There are some new information elements and message types in the GSUP
protocol which are used for transport of non-call-SS and USSD between
MSC/VLR and HLR.
Change-Id: Idd3bb7ed8d4ba3f958cffcb29c6042c047646f70
Reviewed-on: https://code.wireshark.org/review/28301
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the reference libosmocore's implementation we have:
OSMO_GSUP_MSGT_PURGE_MS_REQUEST = 0b00001100, // 0x0c
OSMO_GSUP_MSGT_PURGE_MS_ERROR = 0b00001101, // 0x0d
OSMO_GSUP_MSGT_PURGE_MS_RESULT = 0b00001110, // 0x0e
while here we had:
OSMO_GSUP_MSGT_PURGE_MS_REQUEST = 0x0c,
OSMO_GSUP_MSGT_PURGE_MS_ERROR = 0x0e, // != 0x0d
OSMO_GSUP_MSGT_PURGE_MS_RESULT = 0x0f, // != 0x0e
Same problem with the 'OSMO_GSUP_MSGT_LOCATION_CANCEL_RESULT'.
Change-Id: Ie49fd2fca8298d97c21e03649935704309015324
Reviewed-on: https://code.wireshark.org/review/28297
Reviewed-by: Harald Welte <laforge@gnumonks.org>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
See https://tools.ietf.org/html/rfc7862#section-12.2.3
As far as I can tell these were zero-based even in the earliest protocol
drafts, so this was just a mistake in the original wireshark submission
that nobody caught because change_attr_type hasn't been widely
implemented.
While we're here, move the defines before the array for better
readability.
Change-Id: Ie721250748fe77098aee4e2cc502ae43fc497a2d
Reviewed-on: https://code.wireshark.org/review/28271
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Don't assume that the 3-digit code we got was followed by a blank, and
display the code followed by a blank followed by the parameters..
Instead, just put the raw text of the entire line into the Info column.
Bug: 14878
Change-Id: I1e081366bf859723158a36f10e86614fe52f124d
Reviewed-on: https://code.wireshark.org/review/28292
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Acccording to 3GPP TS 29.244
ch5.6.3 Modifying the Rules of an Existing PFCP Session
- updating the Rule including the IEs to be removed with a null length,
e.g. by including the Update URR IE in the PFCP Session Modification Request
with the IE(s) to be removed with a null length.
Change-Id: Ib8928edc24e72c25f6d608bee874c1d8603c8620
Reviewed-on: https://code.wireshark.org/review/28264
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Extract it into title_length before checking it, and then check the
value of title_length.
Change-Id: I7f2c334dbce5eeaa12cd5d8bb8e289852fd15c4f
Reviewed-on: https://code.wireshark.org/review/28282
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The number being compared against is the amount of data *remaining* in
the comment information, not the *size* of the comment information.
And it's unsigned, so format it with %u.
Change-Id: I5f02302ad4acbc3b27655ff5518e6e56d464020d
Reviewed-on: https://code.wireshark.org/review/28280
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix indentation, and note that the comment "description" (contents) are
RTF (as opposed to plain text).
Change-Id: I668a08c06e39a32318454d2ee73933083c5cb516
Reviewed-on: https://code.wireshark.org/review/28279
Reviewed-by: Guy Harris <guy@alum.mit.edu>
utf_16_to_utf_8() just ignores the extra octet.
Change-Id: I7bf003b674e5d9b0fb0265b0e8c6c142107084e3
Reviewed-on: https://code.wireshark.org/review/28277
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Pathnames are not limited to 260 characters in recent versions of
Windows; boost the limit to handle up to 32767 UTF-16 octet pairs worth
of path.
The pathname is in UTF-16-encoded Unicode; convert it to UTF-8 for our
internal use.
Bug: 14876
Change-Id: I4ef19fd47c7dbdd74dcaf31a7a80f432d57dbb0d
Reviewed-on: https://code.wireshark.org/review/28273
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The command tshark -G values gave the error:
** (process:26713): WARNING **: Extended value string 'nas_5gs_mm_message_type_vals' forced to fall back to linear search:
that caused regression tests to fail.
Fixes: v2.9.0rc0-947-g587b5a7.
Change-Id: I6c8b8c7e93838f407a363390ba2385603dc62338
Reviewed-on: https://code.wireshark.org/review/28270
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure that the filter for VoIP calls includes RTP streams when calling
Prepare filter.
Bug: 13440
Change-Id: Ia55073151817b88b3fa6a3fd30f98fdf683621a4
Reviewed-on: https://code.wireshark.org/review/27955
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In 3GPP TS 44.018 version 14.4.0 Release 14 both Immediate assigment
extended (9.1.19) and Immediate assignment reject (9.1.20) have Feature
Indicator (10.5.2.76) half octet right after the Page Mode (10.5.2.26)
The Feature Indicator is part of GSM_A_PDU_TYPE_RR and not
GSM_A_PDU_TYPE_COMMON so previously it was not decoded correctly in the
Immediate assigment extended
Change-Id: I117d1ee42d43d01d77da67eea506c28ca0ae3056
Reviewed-on: https://code.wireshark.org/review/28263
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For the 'Infinite value', tree header is now
"Graceful Release Period: Infinite (<val>)"
instead of
"Graceful Release Period: <val> Infinite"
Change-Id: I130e997ffbb3503078e1364fd64c11ead28111b1
Reviewed-on: https://code.wireshark.org/review/28262
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
With HTTP2 heuristics to identify the conversation, a packet can be
skipped on first pass and then decoded as HTTP2 on subsequent ones.
