Corretly decode MNC if it consists of 3 digits
Change to what is called big endinan MNC
8 7 6 5 4 3 2 1
+---+---+---+---+---+---+---+---+
| MCC digit 2 | MCC digit 1 | octet x
+---------------+---------------+
| Filler | MCC digit 3 | octet x+1
+---------------+---------------+
| MNC digit 2 | MNC digit 1 | octet x+2
+---------------+---------------+
MNC of length 3:
8 7 6 5 4 3 2 1
+---+---+---+---+---+---+---+---+
| MCC digit 2 | MCC digit 1 | octet x
+---------------+---------------+
| MNC digit 1 | MCC digit 3 | octet x+1
+---------------+---------------+
| MNC digit 3 | MNC digit 2 | octet x+2
+---------------+---------------+
From 3GPP TS 29.171
7.4.27 PLMN Identity
- digits 0 to 9, encoded 0000 to 1001,
- 1111 used as filler digit, two digits per octet,
- bits 4 to 1 of octet n encoding digit 2n-1
- bits 8 to 5 of octet n encoding digit 2n
The Selected PLMN identity consists of 3 digits from MCC followed by either
- a filler digit plus 2 digits from MNC (in case of 2 digit MNC) or
- 3 digits from MNC (in case of a 3 digit MNC).
(cherry picked from commit 156f9e81fc)
Don't try to dissect bytes as string and show its value item if the
bytes field has a subdissector. And add field subdissector under field
item instead of value item.
close#16956
(cherry picked from commit 1c5d577d63)
Creating protocols with unknown length must be created to the end of the TVB
first and reined back using proto_set_len() once the length becomes known.
Not doing so can make indentification of problems harder and prevents analysis
engines like MATE from properly processing the generated protocol trees.
With this change the remaining offending dissectors are corrected for this.
Closes#16961
(cherry picked from commit 918db88055)
Systemd journal entries aren't file-type-specific; they're found in both
systemd journal entry blocks in pcapng files and in systemd journal
export files. Give it a record type, for use with both file types.
This fixes#16955.
It also means that you can open a systemd journal export file and save
it as a pcapng file.
(cherry picked from commit 889e0d5cb6)
The AT response may not contain a leading \r\n, so avoid checking
for this to determine if it's a response. This characters will be
removed as a part of white space removal anyway.
(cherry picked from commit 5413331ed3)
According to [MS-FSCC] if the file has the REPARSE_TAG attribute, the
EaSize field must be interpreted as a reparse tag for the following
info levels:
* FileFullDirectoryInfo
* FileBothDirectoryInfo
* FileIdFullDirectoryInfo
* FileIdBothDirectoryInfo
From tools/check_typed_item_calls.py output:
epan/dissectors/packet-bssgp.c:655 proto_tree_add_item called for hf_bssgp_bss_area_ind - item type is FT_UINT8 but call has len 2
epan/dissectors/packet-bssgp.c:1468 proto_tree_add_item called for hf_bssgp_unit_val - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:1469 proto_tree_add_item called for hf_bssgp_gprs_timer - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:2606 proto_tree_add_item called for hf_bssgp_unit_val - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:2607 proto_tree_add_item called for hf_bssgp_gprs_timer - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:2635 proto_tree_add_item called for hf_bssgp_unit_val - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:2636 proto_tree_add_item called for hf_bssgp_gprs_timer - item type is FT_UINT8 but call has len 3
epan/dissectors/packet-bssgp.c:3276 proto_tree_add_item called for hf_bssgp_cell_acc_mode - item type is FT_UINT8 but call has len 4
Add support internally to using iconv (always present with glib) to convert
strings from various encodings to UTF-8 (using REPLACEMENT CHARACTER as
recommended), and use that to support GB 18030 and EUC-KR. Replace call
directly to iconv in ANSI 637 for EUC-KR to new API. Update comments
and documentation around character encodings. It is possible to replace
the calls to iconv with an internal decoder later. Tested on Linux and
on Windows (including with illegal characters). Closes#16630.
For WPA security association (SA) entries are created on sucessful
PTK derivation from 4-way handshake frames. WEP though don't use
4-way handshake frames for key derivation and therefore no SA entry
is created. Still WEP decryption implementaton expects to find
an SA otherwise the decryption is skipped.
Fix broken WEP decryption by removing the check for an existing SA
entry and instead form the SA on first successful decryption.
Add also a test for WEP decryption.
Fixes: v3.3.0rc0-1263-g099d241046 ("dot11decrypt: Avoid allocating SA on packet decryption")
The SOCKS dissector temporarily changes the pinfo values for destport
or srcport, so it should get the tcp_conversation_data after doing so
before recursively calling the TCP dissector again. Otherwise the TCP
dissector will be confused about whether a TCP multisegment PDU is in
progress or not, causing failure to lookup and store fragments correctly,
including both failed desegmentation and failed asserts (when it expects
an entry in the table which isn't there, as it was stored under a different
port number.) Fixes#16646.
In captures where a lot of packets are missing, requests and ACKs are
sometimes incorrectly paired. With this improvement, ACKs must arrive in
a reasonable time to be paired with a request.
A previous change initialized the k_connection_handle, so we don't
compare random data with remote_bdaddr->chandle, but perhaps we
shouldn't compare it at all if we didn't find a handle pair.
