TNEF is a Microsoft defined format for carrying additional information about a message (e.g. rich text formatting)
and generally appears as a "winmail.dat" attachment. Details are here:
http://msdn2.microsoft.com/en-us/library/ms530652.aspx
This is a basic dissector which handles the TNEF attributes and the MAPI properties (found in MAPIPROPS
TNEF attribute). It is not complete and requires further work to complete the dissection. However it will
dissect TNEF generated from Outlook (including messages with attachments).
It is registered under the appropriate BER OID (1.2.840.113556.3.10.1) for X.400 attachments and media
type ("application/ms-tnef") for MIME messages. For MIME messages, any content-transfer-encoding
(usually base64) needs to be removed before calling this dissector. There is a preference in the
MIME multipart dissector to do this.
svn path=/trunk/; revision=22312
It provides basic dissection of the text-based protocol, providing fields for filtering.
It also calls the multipart dissector for any MIME body that is found.
It includes very basic support for MIXER (RFC 2156) fields.
It also registers itself as "message/rfc822" in the media type table.
svn path=/trunk/; revision=22241
Attached is a patch file and a new dissector for FCoE. This protocol
is described at http://fcoe.com and has been submitted to T11. It is an encapsulation protocol that can be used to transport FC frames over raw Ethernet when the link is loss-free due to pause. The Ethertype 0x8906 has been reserved through IEEE for this protocol.
svn path=/trunk/; revision=21967
Replace the Interbase dissector by a Firebird/Interbase
dissector.
Me:
Fix warnings about unused parameters
Fix warnings about unused variables
Fix warning about unused function
Fix warning about mixed code and declaration
Declare all dissection functions static
Remove function declarations and move the switching
function down instead.
Update AUTHORS file
Add $Id$ and email address to file header
Fix filename in first comment line
svn path=/trunk/; revision=21843
new protocol STARTEAM
>Hi,
>
>Here is a submission of a new dissector for the Borland StarTeam protocol.
>For the compiler warnings, I tried to get rid of them, at least what MSVC6
>is reporting. If your compiler reports more, please tell me the line number.
>As I do not have SVN installed but I compiled from the 0.99.5 tarball,
>please forgive me if I cannot easily generate diffs against current SVN (I
>tried my best with Cygwin).
>I also added the sample capture file on the Wiki on which I ran 900 loops
>of fuzz testing with no problem.
svn path=/trunk/; revision=21606
Attachment is a patch for adding a new Juniper NSRP dissector. In this patch, OICQ author email address
<dubingyao@gmail.com> has also been updated to <secfire@gmail.com>.
svn path=/trunk/; revision=21599
most have been tagged unused (few have been deleted if dissector has not been
modified since a long time)
move packet-ssl-utils.c to DISSECTOR_SRC
svn path=/trunk/; revision=21431
Dissector for the DRDA protocol. This is the protocol used by among
others the DB2 database.
modify his entry in AUTHORS
svn path=/trunk/; revision=21331
- asn dissectors : libasndissectors.la
- pidl dissectors : libpidldissectors.la
- normal dissectors : libdissectors.la *and* libcleandissectors.la. I
separated it in two libraries temporarily. The source files used to build
libcleandissectors.la do not generate warning anymore and the -Werror is used
to compile them. If we patch a dissector and it doesn't generate warning
anymore, we have to move the filename dissector from DISSECTOR_SRC to
CLEAN_DISSECTOR_SRC in epan/dissectors/Makefile.common.
If you want to define specific cflags for one library type, let's say pidl, you
may define libpidldissectors_la_CFLAGS.
svn path=/trunk/; revision=21324
This patch adds support for key-mgmt session attributes in SDP (defined in RFC 4567). The patch also contains a Multimedia Internet KEYing (MIKEY is defined in RFC 3830) dissector plugin for "mikey" key-mgmt data.
svn path=/trunk/; revision=20977
Admittedly not much, so if you have any ideas what the rest means or where
I'm wrong please provide feedback.
As tapa uses udp 5000 and ip protocol 4, I needed to add a hack for the
ip part to properly dispatch betweeen ipip and tapa-tunnel (actually I
was unable to turn the ipip dissector into a heuristic dissector :-)
svn path=/trunk/; revision=20971
- move dcom-cba and pn-rt files into profinet plugin (where they really belong)
- move some common pn functionality into new packet-pn.c/h instead of having duplicate code
svn path=/trunk/; revision=20825
Wed, Jan 31, 2007 at 7:24 PM
To: wireshark-dev@wireshark.org
Hello,
Please consider for checkin the following new dissectors, for the FMP protocol.
