This combines the SSE4.2 instructions usage, with pre-compiled
pattern searching usage, for a faster pbrk search method.
Testing against large files of HTTP and SIP, there is about
a 5% performance improvement by using pre-"compiled" patterns
for guint8_pbrk() instead of passing it the search string and
having it build the match array every time.
Similar to regular expressions, "compiling" the pattern match array
in advance only once and using the "compiled" patterns for
the searches is faster than compiling it every time.
Change-Id: Ifcbc14a6c93f32d15663a10d974bacdca5119a8e
Ping-Bug: 10798
Reviewed-on: https://code.wireshark.org/review/6990
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also ensure that USB COM dissection is done with the parent tree and not setup one
Change-Id: Iae9f933ff29b3854879375df320a23e623ea785f
Reviewed-on: https://code.wireshark.org/review/7051
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
if captured length < reported length, this will trigger an infinite loop
Change-Id: I6557b455e7bbff12658a934e5bb13a42c023e133
Reviewed-on: https://code.wireshark.org/review/7053
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
This function can only search in captured length buffer
This fixes an ASAN failure reported by Alexis
Change-Id: Ib936f918e057423d63ff34a5fc79fed602e56dfc
Reviewed-on: https://code.wireshark.org/review/7052
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Change-Id: I09b2cc3739628b5de706659731e37fa345804254
Reviewed-on: https://code.wireshark.org/review/7043
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
RFC 2830 describes the Start TLS operation as follows:
1. ExtendedRequest is sent by client with the requestName OID set to
"1.3.6.1.4.1.1466.20037".
2. Server responds with an ExtendedResponse having a resultCode and
optionally a responseName (OID).
The text mentions that the field *must* be set but the definition allows
it to be optional. The previous code then made assumption that once (1)
was seen, then any ExtendedResponse signals an acknowledgement.
That is not entirely correct, a server could reject the request. This
patch corrects that by checking the ExtendedResponse_resultCode for
success, and then uses the new ssl_starttls_ack() helper to kick off
SSL. This simplifies the code a bit.
Tested against ldap-ssl.pcapng (which has no responseName) from
http://wiki.wireshark.org/SampleCaptures#SSL_with_decryption_keys
The result is the same as before, except that "Protocols in frame"
changed from "...:ldap:ssl:ldap" to "...:ssl:ldap".
Change-Id: Id7e40c5a50a217c4d3d46f08241d704f19d195dd
Reviewed-on: https://code.wireshark.org/review/6982
Reviewed-by: Michael Mann <mmann78@netscape.net>
This patch lets a dissector hand over control to the SSL dissector which
simplifies dissector code ("TCP | App | SSL | App" becomes
"TCP | SSL | App").
After this patch, all of the affected dissectors will now be dissected
as SSL with its Application Data being treated as the protocol before
STARTTLS. This was previously not the case because the port was not
registered for dissection via ssl_dissector_add.
The desegmentation issue within the MySQL dissector is now also gone.
Convert some tvb_length[_remaining] users in pop and smtp as well.
Tested against mysql-ssl.pcapng and mysql-ssl-larger.pcapng(*1),
Tested against pop-ssl.pcapng (note: only first stream is decrypted,
either the key after negotiation is wrong or there is a bug),
Tested against smtp-ssl.pcapng and smtp2525-ssl.pcapng (with Decode As)
and smtp-ssl.pcapng with filter "tcp.len>0",
Tested against xmpp-ssl.pcapng,
http://wiki.wireshark.org/SampleCaptures#SSL_with_decryption_keys
*1) mysql-ssl-larger has MySQL dissector errors for the fragmented
SSL packet, but reassembly seems to work. Needs further
investigation.
Bug: 9515
Change-Id: I408ef8ff30d9edc8954dab9b3615900666dfa932
Reviewed-on: https://code.wireshark.org/review/6981
Reviewed-by: Michael Mann <mmann78@netscape.net>
All STARTTLS-like dissectors (protocols which can switch to SSL/TLS
after a protocol command) currently fail to get called after decryption.
The reason for this is that the port is not registered for SSL
dissection via ssl_dissector_add. Besides this, the MySQL dissector
breaks in the event of multiple segments because it does not properly
set desegmentation.
The call path TCP | App | SSL | App is a bad, error-prone pattern which
requires duplication of required functionality in dissectors. This patch
enables to bypass the App (TCP | SSL | App) by registering a SSL as
conversation dissector after a STARTTLS switch.
Logical overview of changes:
- Move srv_addr, srv_ptype and srv_port to SslSession and adjust the
users. This allows passing SslSession around which will never be null
unlike SslDecryptSession. This is needed for looking up the packet
direction (server or client) before calling a subdissector.
- Add app_handle to store the dissector and last_nontls_frame the
frame that initiated STARTTLS.
- The same app_handle is now used to store the dissector handle from
a ssl association.
