When a conversation starts with SSL (Client Hello) but gets a HTTP
response back, then the first SSL request should be preserved.
Bug: 12132
Change-Id: I3f9b5c8828bc5c6680945d7cf71740584dd463ab
Reviewed-on: https://code.wireshark.org/review/14726
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This adds the possibility to filter on the negotiated WebSocket
protocol from the upgrade response as well as on a specific TCP port
Bug: 12298
Change-Id: I8e0b785cec0b8c71ec558b74ac07c81194268b38
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
Reviewed-on: https://code.wireshark.org/review/14645
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This saves many dissectors the need to find the data dissector and store a handle to it.
There were also some that were finding it, but not using it.
For others this was the only reason for their handoff function, so it could be eliminated.
Change-Id: I5d3f951ee1daa3d30c060d21bd12bbc881a8027b
Reviewed-on: https://code.wireshark.org/review/14530
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Started by grepping call_dissector_with_data, call_dissector_only and call_dissector and traced the handles passed into them to a find_dissector within the dissector. Then replaced find_dissector with find_dissector_add_dependency and added the protocol id from the dissector.
"data" dissector was not considered to be a dependency.
Change-Id: I15d0d77301306587ef8e7af5876e74231816890d
Reviewed-on: https://code.wireshark.org/review/14509
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This will make it easier to determine protocol dependencies.
Some LLC OUI dissector tables didn't have an associated protocol, so they were left without one (-1 used)
Change-Id: I6339f16476510ef3f393d6fb5d8946419bfb4b7d
Reviewed-on: https://code.wireshark.org/review/14446
Reviewed-by: Michael Mann <mmann78@netscape.net>
When the HTTP request is transmitted to a Proxy the URI is already
a "full URI".
Bug was reported by Thomas Baudelet.
Bug: 12176
Change-Id: I83f6bdef6fa96233792c6bbe54caad38df0f5fb6
Reviewed-on: https://code.wireshark.org/review/14142
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It's not tied to the frame_data structure any more, so it belongs by
itself.
Clean up some #includes while we're at it; in particular, frame_data.h
doesn't use anything related to tvbuffs, so don't have it gratuitiously
include tvbuff.h.
Change-Id: Ic32922d4a3840bac47007c5d4c546b8842245e0c
Reviewed-on: https://code.wireshark.org/review/13518
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That removes most of the uses of the frame number field in the
frame_data structure.
Change-Id: Ie22e4533e87f8360d7c0a61ca6ffb796cc233f22
Reviewed-on: https://code.wireshark.org/review/13509
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add fields for the absolute time stamp (and another field for a presence
flag for the absolute time stamp) and the packet encapsulation for the
packet.
This lets us remove the field for the packet encapsulation in the
frame_data structure; do so.
Change-Id: Ifb910a9a192414e2a53086f3f7b97f39ed36aa39
Reviewed-on: https://code.wireshark.org/review/13499
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I6031ae6f9b31447665236098c87ffed97e4b8a2d
Reviewed-on: https://code.wireshark.org/review/13275
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I5be0ce9168e987e8fd5ba404338111c8b8706c9f
Reviewed-on: https://code.wireshark.org/review/13243
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Create a "registration" system for Follow functionality so most of the work can be abstracted into a dissector and GUI can just be responsible for "display".
This also removes the global variables in follow.c to open up multithreading possibilities.
TCP, UDP and HTTP all have the same "tap interface" for Follow functionality (passing a tvb with byte data to "follow"). SSL still has it's own behavior, so Follow structures have to take that into account.
TShark through the Follow registration now has support for HTTP.
The only thing possibly missing is dynamic menu generation to further reduce explicit knowledge of Follow "type" (and rely on registration)
Bug: 11988
Change-Id: I559d9ee1312406ad0986d4dce9fa67ea2103b339
Reviewed-on: https://code.wireshark.org/review/13161
Reviewed-by: Michael Mann <mmann78@netscape.net>
Have subdissectors do the bit math checking for particular flag bits.
Change-Id: Ie6350e316f79af879be9fc512ce215f24449a7e5
Reviewed-on: https://code.wireshark.org/review/13071
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have the TCP dissector pass FIN bit to subdissectors (HTTP only one currently using it) so subdissector can use information to determine that no more segments are coming.
Bug: 9848
Change-Id: I4aebb5141f41d99598e4776bf25e74101016f5d1
Reviewed-on: https://code.wireshark.org/review/12984
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This automatically detects and decompresses HTTP along a TCP stream through the use of taps.
Bug: 3528
Change-Id: I8ab832d509700d0da8eabf3c3e514d8511c598d3
Reviewed-on: https://code.wireshark.org/review/13009
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Ie39ef054a4a942687bd079f3a4d8c2cc55d5f22c
Reviewed-on: https://code.wireshark.org/review/12485
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Some of the ASN.1 dissectors still generate a new_create_dissector_handle from the tool itself, so leave those for now.