FMP (File Mapping Protocol) is the network protocol basis for EMC's HighRoad (MPFS) technology. Highroad is used to allow multiple clients to share access to NAS-shared files while allowing clients to directly access data volumes (via, for example, Fibre Channel or iSCSI). EMC currently uses this technology in our Celerra NAS servers, and we're currently in the process of open sourcing portions of the technology.
FMP actually consists of two ONC/RPC-based protocols - the core FMP protocol, and FMP/Notify. The latter is used as an asynchronous callback to inform clients of status changes, such as lock revocation.
We'd like to offer these dissectors to Wireshark users for help in debugging or otherwise troubleshooting MPFS-related problems. There are still a few minor changes that need to be made ( i.e. a handful of fields that aren't decoded) but the dissector is overall fairly complete and very usable.
Let me know if there are questions or feedback, or otherwise if other info is needed (like sample captures, which I don't want to send out to the mailing list).
Thanks,
Ian Schorr
EMC Corporation
svn path=/trunk/; revision=20679
Generally found within a file (.p12 or .pfx) or as a directory attribute (userPKCS12 from iNetOrgPerson).
Wiki page and sample file to follow.
svn path=/trunk/; revision=20416
I have added a new dissector for DMP (STANAG 4406 Direct Message
Profile) as defined in STANAG 4406 Annex E. The DMP protocol has no
assigned UDP port number yet, so the default value in this dissector
is 0 (I suppose this is som sort of "disabled"?) until we get this
registered.
The dissector has been tested on OSX Intel/PowerPC and Solaris SPARC.
Changes in this patch:
* Added DMP dissector
* Added a new CRC table and functions in crc16.c
* Made NonDeliveryReasonCode and NonDeliveryDiagnosticCode available
from X.411
* Made NonReceiptReasonField and DiscardReasonField available from X.420
svn path=/trunk/; revision=20133
This is a new dissector for STUN v2, that is currently in WGLC at the IETF.
- Keep packet-stun.c for the RFC 3498 protocol, plus the STUN and TURN
drafts up to draft-ietf-behave-rfc3489bis-02 and
draft-rosenberg-midcom-turn-08, as there is some huge deployments using
this. There will be no modification to this dissectors in the future,
excepted perhaps to add support for retransmission or things like this.
- Add a new dissector packet-stun2.c for the new STUN (currently in
WGLC), the STUN relay-usage (formerly known as TURN) and the other
usages that will be added in the future (IPv6, NAT Behavior, etc...).
svn path=/trunk/; revision=20131
New dissector for ETSI DCP (ETSI TS 102 821).
Code rearranged to look more like other Wireshark dissectors and some warnings/errors
on Windows fixed.
svn path=/trunk/; revision=19981
The RDM protocol has been accepted as ANSI standard E1.20-2006. The following patch updates the decoder to that spec.
At the same time it is promoted to a build-in dissector.
svn path=/trunk/; revision=19596
this is a wrapper protocol to store SCSI frames inside usb bulk data transfers
the dissector is far from complete but does
track ITL and ITLQ structures and will also call the SCSI dissector to
dissect the SCSI CDB.
what is still missing is handling of data in/out and scsi responses
at least it will now display the SCSI CDB and dissect it. woohoo
svn path=/trunk/; revision=19589
packet-cisco-wireless.c is actually trying to dissect WLCCP:
I have attached a dissector I wrote from scratch for the
frames that I'm seeing. It has #defines for the field offsets and
lengths so it should be easier to merge. I also attached a sample
capture with one of the frames that I'm seeing. There are more fields
in the frame I haven't yet figured out, hopefully your dissector has
those that I'm missing.
Me: - Commented in wlccp over udp as well, it works most of the time.
- Leave the file packet-cisco-wireless.c in for the time being to
copy over knowledge until no usable info is left in the file.
svn path=/trunk/; revision=19447
dissector for Enea's LINX protocol?
A protocol spec is available at <http://www.enea.com/templates/Extension____8947.aspx>. The source of the kernel module could be obtained from Enea by sending a request to "linx at enea dot com".
Currently they use ethertype 0x9999 which is not registered at IEEE.
svn path=/trunk/; revision=19430
few things to be fixed:
- // comments,
- not every hf_xxx used might be registered
some packages from the current h248 dissector are still missing.
svn path=/trunk/; revision=19407
various changes to the existing scsi dissector to start allowing different commandsets to be implemented in their own dissector files to prevent the scsi dissector to become as huge as the parlay dissector
svn path=/trunk/; revision=19360
I have figured out one of the fields in the MAPI
EcRRegisterPushNotification packet. The field is a UDP port number that
the client wants the Exchange server to send new mail notifications on.
