146 Commits

Author SHA1 Message Date
João Valverde eda38f5f2d Replace g_utf8_make_valid() with own function
The function ws_utf8_make_valid() is all-around better and
also does maximal substitution of subparts.
2023-02-08 11:21:19 +00:00
Ryan Doyle 48fa729a9c HTTP2: Track the frame the request/response is contained in
Similar to the HTTP dissector, link between the frames that contain the request
and response.
2023-01-26 19:37:34 +00:00
Kevin Grigorenko 43c5eedc97 Handle NULL http2_session_t parsing an H2 settings frame 2023-01-19 17:35:48 +00:00
Kevin Grigorenko b301dee0e1 Add HTTP2 connection and session window sizes 2023-01-18 07:04:53 +00:00
Martin Mathieson 30ef9d38cd Make a couple of functions static 2023-01-16 18:17:59 +00:00
Kevin Albertson e8cd0d1457 http2: fix leak of composite 2023-01-09 08:04:08 +00:00
John Thacker 0e93070745 follow: Add function for sub stream id to registration
When dissectors register for Follow Stream, have them register a
function for finding the next valid sub stream id for a given
stream and substream id pair. This function is NULL if the dissector
does not use sub stream IDs.

Use this function in follow_stream_dialog to update the sub stream
id widget (and use the absence of the function to disable and hide
the widget.) Use this function in the CLI tap-follow to determine
whether to parse a sub stream id from the command line options.

This removes the dependencies on epan/dissectors from the Qt
follow_stream_dialog, and gets us closer to having dissectors
being able to register for Follow Stream without having to update
anything in the common source code.
2023-01-05 05:04:33 +00:00
John Thacker 10c84b6450 HTTP2: Load dynamic hf entries when UAT is changed
The dynamic hf entries for HTTP2 read from the UAT should be
changed when the UAT is changed or reset, not on each file
load and file close. If a field is added as a column, coloring
rule, or filter, and the capture file is changed, deregistering
the field and reregistering it can cause a crash.

Use the same approach as with HTTP and SIP, slightly modified
because in HTTP2 the header fields hash contains the static
headers as well, to prevent adding duplicate entries via the UAT.

Fix #14768
2022-11-30 11:04:05 +00:00
John Thacker 92208e4330 HTTP2: Ensure that the unescaped header value is valid encoding
It's possible, in the case of errors, for the result of
g_uri_unescape_string not to be valid UTF-8, either if originally
some other encoding was percent-encoded, or if there were errors.
Check for it.

Fix #18658.
2022-11-20 11:44:39 +00:00
John Thacker dcbd3874d3 tls: add support for DESEGMENT_UNTIL_FIN, sequence numbers
Add a tlsinfo struct that is similar to tcpinfo, and carries
the sequence number (within the TLS stream) and the end of
stream notification (from the TCP FIN or close_notify alerts)
in addition to the session app handle pointer already used
by TLS heuristic dissectors.

Have HTTP use the end of stream notification in order to
handle DESEGMENT_UNTIL_FIN the same way it does when HTTP
is directly over TCP. Also have HTTP use the sequence number
in order to reduce chunked processing from O(N^2) to O(N)
similar to what is done over TCP.

Update all the TLS heuristic dissectors that set the app
handle to use the new structure.

Note the workaround for the issue #15159 - the TLS dissector
has to report to the TCP dissector that desegmentation at FIN
is required, so that the TCP dissector will know to call the
TLS dissector at FIN. However, the TLS dissector does not request
that the TCP dissector resend bytes belonging to records that
TLS has already desegmented (and decrypted, if possible), to
avoid decrypting twice (and upsetting the decoder state.)

This can mean the TCP dissector calling the TLS dissector to
desegment at FIN with a zero byte payload. In such a case, the
TLS dissector artificially returns "1" byte dissected to avoid
indicating rejecting the payload and having the TLS (and subdissector)
layers removed. (TCP ignores the value returned when desegmenting
at FIN.)

Fix #9154. Fix #14382.
2022-11-01 10:03:35 +00:00
John Thacker 2762c64010 follow: Have followers register their stream count function
Instead of having the UI have to know about each type of follow
stream, and how to retrieve its total number of streams, have
each follow type register a function that returns the total
number of streams. (The function can be NULL, for protocols like
SIP that do not use this.)

