For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.
To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.
Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens. For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.
An unhandled edge case is "1....2" which is parsed as "1 .. .. 2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.
Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Allow "tcp.srcport in {1662 1663 1664}" to be abbreviated to
"tcp.srcport in {1662 .. 1664}". The range operator is supported for any
field value which supports the "<=" and "=>" operators and thus works
for integers, IP addresses, etc.
The naive mapping "tcp.srcport >= 1662 and tcp.srcport <= 1664" is not
used because it does not have the intended effect with fields that have
multiple occurrences (e.g. tcp.port). Each condition could be satisfied
by an other value. Therefore a new DVFM instruction (ANY_IN_RANGE) is
added to test the range condition against each individual field value.
Bug: 14180
Change-Id: I53c2d0f9bc9d4f0ffaabde9a83442122965c95f7
Reviewed-on: https://code.wireshark.org/review/26945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested with some hand-generated PDUs.
Change-Id: Ic603d0ca4578d23121e438ac2458be34e63492d2
Reviewed-on: https://code.wireshark.org/review/26755
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
This patch adds support for sequencing HTTP Redirects. This enables
tracking of HTTP-based redirects, which may not have a Referer header.
As such, this patch also renames 'HTTP Referer statistics' to
'HTTP Request Sequences' to better reflect the more generic
functionality.
Note that this does not fully support RFC 3986. An external library like
uriparser.github.io may be a better option for efficient, full relative
HTTP URL resolution.
A Sample PCAP to test functionality is available here:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http_redirects.pcapng
A sample PCAP to demonstrate usefulness is available here:
https://www.malware-traffic-analysis.net/2015/08/31/page2.html
(examine request to hxxp://lk2gaflsgh.jgy658snfyfnvh.com/service.php)
Change-Id: I9edd1a1de86228b0dcb1df9f6f30e24379684321
Reviewed-on: https://code.wireshark.org/review/26679
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Add duplicate ACK ticks to Statistics → TCP Stream Graphs → Time
Sequence (tcptrace), which I missed when porting from GTK+. Add zero
window crosses while we're here.
Switch TCPStreamDialog to a subclass of GeometryStateDialog.
Add a slot and URL for the Help button and a stub entry in the User's
Guide.
Bug: 12009
Change-Id: Idf2ddb9eb33d924d65998285b5cffc234156497c
Reviewed-on: https://code.wireshark.org/review/26592
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This change introduces the OSCORE dissector, following
draft-ietf-core-object-security-07. It performs decryption and
authenticity
check on requests.
Bug: 14417
Change-Id: I92e45d66d5df51f6d4dbea4ef44e707955b65bee
Reviewed-on: https://code.wireshark.org/review/25480
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Change-Id: I34f610a19a972db1c08d7896453e5ed671ec4dc6
Reviewed-on: https://code.wireshark.org/review/26394
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
MaxMind is discontinuing its legacy databases in April in favor of
GeoIP2, which use a newer database format (MaxMind DB). The reference C
library (libmaxminddb) is available under the Apache 2.0 license which
isn't quite compatible with ours.
Add mmdbresolve, a utility that reads IPv4 and IPv6 addresses on stdin
and prints resolved information on stdout. Place it under a liberal
license (MIT) so that we can keep libmaxminddb at arm's length. Add
epan/maxmind_db.[ch], which spawns mmdbresolve and communicates with it
via stdio.
Migrate the preferences and documentation to MaxMindDB.
Change the IPv4 and IPv6 asnum fields to FT_UINT32s. Change the
geographic coordinate fields to FT_DOUBLEs.
Bug: 10658
Change-Id: I24aeed637bea1b41d173270bda413af230f4425f
Reviewed-on: https://code.wireshark.org/review/26214
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Remove the endpoint map and its button from the Qt and GTK+ UIs. It
depends on GeoIP Legacy for coordinate information and those databases
are being deprecated in favor of MaxMind DB. We *could* upgrade the code
to use mmdbresolve, but according to
https://dev.maxmind.com/geoip/geoip2/geolite2/ they're also going to
remove coordinate information from GeoLite2:
"In addition, in 2019, latitude and longitude coordinates in the
GeoLite2 databases will be removed.* Latitude and longitude coordinates
will continue to be provided in GeoIP2 databases. Please check back for
updates."
Change-Id: I43e1593d282a0f1aae897b1f4724117d1496b21e
Reviewed-on: https://code.wireshark.org/review/26229
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Use the standard Wireshark style sheet for the release notes. Add a note
about updating them via themes.asciidoctor.org.
Change-Id: Ic6b66308cf1e1bea7b34a09963f92881d01eda8c
Reviewed-on: https://code.wireshark.org/review/25911
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This adds a dissector for the Steam In-Home Streaming
Discovery Protocol by Valve Software.
Useful documentation can be found at:
https://codingrange.com/blog/steam-in-home-streaming-discovery-protocol
Change-Id: I26a79e201cfb0aad0ca702ac962e1e7b1b541517
Reviewed-on: https://code.wireshark.org/review/23615
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix a few errors in the Asciidoctor macros. Use the new macro names in
the release notes and gen-bugnote.
Change-Id: I2ca672949c59ca3da8a6b963cb5bd9abd66c348d
Reviewed-on: https://code.wireshark.org/review/25774
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Switch the markup text processor for files in the docbook directory from
AsciiDoc to Asciidoctor. Asciidoctor has several useful features (such
as direct PDF output) and is actively developed. It's written in Ruby
but that dependency can be sidestepped with AsciidoctorJ, a
self-contained bundle that only depends on the JRE.