Check that header data is available before attempting header
decompression.
Bug: 14869
Change-Id: I8ef7669ca33835b509acb38d797e33d6167a1bd1
Reviewed-on: https://code.wireshark.org/review/28257
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
dissect_cpf was huge and too hard to read and update.
This change pulls out item parsing into individual functions to make
it easier to read, help troubleshoot a bug related to ENIP TLS
connection filtering (Still investigating), and prep for future features.
There are no functional changes.
Main changes:
1. Pulled out the following code into separate functions:
dissect_item_list_identity
dissect_item_cip_security_information
dissect_item_list_services_response
dissect_item_sockaddr_info
dissect_item_sequenced_address
dissect_item_connected_address
dissect_item_unconnected_message_over_udp
dissect_generic_io
dissect_cip_class01_io
2. More documentation. It was a little hard to follow before.
3. Corrected offset inside the while loop in dissect_cpf(). Previously,
offset pointed to 2 bytes *before* the item actually being processed.
Change-Id: I47894fd5c50b4c3d07f916f81e1b21f8890c8396
Reviewed-on: https://code.wireshark.org/review/28205
Reviewed-by: Dylan Ulis <daulis0@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
AT-commands:
+XAPL
+IPHONEACCEV
+APLSIRI
+APLEFM
Add UUID128:
Apple Notification Center Service
Based on: https://developer.apple.com/hardwaredrivers/BluetoothDesignGuidelines.pdf
While adding new UUID remove also tabs from packet-bluetooth.
Change-Id: Ic29b028338a21464fe018f8145ade82297ccd146
Reviewed-on: https://code.wireshark.org/review/28222
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(In retrospect, signed offsets probably were the wrong choice; we
rarely, if ever, use them to signify offsets from the end of the packet.
Let's not do so any more in the future.)
Change-Id: I7ace539be8bf927e21148c34b71e9c2b7535581e
Reviewed-on: https://code.wireshark.org/review/28245
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do more checks to make sure we don't run past the end of the data we're
handed, and don't do a DISSECTOR_ASSERT(), as there may well be packets
that don't have enough data to pass the assertion - that was causing
some errors to show up in the 2.6 buildbot when doing 802.11 decryption
tests. Those errors should instead be reported as "sorry, we can't do
decryption" errors by the decryption code.
(XXX - the 802.11 *dissector* should probably be extracting the relevant
fields and doing the relevant checks, and hand the data to the
decryption code, so that we don't duplicate 802.11 frame parsing with
code that might not do as much necessary work as the 802.11 dissector.)
Tweak some comments while we're at it.
Change-Id: I1d230e07cec2fca8c23f265b5875a0bf83f79432
Reviewed-on: https://code.wireshark.org/review/28240
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Wiretap imposes an arbitrary limit on the maximum packet size, to
prevent it from trying to allocate a huge packet buffer and possibly
running out of address space on ILP32 platforms or just eating too much
backing store on LP64/LLP64 platforms. Don't write packets with a
length greater than that limit.
Bug: 14107
Change-Id: Iba4fe3b008b044215647ba3f838ae7b3ac66c585
Reviewed-on: https://code.wireshark.org/review/28232
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't treat the count+blob as itself a blob of bytes; use FT_NONE.
Create it with an unknown length (-1, meaning "to end of packet, for
now"), and set its length once we've finished dissecting it. Dissect
the raw bytes of a prefixed-bytes item regardless of whether we're
building a protocol tree or not.
This means we do a better job of handling a too-large length; instead of
overflowing the offset, we throw an exception and stop dissecting, so we
don't run the risk of looping infinitely.
Bug: 14841
Change-Id: I593be9b6ba9aa15d8529f96458e53b85ace6402a
Reviewed-on: https://code.wireshark.org/review/28228
Reviewed-by: Guy Harris <guy@alum.mit.edu>
According to TS 29.212 v14.7.0
8.108 Presence Reporting Area Action
8.109 Presence Reporting Area Information
Change-Id: I4b73fb4cd47468aa4cf90ef9a7bee3e17f9b9485
Reviewed-on: https://code.wireshark.org/review/28219
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
According to 3GPP TS 29.212 v14.7.0
Change-Id: Ia1020e5ea04280f6435a4fb737368f6e6b2111df
Reviewed-on: https://code.wireshark.org/review/28216
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Used tcp_dissect_pdus API to reassemble FE TCP packets.
Change-Id: I82bb270bacbd3f5790c015c5a876981417e271fa
Signed-off-by: Adam Goldman <adam.goldman@intel.com>
Reviewed-on: https://code.wireshark.org/review/28203
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Indicate what you're supposed to do when running dpkg-reconfigure
wireshark-common, and indicate that you have to run it as root using
sudo.
Emphasize in README.Debian, and indicate in the permission failure
secondary message, that you have to add users to the "wireshark" group
after doing that, and that a user may have to log out and log in again
to make this change take effect.
Bug: 14847
Change-Id: Ia83ff8e92bd2f00b6c3779272322a40201416da0
Reviewed-on: https://code.wireshark.org/review/28206
Reviewed-by: Guy Harris <guy@alum.mit.edu>