Add a separate menu for Strip Headers (similar to Export PDU, but exporting
to an encapsulation other than WIRESHARK_UPPER_PDU everything for
that encapsulation). Add to the usage output of tshark for the "-U"
option which encapsulation a export tap will produce.
Allow export PDU taps to be registered with a wiretap encapsulation
instead of always using WTAP_ENCAP_WIRESHARK_UPPER_PDU. This allows
creating normal capture files that aren't tied to wireshark without
having to do a "editcap -C -L -T", as well as creating files in
formats other than pcapng and pcap with tshark.
Provide a couple sample implementations in Ethernet (WTAP_ENCAP_ETHERNET)
and IP (v4 and v6, WTAP_ENCAP_RAW_IP) that are the most common use cases.
(I can imagine a few others; WTAP_ENCAP_MPEG_2_TS could probably be
useful, for example.) Fixes#15141
Correct spelling of from Queueing to Queueing.
This fixes issue #17943.
Note that other instances of "Queueing" are
kept because it's technically a correct spelling,
but here it's the name of the protocol.
Let's do what's done for u8, which looks far more sane.
Fixes following gcc 11.2.0 warning:
"""
epan/dissectors/packet-csn1.c:913:17: warning: ‘ui16’ may be used uninitialized in this function [-Wmaybe-uninitialized]
913 | memcpy(pui16, &ui16, 2);
| ^~~~~~~~~~~~~~~~~~~~~~~
"""
1. The fixed size of a Couchbase header is 24 bytes (not 12)
2. The "overflow detection" won't work as the test would wrap.
In addition to that the (current) version of the server will
drop a connection if it encounters a frame bigger than 30MB
and the biggest "legal" packets are currently less than 21MB.
Return NULL when an item with length zero or lower -1 is added to
the tree.
With this the calling dissector doesn't have to check the length and
there is no Dissector bug reported.
Related to #17890
A packet in the Couchbase protocol looks like:
Byte/ 0 | 1 | 2 | 3 |
/ | | | |
|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
+---------------+---------------+---------------+---------------+
0| HEADER |
| |
| |
| |
+---------------+---------------+---------------+---------------+
24| Frame specific extras (only set if magic and length in the |
| header say so) |
+---------------+---------------+---------------+---------------+
x| Ccommand specific extras |
| (note length in the extras length header field) |
+---------------+---------------+---------------+---------------+
y| Key (as needed) |
| (note length in key length header field) |
+---------------+---------------+---------------+---------------+
z| Value (as needed) |
| (note length is total body length header field, minus |
| sum of the other sections above) |
+---------------+---------------+---------------+---------------+
This patch change the dissector to call a separate function to
print each section (instead of a single function).
The motivation for the patch is to make the code more readable
as each of these fields may have multiple formats (depending on
the value in the magic field). Currently only the client initiated
packets are implemented in the dissector, but in certain cases
the server may push messages to the client with a different magic
which use another namespace for the opcodes and would be a lot
easier to implement with this refactor)
In addition the hf_hello_features should be registered as
FT_NONE and not FT_STRING as it isn't a string (and would
cause the "expert info" to print a warning with "trailing
stray characters")
Added in d4499eb9 Changed to "1" in 507d07eda
Setting to "Ok" in UAT expert_severity (Edit->Preferences->Expert)
causes the associated protocol level to not be displayed in the
Packet Details protocol tree.
Example: ip.ttl.too_small set to "Ok" drops "ip" from the tree
It creates bluetooth_data_t what is The Center of the Bluetooth World in Wireshark,
most important is that bluetooth_data_t must provide shared trees (resources) to enable
dissection for non trivial relations in Bluetooth, for example mapping BDADDR to name.
Issue: 17570
Change-Id: Ice17b804ab6d4dcf0f77f1b2356a6712ce7e64b1
dissect_ntlmssp() is also called from dissect_spnego_T_mechListMIC(),
we should detect a 16 byte structure starting with 0x01
and use dissect_ntlmssp_verf().
All other messages in dissect_ntlmssp() start with the
magic string "NTLMSSP", so they never match the 0x01.
It fixes another problem seen in the example captures
of https://gitlab.com/wireshark/wireshark/-/issues/17958
Signed-off-by: Stefan Metzmacher <metze@samba.org>
If we have data remaining before the start of the variable data,
we should assume the space for the version field even without
the NTLMSSP_NEGOTIATE_VERSION flag. In that case we should
mark the 8 bytes as zero bytes.
This fixes https://gitlab.com/wireshark/wireshark/-/issues/17958
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Update the text2pcap man page and the Import from Hexdump WSUG
page to clarify how to use it, for grammar, and to remove a few
things that are no longer relevant. (E.g., it's no longer the case that
files without an EOL don't work.)
Fix#15563, #15564.
GitLab Runner 14.8 added a native Arm binary for macOS. It's been
installed on our build machine, so the `arch` calls in the "macOS Arm
Package" job are no longer needed.
The L.4 adaptation header does not include a sync byte. Use the
current offset to get the ACM byte instead of hardcoding in the
value that is correct for L.2 and L.3.
There are four supported types of DVB Base Band Frame Adaptation Layer
headers, and they all can have false positives. Add a preference that
so that a user can either look for all four possible types, or can
only look for a packets that match the preferred type.
Fix#17950.
Replace the log PROTOCOL_BINARY_RESPONSE_ prefix to STATUS_ and
PROTOCOL_BINARY_CMD_ prefix to CLIENT_OPCODE_.
Couchbase do not support the memcached textual protocol so we'll
_always_ be using the binary protocol framing. In the couchbase
source code all of the PROTOCOL_BINARY_* constants was refactored
to enum classes and these two are called Status and ClientOpcode.
"Unfortuantely" this file is still in C so we can't reuse the
C++ enum classes directly so we'll need a prefix.