- Moved conversation data (SslDecryptSession) to ssl-utils to avoid
code duplication. Merge ssl_session_init into it. The new
ssl_session_get() is needed for STARTTLS frame/handle storage.
- Introduce new "ssl_starttls_ack" function to signal the last non-TLS
packet.
- Ensure that match_uint is set before calling the conversation
dissector. This ensures that dissectors using match_uint to check
the direction of a packet (client vs. server) see the TCP port
instead of the IP proto. At least the MySQL and SMTP dissectors
require such special treatment.
- Move epan/conversation.h outside HAVE_LIBGNUTLS, remove from dtls
(as it is already included by ssl-utils).
- Various comment/debug string updates. Remove outdated comment before
SSL association lookup.
Besides setting match_uint and caching the app_handle, existing
dissectors should not be affected by this patch. Follow-up patches
will update existing dissectors to use the new ssl_starttls_ack
interface.
Bug: 9515
Change-Id: I795d16b6a901e672a5d89e922adc7e5bbcda0333
Reviewed-on: https://code.wireshark.org/review/6872
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This patch improves detection of a SPDY/3.1 in SSL capture. While at it,
add other protocols from the RFC/drafts.
spdy was tested against a private capture from spdy/3.1 communication
between Chromium 40 and ssl.gstatic.com.
http2 was tested against http2-16-ssl.pcapng from
http://wiki.wireshark.org/SampleCaptures#SSL_with_decryption_keys
Change-Id: I111efae34d614b7d8e37eaaa686b391d332753dd
Reviewed-on: https://code.wireshark.org/review/7000
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
On the wire P_DATA_V2 is same as P_DATA-V1 plus 3 bytes "peer-id" value
after opcode. Client-side support has been added since OpenVPN 2.3.6,
server side is in master branch and will appear in 2.4.
Peer-id is especially useful for mobile clients (they often float
between 3G/Wi-Fi) and in general for Wi-Fi clients (solves UDP NAT
timeout issue).
Change-Id: Ic5d2e05e62c27bed18c2368a1bbc5c7bf4d358f1
Reviewed-on: https://code.wireshark.org/review/7023
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows for even more cleanup with respect to how address types are handled, including removing address_to_str.c. Most of the functionality was folded into address_types.c, but the remainder was just dispersed because it didn't make sense to keep the file.
Change-Id: Id4e9391f0c3c26eff8c27b362e4f7a1970d718b4
Reviewed-on: https://code.wireshark.org/review/7038
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Using the new address type registration, dissectors can create their own address types with their own (column) filters attached to them, eliminating the need for an address to keep track of a hf_ field.
Change-Id: I2bbec256a056f403a7ac9880d5d76a0b2a21b221
Ping-Bug: 7728
Reviewed-on: https://code.wireshark.org/review/7037
Reviewed-by: Michael Mann <mmann78@netscape.net>
Information about dissector (filter) fields should be kept in a dissector as much as possible. Supporting "column filter string" also allows other dissectors to create their own "address types" with different column filters (because AT_ETHER isn't always an "Ethernet" address).
This feature also allowed a few "dissector specific" address types to be moved to their own dissector.
Change-Id: Ie9024af4db62bc2ee4f8c9d28a1d807f706f45bf
Ping-Bug:7728
Reviewed-on: https://code.wireshark.org/review/7029
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Now address types are setup just like field types and must be registered with a structure that provides its string representation (and more things in the future). Address types that are limited to a single dissector are registered by the dissector. More "common" ones are globally registered. There are still a few that really belong in a dissector, but have other dependencies currently not accounted for in the address type support.
Many of the "address to string" conversions that involved g_sprintf have be changed to use more "performance friendly" methods (some at the cost of needing to_str-int.h)
Leaving all comments regarding this "solution" in address_to_str.c in until all have been implemented
Change-Id: I494f413e016b22859c44675def11135f228796e0
Reviewed-on: https://code.wireshark.org/review/7019
Reviewed-by: Michael Mann <mmann78@netscape.net>
The DNS packet's 3rd additional RR is a LOC RR.
In the LOC RR, Wireshark marks the Size field with meters unit.
However, the Horizontal and Vertical Precision fields have no units
Issue reported by Boaz
Bug:10940
Change-Id: If177757d2bba6ea012a320aceaea2f8d8e50155c
Reviewed-on: https://code.wireshark.org/review/7014
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Icb7fec658f895e91069e51bab50d57a0a93f5cba
Reviewed-on: https://code.wireshark.org/review/7031
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Ic8f93913396de3d97cdba4473e6837056c8250a6
Reviewed-on: https://code.wireshark.org/review/7030
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
Mostly: Rename a number of macros to be RIEMANN_...
