Commit Graph

82158 Commits

Author SHA1 Message Date
Darius Davis fe9123b541 Qt: Restructure related-packet indicator drawing.
The related-packet drawing code currently intermingles the selection and the
drawing of the conversation "trace" lines and the indicators.  Separating them
out -- so we make the decisions upfront and then do the drawing -- will help
with any future work in this area.
2021-09-13 20:59:52 +10:00
James Ko 3ebc8fd8fe dumpcap: Send SP_FILE after SHB passthru in child mode
When dumpcap is running as a capture child in passthrough mode, the
SP_FILE message should not be sent until after the source SHB is passed
through to the capture file. Fixes a race condition where the capture
parent attempts to read an SHB from the capture file, following the
SP_FILE message, but the file is empty.  Closes #17013.
2021-09-13 05:09:01 +00:00
Uli Heilmeier 2d08611d54 BGP: Add RFC 9104 Extended Administrative Groups
Added support for RFC 9104 "Distribution of Traffic Engineering
Extended Administrative Groups Using the Border Gateway Protocol
- Link State (BGP-LS)"
2021-09-13 04:30:36 +00:00
John Thacker 902b614fe2 eth: Allow assuming no FCS as well as assuming FCS or using heuristic
Replace the "assume_fcs" preference with a "fcs" tri-state preference
that has three options: use the FCS preference (still the default),
assume no FCS, and assume FCS is present. Fix #10457, #11597, #15303.

Also fix previous behavior where the assume_fcs preference always
overrode wiretap even if the pseudoheader indicated that there
definitely was no FCS on the packet.
2021-09-13 04:14:54 +00:00
John Thacker 21e7bb1073 VSS Monitoring: Tighten heuristic, reduce false positives by default
Add a preference to VSS Monitoring for dissecting packets that
lack a timestamp and only have port stamping, and set it to false
by default. There's no heuristic for port stamping, so it defaults
to accepting all trailers with 1, 2, 5, or 6 bytes (1 or 2 byte
port stamp plus optional 4 bytes for Ethernet FCS.) That's too
indiscriminate, especially if there are other possible trailers
(e.g., if the PRP-1 dissector is eventually changed to a eth.trailer
dissector, see #17066 which this helps with).

Also, VSS Monitoring has never actually supported two byte port stamps,
and recent product releases have dropped port stamping in favor of
VLAN tagging for port tagging, so only support 1 byte port stamps by
default and add a preference for 2 byte port stamps.

With these changes by default the VSS Monitoring heuristic dissector
only dissects trailers that pass the timestamp heuristic, greatly
reducing the number of false positives. This does much of #8997,
though the timestamp heuristic could be tightened as well.
2021-09-13 03:58:12 +00:00
Gerald Combs 4fe297767b [Automatic update for 2021-09-12]
Update manuf, services enterprise numbers, translations, and other items.
2021-09-12 09:28:32 +00:00
Guy Harris 9fcc11cc9b blf: report a bunch of errors. 2021-09-12 01:21:31 -07:00
Guy Harris fdf2d78d9a blf: most reads in a packet are errors even if they get an EOF.
If the *first* read for a packet gets an EOF, it means that there is an
EOF right at the point where you're reading, which means "no more
packets".

If you get an EOF on any *subsequent* reads for the packet, it means the
file was cut off in the middle of the packet's record, which is an error.
2021-09-12 00:47:07 -07:00
Guy Harris b6d1806053 blf: remove the function name from ws_debug() calls.
ws_debug() inserts the file name, line number, and function name into
the ws_debug() message (assuming the function name can be obtained from
a macro), so there's no need to include it in the text of the message
(we don't do so elsewhere).
2021-09-12 00:07:55 -07:00
Guy Harris 89368f9d28 blf: do more work in blf_init_rec().
Set the block, presence flags, capture length, and length there.
2021-09-11 18:48:55 -07:00
Guy Harris 5aad28d773 blf: use common code to read the log object header. 2021-09-11 17:04:23 -07:00
John Thacker 6fe68991df wiretap: Add zstd and lz4 as WTAP compression types
This has a few effects on the behavior of wtap_get_compression_type()
and wtap_get_all_compression_type_extensions():

Make capinfos correctly report the compression type (instead of
saying gzip compressed for zstd and lz4 compressed files).

