(where the initial length isn't readily available when item is first added)
Note that this still won't work where an initial length of 0 is given for
the item that will later be extended using proto_item_set_len(), as the
pointer value part of the zero-length array will remain NULL...
svn path=/trunk/; revision=23253
- if offset is 0, tvb_length is the same as tvb_length_remaining, just faster.
Replace
- col_append_fstr() with faster col_append_str()
- col_add_str() with col_set_str()
when it's safe
svn path=/trunk/; revision=23252
Removed some workaround code in the .cnf file.
There is still some code for handling an EXTERNAL (EXTERNALt) as the RTSE dissector has its own set of callbacks and consequently can't (currently) use the packet-ber.c functions.
svn path=/trunk/; revision=23242
Note that there is still a problem with 'Apply as filter' filters. They seem to remember the initial length of the item, and not the final length set using proto_item_set_len() (this is the case for groups of TBs/PDUs). Will investigate when time allows...
svn path=/trunk/; revision=23239
if we were given them; doing so when we weren't seems to change the
apparent group set in OS X 10.5 (and possibly 10.4 - the group set
manipulated by getgroups()/setgroups() isn't the full group set, and
changing your UID might cause the credential identity resolver daemon
not to give you your full group set).
svn path=/trunk/; revision=23234
sFlow datagrams can contain sampled headers from conversations on the network.
Often it is convenient to have wireshark dissect these payload headers, but
doing so can also have undesirable side effects. Dissected payload headers may
match filters looking for header fields that also happen to occur in the
payload. This can cause surprising results.
Also TCP analysis will almost always flag errors on sampled headers. They are,
after all, just a sample and many sequence numbers are sure to be missing.
There is probably a more general way to resolve these issues, but adding
preferences to enable/disable tcp analysis and dissection of sampled headers
will be a good start. This will make it possible to examine the details of
sampled headers if desired or to disable dissection if the side effects of
dissecting sampled headers cause issues.
svn path=/trunk/; revision=23230
H.225
- change RysMessage_vals to h225_Rasmessage_vals
- use #.PDU directive for H323-UserInformation and RasMessage instead of implementing it by hand
- register RasMessage_PDU as "h225.ras" dissector for calling it from H.460
asn2wrs make PDUs exportable
svn path=/trunk/; revision=23226
- Generic Extensible Framework helper
- Annex M1 (QSIG over H.323)
- Annex M4
- Annex R
H.225/H.245 support for Generic Extensible Framework (GEF)
H.235 register MIKEY into new H.225/H.245 GEF tables
regenerate H.225,H.245,H.235,H.450,H.450-ROS,T.35 from new makefiles
svn path=/trunk/; revision=23216
When a SYN/ACK is missing in the capture, the base_seq used in
relative sequence numbers was not set correctly. I made the
setting of fwd->base_seq and rev->base_seq a little more solid.
svn path=/trunk/; revision=23213
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1751
The patch adds support to wiretap for a new libpcap DLT for bluetooth captures.
This DLT carries the direction information, which now can be displayed
correctly.
The hci H4 dissector is updated to handle also the newly introduced wtap encap.
svn path=/trunk/; revision=23208
Author :
Richard Kuemmel <r.kuemmel[AT]beckhoff.de>
Updates and bugfixes:
Peter Johansson <peterjohansson73[AT]gmail.com>
svn path=/trunk/; revision=23174
I would like to submit the dissector that will add support for dissecting CFM
packets with the ethertype 0x8902 defined by the IEEE proposal for 802.1ag
Draft 8.1. This code has been tested using the CFM feature implemented on a
pre-GA build of the Spirent TestCenter, and the Alcatel-Lucent 7330 ISAM
product. Code has been reviewed and tested by the design team at
Alcatel-Lucent in the Access Network Department (AND).
I have also added some elements for the ITU proposal Y.1731, where it will
recognize all additional opcodes for that proposal, and it will fully dissect
the AIS PDU.
Fuzztest has been performed and has passed.
svn path=/trunk/; revision=23170
This is a replacement of the existing decoding of ERF files (Extensible Record
Format from Endace).
For the decoding of the ERF files, according to the "type of record" given in
the ERF header, several decoders can be used. Up to now, the decoder is
determined according to an environment variable, or with a kind of heuristic.
And, all the treatment is done during the file extraction.
The new architecture will separate the ERF file decoding and the ERF record
decoding. The ERF records will be decoded with a specific dissector. This
dissector can be configured with options, to replace the environment variable.
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1839
svn path=/trunk/; revision=23092
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1888
There are new versions of CMP (v2) in RFC4210 and CRMF (v2) in RFC4211. The
right to exist of CRMF is bound to CMP so I don't split that into two bug
reports.
I'll upload the new (slightly handmassaged) ASN.1 files for both protocols,
along with patches for the respective cnf files, where I also added new
#.REGISTER statements.
Additionally I had to export some definitions from pkix1explicit (Attribute,
Time, UniqueIdentifier and Version) and from pkix1implicit (KeyIdentifier).
I'll also upload a patch for that.
I uploaded a CMPv2 sample (with errors in the protocol!) to the wiki.
svn path=/trunk/; revision=23082
LocalIdentifier when problems with the GlobalDomainIdentifier.
- Initialize global pointers to avoid potential crashes.
svn path=/trunk/; revision=23080
- Added generated entry for total missing sequence numbers
- Added expert info on invalid ack info length
- Added count of ack in info column
svn path=/trunk/; revision=23079
This patch adds support for IMPS 1.3 protocol dissection and also
updates IMPS 1.2 protocol to approved release version.
From me:
- Updated vals_wbxml_public_ids table.
- Reindented file.
svn path=/trunk/; revision=23078
1) IPFIX port (4739) should be configurable without recompiling
2) It should be possible to specify more than one port to be dissected as
Netflow and/or IPFIX
3) Netflow should recognize UDP ports 2055 and 9996 (Both are common)
Also (from me):
- make Netflow a "new style" dissector: return 0 if it doesn't appear to be a
valid netflow packet
- register the old preference (cflow.udp.port) as obsolete so users don't see
warnings about it not being valid
svn path=/trunk/; revision=23075
- COL_REL_CONV_TIME which is used to display the time relative to the first frame that was seen in the conversation
- COL_DELTA_CONV_TIME which is used to display the delta time from the previous frame of the conversation
It also adds the function "col_set_time()" to "epan/column-utils.[ch]" which can be called from within a dissector to set either of these two columns to the appropriate time.
Last but not least, it lets the tcp-dissector make use of these two columns.
svn path=/trunk/; revision=23058
packets that don't look like valid radius.
verify that a packet is radius by checking that the command code is
known and also that the length is between 20 and 4096 bytes
move the tap data to be ep_allocated instead of a static global variable
don't use tvb_memcpy() to read a structure off the wiredata
use tvb_get_... to unmarshall the fields explicitly
this fixes bug 1634
svn path=/trunk/; revision=23039
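The checks this commit message describes (known command code, length between 20 and 4096, fields read one by one instead of copying a struct off the wire), as an added stand-alone example that is not Wireshark's code. The names `radius_hdr`, `get_be16` and `radius_heuristic` are hypothetical, the code list is taken from RFC 2865/2866/3576 rather than from the dissector's own table, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_MIN_LEN 20    /* code + id + length + 16-byte authenticator */
#define RADIUS_MAX_LEN 4096

/* Parsed header fields (hypothetical struct for this example). */
struct radius_hdr {
    uint8_t  code;
    uint8_t  ident;
    uint16_t length;
};

/* Read a big-endian 16-bit field byte by byte. Unlike overlaying a struct
 * on the buffer, this does not depend on host byte order or padding. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Assumed code list (RFC 2865/2866/3576), not the dissector's table. */
static int radius_code_known(uint8_t code)
{
    switch (code) {
    case 1: case 2: case 3:      /* Access-Request/Accept/Reject */
    case 4: case 5:              /* Accounting-Request/Response */
    case 11:                     /* Access-Challenge */
    case 12: case 13:            /* Status-Server/Client */
    case 40: case 41: case 42:   /* Disconnect-Request/ACK/NAK */
    case 43: case 44: case 45:   /* CoA-Request/ACK/NAK */
        return 1;
    default:
        return 0;
    }
}

/* Returns 1 and fills *out when buf passes the heuristic, 0 otherwise
 * (the "new style" dissector convention of rejecting foreign packets). */
int radius_heuristic(const uint8_t *buf, size_t caplen, struct radius_hdr *out)
{
    if (buf == NULL || out == NULL || caplen < 4)
        return 0;                         /* cannot even read the length */
    if (!radius_code_known(buf[0]))
        return 0;
    uint16_t len = get_be16(buf + 2);
    if (len < RADIUS_MIN_LEN || len > RADIUS_MAX_LEN)
        return 0;
    out->code = buf[0];
    out->ident = buf[1];
    out->length = len;
    return 1;
}

/* Constructed sample headers (authenticator bytes left as zero). */
static const uint8_t sample_ok[20]       = { 0x01, 0x2a, 0x00, 0x14 };
static const uint8_t sample_bad_code[20] = { 0xff, 0x2a, 0x00, 0x14 };
static const uint8_t sample_short[20]    = { 0x01, 0x2a, 0x00, 0x13 };
static const uint8_t sample_long[20]     = { 0x01, 0x2a, 0x10, 0x01 };

int main(void)
{
    struct radius_hdr h;
    printf("ok=%d bad_code=%d short=%d long=%d\n",
           radius_heuristic(sample_ok, sizeof sample_ok, &h),
           radius_heuristic(sample_bad_code, sizeof sample_bad_code, &h),
           radius_heuristic(sample_short, sizeof sample_short, &h),
           radius_heuristic(sample_long, sizeof sample_long, &h));
    return 0;
}
```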
address_to_str_buf() does now take COL_MAX_LEN as a parameter.
Add support for AT_URI to col_expr for addresses in col_set_addr(). The field names are "uri.src" and "uri.dst".
svn path=/trunk/; revision=23017
nothing really in the header to identify it reliably as silly
vendor specific encapsulation
10000 is actually registered by iana for ndmp so it makes no sense for
a lazy vendor to use it by default.
make it check if the packet is ndmp first before assuming that anything
that goes to port 10000 must be some lazy vendor specific protocol
grrr
svn path=/trunk/; revision=23009
make ndmp a heuristic dissector so it will "win" over tcp esp if the
packets look like ndmp and if "preferences/tcp/heuristic dissectors
first has been chosen"
svn path=/trunk/; revision=23006
http://library.gnome.org/devel/glib/unstable/glib-Miscellaneous-Macros.html#id2571572
G_INLINE_FUNC
#define G_INLINE_FUNC
This macro is used to export function prototypes so they can be linked with an external version when no inlining is performed. The file which implements the functions should define G_IMPLEMENTS_INLINES before including the headers which contain G_INLINE_FUNC declarations. Since inlining is very compiler-dependent using these macros correctly is very difficult. Their use is strongly discouraged.
This macro is often mistaken for a replacement for the inline keyword; inline is already declared in a portable manner in the glib headers and can be used normally.
svn path=/trunk/; revision=22980
To quote doc/README.developer:
Don't use "inline"; not all compilers support it. If you want to have a
function be an inline function if the compiler supports it, use
G_INLINE_FUNC, which is declared by <glib.h>.
svn path=/trunk/; revision=22979
case N ... M:
as that's not supported by all compilers.
Say so in the Portability section of README.developer, in the hopes of
discouraging others from using that GCCism.
svn path=/trunk/; revision=22976
tcp.time_relative ==> the time that has elapsed since the
first packet that was seen in the current TCP stream
tcp.time_delta ==> the time that has elapsed since the
last packet that was seen in the current TCP stream
Calculating these timestamps is turned off by default to not
use the extra memory that is needed for the per-packet-data.
It can be turned on through the TCP protocol preferences
svn path=/trunk/; revision=22966
This is an update for the DCCP dissector and has previously been sent to
the DCCP dissector maintainer, Francesco Fondelli, who supplied
the Acked-by. I have been using it with profit for several weeks.
This patch provides the following extensions:
* type-dependent decoding of feature-negotiation options (NN and SP types of
options, NN is a 1..6 byte value in network-byte-order, SP is always a list of
unsigned char)
* decoding for CCID3 Send Loss Event Rate feature
* some pretty-printing of options
* decoding of CCID3-specific options
- Loss Event Rate (receiver report)
- Receive Rate (also reported by receiver)
* there was a change in the spec - the NDP count at some time `grew' from 3 to
6 bytes (it was the same in the kernel). I have updated the data type from uint32 to
uint64
* utility function to decode from network-byte-order into host byte order with
variable length
svn path=/trunk/; revision=22961
authentication packet or else we will get inconsistent dissection when
clicking on packets.
(inconsistent as in : a certain packet might/might not be dissected as
LDAP/SASL depending on which packets we clicked on previously)
svn path=/trunk/; revision=22949
can't check that the payload starts with BER tag 0x60 and an oid.
instead check that the length byte (first 4 bytes) look sane and if
SASL authentication has been negotiated on the connection
also, sometimes clients will mix both non-SASL and SASL protected LDAP
traffic on the same tcp connection by initially performing simple
unauthenticated searches on the database before performing the Bind.
svn path=/trunk/; revision=22948
Capture files generated on TCP segmentation offload (TSO) hardware have an
all-zero IP-length field in outbound packets.
Wireshark errors out on the small length and refuses to parse the packet further.
svn path=/trunk/; revision=22931
Wireshark is only supporting a very old and deprecated version of the Bluetooth
specification (1.1). The Bluetooth SIG recently ratified version 2.1 of the
Bluetooth specification and a lot of enhancements have been added to the
specification. The HCI dissectors need a major update to match these changes.
svn path=/trunk/; revision=22924
At an August 2007 meeting, a T11 committee made changes to the encapsulation
protocol for FCoE. For the latest info, see http://fcoe.com.
The attached patch will update the dissector to handle the new version also.
svn path=/trunk/; revision=22915
- reassembling of fragmented TIPCv2 messages
- calling of heuristic subdissectors
- multicast upper+lower bound header fields are now shown
- corrects few typos in the comments in packet-tipc.c
svn path=/trunk/; revision=22889
packets in the Packet Details View.
These "appendix" bytes are not copied with the Copy functions or in the
Export Selected Packet Bytes.
svn path=/trunk/; revision=22887
The decoding of FC ELS opcodes is incomplete. The attached patch adds a few
more that are sometimes seen (ECHO, RTV, RLS, REC, and LKA).
The list is still incomplete.
svn path=/trunk/; revision=22880
ethernet's VLAN tag. It is sometimes called the VSAN tag.
It used to be proprietary, but now it's standard.
Wireshark currently displays it as an 8-byte field without dissecting it further.
It'd be nice to have it broken down into fields. A patch is attached.
svn path=/trunk/; revision=22879
fetch the major OS version. If we're running Windows >= 6 (Vista)
_and_ npf.sys isn't running, warn the user in Wireshark and TShark.
Add a recent prefs item to disable the warning in Wireshark.
svn path=/trunk/; revision=22877
- Indexing (implied and not) is OK now, however indexes for related tables (AUGMENT, EXTEND, etc) are registered many times.
svn path=/trunk/; revision=22861
1) DMP "range" addresses can cause packet dissection failure.
2) A NULL return of match_strval() is not handled.
3) DMP addresses should be displayed in hex.
4) ep_alloc should not be used, use static variables.
svn path=/trunk/; revision=22850
indicate that they're for DFS; update comments as well.
Rename packet-dcerpc-afs4int.c to packet-dcerpc-fileexp.c, and change
the short and filter names for the protocol, and the names for the
filterable fields, to reflect the fact that it's for the File Exporter
protocol in DFS. ("AFS 4" = DCE DFS.)
svn path=/trunk/; revision=22827
The attached patch to packet-bfd.c adds the following enhancements to BFD
decoding:
- The Authentication Section is now decoded. All of the authentication methods
are supported. Verification of checksums is not implemented.
- BFD flags are now shown in a tree
- Added support for the M flag
- Added a display filter for the message length
- For the Desired Min TX Interval, Required Min RX Interval, and Required Min
Echo RX Interval fields, the time value is now printed in both milliseconds and
microseconds. (Previously, only milliseconds was being shown.) The PDU
represents the time in microseconds, but most implementations deal in
milliseconds.
- Added a warning to flag the packet if the Authentication bit is set, but the
full Authentication Section is not present.
- Added descriptions for most of the fields
- Fix the name of the protocol. BFD stands for Bidirectional Forwarding
Detection and not Bi-directional Fault Detection.
- Register the protocol on the UDP multihop port (4784).
- Change the filter name for the protocol from bfdcontrol to bfd since all of
the other display filters started with bfd.
Removed unused hf_bfd_auth_checksum.
Modified printing of the ':' at the end of the Authentication tree.
svn path=/trunk/; revision=22825
Instead of overflowing an unsigned int when determining the number of
items in a range, use a signed int and check for a negative value. Make
sure our offset increments as we step through each item. This should
avoid large/infinite loops.
Fix the size of hf_dnp3_al_range_stop32.
svn path=/trunk/; revision=22811
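The range-count problem described in this commit message, as an added stand-alone example that is not the DNP3 dissector's code. The function names are hypothetical and the buffer is constructed; where the commit uses a signed int, this version goes one step further and computes in `int64_t` so that a full 32-bit start/stop pair cannot overflow the signed type either.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Before: unsigned arithmetic. A range with stop < start wraps around to
 * a huge item count, which then drives a very long loop. */
uint32_t range_count_unsigned(uint32_t start, uint32_t stop)
{
    return stop - start + 1;
}

/* After: compute in a wider signed type and reject a non-positive
 * result. Returns the item count, or -1 for an invalid range. */
int64_t range_count_checked(uint32_t start, uint32_t stop)
{
    int64_t n = (int64_t)stop - (int64_t)start + 1;
    return (n <= 0) ? -1 : n;
}

/* Step through fixed-size items in buf. The offset advances on every
 * iteration and is checked against len, so the loop is bounded by the
 * data actually present, whatever the range fields claim.
 * Returns the number of items walked, or -1 if the range is invalid,
 * item_size is 0 (offset would never advance) or the data is truncated. */
int64_t walk_range(const uint8_t *buf, size_t len,
                   uint32_t start, uint32_t stop, size_t item_size)
{
    int64_t n = range_count_checked(start, stop);
    size_t offset = 0;
    int64_t i;

    if (buf == NULL || n < 0 || item_size == 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (len - offset < item_size)
            return -1;            /* fewer bytes than the range claims */
        /* a real dissector would decode buf[offset..] here */
        offset += item_size;
    }
    return i;
}

/* Constructed 16-byte object data: room for four 4-byte items. */
static const uint8_t sample_items[16] = { 0 };

int main(void)
{
    printf("unsigned count for 10..5: %lu\n",
           (unsigned long)range_count_unsigned(10, 5));
    printf("checked count for 10..5:  %lld\n",
           (long long)range_count_checked(10, 5));
    printf("walk 0..3: %lld, walk 0..4: %lld\n",
           (long long)walk_range(sample_items, sizeof sample_items, 0, 3, 4),
           (long long)walk_range(sample_items, sizeof sample_items, 0, 4, 4));
    return 0;
}
```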
packet-netflow.c lacks the capability to decode ipv6 address related fields in netflow v9.
This patch enables dissecting the following fields:
Type 27 IPV6_SRC_ADDR,
Type 28 IPV6_DST_ADDR,
Type 29 IPV6_SRC_MASK,
Type 30 IPV6_DST_MASK and
Type 62 IPV6_NEXT_HOP.
svn path=/trunk/; revision=22793
use g_hash_table_new() on gtk1 and leak memory instead
this should actually be using an se_tree instead of hashtables
svn path=/trunk/; revision=22789
This patch adds a new feature to dissect HSRPv2 packets.
One of the main features of HSRPv2 can enable using HSRP on IPv6. In order to
achieve this new feature, HSRPv2 packet format is totally different from
HSRPv1. HSRPv2 introduces new TLV formats.
This patch can decode these new formats of HSRPv2.
svn path=/trunk/; revision=22781
RTP analysis' jitter values are thrown off by RTP events
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1076
a) Ephemeral string (packet duration) was inserted into long-term hash of
dynamic payloads
b) There was no clock_rate mapping for MIME type "telephone-event".
svn path=/trunk/; revision=22780
tvb_reported_length_remaining(), not by tvb_length_remaining() -
tvb_length_remaining() shows only the amount of *captured* data
remaining, but the capture might have been done with a snapshot length
that cut the packet data short.
The payload length from the PPPoE header could legitimately be different
from the actual length of the PPPoE payload if there's not enough PPPoE
payload to avoid padding at the E(thernet) level. Only complain if
there shouldn't have been any padding.
Report an "expert" warning if the payload length looks wrong.
Update a comment to reflect current reality (as of many many years ago,
when we went all-tvbuff).
svn path=/trunk/; revision=22770
Fix for bug 1807. This patch corrects the decoding of the NotificationParameters.
I fuzz tested with these and other captures (Pass > 100).
svn path=/trunk/; revision=22766
not a lost packet but the tcp ports are being reused. This is often
seen in load-balanced environments where client ports are preserved
on the server-side.
We only want to report port reusage once, so the SYN/ACK is excluded
from TCP_SEQ analysis.
svn path=/trunk/; revision=22762
setuid instead of Wireshark. Remove the "DANGEROUS" notices, but leave it
disabled by default. Whine if the user runs Wireshark or TShark as root.
Add a preference to disable the whining. Add a "setuid-root" script that
can be used to switch dumpcap and TShark's setuid-ness on and off for
development and testing. Update the release notes and README.packaging.
svn path=/trunk/; revision=22733
- Added ASN.1 integer values for StandardExtension, ExtensionAttributeType
and TokenDataType.
- Added expert info for unknown standard-extension, extension-attribute-type
and tokendata-type.
- Added expert info for unknown built-in content-type.
svn path=/trunk/; revision=22730
- As noted by Thomas Anders values are not added to the tree anymore. Move the calling of subdissectors to the end of the function, so that the value is added to the tree.
- add port 8161 to be decoded as SNMP (hey, it's on IANA's services file!)
UAT:
- do not have the uat reloaded.
OIDS:
- do not complain if renaming an OID to an identical name
svn path=/trunk/; revision=22704
rename dcerpc_smb_fetch_pol to dcerpc_fetch_polhnd_data and also make
it take an additional parameter to return the "type" of the policy
handle, if such a type was stored.
extend the pol_value structure used to track policy handles to also
store a type to represent what created the policy handle
types could be USER/ALIAS/CONNECT/... etc handles returned from the
SAMR interface
add a new helper function dcerpc_store_polhnd_type()
track policy handles between request/responses for dcerpc
update the samr.cnf file to make the samr dissectors for
SetSecurity/QuerySecurity dissect the specific bits for the security
descriptor correctly based on whether the policy handle refers to a
CONNECT/DOMAIN/USER/ALIAS or GROUP
svn path=/trunk/; revision=22703
- reimplement the "snmp.variable_oid" dissector table
- oids.[ch]
- get rid of keytype_implicit in oid_value_type_t we won't use it.
- have the windows base path for mibs be consistent to where we've put the mibs
- oid_get_from_encoded() and oid_get_from_string(): have the subids array being computed in a prior statement of where the side-effected argument is going to be used... worked on gcc, not on windows... I deserve "have daemons flying out of my nose" for that :-).
svn path=/trunk/; revision=22684
Place two DISSECTOR_ASSERT() guards to avoid an (I believe impossible) buffer overflow of the ep_allocated subid array in oid_string2subid() and oid_encoded2subid().
svn path=/trunk/; revision=22656
1. Priority field decode.
The 802.1q tag field of a frame is separated from its frame body in
a ERSPAN packet.
Current packet-cisco-erspan.c decodes only the vlan id field of the
802.1q tag.
This patch can also decode the priority field of the 802.1q tag.
2. Direction of a captured frame decode.
An ERSPAN packet includes the additional information of the direction
of a captured frame as below.
If a captured frame comes from outside to a switch port, this means an
'Incoming' frame. If a captured frame goes out of a switch port,
this is an 'Outgoing' frame.
Added an extra unknown value for the bit between direction and spanid.
svn path=/trunk/; revision=22649
- Decodes all valid Restart Signaling CLVs
- The restart flags are now shown in a tree and have display filters for them
- The Remaining hold time field now has a display filter
- The Restarting Neighbor Id field is now decoded
- Corrected another CLV decoder that assumed the length of a system ID was 6
and hard coded that value instead of using the id_length variable
Rearranged the Restart Signaling Flags to show the most significant bit first
svn path=/trunk/; revision=22646