MSVC doesn't, by default, define __STDC_VERSION__, which means that the
code generated by newer versions of winflexbison3's Bison end up
defining YYPTRDIFF_T as long, which is wrong on 64-bit Windows, as
that's an LLP64 platform, not an LP64 platform, and causes warnings to
be generated. Those warnings turn into errors.
With MSVC, if __STDC_VERSION__ isn't defined, Forcibly include
<stdint.h> here to work around that.
Fixes#16924.
Bison 3.4 and later generate deprecation warnings for the "%pure-parser"
directive. As https://git.savannah.gnu.org/cgit/bison.git/tree/NEWS says,
----
** Deprecated features
The %pure-parser directive is deprecated in favor of '%define api.pure'
since Bison 2.3b (2008-05-27), but no warning was issued; there is one
now. Note that since Bison 2.7 you are strongly encouraged to use
'%define api.pure full' instead of '%define api.pure'.
----
Rename our .y files to .y.in, and modify FindYACC.cmake to detect newer
versions of Bison and configure our .y files with "%pure-parser" or
"%define api.pure" as needed. Squelches warnings from Bison in #16924.
The google.protobuf.Timestamp is a standard protobuf message type and
consists of seconds and nanos fields. We dissect protobuf field in
google.protobuf.Timestamp type as wireshark FT_ABSOLUTE_TIME field.
And add tvb_get_protobuf_field_uint() to make it easy to get a
Protobuf field of varint type from the tvb.
close#16927
The function to dissect CSuite Sel returns offset not number of
dissected bytes so calling function must assign new offset rather
than incrementing. For consistency also update the CSuite List
function to return offset.
Fix issues found by running ./tools/check_typed_item_calls.py
epan/dissectors/packet-eap.c:1475 proto_tree_add_item called for hf_eap_gpsk_failure_code - item type is FT_UINT16 but call has len 4
epan/dissectors/packet-eap.c:1479 proto_tree_add_item called for hf_eap_gpsk_failure_code - item type is FT_UINT16 but call has len 4
Speed functions to print hex bytes, escape XML strings and
print out indents by avoiding specifier calls, and building
larger strings before calling fputs().
Someone mentioned this in the sharkfest chat yesterday.
Also, Ostinato relies upon this when importing from pcap.
An example capture I have has gone from 18 to 11 seconds.
As noted in bug #16386, glib's `g_base64_decode_inplace()` aborts
decoding of base64 strings that aren't padded. This addresses that by
adding padding "=" characters if needed to the buffer which will be
decoded.
I added the test case from the bug report to the test suite, though the
location therein may not be ideal.
Closes#16386
Found by running ./tools/check_typed_item_calls.py
epan/dissectors/packet-ieee80211.c:14209 proto_tree_add_item called for hf_ieee80211_osen_akm_count - item type is FT_UINT8 but call has len 2
epan/dissectors/packet-ieee80211.c:20025 proto_tree_add_item called for hf_ieee80211_tclas_ether_type - item type is FT_UINT8 but call has len 2
Fix issues found by running ./tools/check_typed_item_calls.py
epan/dissectors/packet-gtp.c:4414 proto_tree_add_item called for hf_gtp_sel_mode - item type is FT_UINT8 but call has len 2
epan/dissectors/packet-gtp.c:6807 proto_tree_add_item called for hf_gtp_rai_rac - item type is FT_UINT8 but call has len 2
epan/dissectors/packet-gtp.c:7600 proto_tree_add_item called for hf_gtp_bssgp_cause - item type is FT_UINT8 but call has len 2
epan/dissectors/packet-gtpv2.c:3607 proto_tree_add_item called for hf_gtpv2_trace_id - item type is FT_UINT16 but call has len 3
epan/dissectors/packet-gtpv2.c:5049 proto_tree_add_item called for hf_gtpv2_trace_id - item type is FT_UINT16 but call has len 3
Make display_signed_time() take a 64-bit signed number of seconds, and,
in calls to it, cast the argument to gint64, not gint32.
Addresses issue #16909.
This unfortunately includes the name of the filter element but "sack" in TCP
should not mean "a packet with syn+ack set" to most networking people nowadays.
Added a dissector to reassemble IPP Over USB packets and pass them to
the HTTP dissector. Added a display filter so IPPUSB packets can be
filtered. Dissector checks to ensure semgent is IPPUSB and supports
reassembly of send-documents and print-job documents. It also supports
the reassembly and dissection of packets that are truncted or
incomplete.
Change-Id: Icc9525592c07b00baaac887a70bc9e7568273016
This commit introduces usbll states. These states
represent the transaction upto the current packet.
Uses of introducing usbll states:
1. Avoid condition checks upto last three packets.
2. Identify invalid PID sequences.
3. Identify correct transactions. This will help in
the USB 2.0 reassembly.
Ping-bug: 15908
Signed-off-by: Ameya Deshpande <ameyanrd@outlook.com>
Implement the Unicode Standard "best practices" for replacing ill-formed
sequences with the Unicode REPLACEMENT CHARACTER. Add wmem_strbuf_append_len
for appending strings with embedded null characters. Clarify why
wmem_strbuf_grow() doesn't always ensure that there's enough room for
a new string, and short-circuit some tests there. Related to #14948
- Rename some elements to their current RFC names
- Add an expert item for msg_len field
- Create an attribute for 8006 as unknown to avoid triggering the expert item for unknown attributes