Makes files with the .zstd and .lz4 extension show up in the file
chooser when "Files of type" is set to something other than "All Files",
such as "All Capture Files" or "Wireshark/... pcapng"

Makes the UI not default to gzip compression when saving a file
compressed as zstd or lz4 (write support for zstd and lz4 doesn't
exist yet, and the GUI doesn't have hooks for it anyway, though
this can help as a prerequisite for later support for writing.)

Also replace a couple of assert() with ws_assert().

Update the PURPOSE in CMakeLists for zstd and lz4 to note that they
can be used to read compressed capture files.
2021-09-11 22:37:25 +00:00
Guy Harris 07a31d2918 cmake: fix the uninstall script.
Remove a bogus line from the beginning.
2021-09-11 15:21:19 -07:00
Guy Harris 8307d5d9be blf: fix indentation.
Fix indentation of a while() clause, so that it's indented less than the
body of the while() loop.
2021-09-11 14:27:48 -07:00
Guy Harris 8b614c6a1c blf: make blf_read_block() static.
It's not used outside blf.c.
2021-09-11 13:23:18 -07:00
Graham Bloice 58207d2f8d Windows: Update displayed OS version info
MS has changed the registry key that holds the version for display
from 20H2 onwards.
2021-09-11 14:27:21 +00:00
Stig Bjørlykke 147aadea44 Qt: Add Decode as Hex Digits in Show Packet Bytes
Non-hex characters in the data are skipped, enabling the decoding
to continue converting all hex digits found.
2021-09-11 14:41:15 +02:00
Guy Harris 21339ceed0 make-pci-ids.py: make it executable.
It's a #! script, so it should be runnable from the command line without
explicitly running Python on it.
2021-09-11 10:21:05 +00:00
Guy Harris 76b08ea083 Fix spelling errors.
The Ubuntu build commented on some spelling errors in executable code
files.  Fix the errors that don't come from external files containing
the spelling errors (USB product and vendor IDs, PCI IDs, ASN.1
specifications), and fix some errors that don't show up in the
executable code files (e.g., in comments and variable names).
2021-09-11 10:01:27 +00:00
Guy Harris d4ed129727 pre-commit: skip some checks on idl2wrs.c.
Some checks intended for dissectors don't work well on dissector
*generators*, as they see stuff such as "value_string %s[]" in a format
string used to generate dissector code and get upset because the
purported value_string doesn't end with {0, NULL} (the generator *does*
put a {0, NULL} at the end, but the checker isn't clever enough to
figure that out).
2021-09-11 02:42:51 -07:00
Martin Mathieson 7f1f5b40b3 ORAN FH CUS: add section ext10 2021-09-10 23:42:05 +01:00
David Perry 389a603fdb Allow adding comments to all selected packets
Allow the user to select multiple packets, and

* add the same comment to all selected packets
* remove all comments from selected packets

A new comment is added to each packet, now that we support multiple
comments per packet.

This is one potential way to address #8713.
2021-09-10 20:47:12 +00:00
Evan Huus 059c7906c0 h225: fix tvblist used uninitialized
6caf24e966 uncovered a bug
in the h225 dissector where h245_list was used in a path that wasn't
guaranteed to be initialized. It wasn't causing fuzz errors before
because the memory was at least being zeroed, although that state was
still technically invalid.

Initialize and call the tvb_lists in dissect_h225_h225_RasMessage, which
is the other h225 entrypoint, just like dissect_h225_H323UserInformation
(the other dissector entrypoint) was already doing.
2021-09-10 15:24:48 -04:00
David Perry c634315363 [#17519] capinfos: no section headers in table output
Remove "Section N:" headers from capinfos table (`-T`) output when
outputting "additional capture file information" with `-F` and/or
comments with `-k`. These headers broke the formatting of table output.

