This code adds more robust handling of smaller issues with PTP messages,
like a missing 2-step flag of a not quite correct implementation of
802.1AS and improves 1-step support.
Changes:
- Handle 1-step syncs in analysis.
- Handle missing 2-step flag on pDelay more robust and warn in analysis.
- Handle missing F'up TLV in 802.1AS Sync more robust and warn.
Reject the previous reserved and unassigned TURN channels and
STUN methods restricted by RFC 5764 and RFC 7983 to allow
multiplexing of STUN with DTLS-SRTP (and ZRTP) on the same
addresses and ports. (As an exception, allow the special MS
Multiplex TURN channel value.) Earlier versions of the specs
had these as unassigned (or did not support TURN Channels), and
no implementation has used them.
This prevents the STUN dissector from claiming RTP packets
going to the same port as set for STUN by Decode As, and should
allow us to set the STUN dissector as the dissector for a conversation
on UDP if we see any STUN message, not just a TURN message type.
- Declare a separate type for the IPv6 TLV MAC address, otherwise its
filter key is `ieee1905.ipv4_type.mac_addres` instead of the expected
`ieee1905.ipv6_type.mac_addres` one which is confusing
- Fix label for `hf_ieee1905_ipv6_type_count` to read "IPv6 address count"
instead of the wrong "IPv4 address count"
- Parse the IPv6 link local address which appears between the EUI-48 and
the IPv6 address count in IPv6 type TLVs, without that, valid IPv6 TLVs
are wrongly parsed and reported as malformed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MS-IMPLEMENTATION-VERSION is not a duplicate of MS-VERSION, and
has a different interpretation. MS-VERSION is the version number
of MS-TURN, its values described in 2.2.2.17 of its spec, and
MS-IMPLEMENTATION-VERSION is the version of MS-ICE2, its values
described in section 3.1.5.2 of its spec.
The latter indicates whether the STUN message format must be that of
Internet-Draft behave-rfc3489bis-02 (that is, roughly the final
form of classic STUN, also used in MS-TURN) or whether that of
RFC 5389 is also supported.
HTTP chunked transfer encoding can have lots of chunks, and calling
the data dissector for each individual chunk adds a large number of
layers to the frame and doesn't really make sense. (As opposed to
calling the data dissector on the reassembled data if we can't handle
the content type, which does make sense.) In particular, this can
cause a failed assertion by adding more layers than
PINFO_LAYER_MAX_RECURSION_DEPTH.
Just add each data chunk as a FT_BYTES item. Fix#18130.
This adds support for using the layers filter
with field references.
Before:
$ dftest 'ip.src != ${ip.src#2}'
dftest: invalid character in macro name
After:
$ dftest 'ip.src != ${ip.src#2}'
Filter: ip.src != ${ip.src#2}
Syntax tree:
0 TEST_ALL_NE:
1 FIELD(ip.src <FT_IPv4>)
1 REFERENCE(ip.src#[2:1] <FT_IPv4>)
Instructions:
00000 READ_TREE ip.src <FT_IPv4> -> reg#0
00001 IF_FALSE_GOTO 5
00002 READ_REFERENCE_R ${ip.src <FT_IPv4>} #[2:1] -> reg#1
00003 IF_FALSE_GOTO 5
00004 ALL_NE reg#0 != reg#1
00005 RETURN
This requires adding another level of complexity to references.
When loading references we need to copy the 'proto_layer_num'
and add the logic to filter on that.
The "layer" sttype is removed and replace by a new
field sttype with support for a range. This is a nice
cleanup for the semantic check and general simplification.
The grammar is better too with this design.
Range sttype is renamed to slice for clarity.
Use "True" or "TRUE" instead of "true" and remove case insensivity.
Same for false. This should serve to differentiate booleans a bit
more from protocol names, which should be using lower-case.
This change fixes a segmentation fault core dump in tshark/Wireshark
when loading a pcapng file that contains the packet verdict option.
This problem got introduced in the commit mentioned below.
Fixes: 030b06ba3c ("pcapng: write packet and Netflix custom blocks the same as other blocks.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This dissector is for the control messages of the GRE bonding protocol by
Huawei. These messages are encapsulated in GRE and can appear on both/all
bonding links.
