The issue was spotted because the bit used by Wireshark in this field
didn't make sense, as the same bit was being used by the MS Power field.
According to spec "3GPP TS 44.004" section "7.2 SACCH uplink block format",
the field is located in bit 6 of the 1st octet.
Change-Id: Ia4390b79d9d2b3966c4ca69eda0bf1ae10be7398
Reviewed-on: https://code.wireshark.org/review/29893
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

current_stream_id is only defined when built with HAVE_NGHTTP2. One
option is to create the session with stream ID unconditionally. As the
subdissector (DoH) is chosen based on the Content-Type header and
parsing of such headers is only possible with nghttp2, don't bother.
Change-Id: Iefee65210974bf5b8b75c6870a0476567b6830e5
Fixes: v2.9.0rc0-2007-gcc69e09981 ("HTTP2: allow subdissectors to query the Stream ID")
Reviewed-on: https://code.wireshark.org/review/29896
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

../sharkd_session.c: In function ‘json_puts_string’:
../sharkd_session.c:125:20: warning: array subscript has type ‘char’ [-Wchar-subscripts]
fputs(json_cntrl[str[i]], stdout);
Change-Id: I03a07b8cb42692f636491fad9b15ac71ac0c03f4
Reviewed-on: https://code.wireshark.org/review/29883
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

It should fix warning reported by Stig:
[...]/wireshark/sharkd_session.c:125:20: warning: array subscript is of type 'char' [-Wchar-subscripts]
fputs(json_cntrl[str[i]], stdout);
^~~~~~~
Change-Id: I9352174223644394ba2bf76f10ff3bf6b6abcad5
Reviewed-on: https://code.wireshark.org/review/29877
Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Add enough AVPs to get the Diameter XML validating again.
Also some whitespace and indentation cleanup.
Change-Id: Ibebfc8832d50f6347e371ca4b8c5b81548e061a8
Reviewed-on: https://code.wireshark.org/review/29898
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Obsoleting the gtk packages allows a clean upgrade to the Qt version (without
requiring the user to manually remove those packages).
Set the install prefix based on what the user set when running cmake (like
we did with autotools).
Change-Id: Ica283f40bc002951af4ff1f9d719295c0a598c3b
Reviewed-on: https://code.wireshark.org/review/29892
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Continue dissecting if we find an empty line. Add an entry for the
_SYSTEMD_USER_SLICE field.
Change-Id: Id6e970b785e359095fbd8101e071f2d8cabcaf53
Reviewed-on: https://code.wireshark.org/review/29897
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>

We shouldn't set any rec_header.syscall_header fields in
pcapng_read_systemd_journal_export_block.
Change-Id: I920accdbcdcdbf6d71324c8d9d6d562511f6a9d1
Reviewed-on: https://code.wireshark.org/review/29895
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>

Handle DoH messages specially, use the HTTP/2 Stream ID for matching
requests with responses. Fixes misleading "retransmission" expert infos
and properly link (successive) requests with (out-of-order) responses.
Change the "Protocol" column to "DoH" while at it.
Change-Id: I42b22c5c8560ee029051dcb3561e188572a4245f
Ping-Bug: 14433
Reviewed-on: https://code.wireshark.org/review/29889
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>

The last version of Wireshark cannot decode DynamicFramePacking
subframes. Changes are implemented to decode subframes.
Change-Id: Ifba011418a5211d9599c48d37597a16733dfafa8
Reviewed-on: https://code.wireshark.org/review/29882
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Add the new elements introduced for OWE:
- OWE DH Parameter in the association request/response as specified in RFC 8110
- OWE Transition Mode element as specified in "Opportunistic Wireless Encryption Specification version 1.0" by the WiFi Alliance
Bug: 15146
Change-Id: I9b6c6de459899ce28c909bf79bdde431e50679c9
Reviewed-on: https://code.wireshark.org/review/29850
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

In case the TLS key log file is provided by means other than a file,
split the file reading part from the contents processing part. Adjust
the line handling logic to allow immutable strings. Stick to fgets to
avoid partial lines in case the read buffer is full.
Rename some SSL -> TLS while at it.
Change-Id: I28da96834833e6096074ce122a6ebc3484655d9f
Reviewed-on: https://code.wireshark.org/review/29890
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

This will be used by the DNS dissector to distinguish different
request/response pairs over the same connection (for DoH).
Change-Id: I53721904b007847861807faa1a2137e696639428
Reviewed-on: https://code.wireshark.org/review/29888
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

This is required for the latest version. The message type "dns/message"
was briefly used in draft -06, but it was changed in the next version.
Change-Id: If26e367b71b7e270cad2f61eaee76041f530273c
Ping-Bug: 14433
Reviewed-on: https://code.wireshark.org/review/29887
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Development-related files (header files, cmake files, the pkg-config file)
don't belong in the base RPM. This moves those ~600 files (~4 MiB) to a
separate RPM for those who may want them.
Also clean up a few other things in the SPEC file while here to make things
more readable and consistent.
Change-Id: I89f93a8696c54b9117595f1da9f856c080853dce
Reviewed-on: https://code.wireshark.org/review/29814
Reviewed-by: Anders Broman <a.broman58@gmail.com>

When (1) a frame has multiple TLS application data records and (2) two
of them request reassembly of a new PDU, then the second fragment would
be considered conflicting with the first one since the PDUs (MSPs) are
identified by the frame number of the starting frame.
This behavior was observed in a firefox-http2-frag.pcap
(attachment 16616) which uses tcp_dissect_pdus to trigger reassembly:

    Frame 19: 8694 bytes on wire (69552 bits), 8694 bytes captured (69552 bits)
    ...
    Transport Layer Security (8640 bytes)
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (1369 bytes)   <-- 7/7 last segment of previous PDU
            SSL segment data (1203 bytes)   <-- 1/5 first segment of new PDU
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (1369 bytes)   <-- 2/5
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (1369 bytes)   <-- 3/5
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (1369 bytes)   <-- 4/5
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (976 bytes)    <-- 5/5
        TLSv1.3 Record Layer: Application Data Protocol: http2
            SSL segment data (1369 bytes)   <-- 1/? first segment of another PDU
    [5 Reassembled TLS segments (6286 bytes): #19(1203), #19(1369), #19(1369), #19(1369), #19(976)]
    [7 Reassembled TLS segments (8201 bytes): #17(1190), #17(1369), #17(1369), #18(1369), #18(1369), #18(1369), #19(166)]
    HyperText Transfer Protocol 2 (8201 bytes, reassembled PDU)
        Stream: DATA, Stream ID: 17, Length 8192 (partial entity body)
        ...
        (7/7 finishes previous reassembly, see "7 Reassembled TLS segments")
    HyperText Transfer Protocol 2 (1203 bytes, start of new PDU)
    HyperText Transfer Protocol 2 (6286 bytes, reassembled PDU)
        Stream: DATA, Stream ID: 17, Length 6277 (partial entity body)
        ...
        (all fragments are in this frame, see "5 Reassembled TLS segments")
    HyperText Transfer Protocol 2 (1369 bytes, start of another PDU)
    [Reassembly error, protocol SSL: Frame already added in first pass]

TLS records for fragments 1/5 and 1/? both start a new PDU and would
thus invoke fragment_add with the same identifier. That results in the
Reassembly error which breaks further decryption. Reduce the probability
of this issue by mixing in the TLS stream position of the fragment.
Bug: 11173
Change-Id: I5536f3010b156555f1d7ae6dc98e08c030c8f771
Reviewed-on: https://code.wireshark.org/review/29871
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
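
A toy model of the identifier collision described in the commit message above, added here as an illustration; it is not Wireshark's reassembly code. The table, the function names and the XOR mixing are assumptions, and the start offsets 166 and 6452 are derived from the segment sizes quoted in the message, counted from the start of frame 19's TLS data.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy first-pass table: one entry per PDU whose reassembly has started. */
struct pdu { uint32_t id; uint32_t start_pos; };
static struct pdu pdus[8];
static int n_pdus;

/* Identifier taken from the starting frame number only. */
uint32_t id_by_frame(uint32_t frame, uint32_t stream_pos) { (void)stream_pos; return frame; }

/* Assumed mixing: fold the low 16 bits of the stream position into the id. */
uint32_t id_mixed(uint32_t frame, uint32_t stream_pos) { return frame ^ (stream_pos << 16); }

/* Start a PDU; -1 if the id already belongs to a PDU that starts elsewhere. */
int start_pdu(uint32_t id, uint32_t start_pos)
{
    for (int i = 0; i < n_pdus; i++)
        if (pdus[i].id == id && pdus[i].start_pos != start_pos)
            return -1;
    if (n_pdus == (int)(sizeof pdus / sizeof pdus[0]))
        return -1;
    pdus[n_pdus].id = id;
    pdus[n_pdus].start_pos = start_pos;
    n_pdus++;
    return 0;
}

/* Number of PDU starts within one frame that are rejected as conflicting. */
int conflicts(uint32_t (*make_id)(uint32_t, uint32_t), uint32_t frame,
              const uint32_t *starts, int n)
{
    int rejected = 0;
    n_pdus = 0;
    for (int i = 0; i < n; i++)
        if (start_pdu(make_id(frame, starts[i]), starts[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed offsets of the two PDUs that start in frame 19 (166, 166 + 6286). */
static const uint32_t frame19_starts[2] = { 166, 6452 };

int main(void)
{
    printf("frame only: %d rejected\n", conflicts(id_by_frame, 19, frame19_starts, 2));
    printf("mixed id:   %d rejected\n", conflicts(id_mixed, 19, frame19_starts, 2));
    return 0;
}
```

With the mixing assumed here, two starts in the same frame whose positions differ by a multiple of 65536 still share an id, which is why such a change can only reduce the probability of a collision.
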
proto_tree_add_item with a zero length argument could end up calling
tvb_get_ptr to retrieve the (empty) backing buffer. This empty tvb was
possibly the result of bad reassembly, but let's gracefully handle it to
avoid a dissector exception.
Call trace for the original exception (only present on the first pass):

    proto_report_dissector_bug (format=0x7ffffffecea0 "") at epan/proto.c:1368
    ensure_contiguous_no_exception (tvb=0x6060001a5460, offset=0, length=0, pexception=0x7ffffffed060) at epan/tvbuff.c:775
    ensure_contiguous (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:785
    tvb_get_ptr (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:906
    subset_get_ptr (tvb=0x607000194b90, abs_offset=0, abs_length=0) at epan/tvbuff_subset.c:58
    ensure_contiguous_no_exception (tvb=0x607000194b90, offset=0, length=0, pexception=0x7ffffffed3c0) at epan/tvbuff.c:773
    ensure_contiguous (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:785
    tvb_get_ptr (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:906
    proto_tree_set_bytes_tvb (fi=0x608000535ca0, tvb=0x607000194b90, offset=0, length=0) at epan/proto.c:3862
    proto_tree_new_item (new_fi=0x608000535ca0, tree=0x604000543150, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:2318
    proto_tree_add_item_new (tree=0x604000543150, hfinfo=0x7ffff30e91f8, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3381
    proto_tree_add_item (tree=0x604000543150, hfindex=65120, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3391
    dissect_body_data (tree=0x604000543150, pinfo=0x614000000a58, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/dissectors/packet-http2.c:1974

Change-Id: Icfae83d61ddcc9e26f16eab7f6e0e84e2f0d73ac
Reviewed-on: https://code.wireshark.org/review/29851
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Treat systemd journal entries as filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>

The frame.protocols list does not contain "ssl" and thus the expert info
"Unencrypted HTTP protocol detected over encrypted port, could indicate
a dangerous misconfiguration" was shown even for the normal HTTPS port.
This also renames the http.ssl_port to http.tls_port with no backwards
compatibility, hopefully that is reasonable.
Change-Id: I5c8481693ff63dc0a19b4dc1de431680bdda3244
Reviewed-on: https://code.wireshark.org/review/29828
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>

In the long run, we'd like to remove the time stamp from the frame_data
structure, as, in Wireshark, and in TShark in two-pass mode, there's one
allocated for every frame in the file, and shrinking the size of that
structure reduces the memory usage.
This removes one obstacle to that.
Change-Id: Ia8f87522cd974555c57e0ac1e742b097e8b0f2fc
Reviewed-on: https://code.wireshark.org/review/29881
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Either pcap_process_pseudo_header() returns -1, in which case we fail,
or it returns the exact same value as pcap_get_phdr_size(). If we don't
fail, don't bother to check whether the values are the same.
Change-Id: I18191cc3de2a1c2144ca9b508ed17b2f593fc835
Reviewed-on: https://code.wireshark.org/review/29879
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Keeping them together might increase the likelihood that all of them get
updated when a new pcap/pcapng link-layer type whose pseudo-header is
first processed here rather than by a dissector is added.
Change-Id: Ia6f45c38e9530b7c6a53d006fbc01b3040e9a014
Reviewed-on: https://code.wireshark.org/review/29868
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Sort the cases to match the order in other routines.
That turned up a missing case for WTAP_ENCAP_NFC_LLCP, so add it.
Change-Id: I500731322ae93c6d2efc368f16cf468f589910f3
Reviewed-on: https://code.wireshark.org/review/29858
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Fix JSON generation:
- add lookup table to encode all required control characters (0x00 - 0x1F),
- don't output comma just after opening object in iograph.
Change-Id: Ib53af9c37f4d7785cafc5f9a8d0e71b214c7f349
Reviewed-on: https://code.wireshark.org/review/29852
Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
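
The JSON generation fix just above and the two -Wchar-subscripts fixes earlier on this page concern the same lookup; as an added illustration (not sharkd's code), here is a JSON string escaper that uses a 0x00 - 0x1F table and converts each byte to unsigned char before indexing it. The buffer-based interface and the names json_escape and index_if_char_is_signed are assumptions; json_cntrl is the table name quoted in the warning text.

```c
#include <stdio.h>
#include <string.h>
/* Escape names for U+0000..U+001F; RFC 8259 requires all of them escaped. */
static const char *const json_cntrl[0x20] = {
    "u0000", "u0001", "u0002", "u0003", "u0004", "u0005", "u0006", "u0007",
    "b",     "t",     "n",     "u000b", "f",     "r",     "u000e", "u000f",
    "u0010", "u0011", "u0012", "u0013", "u0014", "u0015", "u0016", "u0017",
    "u0018", "u0019", "u001a", "u001b", "u001c", "u001d", "u001e", "u001f"
};

/* Index that json_cntrl[str[i]] would use where plain char is signed. */
int index_if_char_is_signed(unsigned char byte)
{
    return (signed char)byte;
}

/* Write the JSON-escaped form of src into dst. Returns the length written
 * (without the NUL), or -1 if dst is too small. */
int json_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        /* Convert first: a signed byte >= 0x80 is negative, so it would pass
         * a "< 0x20" test and index memory before the table. */
        unsigned char c = (unsigned char)src[i];
        char raw[2] = { (char)c, '\0' };
        const char *text = (c < 0x20) ? json_cntrl[c] : raw;
        int escape = (c < 0x20 || c == '"' || c == '\\');
        size_t len = strlen(text);
        if (o + escape + len + 1 > dstlen)
            return -1;
        if (escape)
            dst[o++] = '\\';
        memcpy(dst + o, text, len);
        o += len;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    char out[64];   /* constructed sample: quote, backslash, LF, 0x01, UTF-8 bytes */
    if (json_escape("a\"b\\c\n\x01\xc3\xa9", out, sizeof out) > 0)
        printf("\"%s\"\n", out);
    return 0;
}
```
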
Have pcap_read_erf_pseudoheader() do all the work of reading an ERF
pseudo-header.
Add pcap_write_erf_pseudoheader() as a routine to do all the work of
writing an ERF pseudo-header.
Change-Id: If53ae50fcee35a45113ca0f0c64f69848e044cbd
Reviewed-on: https://code.wireshark.org/review/29847
Reviewed-by: Guy Harris <guy@alum.mit.edu>

It is the first release to start to follow IETF QUIC (draft-12).
Also update the heuristic to detect Q044.
Bug: 15131
Change-Id: Ieec7d75a2a0a7ab1ddacfb88d86cb9856cd67164
Reviewed-on: https://code.wireshark.org/review/29572
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

RFC 6887 states that options have to be padded to a multiple
of 4 octets. This commit adds missing padding.
Bug: 14950
Change-Id: I68a0631ecdd2f30e24e83b1a6e8dfc55856c9c94
Reviewed-on: https://code.wireshark.org/review/29832
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Put the cases in pcap_write_phdr() into the same order as the cases in
pcap_process_pseudo_header().
Doing so revealed that there wasn't a case for WTAP_ENCAP_NFC_LLCP in
pcap_write_phdr(), so NFC LLCP captures wouldn't be saved correctly.
Add pcap_write_llcp_pseudoheader() and use it.
Change-Id: I2728a96e63d2e0606ae0bb480f97fe124ab48d17
Reviewed-on: https://code.wireshark.org/review/29841
Reviewed-by: Guy Harris <guy@alum.mit.edu>