An entire pcapng file is dissected as a unit, so there's only one file;
the "file_number" field counts Section Header Blocks, so it's a section
number, not a file number. Rename it to "section_number".
Change-Id: I3ee477c9aa0ee4cdfa7496935b2be915c31a4644
Reviewed-on: https://code.wireshark.org/review/36977
Reviewed-by: Guy Harris <gharris@sonic.net>
Provide Doxygen comment blocks for unit string and true false string
helper functions.
Change-Id: I70801561e9cd3ead5e3417ea9d297d828105f3d0
Reviewed-on: https://code.wireshark.org/review/36968
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Only use proto_tree_add_bytes_item() if you
1) are processing a hex string rather than binary byte array;
2) need the raw byte data.
While we're at it, fix the encoding argument in some calls adding
FT_BYTES fields to be ENC_NA, and, for some cases that could use
FT_UINT_BYTES, use proto_tree_add_item_ret_uint() to handle the length
and add a comment about that.
Change-Id: I6a1baca5c7da3001c0a6669f9c251e9773346c8c
Reviewed-on: https://code.wireshark.org/review/36967
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Modified the peekremote dissector to support the 11ax flag in the extended
flags (one reserved bit set to 1 for ax and 1 for 160 MHz). Also added
constants for new data rates MCS 10-11. When the 11ax flag is on,
decode the PHY as 11ax (11ax PHY is a different commit already in the
main code since November 2019).
Bug: 15740
Change-Id: Ida7977cdbbd5c83d2158115d9560c5acc815eab9
Reviewed-on: https://code.wireshark.org/review/36686
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Group them by the data types for which they're used, starting with the
byte-order definitions which (with the inclusion of ENC_NA) are used
with all types.
Put all the ones used for strings together, starting with the character
encodings, with the Zigbee flag and the flags for "this is a string but
we're going to interpret it as a byte array or time stamp".
Make ENC_CHARENCODING_MASK equal to ENC_STR_MASK; no, there's no reason
for ENC_STR_MASK to replace ENC_CHARENCODING_MASK - the opposite should
happen, as ENC_CHARENCODING_MASK at least specifies what the bits set in
it are used for, namely character encodings. If all #defines for
strings should have _STR_ in them, start with the character encodings.
Change-Id: I072420f313086153b4ea4034911fc293453dea00
Reviewed-on: https://code.wireshark.org/review/36962
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Rework the method verifying if there are more data in packed attribute.
The new version checks if there are any non-zero bits after the current bit in the
packet. If it sees some non-zero bits - that means there is some data in the
packet. If there are zero bits only - that means there is no more data in the
packet.
Changes affect the RTSP/SDP dissector and they are specific to the
SDP media attribute (a) fmtp/sprop-parameter-sets for the H264 protocol.
Bug: 16322
Change-Id: Ic4768c56f16b79cbf2ccac8a9736f8fa15043224
Reviewed-on: https://code.wireshark.org/review/36899
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
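
Added example (not the Wireshark code and not part of the commit): the "any non-zero bits after the current bit" check described in the commit message above, including the partial-byte edge case. The function name, the MSB-first bit numbering and the "strictly after" reading are assumptions; the sample bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Hypothetical helper: returns true if any bit strictly after bit_offset
 * is set. Bits are numbered MSB-first, so bit 0 is the top bit of buf[0].
 * Returns false when bit_offset is the last bit or lies past the buffer.
 */
bool more_data_after_bit(const uint8_t *buf, size_t len, size_t bit_offset)
{
    if (buf == NULL || len == 0)
        return false;

    size_t next = bit_offset + 1;            /* first bit to examine */
    size_t byte = next / 8;
    if (next < bit_offset || byte >= len)    /* wrap-around or past the end */
        return false;

    /* Keep only the bits of this byte at position (next % 8) and later. */
    uint8_t mask = (uint8_t)(0xFFu >> (next % 8));
    if (buf[byte] & mask)
        return true;

    /* Remaining whole bytes: any non-zero byte means more data. */
    for (size_t i = byte + 1; i < len; i++)
        if (buf[i] != 0)
            return true;

    return false;
}

/* Constructed sample: bits 1011 0000 0000 0000. */
static const uint8_t sample_bits[2] = { 0xB0, 0x00 };
/* Constructed sample: only the very last bit is set. */
static const uint8_t sample_last[2] = { 0x00, 0x01 };
```
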
parameter 'ti' not found in the function declaration [-Wdocumentation]
Change-Id: I4080cf118c3a81fd47fd4c32e8809d83256893dd
Reviewed-on: https://code.wireshark.org/review/36955
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit adds a basic dissector for ScyllaDB RPC protocol.
ScyllaDB (www.scylladb.com) is a No-SQL database serving multiple
client protocols (e.g. CQL). The newly introduced dissector
provides a way to inspect Scylla's internal protocol, used by
the nodes to communicate with each other - share data, gossip
the cluster state, update the schemas, etc.
This dissector implements only a shallow dissection of most packets,
i.e. recognizing the packet type. Two requests with deeper dissection
are MUTATION and READ_DATA, used by I/O operations in the database.
Bug: 16471
Change-Id: Ibba8262bd4e5a637b24b3e7846c42c6534ef811b
Signed-off-by: Piotr Sarna <sarna@scylladb.com>
Reviewed-on: https://code.wireshark.org/review/36633
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Add some ENC_ values for various flavors of packed BCD, and use that
instead of explicitly calling tvb_bcd_dig_to_wmem_packet_str() and
adding the result.
Change-Id: I07511d9d09c9231b610c121cd6ffb3b16fb017a9
Reviewed-on: https://code.wireshark.org/review/36952
Reviewed-by: Guy Harris <gharris@sonic.net>
It has to be initialized to false, otherwise you get random misreported
cycles.
Change-Id: I1ffa1f8fae4883960ebf0522e44bc9e1378b2470
Reviewed-on: https://code.wireshark.org/review/36939
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add support to the MSRP dissector to reassemble messages from multiple
packets.
Bug: 8270
Change-Id: I464c91b2e6e3c4edc242b3e2f52a8febc455e5ae
Reviewed-on: https://code.wireshark.org/review/36894
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A retransmitted ChangeCipherSpec could result in resetting the cipher.
The subsequent Finished message and application data messages would
therefore fail to decrypt. In legitimate TLS sessions, there should not
be a CCS without starting a new handshake, so that remains unaffected.
To ease debugging this issue, log the packet number and add some extra
details to the debug log. Move or remove ssl_packet_from_server calls to
avoid redundant work and to keep the debug log cleaner.
Additionally, try harder to dissect handshake messages if we know for
sure that they are decrypted. This allows inspection of a broken
Finished message that had a too large fragment length.
Tested with a private capture file from Stig Bjørlykke.
Change-Id: If6f15f8b72c467ea9ef15ddcaf2c5ebe980c27c8
Reviewed-on: https://code.wireshark.org/review/36929
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The IEEE 1278.1-2012 spec for DIS (Distributed Interactive Simulation)
specifies the format of Articulated Part VP record as:
   8 bits   Record Type        enum
   8 bits   Change Indicator   unsigned integer
  16 bits   ID                 unsigned integer
  32 bits   Parameter Type     enum
  32 bits   Parameter Value    floating point
  32 bits   Padding            unused
(Section 6.2.94.2)
The dissector was interpreting the last 64 bits as one value; this patch
fixes it to interpret it as a 32-bit float and 32-bit padding.
Change-Id: Id509715f02daeecf12e3094fc1ed63e81705852b
Reviewed-on: https://code.wireshark.org/review/36922
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
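
Added example (not the Wireshark dissector and not part of the commit): a bounds-checked parser for the 16-byte Articulated Part VP record laid out in the commit message above, reading the last 64 bits as a 32-bit float followed by 32 bits of padding. The struct and function names are hypothetical, fields are read big-endian (DIS uses network byte order), `float` is assumed to be IEEE 754 binary32, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ART_PART_VP_LEN 16u   /* 8 + 8 + 16 + 32 + 32 + 32 bits */

/* Hypothetical struct; field order follows the commit message. */
struct art_part_vp {
    uint8_t  record_type;
    uint8_t  change_indicator;
    uint16_t id;
    uint32_t parameter_type;
    float    parameter_value;
    uint32_t padding;
};

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if fewer than 16 bytes remain at offset off. */
int parse_art_part_vp(const uint8_t *buf, size_t len, size_t off,
                      struct art_part_vp *out)
{
    if (buf == NULL || out == NULL || off > len || len - off < ART_PART_VP_LEN)
        return -1;

    const uint8_t *p = buf + off;
    out->record_type      = p[0];
    out->change_indicator = p[1];
    out->id               = rd_be16(p + 2);
    out->parameter_type   = rd_be32(p + 4);

    /* 32-bit value only: copy the bit pattern into a float. */
    uint32_t raw = rd_be32(p + 8);
    memcpy(&out->parameter_value, &raw, sizeof raw);

    out->padding          = rd_be32(p + 12);   /* unused, kept for inspection */
    return 0;
}

/* Constructed sample: type 0, change 1, ID 2, parameter type 4107,
 * value 1.5f (0x3FC00000), zero padding. */
static const uint8_t sample_vp[ART_PART_VP_LEN] = {
    0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x10, 0x0B,
    0x3F, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
```
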
The headers for UFTP version 4 contain a header length field which gives
the length of the header in 4 byte words. Currently, only the raw value
is displayed, not the actual byte count (for example 4 instead of 16).
Several headers contain a timestamp field composed of 4 byte seconds and
4 byte microseconds since the UNIX epoch. These are currently being
interpreted incorrectly as nanoseconds instead of microseconds.
The FILEINFO header contains a file timestamp field composed of 4 bytes
seconds since the epoch that is currently displayed as a raw value
instead of as a timestamp.
Change-Id: I936eb5317ca6802a094d8c1e01ae8ae78bb5cb7c
Reviewed-on: https://code.wireshark.org/review/36910
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Add proto_item_get_display_repr(), which returns a string, allocated
with a specified wmem scope, containing the display representation of
the value of a proto_item.
Use it in the LLDP dissector, to append that string to the parent
protocol tree item; use packet scope, so it doesn't hang around forever
(the previous code used the NULL scope, meaning explicit freeing was
required, but it wasn't explicitly freeing the value, so it was
leaking).
Change-Id: I146380118833b1daef9dea8bd9463001e5b9325f
Reviewed-on: https://code.wireshark.org/review/36931
Petri-Dish: Guy Harris <gharris@sonic.net>
Reviewed-by: Guy Harris <gharris@sonic.net>
true_false_strings have no helper function to properly retrieve the
string representing the true or false value, much like unit_strings,
even though this is not uncommon in dissectors.
This change introduces the helper function and modifies the dissectors,
so that they use this helper i.s.o. their own expressions.
Change-Id: I477ed2d90a9a529fc5dcfef7e3ea42ec180d27ae
Reviewed-on: https://code.wireshark.org/review/36920
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Don't use hf_text_only. For the protocol tree items that are just
subtrees, use proto_tree_add_subtree(); for the emergency call numbers,
give them real FT_STRING fields, using tvb_bcd_dig_to_wmem_packet_str().
Change-Id: I721271e26502abce8d8ce2375fc0916c0de586e6
Reviewed-on: https://code.wireshark.org/review/36928
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Otherwise values look confusing since at first glance they look like hex
values, for instance "-22cB".
Change-Id: I8ce3c108876f5acd65c5d6418c18ce43f618eb25
Reviewed-on: https://code.wireshark.org/review/36907
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Distinguished Name (AFI 17) is not a widely used address family, but
there is ongoing work in the LISP IETF working group to standardize its
use within the LISP control plane protocol. The encoding is quite
simple; it's just a zero-terminated ASCII string. Details can be found
in the following IETF draft:
https://tools.ietf.org/html/draft-farinacci-lisp-name-encoding
Change-Id: I701f54d0c5e95b14ad48030935eb059bd68c9a0e
Reviewed-on: https://code.wireshark.org/review/36892
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix the field length of "Length of Destination Interface
field" and "Length of Network Instance field", which should
be two octets long but are only one in the current code.
Change-Id: Id303b92812bb2551ec570ec807d602d0fb44f27a
Signed-off-by: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
Reviewed-on: https://code.wireshark.org/review/36908
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add more tabs and fix some type mismatches.
Add some expert info for widely used flags.
Add dissection of FRACSEC in milliseconds if it is possible.
Change-Id: Ic681a69e0659c6b6e33f77a8016e14708a7dca08
Reviewed-on: https://code.wireshark.org/review/36888
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fixing two issues:
1. Dissecting each item in the content list is off by 4 bytes,
so the content type, the offset and the length are all
incorrect.
2. When the content item is a HOLE the length should be 8 bytes
not 4.
Also, simplifying the dissect_nfs4_read_plus_content function
to dissect only the contents of each item instead of the whole
list and then use dissect_rpc_array function to dissect the
array of content items.
Bug: 16499
Change-Id: Ia5c9929366cb35ab5d1646219c9b56f6051c4ff5
Reviewed-on: https://code.wireshark.org/review/36861
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
packet-mac-lte.c:4370:7: warning: no previous prototype for function 'get_dual_conn_phr_num_c_bytes' [-Wmissing-prototypes]
Change-Id: Ifb585026610b4b2f100f60e4b20278d986775d3a
Reviewed-on: https://code.wireshark.org/review/36896
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
packet-lwm2mtlv.c:476:6: warning: no previous prototype for ‘lwm2m_allocate_fields’ [-Wmissing-prototypes]
packet-lwm2mtlv.c:518:25: warning: no previous prototype for ‘lwm2m_search_float_resources’ [-Wmissing-prototypes]
packet-lwm2mtlv.c:535:25: warning: no previous prototype for ‘lwm2m_search_fields’ [-Wmissing-prototypes]
packet-lwm2mtlv.c:558:6: warning: no previous prototype for ‘lwm2m_free_fields’ [-Wmissing-prototypes]
Change-Id: Ib62ed48b68c6eb28e1372466ceef6a2a118ebe1c
Reviewed-on: https://code.wireshark.org/review/36897
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Ethernet frame padding for short frames _should_ be zeros. Replace
the assume_padding preference with the padding preference that by default
will only consider consecutive zeros long enough to reach the minimum
Ethernet length to be padding. The old behaviors are preserved:
Never (old FALSE) and Any (old TRUE - old default).
The old behavior broke some trailer dissectors when the trailer was
added before the determination of needing padding was made. Thus the
Ethernet dissector would consume some of the trailer as padding.
Bug: 16481
Change-Id: I6b9e1d26d07d84cb768eece5e44412e23dfe37ca
Reviewed-on: https://code.wireshark.org/review/36691
Reviewed-by: Jason Cohen <kryojenik2@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If the packet containing the content type header is missing, the stream
can be dissected by using Decode As.
Change-Id: I40c57e34971c9eee3d694975262dd7b3c7b3ef89
Reviewed-on: https://code.wireshark.org/review/36852
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It has header_added, but the header is UDP, not IP.
Change-Id: I1a4e6f0bf655f0764abdd8c45582dd9dcbc7686c
Reviewed-on: https://code.wireshark.org/review/36880
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Register the DVB-CI dissector by name in addition to linking it to
the DVB-CI DLT.
This makes it easier for fuzzshark to find the dissector.
Change-Id: Ieda150a9ad573a59e2dfcce97a4a1b17a0d66d93
Reviewed-on: https://code.wireshark.org/review/36886
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Fix some field names
- Use BASE_UNIT to display field units
Bug: 16494
Change-Id: I004c720bb53fd8afe64494d2574efc137ca94ccf
Reviewed-on: https://code.wireshark.org/review/36874
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the Wi-Fi Agile Multiband Technical Specification it is specified that
'BSS Transition Candidate List Entries' found in WNM Transition
management request/response action frame may contain WFA vendor
specific element.
Bug: 16494
Change-Id: Ifa7a2b1a6da48e6d4920e896340c3671cfb9625e
Reviewed-on: https://code.wireshark.org/review/36871
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When present in WNM Transition management request, 'BSS Termination
Duration' has the same format as the sub element in neighbor report
element and not just a single 64-bit value.
Bug: 16494
Change-Id: I3a5a0659fa9e81e97de7a99fea2cffa6a58eea0e
Reviewed-on: https://code.wireshark.org/review/36870
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>