The downside to this fix is that pcapng files with multiple SHBs and/or
comments will have extra table columns that don't line up with the
header, as in:

    ...,hardware1,os1,application1,comment1,comment1,hardware2,os2,
         application2,comment2,comment2,...

There's no real good way around this though.
2021-09-10 05:32:53 +00:00
John Thacker d87fb12bc2 SV / IEC 61850: Accommodate Ethernet trailers
IEC 61850 is directly over Ethernet, so use set_actual_length
like other such protocols so that the Ethernet dissector has a
chance to detect and dissect trailers / FCS.
2021-09-10 05:12:37 +00:00
Tomasz Moń 8a311003df USB HID: Handle different usage pages in fields
Replace custom keyboard page array handling with generic array handler.
2021-09-10 04:55:49 +00:00
Tomasz Moń 739666a7f5 USB HID: Support extended usages in descriptors
Usage, Usage Minimum and Usage Maximum can be "Extended" Usages. When
parsing report descriptor, respect page encoded in extended usage value.

Remove arbitrary usage count limit, as the usage ranges are limited to
16-bit value and thus the usages array can grow by up to 256 KiB with
a single usage range.
2021-09-10 04:55:49 +00:00
Berk Akinci 9d65d3f889 DOC: Remove redundancy in build instructions.
Consolidate build instructions and troubleshooting into WSDG chapter 2.
Remove (moved) troubleshooting note that libpcap is required.

Link from WSUG build instructions to the WSDG chapters.

Reorder WSUG to have install instructions before build instructions for both
Windows and Unix.

Link from WSDG build instructions in WSDG sources chapter back to
WSDG chapter 2.

Offer options to the 'git clone' lines in obtaining sources: '--depth' and
'--shallow-since'

Add brief descriptions of new options mentioned.
2021-09-10 04:38:56 +00:00
David Perry 5076aee044 [#17517] capinfos: machine-readable filetype/encap 2021-09-10 04:25:13 +00:00
Guy Harris dee79a0c81 wtap_opttypes: move more if_filter and packet_verdict stuff together.
As we did in earlier changes.
2021-09-09 15:12:05 -07:00
David Fort d46e31a48a rdp_drdynvc: fix channel name displaying in SOFT_SYNC_REQUEST 2021-09-09 15:37:54 +00:00
David Fort 0da1babbb3 rdp: fix endianness in misc places
Some fields were interpreted with the wrong endianness.
2021-09-09 15:37:54 +00:00
David Perry 84a0141683 [#12331] Persist cmd-line prefs on reloading Lua
Save a list of all user options that were specified on the Wireshark
command line using the `-o` option. Reapply those preferences after
reloading Lua plugins. Fixes the behaviour given in #12331 wherein such
prefs were reset to the defaults, not the command-line values, when
reloading Lua plugins.

When the user changes a preference in the Wireshark UI, remove that
preference from the stored command line options, so it doesn't get reset
when Lua plugins are reloaded again.
2021-09-09 12:58:38 +00:00
Developer Alexander 02285e53b8 Qt: JSON Export - Statusbar info corrected
During a JSON Export "Writing JSON" will be displayed in the statusbar.
2021-09-09 09:37:28 +00:00
Dr. Lars Völker be7b4163de BLF: Adding LIN support
This patch adds support for LIN Messages in BLF.
2021-09-09 09:19:36 +00:00
Guy Harris a4a571e680 wtap_opttypes: move the specialized options after the custom options.
Move the if_filter and packet_verdict option stuff after the custom
option stuff in various places.

Fix some comments while we're at it.
2021-09-09 01:33:47 -07:00
Guy Harris 58d053923e pcapng: clean up block length checks.
Use the same style of message for too-short block errors ("pcapng: total
block length XXX of {a,an} XXX is too small...").

