and also (if reassembly is disabled) only dissect the initial (offset==0) data pdu.
dissect_scsi_payload() does not yet use this parameter.
now that we have both data offset and expected data length/bidir expected data length and also the read/write flags available we have what we need to reassemble data in/out pdus (modulo overflow/underflow but those are so rare we can worry about them later).
ndmp: ndmp conceptually always has a data in and a data out phase and never fragment the data into smaller pdu's so that dissector always report offset as 0.
svn path=/trunk/; revision=19511
decode this field as relative offset and also store it in the fc_hdr structure so that FCP can pick it up and pass it to the SCSI payload data in/out dissector later
svn path=/trunk/; revision=19510
pass conversation from the transports up to the scsi layer
add tracking of conversation specific info to scsi osd
add tracking of conversation+lun specific info to scsi osd
for scsi osd add tracking of PARTITIONS and display in which frame they were created/removed
svn path=/trunk/; revision=19505
The attached patch fixes parsing of the setup header in the usb dissector.
Currently the size of the field specified in the proto_tree_add_item call
was wrong.
svn path=/trunk/; revision=19503
or Unicode, and use tvb_get_ephemeral_faked_unicode() to get Unicode
strings; this fixes problems I've seen in captures, where the string
isn't being processed correctly.
svn path=/trunk/; revision=19494
so that the two scsi transports FCP and ISCSI can provide the expected data transfer lengths to SCSI to allow SCSI reassembly.
NDMP does not really need these hints since for NDMP (and also iscsi-lite) there is conceptually always both data in and data out phases and there is never any fragmentation.
svn path=/trunk/; revision=19493
pretty horrible hack to store an ntlmssp blob inside an ldap string
the info column is not entirely pretty but the payload is at least decoded
svn path=/trunk/; revision=19490
An enhancement to the PPP multiplexing protocol
dissector in protocol-ppp.c. There are two changes:
The protocol id field of the multiplexed sub-frame is added
to the protocol tree using a header field. This allows
filters to select the protocol as is the case when it is not
multiplexed. I think this fixes a small bug as the ability to
filter for a protocol should not depend on the lower level
protocol.
When the protocol id of the subframe is not present, the
appropriate default protocol is displayed with the standard
indication that Wireshark generated the value.
svn path=/trunk/; revision=19488
from the 802.11 dissector. Use a #define for the maximum number of
WEP keys. Use AirPcap's if we have it (64). Rename find_module() to
prefs_find_module() and make it public.
svn path=/trunk/; revision=19467
This patch fixes a transposition of the orders of
Set Attribute Number
Set Attribute Length
In the page oriented get and set attributes CDB parameters format
Ref SCSI-OSD T10/1355-D Revision 10 section 5.2.2.2
svn path=/trunk/; revision=19460
packet-cisco-wireless.c is actually trying to dissect WLCCP:
I have attached a dissector I wrote from scratch for the
frames that I'm seeing. It has #defines for the field offsets and
lengths so it should be easier to merge. I also attached a sample
capture with one of the frames that I'm seeing. There are more fields
in the frame I haven't yet figured out, hopefully your dissector has
those that I'm missing.
Me: - Commented in wlccp over udp as well, it works most of the time.
- Leave the file packet-cisco-wireless.c in for the time being to
copy over knowledge until no usable info is left in the file.
svn path=/trunk/; revision=19447
The expression (BGP_OSPF_RTYPE_EXT ||BGP_OSPF_RTYPE_NSSA) will always
evaluate to 1. As well, neither of these constants are defined as flag
values, so a bitwise op was probably not intended either.
svn path=/trunk/; revision=19444
Remove preferences stuff
Use stringz for variable length names
Media address size independent
Removed generated item
Set actual length of packet
Make info column work without coloring rules or filters
svn path=/trunk/; revision=19435
dissector for Enea's LINX protocol?
A protocol spec is available at <http://www.enea.com/templates/Extension____8947.aspx>. The source of the kernel module could be obtained from Enea by sending a request to "linx at enea dot com".
Currently they use ethertype 0x9999 which is not registered at IEEE.
svn path=/trunk/; revision=19430
I did improve the OID management in the tcap dissector.
Now, when a tcap message is received, without upper layer, the ACN is saved in the TCAP context, and can be used for the next messages of the dialogue. It is used only when the upper layer session is opened with Tcap only messages.
svn path=/trunk/; revision=19414
numerous changes, most notably:
1) BACnetStatusFlags is bit string, not enum, in NotificationParameters
2) Fixes many places where enclosing context tags were not handled properly.
3) Simplify tag decoding logic. Change to explicit decoding in many
instances rather
than read tags in a loop and do a switch based on tag number. Looping
ignores out-of-order and other types of tagging errors.
svn path=/trunk/; revision=19410
few things to be fixed:
- // comments,
- not every hf_xxx used might be registered
some packages from the current h248 dissector are still missing.
svn path=/trunk/; revision=19407
- Indicate direction of DCH Data in info column
- Assume EDCH payload CRC if 2 bytes are left over (previous test was broken)
svn path=/trunk/; revision=19405
always register
itself on the port from the preferences (defaults to 0) upon launch.
This allows the user to right-click and use decode as.
svn path=/trunk/; revision=19403
Modify the VNC dissector to desegment
the "server cut text" message type for cases where the cut text is in
the next tcp segment from the first part of the message.
svn path=/trunk/; revision=19402
account for this extra reserved byte in the ahs length so that the reconstructed cdb has the correct length and does not contain one extra byte at the end
svn path=/trunk/; revision=19387
This is used to display the field underlined and to allow the user to double-click on it (like FT_FRAMENUM) to open the URL in the configured browser.
Example usage in the x509ce and logotype certificate extensions.
svn path=/trunk/; revision=19383
iscsi: when iscsi transfers a cdb that is larger than 16 bytes, the first 16 bytes are transferred in the normal place in the header and the remainder of the cdb is transported inside the AHS.
reassemble these cdb into a proper tvb before passing it to the scsi dissector
svn path=/trunk/; revision=19376
add a test for (length > 0) in the dissector (dissect_xot_pdu), to avoid
allocating a new tvb when the XOT decoded length is null.
svn path=/trunk/; revision=19365
Please find enclosed a patch about Mobile Network Prefix option in NEMO.
Following RFC3963 Section 4.3, length of this option is 18, not 16.
svn path=/trunk/; revision=19363
it is absolutely amazing that none of the iscsi implementors and users of wireshark had noticed this breakage and reported it. they apparently do not use wireshark.
svn path=/trunk/; revision=19362
various changes to the existing scsi dissector to start allowing different commandsets to be implemented in their own dissector files to prevent the scsi dissector from becoming as huge as the parlay dissector
svn path=/trunk/; revision=19360
- dissection of TIPCv2 internal messages now shows
all fields used according to the protocol spec
- there should be no issues with the current protocol
spec anymore
- the info column is more concise and gives more
details
- some code beautifications
svn path=/trunk/; revision=19354
I've two patches for FMIPv6:
- FBU encapsulated in FNA are not correctly parsed;
- there is an error when parsing LLA Option.
svn path=/trunk/; revision=19351
I have figured out one of the fields in the MAPI
EcRRegisterPushNotification packet. The field is a UDP port number that
the client wants the Exchange server to send new mail notifications on.
These notifications are on a port > 1023 and are always 8 bytes long.
It looks like I would add the function name to the
dcerpc_mapi_dissectors[] for the register push notification. What would
my new function need to do besides display the field?
Thanks,
Steve
Here is a patch to add this functionality. It displays the notification
port and the notification payload (not sure what the payload itself
means yet). It also dynamically registers each notification port found
with a new dissector (that I called newmail for lack of a better name -
I'm open to suggestions) that displays the notification payload. This
is all undocumented by Microsoft in their usual fashion.
I also changed the code to always display the mapi.opnum field;
currently, the mapi.opnum is only displayed when the
dcerpc_mapi_dissector is null.
Steve
svn path=/trunk/; revision=19350
This patch adds support for dissecting ontap's nfsv4 filehandle,
as well as some updates to nfsv3 filehandle as well in the nfs
dissector.
Alex.
checked in with minor changes
svn path=/trunk/; revision=19345
Here are some patches and a new module to introduce the notion of Tcap context for a Tcap transaction. For each Tcap transaction, several parameters, like session identifier, start time or OID, will be saved in a hash table, to keep this information available for the next messages. This context is then given to the upper layer, and can be used, for example, to generate transaction-associated statistics.
Moreover, the Upper protocol, detected in the Begin of the TCAP transaction (according to the OID), is saved in the context, and will be reused for the next messages of the transaction. This helps the decoding of SS7 messages, without any SSN configuration in the "wireshark preferences".
You will also have the possibility to apply a filter to see only the messages related to a TCAP transaction. (tcap.srt.session_id=XXX)
To enable the use of the Tcap context, you have 2 new parameters in the preferences,
- SRT, enable search for a Tcap context for any TCAP messages
- persistentSRT, keep the Tcap context, even after the transaction has been closed. This is mandatory with Wireshark, to have a clean display of the stats.
There are 2 new timers in the preferences for the statistics, to tune the retransmission timeout, and messages lost timeout.
svn path=/trunk/; revision=19341
this protocol is not too interesting yet since only the function names of this interface are known but it is more than no dissection at all
svn path=/trunk/; revision=19333
- Remove the RFC 3261 attribution in the long text version of several headers (some of them I couldn't easily work out where the first non-obsoleted introduction of them is)
svn path=/trunk/; revision=19328
Add a new WERR error table to packet-windows-common so that PIDL generated dissectors can use this table instead of the DOS table.
To make this table as complete and accurate as possible and to avoid having to type all the values in by hand the table is generated from the samba doserr.h file and two small commandlines.
The comments in packet-windows-common.h explain how to regenerate the table from doserr.h
svn path=/trunk/; revision=19306
don't try dcerpc reassembly of fragments if we don't have the entire pdu
only call the heuristical dissectors once from smb/pipe as per guy(?)s comments about idempotence.
when doing reassembly, the dcerpc dissector is indeed not idempotent any more.
svn path=/trunk/; revision=19304
This patch makes the maximum valid LDAP PDU size a preference. The default value for this new preference is 65535 for backwards compatibility.
svn path=/trunk/; revision=19288
The smb dissector displays lock requests in the "Locking AndX Request" as a vector of locks. It opens a tree branch
"Locks" and appends the locks to this branch. Instead of adding "Lock" objects to this branch it added "Unlock"
objects. Everything else is fine.
svn path=/trunk/; revision=19271
Add the ieee802a_add_oui function to libwireshark.def, and also adds the OUI that I am using to a couple of internal lists (in epan/oui.h and dissectors/packet-llc.c).
From me:
Resorted the oui lists, some whitespace changes and added Ericsson OUI:s.
svn path=/trunk/; revision=19262
In dissect_geographical_description the longitude is multiplied by 260
and should be by 360(degrees).
Also it would be good to display to 5 decimal places.
svn path=/trunk/; revision=19260
I have put together a patch for YMSG packet dissector. This is based on my own code and service lists (this
should match Gaim and Kopete service lists). This new code should bring the code up to par to most of the
known services. Which should cover up to Yahoo 7.x or most of it.
I have also setup a new set of constants which are specific to YMSG packets. These are the types that I've
seen in miranda network logs and they should reveal more information. The other constants are mostly for buddy
statuses and need not apply to the YMSG header. I have left them in the code (for now). These constants are
currently used in my own code.
svn path=/trunk/; revision=19255
"The decoder has some bugs:
* RTP redundancy field is decoded incorrectly.
* Timer TU3920 is displayed as being in seconds, but it is really in units of
100 ms."
svn path=/trunk/; revision=19247
once the private_data -> se_data conversion is complete we can plug quite a large number of memory leaks related to dcerpc
svn path=/trunk/; revision=19240
Fix for bug 1036
I looked at this today and found that in fact the PC stuff is pretty
hosed up in the SS7 dissectors. For example, MTP3 *looks* OK here (DPC is
4-5-6):
Routing label
DPC (4-5-6) (394500)
but 394500 == 0x60504 == 6-5-4. Something's not right.
I made a common PC dissector function for all the SS7 dissectors so as to
concentrate all this code in one place (something I've been wanting to do for a
while anyway) and fixed the reported problem as well as the above problem in
the attached patch.
svn path=/trunk/; revision=19231
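The mismatch described in the message above, as an added example (not the patch's code). It assumes an ANSI-style routing label whose three point code octets arrive as member, cluster, network; decode_pc(), format_pc() and wire_order_value() are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 24-bit point code in network-cluster-member form. */
struct point_code {
    uint8_t  network, cluster, member;
    uint32_t value;   /* network is the most significant octet */
};

/* Assumption: the octets are on the wire as member, cluster, network.
 * One shared decoder keeps the dashed and the numeric form in step. */
int decode_pc(const uint8_t *buf, size_t len, size_t off, struct point_code *pc)
{
    if (buf == NULL || pc == NULL || off > len || len - off < 3)
        return -1;                      /* truncated routing label */
    pc->member  = buf[off];
    pc->cluster = buf[off + 1];
    pc->network = buf[off + 2];
    pc->value   = ((uint32_t)pc->network << 16) |
                  ((uint32_t)pc->cluster << 8) | pc->member;
    return 0;
}

/* The same three octets read in wire order as a big-endian number:
 * this is the reading that does not match the dashed form. */
uint32_t wire_order_value(const uint8_t *buf)
{
    return ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
}

/* Renders "network-cluster-member (value)"; -1 if out is too small. */
int format_pc(const struct point_code *pc, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%u-%u-%u (%u)",
                     (unsigned)pc->network, (unsigned)pc->cluster,
                     (unsigned)pc->member, (unsigned)pc->value);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: DPC 4-5-6 as it would sit in the label. */
    const uint8_t label[3] = { 0x06, 0x05, 0x04 };
    struct point_code pc;
    char text[32];

    if (decode_pc(label, sizeof label, 0, &pc) == 0 &&
        format_pc(&pc, text, sizeof text) > 0)
        printf("DPC %s, wire-order reading %u\n",
               text, (unsigned)wire_order_value(label));
    return 0;
}
```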
the biggest problem in changing this is the dcv->private_data usage.
add a dcv->se_data which can keep data around from a request to a response and use this to change the LSA/OpenPolicy2 servername passing from request to response as a test pattern of moving all users of dcv->private data over to use dcv->se_data.
once all users are migrated over we can then change the dcv->private data pointer to be of ep scope and thus not need an explicit free (which is quite difficult and it is quite difficult in the old semantics to know WHEN we need to free this pointer)
this will eventually make the usage more clean and at the same time close down quite a few memory leaks.
eventually this will make dissect_ndr_nt_SID return a pointer to ep allocated memory that need not be explicitly freed.
svn path=/trunk/; revision=19226
> please find enclosed a patch to the CFlow dissector (packet-netflow.c)
> that enables it to decode IPFIX packet traces.
svn path=/trunk/; revision=19221
Hi folks,
We think we've found a bug in STANAG 5066 SIS layer dissector.
Problem is at S_EXPEDITED_UNIDATA_INDICATION S_Prim's parser
and occurs when we receive a U_PDU via expedited unidata channel.
Dissector tries to parse first 2 bytes of U_PDU as a header size of type
21 s_prim (S_UNIDATA_INDICATION). But, this is not a wanted process on
that parser. Maybe, it was forgotten unchanged from
S_UNIDATA_INDICATION dissector while copying it. So it shows
data (U_PDU) 2 bytes short. Moreover, if data is just 1-byte, TCP datagrams
receive TCP checksum error.
Confirmed.
It was indeed a "copy-paste-did not edit correctly" bug.
While going over the code once more, I found:
1 - One bug in the heuristic. (Changed '&&' to '||')
2 - One to-do that was already done. (Removed the /* TODO */)
3 - One to-do that is now done. ;-)
svn path=/trunk/; revision=19210
Also, there is still an outstanding issue regarding the default use of
the "media" dissector. The way it is currently coded there is no way to
have a heuristic decoder when a content-type header is specified.
In this way if there is a decoder for a specific content-type then it
will be used, then the heuristic decoders have a chance, and finally the
default of either the media-type decoder or the http_payload decoder.
svn path=/trunk/; revision=19208
since source/dest/protocol/info is updated by the content of the payload it doesn't make sense to hide the actual payload inside esp/ah
it just would look confusing
svn path=/trunk/; revision=19206
windows in SYN and SYN+ACK packets are not scaled so don't apply window scaling to them when displaying them in the tree
svn path=/trunk/; revision=19186
add required code to the http (and others) code in req_resp_hdrs.c to signal to tcp
when it wants a session to be reassembled to the FIN.
This is currently done for all HTTP packets where we have a Content-type in the header but no content-length.
svn path=/trunk/; revision=19185
as requested here is a patch in order to take into account Encryption
and Authentication keys for ESP in hexa.
You only have to write your key with 0x first. In this case if the key
is not in 8-bit unit, it will be considered as starting with a "0" (4 bits). Except in this case, the key should be completely written, even if it
starts with "0x00".
svn path=/trunk/; revision=19181
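The key format described in the message above, as an added example (not the patch's code). parse_esp_key() is a hypothetical name, and treating a key without the 0x prefix as literal characters is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int nibble(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Converts a key typed by the user into raw bytes.
 * Returns the key length in bytes, or -1 on malformed input or if
 * the key does not fit in out. */
int parse_esp_key(const char *text, unsigned char *out, size_t cap)
{
    size_t n, i = 0, o = 0;

    if (text == NULL || out == NULL)
        return -1;
    if (!(text[0] == '0' && (text[1] == 'x' || text[1] == 'X'))) {
        /* Assumption: no prefix means the characters are the key. */
        n = strlen(text);
        if (n == 0 || n > cap)
            return -1;
        memcpy(out, text, n);
        return (int)n;
    }
    text += 2;
    n = strlen(text);
    if (n == 0 || (n + 1) / 2 > cap)
        return -1;
    if (n % 2) {
        /* Odd digit count: the first digit is a whole byte with an
         * implied leading "0" nibble. */
        int v = nibble(text[0]);
        if (v < 0)
            return -1;
        out[o++] = (unsigned char)v;
        i = 1;
    }
    for (; i < n; i += 2) {
        int hi = nibble(text[i]), lo = nibble(text[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;          /* reject instead of silently truncating */
        out[o++] = (unsigned char)((hi << 4) | lo);
    }
    return (int)o;              /* leading 0x00 bytes count toward length */
}

int main(void)
{
    unsigned char key[32];
    printf("0xabc    -> %d bytes\n", parse_esp_key("0xabc", key, sizeof key));
    printf("0x00ff   -> %d bytes\n", parse_esp_key("0x00ff", key, sizeof key));
    return 0;
}
```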
- Display options in info column
- Only remember blksize from OACK packets
- Add some rfc numbers
- Move tftp_dissect_options in front of dissect_tftp
(I forgot to fix the forward decl once too often ;)
- Warning fixes
- Add expert error in case of tftp-error pdu
svn path=/trunk/; revision=19162
Actually, this was a feature request:
Store the value of the blksize option in the conversation data
and use that information to compare whether we have reached the
last packet.
Includes the cleanup ideas from Ronnie.
svn path=/trunk/; revision=19155
there were instances where the function dissect_nt_sid() would not fill in the return pointer for the sid string
causing callers that rely on this string ALWAYS being assigned to try to access and g_free() an uninitialized pointer.
dissect_nt_sid() should be changed to use and return ep allocated memory instead of gmalloced memory
svn path=/trunk/; revision=19154
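The out-pointer contract the message above relies on, as an added example (not Wireshark's dissect_nt_sid()). sid_to_str() is a hypothetical stand-in that uses malloc()/free() in place of g_malloc()/g_free() and assigns the result pointer on every path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUBAUTH 15
#define SID_STR_MAX     256   /* longest rendering is under 200 bytes */

/* Binary SID: revision(1) count(1) authority(6, big-endian)
 * sub-authorities(count * 4, little-endian).
 * Returns the bytes consumed or -1. *sid_str is assigned on every
 * path, so a caller may always pass it to free(). */
int sid_to_str(const uint8_t *buf, size_t len, char **sid_str)
{
    uint64_t auth = 0;
    size_t need, used, i;
    char *s;

    if (sid_str == NULL)
        return -1;
    *sid_str = NULL;                 /* set before any early return */

    if (buf == NULL || len < 8 || buf[1] > SID_MAX_SUBAUTH)
        return -1;
    need = 8 + 4 * (size_t)buf[1];
    if (len < need)
        return -1;                   /* truncated SID */

    for (i = 2; i < 8; i++)
        auth = (auth << 8) | buf[i];

    s = malloc(SID_STR_MAX);
    if (s == NULL)
        return -1;
    used = (size_t)snprintf(s, SID_STR_MAX, "S-%u-%llu",
                            (unsigned)buf[0], (unsigned long long)auth);
    for (i = 0; i < buf[1]; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        used += (size_t)snprintf(s + used, SID_STR_MAX - used, "-%u",
                                 (unsigned)sub);
    }
    *sid_str = s;
    return (int)need;
}

int main(void)
{
    /* Constructed sample: S-1-5-32-544, then the same bytes cut short. */
    const uint8_t sid[16] = { 0x01, 0x02, 0, 0, 0, 0, 0, 0x05,
                              0x20, 0, 0, 0, 0x20, 0x02, 0, 0 };
    char *str;   /* deliberately not initialised by the caller */

    if (sid_to_str(sid, sizeof sid, &str) > 0)
        printf("%s\n", str);
    free(str);
    sid_to_str(sid, 12, &str);       /* fails, str is NULL */
    free(str);                       /* free(NULL) is a no-op */
    return 0;
}
```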
verify that stat_info->request_uri is non null before doing string manipulations on it
so that we don't try to dereference a null pointer further down the code
svn path=/trunk/; revision=19153
A patch to bring the VNC dissector almost to completion.
I have not had a chance to finish the server message type "frame buffer
update," which are the pixel values for screen rectangle updates.
Everything else is there - tracking the keys the user is pushing,
ringing a bell on the client, mouse button pushes/pointer movements,
etc.
svn path=/trunk/; revision=19145
This patch will add the following functionality to the H.248
dissector:
1. Dissection of properties from Annex C.11 SDP equivalents.
2. Dissection of EventNames and SignalNames from Annex E Basic
Packages.
3. Dissection of event and signal parameters from Annex E.9 Analog
Line Supervision Package.
4. Dissection of statistics from Annex E.11 Network Package and
Annex E.12 RTP Package.
svn path=/trunk/; revision=19136
First, the length of the header of a sub-frame may be miscalculated
if the PID field is not present, but was present in a previous
sub-frame. The calculation of the header length will use the value from
the previous sub-frame.
Second, correct the typo "ength" to "length".
Third, the length of the current sub-frame was not passed as the
reported length to a sub-dissector. When the sub-dissector calls
tvb_reported_length(), the function returns the length of the complete
frame and not the length of the sub-frame to be dissected.
svn path=/trunk/; revision=19132
use call_dissector_only() which is new-style aware and not call_dissector() which is not.
this fixes a recent bug found on the heimdal list.
svn path=/trunk/; revision=19129
New protocol: epl v1
Hi,
in addition to the recently submitted dissector for the EPL v2 protocol,
this is the dissector for the first version of the EPL protocol.
Best Regards,
David
svn path=/trunk/; revision=19125
from 1 to 8 bytes, and not only handle 0-byte session IDs as special,
have it handle session IDs > 8 bytes as special as well.
svn path=/trunk/; revision=19115
we can add code to check that it looks sane (for better heuristics) when
we start adding GSS-KRB reassembly.
we need this for some transports such as SMB/SessionSetup that will transport GSS-KRB blobs inside multiple PDUs (multiple different SMB/SessionSetups) so we can reassemble the blobs before decoding them.
this probably only happens for SMB/SessionSetup but the design of that command is so "nice" that you can not tell whether the blob is fragmented or not or how big it is supposed to be by looking at the SMB layer itself, one needs to know the BER length field for the BER APPLICATION tag. :-(
to make things worse, the only way to match multiple such fragments together one will need not just the fragments from the SessionSetup requests but also the UID that is returned in the response to the initial request.
perverse design.
let's assume that there will almost never be multiple sessionsetups on the same tcp session in real traces so to make things easier just ignore the UID for now when reassembling. (well reassembly is not added yet but will be)
svn path=/trunk/; revision=19112