During development, I made heavy use of traffic for Deutsche Telekom Hybrid
service. There fore, it also supports the first version which did not have an
IEEE assigned ethertype.
By adding signal aggregation the time to change profiles changed
dramatically. This is due to unregistering header fields being a very
slow operation and for aggregation each signal line did not lead to 2
but to 5 hfs.
Unregistering header fields for 150k signal example config (debug build):
- 3.6: 50s
- 3.7: 592s (9:52!!!)
This patch brings the time back to 50s, if no aggregation is configured.
Use host byte-order with AT_NUMERIC to make it more generic
and practical.
Change openSAFETY to pass addresses in host byte-order (the
previous code assumed they were in little-endian).
Plus a few cleanups.
The previous output was missing some fields under some conditions, and
some output text was wrong. This ended up in big confusion when looking
at the fields. Let's add the missing fields, fix the existing ones and
provide better formatting of the strings to understand which exact field
provides the info.
ETSI TS 24.380 section 8.2.3.4 specifies that:
"The <Reject Phrase> value is a text string encoded the text string
in the SDES item CNAME as specified in IETF RFC 3550."
This does not mean that SDES tipe and length files are necessary,
only applies in the enconding of the text string.
Make the default UI layout "packet list on top, packet detail and bytes
side by side". This is more space efficient on modern displays and is
the first thing I change when using the default profile.
After parsing a Topology Descriptor at the start of a request
or reply command, reset the left and right bracket counters
before going back to the top of the loop to parse the next
command, just like how done at the end of the while loop with
a normal command.
Prevents marking as malformed packets which have a Topology Descriptor
followed by a single command (e.g. Move) without any trailing
descriptors, and hence no more left brackets.
Add a numeric address type analog to StringZ for
protocols who only use numeric values as addresses
with no further handling.
e.g. IAT protocols which only enumerate the devices
Since the endpoint_by_id code uses elements and not the old
endpoint structure, it shouldn't set pinfo->use_endpoint to
TRUE when creating, and it should check if pinfo->conv_elements
is NULL, not pinfo->conv_endpoint.
Trying to parse LUS and LNS files if the protocol version
was "A1" led to them being marked as a malformed packets.
THis is because protocol version A1 LUS and LNS files do
not have the exception timer field. So to fix it, we check if
the protocol version is not A1, and only if it isn't do we try to
parse the exception timer field.
Because completed reassemblies are hashed in the reassembled_table for
all the frame numbers that contributed fragments,
fragment_get_reassembled_id() works wherever fragment_get_reassembled()
does, and also works where the fragment id is not the frame number.
However, since the reassembled_table hash key only depends on the
fragment id and the frame number, it only allows a frame to have
one reassembly with a given fragment id. Some protocols can have
more than one reassembly with a given fragment id (that differ on
addresses or other keys), such as GSM SMS, and the wrong reassembly
is retrieved on the second pass in those cases.
For this reason, we might want to add additional key elements to
reassembled_table, such as layer number. fragment_get_reassembled_id
already takes packet_info as a parameter and can accommodate that
without further changes, but fragment_get_reassembled cannot, so
remove the latter in favor of the former.
If we get into the dissect_tftp call, we must have either matched
a WRQ/RRQ at some point and created a wildcarded UDP conversation,
or we matched the TFTP port. While it is contrary to the spirit
of RFC 1350 for the server not to switch ports, it basically works
and the port is IANA assigned, so it doesn't do harm to process these.
In the heuristic dissector, of course, we don't do this.
The conversation code doesn't automatically fill in wildcarded
ports for UDP (since it's connectionless), and the wildcarded
find_conversation call in the TFTP dissector was twisted around
so it didn't actually fill in the second port before anyway.
Filling in the server port would make sense, but then the necessary
logic to find the right conversations would be more complicated.
(The default find_conversation logic prefers any conversation with
both ports to a wildcarded conversation, but the TFTP dissector would
then want the most recent conversation, whether wildcarded or with
both ports.)
