly is not being done, return a zero-length line without
advancing next_offset, so, unless you check for being past the end of
the tvbuff, you'll loop forever.
Fixes #17801.
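Three of the fixes on this page (#17855, where a size of 0 is used to advance the offset; #17811, where tvb_get_varint returns 0 on failure; and #17801, where tvb_find_line_end returns a zero-length line without advancing past the end of the tvbuff) share one root cause: a loop that advances its offset by a value that can be 0. The added Python example below is not Wireshark's code; get_varint and find_line_end imitate the failure returns the three messages describe, and the two loops show the guard that turns a hang into a hard stop. The sample bytes are constructed, and the Kafka-style zigzag varint is an assumption about the input format.

```python
MAX_VARINT_LEN = 10  # 64 bits in 7-bit groups


def get_varint(buf, off, zigzag=False):
    """Decode a base-128 varint at buf[off:]. Returns (value, bytes_consumed);
    bytes_consumed is 0 when the varint is truncated or longer than 10 bytes,
    mirroring tvb_get_varint()'s failure return."""
    result, shift = 0, 0
    for n in range(MAX_VARINT_LEN):
        if off + n >= len(buf):
            return 0, 0
        byte = buf[off + n]
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if zigzag:                       # Kafka uses zigzag-encoded signed varints
                result = (result >> 1) ^ -(result & 1)
            return result, n + 1
    return 0, 0


def decode_packed_varints(buf, zigzag=True):
    """Decode consecutive varints until the buffer is exhausted.

    The loop advances `off` by whatever the decoder consumed, so a 0 return
    would leave `off` unchanged forever. The guard stops dissection instead."""
    values, off = [], 0
    while off < len(buf):
        value, consumed = get_varint(buf, off, zigzag)
        if consumed == 0:
            raise ValueError("malformed varint at offset %d; stopping dissection" % off)
        off += consumed
        values.append(value)
    return values


def find_line_end(buf, off):
    """Mimic tvb_find_line_end() without reassembly: returns (line_length, next_offset).
    Past the end of the buffer it returns a zero-length line and does NOT move
    next_offset, which is the trap behind #17801."""
    if off >= len(buf):
        return 0, off
    nl = buf.find(b"\n", off)
    if nl < 0:                               # no terminator: the rest is the line
        return len(buf) - off, len(buf)
    end = nl
    if end > off and buf[end - 1] == 0x0D:   # strip a CR before the LF
        end -= 1
    return end - off, nl + 1


def split_lines(buf):
    """Split a text-protocol buffer into lines without ever looping in place."""
    lines, off = [], 0
    while off < len(buf):                    # the end-of-buffer check the looping dissector lacked
        line_len, next_off = find_line_end(buf, off)
        if next_off <= off:                  # belt and braces: never loop without progress
            raise ValueError("line scanner did not advance at offset %d" % off)
        lines.append(buf[off:off + line_len])
        off = next_off
    return lines


# Constructed samples, not from a capture.
SAMPLE_VARINTS = b"\x02\x04\x01"   # zigzag: 1, 2, -1
SAMPLE_TRUNCATED = b"\x02\x96"     # second varint has its continuation bit set but no next byte
SAMPLE_TEXT = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    print(decode_packed_varints(SAMPLE_VARINTS))
    print(split_lines(SAMPLE_TEXT))
    try:
        decode_packed_varints(SAMPLE_TRUNCATED)
    except ValueError as e:
        print("rejected:", e)
```

The same pattern applies to any TLV walker: compute the step, refuse a step of 0 (or a negative one), then advance. Checking only for negative values, as the pre-#17855 code did, leaves the zero case open.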
To complete the set of equality operators add an "all equal"
operator that matches a frame if all fields match the condition.
The symbol chosen for "all_eq" is "===".
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.