The current toolchain targets require Python, AsciiDoc, DocBook XML,
DocBook XSL, Java, FOP, xsltproc, lynx, and the HTMLHelp compiler:
HTML: AsciiDoc → DocBook XML → xsltproc + DocBook XSL
Chunked HTML: AsciiDoc → DocBook XML → xsltproc + DocBook XSL
PDF: AsciiDoc → DocBook XML → xsltproc + DocBook XSL → FOP
HTMLHelp: AsciiDoc → DocBook XML → xsltproc + DocBook XSL → HHC
This change removes the AsciiDoc and FOP requirements and adds either
AsciidoctorJ or Asciidoctor + Ruby:
HTML: Asciidoctor → DocBook XML → xsltproc + DocBook XSL
Chunked HTML: Asciidoctor → DocBook XML → xsltproc + DocBook XSL
PDF: Asciidoctor
HTMLHelp: Asciidoctor → DocBook XML → xsltproc + DocBook XSL → HHC
Ideally we could generate all of these using AsciidoctorJ, Java, and
lynx. Unfortunately we're not there yet.
The release notes depend on several macros (ws-buglink, ws-salink,
cve-idlink, sort-and-group). Add Asciidoctor (Ruby) equivalents.
Remove the BUILD_xxx_GUIDES CMake options and add various output targets
automatically. This means that you have to build the various documentation
targets explicitly.
Change-Id: I31930677a656b99b1c6839bb6c33a13db951eb9a
Reviewed-on: https://code.wireshark.org/review/25668
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Switch from AsciiDoc's smart quotes markup to the quotes themselves. Use
double curly quotes in place of singles.
Switch from XML entities to their direct equivalents where we can.
Switch from hex entities to decimal entities where we can't or it's not
convenient. (Asciidoctor PDF doesn't yet handle hex entities).
Change-Id: Iaf5ec33249e1c91b3d50b5d96251763243b72836
Reviewed-on: https://code.wireshark.org/review/25606
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Adding Session Multiplex Protocol SMP
SMP is used by TDS when MARS in enabled.
Bug: 14110
Change-Id: Ia4113c627d107da6c3d51e4004265efb228a297b
Reviewed-on: https://code.wireshark.org/review/25509
Reviewed-by: Craig Jackson <cejackson51@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I306341c7cddf8facb4a9ca62254a465a1da22174
Reviewed-on: https://code.wireshark.org/review/25423
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I049c8b9b9a0a1da2243217532186ba5a19cf5671
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/25424
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Codecs in general come in many flavours, G.729 non in the least.
Be accurate about what codec implementation is actually provided.
Change-Id: I372062906bef973c8e19b63e5296574780d8a89e
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/25388
Reviewed-by: Michael Mann <mmann78@netscape.net>
ASN.1 prose imported from the specification and heavily modified
manually to workaround its poor quality.
Some of them are marked with -- WS modification comment, some are not.
Probably useless as-is, but it is an initial start until an updated
version is available.
Change-Id: I19ab6cedb6aa23c8ed57bae525ee4a3391494e32
Reviewed-on: https://code.wireshark.org/review/25235
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This interperates the main body of Lustre traffic.
This dissects all current Lustre OPCODES (as of Lustre 2.10.2)
This dissects MDS REINT sub-opcodes
This dissects LDLM Intent opcodes
This dissects LLOG EADATA
Conversation matching is just IP based and not IP/port based.
Only one lustre "instance" can be running on a given host at a given time,
and request / reply pairs aren't don't always match by port numbers.
Add exception for lustre_* structure names in PROTOABBREV.
We have several lustre.lustre_* because the internal lustre structre is
named lustre_ (i.e. lustre_handle or lustre_msg_v2)
This is still a work in progress, as there are missing FLAG values
and some LLOG EADATA structures that aren't fully decoded.
Change-Id: If57085e2692565336e49f40fb475ca1035da7a35
Signed-off-by: Nathaniel Clark <nathaniel.l.clark@intel.com>
Reviewed-on: https://code.wireshark.org/review/24800
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use SetConsoleTextAttribute to reset our colors on Windows. Update the
release notes and man page.
Change-Id: I2bc309787f9c2331324503092bd1c9ae6360eb55
Reviewed-on: https://code.wireshark.org/review/25170
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I360bc4f802e28e9fc64cbd5cc06e514cbaf3b25f
Reviewed-on: https://code.wireshark.org/review/25091
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Two Edit->Copy methods are using the same keyboard shortcut as other
functionality:
1. Ctrl+Shift+D is used for "Copy this item's description" and
"Ignore All Displayed packets"
2. Ctrl+Shift+F is used for "Copy this item's field name" and
"Reload as File Format/Capture"
Resolve this by changing the Copy methods to use Ctrl+Alt+Shift as modifier.
Add a keyboard shortcut for "Copy all visible items" while here.
Change-Id: I0d963501055e63963d93e211f592aa9e82801d3c
Reviewed-on: https://code.wireshark.org/review/24884
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
So far decode just packet headers
Change-Id: I7a01f3c83b97882f4c669122ad94b2bdab0ab251
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
Reviewed-on: https://code.wireshark.org/review/24583
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Instead of blurring the main welcome screen during startup, draw a dark
band under the progress bar. This reduces the startup time a bit here.
Port over a date check from the GTK+ UI.
Change-Id: I997d0fd2e4320702fe85ee2aea02ce835a423df9
Reviewed-on: https://code.wireshark.org/review/24711
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>