These notifications are on a port > 1023 and are always 8 bytes long.
It looks like I would add the function name to the
dcerpc_mapi_dissectors[] for the register push notification. What would
my new function need to do besides display the field?
Thanks,
Steve
Here is a patch to add this functionality. It displays the notification
port and the notification payload (not sure what the payload itself
means yet). It also dynamically registers each notification port found
with a new dissector (that I called newmail for lack of a better name -
I'm open to suggestions) that displays the notification payload. This
is all undocumented by Microsoft in their usual fashion.
I also changed the code to always display the mapi.opnum field;
currently, the mapi.opnum is only displayed when the
dcerpc_mapi_dissector is null.
Steve
svn path=/trunk/; revision=19350
this protocol is not too interesting yet since only the function names of this interface is known but it is more that no dissection at all
svn path=/trunk/; revision=19333
New protocol: epl v1
Hi,
in addition to the recently submitted dissector for the EPL v2 protocol,
this is the dissector for the first version of the EPL protocol.
Best Regards,
David
svn path=/trunk/; revision=19125
this patch adds support for MPEG2 transport stream packets in RTP (type
MP2T). It currently dissects the headers of the MPEG2 packets
svn path=/trunk/; revision=19023
new protocol: veritas low latency transport
---
Attached is a patch file that adds a new dissector for the LLT protocol
(Veritas Low Level Transport, used for server clustering). They use
ethertype 0xCAFE even though it isn't assigned to them :(. There are
other fields and possibly other message types directly between servers
it does not yet dissect as no one outside of Veritas knows what they
are. This dissector understands the one people will run across most -
multiple servers broadcasting these heartbeats all over the place. I
figured out these fields through many Internet searches.
I will add the protocol to the Wiki after it is committed.
Thanks,
Steve
svn path=/trunk/; revision=18944
I have developed a plugin for Pro-MPEG FEC packets over RTP (see
previous posts on ethereal-dev). I have added a page and example capture
file to the Wiki (http://wiki.wireshark.org/2dParityFEC). The source and
Windows makefile for the plugin are attached. Unfortunately I do not
have access to other systems so this plugin has been tested on Windows
only.
The attached version of my plug-in has only had the copyright header
added.
I will translate this into a proper dissector rather than a plug-in as
requested, but this may take a little time as I have a lot of other
things
to do at the moment.
Me:
Convert into a normal dissector
Reorder / reformat code a bit
Added Marks name to the top of the file.
svn path=/trunk/; revision=18908
This patch adds a new dissector for the daytime protocol (like the time
protocol, but the date and time is send as a text string). This protocol and
dissector work s over TCP or UDP.
svn path=/trunk/; revision=18823
A disassembly module I wrote for Pegasus Lightweight Stream Control, a protocol used by some cable set-top boxes for video-on-demand.
svn path=/trunk/; revision=18807
- allow SDP to parse the IP address + port for the MSRP session from the
path attribute
- setup an MSRP conversation using this address, whose data points back
to the SDP frame
- link to the SDP setup frame while dissecting MSRP (can be switched off
by a preference)
- I also changed sdp.media.port to be a numeric field
svn path=/trunk/; revision=18806
this dissector will not yet detect when ppp is passed over the rfcomm link
but the old code to detect and deescapt the ppp data is still in the dissector, though ifdeffed out to serve as inspiration when ppp over rfcomm captures are made available.
the only captures i have with rfcomm are for raw serial communications so they dont contain any ppp frames. :-(
svn path=/trunk/; revision=18221
acl chandle + direction + l2cap-CID to uniquely identify a single specific
flow of PDU packets.
So we need to pass the chandle upp from acl to l2cap at least.
It would have been nice to handle this using "conversations" but the bluetooth
stack does not eaily map to the idiom host:port<->host:port
instead in bluetooth you have unidirectional flows that are identified by ACL-chandle:L2CAP-CID:direction and additional state held inside l2cap would attach two such flows together into a "conversation".
Bluetooth packets themself only indentify "half" of the two way conversation.
svn path=/trunk/; revision=18218
the fragment reassembly from the old patch is commented out since it has to be redone completely using emem and se_trees the proper way.
but to do this i would need example captures of fragmented bluetooth traffic first.
svn path=/trunk/; revision=18149
patch and new files provide support for Catapult DCT2000
.out files to wiretap and ethereal.
This wiretap support (catapult_dct2000.c+h) appends a short header to
each packet giving some context, and a corresponding ethereal dissector
(packet-catapult-dct2000.c) parses this before passing the real payload
onto an existing ethereal dissector (for ethernet, ip, lapd, ppp,
frame-relay,...).