This gets us closer to making follow stream registration generic.
2022-09-14 00:03:07 +00:00
Guy Harris 8195bdd340 Rename a bunch of things with "conversation".
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint.  Distinguish between
conversations and endpoints.
2022-08-25 20:02:20 -07:00
John Thacker 862803de5c HTTP2: Send headers to the follow tap after decompression
Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION
frames) are compressed by HPACK. Send them to the follow tap only
after decompression. Update the tests to match the new output.

Ping #18239 (There's still the case of gzip and brotli compressed
DATA frames to handle).
2022-08-08 23:50:20 +00:00
John Thacker 66b26d7251 follow: Only retrieve matching conversations
The TCP and UDP follow conversation filter functions should
only retrieve a conversation and conversation data, not
create new conversations or new stream numbers. (That should
only happen during actual packet processing.) So they should
match on the endpoint type and not look up endpoints (since
TCP and UDP don't use the endpoint API.)

They still don't work with tunneling, or any other situation where
the addresses and ports have been changed (see #18231), but this
at least works when some other protocol _has_ used the endpoint
API, and also avoids creating nonsensical streams.

Making them work properly with tunneling either requires adding
packet info to each packet with the stream information, or using
the endpoint API (after finishing it to allow more than one endpoint
on the packet, and a way of searching for endpoints other than
the most recent.)
2022-08-02 20:54:36 +00:00
Nardi Ivan 897bc6d27c HTTP2: display the full request URI
Close #18135
2022-07-20 16:32:47 +00:00
Anders Broman fed641fc27 http: Add path components to tree 2022-07-04 17:45:08 +00:00
Roland Knall 2cf938cfa8 tap: Adding flags for tap_packet
This allows flags to be passed by the registering listener
to the collection of information
2022-06-10 05:46:15 +00:00
John Thacker 91987dc0ab nghttp2: Implement minimum required version 1.11.0
All currently supported Linux distributions have a version greater
than 1.11.0 (and our macOS and Windows versions are also much greater),
and this allows us to use nghttp2_hd_inflate_hd2(), which replaced the
deprecated nghttp2_hd_inflate_hd()
2022-04-24 10:24:11 -04:00
John Thacker 856cd96bb3 http2: Use the actual maximum table size for partial header workaround
Use the actual maximum table size, which may have been set to
a value other than the default 4096, to fill the table with dummy
entries. Fix #17936
2022-04-01 12:10:48 +00:00
John Thacker f43ce70fd9 HTTP2: Don't add a proto item before seeing if we'll dissect anything
Behave like other protocols that call tcp_dissect_pdus and don't set
COL_PROTOCOL or add a proto item before the call to tcp_dissect_pdus.

This avoids adding an empty tree in cases where there isn't enough
of the PDU to actually dissect anything. This makes the protocol
tree the same in the first pass (and thus tshark output), as in later
passes where the HTTP2 dissector won't get called.
2022-03-04 14:26:15 +00:00
João Valverde 8efad466c4 Tools: Fix fix-encoding-args.pl ASCII string validation
Do not require a useless ENC_NA parameter for string encodings.
FT_STRING and FT_STRINGZ types don't have any endianness.

Follow-up to 6ec429622c.
2022-02-15 11:38:16 +00:00
Lucas Pardue a65abbc2bb http2: add PRIORITY_UPDATE frame dissection
The HTTP/2 priority update frame is an extension frame defined in
https://datatracker.ietf.org/doc/draft-ietf-httpbis-priority/.

With this change, we add new support for the frame to the HTTP/2
dissection, matching the capability in the HTTP/3 dissector, to expose
the target of the priority and the value of the hint.
2022-01-16 22:13:49 +00:00
Lucas Pardue fd72d99d7f http2: detect extended CONNECT setting 2022-01-16 09:47:59 +00:00
Lucas Pardue 9c318abef4 http2: add support for ORIGIN frame
Add support for ORIGIN frame (RFC 8336) to the HTTP/2 dissector. The
frame is a sequence of 0 or more origin entries (length and ASCII
value), hence dissection is implemented as a subtree.
2022-01-16 09:34:21 +00:00
Huang Qiangxiong 9a681f88ad http2/grpc: make fake headers be used in uncompleted HPACK index table situation
Some http2 headers are unable to be parsed in the current
HEADERS frame because previous HEADERS frames were not
captured, causing the HPACK index table to be incomplete.
This commit makes fake headers usable in this
situation as well.