These packets were handled prior to the 3.6 changes. Fix#18122
Unlike most of the FC fields, Track info participant type string file
padding is not considered in the dissector. This causes that all the FC
message dissection fails the string contains padding.
According to ETSI TS 24.380 Section 8.2.3.13:
If the length of the <Participant Type> value is not a multiple
of 4 bytes, the <Participant Type> value is padded to a
multiple of 4 bytes. The value of the padding bytes is set to zero.
The padding bytes are ignored by the receiver.
Use the proper encoding instead of ENC_ASCII when displaying the
individual parts of a reassembled unpacked 7-bit GSM alphabet
SM, just as when displaying each fragment.
SMPP only has the number of octets of the message payload, but
with packed 7-bit GSM with a UDH, there are fill bits after the
UDH before the message (to align the message start with a septet
boundary), and we need to calculate the number of septets.
Handle UDH-like information (ports and fragmentation info) that is sent
in TLVs instead of in a UDH, passing to to the gsm_sms_ud dissector.
Allow message_payload TLV to substitute for short_message when allowed.
Warn with expert info when both fields are present.
Skip over a UDH, if present, when converting the short message to text
using the encoding.
Fix#2161.
Use protocol data to reduce the amount of parameters passed back and
forth.
replace_sm can have a TLV (message_payload) (at least in 5.0), so
check for that.
The UDH parsing in the gsm_sms dissector is much more complete
than the one in gsm_sms_ud, so use that one and get rid of the
redundant fields. Add in the option to pass in the UDH field
data to the dissector instead, since there is an option to transmit
the ports and fragment information as TLVs in SMPP.
Rather than using three mutually exclusive booleans for the
encoding, use the existing enum, adding entries to distinguish
UCS2 from 8 bit binary and to support GSM 7-bit unpacked in a
more natural way.
Update the list of possible UDH IEs. Include some rudimentary decoding
of the Language Shift IEs, though actually implementing the different
encodings is an entirely different beast.
The DCS in SMPP has many reserved values, and only can take a few
possiblities from the GSM DCS (and cannot be interpreted as Cell
Broadcast DCS.) Remove unused DCS fields and add others that are
missing.
Determine the proper text encoding for the values from 3GPP TS 23.038
DCS with the high two bits set.
Add support for EUC-KR. Add a preference for GSM 7-bit alphabet packed
versus unpacked for the DCS values that unambiguously indicate the
7 bit alphabet (unlike DCS 0).
If the SOME/IP-SD message is broken, it could have happend that the
parsing stopped on the option and did not go back to the entry parsing.
This patch makes this code more robust.
Fix
```
*** CID 1505356: Null pointer dereferences (REVERSE_INULL)
/builds/wireshark/wireshark/epan/conversation.c: 1427 in find_conversation()
1421 * conversation with the specified address B and port B as the
1422 * first address and port, and with any second address and port
1423 * (this packet may be going in the opposite direction from the
1424 * first packet in the conversation).
1425 * (Neither "addr_a" nor "port_a" take part in this lookup.)
1426 */
>>> CID 1505356: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "addr_a" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1427 if ((addr_a != NULL) && (addr_a->type == AT_FC)) {
1428 DPRINT(("trying wildcarded match: %s:%d -> *:*",
1429 addr_b_str, port_a));
1430 conversation = conversation_lookup_no_addr2_or_port2(frame_num, addr_b, port_a, etype);
1431 } else {
1432 DPRINT(("trying wildcarded match: %s:%d -> *:*",
```
Commit 5cd591129f removes a number
of conversation related functions. Remove them from the debian
symbol list.
The commit also removed the implementation of conversation_hash_exact,
so remove the declaration from the header file.
Convert the address+port conversation code to element lists. Make our
conversation keys element lists. Document more of the conversation API.
Update the Conversation Hash Table dialog to use the new API.
Describe an alternative key type and data structure at the top of
conversation.c.
In a typical setting where int is 32 bits and the type guint8 is 8 bits,
the overflow check in Dot11DecryptDerivePmkFromMsk will automatically
promote the sum of msk_len and *pmk_len to an int. Since int is 32 bits
and guint8 will always be 8 bits, the sum will never overflow.
