When a TCP segment contains the end of two or more SSL PDUs, the TCP reassembly
code passes that segment up to the SSL dissector multiple times--one for each
SSL PDU. The SSL dissector queues the packet for SSL tap listeners each time it
is invoked. Therefore a single packet can be processed by SSL tap listeners
multiple times. But the tap data that the SSL dissector sends to its tap
listeners is a linked list of all PDUs in the packet.
The SSL tap listener responsible for populating the Follow SSL Stream dialog
did not account for the possibility of seeing a packet multiple times. As a
result, it would process the entire linked list of PDUs each time it received a
packet, and that would result in some SSL PDUs showing up two or more times in
the dialog.
This patch fixes the described bug. It also implements a few slight
improvements in closely related code. See bugzilla for details.
svn path=/trunk/; revision=49387
I want to add last four colours to Profile Bluetooth. This should
significantly improve readability - rule is one colour for one
protocol/profile.
Also take responsibility (in the AUTHORS file) for first three dissectors.
svn path=/trunk/; revision=49330
via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8635
"enhanced WCCP decoder"
GRE part of the patch.
Me:
Reorder values
Manually apply the rejected parts of the patch (incompatible whitespace)
Fix whitespace inconsistencies of the patch.
svn path=/trunk/; revision=49240
Dissector for PTP-over-IP (picture transfer protocol). PTP-over-USB also exists
but is not identical, so some parts of the dissector are shared for future use.
svn path=/trunk/; revision=49221
[PATCH 1/8]
Add a subtree for the random DTLS elements. This is what TLS already does, and
it makes more sense than prefixing their display names.
[PATCH 2/8]
Show the actual hex content of the cookie by just using proto_tree_add_item.
The cookie length has its own field, so there's no need to display it twice.
[From me]
Fix an @ in the AUTHORS file
svn path=/trunk/; revision=49172
Dissector for NASDAQ's SoupBinTCP protocol (which is non-trivially different
from the old packet-nasdaq-soup dissector).
From me:
- fix CMake entry
- remove C++-style comments
- fix SVN Id tag
svn path=/trunk/; revision=48452
Centralize logic related to per-interface conversations, and expose it for use
by class-specific dissectors.
Class-specific descriptor dissectors also need to know the interface in whose
context they are called to work.
This is a prerequisite for a USB Video Class dissector, which needs to decode
many class-specific descriptors.
svn path=/trunk/; revision=47990
New dissector for the honeypot-feeds protocol.
From me: Misc. tweaks to expert info layout and remove a few unneeded initializers.
svn path=/trunk/; revision=47962
As part of a semester project in our 3rd semester of
"secure information systems" at the university of
applied sciences upper austria, we built a wireshark
dissector for the OpenVPN protocol.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8240
From me:
Rework reassembly code and tree display of
message fragments and reassembled messages.
Fix various bugs and do some cleanup.
Also: Do minor whitespace changes in AUTHORS.
svn path=/trunk/; revision=47247
Dissector for the SEL (Schweitzer Engineering Labs) Fast Message protocol.
From me:
- use wmem instead of glib to not leak memory
- simplify port preference
- remove unneeded initializers
- modelines
- Id tag
svn path=/trunk/; revision=46949
This patch provides
i) support for Shared Use of Experimental TCP Options (draft-ietf-tcpm-experimental-options-03)
ii) support for TCP Fast Open (draft-ietf-tcpm-fastopen-02).
A new 'TFO=R' string is appended at the column info in case a client sends a SYN packet with a Fast Open Cookie Request. Moreover, if the server responds with a SYN-ACK containing a Fast Open Cookie option a 'TFO=C' is shown (as well as in any subsequent client attempt to send SYN + DATA).
tcp.options.tfo display filter can be used in order to easily select the complete TFO three-way handshake.
Chrome (and I think also Firefox) has support for client-side TFO. Linux 3.7 got both client and server-side support.
svn path=/trunk/; revision=46723
(with a few minor fixes by me).
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8002
major change:
reassembling of PNIO fragments (only works if OpenSafety dissector is disabled)
minor changes:
improved handling of DFP Frames
added / updated
MRP Block decoding
ARServerBlock
ARVendorBlock
PDInterfaceDataReal
PDInterfaceAdjust
PDPortStatistic
SubdirFrameData corrected display and subblocks added
PDIRGlobalData complete dissection
decoding of FrameDataProperties and ARTypes updated to conform to the STD
removed now unsupported RTC2 ranges
svn path=/trunk/; revision=46522
Add a dissector for the America Online protocol (not the AIM protocol).
From me: always use ENC_NA for FT_UINT8 types.
svn path=/trunk/; revision=45731
Add support for HCI 3.0+HS and v4.0, Bluetooth Low Energy. This includes
dissection of additional HCI commands and events, Attribute Protocol and
Security Manager Protocol.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7872
svn path=/trunk/; revision=45709
Add some additional memory-allocation failure checks in Lemon.
Use NULL rather than 0 as the null-pointer constant in those
checks.
From me:
Catch one more of the NULL-vs-0 cases.
Fix some failure messages to use fprintf(stderr, ...) -
ErrorMsg() requires a file name and line number, and is
generally used if you're going to continue rather than just give
up.
svn path=/trunk/; revision=45214
Add Bluetooth Protocol BNEP. Supported version: 1.0.
I changed offset to be an int to follow WS convention. While at it I changed other types to fit the tvb_get routines.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7719
svn path=/trunk/; revision=44894
New dissector for WSE Remote Ethernet protocol
From me :
* Fix Compilation under linux
* Use proto_tree_add_item*
* Make built-in dissector
* Include Status.* and Codef.* in dissector
* Reorder function (to respect Wireshark Codelines)
* Add Modelines Info and fix indent (use 4 spaces)
* Fix check* tools
* Add Clement to AUTHORS
svn path=/trunk/; revision=43086
Add WebSocket Protocol dissector (RFC6455)
* Support Base Framing Protocol
* Support of major opcode (Text, Binary, Close, Ping, Pong...)
* Support of unmask Payload (Client-to-Server Masking)
TODO
* Add fragmentation support
* Add WebSocket Extensions
svn path=/trunk/; revision=42163
From Tom Cook and Tom Alexander.
1. A VWR encapsulation that reads VeriWave capture files (*.vwr)
generated from
WaveTest test hardware
2. Dissectors that display the VeriWave tap headers (both 802.11 and
Ethernet)
3. A dissector for the WaveAgent protocol. The WaveAgent dissector is
heuristic and parses the WaveAgent packet (a UDP payload).
The WaveAgent dissector has been Fuzz tested.
The VWR ENCAP and dissectors have been used extensively by VeriWave
customers in a special version of Wireshark compiled by VeriWave.
svn path=/trunk/; revision=42155
Here is a dissector for ActiveMQ OpenWire protocol.
A few words about the protocol :
OpenWire has two wire formats :
- "loose" : more verbose, less CPU-intensive, less network-intensive (1-pass)
- "tight" : more compact, more CPU-intensive, more network-intensive (2-pass)
This dissector only supports the "loose" syntax, which is not the default.
This dissector only supports version 6 of the protocol.
It can be changed on the broker in the activemq.xml file by specifying
"tightEncodingEnabled=false" :
svn path=/trunk/; revision=41919
This patch adds support for the DVB Bouquet Association Table (BAT) from ETSI
EN 300 468.
With this last patch, the support for the DVB SI table is quite complete.
svn path=/trunk/; revision=41836
This patch adds support for the DVB Time Offset Table and the related
descriptor.
It also contains the Stuffing Descriptor as an added bonus.
svn path=/trunk/; revision=41766
This patch adds support for DVB Network Information Table as documented in
ETSI EN 300 468.
The patch also contains additional mpeg descriptors usually found in NIT plus
a few minor bugfixes for other descriptors.
svn path=/trunk/; revision=41754
I'm contributing a new dissector for the HART/IP protocol. This
protocol is specified by the HART Conformance Foundation (HCF). It is
a standard protocol used in the process control industry. It
essentially wraps the multi-drop serial HART packets in TCP or UDP
packets. The standard has been approved by the HCF and has been
assigned UDP/TCP port 5094 by IANA.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6961
svn path=/trunk/; revision=41644
Support for DCCP Simultaneous-Open for NAT Traversal, RFC 5596. A new packet
format is supported. I did a little code cleanup too.
svn path=/trunk/; revision=41543
Move Y.1711 out of MPLS dissector
ITU-T Y.1711 code was "embedded" into the MPLS dissector in 2006.
This patch moves it into its own dissector.
From me :
Fix a Clang warning
svn path=/trunk/; revision=41486
A new dissector for IEEE 1722.1.
From me: some code cleanup, including:
- Get rid of some unnecessary local variable initializations.
- Put all of 1722.1 under one subtree.
- Just put if(tree)s in the top-level function rather than scattered throughout.
- Remove a couple "set but not used" warnings (a couple are #if'd out).
- Don't use deprecated functions.
svn path=/trunk/; revision=41282
Support for MPLS Packet Loss and Delay Measurement, RFC 6374
Any packet format is supported: DLM, ILM, DM, DLM+DM and ILM+DM.
From me :
* Prefer proto_tree_add_item when it is possible
* add Modelines information
svn path=/trunk/; revision=41260
Dissector for Alcatel-Lucent Enterprise Universal Alcatel- and NOE protocol
families.
Meant as a replacement for existing UA-dissector in trunk because of better
feature set:
- latest protocol specification
- more detailed dissection and filtering possibilities on subprotocols
- RTP stream setup
- NOE over SIP
Lars Ruoff
On behalf of Alcatel-Lucent Enterprise
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6844
svn path=/trunk/; revision=41134
Enable decryption of TLS 1.2.
Add some cipher suites from RFC5246 and RFC5289.
Fixed a bug in the handling of stream cipher.
(The explicit IV field in the application record doesn't exist when stream ciphers are used. But the original code handles it as if a one-byte IV exists.)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6688
svn path=/trunk/; revision=40273
- ... and make that distinction configurable for capture files that do not have padding in small frames, but do have trailers
- Add VSS-Monitoring dissector to show by the TAP inserted time- and portstamps
svn path=/trunk/; revision=40108
This patch covers following -
i) Support for detecting OSPFv2 Opaque RI LSA. (RFC4970)
ii) Support for detecting OSPFv2 RI Capabilities TLV (RFC4970)
iii) Support for detecting OSPF Dynamic Hostname TLV (RFC5642)
iv) As per RFC4970, support for detecting RI LSA for OSPFv3 as well.
svn path=/trunk/; revision=40073
- Removed some mpls preferences which are no longer relevant/needed like
decode PWAC payloads as PPP traffic and assume all channel types except 0x21
are raw BFD.
- MPLS extension from PW-ACH to MPLS Generic Associated Channel as per RFC 5586
- Updated Pseudowire Associated Channel Types as per
http://www.iana.org/assignments/pwe3-parameters
- Updated the VCCV bitmaps as per RFC 5885
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6574
svn path=/trunk/; revision=40026
kNet (KristalliNet) dissector for Wireshark
kNet is a connection-oriented network protocol for transmitting arbitrary application-specific messages between network hosts. It is designed primarily for applications that require a method for rapid space-efficient real-time communication. kNet is an application-level protocol which can be run either over UDP, TCP or SCTP transports.
From me :
* Add Modelines information and fix trailing whitespace
* Merge packet-knet.h in packet-knet.c
* Make Checkhf happy
* Fix Clang/GCC Warning about unused variable
* Add Authors info & CMakeList.txt
svn path=/trunk/; revision=40010
Enhance XMPP Dissector
XMPP is a communication protocol that is based on XML.
Existing Jabber dissector has only a few filtering possibilities and displays packets in an inconvenient way.
This dissector is a result of cooperation with Jitsi community as Google Summer of Code project (http://www.jitsi.org/index.php/GSOC2011/XmppWireshark).
From me :
Add Mariusz Okrój in AUTHORS File
Add Modelines information
svn path=/trunk/; revision=39799
Dissector for HSR and PRP-1
Here is a patch that adds a dissector for HSR and for PRP-1. Both protocols are defined in IEC62439 Part 3. (High-availability Seamless Redundancy / Parallel Redundancy Protocol)
The existing PRP dissector has been refactored to support both the old PRP (now called PRP-0) and the new PRP-1.
There are three distinct dissectors:
- HSR (ethertype 892F)
- HSR/PRP supervision (ethertype 88FB)
- PRP-0 and PRP-1 (trailer dissector; disabled by default)
From me :
* Fix Clang Warning
* Add modification for CMakeLists.txt
svn path=/trunk/; revision=39692
dissector for HDCP (High bandwidth Digital Content Protection)
HDCP can run on top of TCP, there's no fixed port number assigned. I created a heuristic dissector that's disabled by default and can be enabled by setting a preference (similar to the hilscher dissector). The idea behind this is that some HDCP messages are hard to recognize (e.g. one byte message id + 8 random bytes). Having the dissector enabled at all times may generate false positives.
svn path=/trunk/; revision=39480
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5929
From me:
packet-cipmotion.c:
FT_BOOLEAN fields with bitmasks need a bit-fieldwidth in the hf[] entry 'display' field;
Define attribute_size as guint32 since it has to store guint8*guint16;
Use ENC_NA as encoding arg in proto_tree_add_item() for FT_BYTES field types;
Remove trailing whitespace from lines;
Other minor cleanup and reformatting.
packet-enip.c:
Use ENC_NA as encoding arg in proto_tree_add_item() for FT_BYTES field types;
svn path=/trunk/; revision=39396
Re-write of the EIGRP dissector to support Multi-Protocol (TLV 2.0) and
Multi-Topology (TLV 3.0). This version also supports Service Advertisement
Framework (SAF) extensions to EIGRP.
Dissector includes:
- Dissection of all EIGRP Opcodes and TLVs
- Decode of EIGRP Flags and bitfields
- Decode of EIGRP Communities
- Decode of latest EIGRP "wide metric" formats
- Decode of EIGRP Extended Metrics
- Decode of SAF packets with XML client data handed off to XML dissector
From me:
Fix checkapi errors/warnings use G_GINT64_CONSTANT and G_GINT64_MODIFIER
svn path=/trunk/; revision=39339
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 8/9] add support for Root Announcement (RANN) IEs
svn path=/trunk/; revision=38281
Vuze, called Azureus before, is a great BT client and has a lot of users,
while its DHT implementation is different from the official one.
From me: New-style dissectors are supposed to always return
"bytes dissected" (not just when tree != NULL);
svn path=/trunk/; revision=37755
Attached is a dissector for CN/IP protocol described in EIA-852. It is mainly
used to encapsulate and send Lontalk (EIA-709.1) or EIA-600 frames over UDP (or
TCP).
This dissector can only decode the common header and data frames can be decoded
by further dissectors.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5907
svn path=/trunk/; revision=37596
The two patches attached allow the dissection of the Homeplug AV Ethernet MAC
management frames between a controlling device and a Homeplug AV Ethernet to
PLC adapter. This protocol is pretty similar to the previous generation
Homeplug protocol (dissected by packet-homeplug.c) but a couple of noticeable
differences make it require its own dissector handler.
This dissector is based on the work done by Nicolas Thill, Xavier Carcelle and
myself in the Faifa project (https://dev.open-plc.org).
The dissector handles the standard Homeplug AV Ethernet MAC management frames
(called public) as well as the Intellon specific management frames (vendor).
From me:
Remove unnecessary global variables.
Add to COL_INFO even when !tree.
Remove gotos.
Remove unnecessary includes.
svn path=/trunk/; revision=37403
* Remove proto_tree_add_eui64 function from 802.15.4 Dissector
* Replace print_eui64/print_eui64 by eui64_to_str/get_eui64_name
* Update Documentation (README.dev)
* Add new function in libwireshark.def
* Support of encoding for tvb_eui64_to_str
* Use FT_EUI64 for ICMPv6, CAPWAP, Zbee ... dissector
svn path=/trunk/; revision=37015
This patch incorporates the following fixes from the patch attached to
bug 5671 with changes as noted below:
1.) Files where the packet header and packet data are noncontiguous are
handled improperly, resulting in read misalignment and ultimately the
error message, "Observer: bad record: Invalid magic number 0xXXXXXXXX."
This bug is caused by not obeying the packet_entry_header.offset_to_frame
field.
2.) Daylight savings time is not properly accounted for in files using
local time encoding.
3.) As of Observer/GigaStor v13.10 (bug 5671 incorrectly stated v14),
timestamps in the file format changed from local time encoding to GMT
encoding. Wiretap has been changed to support reading both formats.
Patch submitted with bug 5671 added a separate file type to allow
writing local format. This patch does not add the separate file type
and always writes GMT.
4.) The wtap_dumper.bytes_dumped field is not being properly incremented
as data is written to files.
This patch also incorporates the following additional enhancements /
fixes not in bug 5671:
1.) Support for reading BFR files which contain Fibre Channel captures.
Test file Fibre_Channel_Capture.bfr attached.
2.) Support for modified file header used in upcoming v15. New header
file format takes an unused byte from the version string to allow for a
larger offset to the first packet to be specified. Test file
V15_Lrg_Hdr_Test.bfr is attached, it is also a fuzz test as the number
of TLV items given in the header is less than the actual.
3.) It was found that if the number of TLV items given in the header was
larger than present it would fail to open the file. Test file
V9_Num_TLVs_Too_Big.bfr is attached.
svn path=/trunk/; revision=36970
The Locator/ID Separation Protocol [1] is being standardized within the IETF,
and it is nearing RFC status (pending security review). I have been maintaining
a dissector patch for about a year, see [2]. Feedback received indicates that,
among others, it is widely used by the developers of a large router vendor,
without issues.
In January I submitted the dissector for data plane packets as bug #5602, which
was committed as r35615. The patch attached to this bug adds support for
dissection of control plane packets.
[1] http://tools.ietf.org/html/draft-ietf-lisp
[2] http://lisp.ccaba.upc.edu/wireshark/
svn path=/trunk/; revision=36845
zran.c example in the zlib source.
This means that problems in the file's contents might not be reported
when a packet is read, as long as there's no problem in the contents of
the file up to the last bit of compressed data for the packet; we now
check for errors after finishing the sequential read of the file, at
least in some programs, so that shouldn't be an issue (the other
programs need to be changed to do so as well). This is necessary in
order to be able to read all the packets we saw in the sequential pass;
it also lets us get a few more packets from truncated files in some
cases.
svn path=/trunk/; revision=36577
file_read(buf, bsize, count, file) macro is compliant with fread
function and takes elements count + size of each element, however to make
it compliant with gzread() it always returns number of bytes.
In wiretap file_read() this is not really used, file_read is called
either with bsize set to 1 or count to 1.
Attached patch removes bsize argument from macro.
svn path=/trunk/; revision=36491
This patch adds the capability to create BACnet statistics trees.
Find the respective menu items under 'Statistics->BACnet'.
Packets can be sorted by different criteria:
- Src/Dst IP addresses
- Instance ID
- Object Type
- Service
From me:
- Don't use C++/C99-style comments.
- Name variables for tick_stat_node() don't need to be static.
- Change updateBacnetInfoValue() to require 'data' to be ep_ allocated. Change
the couple of calls that did not send in ep_ allocated data to do so.
- Change one or two functions to be static.
- Do not use (memory-unsafe) g_sprintf().
- Use ep_strconcat() instead of leaking memory with g_strconcat().
- Put back one if(tree) that doesn't appear to do any harm.
- Remove variable declarations and #includes from the header file.
svn path=/trunk/; revision=36468
A patch to add ATM over TCP Dissector.
The dissector dissects only the ATMTCP header (VCI, VPI, Payload Length).
The data are not yet dissected, it is necessary to add a "UAT" (As with the K12
dissector) to indicate the type (ILMI, AAL, ATM...) of data (based on VCI/VPI)
svn path=/trunk/; revision=36354
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5654
From me:
- Entry for DVBCI added to wtap.c encap_table_base[];
- Some code simplification with respect to the use of col_...() for COL_INFO;
- Certain tests for "enough bytes available" not really needed;
- (Other minor tweaks);
- #include<stdio.h> not req'd;
- Minor reformatting and whitespace cleanup;
svn path=/trunk/; revision=36149
Enhance RIPng
* Replace tvb_memcpy/proto_tree_add_text by proto_tree_add_item
* Remove dependency to packet-ipv6.h
* Remove packet-ripng.h (not needed)
Also update AUTHORS file
From me:
Put a check_col() back and reword (shorten) a couple of the new blurbs.
svn path=/trunk/; revision=36033
Update of packet-e212.c dissector according to local national regulatory
MNC assignment document.
www.uke.gov.pl/uke/redir.jsp?place=galleryStats&id=24439
svn path=/trunk/; revision=35889
Add Bearer Control Mode selection support in gtpv1 dissector.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5634
Slightly reworked by me:
- prefix names with gtp
- Use proto_tree_add_item()
- remove ref to specific protocol version, as it's probably a mix.
- Changed the update to the AUTHORS file.
svn path=/trunk/; revision=35699
- add new PROTECTION obj c-type 2 (RFC4872)
- add new TLVs for IF_ID (RFC4920)
- add Path Key subobj in ERO (RFC5520)
- add new ASSOCIATION obj c-type 4 (oif2008.389)
- add new LSP_ATTRIBUTES and LSP_REQUIRED_ATTRIBUTES objects (RFC5420)
- improved ERROR object dissection and new error values added
- ADMIN_STATUS transformed to filter and new flags added
- minor fix to conversation (not applied to ACK, SREFRESH and HELLO messages)
to resolve displaying of "Unknown session type" string in such messages
Moreover, I've deleted some "enum" statements for error values that I thought
they were useless since they were used only once throughout the RSVP dissector
code.
See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5518
From me: fix two typos.
svn path=/trunk/; revision=35681
From me: add 0_9 to names for #defines and routines for 0-9, add expert
info for the "you ran past the end of the field table" error.
svn path=/trunk/; revision=35380
ICMPv6 Enhancements : make ICMP option filterable (Part 2)
*Merge (and update) FMIPv6 Option with ND Option
*Make ICMP option filterable (use proto_tree_add_item..)
*Reorder ND Option
*Add dissector for RA Flags Extension (RFC5075)
*Add dissector for Handover Key Request/Reply (RFC5269)
*Add dissector for Handover Assist Info / Mobile Node ID (RFC5271)
*Add dissector for DNS Search List (RFC6106)
From me removed a c++ style comment and changed
to tvb_memcpy(tvb, (guint8 *)&prefix.bytes in a couple of places.
svn path=/trunk/; revision=35272
Add a bunch of NetFlow/IPFIX extensions from Plixer and ntop.
A little cleanup as well.
From me: remove duplicate blurbs.
svn path=/trunk/; revision=35142
I'd like to share my enhancements to the TDS dissector with everyone.
The list of improvements follows:
- nearly complete dissection of RPC calls,
- detection and dissection of the ALL_HEADERS rule,
- corrected some existing proto_tree fields to support filters,
- other minor fixes where the interpretation of data conflicted with the
official documentation from MS.
I tested the new code on a variety of different TDS captures with many diverse
RPC calls. The code compiles and works on 32-bit Linux, I didn't check those
changes on other platforms though.
From me:
- terminate all value_strings
- change ++*offset to *offset += 1 (I think that's more readable)
- replace all the dissector assertions which could be caused by malformed
packets with expert infos
- Don't throw ReportedBoundsError when the packets have unexpected data in
them, just report an expert info and continue on
svn path=/trunk/; revision=35007
This is a dissector for reload framed message:
ReLOAD packets can be inserted in frame message, as described in
draft-ietf-p2psip-base-10
From me: remove some unnecessary includes.
svn path=/trunk/; revision=35005
Several fixes that make Tight VNC negotiation properly parsed.
It was not parsed correctly previously, for multiple reasons.
svn path=/trunk/; revision=34976
Add a configuration parameter of the NWG version for WiMAX ASN CP dissector.
The format and meaning of TLVs, as well as function types and messages changed
between the different NWG versions.
Added support for the version number of TLVs in the dictionary xml, its parser,
and of course in the packet itself.
Added support for the version number of function-types and message-types by
extending the value_string structure to contain also a "since" version number.
Successfully tested with a live capture and capture file, containing WiMAX ASN
packets (full Network entry).
Also fuzzed 500 passes successfully.
The XML doesn't contain all existing NWG versions, only selected ones. This is
a little tedious work to go over all TLVs of each version, so I'll add some
newer versions later on. I can add a short how-to of adding a new version, for
others to use, if needed.
svn path=/trunk/; revision=34919
This patch adds to Wireshark the ability to dissect Infiniband SDP (Socket
Direct Protocol) and CM MADs traffic.
It also contains various other bug-fixes and enhancements. SDP traffic can be
identified automatically (analyzing SDP CM MADs) or manually.
SDP, or Sockets Direct Protocol, is a protocol developed by the Infiniband
Trade Association which enables existing socket-based applications to
transparently utilize the Infiniband capabilities.
This patch is submitted on behalf of Mellanox Technologies Ltd.
svn path=/trunk/; revision=34918
This patch adds support for displaying OPC UA ExtensionObjects.
An ExtensionObject is a mechanism to transport user defined structures as
serialized blobs. Some types of ExtensionObjects are already defined by the OPC
Foundation's OPC UA Specifications.
These types can be implemented by this dissector, because they are well-known.
Real user-defined or vendor-defined types are unlikely to be implemented by a
passive dissector, because this would require browsing of the UA server's
address space to retrieve the type information.
Currently only the following types are supported:
* DataChangeNotification
* EventNotification
Other OPC-defined types will follow.
From me: fix warnings: "format not a string literal and no format arguments"
svn path=/trunk/; revision=34906
The attached patch adds many more DAAP codes to be parsed properly by the DAAP
dissector.
In addition, it fixes some prints.
svn path=/trunk/; revision=34899
The company I work for uses two proprietary protocols, for which I initially
developed wireshark plugins. Now we would like to integrate them into the
public wireshark repository.
I followed the READMEs and converted the plugins into static dissectors. I
cleaned up the code until checkAPI.pl was silent, translated all terms to
English and ran randpkt and fuzz-testing for a long time. All that I found was
a bug in a different dissector.
From me:
- Fold the header files into the dissectors
- Clean up some memory leaks
- Strengthen the heuristics of adwin-config (the TCP heuristics are still pretty
weak)
- Make packet-adwin.c a "new style" dissector
- Use find_or_create_conversation()
- Remove most of the check_col()'s
svn path=/trunk/; revision=34640
BACnet has a private transfer service which is vendor specific. The start of
each request and response contains the vendor identifier. I've added a way for
vendors to provide their own dissectors by registering their vendor identifier.
The packet-bacapp.c method fConfirmedPrivateTransfer has been modified to look
for a vendor specified dissector. If found it will be run. If not found we
default to running the standard dissection included in packet-bacapp.c.
I modified the summary column display for private transfer messages so that the
summary now displays the Vendor Identifier (V=xx) and the Service Number (SN=xx).
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5250
From me: Rename sub-dissector table to "bacapp.vendor_identifier"
Change subdissector ui_name to "BACapp Vendor Identifier"
svn path=/trunk/; revision=34625
RFC 4447 describes new TLV called Generalised PWid FEC in LDP messages with the
id 0x81. This is related to PseudoWire setup and maintenance.
Related to this, following are the TLVs which are defined in RFC 4447 and RFC 4446.
1. PW Status TLV
2. PW Interface parameters
3. PW Group TLV
From me: remove some unused variables; Mark fcn arg as unused.
svn path=/trunk/; revision=34606
It is a rework of PAP PPP dissector
- Replace proto_tree_add_text by proto_tree_add_item
- add col_append_fstr to show information (Peer-ID, Password...)
svn path=/trunk/; revision=34604
Add dissector for PAPI (Aruba AP Control Protocol), used by Aruba WLAN
Controller.
There is no documentation on this protocol, the dissector is based on my
analysis ...
There is also an experimental "debug dissector" (not enabled by default) for
dissecting the rest of data.
Changes by me:
- make it a new-style dissector
- change the name of the "debug" preference
- other minor changes
svn path=/trunk/; revision=34587
The attached patch begins to add support for RPL to the ICMPv6 file. All
locations where RPL code has been added are marked with a comment allowing this
patch to be reverted at a future time if it is decided to e.g. move all the RPL
code to its own dissector.
A few values await IANA assignment and are also clearly marked (in
packet-ipv6.h).
Only the 'metric' option is left unsupported, as it is primarily defined in
another I-D.
svn path=/trunk/; revision=34579
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5095
From me: Fix a bug in add_symbol which caused occasional Wireshark crashes;
Add additional checking during parse of symbol hash file;
Improve "directory not found" error message;
Do misc code cleanup and simplification.
svn path=/trunk/; revision=34558
Hi, a patch to enhance the PPTP Dissector
It is a rework of PPTP dissector
- Replace proto_tree_add_text by proto_tree_add_item
- Replace not standard table and function by standard value_string
- ....
The code is checked and fuzzed (more than 200 passes) with personal PPTP Sample and
PPTP Sample from pcapr.net
svn path=/trunk/; revision=34504
The NFS dissector (all versions) show access types that have not been requested
to be checked as "not allowed" in the call and reply. This is incorrect and
misleading. At present one must manually compare what was requested in order
to assess if access was actually denied for that type. When there are hundreds
or thousands of these ACCESS requests in a capture, it is not possible or
practical to manually check each one.
The submitted patch does the following:
* Passes the access mask in the call to the reply for comparison
* Adds filterable fields for each supported (v4) and access type
* Adds a pseudo field, nfs.access_denied
* Lists the access types to be checked in the summary and tree
* Separately lists the supported, denied, and allowed access types in the
summary and tree
The changes are applied to all NFS versions.
From me: a couple of small changes to make it compile without warnings.
svn path=/trunk/; revision=34141
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5067
From me: - Fix one bug;
- Add a comment about some code which doesn't display info
in COL_INFO as intended due to what seems to be a Wireshark bug in
tcp_dissect_pdus() when there are multiple records in a
TCP frame.
svn path=/trunk/; revision=33824
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5051
From me:
- Move proto_register... and proto_reg_handoff.. to the end of the file;
- Define a function as static;
- Minor reformatting and whitespace cleanup.
svn path=/trunk/; revision=33747
so we give a non-zero exit status for invalid interfaces or capture
filters.
From me: don't exit immediately if dumpcap failed, print out information
from taps and the like.
svn path=/trunk/; revision=33393
From me: A few minor changes:
- col-clear() not req'd;
- Use 'gint32 length' rather than 'guint8 length';
- Use ENC_NA instead of FALSE/TRUE in two cases;
- Move global tdmoe_handle to be local to proto_reg_handoff...
svn path=/trunk/; revision=33307
This functionality keeps track of all SMB objects contained in a capture,
and is able to export to a file a full or partial captured file that has
been transferred through the SMB protocol. In a partial capture, the holes
produced by the non-captured information are filled out with zeros.
It includes the needed modifications of the SMB dissector in the way it keeps
track of the opened SMB files and also to feed the eo_smb tap listener.
svn path=/trunk/; revision=33227
Add a new dissector for the NexusWare C7 MTP over UDP/TCP protocol. One of
NexusWare's example applications provides a way to forward MTP Level 3 messages
via UDP/TCP. This is a dissector for this protocol (which is lacking an IANA
assigned port).
svn path=/trunk/; revision=33082
The wireless meshing protocol B.A.T.M.A.N. Advanced changed their packet format
in such a way that now versions can be identified and so correct dissection of
the packets can be supported by wireshark.
Since it is an ever-moving target it is very possible that the packet format is
changing slightly. The dissector was written in such a way that new versions can
be supported relatively easily.
I hope that it is sufficient for the inclusion in wireshark.
I tried fuzzing it for some hours and no error was reported.
From me:
Initialize our dissector handles.
Merge packet-batadv.h into packet-batadv.c. It isn't included anywhere else.
Fuzz 500 passes using attached capture files.
svn path=/trunk/; revision=33052
This patch adds a new '-S' option to editcap that will rewrite timestamps of
packets to ensure that the new capture file is in strict chronological order.
This option's primary use case is to fixup the occasional timestamps that have
a negative delta time relative to previous packet.
This feature is related to (but does not depend on) capinfos enhancement
submitted in bug #4315 which helps identify tracefiles with "out-of-order"
packets.
svn path=/trunk/; revision=33042
This patch adds a new '-o' option to capinfos (enabled by default) to report if
the packets within a particular capture file are in strict chronological time
order or not.
svn path=/trunk/; revision=33041
I've created a ASN.1 dissector for the IEC 61850 Sampled Values protocol. It
dissects ethernet frames of the IEC 61850-9-2LE specification from the UCA
International User Group.
There is also a new TAP for tshark (-R sv) which extracts the important
information of the frame and allows to create plots (with external tools) of
the sampled values.
I've developed under Linux (Ubuntu 8.10) but everything should be in place for
successful compilation under Windows.
It would be great if this dissector could be included in wireshark. I'm looking
forward to your comments.
svn path=/trunk/; revision=33039
This is an extension to the Wireshark context sensitive protocol help. Rows in
TreeView window are analyzed and suitable help file (as HTML) is opened in a
browser.
The help part (large file, 23 MB) of the Protocol Help can be downloaded under
www.inacon.com/dowload/stuff/protocol_help.tar.gz
This protocol help "light" provides descriptive content for the most frequently
used standard protocols, including IP, TCP or SMTP.
From me:
Changes:
Rename "ph_" in some function names to "proto_help_". Move the protocol
help code to its own module.
Make a bunch of functions static. Remove unused code.
Use browser_open_url() instead of a custom function.
Increase the logging levels. Don't clobber the normal log handler.
Update some Doxygen comments to match the format in the rest of the code
base.
Removed GTK version checks. We've been 2.x only for a while.
Move ph_replace_string to string_replace() in epan/strutil.[ch].
Fix a bunch of memory leaks.
Add a NULL pointer check.
Reformat the overview menu label.
Document the file format and locations.
Add Edgar to AUTHORS.
svn path=/trunk/; revision=32995
Call the various flavors of OS X integration just "OS X integration",
not anything with "IGE" in it - it appears that, in some places,
"ige-mac-integration" refers only to the older Carbon-based functions,
although the library still appears to be called -ligemacintegration.
Update the URLs for the information about the OS X integration
libraries.
Clean up help message for --with-pcap-remote.
Clean up white space a bit.
Speaking of white space, it's "Mac OS X", not "MacOS X".
svn path=/trunk/; revision=32941
Support PPP-over-USB.
Don't remove the USB pseudo-header from the packet data for
Linux USB packets, just byte-swap it if necessary and have the
USB dissector fetch the pseudo-header from the raw packet data.
Update USB language ID values.
svn path=/trunk/; revision=32534
see: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4590
From me: A few minor changes:
- Make ancp_info a local variable rather than a static global variable;
- Use Stats ! ANCP rather than Stats ! ANCP ! Packet Types.
svn path=/trunk/; revision=32353
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4611
From me:
- Remove #if 0'd #includes;
- Use tvb_reported_length_remaining (instead of tvb_length_remaining)
- Other minor cleanup (including whitespace).
svn path=/trunk/; revision=32319
See: http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4584
From me:
- Change dissect_sasp_pdu() to return void: tcp_dissect_pdus() ignores
any return value when it calls a dissector and thus trying to register/use
the dissector as a 'new-style' dissector doesn't work as intended;
- Add some 'expert' messages for invalid SASP Header Type and unknown Message Type.
- Use consistent indentation & cleanup whitespace;
- (A few other minor changes).
svn path=/trunk/; revision=32266
(real and simulated) BMW cars for all kinds of gadget communication.
My plugin only dissects the high level infrastructure and not any particular
messages. It uses a heuristic dissector to detect INTERLINK packets.
svn path=/trunk/; revision=32202
add support for ERROR_STRING IF_ID TLV (see RFC 4783)
add support for generalized label interpretation: SUKLM
format for SONET/SDH label (RFC 4606), t3t2t1 format for G.709 ODUk label
(RFC 4328), G.694 format for lambda label
(draft-ietf-ccamp-gmpls-g-694-lambda-labels-05). Add related user preference option.
svn path=/trunk/; revision=32127
Add ETSI ts101671 dissector
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4543
I added dissection of
UmtsQos,
IMSevent,
LDIevent,
TARGETACTIVITYMONITOR-1
TARGETACTIVITYMONITORind,
TARGETCOMMSMONITORind,
TTRAFFICind,
CTTRAFFICind
And used the original HI2Operations ASN1 file.
svn path=/trunk/; revision=32053
Aruba Wireless Controller supports a Remote Monitoring of Access Point
The code is based on HP ERM/Cisco ERSPAN dissectors
svn path=/trunk/; revision=31645
RSVP extensions for G.709 Optical Transport Networks Control, RFC 4328
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4148
With some changes from me:
-(readme.developer:" Furthermore, 'display' field must be ORed with 'BASE_RANGE_STRING' (e.g. BASE_DEC|BASE_RANGE_STRING)."
- Prefix headerfields with hf_
- Remove check_col
svn path=/trunk/; revision=30727
Add the missing ndmp v4 messages, namely the:
NDMP_CONFIG_GET_EXT_LIST
NDMP_CONFIG_SET_EXT_LIST
This may serve as the 1st step into actual extensions (Snapvault etc)
dissector implementation.
svn path=/trunk/; revision=30684
Back in August 2002 the check-sum field was removed from the
LMP specification (draft-ietf-ccamp-lmp-05). This patch aligns
packet-lmp.c dissector with RFC 4204.
svn path=/trunk/; revision=30244
This patch adds support to Wireshark for dissecting UDP packets used by
collectd's network plugin in order to transmit data from one host to another
host (e.g. centralized storage of statistics while data is collected on
individual systems)
The current dissector understands the part types supported by collectd-4.5
series and gracefully processes future part types (flagging them as unknown).
In regard to protocol errors or bad packets checks are based on the various
length fields used, parts are marked with warning when length is unexpected;
marked with error when length breaks minimal rules.
svn path=/trunk/; revision=29887
This patch adds extension support to the X11 dissector.
I've removed the perl script from the make file, since the new one depends on
perl 5.10, xcbproto (at least git as of today), and mesa (at least the
mesa/src/mesa/glapi directory). It seemed easier to just add the generated
header files to svn directly.
svn path=/trunk/; revision=29854
Within the attached diff file are two source files, packet-dtn.h and
packet-dtn.c. Their function is to decode Bundle Protocol PDUs sent using the
UDP or TCP Convergence Layers. These protocols have been released by the
Internet Research Task Force and are described in RFC 4838 and RFC 5050.
Detailed information on DTN can be obtained at www.dtnrg.org.
svn path=/trunk/; revision=29010
This patch attempt should more closely align with the Wireshark "layout" of using
a dissector rather than a "hack" to the packet-llc dissector.
svn path=/trunk/; revision=28823
2003 the Gerhard-Mercator-University and the University of Essen merged
to the University of Duisburg-Essen.", so the two entries for Thomas
Dreibholz are probably for the same person; merge them.
teluna.org is the site for a Joost Damad and an Isabelle Marien, and
following the links to his blog indicates that he's a Debian user and at
least uses openMSX. A search for Joost Yervante Damad also finds a
recommendation to accept a Joost Yervante Damad as a Debian developer;
he says he maintains openMSX and is "a software developer and integrator
for a large multinational". My guess is that said large multinational
is Siemens, so I'm assuming the two Joost Yervante Damad entries are for
the same person.
That leaves the two Thomas Palmers; they might be the same person, but
it's conceivable that they're not, so I'll do a bit more digging before
combining those entries.
svn path=/trunk/; revision=28632
it's an obvious duplicate; if the addresses are in the same domain, it's
almost certainly a duplicate; if the addresses are in different domains,
but one company bought some of the product line for another company, we
assume it's a duplicate (e.g., we presume Martijn Schipper moved from
Intersil to GlobespanVirata when Intersil sold the PRISM 802.11 chipset
lines to GlobespanVirata, although he now appears to be at Magna Carta).
This still leaves Joost Yervante Damad, Thomas Dreibholz, and Thomas
Palmer as duplicates - probably the same people, but I'll ask The Great
Gazoogle a few questions first.
svn path=/trunk/; revision=28631
Added support for Host Identity Protocol (HIP).
From me:
- Adjusted location of "Checksum" and "HIP Controls", as they seem to have
switched places in the bytes window
- Rewrote some proto_tree_add_uint -> proto_tree_add_item (some still remain)
- Rewrote to not use tvb_memcpy()
- Corrected some proto_tree_add_item's as the format seems to be big-endian
- Terminate ALL value_string's with { 0, NULL }
- No need to zero-terminate value_string strings.
- Removed call to check_col()
- Removed some prototypes
- Removed unused hf_hip_tlv_id, hf_hip_res and hf_hip_tlv_enc_iv (please check)
- Rewrote some C++ comments
svn path=/trunk/; revision=28596
Add support to read citrix netscaler capture file format.
From me:
- Renamed packet-ns.c to packet-nstrace.c
- Rewrote to not use "goto" in netscaler.c
- Moved dissecting of coreid
svn path=/trunk/; revision=28564
* adding pydoc documentation to doc/README.python
* possible to access directly libwireshark via libhandle and raw_<tvb|pinfo|tree>
* transform some methods into properties
* update sample to reflect changes/features
* adding comments!!!
svn path=/trunk/; revision=28532
Add:
- FIX 4.0 to 4.4 fields, auto generated with XSLT stylesheets applied on
http://www.quickfixengine.org/ xml files (not included quickfixengine code is
BSD but xml files have no copyright).
- value_string functions for string keys, added to value_string.c.
- FIX desegmentation, it doesn't work well with malformed FIX PDU.
svn path=/trunk/; revision=28478
- Removed heuristic to find if is_request and used event_type
- URB_INTERRUPT doesn't go in reverse direction... fixed
svn path=/trunk/; revision=28477
I've created a new bug rather than reopening 1181 as the scope is constrained
somewhat more.
Basically, when capturing from a named pipe the wireshark display lags by one
packet. This is especially frustrating when the packets arrive at low rates.
tshark is fine. But the packet count in dumpcap also lags by one.
Looking at the code, the problem appears to be in cap_pipe_select(). It
attempts to use WaitForSingleObject() on the named pipe but AFAICT this never
blocks.
I've attached a diff for some code that fixes the issue for me. The semantics
of overlapped IO in Win32 is quite different from the select/read model - hence
the other changes!
I've tested this fix on WinXP, 2k server and 2003 server. I've also checked
that my changes compile on a Freespire box that I have lying around.
From me:
Adapt the changes for dumpcap, which is where the affected code now lives.
svn path=/trunk/; revision=28452
When audio samples have to be dropped or silence samples inserted to reflect
the timestamp there is no indication of these problems on the display.
I propose that such problems be indicated on the waveform display by the use of
amber coloration and that the number of incorrect timestamps be listed
svn path=/trunk/; revision=28451
Add a UAT for custom HTTP header fields.
From me:
Use se_alloc0 to initialize a struct. Use g_strdup(...) instead of
g_strdup_printf("%s"...). Add a missing UAT_END_FIELDS.
svn path=/trunk/; revision=28406
Attached please find a patch that enables to heuristically find VNC
traffic on non-standard ports.
(it also adds some if(tree) ... around some proto_tree_add_item()
functions)
svn path=/trunk/; revision=28394
Add support for TightVNC extensions to the VNC dissector.
It has the following changes:
- Dissect TightVNC negotiation (tunneling, basic authentication, capabilities).
- Dissect X cursor encoding.
- Dissect POINTER_POS encoding.
- Dissect the general form of Tight rectangles.
- Dissect Tight image data (basic compression, JPEG, gradient).
- Handle LastRect encoding.
- Fix some always-true conditions.
- Some code cleanups.
svn path=/trunk/; revision=26825
Add the fragment to the defragmentation sequence if the SMTP dissector
encounters a packet that contains both a DATA fragment and the terminating
\r\n.\r\n sequence.
svn path=/trunk/; revision=26419
Display FQDN binary encoded name as text
Ensure that get_dns_name does not cross packet sub boundary
From me:
Preserve the usage of bootp.fqdn.name as a display filter
svn path=/trunk/; revision=25981
Added TeamSpeak2 dissector
From me:
- Made all local functions static
- Renamed my_vals to conv_vals
- Call correct function to parse LOGINEND
- Fixed some obvious errors in typenames list
- Fixed some indentation
svn path=/trunk/; revision=25973
From me:
Instead of adding adns_config.h, place it in a custom adns package in
wireshark-win32-libs. Update tools/win32-setup.sh accordingly.
Split the MSVC2008EE variant into MSVC2008 and MSVC2008EE, similar to
MSVC2005 and MSVC2005EE. We have to worry about vcredist_x86.exe in
both cases.
Add Pascal to AUTHORS.
Update the Developer's Guide.
svn path=/trunk/; revision=25921
Although this patch successfully recognizes group keys and decrypts packets
properly using the group key, there is a limitation. If an AP is using key
rotation, clicking on individual packets in a trace may not properly decrypt a
packet encrypted with a group key. This is because the current structure used
in Wireshark only supports one active unicast and one active group key. If a
new key has been seen, but you are looking at a packet encrypted with an older
key, it will not decrypt. The summary lines, however, do show the packets
properly decrypted.
I've written up a much longer and more detailed explanation in a comment in the
code, along with a proposed idea for a solution, plus a clunky work-around in
the GUI when using the current code.
I also suspect there might still be a problem with decrypting TKIP group keys
that are sent using WPA2 authentication. In the most common operation, if you
are using WPA2, you'll also be using AES keys. It's not a common AP
configuration to use WPA2 with TKIP. In fact, most APs don't seem to support
it. Since it is an uncommon setup, I haven't put aside the time to test this
patch against such an AP. I do have access to an AP that supports this, so
when I have the time I'll test it and if needed, will submit another patch to
handle that odd-ball condition.
From me:
Remove the decrypt element of s_rijndael_ctx (which was unused, as indicated
in the comments).
Preserve the GPL licensing text in several files (which the patch shouldn't
have removed).
Remove changes that added whitespace.
Convert C++-style comments to C-style.
Update to include recent SVN changes (e.g. renaming variables named "index").
Remove extraneous printf's.
Define DEBUG_DUMP in airpdcap_debug.h.
Comment out some instances of DEBUG_DUMP.
Change malloc/free to g_malloc/g_free.
Use g_memdup instead of allocating and copying.
Use gint16 instead of INT16 in airpdcap_rijndael.c.
Add Brian to AUTHORS.
svn path=/trunk/; revision=25879
Follow-up from SVN 25825 check in
The g_slist_free() is really needed in export_object.c, otherwise, the export
list has false (repetitive) entries in it, that cause a crash when selecting
them.
Whether false entries are in the list, only depends on the speed of the export
processing, since this tap is
Replaced all guchar with gchar. This should eliminate the warnings on solaris.
I guess I used the wrong reference.
Added patch for 'Authors' in case I need to add myself to the list.
svn path=/trunk/; revision=25834
The SMPP dissector currently supports only version 3.4. The latest version of
the protocol is version 5.0 and it has been around for a while. However, the
usage of this version of the protocol is only now picking up.
This patch adds basic support for SMPP 5.0. By basic I mean:
- New Operations and Responses.
- New TLVs.
- New Error codes.
- Any changes to earlier values.
svn path=/trunk/; revision=25787
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2693 :
The rfc4938bis draft extends the Point-to-Point over Ethernet (PPPoE) protocol
with an optional credit-based flow control mechanism and an optional Link
Quality Metric report. These optional extensions improve the performance of
PPPoE over media with variable bandwidth and limited buffering, such as mobile
point-to-point radio links.
Support for rfc4938 already exists in wireshark, but rfc4938bis specifies a new
credit scale factor TLV and the use of the reserved field of the PADQ to
specify max and current data-rate scaling.
svn path=/trunk/; revision=25768
Attached is a patch for:
- PW Associated Channel Header dissection as per RFC 4385
- PW MPLS Control Word dissection as per RFC 4385
- mpls subdissector table indexed by label value
- enhanced "what's past last mpls label?" heuristic
- Ethernet PW (w/o CW) support as per RFC 4448
svn path=/trunk/; revision=25730
The decoded value of Size Packet shown as "From the calling DTE" is the value
of "From the called DTE".
When the size packet to negotiate has any of 512, 1024, 2048 or 4096 bytes, the
value shown decoded is erroneous.
The patch attached also includes new decoded facilities:
- Extended CUG selection.
- Extended access outgoing CUG selection.
- Extended RPOA selection.
- NUI selection.
- Charging info selection.
- Call duration.
- Segment Count.
- Monetary Unit.
svn path=/trunk/; revision=24932
This plugin implements a dissector for Infiniband. It is released
under the GPL v2.
Rather than using say libpcap to capture raw (unframed) IP packets
from near the top of an IPoIB stack, this plugin dissects link level
Infiniband frames.
Infiniband trace files can be read from Endace ERF format trace
files, or from libpcap DLT_ERF files containing ERF TYPE_INFINIBAND
records. There is currently no native DLT_INFINIBAND in libpcap.
Each record contains a hardware timestamp, capture metadata such as
port Id, and a complete link level Infiniband frame starting from
the Local Route Header.
svn path=/trunk/; revision=24628
This patch adds some new ENCAP and FILE types for wiretap. It also adds new
entries to pcap_to_wtap_map[] to provide a mapping of the new types to some
pcap DLTs.
svn path=/trunk/; revision=24622
Attached is a patch to export packets data as "C Arrays". I often have
the need to [re]send data captured with wireshark using a raw/pf_packet socket.
Output format is one char[] per packet, it looks like almost the same as
the one produced by "Follow TCP stream".
svn path=/trunk/; revision=24604
This is a new dissector plugin for Hilscher analyzer frames.
These frames are generated by Hilscher analyzer products and are identified via
their unique source MAC address (this is a reserved MAC from Hilscher-range and
will never be used by another network device). Most likely these frames are
only generated on a virtual network interface or the generating device is
attached directly via patch cable to a real network interface, but not routed
through a network. The Ethernet-header (destination MAC, source MAC and
Length/Type) is not displayed in the protocol tree for these frames as this is
overhead-information which has no practical use in this case.
Note:
This is a heuristic Ethernet dissector which means it gets called for every
Ethernet frame. So as to not cause a performance hit for most Wireshark users
it has a preference which, by default, disables the dissector.
svn path=/trunk/; revision=24495
a list of fields, prints the field values found in each packet.
Packet data can be specified as a libpcap DLT, e.g. "EN10MB" or an upper-layer protocol, e.g. "http".
svn path=/trunk/; revision=24339
Add a dissector for the Scripting Service Protocol provided as part of the
RSPLIB package. RSPLIB is an Open Source implementation of the upcoming
Reliable Server Pooling standard. The scripting service is an application
for load distribution, based on Reliable Server Pooling.
From me:
Shorten the protocol name to SSP.
svn path=/trunk/; revision=24276
Added support for Symbian OS btsnoop.
The bluetooth HCI layer in Symbian OS can be configured to log all packets to a
file. The log format, "btsnoop" is based on the RFC1761 "snoop" format - but
differences in the header make it incompatible.
The btsnoop format supports logging of these formats:
"H1" (raw HCI packets without framing)
"H4" (HCI UART packets including packet type header)
"H5" (HCI 3 wire UART packets including framing)
"BCSP" (HCI bluecore serial protocol including framing)
"H1" and "H4" are section numbers in the original v1 bluetooth specifications,
but still used colloquially - wireshark's existing support for Linux bluez HCI
logs uses the "H4" name.
In practice, the "H1" format is used for H5,BCSP and USB HCI logs, as the HCI
packet logs are mainly useful for debugging higher layers, bluetooth profiles
and bluetooth applications.
From me:
Deleted some unused prototypes.
Mark an unused parameter.
svn path=/trunk/; revision=24263
Fix the bug related to Option template:
- System scope (check that options scope size is == 4, not <= 4)
- Interface scope (same)
Same fix for fields BytesExported PacketsExported FlowsExported.
Also fix some tabulations in a previous patch related to IPv6 Addresses.
svn path=/trunk/; revision=24138
1/ patches to support the libpcap/SITA format 'WTAP_ENCAP_SITA'.
2/ patches to the LAPB dissector to accept MLP (Multi-link protocol)
(although MLP dissection has _not_ been added (yet)).
3/ New protocol dissectors for:
a) SITA's WAN layer 0 status header,
b) An airline protocol ALC,
c) An airline (and other industry) protocol UTS.
These patches are submitted as a set since the new protocol dissectors are not
useful without the libpcap/SITA related changes, and there is no point in
having those changes without the additional dissectors.
This fixes bug/enhancement 2016.
svn path=/trunk/; revision=23885
Error message when capturing too short WTAP_ENCAP_USB_LINUX type packets
contains a copy-paste typo.
From me:
Fix some addresses in AUTHORS.
svn path=/trunk/; revision=23882
Patch to do the following:
1) Dissect CIE Lists in NHRP Extensions
2) Dissect original NHRP packet in Error Indication
3) Support for Cisco NAT extensions
4) Support for Cisco NHRP Traffic Indication packet
svn path=/trunk/; revision=23587
quit. Temporary coloring filters can be set by:
- pressing <ctrl>-<digit> will create a conversation coloring filter based on the
addresses of the currently selected packet (order TCP/UDP/IP/Ethernet)
This can also be achieved from the "View|Colorize Conversation" menu.
- Right-clicking on a packet in the packet-list will give the option to
"Colorize Conversation" just as "Conversation Filter" does.
- Right-clicking on an item in the packet-detail-list will give the option to
"Colorize with filter" which works similar to "Apply as filter"
Temporary filters can be cleared from the same menus or by pressing <ctrl>-<space>.
This patch also adds an item to the above mentioned menus to add a permanent color filter
in the same way.
The colors for the temporary coloring rules are now hardcoded as I do not know
how to change the color of menu-items and therefore I chose to use icons to
show the actual color of each of the ten temporary coloring rules. Is it at all
possible to have different menu items in different colors?
One other way of solving this is to recreate the icons on the fly after changing
the colors. I will have a look into that once it is clear whether I can use
different colors within the menu structure.
svn path=/trunk/; revision=23560
This patch updates the DTLS dissector to be compatible with OpenSSL 0.9.8f in
the following ways:
* Handle both SSL version number 0xfeff (RFC 4347 and OpenSSL 0.9.8f), and
0x100 (Used by OpenSSL 0.9.8e and earlier)
* Reassemble fragmented handshake messages.
svn path=/trunk/; revision=23369
This patch adds support for IMPS 1.3 protocol dissection and also
updates IMPS 1.2 protocol to approved release version.
From me:
- Updated vals_wbxml_public_ids table.
- Reindented file.
svn path=/trunk/; revision=23078
found by desktop-file-validate:
wireshark.desktop: warning: value "" for key "Path" in group "Desktop Entry"
does not look like an absolute path
wireshark.desktop: warning: value "GNOME;Application;Network;" for key
"Categories" in group "Desktop Entry" contains a deprecated value
"Application"
wireshark-root.desktop: warning: key "Encoding" in group "Desktop Entry" is
deprecated
wireshark-root.desktop: warning: value "" for key "Path" in group "Desktop
Entry" does not look like an absolute path
wireshark-root.desktop: warning: value "GNOME;Application;Network;" for key
"Categories" in group "Desktop Entry" contains a deprecated value
"Application"
svn path=/trunk/; revision=23034
- reassembling of fragmented TIPCv2 messages
- calling of heuristic subdissectors
- multicast upper+lower bound header fields are now shown
- corrects few typos in the comments in packet-tipc.c
svn path=/trunk/; revision=22889
When LACP packets have the actor state or partner state fields set to 0x00,
wireshark prints the state like this (note the closing parenthesis):
Actor State: 0x00)
Since there are no flags set, this field should be printed like this:
Actor State: 0x00
svn path=/trunk/; revision=22594
add it to the distributed files, to the Win32 NSIS and U3 packages. UNIX packages will still miss this (optional) file.
svn path=/trunk/; revision=22487
- add support of session management for tcap ANSI.
(In fact, this support already exists for ANSI MAP subdissector, but as our
simulators can reuse the tcap transaction Id, the decoding of the response
may be wrong)
- move the code related to asn1 in tcap.cnf, and update tcap.cnf
- move the code related to the session management in tcap-persistentdata
- add a compilation option to free the entry in the hashtable for a closed
transaction. This is used only for tshark statistics generation, with huge file.
- cleanup and add some comments
Add Id tags to epan/tcap-persistentdata.{c,h}
svn path=/trunk/; revision=22415
last draft, draft-ietf-behave-rfc3489bis-07. Changelog:
* My employer is now sponsoring this work, so added a copyright line.
* Added a comment for each method/attribute with the RFC/I-D where
it is defined, so it will be easier to add new STUN usages.
* Removed the SHARED-SECRET method.
* Removed the PASSWORD and REFRESH-INTERVAL attributes.
* Changed "Response" to "Success Response".
* Changed "Error Reason Phase" to "Error Reason Phrase".
* Added reassembly for TCP segments on STUN2.
* Updated STUN acronym expansion.
* Renamed STUN2_ERROR to ERROR_RESPONSE.
* Changed the value of attribute FINGERPRINT from 0x8025 to 0x8028.
* Display if an unknown attribute is comprehension-optional or
comprehension-required.
* Reorganized order of attributes in the dissector code.
* The message length is now displayed in decimal.
svn path=/trunk/; revision=22383
receiving a SES MAJOR SYNC POINT, as this indicates the end of the
COTP DT Data stream. Previously the RTSE dissector was called when
receiving a COTP DT Data fragment with the "last data unit" bit set,
but this does not work with messages fragmented in RTSE. Reassembly
can be turned off in the preferences.
svn path=/trunk/; revision=22176
- Remove ethertype preference from recently added FCoE dissector
Me:
- Add Joe to the AUTHORS list
- Change previous line in AUTHORS list from @ to [AT] in e-mail address
svn path=/trunk/; revision=22133
Replace the Interbase dissector by a Firebird/Interbase
dissector.
Me:
Fix warnings about unused parameters
Fix warnings about unused variables
Fix warning about unused function
Fix warning about mixed code and declaration
Declare all dissection functions static
Remove function declarations and move the switching
function down instead.
Update AUTHORS file
Add $Id$ and email address to file header
Fix filename in first comment line
svn path=/trunk/; revision=21843
The attached patch adds the ability of creating radio button, drop-down
list and range type preference entries to the Lua plugin.
It also fixes a lua compile warning/error in wslua_gui.c.
The patch is written by Tamas Regos, he asked me to send it to the list.
svn path=/trunk/; revision=21655
Attachment is a patch for adding a new Juniper NSRP dissector. In this patch, OICQ author email address
<dubingyao@gmail.com> has also been updated to <secfire@gmail.com>.
svn path=/trunk/; revision=21599
the current SVN (rev 21448) 802.11 WMM TSPEC dissector seems to have
some bugs.
TS Info field should be three bytes long, not two. Suspension Interval
field is missing altogether, shifting all other fields by four bytes.
Maximum Burst Size, Minimum PHY Rate, Peak Data Rate and Delay Bound
are in wrong order.
svn path=/trunk/; revision=21450
I would like to handle the rare situation of Little Endian encoded
IP addresses, so I added a function which reads the address with
tvb_get_ipv4(), then swaps the bytes before SET_ADDRESS().
svn path=/trunk/; revision=21397
- Break out and display A-MSDUs
- HT Control field (currently disabled)
- Action No Ack
- HT Information IE
- HT Capability IE
- Block Ack Request
- Secondary Channel Offset Tag
- Measurement Request Tag
- Measurement Report Tag
...along with a bunch of other updates, including displaying the
type/subtype as a hex value (first nibble: type, second nibble: subtype).
svn path=/trunk/; revision=21391
New dissector support, SHIM6
checked in with the following modifications :
- use of proto_tree_add_item whenever possible (addition of several hf_items),
- use distinct subtree idx for each subtree,
- addition of some subtrees,
- split shim_opts in several functions,
- accurate incrementation of offset in locator preferences (in case of option length > 3)
- add true_false_string for critical options and protocol differentiation (hip, shim6)
- add ipv6.shim6.checkksum_good, ipv6.shim6.checkksum_bad, cksum expert info
section added to AUTHORS
svn path=/trunk/; revision=21390
Dissector for the DRDA protocol. This is the protocol used by among
others the DB2 database.
modify his entry in AUTHORS
svn path=/trunk/; revision=21331
I've refactored the offending code branch and added some comments so
hopefully the intent is a bit clearer. The loop termination conditions
are now obviously independent of the content on the wire (they were
meant to be before, but I admit it was obscure). I've tried using the
ephemeral memory routines.
Add a check for a maximum fragment count, and bail out of reassembly instead
of triggering an ep_alloc exception. Add Julian to AUTHORS. Update the
release notes.
svn path=/trunk/; revision=21007
Attached is a wireshark patch that adds support for decoding DHCP option 125
and the DHCP option 125 suboptions defined by the DSL Forum's TR-111
specification.
svn path=/trunk/; revision=20783
sminmpec_values array is marked as just "export" instead of "WS_VAR_IMPORT" in
epan/sminmpec.h. This prevents its use in Windows builds of plugins directly.
svn path=/trunk/; revision=20720
Wed, Jan 31, 2007 at 7:24 PM
To: wireshark-dev@wireshark.org
Hello,
Please consider for checkin the following new dissectors, for the FMP protocol.
FMP (File Mapping Protocol) is the network protocol basis for EMC's HighRoad (MPFS) technology. Highroad is used to allow multiple clients to share access to NAS-shared files while allowing clients to directly access data volumes (via, for example, Fibre Channel or iSCSI). EMC currently uses this technology in our Celerra NAS servers, and we're currently in the process of open sourcing portions of the technology.
FMP actually consists of two ONC/RPC-based protocols - the core FMP protocol, and FMP/Notify. The latter is used as an asynchronous callback to inform clients of status changes, such as lock revocation.
We'd like to offer these dissectors to Wireshark users for help in debugging or otherwise troubleshooting MPFS-related problems. There are still a few minor changes that need to be made (i.e. a handful of fields that aren't decoded) but the dissector is overall fairly complete and very usable.
Let me know if there are questions or feedback, or otherwise if other info is needed (like sample captures, which I don't want to send out to the mailing list).
Thanks,
Ian Schorr
EMC Corporation
svn path=/trunk/; revision=20679
1 Add ALCAP and NBAP as subdissectors of SSCOP. Previously it only
knows about SSCF-NNI and data. (Changes in packet-sscop.c,
packet-sscop.h)
2 Add capability for lower layer to force SSCOP to choose a particular
dissector. It is passed as "subdissector" field of SSCOP protocol
data. This is required because different payload protocol is
distinguished by different VPI/VCI. There is no protocol field inside
SSCOP frame. (Changes in packet-sscop.c, packet-sscop.h)
3 Make K12xx configuration file supporting the following syntax:
C:\k1297\stacks\umts_iub\umts_iub_aal2l3.stk sscop:alcap
This says dissect with SSCOP first and then pass to ALCAP.
The change is made general, so it supports arbitrary number of
protocol, like "proto1:proto2:proto3". Using ":" as separator
allow us to expand the syntax further to support parameters like
"proto1 param1:proto2 param2 param3". (Changes in packet-k12.c)
With above 3 changes together, dissecting Iub traces are correct for
control and signaling planes. I am still investigating user plane
frames because writing UMTS RLC/MAC protocol dissector is required.
The patch and sample .rf file (same as my previous patch) is in the
attachment.
plus:
Add Kriang to the AUTHORS list (and once at it update my own record)
svn path=/trunk/; revision=20580
There was a change in Corrigendum 1 (03/2004) to H.248.1 which allows an
empty {} to be omitted from the Signal Descriptor. Currently (SVN 20346)
this causes Wireshark to report [Packet size limited during capture] as
shown in the attached example outputs.
I have attached a possible patch to solve this.
svn path=/trunk/; revision=20360
The attached patch changes the way the ssl-session-id is displayed.
Currently it is not shown, only the length is shown like this:
Session ID Length: 32
Session ID (32 bytes)
To me, it is not useful to repeat the length and omit the ID itself.
With this patch the ssl-session-id is shown like this:
Session ID Length: 32
Session ID: A4B2FB0EE6D8F58DEFF68E38B1E5B4C25F1869D4BC86A96E...
svn path=/trunk/; revision=20212
a little patch against revision 20088 in packet-isis-lsp.c for the
following :
- hf_isis_lsp_remaining_life declared but unused
- replacing a useless proto_tree_add_uint with proto_tree_add_item
svn path=/trunk/; revision=20148
I have added a new dissector for DMP (STANAG 4406 Direct Message
Profile) as defined in STANAG 4406 Annex E. The DMP protocol has no
assigned UDP port number yet, so the default value in this dissector
is 0 (I suppose this is some sort of "disabled"?) until we get this
registered.
The dissector has been tested on OSX Intel/PowerPC and Solaris SPARC.
Changes in this patch:
* Added DMP dissector
* Added a new CRC table and functions in crc16.c
* Made NonDeliveryReasonCode and NonDeliveryDiagnosticCode available
from X.411
* Made NonReceiptReasonField and DiscardReasonField available from X.420
svn path=/trunk/; revision=20133
I defined a range_string struct. It's like value_string
but stores range <-> string pairs.
Moreover I wrote rval_to_str(), match_strrval_idx()
match_strrval() which are behaving exactly as
val_to_str(), match_strval_idx() and match_strval().
svn path=/trunk/; revision=20061
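A range table of the kind this commit describes, with first-match lookup, as an added stand-alone example rather than the committed Wireshark code. The function names follow the commit message, but the plain C types, the caller-supplied output buffer in rval_to_str() and the port table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t    value_min;
    uint32_t    value_max;
    const char *strptr;     /* NULL terminates the table */
} range_string;

/* Constructed table; the narrow entry precedes the wide one on purpose. */
static const range_string port_class[] = {
    { 3478,  3478,  "STUN" },
    { 0,     1023,  "well-known" },
    { 1024,  49151, "registered" },
    { 49152, 65535, "dynamic" },
    { 0, 0, NULL }
};

/* First matching range wins; *idx receives its position, or -1 if none. */
const char *match_strrval_idx(uint32_t val, const range_string *rs, int *idx)
{
    for (int i = 0; rs && rs[i].strptr; i++) {
        if (val >= rs[i].value_min && val <= rs[i].value_max) {
            if (idx) *idx = i;
            return rs[i].strptr;
        }
    }
    if (idx) *idx = -1;
    return NULL;
}

const char *match_strrval(uint32_t val, const range_string *rs)
{
    return match_strrval_idx(val, rs, NULL);
}

/* fmt must be a trusted literal containing exactly one %u conversion;
 * it is never taken from packet data. The result is truncated to buflen. */
const char *rval_to_str(uint32_t val, const range_string *rs,
                        const char *fmt, char *buf, size_t buflen)
{
    const char *s = match_strrval(val, rs);
    if (s) return s;
    snprintf(buf, buflen, fmt, (unsigned)val);
    return buf;
}

int main(void) { char b[32]; puts(rval_to_str(70000, port_class, "Unknown (%u)", b, sizeof b)); return 0; }
```

Because lookup stops at the first hit, overlapping ranges must list the most specific entry first.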
support.
WEP key preferences have been overloaded to allow WPA keys. The
decryption code currently uses Windows-specific data types, but can be
converted to use glib equivalents.
Add a few text and whitespace fixups.
svn path=/trunk/; revision=20049
by myself:
Corrected patch; epan/column.c and epan/column_utils.c were not included. This
one has now been properly tested against a clean checkout of today's code.
- New menu option available under view\time display format
- New sub-option (e) to -t switch for both wireshark and tshark
- Extended recent settings code to handle new value
- Did NOT add new explicit epoch time column
svn path=/trunk/; revision=20040
This patch fixes a transposition of the orders of
Set Attribute Number
Set Attribute Length
In the page oriented get and set attributes CDB parameters format
Ref SCSI-OSD T10/1355-D Revision 10 section 5.2.2.2
svn path=/trunk/; revision=19460
I have figured out one of the fields in the MAPI
EcRRegisterPushNotification packet. The field is a UDP port number that
the client wants the Exchange server to send new mail notifications on.
These notifications are on a port > 1023 and are always 8 bytes long.
It looks like I would add the function name to the
dcerpc_mapi_dissectors[] for the register push notification. What would
my new function need to do besides display the field?
Thanks,
Steve
Here is a patch to add this functionality. It displays the notification
port and the notification payload (not sure what the payload itself
means yet). It also dynamically registers each notification port found
with a new dissector (that I called newmail for lack of a better name -
I'm open to suggestions) that displays the notification payload. This
is all undocumented by Microsoft in their usual fashion.
I also changed the code to always display the mapi.opnum field;
currently, the mapi.opnum is only displayed when the
dcerpc_mapi_dissector is null.
Steve
svn path=/trunk/; revision=19350
This patch adds support for dissecting ontap's nfsv4 filehandle,
as well as some updates to nfsv3 filehandle as well in the nfs
dissector.
Alex.
checked in with minor changes
svn path=/trunk/; revision=19345
Hi folks,
We think we've found a bug in STANAG 5066 SIS layer dissector.
Problem is at S_EXPEDITED_UNIDATA_INDICATION S_Prim's parser
and occurs when we receive a U_PDU via expedited unidata channel.
Dissector tries to parse first 2 bytes of U_PDU as a header size of type
21 s_prim (S_UNIDATA_INDICATION). But, this is not a wanted process on
that parser. Maybe, it was forgotten unchanged from
S_UNIDATA_INDICATION dissector while copying it. So it shows
data (U_PDU) 2 bytes short. Moreover, if data is just 1-byte, TCP datagrams
receive TCP checksum error.
Confirmed.
It was indeed a "copy-paste-did not edit correctly" bug.
While going over the code once more, I found:
1 - One bug in the heuristic. (Changed '&&' to '||')
2 - One to-do that was already done. (Removed the /* TODO */)
3 - One to-do that is now done. ;-)
svn path=/trunk/; revision=19210
Also, there is still an outstanding issue regarding the default use of
the "media" dissector. The way it is currently coded there is no way to
have a heuristic decoder when a content-type header is specified.
In this way if there is a decoder for a specific content-type then it
will be used, then the heuristic decoders have a chance, and finally the
default of either the media-type decoder or the http_payload decoder.
svn path=/trunk/; revision=19208
New protocol: epl v1
Hi,
in addition to the recently submitted dissector for the EPL v2 protocol,
this is the dissector for the first version of the EPL protocol.
Best Regards,
David
svn path=/trunk/; revision=19125
new protocol: veritas low latency transport
---
Attached is a patch file that adds a new dissector for the LLT protocol
(Veritas Low Level Transport, used for server clustering). They use
ethertype 0xCAFE even though it isn't assigned to them :(. There are
other fields and possibly other message types directly between servers
it does not yet dissect as no one outside of Veritas knows what they
are. This dissector understands the one people will run across most -
multiple servers broadcasting these heartbeats all over the place. I
figured out these fields through many Internet searches.
I will add the protocol to the Wiki after it is committed.
Thanks,
Steve
svn path=/trunk/; revision=18944
I have developed a plugin for Pro-MPEG FEC packets over RTP (see
previous posts on ethereal-dev). I have added a page and example capture
file to the Wiki (http://wiki.wireshark.org/2dParityFEC). The source and
Windows makefile for the plugin are attached. Unfortunately I do not
have access to other systems so this plugin has been tested on Windows
only.
The attached version of my plug-in has only had the copyright header
added.
I will translate this into a proper dissector rather than a plug-in as
requested, but this may take a little time as I have a lot of other
things to do at the moment.
Me:
Convert into a normal dissector
Reorder / reformat code a bit
Added Mark's name to the top of the file.
svn path=/trunk/; revision=18908
Hi,
The attached file should fix the following two bugs in the AJP dissector.
1) The dissector doesn't know about CPING/CPONG
2) The dissector misinterprets multiple requests in one connection if a
prior request has a Body request part.
svn path=/trunk/; revision=18780
this dissector will not yet detect when ppp is passed over the rfcomm link
but the old code to detect and de-escape the ppp data is still in the dissector, though ifdeffed out to serve as inspiration when ppp over rfcomm captures are made available.
the only captures I have with rfcomm are for raw serial communications so they don't contain any ppp frames. :-(
svn path=/trunk/; revision=18221
library. If that's not done, it leaves to ethereal or other binaries
using it the job of linking adns within them. This behaviour is
unreliable and breaks when using the --as-needed flag for GNU ld
(version 2.16 or better 2.17).
svn path=/trunk/; revision=17969