Commit Graph

84946 Commits

Author SHA1 Message Date
Tomasz Moń d0a9de2af1
capture: Stop extcaps before dumpcap
Send SIGTERM on UNIX systems to all extcap processes when user requests
capture stop. Wait up to 30 seconds for extcaps to finish. If extcaps do
not finish in time, send SIGKILL to remaining extcaps.

Do not call TerminateProcess() on Windows in the same place where UNIX
SIGTERM is sent. Instead schedule extcap termination timeout to happen
as soon as control returns back to the event loop.

There is no universally agreed replacement for SIGTERM on Windows, so
just keep things simple (forcefully terminate like always) until we
have agreed on something.
2022-08-13 20:23:51 +02:00
Pascal Quantin 8291dc23f3 RRC: upgrade dissector to v17.1.0 2022-08-13 17:35:21 +00:00
Gerald Combs bc10ddd7ba Docbook: Add a comment about the "reproducible" attribute. 2022-08-13 17:16:51 +00:00
Michael Tuexen a033dc7dc6 TCP: cleanup ECN related flags
The ECN-Echo flag is abbreviated in RFC 3168 using ECE, not ECN.
In addition, when displaying the flags, no abbreviations are
used. Therefore, do the same for the CWR flag.
2022-08-13 11:08:55 +00:00
John Thacker b5cea67768 Qt: Expert Info: Return TAP_PACKET_REDRAW if any ei is added
Any time an expert info is added to the Expert Info tap, the
Expert Info GUI tap listener needs to set TAP_PACKET_REDRAW.

draw_tap_listeners(FALSE) is called from MainApplication::updateTaps()
on a timer (controlled by a preference, defaulting to 3 seconds),
and that clears the Expert Info tap's need_redraw flag. The larger
a capture and the more expert infos, the more likely that the timer
can trigger while epan_dissect_run_with_taps() is still generating
more EI entries, but has already generated EIs of all severities
that are present in the capture. This prevents the expertInfoTreeView
from being redrawn at the end when the captureEvent is finished
retapping the packets.

Fix #18232. Fix #16591.
2022-08-13 10:55:32 +00:00
Pascal Quantin d982338177 NGAP: upgrade dissector to v17.1.1 2022-08-12 19:15:16 +00:00
Pascal Quantin cf17011c53 S1AP: add support for NTN NB-IoT TACs 2022-08-12 20:47:41 +02:00
Joakim Karlsson abe78a4109 sshdump: may be used uninitialized in this function [-Wmaybe-uninitialized] 2022-08-12 18:25:56 +00:00
Martin Mathieson 1337db5a18 check_typed_item_calls.py: check for consecutive calls to same item 2022-08-12 16:20:35 +00:00
Pascal Quantin 7d1f5939ae X2AP: upgrade dissector to v17.1.0 2022-08-12 16:44:14 +02:00
Pascal Quantin a9ea071b83 S1AP: upgrade dissector to v17.1.0 2022-08-12 15:23:48 +02:00
Joakim Karlsson 387a769003 PCAPNG: make dissect_block public for custom dissectors 2022-08-12 14:09:45 +02:00
Tomasz Moń 0bca2419d6
extcap: Do not drain stderr on process exit
Extcap child watch callback assumed that the stderr pipe is broken.
However the stdout and stderr pipes are not necessarily broken if the
child process spawned new processes that inherited standard handles.

Do not drain stderr in busy loop to prevent UI freeze. Stop capture
session only when all extcap watches are removed. Remove stdout and
stderr watches on capture stop timer (30 seconds) expiration, even if
the pipes are not broken.

Do not rely only on 0 bytes read to cease reading stdout and stderr.
Stop reading if the status is anything else than G_IO_STATUS_NORMAL
(especially it can be G_IO_STATUS_EOF).
2022-08-12 06:50:09 +02:00
Gerald Combs 25bb87a781 GitLab CI: BUILD_logwolf → BUILD_logray. 2022-08-11 17:56:28 -07:00
Vadim Yanitskiy 05f59f0045 GSM A RR: dissect random bit stream in SI6 Rest Octets
Since version 10.2.0 (2011-03) of 3GPP TS 44.018, unused octets of the
SI6 Rest Octets IE (see 10.5.2.35a) may optionally contain random bits
instead of the standard repeating sequence of '00101011'.