Therefore, an explicit casting of the sum of msk_len and *pmk_len to
the type guint8 is necessary.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Some AT commands and responses need context to be parsed correctly.
For example AT+CGMI's and AT+CGSN's responses are arbitrary strings
without "AT+" or "+" prefix (So saving the command is needed).
Another use case is when a command/response is followed by its data in
the following line, like AT+CGML (SMS content's listed in the line after
the "+CGML" line).
The implementation utilizes the USB conversation of the session to
pass information between packets.
Every new packets takes a 'snapshot' of the data stored in the conversation
before starting to parse and re-uses it when parsing & re-parsing of
that packet occurs.
Epan plugins init runs before proto_init() to setup for that but there
is also a need to have a routine that runs at the end of epan_init(),
which can do pretty much anything using epan, like runnning tests.
When desegmenting, don't add [TCP segment of a reassembled PDU] to
the INFO column if we've already dissected a complete PDU in this
frame. This is for the same reasons that we set a fence in the INFO
column and set the PROTOCOL column to be not writable. It's not
of particular interest that this frame also contains the start of
a new PDU when the INFO column has information about a complete
higher level PDU. The information about the other PDU is contained
in the tcp tree elements.
Fix#15494
In the case where the beginning of a TCP segment does not continue
a higher-level PDU, but the end of the segment is the beginning of
another PDU, we don't need to create the MSP for the second PDU
after the first time we visit the packet. However, we do want to
retrieve that MSP for determining in which frame the second PDU
was reassembled.
Make "Reassembled PDU in frame:" messages be added in that case
like it already is for other frames with MSPs.
TCP can contain multiple PDUs of the next layer protocol, and the
subdissector (or further subdissectors called from it) can change
the addresses and ports. However, the addresses and ports are used
for the desegmentation tables at the TCP level, as well as for
various purposes in encapsulated protocols.
Restore the addresses and ports values of packet_info before each PDU,
and in desegment_tcp after returning from a subdissector. When leaving
desegment_tcp ensure that the addresses and ports are set to whatever
they were after the last subdissector call that successfully
desegmented a PDU.
Fix#2345. Fix#9782.
The test for "old_len" with a reassembled MSP has never been accurate
for out of order reassembly, where it caused additional data requested
to be taken from the end of the current frame instead of from the
correct portion of the reassembled MSP, which could be from an
out of order frame (later in sequence, but arrived earlier.)
The test is unnecessary - the other case, where we need more data
but there's more in the current frame is already handled by looping again.
This fixes reassembly where TCP is out of order and those out of order
segments don't align on PDU boundaries. Fix#13317.
Also fix a minor issue in the same situation where the length of the
current segment was indicated incorrectly for out of order frames
contributing to multiple MSPs.
The warning is harmless and we want to keep upstream code
as pristine as possible (unless there is a real issue in
the code of course) so disable the warning.
Add the de facto standard Lua regex API to Wireshark. Upstream
code is copied verbatim and the module opened in the "rex" table.
This is just a user convenience and developer quality of life improvement
over the GRegex Lua API because it has always been possible to
load lrexlib-pcre2 as a Lua module from Wireshark.
This code has been unmaintained and does not pass the lrexlib test
suite. GRegex itself has been obsolescent for some time, although GNOME
has recently restarted trying to move it to PCRE2.
Remove it in preparation for a move to lrexlib-pcre2.
When processing segments out of order in TCP, it is possible to
get new segments that fill a sequence gap and be able to dissect
at least one PDU but need more data for additional PDUs (that have
data from the contiguous stream bytes.) We can only determine this
after passing the reassembled segments to the subdissector first.
To keep dissection and layer numbers consistent between passes,
split the multisegment PDU, keeping the already dissect PDU(s) in
the current reassembly and creating a new MSP for the parts not yet
dissected.
Update the dissection test to enable the currently skipped test that
require MSP splitting and remove test_tcp_out_of_order_twopass_with_bug
Introduce Wireshark specific enum to facilitate USB speed specific
dissection. Any similarity of actual enum values with any protocol
is coincidence and should not be relied upon.
