ACDR is a protocol over UDP that is used by AudioCodes devices for
recording traffic to and from the device.
It adds a header to each packet that contains extra data about the packet.
For some packet types (like SIP), it also appends the IP and UDP/TCP
headers of the sent/received packet.
The dissector unwraps the ACDR header, and displays the packets with the
original type (and when available, with the original addresses).
Bug: 16275
Change-Id: I19ad90053a2ef73da80881dc5e94aa362de23ea3
Reviewed-on: https://code.wireshark.org/review/35417
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
When a HTTP response includes HTTP headers and a subset of data for the
subdissector in the same frame, be sure to skip the HTTP headers for
reassembly of the latter data. Otherwise the HTTP headers will be
misinterpreted as the subprotocol (for example, WebSocket).
Bug: 16274
Change-Id: Ida6f6f2f7d0c463be2d498bfde5e8a9cd11a4b25
Reviewed-on: https://code.wireshark.org/review/35536
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Change-Id: Idbc67da75ad75803a01f17ae3ff6f8f677670db8
Reviewed-on: https://code.wireshark.org/review/35191
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The commit 0c5b14395e fixed a leak
but introduced a regression since the username gets freed while it's
still needed. We need to make a copy here.
Change-Id: Id45c1b8f98c9649a0ead30ec6cacdd6c44b923bd
Reviewed-on: https://code.wireshark.org/review/33821
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
This new tap collects credentials (username and password)
from the dissectors.
So far, few dissectors have been instrumented:
- http (basic auth)
- http (header auth)
- ftp
Others can be instrumented as well using the same technique.
Tshark has a new option (-z credentials) and Wireshark a new
"tools" menu: the documentation has been updated accordingly.
Change-Id: I2d0d96598c85bb3ea4fb5ec090dd8dc28b481fc9
Reviewed-on: https://code.wireshark.org/review/33453
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Any request or response with the Content-Type header and no
Content-Length header would cause the HTTP dissector to combine all
segments until the end of the connection. This is bogus, it should only
do this for HTTP responses under stricter conditions.
To fix this issue: 1) explicitly disable body desegmentation for
messages that never have a message body, 2) restrict "desegment until
the end" to HTTP responses.
The "Connection: Keep-Alive" case was a fix for bug 1142, but that is
now properly addressed by checking for the 304 status code.
Bug: 13116
Change-Id: I02371ac88ec2de6ee966fdc6df0dd246ad49c46d
Reviewed-on: https://code.wireshark.org/review/33035
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
It's not used unless we have either zlib or libbrotli, so don't define
it if we have neither of them. This fixes no-zlib/no-libbrotli builds.
Change-Id: I97358c9197a2ab789f85498cc4e40d301ecb792d
Reviewed-on: https://code.wireshark.org/review/32975
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 4234
Change-Id: Ibd59809b2dd9890a7851eb57ef7af384e280a74b
Reviewed-on: https://code.wireshark.org/review/31222
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add the request URI to the response to allow filtering of
responses by request URI in a single pass.
Bug: 15344
Change-Id: I89bf675dccaed37f54a4d13956223cbdde601e7d
Reviewed-on: https://code.wireshark.org/review/31184
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
The frame.protocols list does not contain "ssl" and thus the expert info
"Unencrypted HTTP protocol detected over encrypted port, could indicate
a dangerous misconfiguration" was shown even for the normal HTTPS port.
This also renames the http.ssl_port to http.tls_port with no backwards
compatibility, hopefully that is reasonable.
Change-Id: I5c8481693ff63dc0a19b4dc1de431680bdda3244
Reviewed-on: https://code.wireshark.org/review/29828
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
gcd95e197ca renamed a bunch of "<proto>.ssl.port" preferences to
"<proto>.tls.port" but neglected to add obsolete entries for the old
preferences. Do so here.
Rename couchbase.tls_port to couchbase.tls.port to be in line with the
other TLS port preferences.
Change-Id: Ie23d6be0a5cb3616f37e41dbfbf13ad1b7206473
Reviewed-on: https://code.wireshark.org/review/29829
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Rename packet-ssl{,-utils}.[ch] to packet-tls{,-utils}.[ch].
Change-Id: I4732162ec131ddf0734b3dd191ccc9e48a76ce06
Reviewed-on: https://code.wireshark.org/review/29659
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Rename the "ssl" protocol to "tls" and add an "ssl" alias. Prefer "TLS"
over "SSL" in user interface text and in the documentation.
Fix the test_tls_master_secret test while we're here.
Bug: 14922
Change-Id: Iab6ba2c7c4c0f8f6dd0f6d5d90fac5e9486612f8
Reviewed-on: https://code.wireshark.org/review/29649
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
g_base64_decode_inplace() does not handle a zero-length string,
so add a guard for this before calling it.
Bug: 15113
Change-Id: I89fa17dd62af238f4282835c317e5c8be6e0c8a1
Reviewed-on: https://code.wireshark.org/review/29428
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Replace ws_base64_decode_inplace() with g_base64_decode_inplace()
or g_base64_decode(), which was introduced in glib 2.12.
The only observed difference is a need to zero-terminate the buffer
after decoding.
Change-Id: Ia102d0d8e9bec575ffeddf448191a3f6de9fb1ed
Reviewed-on: https://code.wireshark.org/review/29382
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Based on an idea from David M. Lloyd, let subdissectors register
themselves with the HTTP dissector based on the Upgrade header instead
of the other way round.
Tested with SSTP (bug 82390), WebSocket (bug 13889), HTTP2 PRI without
Upgrade (bug 11331), h2c (from HTTP2 wiki), spdy/3.1 (bug 12874).
Change-Id: I1425b7119d4d85e626032408504fc2c6b2f2eeb8
Reviewed-on: https://code.wireshark.org/review/29112
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
After a HTTP upgrade, some data may already follow the headers. Be sure
to dissect this. Tested with a SSTP capture (bug 8239), HTTP proxy
capture (bug 15043), no regressions were found. WebSocket traffic from
the attached bug is now properly dissected.
Bug: 13889
Change-Id: Icc32871b4ebb2520769cb17505517d9d11543684
Reviewed-on: https://code.wireshark.org/review/29111
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The very first message after a 200 OK response to a CONNECT request
likely originates from the client. So assume that this destination is
actually the server.
This reduces the probability of address and port collisions. Previously
the proxy port (e.g. 3128) and server port (443) identified each
conversation, now it will use the client and server port instead.
Bug: 15043
Change-Id: Ib73f370334873efd773ac6b49e2db57146bc20b0
Fixes: v2.9.0rc0-1420-g2f126db3fe ("HTTP: set correct server port for tunnels")
Reviewed-on: https://code.wireshark.org/review/29110
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The server port must be set or else http_payload_subdissector will
assume two independent flows originating from the client. For example,
client 50813 connects through proxy server 3128 to server 443.
Previously it would result in three conversations: 50813<->3128 (proxy),
50813->443, 3128->443. Now it will see 50813<->3128 and 3128<->443 and
TLS decryption will work again.
Bug: 15042
Change-Id: I50bcef568be320b6512ee6fc5a09d2838d2f7a9a
Reviewed-on: https://code.wireshark.org/review/29046
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Previously HTTP message bodies following a HEAD request in the same conversation
were not desegmented, resulting in spurious "Continuation" messages and failure
to reassemble HTTP bodies. Fix this by properly taking the current HTTP message
type (request or response) into account.
Bug: 14793
Change-Id: I1ffb052468cf414b73243447138466aca47db3e6
Reviewed-on: https://code.wireshark.org/review/28312
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
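An added illustration, not Wireshark's code, of the body-framing rules described in the commits for bug 13116 and bug 14793 above: "read until the connection closes" applies only to responses, messages that never carry a body are never desegmented, and a response is framed according to the request it answers (so a 200 after HEAD has no body). The set of body-less responses (to HEAD, 1xx, 204, 304) is taken from RFC 7230 section 3.3.3; the function and class names are this example's own.

```python
def body_framing(msg_type, method=None, status=None, headers=None):
    """How the body of an HTTP/1.1 message is delimited.

    msg_type: "request" or "response"; method: the request method (for a
    response, the method of the request it answers); status: the response
    status code (int); headers: dict of lower-cased field names to values.
    Returns "none", "chunked", "content-length:<n>" or "until-close"."""
    h = headers or {}
    if msg_type == "response":
        # Responses that never carry a body (RFC 7230 section 3.3.3): to a
        # HEAD request, 1xx, 204 and 304.  The old "Connection: Keep-Alive"
        # special case is covered by the 304 check.
        if method == "HEAD" or 100 <= status < 200 or status in (204, 304):
            return "none"
    te = h.get("transfer-encoding", "")
    if te and te.split(",")[-1].strip().lower() == "chunked":
        return "chunked"
    if "content-length" in h:
        return "content-length:%d" % int(h["content-length"])
    if msg_type == "request":
        # With neither framing header a request has no body, whatever its
        # Content-Type says: "read until close" is never valid for requests.
        return "none"
    # Only a response may be delimited by the server closing the connection.
    return "until-close"

class HttpConversation:
    """Per-connection state: the method of each unanswered request, so that a
    response is framed according to the request it answers (the HEAD case
    that produced spurious "Continuation" messages before the fix)."""

    def __init__(self):
        self.pending = []

    def on_request(self, method, headers=None):
        self.pending.append(method)
        return body_framing("request", method, None, headers)

    def on_response(self, status, headers=None):
        method = self.pending.pop(0) if self.pending else None
        return body_framing("response", method, status, headers)

def replay(events):
    """Feed ("req", method, headers) / ("rsp", status, headers) tuples through
    one conversation; returns the framing decision for each message."""
    conv, out = HttpConversation(), []
    for kind, arg, headers in events:
        out.append(conv.on_request(arg, headers) if kind == "req"
                   else conv.on_response(arg, headers))
    return out
```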
Put routine to free all dynamically registered header fields in the
UAT reset callback to avoid ASAN report for memory leaks on exit.
Handle duplicated entries without leaking memory.
Call proto_free_deregistered_fields() in proto_cleanup() and move
this after prefs_cleanup() to free the memory used in UATs.
Change-Id: I96545177b5b23b9c20ad8e7751a0d5621c9ca10f
Reviewed-on: https://code.wireshark.org/review/27907
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
wmem_ascii_strdown() stops when it sees a NUL, so there's no guarantee
that the resulting string is as long as the length passed in. This is
probably the cause of bug 14779 - the check that tests whether the
header name is valid scans the result of wmem_ascii_strdown(), assuming
it has the same length as the supplied header length, but if there's a
NUL in the header, it will be shorter than the supplied header length.
Check the raw line text in the check for a valid header name; fail if we
see a NUL (as that's not a valid character in an HTTP header).
is_token_char() handles both upper-case and lower-case letters, so we
don't need to wmem_ascii_strdown() the header first.
Once that succeeds, we can safely use wmem_ascii_strdown() to make a
null-terminated all-lower-case string for the header name.
Bug: 14779
Change-Id: Id3fa046dd0b1a8bd73fc9ff582e5e1fae535c2e9
Reviewed-on: https://code.wireshark.org/review/27936
Reviewed-by: Guy Harris <guy@alum.mit.edu>
While HTTP header names are restricted to a limited set, many
implementations basically read whole lines and then look for a colon.
Actual validation happens after that. Follow that approach to avoid
early termination of request/response headers and diagnose the issue.
This may break HTTP/0.9 response parsing, but nobody should be using
that now.
Bug: 10123
Change-Id: If435aa832effc83095f9b6b822a76cb46451e7de
Reviewed-on: https://code.wireshark.org/review/27605
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Craig Jackson <cejackson51@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
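An added illustration, not Wireshark's code, of the header-name handling described in the two commits above (bug 14779 and bug 10123): locate the colon first, then validate the name on the raw bytes so an embedded NUL rejects the line rather than truncating the name, and lower-case only after validation succeeds. The naive_name_is_valid function is an assumed reconstruction of the pre-fix logic for comparison, not the dissector's actual code.

```python
# Token characters permitted in an HTTP header field name (RFC 7230 tchar);
# upper- and lower-case letters are both included, so no lower-casing is
# needed before validation.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

def is_token_char(byte: int) -> bool:
    return byte < 128 and chr(byte) in TCHAR

def naive_name_is_valid(name: bytes) -> bool:
    """Reconstruction of the pre-fix logic (illustration only): lower-case a
    C-string copy, which stops at the first NUL, then scan that copy for the
    ORIGINAL length.  With an embedded NUL the copy is shorter, so the scan
    runs off its end (an out-of-bounds read in C; an IndexError here)."""
    lowered = name.split(b"\x00", 1)[0].lower()
    try:
        return all(is_token_char(lowered[i]) for i in range(len(name)))
    except IndexError:
        return False

def parse_header_line(raw: bytes):
    """Classify one raw header line as ("end", None, None) for the blank line
    that terminates the headers, ("invalid", None, None) for a line that is
    not a header, or ("header", lower-cased name, value).  The colon is
    located first and the name is then validated on the raw bytes, so a NUL
    anywhere in the name rejects the line instead of silently truncating it."""
    line = raw.rstrip(b"\r\n")
    if not line:
        return ("end", None, None)
    colon = line.find(b":")
    if colon <= 0:
        return ("invalid", None, None)
    name = line[:colon]
    for byte in name:
        if byte == 0 or not is_token_char(byte):
            return ("invalid", None, None)
    # Validation succeeded; only now build the lower-cased, NUL-free name.
    return ("header", name.decode("ascii").lower(), line[colon + 1:].strip(b" \t"))

def parse_header_block(block: bytes):
    """Parse a header block up to its terminating blank line; returns the
    accepted headers and the raw lines that were rejected."""
    headers, invalid = {}, []
    for raw in block.split(b"\n"):
        status, name, value = parse_header_line(raw)
        if status == "end":
            break
        if status == "invalid":
            invalid.append(raw.rstrip(b"\r"))
        else:
            headers[name] = value
    return headers, invalid
```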
Have dissectors register with their protocol ID string in that table,
rather than having a table in epan/dissectors/packet-ssl-utils.c that
has to be updated for new protocols.
Have a table of protocol ID string prefixes, to handle the case of
protocols such as SPDY and HTTP2 drafts, where multiple protocol IDs are
used for different versions.
Change-Id: I363d04895a88e779fbbca7dc8e1f31aa1970a31a
Reviewed-on: https://code.wireshark.org/review/27836
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This patch adds support for sequencing HTTP Redirects. This enables
tracking of HTTP-based redirects, which may not have a Referer header.
As such, this patch also renames 'HTTP Referer statistics' to
'HTTP Request Sequences' to better reflect the more generic
functionality.
Note that this does not fully support RFC 3986. An external library like
uriparser.github.io may be a better option for efficient, full relative
HTTP URL resolution.
A Sample PCAP to test functionality is available here:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http_redirects.pcapng
A sample PCAP to demonstrate usefulness is available here:
https://www.malware-traffic-analysis.net/2015/08/31/page2.html
(examine request to hxxp://lk2gaflsgh.jgy658snfyfnvh.com/service.php)
Change-Id: I9edd1a1de86228b0dcb1df9f6f30e24379684321
Reviewed-on: https://code.wireshark.org/review/26679
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The main benefit of this feature is that it enables users to see the
succession of HTTP requests that led to a specific request.
A sample PCAP is available here:
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16085
Change-Id: I7c521315b848fbce659fdc01e43f261d804a3a48
Reviewed-on: https://code.wireshark.org/review/25319
Reviewed-by: Moshe Kaplan <me@moshekaplan.com>
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For the moment this mirrors the port_type enumeration (PT_XXX), but the
intent is to move away from using "port types", eliminating most (if not all)
Added conversation_pt_to_endpoint_type() so that conversations deal with the
correct enumeration. This is for dissectors that use pinfo->ptype as input
to conversation APIs. Explicit use of port types is converted to using the
ENDPOINT_XXX type.
Change-Id: Ia0bf553a3943b702c921f185407e03ce93ebf0ef
Reviewed-on: https://code.wireshark.org/review/24166
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Switch the file_data handling to use the captured length. In a test
capture here this lets us call the GIF dissector in a truncated packet.
Fixup a variable type and some whitespace.
Change-Id: I21b64519ad84f730e1412115035125c2bf1f361c
Reviewed-on: https://code.wireshark.org/review/23838
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 14091
Change-Id: Ic8d37e29f02dc9751c60e827aa773d915cabc088
Reviewed-on: https://code.wireshark.org/review/23802
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add a distinct field for a version in a response packet,
http.response.version
Bug: 14085
Change-Id: Ib255acf7fc329566869bfb82108826931368701d
Reviewed-on: https://code.wireshark.org/review/23769
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It avoids leaking memory in case an exception is thrown during
dissection
Change-Id: Ic63a8ad7923c81c7c7d7f0c471e304d8a5224212
Reviewed-on: https://code.wireshark.org/review/23465
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
They're not used anywhere other than inside the dissectors, so make them
private to the dissectors.
Change-Id: I9946713f34f95a8173fd7748055fd4aa2e870f70
Reviewed-on: https://code.wireshark.org/review/23357
Reviewed-by: Guy Harris <guy@alum.mit.edu>