Change-Id: Ic6e5803b1444d7ac24070949f5fd557909a5641f
Reviewed-on: https://code.wireshark.org/review/12484
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Treat Transfer-Encoding: chunked specially, it is applied as final
encoding and must be stripped first.
Rename the expert info field http.chunkd_and_length (sic) to something
more generic and add a new field for unknown Transfer-Encodings
(implementations should normally send an error response, but we are not
a server so try to be permissive).
Also removed an unnecessary content_length check, it was covered by
have_content_length.
Tested with the weird crafted capture from bug 11801 and a crafted
capture (netcat) which returns Content-Length: 1 and Transfer-Encoding:
bla,chunked.
Bug: 11801
Change-Id: I978bf74e52e70782ebc5153d1017de67f323e514
Reviewed-on: https://code.wireshark.org/review/12256
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Header names are typically not case-sensitive (like X-Powered-By).
Become consistent with headers such as User-Agent and match custom
headers case-insensitively.
Change-Id: Icde2dc32b5020cc8c68d631667c7c79dfc58435a
Reviewed-on: https://code.wireshark.org/review/11965
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add HTTP Proxy Service attributes and UUID.
Change-Id: If0ab490f2df0930d2b80687ac4c9a1d7e4d463e4
Reviewed-on: https://code.wireshark.org/review/11978
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Picking off "easy" dissectors that only have one or two exit points at most.
Change-Id: I96aa9cf53533cbb07105aa400d42922baf3016b3
Reviewed-on: https://code.wireshark.org/review/11860
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Since ssl_dissector_[add|delete] only take TCP dissectors, remove the parameter and just use it within the "internal" ssl_association_add call.
Change-Id: I0fdf941389934c20cbacf910250e17520614e706
Reviewed-on: https://code.wireshark.org/review/11591
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
SSDP now has its own protocol id to filter on (and use in Decode As), but all other fields are still HTTP as SSDP still doesn't have its own dissector.
Bug: 6190
Change-Id: I43394fb78ac699f0b06b9aa29df11a4e5345e260
Reviewed-on: https://code.wireshark.org/review/11616
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The target here is the Decode As dialog where protocols have multiple registrations into a dissector table and that shows up as multiple entries in the Decode As dialog list with the same name so users are unsure which "dissector" they are choosing.
The "default" behavior (done in this commit) is to not allow duplicates for a dissector table, whether its part of Decode As or not. It's just ENFORCED for Decode As.
Bug: 3949
Change-Id: Ibe14fa61aaeca0881f9cc39b78799e314b5e8127
Reviewed-on: https://code.wireshark.org/review/11405
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788
Reviewed-on: https://code.wireshark.org/review/11463
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
According to RFC 6062, once the connection is established, data is sent as-is
To stop the STUN dissector from interfering, add the ability to specify a starting
frame for a conversation dissector and use it
Bug: 11641
Change-Id: I65ca96bddacf70444009c0642ea22173fa68992e
Reviewed-on: https://code.wireshark.org/review/11372
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
When the HTTP dissector passes data to a subdissector, it should also
propagate the desegmentation ability. Otherwise subdissectors (such as
HTTP2) will not be able to handle large DATA frames.
Reported by Alexis, verified with his capture.
Change-Id: I831a78e8d1ad08536e3d0d870012e427ce289b1b
Reviewed-on: https://code.wireshark.org/review/10544
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The fix for bug 11331 has as side-effect that the HTTP part of a
conversation is not dissected on the second pass.
Fix it by calling the HTTP2 dissector only when it was detected via
heuristics, and not via Upgrade (since that would be handled by the
http loop).
While at it, remove the use of tvb_new_subset_remaining since the
original tvb is not touched and move the comment about the proxy to the
right place.
Tested with the capture from Alexis (plain HTTP2 via Upgrade), the one
from bug 11331 (plain HTTP2 via heuristics) and a HTTP2 in SSL capture
(via heuristics).
Change-Id: Iead7682aa8d5114e4edcfd54eabcd0d659056cc1
Reviewed-on: https://code.wireshark.org/review/10541
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This is initial support for reloading Lua plugins without
restarting the application.
Still todo:
- Deregister FileHandlers
- Support deregister ProtoField with existing abbrev (same_name_hfinfo)
- Add a progress dialog when reloading many plugins
- Search for memory leakages in wslua functions
Change-Id: I48870d8741251705ca15ffe1068613fcb0cb18c1
Reviewed-on: https://code.wireshark.org/review/5028
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
The reported length should be the size of the chunk, not the remaining
size of dechunked data.
Update some comments while we're at it.
Change-Id: Ia71948fb5ecebdaae3e171c53fd88cf72dcf76a3
Reviewed-on: https://code.wireshark.org/review/9846
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The preferences are still supported for backwards compatibility, but the heuristic_protos file has final say on the "preference" to enable/disable a heuristic dissector.
Also add parameter to heur_dissector_add() for the "default" enable/disable of a heuristic dissector. With this parameter, a few more (presumably weak) heuristic dissectors have been "registered" but of course default to being disabled.