close #17799
2022-01-09 14:35:27 +00:00
João Valverde 0ccd69e530 Replace g_strdup_printf() with ws_strdup_printf()
Use macros from inttypes.h.
2021-12-19 21:21:58 +00:00
João Valverde 22ee2764a7 Replace g_snprintf() with snprintf() (dissectors)
Use macros from inttypes.h with format strings.
2021-12-19 20:25:11 +00:00
João Valverde 19dcb725b6 epan: Remove STR_ASCII and STR_UNICODE
These display bases work to replace unprintable characters so the
name is a misnomer. In addition they are the same option and this
display behaviour is not something that is configurable.

This does not affect encodings because all our internal text strings
need to be valid UTF-8 and the source encoding is specified using
ENC_*.

Remove the assertion for valid UTF-8 in proto.c because
tvb_get_*_string() must return a valid UTF-8 string, always, and we
don't need to assert that, it is expensive.
2021-12-03 04:35:56 +00:00
Huang Qiangxiong f029fa6b71 http2: fix building error caused by fake header feature without nghttp2
Fix a building error caused by fake header feature of
MR 4877 when building without nghttp2 library.
2021-11-28 11:29:48 +08:00
Huang Qiangxiong 2af95cbe1b HTTP2/GRPC: support using fake headers if first HEADERS frame is missing
Add a UAT for configuring fake headers according to the server port, stream
id and direction of the long-lived stream that we start capturing packets
after it is established. That helps in parsing the DATAs captured subsequently.
A testcase is also added.

close #17691
2021-11-26 17:34:23 +00:00
Huang Qiangxiong ec36885eda http2: fix the stream mode reassembly issue
- Point all MSP related DATA frames to their MSP instead of
  using wmem_tree_lookup32_array_le().
- Add test_grpc_streaming_mode_reassembly testcase for verifying
  this feature.

close #17633
2021-10-20 17:25:17 +00:00
Nardi Ivan 3cb302f05b HTTP2, QUIC: fix "Follow Stream"
"Follow Stream" functionality assumes that all data in a single packet
belongs to the same stream. That is not true for HTTP2 and QUIC, where
we end up having data from unrelated streams.

Filter out the unwanted data directly in the protocol dissector code with
a custom `tap_handler` (as TCP already does).

Close #16093
2021-09-13 15:13:10 +00:00
Evan Huus 8ee8808876 First pass pinfo->pool conversion, part 2
Automated find/replace of wmem_packet_scope() with pinfo->pool in all
files where it didn't cause a build failure.
2021-07-21 09:54:57 -04:00
João Valverde 051a74378d wslog: Use NULL for empty/default domain 2021-06-18 10:43:39 +01:00
João Valverde dcc02b1003 dissectors: Replace g_log() with ws_log() 2021-06-16 12:50:28 +00:00
Anders Broman 71e6b0498a http: Add dissection of HTTP2-Settings
Closes #17370
2021-05-08 17:14:45 +00:00
Anders Broman 607aeb5416 HTTP2: Make it possible to configure a port range. 2021-05-06 13:33:55 +00:00
Wolfgang Steinwender ff9a89c8a2 http2: Rename GOAWAY Promised-Stream-ID to Last-Stream-ID
According to the RFC, the stream ID in a GOAWAY frame is called Last-Stream-ID.
2021-04-26 21:36:45 +00:00
Jirka Novak e75e1fb580 Follow SIP Call: Added Follow SIP Call to Follow menu
Changes:
- epan/follow.c: follow_conv_filter_func has new parameter
  epan_dissect_t *edt, so filter can be generated based on decoded tree
of packet below the cursor
- menu Follow/SIP Call is enabled when sip packet is selected
- value of sip.Call-ID is used as filter for SIP call
- for sharkd it generates filter just 'sip.Call-ID' with no value
2021-03-27 09:02:14 +00:00
Alexis La Goutte 64b7bb05d4 http2: fix no previous prototype for functio
packet-http2.c:285:6: warning: no previous prototype for ‘decode_as_http2_populate_list’ [-Wmissing-prototypes]

Change-Id: Ife66469b7016437c1e2b6d41df99571e73159851
Reviewed-on: https://code.wireshark.org/review/37741
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-07-06 14:50:54 +00:00
Guy Harris e1d9a226a2 Fix the type of arrays of pointers to hf_ values for bitfield routines.
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.

Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.

Also make some of those arrays static while we're at it.

Update documentation and dissector-generator tools.

Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 11:32:26 +00:00
Martin Mathieson 060f876f97 HTTP2: check return code of a strcmp() call
From a recent cppcheck scan:
epan/dissectors/packet-http2.c:1604: warning: The expression 'strcmp(header_name,"<unknown>") != 0' is suspicious. It overlaps 'strcmp(header_name,":method") == 0'.
epan/dissectors/packet-http2.c:1604: warning: The expression 'strcmp(header_name,"<unknown>") != 0' is suspicious. It overlaps 'strcmp(header_name,":status") == 0'.

Change-Id: I373398112ca9e44d848da4a2b21bd7d059fa049c
Reviewed-on: https://code.wireshark.org/review/37352
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
2020-06-01 17:56:28 +00:00
Peter Wu 43cfa9c1fa http2: fix build error with nghttp2 before 1.11
nghttp2_hd_inflate_hd has only been deprecated because its "in" argument
is non-const, aside from this aspect the implementation is equivalent.
For inflate_http2_header_block there is no difference since the buffer
is already non-const. However in fix_partial_header_dissection_support,
the given buffer is const. To avoid new -Wcast-qual warnings while
keeping the buffer read-only, just add a simple wrapper function.

This fixes a build failure reported for libnghttp2-devel
1.7.1-1.15.x86_64 on openSUSE Leap 42.3.

Change-Id: I9ab9305ffc5920f5e3f4866c2f0378d45008b57a
Reviewed-on: https://code.wireshark.org/review/37346
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-01 03:40:33 +00:00
Anders Broman e2f43f4cfa nghttp2: Assume we have a method header if we find <unknown>
In incomplete streams the http2 dissector fails to display the content of
a data packet following a header with unknown fields as
reassembly_info->data_initiated_in is not set.

Change-Id: I754bdc92049124bcc722a25f8cf791e36f8f523a
Reviewed-on: https://code.wireshark.org/review/37311
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:16:56 +00:00
Peter Wu 06f06eec3c http2: workaround to fix headers dissection for partial captures
Populate the dynamic table with dummy entries to ensure that nghttp2
will continue even if previous headers were missing (for example, due to
the capture starting in the middle of a plaintext h2c connection).

Bug: 16496
Change-Id: Ifb2fd4c6b8f3f93babed42e1f803048a695b23e9
Reviewed-on: https://code.wireshark.org/review/37278
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-25 17:55:10 +00:00
Anders Broman 2a64d97d8c http2: Replace deprecated function.
Change-Id: I98ef5756f970b95471500f9fd655b2e6294e8274
Reviewed-on: https://code.wireshark.org/review/36903
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-22 14:11:28 +00:00
Anders Broman c0069d9676 http2: Use proto_tree_add_bitmask_with_flags_ret_uint64() to dis flags.
Change-Id: Ie40568120c8a96e584dc7073fd0578574218f02b
Reviewed-on: https://code.wireshark.org/review/36891
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-20 11:45:01 +00:00
Anders Broman 5115fc50db http2: Introduce decode as for streams without content-type.
If the packet containing the content type header is missing the stream
can be dissected by using decode as.

Change-Id: I40c57e34971c9eee3d694975262dd7b3c7b3ef89
Reviewed-on: https://code.wireshark.org/review/36852
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-20 08:20:20 +00:00
Dario Lombardo c7316b4c78 http2: fix compilation without HAVE_HTTP2.
Change-Id: Ie141ee9905e5528bb875401f401ab6a7abaa2e09
Reviewed-on: https://code.wireshark.org/review/36875
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-17 18:34:28 +00:00
Anders Broman a9ea061368 http2: Make session info part of function signatures.
Change-Id: I7078a89a1997f370a03809ee6943ab394ec6d0e1
Reviewed-on: https://code.wireshark.org/review/36873
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-04-17 13:54:01 +00:00