This is a counter-measure making the known-plaintext attack on encrypted
channels slower (and thus harder).  For more details, see GP-110384 [1].

[1] http://portal.3gpp.org/ngppapp/DownloadTDoc.aspx?contributionUid=GP-110384

Without this patch Wireshark would warn about an unknown or potentially
malformed PDU if the network is using random padding bits:

  SI 6 Rest Octets
      L... .... = PCH and NCH Info: Not Present
      .L.. .... = VBS/VGCS options: Not Present
      ..L. .... = DTM: Not Supported in Serving cell
      ...L .... = Band Indicator: 1800
      .... L... = GPRS MS PWR MAX CCCH: Not Present
      .... .L.. = MBMS Procedures: Not supported
      .... ..L. = Additions in Rel-7: Not Present
      Padding Bits: Unknown extension detected or malformed PDU (Not decoded)

With this patch, the value of the random bit stream indicator is used to
determine the presence of a random bit stream (padding):

  SI 6 Rest Octets
      L... .... = PCH and NCH Info: Not Present
      .L.. .... = VBS/VGCS options: Not Present
      ..L. .... = DTM: Not Supported in Serving cell
      ...L .... = Band Indicator: 1800
      .... L... = GPRS MS PWR MAX CCCH: Not Present
      .... .L.. = MBMS Procedures: Not supported
      .... ..L. = Additions in Rel-7: Not Present
      .... ...H = Random Bit Stream: Present
      Padding Bits: random bit stream
2022-08-11 19:18:17 +00:00
Vadim Yanitskiy dbf18e1de1 GSM BSSMAP LE: cosmetic: fix inconsistent spacing in bssmap_le_elem_fcn[] 2022-08-12 01:14:26 +07:00
Anders Broman cc57beb304 PFCP: UP Function feature bit QUASF typo, take 2. 2022-08-11 15:16:42 +00:00
Daniël van Eeden 913a96a2d3 mysql: Correct query attribute handling
This fixes dissection of queries with new clients with query attribute
support to servers that don't support this.
2022-08-11 14:08:55 +00:00
Anders Broman 903a5a74ee NAS-5GS: Update comment in Route selection descriptor content. 2022-08-11 12:36:26 +00:00
John Thacker 414dab7396 L2TP: Add generated PW type field to data packets, etc.
Add a generated item showing the pseudowire type for the session
to L2TP data packets.
Use ccid instead of tunnel id in the info column for L2TPv3
Consistently use hex for SIDs and CCIDs in L2TPv3 instead of a mix
of hex and decimal.
Remove some unnecessary whitespace in info column
Include the L2-Specific Sublayer length in the L2TP length
Put the L2-Specific Sublayer in the L2TP tree instead of the root tree

Along with previous commits, fix #16565.
2022-08-11 07:16:45 -04:00
Pascal Quantin 32bce6c8d6 TLS: put DIG_NA macro in last position 2022-08-11 08:52:29 +00:00
zhangzhilei 9da3c833a4 TLS: sync ciphers with ENC_ macro
we should add SM1 and SM4 to ciphers because there are
ENC_SM1 and ENC_SM4 defined in packet-tls-utils.h
2022-08-11 08:27:47 +00:00
Anders Broman e5db541526 PFCP: UP Function feature bit QUASF typo. 2022-08-11 08:11:16 +00:00
zhangzhilei 6cd2258c55 TLS: sync digests with DIG macro
since we define DIG_MD5(0x40) to DIG_SM3(0x45) in
epan/dissectors/packet-tls-utils.h
and in ssl_cipher_suite_dig,
we use cs->dig - DIG_MD5 to retrieve from digests,
so we should add SM3 to digests
2022-08-11 07:54:24 +00:00
Daniël van Eeden 7160d9e0f0 mysql: Fix capability check in login packet
The flag for ZSTD compression is part of the extended capabilities, not
the basic capabilities.
2022-08-11 07:37:56 +00:00
John Thacker a81a7876f1 L2TP: Account for cookie length in protocol length, etc.
A few of the minor usability improvements mentioned in #16565.
Account for the cookie length in the protocol length, and
simplify some of the accounting.
Rename the "Packet Type" item as "Flags" because it contains
several different boolean flags. Add it as a bitmask instead
of with a separate tree, which provides a better summary.
Remove the l2tp.session_id field that duplicated l2tp.sid
(but only in L2TP over IP data messages)
2022-08-11 07:11:36 +00:00
zhangzhilei 1bdf7427b6 TLS: fix wrong debug text
fix wrong debug text
2022-08-11 06:55:05 +00:00
DarienSpencer65 61e1da8e86 UMTS RLC: Support no-op encryption (UEA0) 2022-08-11 06:43:37 +00:00
John Thacker ee6519bca6 L2TP: Use the IANA assigned PW types for Decode As
Instead of registering subdissectors to arbitrary Wireshark
assigned numbers, register them to the actual pseudowire type
number assigned by IANA and present in the Pseudowire Type AVP.
Half of the previously registered types were never used, because
the dissector table could not be called with their Wireshark
internal number.

