There are a lot of text dissectors which just want to add escaped (not filterable) text;
add a new function proto_tree_add_format_text() which just does this in an optimized way.
Change-Id: Ia0e189b620cc0a5b74cfdaef1ad4571d766bb2ab
Reviewed-on: https://code.wireshark.org/review/1678
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Evan Huus <eapache@gmail.com>
packet-http.c:2629: warning: implicit conversion shortens 64-bit value into a 32-bit value
Change-Id: I6a423639a53c24431fcfd79e0a235f2885ea86c2
Reviewed-on: https://code.wireshark.org/review/1389
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Using value_is_in_range is making quite some assumptions, namely (1) the
proxy server is always run on a registered HTTP port, and (2) the
source (client) port is always not HTTP. The former is quite a strong
assertion which fails to hold when using a custom port (8008) that got
detected through heuristics.
Fix this by recording the source address and port pair for the server
and then checking this against the current packet.
This fixes detection of an SSL conversation where two conversations got
detected instead of one. Example: 8008 is proxy, 443 is target server.
Now the proxied conversation got detected as 443 --> "client port"
(server to client, ok) and 443 --> 8008 (client to server, not ok,
should be "client port" --> 443).
bug:7717
Change-Id: I05113ec2aca6c9296184759a8a62eb32cbfcbb4f
Reviewed-on: https://code.wireshark.org/review/1380
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
For long cookies, the label "[truncated] Cookie: foo=v..." is not really
helpful. Add a new subtree to display individual cookies, this makes
copying values much easier.
A new "http.cookie_pair" field was added instead of re-using
"http.cookie". This has the advantage that `tshark -Tfields -e
http.cookie` does not end up with duplicates. At the same time, one can
match against individual cookie values.
I also considered limiting the number of cookies to be split, but as
there is no limit on the number of headers, I decided not to be
restrictive for cookies either.
Change-Id: I98d9522867811278ade3e04aab02e517f997928b
Reviewed-on: https://code.wireshark.org/review/1186
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
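An added illustration of the per-cookie split described in the commit above (example code, not Wireshark's own): it cuts a Cookie header value on ';', trims blanks, and lets a caller pick out one cookie by name, the value-level matching that a separate cookie_pair field makes possible. Function names and the sample header values are hypothetical/constructed.

```c
/* Added example, not Wireshark code: split a Cookie header value into the
 * individual name=value pairs a per-cookie field would expose. */
#include <stddef.h>
#include <string.h>

/* Copy the idx-th (0-based) non-empty, blank-trimmed "name=value" segment of
 * `cookie` into buf (truncated to buflen-1 bytes). Returns its length, or -1
 * if there is no such segment. */
static int cookie_pair_at(const char *cookie, int idx, char *buf, size_t buflen)
{
    const char *p = cookie;
    int seen = 0;
    if (buflen == 0) return -1;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len > 0 && (*p == ' ' || *p == '\t')) { p++; len--; }      /* trim leading */
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--; /* trim trailing */
        if (len > 0) {
            if (seen == idx) {
                if (len >= buflen) len = buflen - 1;  /* never overrun the caller's buffer */
                memcpy(buf, p, len);
                buf[len] = '\0';
                return (int)len;
            }
            seen++;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Number of pairs the header splits into (one cookie_pair-style field each). */
static int cookie_pair_count(const char *cookie)
{
    char scratch[128];
    int n = 0;
    while (cookie_pair_at(cookie, n, scratch, sizeof scratch) >= 0)
        n++;
    return n;
}

/* Value of the cookie called `name` (pointer into buf), or NULL if absent.
 * Whole-name match only, so "session" does not match "sessionid". */
static const char *cookie_value(const char *cookie, const char *name, char *buf, size_t buflen)
{
    size_t nlen = strlen(name);
    for (int i = 0; cookie_pair_at(cookie, i, buf, buflen) >= 0; i++)
        if (strncmp(buf, name, nlen) == 0 && buf[nlen] == '=')
            return buf + nlen + 1;
    return NULL;
}
```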
From Martin Mathieson.
In a profiled run with FTP traffic, the HTTP dissector looking for the end of a line of data (which was binary) was taking around 3% of runtime.
bug:8822
Change-Id: I2617d1e49030bd5ad85b0e818c48c01dc6fae075
Reviewed-on: https://code.wireshark.org/review/1373
Reviewed-by: Michael Mann <mmann78@netscape.net>
"line" is used only in the main loop processing the lines.
Change-Id: I370c6516867a9c972f9673b3362141f0f42d178a
Reviewed-on: https://code.wireshark.org/review/1360
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Also, shuffle some comments around to make them better describe what's
happening.
Change-Id: Ie4d71e7c64b68a7f02b4ec6cd2d8601a796a9867
Reviewed-on: https://code.wireshark.org/review/1359
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Always need to initialize "firstline" when "line" is initialized.
Bug:10041
Change-Id: Iecee2e387e4a35f0d7126f8f14aa5bd34449a5d3
Reviewed-on: https://code.wireshark.org/review/1351
Reviewed-by: Michael Mann <mmann78@netscape.net>
It causes the DTLS decryption test suite to fail for some reason, and I don't have time/energy to investigate further, so we should probably revert it until that gets resolved.
This reverts commit fc5d8db74d.
Change-Id: Iac9a7592047d2e080e380a70752efa076303e442
Reviewed-on: https://code.wireshark.org/review/1297
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Evan Huus <eapache@gmail.com>
Change-Id: Ic315ed9b7d65fe70401945cb0cceda4af863d140
Reviewed-on: https://code.wireshark.org/review/1215
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
wmem_packet_scope() cannot be used outside of a packet treatment
Change-Id: I6e545bbb51f325b366288f17358f9d2347a7d7c4
Reviewed-on: https://code.wireshark.org/review/977
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Change-Id: I7489e2fb3a1f2630ca17b0a5fe1aa873992f1061
Reviewed-on: https://code.wireshark.org/review/975
Reviewed-by: Michael Mann <mmann78@netscape.net>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The majority of the fixes are for calls to uat_new(). Instead of
having each caller cast its private data to (void**), we use void*
in the uat_new() API itself. Inside uat_new(), we cast the void*
to void**.
Some dissectors use val64_string arrays, so a VALS64() macro was
added for those, to avoid using VALS(), which is useful only for
value_string arrays.
packet-mq.c was changed because dissect_nt_sid() requires
a char**, not a guint**. All other callers of dissect_nt_sid() use
char*'s (and take the address of it) for their local storage. So,
this was changed to follow the other practices.
A confusion between gint and absolute_time_display_e in packet-time.c
was cleared up.
The ugliest fix is the addition of ip6_guint8_to_str(), for exactly
one caller. The caller uses one type of ip6 address byte array,
while ip6_to_str() expects another. This new function is in place
until the various address implementations can be consolidated.
Add VALS64() to the developer documentation.
Change-Id: If93ff5c6c8c7cc3c9510d7fb78fa9108e4552805
Reviewed-on: https://code.wireshark.org/review/48
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
I'm not sold on the name or module the proto_data functions live in, but I believe the function arguments are solid and give us the most flexibility for the future. And search/replace of a function name is easy enough to do.
The big driving force for getting this in sooner rather than later is the saved memory on ethernet packets (and IP packets soon), that used to have file_scope() proto data when all it needed was packet_scope() data (technically packet_info->pool scoped), strictly for Decode As.
All dissectors that use p_add_proto_data() only for Decode As functionality have been converted to using packet_scope(). All other dissectors were converted to using file_scope() which was the original scope for "proto" data.
svn path=/trunk/; revision=53520
proto_tree_set_text - the string was not the important part, the formatting was.
We were passing the string directly from tvb_get_ptr, but this meant that if the
packet didn't contain a null-terminator we would run off the end. Since the
string comes straight from the packet, just let _add_item handle the length
calculations etc efficiently, and set the display later.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9323
I'm a bit confused honestly why most of these are being set hidden after being
added and formatted, but at least there are no memory errors anymore.
svn path=/trunk/; revision=52979
convert all existing UAT update callbacks to use glib memory instead of
ephemeral memory for that string.
UAT code paths are entirely distinct from packet dissection, so using ephemeral
memory was the wrong choice, because there were no guarantees about when it would
be freed.
The move away from emem still needs to be propagated deeper into the UAT code
itself at some point.
Net effect: remove another bunch of emem calls from dissectors, where replacing
with wmem would have caused assertions.
svn path=/trunk/; revision=52854
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :
We can't solely rely on the port in the URI to determine whether we will be
recursively called by decode_tcp_ports(). Instead also check the conversation
entry too: if we find that we are the subdissector for this conversation
(which we might be--without the port being in our list of ports--if we
heuristically picked up the conversation or the user did Decode-As),
just bail out and dissect the payload as data.
svn path=/trunk/; revision=49623
least one fuzzed capture contains them, and using ep_strndup() to copy
the line means that the actual amount of memory allocated for the copy
will be less than the length of the line, and code that parses the line
assuming that there are value_len+1 bytes in the buffer (including the
terminating NUL), such as the current parsing code, will break.
We should really have code in Wireshark to handle counted strings, and
have those be what we extract from packets. (And we should handle
non-UTF-8/non-UTF-16 encodings, and octet sequences that aren't valid
strings for their encoding, and handle display of invalid strings and
non-printable characters, and....).
Use g_ascii_ versions of various isXXX() and to{upper,lower}(), so we
don't get surprised by the behavior of the user's locale.
svn path=/trunk/; revision=48490
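An added example (not Wireshark code) of the counted-string point made in the commit above and in the earlier proto_tree_set_text fix: copy exactly `len` bytes and terminate them yourself instead of letting a strndup-style copy stop at the first NUL, and check the range against the packet length so a missing terminator cannot run the copy off the end. Function names are hypothetical and the sample packet bytes are constructed.

```c
/* Added example, not Wireshark code: copy a line out of a packet as a counted
 * string so embedded NULs and a missing terminator cannot cause an overread. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a request whose second header line carries an embedded
 * NUL byte ("ab\0cd"), as a fuzzed capture might. 31 bytes of packet data. */
static const unsigned char sample_pkt[] = "GET /a HTTP/1.1\r\nX-Bin: ab\0cd\r\n";
static const size_t sample_len = sizeof sample_pkt - 1;   /* drop the literal's own NUL */

/* Copy exactly `len` bytes from offset `off` into a new buffer of len+1 bytes and
 * NUL-terminate it, so a parser that expects value_len+1 bytes (terminator
 * included) stays inside the allocation even when the line contains NULs.
 * Returns NULL if the range leaves the packet or allocation fails. */
static char *copy_counted_line(const unsigned char *buf, size_t buflen, size_t off, size_t len)
{
    char *out;
    if (off > buflen || len > buflen - off)   /* overflow-safe bounds check */
        return NULL;
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf + off, len);
    out[len] = '\0';
    return out;
}

/* How many bytes a strndup()-style copy of the same line would hold: it stops at
 * the first NUL, so the allocation is shorter than the len+1 the caller assumes. */
static size_t strndup_style_length(const unsigned char *buf, size_t buflen, size_t off, size_t len)
{
    size_t n = 0;
    while (n < len && off + n < buflen && buf[off + n] != '\0')
        n++;
    return n;
}

/* Offset of the first '\r' or '\n' at or after `off`, scanning only inside the
 * packet; returns buflen when no line end exists (the line is unterminated). */
static size_t find_line_end(const unsigned char *buf, size_t buflen, size_t off)
{
    size_t i;
    for (i = off; i < buflen; i++)
        if (buf[i] == '\r' || buf[i] == '\n')
            return i;
    return buflen;
}
```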
traffic *without* claiming all that traffic for themselves; they might
want, instead, to register for a particular media type.
Not all traffic to or from port 3689 is DAAP - not even traffic between
two Apple machines doing media stuff (e.g., some FairPlay traffic
isn't). Register for the media type application/x-dmap-tagged, and just
say port 3689 is HTTP. This means we can get rid of the FPLY hack, as
that traffic is application/octet-stream. Update some comments.
Leave it up to the DAAP dissector to tag traffic as DAAP in the protocol
column.
svn path=/trunk/; revision=47376
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
sizeof.
Cast away some implicit 64-bit-to-32-bit conversion errors due to use of
strtol() and strtoul().
Change some data types to avoid those implicit conversion warnings.
When assigning a constant to a float, make sure the constant isn't a
double, by appending "f" to the constant.
Constify a bunch of variables, parameters, and return values to
eliminate warnings due to strings being given const qualifiers. Cast
away those warnings in some cases where an API we don't control forces
us to do so.
Enable a bunch of additional warnings by default. Note why at least
some of the other warnings aren't enabled.
randpkt.c and text2pcap.c are used to build programs, so they don't need
to be in EXTRA_DIST.
If the user specifies --enable-warnings-as-errors, add -Werror *even if
the user specified --enable-extra-gcc-flags; assume they know what
they're doing and are willing to have the compile fail due to the extra
GCC warnings being treated as errors.
svn path=/trunk/; revision=46748
- Now works for WebSocket packets not aligned with IP packets.
- Support subdissectors.
From me:
- Fix checkAPIs warning (about comments)
- Remove some whitespace
svn path=/trunk/; revision=45875
implicitly by the #define name and string they were defined to; not all
UATs neatly fit into any of the categories, so some of them were put
into categories that weren't obviously correct for them, and one - the
display filter macro UAT - wasn't put into any category at all (which
caused crashes when editing them, as the GUI code that handled UAT
changes from a dialog assumed the category field was non-null).
The category was, in practice, used only to decide, in the
aforementioned GUI code, whether the packet summary pane needed to be
updated or not. It also offered no option of "don't update the packet
summary pane *and* don't redissect anything", which is what would be
appropriate for the display filter macro UAT.
Replace the category with a set of fields indicating what the UAT
affects; we currently offer "dissection", which applies to most UATs
(any UAT in libwireshark presumably affects dissection at a minimum) and
"the set of named fields that exist". Changing any UAT that affects
dissection requires a redissection; changing any UAT that affects the
set of named fields that exist requires a redissection *and* rebuilding
the packet summary pane.
Perhaps we also need "filtering", so that if you change a display filter
macro, we re-filter, in case the display is currently filtered with a
display filter that uses a macro that changed.
svn path=/trunk/; revision=43603
Add WebSocket Protocol dissector (RFC6455)
* Support Base Framing Protocol
* Support of major opcode (Text, Binary, Close, Ping, Pong...)
* Support of unmask Payload (Client-to-Server Masking)
TODO
* Add fragmentation support
* Add WebSocket Extensions
svn path=/trunk/; revision=42163
Check the user-provided custom header string for invalid characters before
trying to register it in an hf; registering invalid characters in an hf will
lead to an assertion.
svn path=/trunk/; revision=41787
-- HTTP/1.1":
Any HTTP/1.1 message containing an entity-body SHOULD include a
Content-Type header field defining the media type of that body. If
and only if the media type is not given by a Content-Type field, the
recipient MAY attempt to guess the media type via inspection of its
content and/or the name extension(s) of the URL used to identify the
resource. If the media type remains unknown, the recipient SHOULD
treat it as type "application/octet-stream".
To quote section "4. Encoding of Transport Layer" of RFC 2565, "Internet
Printing Protocol/1.0: Encoding and Transport":
HTTP/1.1 [RFC2068] is the transport layer for this protocol.
...
Note: even though port 631 is the IPP default, port 80 remains the
default for an HTTP URI. Thus a URI for a printer using port 631
MUST contain an explicit port, e.g. "http://forest:631/pinetree". An
HTTP URI for IPP with no explicit port implicitly reference port 80,
which is consistent with the rules for HTTP/1.1. Each HTTP operation
MUST use the POST method where the request-URI is the object target
of the operation, and where the "Content-Type" of the message-body in
each request and response MUST be "application/ipp". The message-body
MUST contain the operation layer and MUST have the syntax described
in section 3.2 "Syntax of Encoding". A client implementation MUST
adhere to the rules for a client described for HTTP1.1 [RFC2068]. A
printer (server) implementation MUST adhere the rules for an origin
server described for HTTP1.1 [RFC2068].
So, when choosing a subdissector for HTTP request bodies, search based
on the media type first, and only if we *don't* find a dissector for the
media type, do other stuff such as heuristics or choosing a subdissector
based on the port number.
This fixes a number of problems; in particular, it fixes bug 6765
"non-IPP packets to or from port 631 are dissected as IPP" without
requiring the IPP dissector to attempt to determine whether an entity
body looks like IPP. It also ensures that the default dissector for
HTTP entity bodies, the "media" dissector, will get the media type
passed to it in pinfo->match_string.
Don't use "!str*cmp()" while we're at it - it's valid C, but the "!" can
make it look as if it's checking for something not being the case when,
in fact, you're checking for equality rather than inequality. (The
str*cmp() routines don't return Boolean results.)
svn path=/trunk/; revision=41025
[Actually 1 g_malloc() + N tvb_memcpy() instead of
~ N g_malloc()/g_free() + N*(N+1)/2 tvb_memcpy() where N = number of chunks].
svn path=/trunk/; revision=40242
1. If there's no character encoding (ENC_ASCII, ...) specified
then use ENC_ASCII.
2. For all but FT_UINT_STRING, always use ENC_NA
(replacing any existing True/1/FALSE/0
/ENC_BIG_ENDIAN/ENC_LITTLE_ENDIAN).
svn path=/trunk/; revision=39426
in README.developer. Remove g_gnuc.h since it's no longer needed. Remove
tvbuff_init(), tvbuff_cleanup(), reassemble_init(), and
reassemble_cleanup() since they were only used for older GLib versions
which didn't support GSlices. Assume we always support the "matches"
operator.
svn path=/trunk/; revision=37978
Make the image (png, gif, jfif) dissectors "new style" so that they don't
dissect data that does not belong to them.
Modify the HTTP dissector to call heuristic dissectors on the body if the
registered subdissector does not accept/dissect the data.
From me: don't use assert() and don't add a preference to the HTTP dissector
for this behavior: it makes sense to behave like that by default.
svn path=/trunk/; revision=36305
I've just finished writing an ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook Anywhere packets properly (as
specified by the [MS-RPCH].pdf documentation).
svn path=/trunk/; revision=35259
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
Attached patch:
1. Adds port 5985 as an HTTP traffic port (used by MS PowerShell remoting over
HTTP)
2. Adds dissection of Kerberos authentication to HTTP.
svn path=/trunk/; revision=34641