Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 24380 is at indices 72 (DF.MExE) and 78 (DF.MexE)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 24384 is at indices 73 (DF.EIA/TIA-533) and 80 (DF.WLAN)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 20233 is at indices 194 (EF.EFSUPI_NAI) and 198 (EF.PBC)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 20234 is at indices 195 (EF.Routing_Indicator) and 199 (EF.PBC1)
New vendor IDs up to June 22, 2022 have been added.
Decoding of the optional description field in BACnet SC BVLC's has been fixed.
Decoding of the extended event parameters has been fixed.
This patch improves the uat config checking for SOME/IP:
- detecting simple endless loops
- better error output on faulty configs
- using uat resets to fix crash on faulty configs
For the top-level item for an extension, initially create it with a
length of "to the end of the packet" and, when we finish dissecting it,
set the length appropriately. That way, if the length is too large, we
don't throw an immediate exception, making it a little clearer what's
happening.
When dissecting an authentication extension, construct the text of the
top-level item as we dissect it, and initially create it with a length
of "to the end of the packet" and, when we're finished dissecting it,
set the length appropriately. That way, we don't throw an exception
before doing any dissection if the data for the item isn't all there, we
only throw an exception when we run out of data, and we also don't try
to add the data unless there is at least one byte of data.
The latter of those fixes #18181.
Port 45564 is not IANA registered for Apache. The heartbeat
messages all start with the same 8 character ASCII delimiter
string, so use that for heuristics.
Treat all 4 octets of the control field as a single little-endian value
divided into bitfields. We already showed *some* subfields as
bitfields; this means we show *all* of them that way.
That makes the display more clearly show which bits in those octets
correspond to which fields.
It also fixes the dissection of the type field; we have separate
bitfields for I frames (1-bit bitfield) and S and U frames (2-bit
bitfield).
Use proto_tree_add_item_ret_uint() to fetch the values other than the
frame type value.
Fixes #18167.
Strengthen the DCP-ETSI (TS 102 821) heuristic from matching
two bytes to matching four bytes. Split the heuristic and
non-heuristic dissector pieces, and add the non-heuristic
dissector for Decode As.
KNX/IP has an IANA registered port, 3671, and some other ports commonly
used but unregistered (or registered to other services). It also has
no heuristics. Add a port range preference defaulting to the registered
port.
tplink-smarthome uses a port registered by IANA to another application.
At least add a heuristic; since the message is always JSON, we
can decode and test the first two characters.
USB 2.0/1.1/1.0 devices (or 3.x and newer when connected to hosts that
are not Super-Speed capable) operate at one of three speeds:
* Low-Speed (1.5 Mbps)
* Full-Speed (12 Mbps)
* High-Speed (480 Mbps)
Supporting speed specific linktypes allows speed specific dissection
without the need for user to manually set the speed.
After implementing RFC 7983, the STUN dissector will reject
DTLS and [S]RTP packets even in non-heuristic mode. Since
the dissector is more discriminating, it is safe to set
the conversation dissector after receiving any valid STUN
packet, not just specifically a TURN packet.
This makes dissection work better on some captures that have
some TURN ChannelData messages along with STUN packets in
the other direction, but lack the packets that set up the
TURN Channel. In turn, that allows the Decode As setting to
be configured for RTP, which has a weaker heuristic dissector
than STUN. Fix #18148.
This code adds more robust handling of smaller issues with PTP messages,
like a missing 2-step flag of a not quite correct implementation of
802.1AS and improves 1-step support.
Changes:
- Handle 1-step syncs in analysis.
- Handle missing 2-step flag on pDelay more robust and warn in analysis.
- Handle missing F'up TLV in 802.1AS Sync more robust and warn.
Reject the previous reserved and unassigned TURN channels and
STUN methods restricted by RFC 5764 and RFC 7983 to allow
multiplexing of STUN with DTLS-SRTP (and ZRTP) on the same
addresses and ports. (As an exception, allow the special MS
Multiplex TURN channel value.) Earlier versions of the specs
had these as unassigned (or did not support TURN Channels), and
no implementation has used them.
This prevents the STUN dissector from claiming RTP packets
going to the same port as set for STUN by Decode As, and should
allow us to set the STUN dissector as the dissector for a conversation
on UDP if we see any STUN message, not just a TURN message type.
- Declare a separate type for the IPv6 TLV MAC address, otherwise its
filter key is `ieee1905.ipv4_type.mac_addres` instead of the expected
`ieee1905.ipv6_type.mac_addres` one which is confusing
- Fix label for `hf_ieee1905_ipv6_type_count` to read "IPv6 address count"
instead of the wrong "IPv4 address count"
- Parse the IPv6 link local address which appears between the EUI-48 and
the IPv6 address count in IPv6 type TLVs, without that, valid IPv6 TLVs
are wrongly parsed and reported as malformed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MS-IMPLEMENTATION-VERSION is not a duplicate of MS-VERSION, and
has a different interpretation. MS-VERSION is the version number
of MS-TURN, its values described in 2.2.2.17 of its spec, and
MS-IMPLEMENTATION-VERSION is the version of MS-ICE2, its values
described in section 3.1.5.2 of its spec.