Rename speed defines in USBIP dissector to not collide with Wireshark
USB speed enum. The values used in USBIP are implementation specific.
Allow user to set capture speed in USBLL dissector preferences. Use the
selected speed in USB dissector to sanitize endpoint maximum packet size
value based on speed specfic requirements from USB 2.0 specification.
Close#18062
Switch the non-endpoint *_by_id conversation routines to use element
lists. Change the ID type from guint32 to guint64. None of them used the
address+port option flag arguments, so remove them.
Field infos have a length property that was not stored with the
field value so when using a negative index the end was computed
from the captured length of the frame tvbuff, leading to incorrect
results. The documentation in wireshark-filter(5) describes how
this was supposed to work but as far as I can tell it never worked
properly.
We now store the length and use that (when it is different from -1)
to locate the end of the protocol data in the tvbuff. An extra wrinkle
is that sometimes the length is set after the field value is created.
This is the most common case as the majority of protocols have a
variable length and dissection generally proceeds with a TVB subset from
the current layer (with offset zero) through all remaining layers to the
end of the captured length. For that reason we must use an expedient to allow
changing the protocol length of an existing protocol fvalue, whenever
proto_item_set_len() is called.
Fixes#17772.
Rename conversation_lookup_hashtable to conversation_lookup_addr_port.
Add a new conversation_lookup_hashtable that consolidates some duplicate
code and takes a general set of arguments similar to the other
conversation_*_hashtable routines.
Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.
Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.
Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
The new TECMP release renames as follows:
- Capture Module -> Device
- Channel -> Interface
Header fields (incl. filters) and Config UATs are affected.
This patch updates the TECMP dissector with 1.6 and 1.7 changes.
Changes:
- Multiple new flags for CAN, CAN-FD, FlexRay, LIN, Analog, etc.
- Reordering of flags
- Additional data units for Analog
- New Header CRC and Frame CRC for FlexRay (1.6 change)
- New CRCs for CAN and CAN-FD (1.6 change)
- Deprecated the removed Analog Threshold Undershot/Exceeded flags,
since they were removed
This patch does not include the renaming to Device and Interface.
packet-smc.c:722:4: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-smc.c:887:4: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:1099:13: warning: Value stored to 'tag' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:1100:13: warning: Value stored to 'len' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:3076:21: warning: Value stored to 'sub_dissector_result' is never read [deadcode.DeadStores]
Extract Method for multiple message of SDP Media Attribute to simplify things and Make processes clearer.
dissect_sdp_media_attribute_rtpmap
dissect_sdp_media_attribute_fmtp
dissect_sdp_media_attribute_path
dissect_sdp_media_attribute_h248_item
dissect_sdp_media_attribute_crypto
The original function remain unchanged.
Respect BASE_SPECIAL_VALS when adding to the title item of an
item added with the proto_tree_add_bitmask* functions.
Note that the documentation for the BMT_NO_INT flag has always
said that "only boolean flags are added to the title" and that
no integer based items are added, but the actual behavior has been
to add integer items with custom format functions and value strings.
When integer fields are displayed in the bitmask header item in
proto_tree_add_bitmask_tree and hf->strings is set, only the string
from the value_string is used, not the integer value, to save space.
However, that means that BASE_UNIT_STRING fields have to be treated
differently from all the other fields with hf->strings set. If not,
then only the units are displayed instead of the number with the units.
Fields based on 32 bit integers were already being handled correctly.
Use that same logic for fields based on 64 bit integers.
(See commit 24d991dab4 for something similar.)
In proto_item_add_bitmask_tree, on the signed integer path, the
test for if the display uses a unit string is clearly reversed,
calling it only if BASE_UNIT_STRING is unset. Use the correct
test from the unsigned integer path.
Add support for BASE_SPECIAL_VALS to fill_label_bitfield[64], for
fields with a nonzero bitmask, using the same logic as
fill_label_number[64].
There's at least one dissector (packet-ipmi-se.c) that was trying
to use this already, but silently had no effect.