This makes it easier to add dissectors to support currently
unsupported but assigned types, and also makes it more intuitive
to use Decode As when the PW Type AVP is not present. Previously,
the dissector for the "default" type of CHDLC had to be changed to
a different subdissector.
2022-08-10 21:23:38 -04:00
Jaap Keuter 34ab3f308a sshdump: add option to select dumpcap as remote capture command 2022-08-10 17:26:49 +00:00
Pascal Quantin af558f672b NR RRC: upgrade dissector to v17.1.0 2022-08-10 18:05:01 +02:00
John Thacker e51916b54c L2TP: Fix UDP conversation handling.
RFCs 2661 and 3931 say that L2TPv2 and L2TPv3 use a TFTP-like method
of selecting ports. The initiator picks a source port (which may or
may not be 1701, the IANA assigned L2TP port), and sends a message to
1701; the recipient picks a free port (which may or may not be 1701)
and replies to the initiator's chosen port and address, and the
conversation from then on uses the chosen ports.

In practice, due to NAT, firewalls, etc., most implementations just
use a symmetric predetermined L2TP port. To support both methods
we use one-sided conversations with one port omitted. Fix the lookup
of the reverse conversation. Part of #16565.
2022-08-10 12:35:50 +00:00
Pascal Quantin f1140dbc9c LPP: upgrade dissector to v17.1.0 2022-08-10 14:16:18 +02:00
Pascal Quantin dc03586983 LTE RRC: upgrade dissector to v17.1.0 2022-08-10 12:58:20 +02:00
Pascal Quantin 100fe4e94e NAS 5GS: fix decoding of T3324 IE
T3324 IE is GPRS timer 3 type.
2022-08-10 09:46:31 +02:00
John Thacker 13df9b0b64 HTTP: Speed up chunked Transfer-Encoding on TCP
HTTP/1.1 chunked Transfer-Encoding doesn't have an overall length,
but requires scanning through variable length chunks to find the
end. If we determine that additional segments are needed, and
we have a sequence number (or other identifier) for the message,
store the position of the last chunk size found.

Use this to start scanning at that same offset when the next
segment arrives, reducing the algorithm for determining whether
we have the complete chunked message from O(N^2) to O(N),
which can be significant on captures with many chunks.

This does most of #14382, reducing the length of time to process
a file with 2 pass tshark from over 8.5 secs to under 3 seconds
on my machine. There is still some O(N^2) contribution from the
reassembly code itself with many small fragments (see #17311).

Other dissectors need some small changes to enable this for
HTTP over other transport layers. (TLS would be fairly easy and
is the other important case.)
2022-08-10 05:31:36 +00:00
John Thacker 5e04463282 L2TP: Store cookie length, session IDs, and PW type from Cisco AVPs
Store the cookie length, session IDs, and pseudowire type when
they are carried in Cisco vendor-specific AVPs in the same way
as done with the IETF AVPs. More of #16565.
2022-08-10 05:06:16 +00:00
Tomasz Moń 7316b16e1d
extcap: Read stdout and stderr during capture
Read extcap stdout/stderr data when available to prevent extcap hang on
stdout/stderr write. Discard stdout data as it was not used earlier.
Store up to 1024 bytes of stderr and display it to user after capture
stops.

