Bring some modernity to this dissector and use tcp_dissect_pdus. Also an excuse to
remove the conversation_set_dissector in the heuristic dissector which was generating
some false positives because the heuristic isn't that strong.
Bug: 12882
Change-Id: Ibb04fd4fbc819acd1dc96d6259b047c897ec2de6
Reviewed-on: https://code.wireshark.org/review/19125
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
If a TCP segment is small enough, dissectors that have a only a length
check determining if it's their packet or not before calling tcp_dissect_pdus
will throw out packets that are probably destined for them.
Change-Id: I78034307b56aa537943191a6887166577936a6a3
Reviewed-on: https://code.wireshark.org/review/21950
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add a simple dissection function for DCE/RPC that just calls tcp_dissect_pdus
and doesn't do any heuristics checks. This can be used to handle cases
where TCP PDU is too small for DCE/RPC heuristics checks and user
knows the data is DCE/RPC and can set it through Decode As.
Bug: 6392
Change-Id: I9e4960282ea64d20499f7d5a330f48f30a092b30
Reviewed-on: https://code.wireshark.org/review/21951
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
We were allocating it every time we called cap_pipe_dispatch() (or,
prior to I0256daae8478f1100fdde96a16a404465ec200b3, in
capture_loop_dispatch()) and freeing it before the routine in question
returned.
However, we were treating that buffer as if it persisted from call to
call, which worked *only* if freeing and re-allocating the buffer meant
that we'd get back the same buffer with its previous contents intact.
That is *not* guaranteed to work.
Instead, allocate the buffer when we open the capture pipe, and free it
when we close the capture pipe.
Change-Id: Ic785b1f47b71b55aba426db3b1e868186c265263
Reviewed-on: https://code.wireshark.org/review/21948
Reviewed-by: Guy Harris <guy@alum.mit.edu>
There's not much point in having a switch-case block with only a default
statement ;-)
Change-Id: Iaacd87bb2995783b98e5395b3654a1c8f32c473a
Reviewed-on: https://code.wireshark.org/review/21938
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Michael Mann <mmann78@netscape.net>
In this case, we can simply replace the exception with an expert info
and exit the loop.
Change-Id: I232e554af299140d7123b5e21d78372a35a7923b
Reviewed-on: https://code.wireshark.org/review/21936
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I0c4346386846c03a67b83bebfce6da6323379180
Reviewed-on: https://code.wireshark.org/review/21937
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The buffer is only used when reading from a pipe; no need to allocate it
when capturing from a pcap_t.
Doing it in cap_pipe_dispatch() makes it clearer when the buffer exists
and when it doesn't.
Change-Id: I0256daae8478f1100fdde96a16a404465ec200b3
Reviewed-on: https://code.wireshark.org/review/21930
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Current layer number needs to be unconditionally saved after v2.3.0rc0-3740-ge1f84f985e,
which increased the number of dissectors that use current layer number to
determine Decode As value.
Change-Id: Ib82370af94ea00613a337890369e228cffa1ed81
Reviewed-on: https://code.wireshark.org/review/21928
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add support for handling LoRaTap (https://github.com/eriknl/LoRaTap) DLT in
wiretap and add dissector for LoRaTap headers.
Exposes Syncword for subdissectors to dissect frame payload.
Change-Id: Ie4ba2189964376938f45eb3da93f2c3376042e85
Reviewed-on: https://code.wireshark.org/review/21915
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Either 1) it can be determined from the libwiretap encapsulation type,
in which case it's redundant information or 2) there *is* no pcap/pcapng
link-layer header type for that encapsulation type, in which case you
need to check for the attempt to determine it failing and handle that
failure appropriately.
Change-Id: Ie9557b513365c1fc8c6df74b9c8239e29aad46bc
Reviewed-on: https://code.wireshark.org/review/21924
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Just let libpcap pick the snapshot length; that way, for link-layer
types that need a really large snapshot length, such as D-Bus (which
requires 128MB for the largest messages), it can pick that, but can
otherwise pick something that doesn't require as much memory, e.g.
256KB.
For pcap_open_live() and pcap_open(), which don't have a way of saying
"give me what's appropriate", pick 256KB.