Change-Id: I51bebb2146ef3fbb8418d4f5c7f2cb2b58003a22
Reviewed-on: https://code.wireshark.org/review/9610
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Roland Knall <rknall@gmail.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This allows better presentation of heuristic dissectors to the end user.
Change-Id: I2ff3985ab914e83c2989880cc0c7b9904045b3f6
Reviewed-on: https://code.wireshark.org/review/9602
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This replaces the single preference editor dialog in the GTK+ UI.
Change-Id: I10e030981e9f7d1ec121811593586b65cf0797c5
Reviewed-on: https://code.wireshark.org/review/8966
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
This avoids assertions when the field is added with proto_tree_add_string*()
(some of which show up in the fuzzed capture in bug 11254).
Ping-Bug: 11254
Change-Id: Iaf02f59443da0cf279d65eed049122d4dfaf7bcd
Reviewed-on: https://code.wireshark.org/review/8829
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Change-Id: Ib94eabeea865ef5c5d9ce4cef26d9faa51c5659d
Reviewed-on: https://code.wireshark.org/review/8715
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
I happened across the discussion in Ia44e0791b6ee78ad594de342c4f2401bad9beb4e
which indicates that protocols running over SSL can use tcp_dissect_pdus() too.
So do it in the SSTP dissector.
Change-Id: I3de14c1b2af5e4e5fe3630121366b71a5ad223cf
Reviewed-on: https://code.wireshark.org/review/7333
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Jeff Morriss <jeff.morriss.ws@gmail.com>
Use tcp_dissect_pdus to handle reassembly and avoid a recursion in
dissect_websocket. The HTTP dissector is modified to preserve
desegmentation functionality (tested with the capture from bug 8448).
As tcp_dissect_pdus is used now, the workaround for bug 8448 can be
removed and the actual frame dissection logic becomes simpler (the
length is checked in get_websocket_frame_length).
Bug: 10989
Change-Id: I67af96a6c7be88c2a77e1c4138abe90bdb880774
Reviewed-on: https://code.wireshark.org/review/7285
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
... with some changes from Jeff Morriss:
- Change how SSTP is "registered": rather than trying something complicated,
just put the intelligence for recognizing SSTP into the HTTP dissector.
(This does mean the SSTP dissector needs to do its own desegmentation now
but it makes things much cleaner.)
- Use proto_tree_add_subtree_format() instead of proto_tree_add_text() +
proto_item_add_subtree().
- The messagetype is 16 bits, use tvb_get_guint16() instead of tvb_get_guint8()
(fixes COL_INFO display)
- A few other few misc. cleanups
(I didn't update NEWS because I can no longer build NEWS without adding UTF8
fancy quotes and so forth.)
Bug: 8239
Change-Id: I3631ae65f67bea69815ccf43472fdbcac3ca3499
Reviewed-on: https://code.wireshark.org/review/7227
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have them return TRUE on success and FALSE on failure. Check the return
value rather than whether the error string pointer is null or not.
Change-Id: I800a03bcd70a6bbb7b217cf7c4800e9cdcf2189c
Reviewed-on: https://code.wireshark.org/review/7222
Reviewed-by: Guy Harris <guy@alum.mit.edu>
if captured length < reported length, this will trigger an infinite loop
Change-Id: I6557b455e7bbff12658a934e5bb13a42c023e133
Reviewed-on: https://code.wireshark.org/review/7053
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
As indicated in the comment above, the previous code was done on purpose to handle the NUL case
Bug: 10866
Change-Id: I66eb9f6fbc9477456310978b420ba30975d81b0a
Reviewed-on: https://code.wireshark.org/review/6621
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Copy addresses with wmem-scope instead of (forced) seasonal scope. All existing instances were converted to wmem_file_scope, but the flexibility is there for other scopes.
Change-Id: I8e58837b9ef574ec7dd87e278470d7063ae8c1c2
Reviewed-on: https://code.wireshark.org/review/6564
Reviewed-by: Michael Mann <mmann78@netscape.net>
It will be make Mac OS X buildbot happy
Change-Id: I628445c1358675a58cc2d26ce1ca3007dd619ff3
Reviewed-on: https://code.wireshark.org/review/6551
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Citrix uses a proprietary authentication schema called CitrixAGBasic for
their StoreFront/Web Interface product.
The Header looks like:
Authorization: CitrixAGBasic username="dGVzdHVzZXI="; domain= \
"dGVzdGRvbWFpbg=="; password="c2VjcmV0"; AGESessionId= \
"YzI0NmRkMmFmYmE5ZTk5M2I5ZDRkN2UwYzYzZWExN2U="
This patch enhances the HTTP dissector to decode this authentication data.
Due to non-discolsure I can only provide a faked GET request as a pcap
capture (attached to this bug).
Bug: 10851
Change-Id: Ic8e48db94809c9c64889cd050911de3fe23cdcdd
Reviewed-on: https://code.wireshark.org/review/6526
Reviewed-by: Michael Mann <mmann78@netscape.net>