dissect_ntlmssp() is also called from dissect_spnego_T_mechListMIC(),
we should detect a 16 byte structure starting with 0x01
and use dissect_ntlmssp_verf().
All other messages in dissect_ntlmssp() start with the
magic string "NTLMSSP", so they never match the 0x01.
It fixes another problem seen in the example captures
of https://gitlab.com/wireshark/wireshark/-/issues/17958
Signed-off-by: Stefan Metzmacher <metze@samba.org>
If we have data remaining before the start of the variable data,
we should assume the space for the version field even without
the NTLMSSP_NEGOTIATE_VERSION flag. In that case we should
mark the 8 bytes as zero bytes.
This fixes https://gitlab.com/wireshark/wireshark/-/issues/17958
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Update the text2pcap man page and the Import from Hexdump WSUG
page to clarify how to use it, for grammar, and to remove a few
things that are no longer relevant. (E.g., it's no longer the case that
files without an EOL don't work.)
Fix #15563, #15564.
GitLab Runner 14.8 added a native Arm binary for macOS. It's been
installed on our build machine, so the `arch` calls in the "macOS Arm
Package" job are no longer needed.
The L.4 adaptation header does not include a sync byte. Use the
current offset to get the ACM byte instead of hardcoding in the
value that is correct for L.2 and L.3.
There are four supported types of DVB Base Band Frame Adaptation Layer
headers, and they all can have false positives. Add a preference
so that a user can either look for all four possible types, or can
only look for packets that match the preferred type.
Fix #17950.
Replace the log PROTOCOL_BINARY_RESPONSE_ prefix to STATUS_ and
PROTOCOL_BINARY_CMD_ prefix to CLIENT_OPCODE_.
Couchbase does not support the memcached textual protocol so we'll
_always_ be using the binary protocol framing. In the couchbase
source code all of the PROTOCOL_BINARY_* constants were refactored
to enum classes and these two are called Status and ClientOpcode.
"Unfortunately" this file is still in C so we can't reuse the
C++ enum classes directly so we'll need a prefix.
Before:
Filter: http.user_agent == açaí
dftest: "�" was unexpected in this context.
After:
Filter: http.user_agent == açaí
dftest: Non-printable ASCII characters may only appear inside double-quotes.
Related with #17770.
Split the match functions in twain, one for case-sensitive and
one for case-insensitive, so we can use memchr to search for the
first byte in the case-sensitive version and ws_mempbrk for the
case-insensitive version. They are highly optimized on most systems
and considerably faster on large files.
Also fix a few issues regarding wide strings, such as false positives
and the length to highlight when matching. Fix #12908