Add an additional check for the "skip" Netflix custom block, to make sure
it has enough room for the 4-byte "skipped" value.
2021-09-09 00:19:36 -07:00
Jim Borden cb88f6d4e8 BLIP: Add next gen Web-Sec-Protocol
Starting with 3.0 there is a new non backwards compatible Web-Sec-Protocol for BLIP, so the plugin should handle both (the differences are irrelevant from Wireshark's standpoint)
2021-09-09 06:38:46 +00:00
Taisuke Sasaki 42372c0dfa BGP: Add BGP-LS SR Local Block TLV (rfc9085)
- Add BGP-LS Prefix Attribute Flags TLV (rfc9085)
- Add BGP-LS Node/Link MSD (rfc8814)
- Add BGP-LS Link Local/Remote Identifiers TLV (rfc5307)
- Modified from error to warning for unsupported BGP-LS Attribute TLVs
2021-09-09 06:22:09 +00:00
John Thacker 69176a0eff IEEE 1722 / MP2T: Call MP2T subdissector from AVTP
Have the IEEE 1722 AVTP dissector call the MP2T dissector when that
is the payload type. Comment out the "if (tree)" statement since
the MP2T dissector needs to be called on the first pass regardless
to handle fragmentation.

Since there is a 4 octet source packet header timestamp before each
MPEG2-TS packet when carried on AVTP, the MP2T dissector has to be
called multiple times per frame. Since the fragmentation data is
indexed by the offset in the tvb passed to the MP2T dissector, create
a table for each MP2T layer in the packet via pinfo->curr_layer_num.
Fix #10702.
2021-09-09 06:04:42 +00:00
Evan Huus bb1286dc3c epan: more work to avoid global memory pool
A few helpers weren't in exception-throwing paths and can just free
unscoped memory. The macro in proto.c is only used in contexts with a
tree, so just use the tree's scope there.
2021-09-08 21:25:40 +00:00
Nardi Ivan 197b67cf8c Fix two memory leaks on ZSTD and LZ4 decompression 2021-09-08 21:08:41 +00:00
Mikael Kanstrup c58c106b30 dot11decrypt: Fix AAD calculation for legacy ccmp implementation
Re-implement below change but for the legacy ccmp decryption used on
3.2 release track but also on later releases when Wireshark is built
with older versions of libgcrypt:

e5e37add9a 802.11 Decrypt: Fix AAD Calculation when HT-Control present in a QoS Data Frame

Ping #17577.
2021-09-08 20:24:31 +00:00
Uli Heilmeier 4e7d10eea1 Credentials Tap: Fix wmem scope for init call
When calling credentials_init() for a tshark live capture we're in the
epan wmem scope.

Fixes: wireshark/wireshark#17576
2021-09-08 20:07:01 +00:00
Roland Knall 48cf9d5497 Qt: IOGraph - correctly add new graphs
If a graph is added it should be a single operation, not multiple setData operations
leading to a myriad of dataChanged signals to be fired, which in turn can hinder redissection.
2021-09-08 19:32:39 +00:00
Developer Alexander 03480fd6e1 epan: export epan_set_always_visible()
Exports (DLL) epan_set_always_visible() to make it accessible for plugins.

This enables post dissection taps to access all fields.
2021-09-08 14:40:24 +00:00
Evan Huus 6caf24e966 tvblist: explicitly scope memory
Allocate the root node in the same pool as the list itself, and make
that pool explicit so we can pass the pinfo scope instead of using the
global packet pool.
2021-09-08 01:37:07 +00:00
Pascal Quantin 530ee0b365 Windows: upgrade Npcap to 1.55 2021-09-07 23:18:19 +02:00
Pascal Quantin 98faf05b6b file_wrappers.c: use LZ4 if the library is 1.7.3 or later 2021-09-07 21:40:44 +02:00
Evan Huus a97e34a1c1 oids: remove global scopes from debug code
It can all just use NULL scope anyway.
2021-09-07 17:39:22 +00:00