Change-Id: Idef5694f7dfa85eaf3a61d6ca7a17d263c417431
Reviewed-on: https://code.wireshark.org/review/21917
Reviewed-by: Guy Harris <guy@alum.mit.edu>
"Additional update parameters" info element is not dissect in Paging Response message. See TS 44.018 9.1.25
Change-Id: Ia3aec7809be9b5e8318bb7e04326bc85f77d34bd
Reviewed-on: https://code.wireshark.org/review/21914
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Change-Id: I98c5dad4dba4a8e5eaa450bef977ca7c0b979734
Reviewed-on: https://code.wireshark.org/review/21867
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
EVS value was incorrectly typed from the non-extended type space.
Now it should display as unknown.
Ping-Bug: 13745
Change-Id: I67cfa29d3edcd56e49c1f4eded117a26594f0a14
Reviewed-on: https://code.wireshark.org/review/21911
Reviewed-by: Michael Mann <mmann78@netscape.net>
and fix also some typo
Change-Id: I7892e715af56ebd1abb3fb36110200e2e992e9b1
Reviewed-on: https://code.wireshark.org/review/21901
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
items exported by nProbe.
Change-Id: I476c970d1abb7e1776da01bbdbf74e255387c917
Reviewed-on: https://code.wireshark.org/review/21825
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Implements all seven AEAD_CHACHA20_POLY1305 cipher suites from RFC 7905
(for TLS 1.2) and the final missing one for TLS 1.3 (draft -20).
New test captures (created using OpenSSL_1_1_0-pre6-2528-g042597b0a)
also serve as tests for TLS 1.3 decryption support.
Change-Id: Ice6d639c9c7b7bc23a6ff5fb4832d02694abd8c4
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/21902
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Add missing offset increment for Header IEs with length (missing from
https://code.wireshark.org/review/21472).
Add missing increment so that the overall header tree spans all elements.
Change-Id: I91515a0b6b5fca8bcc95ea9e2cbc791bddf0500d
Reviewed-on: https://code.wireshark.org/review/21890
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
This may not be the only Netgear protocol, so make a distinction.
Change-Id: I68f460f44ac9345863468cfb407cec205a392d54
Reviewed-on: https://code.wireshark.org/review/21900
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Charlie Lenahan <clenahan@sonicbison.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I93de7ffdbd3c43494bc6a5dd1f44f6f45d6b54f8
Reviewed-on: https://code.wireshark.org/review/21617
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
oss-fuzz invokes the dissector without IP layer, so we can't assume
the IP address to be available when dissecting POWERLINK/UDP packets.
Same goes for the "Exported PDU" functionality.
Bug: 13756
Change-Id: I038f0445ada3f764dcc72f7bce1d02cfa49791fb
Reviewed-on: https://code.wireshark.org/review/21894
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
When reviewing the code, the following issues were identified:
- otid/dtid on 3 bytes were not stored
- when receiving the first continue from dest, the TC_END hash entry was
created with the source tid / address instead of destination ones
- when receiving the first continue from src, the logic could prevent
the creation of the hash entry
Bug: 13739
Change-Id: If4ee70f0fa69f5ff74fdf75f3a741102baa0121a
Reviewed-on: https://code.wireshark.org/review/21780
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Store SslPacketInfo under the same key as used by p_get_proto_data and
pass this data to the Follow SSL tap.
Change-Id: If9b97d0e0e2a82562abe6cb9e61986744680066d
Fixes: v2.3.0rc0-3740-ge1f84f985e ("Fix Decode As for protocols that may use tunneling.")
Reviewed-on: https://code.wireshark.org/review/21893
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This property was introduced in Qt 5.1.
Change-Id: I3446886d65fbeaf011a69071b605b044e5205b60
Reviewed-on: https://code.wireshark.org/review/21895
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Unlike preferences, UATs are stored in their own files, so prefexing file
name with the protocol abbreviation makes sense to keep matters organized.
Change-Id: Ic7918f509e38da38cdb86ad70917923547f9c112
Reviewed-on: https://code.wireshark.org/review/21888
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
Just as we have OD_ENTRY_INITIALIZER, add SUBOBJECT_INITIALIZER, and use
it rather than memset().
Whether removing initializer warnings is a Good Thing is subject to
debate; remove a comment that implies it's been deemed a Good Thing.
Change-Id: Ife658d8bb1d4868789ca3b929aff6e4fccecb430
Reviewed-on: https://code.wireshark.org/review/21892
Reviewed-by: Guy Harris <guy@alum.mit.edu>
CANopen DS301 defines "Unicode_String" as "ARRAY [ length ] OF UNSIGNED16"
and states "For numerical data types the encoding is little endian style".
