I'm not sold on the name or module the proto_data functions live in, but I believe the function arguments are solid and give us the most flexibility for the future. And search/replace of a function name is easy enough to do.
The big driving force for getting this in sooner rather than later is the saved memory on ethernet packets (and IP packets soon), that used to have file_scope() proto data when all it needed was packet_scope() data (technically packet_info->pool scoped), strictly for Decode As.
All dissectors that use p_add_proto_data() only for Decode As functionality have been converted to using packet_scope(). All other dissectors were converted to using file_scope() which was the original scope for "proto" data.
svn path=/trunk/; revision=53520
proto_tree_set_text - the string was not the important part, the formatting was.
We were passing the string directly from tvb_get_ptr, but this meant that if the
packet didn't contain a null-terminator we would run off the end. Since the
string comes straight from the packet, just let _add_item handle the length
calculations etc efficiently, and set the display later.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9323
I'm a bit confused honestly why most of these are being set hidden after being
added and formatted, but at least there are no memory errors anymore.
svn path=/trunk/; revision=52979
convert all existing UAT update callbacks to use glib memory instead of
ephemeral memory for that string.
UAT code paths are entirely distinct from packet dissection, so using ephemeral
memory was the wrong choice, because there were no guarantees about when it would
be freed.
The move away from emem still needs to be propagated deeper into the UAT code
itself at some point.
Net effect: remove another bunch of emem calls from dissectors, where replacing
with wmem would have caused assertions.
svn path=/trunk/; revision=52854
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :
We can't solely rely on the port in the URI to determine whether we will be
recursively called by decode_tcp_ports(). Instead also check the conversation
entry too: if we find that we are the subdissector for this conversation
(which we might be--without the port being in our list of ports--if we
heuristically picked up the conversation or the user did Decode-As),
just bail out and dissect the payload as data.
svn path=/trunk/; revision=49623
least one fuzzed capture contains them, and using ep_strndup() to copy
the line means that the actual amount of memory allocated for the copy
will be less than the length of the line, and code that parses the line
assuming that there are value_len+1 bytes in the buffer (including the
terminating NUL), such as the current parsing code, will break.
We should really have code in Wireshark to handle counted strings, and
have those be what we extract from packets. (And we should handle
non-UTF-8/non-UTF-16 encodings, and octet sequences that aren't valid
strings for their encoding, and handle display of invalid strings and
non-printable characters, and....).
Use g_ascii_ versions of various isXXX() and to{upper,lower}(), so we
don't get surprised by the behavior of the user's locale.
svn path=/trunk/; revision=48490
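The two string problems described in this log (a packet string with no terminating NUL in the proto_tree_set_text fix, and embedded NULs that make an ep_strndup() copy shorter than value_len+1 bytes) both disappear when the length travels with the bytes. This is an added example, not Wireshark code: counted_str and its helpers are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical counted-string type, not a Wireshark API. */
typedef struct {
    size_t len;   /* number of bytes taken from the packet */
    char  *data;  /* len bytes followed by one terminating NUL */
} counted_str;

/* Bytes a strndup()-style copy allocates: it stops at the first NUL. */
size_t strndup_alloc_size(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return (nul != NULL ? (size_t)(nul - buf) : len) + 1;
}

/* Copy exactly len bytes, embedded NULs included; the source need not be
 * NUL-terminated. Returns 0 on success, -1 on failure. */
int counted_copy(counted_str *out, const char *buf, size_t len)
{
    if (len == SIZE_MAX || (out->data = malloc(len + 1)) == NULL)
        return -1;
    memcpy(out->data, buf, len);
    out->data[len] = '\0';
    out->len = len;
    return 0;
}

/* Render for display: printable ASCII as-is, every other byte as \xNN.
 * Never reads past s->len and never writes past dst_size. */
size_t counted_escape(const counted_str *s, char *dst, size_t dst_size)
{
    size_t o = 0;
    if (dst_size == 0)
        return 0;
    for (size_t i = 0; i < s->len; i++) {
        unsigned char c = (unsigned char)s->data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= dst_size) break;      /* keep room for the NUL */
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dst_size) break;      /* "\xNN" plus the NUL */
            o += (size_t)snprintf(dst + o, dst_size - o, "\\x%02x", c);
        }
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    static const char sample[] = "gzip\0AAAA";  /* constructed, 9 bytes */
    counted_str s;
    char shown[64];
    if (counted_copy(&s, sample, sizeof sample - 1) != 0)
        return 1;
    counted_escape(&s, shown, sizeof shown);
    printf("strndup-style copy: %zu bytes, counted copy: %zu bytes, shown as %s\n",
           strndup_alloc_size(sample, s.len), s.len + 1, shown);
    free(s.data);
    return 0;
}
```

A parser that indexes up to value_len stays in bounds on the counted copy, while the strndup()-style copy of the same bytes is only 5 bytes long.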
traffic *without* claiming all that traffic for themselves; they might
want, instead, to register for a particular media type.
Not all traffic to or from port 3689 is DAAP - not even traffic between
two Apple machines doing media stuff (e.g., some FairPlay traffic
isn't). Register for the media type application/x-dmap-tagged, and just
say port 3689 is HTTP. This means we can get rid of the FPLY hack, as
that traffic is application/octet-stream. Update some comments.
Leave it up to the DAAP dissector to tag traffic as DAAP in the protocol
column.
svn path=/trunk/; revision=47376
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
sizeof.
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
strtol() and strtoul().
Change some data types to avoid those implicit conversion warnings.
When assigning a constant to a float, make sure the constant isn't a
double, by appending "f" to the constant.
Constify a bunch of variables, parameters, and return values to
eliminate warnings due to strings being given const qualifiers. Cast
away those warnings in some cases where an API we don't control forces
us to do so.
Enable a bunch of additional warnings by default. Note why at least
some of the other warnings aren't enabled.
randpkt.c and text2pcap.c are used to build programs, so they don't need
to be in EXTRA_DIST.
If the user specifies --enable-warnings-as-errors, add -Werror *even if
the user specified --enable-extra-gcc-flags; assume they know what
they're doing and are willing to have the compile fail due to the extra
GCC warnings being treated as errors.
svn path=/trunk/; revision=46748
- Now works for WebSocket packets not aligned with IP packets.
- Support subdissectors.
From me :
- Fix checkAPIs warning (about comments)
- Remove some whitespace
svn path=/trunk/; revision=45875
implicitly by the #define name and string they were defined to; not all
UATs neatly fit into any of the categories, so some of them were put
into categories that weren't obviously correct for them, and one - the
display filter macro UAT - wasn't put into any category at all (which
caused crashes when editing them, as the GUI code that handled UAT
changes from a dialog assumed the category field was non-null).
The category was, in practice, used only to decide, in the
aforementioned GUI code, whether the packet summary pane needed to be
updated or not. It also offered no option of "don't update the packet
summary pane *and* don't redissect anything", which is what would be
appropriate for the display filter macro UAT.
Replace the category with a set of fields indicating what the UAT
affects; we currently offer "dissection", which applies to most UATs
(any UAT in libwireshark presumably affects dissection at a minimum) and
"the set of named fields that exist". Changing any UAT that affects
dissection requires a redissection; changing any UAT that affects the
set of named fields that exist requires a redissection *and* rebuilding
the packet summary pane.
Perhaps we also need "filtering", so that if you change a display filter
macro, we re-filter, in case the display is currently filtered with a
display filter that uses a macro that changed.
svn path=/trunk/; revision=43603
Add WebSocket Protocol dissector (RFC6455)
* Support Base Framing Protocol
* Support of major opcode (Text, Binary, Close, Ping, Pong...)
* Support of unmask Payload (Client-to-Server Masking)
TODO
* Add fragmentation support
* Add WebSocket Extensions
svn path=/trunk/; revision=42163
Check the user-provided custom header string for invalid characters before
trying to register it in an hf; registering invalid characters in an hf will
lead to an assertion.
svn path=/trunk/; revision=41787
-- HTTP/1.1":
    Any HTTP/1.1 message containing an entity-body SHOULD include a
    Content-Type header field defining the media type of that body. If
    and only if the media type is not given by a Content-Type field, the
    recipient MAY attempt to guess the media type via inspection of its
    content and/or the name extension(s) of the URL used to identify the
    resource. If the media type remains unknown, the recipient SHOULD
    treat it as type "application/octet-stream".
To quote section "4. Encoding of Transport Layer" of RFC 2565, "Internet
Printing Protocol/1.0: Encoding and Transport":
    HTTP/1.1 [RFC2068] is the transport layer for this protocol.
    ...
    Note: even though port 631 is the IPP default, port 80 remains the
    default for an HTTP URI. Thus a URI for a printer using port 631
    MUST contain an explicit port, e.g. "http://forest:631/pinetree". An
    HTTP URI for IPP with no explicit port implicitly reference port 80,
    which is consistent with the rules for HTTP/1.1. Each HTTP operation
    MUST use the POST method where the request-URI is the object target
    of the operation, and where the "Content-Type" of the message-body in
    each request and response MUST be "application/ipp". The message-body
    MUST contain the operation layer and MUST have the syntax described
    in section 3.2 "Syntax of Encoding". A client implementation MUST
    adhere to the rules for a client described for HTTP1.1 [RFC2068]. A
    printer (server) implementation MUST adhere the rules for an origin
    server described for HTTP1.1 [RFC2068].
So, when choosing a subdissector for HTTP request bodies, search based
on the media type first, and only if we *don't* find a dissector for the
media type, do other stuff such as heuristics or choosing a subdissector
based on the port number.
This fixes a number of problems; in particular, it fixes bug 6765
"non-IPP packets to or from port 631 are dissected as IPP" without
requiring the IPP dissector to attempt to determine whether an entity
body looks like IPP. It also ensures that the default dissector for
HTTP entity bodies, the "media" dissector, will get the media type
passed to it in pinfo->match_string.
Don't use "!str*cmp()" while we're at it - it's valid C, but the "!" can
make it look as if it's checking for something not being the case when,
in fact, you're checking for equality rather than inequality. (The
str*cmp() routines don't return Boolean results.)
svn path=/trunk/; revision=41025
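The selection order this commit message describes, written out as an added example (not Wireshark's code). The tables, dissector names and the PNG heuristic are constructed, and the relative order of the heuristic and port steps is an assumption, since the message only says both come after the media type.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All tables and names below are constructed for illustration. */
struct media_entry { const char *media_type; const char *dissector; };
struct port_entry  { unsigned port;          const char *dissector; };

static const struct media_entry media_table[] = {
    { "application/ipp",           "ipp" },
    { "application/x-dmap-tagged", "daap" },
    { "text/html",                 "data-text-lines" },
};
static const struct port_entry port_table[] = {
    { 631, "ipp" },
};

/* Constructed heuristic: claim a body only if it starts with the PNG magic. */
static const char *try_heuristics(const unsigned char *body, size_t len)
{
    static const unsigned char png_magic[] = { 0x89, 'P', 'N', 'G' };
    if (len >= sizeof png_magic && memcmp(body, png_magic, sizeof png_magic) == 0)
        return "png";
    return NULL;
}

/* content_type is the bare media type (parameters stripped, lower case),
 * or NULL when the message carries no Content-Type header. */
const char *choose_subdissector(const char *content_type, unsigned port,
                                const unsigned char *body, size_t len)
{
    const char *name;
    size_t i;

    /* 1. The declared media type wins whenever a dissector is registered. */
    if (content_type != NULL) {
        for (i = 0; i < sizeof media_table / sizeof media_table[0]; i++) {
            if (strcmp(content_type, media_table[i].media_type) == 0)
                return media_table[i].dissector;
        }
    }
    /* 2. Heuristics look at the body itself (order of 2 and 3 is assumed). */
    name = try_heuristics(body, len);
    if (name != NULL)
        return name;
    /* 3. The port number is the weakest signal. */
    for (i = 0; i < sizeof port_table / sizeof port_table[0]; i++) {
        if (port_table[i].port == port)
            return port_table[i].dissector;
    }
    /* 4. Default: the generic "media" dissector. */
    return "media";
}

int main(void)
{
    static const unsigned char html[] = "<html></html>";  /* constructed body */
    /* The bug 6765 case: HTML served from port 631 is not treated as IPP. */
    printf("text/html on port 631 -> %s\n",
           choose_subdissector("text/html", 631, html, sizeof html - 1));
    return 0;
}
```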
[Actually 1 g_malloc() + N tvb_memcpy() instead of
~ N g_malloc()/g_free() + N*(N+1)/2 tvb_memcpy() where N = number of chunks].
svn path=/trunk/; revision=40242
1. If there's no character encoding (ENC_ASCII, ...) specified
then use ENC_ASCII.
2. For all but FT_UINT_STRING, always use ENC_NA
(replacing any existing True/1/FALSE/0
/ENC_BIG_ENDIAN/ENC_LITTLE_ENDIAN).
svn path=/trunk/; revision=39426
in README.developer. Remove g_gnuc.h since it's no longer needed. Remove
tvbuff_init(), tvbuff_cleanup(), reassemble_init(), and
reassemble_cleanup() since they were only used for older GLib versions
which didn't support GSlices. Assume we always support the "matches"
operator.
svn path=/trunk/; revision=37978
Make the image (png, gif, jfif) dissectors "new style" so that they don't
dissect data that does not belong to them.
Modify the HTTP dissector to call heuristic dissectors on the body if the
registered subdissector does not accept/dissect the data.
From me: don't use assert() and don't add a preference to the HTTP dissector
for this behavior: it makes sense to behave like that by default.
svn path=/trunk/; revision=36305
I've just finished writing a ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook anywhere packets properly (as
specified by the [MS-RPCH].pdf documentation).
svn path=/trunk/; revision=35259
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
Attached patch:
1. Adds port 5985 as a HTTP traffic port (used by MS Powershell remoting over
HTTP)
2. Adds dissection of Kerberos authentication to HTTP.
svn path=/trunk/; revision=34641
We parse host & request page from headers, so we easily can construct full http
uri.
I was thinking about making it as field, so we could filter, print in column
info, or do other fancy stuff, but for now this is imho enough.
From me: add it as a (filterable) item. Clean up spacing and indentation in a
few places.
svn path=/trunk/; revision=34162
I don't want to change get_token_len() to not skip multiple spaces,
because I don't know if other protocols depend on this behaviour.
We should maybe check this...
This fixes bug 5181.
svn path=/trunk/; revision=34063
The HTTP dissector uses strtoll() to convert the Content-Length string into a
64bit variable. But that string can contain a number larger (or less) than
64bit, which lets the strtoll() return INT_MAX (or INT_MIN). strtoll() then
indicates this with errno==ERANGE.
The attached patch checks if errno is set this way and then treats that HTTP
Content-Length as unspecified, since we don't know the real size.
I haven't checked other occurrences of strtoll() in the HTTP dissector if they
could benefit from the errno check, or if other dissectors could use it.
svn path=/trunk/; revision=32772
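The errno check described in this commit message, as an added example rather than the patch itself: parse_content_length() is a hypothetical helper and the sample header values are constructed. It goes slightly beyond the message by also rejecting signed values and trailing garbage, which strtoll() would otherwise accept without complaint.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not Wireshark's code. Returns true and stores the
 * length only when the whole value is a non-negative decimal number that
 * fits in a long long; on false the length is to be treated as unspecified. */
bool parse_content_length(const char *value, long long *length_out)
{
    const char *p = value;
    char *end;
    long long n;

    while (*p == ' ' || *p == '\t')   /* optional leading whitespace */
        p++;
    /* strtoll() accepts a sign; insist on a digit so "-1" and "+5" fail. */
    if (*p < '0' || *p > '9')
        return false;

    errno = 0;                        /* strtoll() sets errno but never clears it */
    n = strtoll(p, &end, 10);
    if (errno == ERANGE)              /* result saturated: real size unknown */
        return false;

    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')                 /* trailing garbage such as "12abc" */
        return false;

    *length_out = n;
    return true;
}

int main(void)
{
    /* Constructed sample header values */
    const char *samples[] = { "1234", "99999999999999999999", "-1", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long len = 0;
        bool ok = parse_content_length(samples[i], &len);
        printf("%-22s -> %s\n", samples[i], ok ? "length known" : "unspecified");
    }
    return 0;
}
```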
1) This indicates that the string has ephemeral lifetime
2) More consistent with its existing seasonal counterpart, se_address_to_str().
svn path=/trunk/; revision=29747
packet-daap requests registration on that port via http_dissector_add
and thus packet-http does not need to do a default registration on that port.
Also: fix a typo in a comment.
svn path=/trunk/; revision=29265
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
a protocol tree;
the column values.
This includes stats-tree listeners.
Have the routines to build the packet list, and to retap packets, honor
those requirements. This means that cf_retap_packets() no longer needs
an argument to specify whether to construct the column values or not, so
get rid of that argument.
This also means that there's no need for a tap to have a fake filter
to ensure that the protocol tree will be built, so don't set up a fake
"frame" filter.
While we're at it, clean up some cases where "no filter" was represented
as a null string rather than a null pointer.
Have a routine to return an indication of the number of tap listeners
with filters; use that rather than the global num_tap_filters.
Clean up some indentation and some gboolean vs. gint items.
svn path=/trunk/; revision=28645
Add a UAT for custom HTTP header fields.
From me:
Use se_alloc0 to initialize a struct. Use g_strdup(...) instead of
g_strdup_printf("%s"...). Add a missing UAT_END_FIELDS.
svn path=/trunk/; revision=28406
- Change ugly GLIB version checking statements to GLIB_CHECK_VERSION
- Remove ws_strsplit files because we no longer need to borrow GLIB2's
g_strsplit code for the no longer supported GLIB1 builds
svn path=/trunk/; revision=24829
est. Use g_ascii_strcasecmp() and g_ascii_strncasecmp(), and supply our
own versions if they're missing from GLib (as is the case with GLib
1.x).
In the code to build the list of named fields for Diameter, don't use
g_strdown(); do our own g_ascii_-style upper-case to lower-case mapping
in the hash function and use g_ascii_strcasecmp() in the compare
function.
We do this because there is no guarantee that toupper(), tolower(), and
functions that use them will, for example, map between "I" and "i" in
all locales; in Turkish locales, for example, there are, in both
upper case and lower case, versions of "i" with and without a dot, and
the upper-case version of "i" is "I"-with-a-dot and the lower-case
version of "I" is "i"-without-a-dot. This causes strings that should
match not to match.
This finishes fixing bug 2010 - an earlier checkin prevented the crash
(as there are other ways to produce the same crash, e.g. a bogus
dictionary.xml file), but didn't fix the case-insensitive string matching.
svn path=/trunk/; revision=23623
for the same tvb. This keeps us from freeing the same memory twice and
crashing on some systems.
This might be the same bug Brian Vandenberg was looking for in
http://www.wireshark.org/lists/wireshark-dev/200705/msg00406.html .
svn path=/trunk/; revision=23415
- s/ntohl/g_ntohl
- s/free/g_free
- Change some tvb_get_string()+g_free()'s into tvb_get_ephemeral_string()
- Change some tvb_fake_unicode()+g_free()'s into tvb_get_ephemeral_faked_unicode()
- Change some tvb_get_string() calls that were clearly memory leaks (like
atoi(tvb_get_string(...))) into tvb_get_ephemeral_string()
svn path=/trunk/; revision=22515
While looking into the http-dissector I improved a few things on
how it dissects a proxy CONNECT session. This is what I have changed:
- added the fields hf_http_proxy_connect_host and -port
- changed proto_tree_add_text to proto_tree_add_string and -uint
so that it's possible to filter on them
- make these two fields "PROTO_ITEM_SET_GENERATED"
- removed the alteration of the ports within pinfo, now the
ports in the column info are not changed to the port used to
connect to the backend server. It is now possible to use
follow-tcp-stream again on proxied ssl sessions.
svn path=/trunk/; revision=21618
some warning fixes
packet-http.c
set headers.content_length = 0 before the first potential use of it.
packet-kink.c
"ifdef kerberos" around one function declaration
packet-nbns.c
set headers.{dgm_length|pkt_offset|error_code} = 0
packet-pflog.c
delete capture_pflog and
capture_old_pflog which aren't used anymore in the code.
svn path=/trunk/; revision=21120
The capture file the user supplied had a HTTP chunked response
in it with no actual chunks other than the zero length chunk
indicating the end of the chunks. The fix is to only create
a new_tvb and copy it over the tvb going into the
chunked_encoding_dissector() function if the chunk size is > 0.
svn path=/trunk/; revision=21034
- Split the HTTP tap into two taps: one for the HTTP statistics
and the other for the export object function. This allows the
HTTP statistics to work again (they seem to have been
partially broken since SVN rev 18901).
- Pass the conversation data (conv_data) between functions now
instead of using the global variable stat_info (now only used
for the HTTP stats)
- Pass only pointers from the HTTP dissector to the Export Object
tap, where we'll then copy the values and insert into the slist.
- Make sure we free all memory allocated by this feature when
we're done with it.
- Various other minor improvements
svn path=/trunk/; revision=21021
- Note in the user's guide that export object is not available
in GTK1 builds of Wireshark.
- Make scanning through the slists more efficient
- Use new tap.c function called have_tap_listener() to only save
object payload data when the export object listener is actively
listening for it.
- Save objects in the HTTP dissector with g_malloc() instead of
se_malloc() and free it when we're done with it - when the
export object window is closed (Fixes bug #1412)
- Various minor improvements
svn path=/trunk/; revision=20980
- Add to User's Guide
- Add a help button
- Move a lot of code into the shared export_object.c file and out of
dissector specific file export_object_http.c. This will make adding
additional protocols much easier.
- Change comment in packet-http.c to reflect new name (Export Object)
- Various other minor improvements
svn path=/trunk/; revision=20961
feature lists all of the content found in an HTTP stream (images, http, etc.)
and displays it in a list that allows the user to save each one as a file that
is already reassembled by the dissectors.
svn path=/trunk/; revision=20867
Create two new files (ws_strsplit.[ch]) that use GTK2 code to override
the buggy g_strsplit() function when compiling for GTK1. Include this
work-around function (ws_strsplit) in libwireshark.def. Add notes on usage
to README.developer. Include epan/ws_strsplit.h in all files that use
g_strsplit().
svn path=/trunk/; revision=20804
when it encountered a proxy http connect to port 80. This was caused by
the dissector calling itself over and over. Now if the connect to port is
one of the defined http ports, it calls the data dissector.
svn path=/trunk/; revision=19899
Also, there is still an outstanding issue regarding the default use of
the "media" dissector. The way it is currently coded there is no way to
have a heuristic decoder when a content-type header is specified.
In this way if there is a decoder for a specific content-type then it
will be used, then the heuristic decoders have a chance, and finally the
default of either the media-type decoder or the http_payload decoder.
svn path=/trunk/; revision=19208
verify that stat_info->request_uri is non null before doing string manipulations on it
so that we don't try to dereference a null pointer further down the code
svn path=/trunk/; revision=19153
Attached is a patch to packet-http.c that calls a subdissector for
traffic flowing through a proxy via the HTTP CONNECT method. Most
protocols, especially SSL, can be tunneled through an HTTP proxy.
Wireshark currently says this traffic is "Continuation or non-HTTP
traffic" but this patch turns the payload over to the dissector for the
protocol being tunneled. This is similar to how the Socks dissector
works.
svn path=/trunk/; revision=18901
- Many DCT2000 protocols can be embedded within an IP primitive
message. Add a heuristic to see if we can find the protocol payload
within an IP primitive message, and look for an ethereal dissector
matching the DCT2000 protocol name (this is useful for simple protocol
testing where no physical links are involved)
- Make some more of these protocols (diameter, http, mgcp) findable by name
- Adds protocol 'variant' number to stub and dissector
- Break the duplicated writing of the stub header out into a separate
function
svn path=/trunk/; revision=18212