Change-Id: I2b8beb5f9241a0a2a380b8a38222ef07beb1703c
Reviewed-on: https://code.wireshark.org/review/7028
Reviewed-by: Bill Meier <wmeier@newsguy.com>
uuid_t is a data type provided by a number of environments, thanks to
the Open Software Fuundation; calling the Bluetooth code's data type,
which includes an actual OSF-style UUID as a member, "uuid_t" can lead
to confusion and *does* lead to compile errors on platforms where, for
better or worse, system headers such as <unistd.h> define uuid_t (and
are included by, for example, Qt headers).
Just rename it "bluetooth_uuid_t".
Change-Id: Ic742723913ba4105cd3269dd24fc821147285176
Reviewed-on: https://code.wireshark.org/review/7017
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The following doesn't quite do what it might seem to be doing:
guint64 num;
guint8 b;
num |= ((b & 0x7f) << shift);
The warning from MSVC2013:
Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value. Results might not be an expected value
Change-Id: Ic8c939355b54317f0b459c60342f3cb5dfa29624
Reviewed-on: https://code.wireshark.org/review/7015
Reviewed-by: Bill Meier <wmeier@newsguy.com>
if they're dealing with HID descriptors
Change-Id: Ia529fe373653ddf18e05e8ad148a2f5b5686fa95
Reviewed-on: https://code.wireshark.org/review/7010
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Change-Id: I19544eeccd5206de88fe480f9b02bc57fcc278bd
Reviewed-on: https://code.wireshark.org/review/7009
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Change-Id: Iaf339310c3b606885e945d10cffc1956ce24578a
Reviewed-on: https://code.wireshark.org/review/7008
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
treat those two messages as class-specific control messages, handle them
inside the USB HID dissector
Change-Id: I42d201df4a8fdb94c947b6118c0b50945c306423
Reviewed-on: https://code.wireshark.org/review/7006
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
pass the data only to one subsequent dissection function
either we have a standard request or a non-standard request that can be
handled by a class dissector (we used to do both at the same time,
this makes the output difficult to read)
Change-Id: Ia46239b2b9e121c9ca165cc56d0b271345d7962e
Reviewed-on: https://code.wireshark.org/review/7005
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
top-most tree on which it operates
this gives callers more control over where things are displayed
Change-Id: I8cdc07b4f3569bca728781fb709e2a2bb37c433b
Reviewed-on: https://code.wireshark.org/review/7004
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
standard setup request
it's not sufficient to look at the type bits in the request type field
use the new function where we checked the type bits before
Change-Id: I65b901dca91607a4dad4e4296b3f3a877aebf346
Reviewed-on: https://code.wireshark.org/review/7003
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
Introduced in gca3fe28;
Found by MSVC2013 Code Analysis
Change-Id: I4c754dfacca492b53debdaf82557e4fe91698460
Reviewed-on: https://code.wireshark.org/review/6991
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
It is a GUI+QT feature that introduce Bluetooth menu and
"ATT Server Attributes" that present all handle+UUID pairs
as table. User may copy cell value, row, selected rows or whole
table within header. On activate user will go to packet that
introduce UUID for specified handle.
Change-Id: If17e53aff5feb89ededc740a595ba5882b90be5e
Reviewed-on: https://code.wireshark.org/review/6911
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
"Break" is not missing, "error opcode" is part of opcode "Error Response"
that is needed to fetch request data.
Change-Id: I35432b22fae492a93332a8787213dd8fcf796e3b
Reviewed-on: https://code.wireshark.org/review/7001
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
- Remove some boilerplate comments;
- Use a consistent indent style (gnu);
- Use a consistent format for hf[] entries;
- Whitespace;
- Long lines;
- Rename a generic macro;
Change-Id: Ic2edcf8a8c0151d63a0d0ad901ddea9d7443ad19
Reviewed-on: https://code.wireshark.org/review/6994
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Found by MSVC2013 Code Analysis
Change-Id: If8138ff3eab7daa1da728781314f8024e36545be
Reviewed-on: https://code.wireshark.org/review/6992
Reviewed-by: Bill Meier <wmeier@newsguy.com>
can be considered TOS 0.
Use similar logic in LSA-Summary processing.
Ping-Bug: 6302
Change-Id: I0a74b95f6c4413ebce240e6e1b46c7e88311713a
Reviewed-on: https://code.wireshark.org/review/6951
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Since 'values' is always 'length/4', we can have it as 'gint' and avoid
the Clang warning concerning the while cycle.
>> cannot optimize loop, the loop counter may overflow [-Wunsafe-loop-optimizations]
Change-Id: I4342f9e3fcd5df7779f41414ab6f789fe402e3af
Reviewed-on: https://code.wireshark.org/review/6979
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
They've been deprecated for a very long time. Replace them with
getaddrinfo. Note that we might not want to do synchronous name
resolution at all.
Add HAVE_GETADDRINFO to the KfW win-mac.h collision list.
Change-Id: If59ce8a038776eadd6cd1794ed0e2dad8bf8a22c
Reviewed-on: https://code.wireshark.org/review/6958
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Hadriel Kaplan