[1702/2528] Building C object epan/dfilter/CMakeFiles/dfilter.dir/dfvm.c.o
In function ‘drange_contains_layer’,
inlined from ‘filter_finfo_fvalues’ at /home/jpv/code/wireshark/wireshark/epan/dfilter/dfvm.c:587:21:
/home/jpv/code/wireshark/wireshark/epan/dfilter/dfvm.c:555:41: warning: ‘upper’ may be used uninitialized [-Wmaybe-uninitialized]
555 | if (num >= lower && num <= upper) { /* inclusive */
| ~~~~^~~~~~~~
/home/jpv/code/wireshark/wireshark/epan/dfilter/dfvm.c: In function ‘filter_finfo_fvalues’:
/home/jpv/code/wireshark/wireshark/epan/dfilter/dfvm.c:537:20: note: ‘upper’ was declared here
537 | int lower, upper;
| ^~~~~
When there are a lot of if-else branch judgments, the table-driven method can be used to optimize to facilitate subsequent maintenance.
The original function remain unchanged.
DVB-S2X has two possible meanings of the rolloff factor, with
different value strings. Only add the correct one as part of the bitmask,
instead of always adding it twice, once with the low value string and once
with the appropriate value string.
In some cases the available information on packets were not displayed.
This change displays this information. Some code formatting and
variable renaming was also done.
Using a similar strategy to ce087027ef we
group conversation and pdata use by the layer depth we are decoding.
This now decodes EAP-TLS within TEAP (and should work for TTLS and PEAP)
More fine tuning of the SMC-Rv2 support, and add the support to show
the GID list in a CLC proposal message.
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Add SMCRv2 clc proposal/accept/confirm and decline support.
Proposal and decline parsing routines are used by SMC-R(v2) and SMC-D(v2).
Enhance the existing SMC protocol dissector in such
a generic way that it supports both SMC-R(v2) and SMC-D(v2)
protocols. These two protocols are similar to each other.
SMC-D and SMC-R has a version 1 and version 2.
Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
The existing PEAP support does not decode the inner attributes, this
commit adds that support by introducing packet-peap.c which recreates
a 'pseudo' EAP header before looping the TVB back into the EAP dissector.
Decode TEAP's O-flag.
We also update the diagram and references as PEAPv0 has a different view
of how the flags are used compared to the RFCs and drafts.
Add get_configuration_namespace() and use it in code that writes
"generated by" comments at the top of various configuration files.
Update our Logwolf colorfilters.
Prepare for adding reusing code where only descriptive name differs.
But the numbers are encoded using the same rules.
"E.164 number (MSISDN)" & "E.164 number (ISDN)" for example.
The End of LLDPDU TLV is optional, should not as malformed even if missing.
Resolve it by checking whether the total length of each TLV reaches the total length of TVB.
Close#18029
Fix
epan/conversation_filter.h:43:11: warning: parameter 'A' not found in the function declaration [-Wdocumentation]
* @param A valid protocol name.
^
epan/conversation_filter.h:43:11: note: did you mean 'proto_name'?
Add support to display filters for matching a specific layer within a frame.
Layers are counted sequentially up the protocol stack. Each protocol
(dissector) that appears in the stack is one layer.
LINK-LAYER#1 <-> IP#1 <-> TCP#1 <-> IP#2 <-> TCP#2 <-> etc.
The syntax allows for negative indexes and ranges with the usual semantics
for slices (but note that counting starts at one):
tcp.port#[2-4] == 1024
Matches layers 2 to 4 inclusive.
Fixes#3791.
The word range is used for different things with different
meanings and that is confusing. Avoid using "range" in code to
mean "slice".
A range is one or more intervals with a lower and upper bound.
A slice is a range applied to a bytes field.
Replace range with slice wherever appropriate. This usage of
"slice" instead of range is generally correct and consistent in
the documentation.
Packet info already contains the notion of layer depth for the
current protocol, among all the protocols in the frame. This
adds an extra layer number for the protocols that are the same
as the current one. Obviously this will only go above one if
the protocol is repeated in the stack, such as with IP tunneling.
Adds extra logic to track numbers for each protocol in the frame
and update them when calling a dissector.
