Generate a dissector based on doc/packet-PROTOABBREV.c.
Change-Id: I9233c1212acb30f7166ba91e39d98bc3fb123731
Reviewed-on: https://code.wireshark.org/review/35062
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Show the custom column field name in the column context menu to
improve usability when showing/hiding columns. The column title alone
may not be sufficient to separate different columns.
Change-Id: I52f249433b8090249af87725fa97eba302692918
Reviewed-on: https://code.wireshark.org/review/35088
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Don't indicate "Align Left" when the column has default alignment,
because that may be wrong. Add back support for turning off custom
column alignment.
This is a regression from ge39f2bb5.
Change-Id: Ib9dc24067b02a44ffb2f3cd387f1c1c2a5c780ab
Reviewed-on: https://code.wireshark.org/review/35087
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
The APS counter is only 8-bit, which causes trouble for the
reassembly of fragments because packet counters are reused.
With this change the counter is extended to 32-bit to avoid
packet counter clashes.
Inspiration is taken from the RTP dissector.
Bug: 15021
Change-Id: Ibc61f40dd12b7a1bfd69b24ed5200d31229b69cb
Reviewed-on: https://code.wireshark.org/review/35072
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
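The counter-extension idea from the APS commit above, as an added Python example that is not Wireshark's ZigBee APS dissector code: an 8-bit counter is mapped to a 32-bit one per sender, in the spirit of the RTP dissector's extended sequence numbers, so that fragments of message N and message N+256 no longer share a reassembly key. The wrap/late-packet heuristic, the key layout and the traffic in `demo_collisions` are my assumptions, constructed for the example.

```python
# Added example, not Wireshark's ZigBee APS dissector: map an 8-bit APS counter
# to a 32-bit one so fragments of different messages never share a reassembly key,
# following the extended-sequence-number idea of the RTP dissector (RFC 3550 A.1).
COUNTER_BITS = 8
MODULUS = 1 << COUNTER_BITS
HALF = MODULUS // 2


class CounterExtender:
    """Per-sender state: how often the 8-bit counter has wrapped and the last value seen."""

    def __init__(self):
        self.cycles = 0
        self.last = None

    def extend(self, counter):
        if not 0 <= counter < MODULUS:
            raise ValueError("APS counter must fit in %d bits" % COUNTER_BITS)
        if self.last is None:
            self.last = counter
            return counter
        delta = (counter - self.last) % MODULUS
        if delta < HALF:
            # Forward (or repeated) value; a smaller raw value means the counter wrapped.
            if counter < self.last:
                self.cycles += 1
            self.last = counter
            return self.cycles * MODULUS + counter
        # Late or retransmitted value: keep it in the cycle it belongs to, do not move 'last'.
        cycle = self.cycles - 1 if counter > self.last and self.cycles > 0 else self.cycles
        return cycle * MODULUS + counter


def reassembly_key(state, src, dst, aps_counter):
    """Fragment-table key: (src, dst, extended counter) instead of (src, dst, 8-bit counter)."""
    ext = state.setdefault((src, dst), CounterExtender()).extend(aps_counter)
    return (src, dst, ext & 0xFFFFFFFF)


def demo_collisions(messages=300):
    """Constructed traffic (not from a capture): one sender emits `messages`
    two-fragment messages in order. Returns how many distinct keys the raw
    8-bit counter gives versus the extended one."""
    state = {}
    raw_keys, ext_keys = set(), set()
    for n in range(messages):
        counter = n % MODULUS
        for _block in range(2):                 # both fragments carry the same APS counter
            key = reassembly_key(state, 0x1234, 0x0000, counter)
            raw_keys.add((0x1234, 0x0000, counter))
            ext_keys.add(key)
    return len(raw_keys), len(ext_keys)


if __name__ == "__main__":
    print("distinct keys (raw, extended):", demo_collisions())
```

With 300 messages the raw counter yields only 256 distinct keys, so fragments of message 256 would be merged with leftovers of message 0; the extended counter keeps all 300 apart. A late fragment that arrives after the wrap is still filed under the previous cycle rather than starting a new one.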
Add a test to verify that PTK can be derived for WPA3 SuiteB-192
captures and that encrypted keydata field is decrypted so that
GTK can be dissected.
NOTE: Capture file contains no encrypted data frames as currently
Wireshark does not support decrypting GCMP-256 encrypted data.
Ping-Bug: 16197
Change-Id: I57fbc14a4b4bca58790c4edcee14f1ef73d73fd5
Reviewed-on: https://code.wireshark.org/review/35068
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The temporary buffer to store calculated mic is too short to keep
the message digest when using HMAC-SHA384 algo. HMAC-SHA384 yields
a message digest of 48 bytes so increase buffer size to make room
for the largest possible value.
Ping-Bug: 16197
Change-Id: I36fd094c39ce77329fb303fa181d286be694ae65
Reviewed-on: https://code.wireshark.org/review/35067
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The key derivation function (Dot11DecryptRsnaKdfX) used for
deriving PTK uses some hard coded hash length values making
it fail to generate full / correct PTK for 704 bit long PTK.
Fix by replacing hard coded values with actual hash length
values.
Ping-Bug: 16197
Change-Id: I48847cdb019672dde76174efb0f17514c58ace51
Reviewed-on: https://code.wireshark.org/review/35066
Reviewed-by: Anders Broman <a.broman58@gmail.com>
With AKMS 00-0F-AC:12 a 384 bit long PMK shall be used. To be able
to support key derivation and decryption from this larger sized
PMK the user PSK / PMK key input validation code is updated as well
as the various places where a hard coded PMK size is used.
Ping-Bug: 16197
Change-Id: I39c9337e8a84095246e3db5ef33dc96fb78e5dc3
Reviewed-on: https://code.wireshark.org/review/35065
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use AKM, cipher suite and group cipher suite from RSNA to determine
key lengths and offsets. This allows keys of different lengths
for PTK derivation, MIC validation etc.
Ping-Bug: 16197
Change-Id: I9a721fb9811db89357218b50a2a107cf945d3dae
Reviewed-on: https://code.wireshark.org/review/35064
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Not all AKMS use the same MIC length. Last part to support both 16 byte
and 24 byte long MICs is to actually make use of the now known MIC
length in MIC check / validation function. Instead of hardcoded
length use the length in eapol_parsed struct received from
dissector.
Ping-Bug: 16197
Change-Id: I6585b7a54de4def9e5ff846c19f12059b90ffdf6
Reviewed-on: https://code.wireshark.org/review/35063
Reviewed-by: Anders Broman <a.broman58@gmail.com>
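The Suite B 192 changes above (PMK size, hash length in the KDF, MIC length and offset driven by the AKM), worked as one added Python example; this is not Wireshark's dot11decrypt code. The per-AKM sizes are from IEEE 802.11-2016 Table 12-8 and the KDF is KDF-Hash-Length from 12.7.1.7.2; the PMK, MAC addresses, nonces and the EAPOL-Key frame are constructed inputs, and `kdf_with_hardcoded_hash_len` is my model of the bug described (sizes taken from an assumed digest length), not the old Wireshark code.

```python
# Added example, not Wireshark code: AKM-dependent PTK derivation and EAPOL-Key
# MIC handling. Per-AKM constants are from IEEE 802.11-2016 Table 12-8; the
# frame, PMK, addresses and nonces below are constructed test inputs.
import hashlib
import hmac
import math

# Only the suites this example needs.
AKM = {
    "00-0F-AC:8":  {"hash": "sha256", "pmk_len": 32, "kck_len": 16, "kek_len": 16, "mic_len": 16},  # SAE
    "00-0F-AC:12": {"hash": "sha384", "pmk_len": 48, "kck_len": 24, "kek_len": 32, "mic_len": 24},  # Suite B 192
}
TK_LEN = {"CCMP-128": 16, "GCMP-128": 16, "CCMP-256": 32, "GCMP-256": 32}

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8).
EAPOL_KEY_MIC_OFFSET = 81


def le16(n):
    return n.to_bytes(2, "little")


def kdf_hash_length(key, label, context, length_bits, hash_name):
    """KDF-Hash-Length (802.11-2016 12.7.1.7.2). Iteration count and output
    slicing come from the actual digest size of the AKM's hash."""
    hash_len = hashlib.new(hash_name).digest_size
    out = b""
    for i in range(1, math.ceil(length_bits / (8 * hash_len)) + 1):
        out += hmac.new(key, le16(i) + label + context + le16(length_bits), hash_name).digest()
    return out[: length_bits // 8]


def kdf_with_hardcoded_hash_len(key, label, context, length_bits, hash_name, assumed_len):
    """Model of the bug: sizes derived from an assumed digest length (e.g. 32)
    although HMAC-SHA384 returns 48 bytes, so every block after the first is mis-sliced."""
    out = b""
    for i in range(1, math.ceil(length_bits / (8 * assumed_len)) + 1):
        out += hmac.new(key, le16(i) + label + context + le16(length_bits), hash_name).digest()[:assumed_len]
    return out[: length_bits // 8]


def ptk_context(aa, spa, anonce, snonce):
    return min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)


def derive_ptk(pmk, aa, spa, anonce, snonce, akm, cipher):
    """Split the PTK into KCK/KEK/TK using lengths dictated by AKM and pairwise cipher."""
    p = AKM[akm]
    if len(pmk) != p["pmk_len"]:
        raise ValueError(f"{akm} needs a {p['pmk_len']}-byte PMK, got {len(pmk)}")
    length_bits = 8 * (p["kck_len"] + p["kek_len"] + TK_LEN[cipher])
    ptk = kdf_hash_length(pmk, b"Pairwise key expansion",
                          ptk_context(aa, spa, anonce, snonce), length_bits, p["hash"])
    kck_end, kek_end = p["kck_len"], p["kck_len"] + p["kek_len"]
    return {"kck": ptk[:kck_end], "kek": ptk[kck_end:kek_end], "tk": ptk[kek_end:],
            "ptk_bits": length_bits}


def eapol_key_mic(kck, eapol_frame, akm):
    """HMAC over the whole EAPOL PDU with the MIC field zeroed, truncated to the
    AKM's MIC length (24 bytes for Suite B 192, 16 for SAE)."""
    p = AKM[akm]
    end = EAPOL_KEY_MIC_OFFSET + p["mic_len"]
    zeroed = eapol_frame[:EAPOL_KEY_MIC_OFFSET] + b"\x00" * p["mic_len"] + eapol_frame[end:]
    return hmac.new(kck, zeroed, p["hash"]).digest()[: p["mic_len"]]


def verify_eapol_key_mic(kck, eapol_frame, akm):
    mic_len = AKM[akm]["mic_len"]
    found = eapol_frame[EAPOL_KEY_MIC_OFFSET: EAPOL_KEY_MIC_OFFSET + mic_len]
    return hmac.compare_digest(found, eapol_key_mic(kck, eapol_frame, akm))


def build_eapol_key(mic, key_data):
    """Constructed EAPOL-Key frame: fixed fields zeroed except type/length fields,
    enough to show that the Key Data Length field moves with the MIC length."""
    fixed = bytes([2]) + b"\x00" * 76                          # descriptor type 2 (RSN) + zeroed fixed fields
    body = fixed + mic + len(key_data).to_bytes(2, "big") + key_data
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 (EAPOL-Key)


def demo_suite_b_192():
    pmk = bytes(range(48))                                     # constructed 384-bit PMK
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes([0xA1]) * 32, bytes([0x5B]) * 32
    keys = derive_ptk(pmk, aa, spa, anonce, snonce, "00-0F-AC:12", "GCMP-256")
    frame = build_eapol_key(b"\x00" * 24, b"\xdd\x00")
    mic = eapol_key_mic(keys["kck"], frame, "00-0F-AC:12")
    frame = frame[:EAPOL_KEY_MIC_OFFSET] + mic + frame[EAPOL_KEY_MIC_OFFSET + 24:]
    return keys, frame


if __name__ == "__main__":
    k, f = demo_suite_b_192()
    print(k["ptk_bits"], verify_eapol_key_mic(k["kck"], f, "00-0F-AC:12"))
```

For AKM 00-0F-AC:12 with GCMP-256 the PTK is 24 + 32 + 32 = 88 bytes, the 704 bits the commit refers to, which needs two HMAC-SHA384 blocks; a KDF that assumes a 32-byte digest produces three mis-sliced blocks and a PTK that agrees with the correct one only in its first 32 bytes. The 24-byte MIC also pushes the Key Data Length field 8 bytes later than in the 16-byte case, which is why MIC length has to be known before key data can be located.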
The ieee80211 dissector reuses the conversation concept to track
each association as one conversation. For this a simple counter
is incremented on each (re)assoc request frame.
There are two already existing hacky tricks for conversation lookup:
1. Each frame is marked with current assoc counter value
2. pinfo srcport and destport is then set to assoc counter value
With the above a conversation can then be looked up using the normal
conversation utility functions.
Though depending on the dissection flow a conflicting conversation can
be created by the EAP dissector, making the conversation lookup used by
the function determine_mic_len return the one created by the EAP dissector
instead, with the effect that the wrong MIC length is returned.
Building further on this hack a way to solve this is to explicitly
mark pinfo srcport destport whenever we're either creating or searching
for a "wlan conversation".
Uploading the patch to get some feedback on how this whole "wlan
conversation" thing can be properly solved. This error was discovered
when working on implementing support for bug 16197 where 24 byte long
MICs are used.
Change-Id: I7bd22cdf5d382a6c5f881ee29820f058d581a94e
Reviewed-on: https://code.wireshark.org/review/35050
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Simplify the still quite complex Dot11DecryptScanEapolForKeys function
and further reduce frame parsing inside Dot11Decrypt engine. This is
done by breaking out the EAPOL keydata decryption step into a new
function Dot11DecryptDecryptKeyData to be called from dissector.
After this Dot11DecryptScanEapolForKeys can now focus on one
task, to scan for keys in (unencrypted) EAPOL key frames.
With keydata decryption step separated from the broadcast
key parsing step the dissectors' GTK parsing can replace
the Dot11Decrypt internal RSN GTK TAG parsing.
Change-Id: I3b89f40586b8b7dbe2ff74cfc30761010d5b80bc
Reviewed-on: https://code.wireshark.org/review/35022
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Break out the group handshake parsing from Dot11DecryptScanEapolForKeys
to a separate function. With this Dot11DecryptScanEapolForKeys logics
is simplified to either handle 4-way handshake or group handshake
message.
Change-Id: I2714d26623812066c888f7fea4b21eb03f22e510
Reviewed-on: https://code.wireshark.org/review/35021
Reviewed-by: Anders Broman <a.broman58@gmail.com>
To be able to support authentication key management suites that use
different MIC, PMK, PTK lengths the engine would need to be extended
to support parsing EAPOL Key frames with variable field lengths. Though
as the IEEE 802.11 dissector already supports this the alternative
(implemented in this patch) is to remove the EAPOL frame parsing inside
the engine and have the dissector feed it with a struct of parsed
fields instead.
For this a new type DOT11DECRYPT_EAPOL_PARSED is exported and
dot11decrypt now expects dissector to fill this struct with parsed
EAPOL fields before calling Dot11DecryptScanEapolForKeys.
Dissection of EAPOL fields is scattered over several functions in the
dissector code so parsed fields are temporarily stored in proto data
and then gathered before being fed into the dot11decrypt engine.
Change-Id: Ic6aeb4900f373dcde1ea3f1f0f24df2ae827576e
Reviewed-on: https://code.wireshark.org/review/35020
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Error:
../epan/dissectors/packet-bluecom.c:494:32: error: variable ‘segcode’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered]
guint cmd, flags, blocknb, segcode=0;
^
cc1: all warnings being treated as errors
Change-Id: I4534d1e95d0fb937ace34a757b7c9d36dd9e53b3
Reviewed-on: https://code.wireshark.org/review/35080
Reviewed-by: Anders Broman <a.broman58@gmail.com>
To make the adding of the timestamp to a name for a previous version
useful we also need to save it for that set of requests. Then we get the
correct names printed out for subsequent requests for that same file.
Change-Id: I5c554ae235303a7aea075df92827d6d219ccce56
Reviewed-on: https://code.wireshark.org/review/35076
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Commit 3c8c392 (https://code.wireshark.org/review/c/35071/) introduced
a regression where the messages in the status bar are no longer visible.
This change corrects that.
Change-Id: I23059a5013a65efe73454fc798048630a9e66792
Reviewed-on: https://code.wireshark.org/review/35085
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Fixing the status message disappearing from the status bar
Change-Id: I16925a5a8ad6ac929e1c4da8e36e3cf8fa29db84
Reviewed-on: https://code.wireshark.org/review/35084
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
For TCP SYN and FIN flags sequence/acknowledgment number increments
by one. Therefore we should also increment the nextseq field.
With this commit we increment nextseq regardless of TCP data.
So far we did this only when there was TCP payload included (e.g. with
TCP Fast Open).
We do this direct for the hf field as the variable nxtseq is also used
for TCP sequence analysis and to dissect the TCP payload.
The in-flight bytes are now correctly calculated when SYN or FIN bit
is set.
Furthermore this commit allows reassembly of segmented TCP payload also
with SYN bit set. This works also when payload overlaps (without the option
"analyze sequence numbers" enabled. Otherwise it is detected as a
retransmission.).
Bug: 15964
Bug: 9882
Change-Id: I0b12f9ec9803e9367d4a8f9a6ceac759f7d56cbd
Reviewed-on: https://code.wireshark.org/review/34273
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
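The next-sequence rule from the TCP commit above, as an added Python example that is not Wireshark's packet-tcp.c: SYN and FIN each consume one sequence number, so `nextseq` and bytes in flight must account for them even when the segment has no payload. `next_seq_before_fix` models the earlier behaviour the commit describes (flag bytes counted only together with payload), and the `FLOW` list is a constructed exchange, not a capture.

```python
# Added example, not Wireshark's packet-tcp.c: next-sequence and bytes-in-flight
# tracking where SYN and FIN each consume one sequence number even without payload.
SEQ_MASK = 0xFFFFFFFF


def next_seq(seq, payload_len, syn=False, fin=False):
    """Sequence number the sender's next segment will start at (mod 2^32)."""
    return (seq + payload_len + int(syn) + int(fin)) & SEQ_MASK


def next_seq_before_fix(seq, payload_len, syn=False, fin=False):
    """Model of the earlier behaviour: flag bytes only counted when the
    segment also carried payload (e.g. a TCP Fast Open SYN with data)."""
    return next_seq(seq, payload_len, syn, fin) if payload_len else seq


def in_flight_trace(events, nxt=next_seq):
    """events: ("send", seq, payload_len, syn, fin) for one direction and
    ("ack", acknum) for the ACKs the peer returns. Returns bytes in flight
    after each event: highest next sequence sent minus highest ACK received."""
    highest_next = None
    last_ack = None
    trace = []
    for ev in events:
        if ev[0] == "send":
            _, seq, plen, syn, fin = ev
            n = nxt(seq, plen, syn, fin)
            # Advance only on forward movement (retransmissions must not move it).
            if highest_next is None or (n - highest_next) & SEQ_MASK < 0x80000000:
                highest_next = n
            if last_ack is None:
                last_ack = seq            # nothing acknowledged yet: count from the ISN
        else:
            last_ack = ev[1]
        diff = (highest_next - last_ack) & SEQ_MASK
        trace.append(0 if diff >= 0x80000000 else diff)   # ACK ahead of what we tracked -> 0
    return trace


# Constructed flow (not a capture): SYN, 100-byte segment, FIN, with the peer's ACKs.
FLOW = [
    ("send", 1000, 0, True, False),    # SYN, ISN 1000
    ("ack", 1001),                     # the SYN consumed one sequence number
    ("send", 1001, 100, False, False),
    ("ack", 1101),
    ("send", 1101, 0, False, True),    # FIN with no payload
    ("ack", 1102),
]

if __name__ == "__main__":
    print("fixed:     ", in_flight_trace(FLOW))
    print("before fix:", in_flight_trace(FLOW, next_seq_before_fix))
```

With the corrected rule the bare SYN and the bare FIN each show one byte in flight until acknowledged; the older rule reports zero for both and also leaves the tracked next sequence one behind the peer's ACK. A Fast Open SYN carrying data gave the same answer under both rules, which is why the gap only showed up for empty SYN/FIN segments.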
Currently push pop is propagated by a massive load of signals
which partly are also propagated through parent objects.
This moves the status handling to WiresharkApplication, also
pathlining future moves to move status to different classes or
use additional methods of status information
Change-Id: Ibcb2c98688f1adf40dce1483f336596ef992bb06
Reviewed-on: https://code.wireshark.org/review/35071
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
The asn1 directory was moved to epan/dissectors back in 2016.
Change-Id: Id22c99fa4e0cacf19ab0c5a6055e71abf94f6159
Reviewed-on: https://code.wireshark.org/review/35074
Reviewed-by: Gerald Combs <gerald@wireshark.org>
If a display filter is applied, but the display filter bar
has been cleared by deleting the context (either by setting a
space or backspacing over the filter), it is not clearly indicated
that the filter is still being applied.
Bug: 12438
Change-Id: Ibd4c48b094467182ed51e9859e0d5fad770000c7
Reviewed-on: https://code.wireshark.org/review/35070
Petri-Dish: Roland Knall <rknall@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
This reverts commit 39bbb90e78.
If you check 9.4.2.242.3 HE PHY Capabilities Information field, you will see the "Supported Channel Width" field starts from B1 of the "HE PHY Capabilities Information field", not B0.
The Table 9-231 Subfields of the HE PHY Capabilities Information field applies only for the Channel Width Support Field. So B1 of the PHY cap should be used as B0 of the channel width.
Bug: 16190
Change-Id: Iff5beaf93f57d535b70ffab4b51e4a163aaf3a6d
Reviewed-on: https://code.wireshark.org/review/35038
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When viewing the summary pane it is useful to know if the request is
for a previous version of a file. This is signalled by the existence of
TWRP Extra Create Parameter. If we see one, add the time string to
the info column.
Change-Id: I3564c2c38a1dd3aa13484bcb329577088025ca70
Reviewed-on: https://code.wireshark.org/review/35058
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Qt GUI uses proto_get_first_protocol() to find the list of protocols
and build the autocompletion list. As pinfo protocols are stored in
another list, they are kept aside.
Let's add them in the same list as normal protocols.
Bug: 16130
Change-Id: I9ff67ea4198a8cc6baf3ded584c48eadfb097092
Reviewed-on: https://code.wireshark.org/review/34778
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
EPIPE almost certainly means "the next program after us in the pipeline
exited before we were finished writing", so this isn't a real error, it
just means we're done. (We don't get SIGPIPE because libwireshark
ignores SIGPIPE to avoid getting killed if writing to the MaxMind
process gets SIGPIPE because that process died.)
Presumably either that program exited deliberately (for example, "head
-N" read N lines and printed them), in which case there's no error to
report, or it terminated due to an error or a signal, in which case
*that's* the error and that error has been reported.
(We don't do that for EINVAL, as that's presumably a real error. It
shows up on Windows in bug 16192, but what we probably want to do there
is to, on Windows, use _doserrno, check for the equivalent Windows
errors, and, for the default case, convert _doserrno to the appropriate
string, using Windows APIs, and report *that* string; the MS C library
converts a whole bunch of Windows errors to EINVAL, thus losing
information and making it harder to determine what the real error is.
Therefore, I'm just marking this with Ping-Bug, as it's only fixing the
problem on UN*Xes.)
Change-Id: I94c392f478561e29501facd657487716a5882295
Ping-Bug: 16192
Reviewed-on: https://code.wireshark.org/review/35053
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
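The EPIPE reasoning above, as an added Python example that is not the Wireshark change itself: a writer that treats a broken pipe as "the downstream program is done" and every other write error as a real error. Python, like libwireshark in the commit, ignores SIGPIPE at startup, so the failed write surfaces as `BrokenPipeError` (errno EPIPE) rather than killing the process; the pipe setup in `demo_reader_exited` stands in for a `head` that has exited and is constructed for the example.

```python
# Added example, not Wireshark code: distinguish "reader went away" (EPIPE)
# from real write errors. The interpreter ignores SIGPIPE, so a write to a pipe
# with no reader raises BrokenPipeError instead of terminating the process.
import errno
import os


def write_all(fd, data):
    """Write all of `data` to fd. Returns True on success, False if the reader
    has gone away (EPIPE, e.g. 'head -n N' already printed N lines). Any other
    OSError is a genuine error and propagates to the caller."""
    view = memoryview(data)
    while view:
        try:
            n = os.write(fd, view)
        except BrokenPipeError:          # errno.EPIPE: nothing to report, we are simply done
            return False
        view = view[n:]
    return True


def demo_reader_exited():
    """Constructed scenario: the next program in the pipeline closes its end first."""
    r, w = os.pipe()
    os.close(r)                          # simulate the consumer exiting
    try:
        return write_all(w, b"frame 1\nframe 2\n")
    finally:
        os.close(w)


def demo_real_error():
    """EBADF is not EPIPE and must not be swallowed; report whether it surfaced."""
    try:
        write_all(-1, b"x")
    except OSError as e:
        return e.errno == errno.EBADF
    return False


if __name__ == "__main__":
    print("consumer gone handled quietly:", demo_reader_exited() is False)
    print("real error still raised:", demo_real_error())
```

The commit's caveat carries over: this only helps where the C library reports EPIPE faithfully. On Windows the MS C runtime maps several distinct errors to EINVAL, so a port of this check would need to consult the native error code rather than errno.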
strchr() is declared in <string.h>, and we now use strchr(), so we must
include <string.h>.
Change-Id: Ie80763c10c4ad1ef85d4a83d8eacc3ea236bea56
Reviewed-on: https://code.wireshark.org/review/35052
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Documentation of the Wireshark command line options between help text,
manual page and user's guide diverged over time. One aspect of this is
the implementation of more long options. This change tries to update
all documentation to be complete and in sync again.
Bug: 16168
Change-Id: Id833fbeb14fdb7b3dbc1564504a25d96f4367c91
Reviewed-on: https://code.wireshark.org/review/35047
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
If the display filter is cleared, because it is emptied, the
new display filter ("") is not yet applied. This is not signaled
properly, as the user gets the impression that no filter is applied,
although the old one still is. Visible is this by displaying
the placeholder text and removing the clear button
With this patch, in such a case, the placeholder text is empty
and the clear button still visible, until really an empty filter
is being applied.
Bug: 12438
Change-Id: I45128ebf2bc1854da5a4055d3980d913d0139a28
Reviewed-on: https://code.wireshark.org/review/35045
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
Support for Local RIB in BGP Monitoring Protocol (BMP)
Add new peer type (3/Loc-RIB Instance), Peer Flags (F), Peer UP (VRF/Table Name) and Peer Down (Local system Closed)
Change-Id: I8de0e782d6eadfaa6fe9eff4de66a4295f173c40
Reviewed-on: https://code.wireshark.org/review/35041
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When printing an error message about (1) an imported file that does not
exist or (2) a type that is defined twice, the loaded .proto filename and
line number are included to ease fixing the errors in the .proto file.
Change-Id: I2efc7a200dd86016450bba2bc960f53773bfc2e8
Reviewed-on: https://code.wireshark.org/review/35032
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix dead store (Dead assignment/Dead increment) Warning found by Clang
Change-Id: Ie9f9909c7ae0fad0df8c964f75d5f08a15926927
Reviewed-on: https://code.wireshark.org/review/35039
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Per the NVMe specification, calling the NVMe "Identify Namespace list" command
(Identify with CNS 0x2) is responded with 4K data structure which
holds a list of all namespace's IDs (NSID) related to this NVMe
storage controller (padded with zeroes).
This commit dissects this NSID list.
Change-Id: I78d80eee117218ab1bc45bef834ccc0b1303d4dd
Signed-off-by: Nitzan Carmi <nitzanc@mellanox.com>
Reviewed-on: https://code.wireshark.org/review/34933
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Per the NVMe specification, calling the NVMe "Identify Namespace" command
(Identify with CNS 0x0) is responded with 4K data structure which
holds all namespace's capabilities/attributes.
This commit dissects the main fields in this data structure.
Change-Id: Ibba48ea0e6ecc24b0138e017094fa9d09ec13350
Signed-off-by: Nitzan Carmi <nitzanc@mellanox.com>
Reviewed-on: https://code.wireshark.org/review/34932
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>