Dumpcap depends on wsutil.so. The path to the shared library
is encoded in the RPATH (or RUNPATH) property of ELF binaries.
This is currently an absolute path on most Unixy systems.
Dumpcap could not be made to work with a relative RPATH because it
uses elevated privileges and some loaders will ignore relative
RPATHs and non-standard paths under those circumstances, because of
(justified) security concerns.
To enable relocation of the program we link dumpcap statically
with wsutil instead.
This provides a fully working relocatable installation on Linux
and other platforms that support relative RPATHs.
Added the SAP Diag dissector protocol from [SecureAuth's plugin](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/blob/master/src/packet-sapdiag.c).
This is a dissector that implements the Diag protocol. Decompression of packets is not considered as this requires the proprietary LZC/LZH decompression routines still pending to be added in #8973. The Diag packets can be wrapped in an SNC frame, in which case the respective dissector is called. Embedded RFC calls are disabled as this requires the respective dissector to be found, which will be submitted in a separate merge request.
Details about the protocol and example requests can be found in [pysap's documentation](https://pysap.readthedocs.io/en/latest/protocols/SAPDiag.html).
The personal extcap folder $XDG_CONFIG_DIR/wireshark on Linux is
inconsistent with the global extcap folder (lib/wireshark/extcap)
and personal plugins folder (.local/lib/wireshark/plugins) and also
the configuration folder should not contain architecture-specific files.
The extcap personal folder is changed from:
.config/wireshark/extcap
to:
.local/lib/wireshark/extcap
Currently the autocompletion engine always suggests a protocol
field completion, even in places where it isn't syntactically
valid.
Fix that by compiling the preamble to the token under the cursor
and checking the returned error. If it is DF_ERROR_UNEXPECTED_END
that indicates a field or literal value was expected. Otherwise
a field replacement is not valid in this position.
Fixes#12811.
This is the begin of a basic dissection of the proprietary protocol used
by the Mitel OMM/RFP communicatino over TCP. Currently no decryption is
supported so there is the need of external decryption.
This change adds a small dissector for the NVMe-MI protocol, typically
for tunelling Administration commands over an MCTP (over I2C) channel.
We just decode the request and response headers, and leave the payload
as raw data.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds a very basic dissector for the MCTP control protocol -
just the header fields, leaving the raw payload data.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds a protocol dissector for the Management Component
Transport Protocol (MCTP). This is a failry simple datagram-based
protocol for messaging between components within a single platform,
typically over I2C, serial or PCIe.
This dissector just implements the header fields, and sequence-number
based message reassembly. Inner protocols will be added as follow-up
changes.
Linux has support for AF_MCTP data, so decode from the MCTP SLL ltype.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This adds new syntax to read a field from the tree as bytes, instead
of the actual type. This is a useful extension for example to match
matformed strings that contain unicode replacement characters. In
this case it is not possible to match the raw value of the malformed
string field. This extension fills this need and is generic enough
that it should be useful in many other situations.
The syntax used is to prefix the field name with "@". The following
artificial example tests if the HTTP user agent contains a particular
invalid UTF-8 sequence:
@http.user_agent == "Mozill\xAA"
Where simply using "http.user_agent" won't work because the invalid byte
sequence will have been replaced with U+FFFD.
Considering the following programs:
$ dftest '_ws.ftypes.string == "ABC"'
Filter: _ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <FT_STRING>)
1 FVALUE("ABC" <FT_STRING>)
Instructions:
00000 READ_TREE _ws.ftypes.string <FT_STRING> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == "ABC" <FT_STRING>
00003 RETURN
$ dftest '@_ws.ftypes.string == "ABC"'
Filter: @_ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <RAW>)
1 FVALUE(41:42:43 <FT_BYTES>)
Instructions:
00000 READ_TREE @_ws.ftypes.string <FT_BYTES> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 41:42:43 <FT_BYTES>
00003 RETURN
In the second case the field has a "raw" type, that equates directly to
FT_BYTES, and the field value is read from the protocol raw data.
The <...> syntax for literals, intended to be as generic as
possible, unintentionally introduced an ambiguity with the
relational expression "a < b or a > c".
Literals are values like numbers, bytes, IPv6 addresses or, one
could imagine, UNC paths for example, if an FT_UNC type were to
be added in the future.
We could use a new unique symbol like @...@ but the <...>
syntax is very recent and may not be necessary with ":xxx" so
just remove it.
A byte array can be explicitly declared by prefixing with a colon. It
is not as generic but the main ambiguity that this new syntax attempted
to solve is bytes vs protocol names. We don't want to introduce a new
reserved symbol for now, until other requirements if any are more clear.
Fixes#18418.
Linux builds were left behind on the Qt transition, presumably because
our Ubuntu CI image does not support Qt6.
Enable Qt6 by default and explicitly disable it for slower or more
conservative Linux distros.
Drop experimental status for Qt6, because we are using it to build
official Windows and macOS releases.
Remove the redundant BASE_FLOAT field display type. The name
BASE_FLOAT is meaningless and the value aliased to BASE_NONE.
Require BASE_NONE instead of BASE_FLOAT (corresponding to
the printf() %g format).
Add new float display types using BASE_DEC, BASE_HEX and BASE_EXP
corresponfing to %f, %a and %e respectively.
Add support for BASE_CUSTOM with floats.
Changes:
- The tool now recognizes which software is running on a device - IOS, IOS XE
or ASA. Based on it, it uses correct sequence of commands to setup
capture, read captured packets and clear the capture.
- The tool reads packets on the fly so you don't have to wait till
--remote-count of packets is reached.
- The tool reads timestamps from capture on the device for IOS and ASA (on
IOS-XE, there is no timestamp in dump).
- Except Windows platform the tool handles early stop of capture on the device
and clear of capture buffer on the device (it finish the capture).
- There are special interface names to allow the tool to generate
specific capture types.
- Documentation updated.
Closes#17672.
Adding an explanation on minimum required versions to the release
notes, as well as bumping c-ares to version 1.14.0
The previous minimum (1.5.0) has been released in 2008. The new
version has been choosen to correlate with those distros, that
also provide a minimum version of Qt5 higher than 5.9, as 5.9
is no longer supported in the main branch