For now, there is only support for saving dct2000 files in their own
format, although I may add support for converting between dct2000 and
libpcap later.
updated version of these files and patch, now with support
for MTP2. Olivier's trace used the ANSI variant - the MTP2 and MTP3
decode fine with the right preferences set (although the ISUP dissector
reports a reserved/retired message type).
Witha a change to NOT to declare gboolean catapult_dct2000_board_ports_only;
as extern as MSVC choked on it.
svn path=/trunk/; revision=17862
Here is a patch for gsm_map dissector that adds USSD string decoding (mainly used in processUnstructuredSS-Request, UnstructuredSS-Request, UnstructuredSS-Notify). For now, it assumes that it will be GSM 7 bits.
It re-use packet-gsm_sms.c "gsm_sms_char_7bit_unpack" and "gsm_sms_char_ascii_decode" functions, as well as packet-smpp.c "smpp_handle_dcs" function.
svn path=/trunk/; revision=17739
rename binding into assoc(iation) which is the AOC name.
move the definition of sccp_assoc_t to packet-sccp.h so that information regarding sccp associations it can be used by user protocols
svn path=/trunk/; revision=17590
- New Dissector Novell Cluster Services
1. Changes Dir Handle Type from Boolean to val string
2. Changes Search Mode from Boolean to val string
3. Adds a number of additional attribute definitions
4. Adds file migration state values
5. Adds missing return values
6. Adds NCP 90,150 "File Migration Request"
svn path=/trunk/; revision=16844
Log:
From Grame Lunt:
updated X.500 dissectors to include DOP support.
The "dop" dissector is the renamed "x501" dissector consequently the asn/x501 directory should be removed. The patch includes the changes to epan/dissectors/Makefile.common to reflect this.
As the DOP dissection is not fully tested, I have disabled it by default for now (like DSP) but it can be enabled by the user.
svn path=/trunk/; revision=16727
New protocol : CIGI (with minor updates to make it heuristic)
Hi,
This patch is for a CIGI dissector (complete versions 2 and 3). It has
been [fuzz] tested on GNU/Linux using the Ethereal 0.10.13 codebase.
However, the patch here is against the svn repository.
More information about CIGI can be found at http://cigi.sourceforge.net/
Kyle Harms
svn path=/trunk/; revision=16681
Added a new dissector for CDT (CompressedDataType) as
defined in STANAG 4406 Annex E. This dissector is used in P_Mul to
decode encapsulated X.411 content. I have added a function in the
X.411 dissector to decode a MTS APDU without having a ROS
Changes in this patch:
* Added CDT dissector
* Use CDT dissector in P_Mul
* Added function to decode MTS APDU in the X.411 dissector
svn path=/trunk/; revision=16567
we will do service-response-time statistics before other inferior products have even noticed a new protocol is in town.
svn path=/trunk/; revision=16463
New protocol : STANAG 5066
I changed it from being a plugin to a builtin dissector
and also changed a couple of small bugs
svn path=/trunk/; revision=16390
makefile.common.diff - epan directory
1. Adds new packet-ncp-sss.c and packet-ncp-sss.h for new Secret Store dissector
New Novell Secret Store Services dissector
packet-ncp-sss.c
packet-ncp-sss.h
ncp2222.py.diff
1. Adds a number of return values
2. Adds 64bit file size support
3. Add NCP 89,xx NCP's for UTF8 support
4. Fixes a number of field values for proper dissection
5. Adds support for Secret Store dissector
packet-ncp2222.inc.diff
1. Skwelches some compiler warnings
2. Redo of fix for bug 535 which original fix broke dissection of NDS verb 5
3. Adds support for Secret Store dissector
4. Adds expert data
5. Adds tap for service response time
6. Fixes dissection of stream attribute
7. Fixes defragmentation problem with more then 10 fragments
8. Fixes NDS dissection if reply buffer was less then 7
packet-ncp.c.diff
1. Adds tap data
2. Adds expert data
3. Fixes calculation for NCP connection number
4. Fixes malformed packet for destroy service connection
packet-ncp.c.diff
1. Adds tap data
svn path=/trunk/; revision=16266
almost none of the data - fill in only variables for what we need, and
use proto_tree_add_item() in most cases.
Move what's left of the packet-winsrepl.h header into packet-winsrepl.c,
and get rid of the header.
Dissect the name flags field in detail, as per the Samba code.
We don't do any checks for whether the packet is a valid WINS
replication packet, so don't make the dissector a new-style dissector.
svn path=/trunk/; revision=15935
This makes Ethereal build again - there's no real reason that
ethereal fails to build for such a long time on so many platforms.
svn path=/trunk/; revision=15835
Graeme Lunt