Fixes #17827
2022-08-10 06:18:25 +02:00
Tomasz Moń ac4e1b86b8
wsutil: Use GIOChannel for standard pipes
Remove ws_read_string_from_pipe() as this function encourages bad design
and is no longer necessary. Extcap stderr is read only after the child
process has finished and thus the read will never block.

Close process information thread handle right away as we don't use it.
Remove unused ws_pipe_t member variables.
2022-08-10 06:18:25 +02:00
Tomasz Moń c1861ad1cc
extcap: Close capture session after extcap finishes
Wait up to 30 seconds for the extcap process to finish after closing pipes.
The wait is achieved in non-blocking fashion, i.e. the UI is completely
responsive during the wait. Only actions related to capture process like
capture control, file open, save, export are inactive during the wait.

On Windows the extcap child watch callback gets called immediately as the
process is forcefully terminated. Prior to this change the extcap was
forcefully terminated on Windows anyway.

The wait is possible on UNIX systems if extcap does handle SIGPIPE and
SIGTERM signals. The default handlers for SIGPIPE and SIGTERM simply
terminate the process so for a large number of extcaps there is no change.
If extcap does not finish within 30 seconds, it is forcefully terminated
using SIGKILL signal.
2022-08-10 06:18:15 +02:00
John Thacker 86c6509cf3 L2TP: Don't report Malformed Packet on ZLB messages
Don't have things that substantively affect dissection depend
on whether the tree is present or not. (It's not really necessary
to do all these checks anyway since items are faked.)

Prevents adding "[Malformed Packet]" to the Info column for all
Zero Length Body messages. One of the things mentioned in
issue #16565 (that patch was lost with Gerrit.)
2022-08-09 20:43:52 -04:00
John Thacker 787ecb7f1d file-jpeg: Reduce expert info to PI_PROTOCOL for Exif
Change the expert info for Exif files that have Exif instead
of JFIF in their first identifier fields from a PI_MALFORMED
to PI_PROTOCOL. It's not the correct protocol spec, but it's
common in Exif files and it doesn't make the dissector give up,
so PI_PROTOCOL is more appropriate.
2022-08-09 19:37:03 -04:00
John Thacker 678fba2bc9 TURN: Don't report bogus PDU lengths
Since STUN and TURN (and DTLS, RTCP) are multiplexed together,
using the non-heuristic TURN dissector with Decode As is not
usually the correct choice. However, if we're doing that, and
the packet doesn't look like a TURN packet, don't give a bogus
PDU length to the TCP dissector but instead take until the end
of the packet. Fix #16756
2022-08-09 23:03:40 +00:00
David Perry 8528f96ea4 Name `proto_nfs_unknown` as "Unknown NFS" 2022-08-09 19:42:55 +00:00
David Perry 43d499ca45 Use `register_dissector()` for more protocols 2022-08-09 18:50:08 +00:00
John Thacker 33a34aeec1 stun: Add some comments
Update the attributes to include four Google undocumented attributes
in the IANA registry. Add a comment about the Unassigned value that
was Data Indication in the TURN draft, and note that MS-TURN still
mentions it and some captures use it.
2022-08-09 07:42:05 -04:00
Chuck Craft ebb68e0b23 KINK: change default to IANA port 910 (RFC 4430)
Looks like the dissector was added with a draft of protocol before
the port was assigned - "KINK uses UDP on port [XXX -- TBA by IANA]"
2022-08-09 08:37:47 +00:00
Joakim Karlsson 318b969d1d GRE: forward GRE key to encapsulated data 2022-08-09 09:52:09 +02:00
John Thacker 203cd2cba9 prefs: More cleanup, auto prefs
Remove callback function from pref registrations for dissectors that
don't need a callback. In other dissectors, move registration that
only needs to be done once inside the check for initialization,
avoiding some console messages when preferences are changed
("Duplicate dissectors (anonymous) and (anonymous) for protocol...")
and the like.

Add a couple auto preferences for dissectors missed in previous waves.

Ping #14319
2022-08-09 06:21:05 +00:00
John Thacker 862803de5c HTTP2: Send headers to the follow tap after decompression
Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION
frames) are compressed by HPACK. Send them to the follow tap only
after decompression. Update the tests to match the new output.

Ping #18239 (There's still the case of gzip and brotli compressed
DATA frames to handle).
2022-08-08 23:50:20 +00:00