The total layer number and protocol layer number are store in
the field info structure so they can be used after dissection,
namely by display filters.
- The latest version of the Wi-SUN FAN specification has added
a number of Information Elements that need to be supported by
the dissector.
- Following changes and additions have been included:
- New Header IEs: LUTT, LBT, NR, LUS, FLUS, LBS, LND, LTO, PANID
and RT.
- New Payload IEs: POM, LCP, LFNVER and LGTKHASH
- New frame types: LFN PAN Advertisements, Solicits and time
synchronization frame types.
- Update to the channel spacing names to incorporate the new
ones defined in FAN 1.1
The handshake hash is used to derive TLS decryption keys when the
Extended Master Secret (EMS) extension is in use.
ssl_calculate_handshake_hash updates this hash only when the master
secret has not been determined yet.
During TLS renegotiation, there are two master secrets: one before, and
one after. Before this fix, the second calculated master secret is
wrong because the second Client Hello is missing in the handshake hash.
It was missing because the handshake hash was not being updated since
the master secret for the first handshake was still present, and the
decryption state was only reset after that hash update.
To fix this, make sure to clear the SSL_MASTER_SECRET flag before
updating the handshake hash when needed. Additionally, clear the
handshake hash when processing the Client Hello just to make sure that
any previous state is gone.
Fixes#18059
All currently supported Linux distributions have a version greater
than 1.11.0 (and our macOS and Windows versions are also much greater),
and this allows us to use nghttp2_hd_inflate_hd2(), which replaced the
deprecated nghttp2_hd_inflate_hd()
Bum the minimum version of GnuTLS to 3.5.8, which was the first stable
release in the 3.5 series. All the currently supported Linux
distributions have a version at least this new.
Add a "section number" field to wtap_rec, with a presence flag, and
provide the section number (0-based) for pcapng files.
Display it (1-based) if present.
Extract Method for multiple message parsing for tpdus to simplify things for future bug fixes and to make the code logic clearer.
Encapsulate the following functions:
dissect_gtp_tpdu_by_handle
dissect_gtp_tpdu_as_pdcp_lte_info
dissect_gtp_tpsu_as_pdcp_nr_info
Note: The original code function is not changed.
Check for null conversations in conversation_add_proto_data,
conversation_get_proto_data, and conversation_delete_proto_data.
Document them as well. Ping #18043.
Libgcrypt 1.8.x is required for a large amount of decryption
support and is the current LTS version of libgcrypt. The 1.6 and
1.7 series have been end-of-life since 2017-06-30 and 2019-06-30,
respectively.
The Linux distributions that have versions of libgcrypt before 1.8.0
are nearing or at end of support (RHEL7, SLES 12, Debian stretch,
Ubuntu 16.04LTS) and can be supported by the Wireshark 3.6 LTS release
series.
Remove an enormous amount of ifdefs based on libgcrypt versions
1.6.0, 1.7.0, and 1.8.0. There will be a second pass for the
commons defines HAVE_LIBGCRYPT_AEAD, HAVE_LIBGCRYPT_CHACHA20, and
HAVE_LIBGCRYPT_CHACHA20_POLY1305, which are now always defined.
The ISAKMP dissector has some comments noting that some workarounds
were used for libgcrypt 1.6 that aren't needed with 1.7; perhaps
that could be updated now.
If we're faking items, then proto_[item|tree]_get_parent[_nth] return
the parent of the faked item, which may not be what we want. We have
no way of knowing if the logical item meant was the faked item itself
or one of its children that share the same proto_item when faked.
Thus we don't know if we should return the proto_item itself or its
parent when called on a possibly faked item. Most of the time we will
be adding new items to what we return here, which means not faking items
that could be faked (since we might be returning the root node, which
doesn't have a field_info), hurting performance (see #8069).
It can also have some unusual effects on the protocol hierarchy stats,
particularly if we change things so that non-visible items can change
their length, which has a similar issue. (#17877)
Convert our conversation protocols to a dynamic list and add
add_conversation_filter_protocol(). Use it in the Falco Bridge plugin to
add protocols with conversation filters.