Change-Id: I146449d7eaafe58b337b505682b14cd672f8ad76
Reviewed-on: https://code.wireshark.org/review/21891
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
macOS Buildbot doesn't like {0} (probably because GNU C already provides {}
exactly for the purpose of initializing all members to zero/NULL/0.0.. etc)
Affected local type definitions now have a static intializer macro that uses
the correct amount of zeroes and braces (similar to PTHREAD_MUTEX_INITIALIZER)
Global type definitions have a memset to zero (Which isn't strictly correct,
but as the platforms we support all have all-bits-zero-nulls and IEEE 754
floats, it should be good enough. A separate change will attempt to disable
-Wmissing-field-initializers -Wmissing-braces globally and hopefully make
these workarounds unnecessary.
Change-Id: I30b0f679bbb8adb2dd7269c9f3bc19732e48212b
Reviewed-on: https://code.wireshark.org/review/21887
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Adding dissection RSL message that corresponds to patent EP2192796 owned by Huawei.
Change-Id: I9fe32370d9b1330f78ac96c1203b6fde3f7784cd
Reviewed-on: https://code.wireshark.org/review/21788
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I41249c832b96c8942b78b17983a493faf802f355
Reviewed-on: https://code.wireshark.org/review/21886
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Dissectors that rely on pinfo structure information may have the
data overwritten if the data is tunneled. Address it by using
proto data that is based on pinfo->curr_layer_num.
Bug: 13746
Change-Id: I1c29f26a3c49f368876f0e96908705bc9c099ce1
Reviewed-on: https://code.wireshark.org/review/21559
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I5262b3b1ac5a6f5bc6ac932eedbb889847131d9c
Reviewed-on: https://code.wireshark.org/review/21601
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Perform sanity check on channel count. Channel count must be greater than zero
to build energy measurements list from Energy List TLV [1]. Zero channel count
results in a division by zero in dissect_thread_mc. Do not process Energy List
TLV if zero.
[1]: OpenThread implementation -
https://github.com/openthread/openthread/blob/b89a9dfbc117a9c80e795700b67/include/openthread/commissioner.h#L158
Energy List TLV contains energy measurements. If no channels are present, no
energy measurements can exist.
Bug: 13747
Change-Id: I53a19dfbeae9ef0421c8c144ef3be4da28413ad3
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1979
Reviewed-on: https://code.wireshark.org/review/21878
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Cyclic PDOs are setup either by ObjectMappings in the asynchronous SDOs,
or by serialized ObjectMappings in device profile files.
We now keep track of ObjectMappings transmitted via SDOs or read from
XDC files and use those to correctly partition the PDO's payloads.
Additionally types and descriptions for Object Directory entries extracted
from the EDS and XDD profiles are used to select the correct Wireshark type
and a string representation for those partitoned PDOs. Other places where
indices and subindices are also enriched by this information.
EDS support leverages GKeyFile and is available unconditionally, XDD/XDC
parsing support depends on the availabilty of libxml2. A patch for
inclusion of the latter as optional dependency was submitted
as Change-Id: I13c0a2f408fb5c21bad7ab3d7971e0fa8ed7d783
Electronic Data Sheet (EDS) is the CANopen standard for device profiles,
POWERLINK being based on CANopen, is occasionly used with EDS profiles.
XML Device Description (XDD) is the Ethernet POWERLINK standard for
device profiles. XDC have the same structure but contain actualValues
fields which can contain default ObjectMappings.
XML Device Descriptions can be 25k+ lines with much duplication,
so wmem_iarray_t is leveraged for saving space as well as faster lookups.
A side-effect of now organizing the capture in conversations is that
POWERLINK over UDP packets are now assigned proper destination and source
node IDs, which are displayed in the column view. The Referenced bug where
packets where erronously flagged as duplicates because the address wasn't
considered is also fixed as a result.
Bug: 13604
Bug: 13749
Change-Id: Ic33ff0be8f2eae7c24fe5877ad9258d1e550c227
Reviewed-on: https://code.wireshark.org/review/21112
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Dissection method was receiving the RLC INFO struct as a paramter instead
of using p_get_proto_data like other channels' dissection methods.
Change-Id: Iaf44f71552526dcdf29b8a583b1d79012e2b24e3
Reviewed-on: https://code.wireshark.org/review/21874
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Michael Mann
Pau Espin