The latter indicates whether the STUN message format must be that of
Internet-Draft behave-rfc3489bis-02 (that is, roughly the final
form of classic STUN, also used in MS-TURN) or whether that of
RFC 5389 is also supported.
HTTP chunked transfer encoding can have lots of chunks, and calling
the data dissector for each individual chunk adds a large number of
layers to the frame and doesn't really make sense. (As opposed to
calling the data dissector on the reassembled data if we can't handle
the content type, which does make sense.) In particular, this can
cause a failed assertion by adding more layers than
PINFO_LAYER_MAX_RECURSION_DEPTH.
Just add each data chunk as a FT_BYTES item. Fix #18130.
This change fixes a segmentation fault core dump in tshark/Wireshark
when loading a pcapng file that contains the packet verdict option.
This problem got introduced in the commit mentioned below.
Fixes: 030b06ba3c ("pcapng: write packet and Netflix custom blocks the same as other blocks.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This dissector is for the control messages of the GRE bonding protocol by
Huawei. These messages are encapsulated in GRE and can appear on both/all
bonding links.
During development, I made heavy use of traffic for Deutsche Telekom Hybrid
service. Therefore, it also supports the first version which did not have an
IEEE assigned ethertype.
By adding signal aggregation the time to change profiles changed
dramatically. This is due to unregistering header fields being a very
slow operation and for aggregation each signal line did not lead to 2
but to 5 hfs.
Unregistering header fields for 150k signal example config (debug build):
- 3.6: 50s
- 3.7: 592s (9:52!!!)
This patch brings the time back to 50s, if no aggregation is configured.
Use host byte-order with AT_NUMERIC to make it more generic
and practical.
Change openSAFETY to pass addresses in host byte-order (the
previous code assumed they were in little-endian).
Plus a few cleanups.
The previous output was missing some fields under some conditions, and
some output text was wrong. This ended up in big confusion when looking
at the fields. Let's add the missing fields, fix the existing ones and
provide better formatting of the strings to understand which exact field
provides the info.
ETSI TS 24.380 section 8.2.3.4 specifies that:
"The <Reject Phrase> value is a text string encoded the text string
in the SDES item CNAME as specified in IETF RFC 3550."
This does not mean that SDES type and length files are necessary,
only applies in the encoding of the text string.
After parsing a Topology Descriptor at the start of a request
or reply command, reset the left and right bracket counters
before going back to the top of the loop to parse the next
command, just like how done at the end of the while loop with
a normal command.
Prevents marking as malformed packets which have a Topology Descriptor
followed by a single command (e.g. Move) without any trailing
descriptors, and hence no more left brackets.
Trying to parse LUS and LNS files if the protocol version
was "A1" led to them being marked as malformed packets.
This is because protocol version A1 LUS and LNS files do
not have the exception timer field. So to fix it, we check if
the protocol version is not A1, and only if it isn't do we try to
parse the exception timer field.
Because completed reassemblies are hashed in the reassembled_table for
all the frame numbers that contributed fragments,
fragment_get_reassembled_id() works wherever fragment_get_reassembled()
does, and also works where the fragment id is not the frame number.
However, since the reassembled_table hash key only depends on the
fragment id and the frame number, it only allows a frame to have
one reassembly with a given fragment id. Some protocols can have
more than one reassembly with a given fragment id (that differ on
addresses or other keys), such as GSM SMS, and the wrong reassembly
is retrieved on the second pass in those cases.
For this reason, we might want to add additional key elements to
reassembled_table, such as layer number. fragment_get_reassembled_id
already takes packet_info as a parameter and can accommodate that
without further changes, but fragment_get_reassembled cannot, so
remove the latter in favor of the former.
If we get into the dissect_tftp call, we must have either matched
a WRQ/RRQ at some point and created a wildcarded UDP conversation,
or we matched the TFTP port. While it is contrary to the spirit
of RFC 1350 for the server not to switch ports, it basically works
and the port is IANA assigned, so it doesn't do harm to process these.
In the heuristic dissector, of course, we don't do this.
The conversation code doesn't automatically fill in wildcarded
ports for UDP (since it's connectionless), and the wildcarded
find_conversation call in the TFTP dissector was twisted around
so it didn't actually fill in the second port before anyway.
Filling in the server port would make sense, but then the necessary
logic to find the right conversations would be more complicated.
(The default find_conversation logic prefers any conversation with
both ports to a wildcarded conversation, but the TFTP dissector would
then want the most recent conversation, whether wildcarded or with
both ports.)
These packets were handled prior to the 3.6 changes. Fix #18122
Unlike most of the FC fields, Track info participant type string file
padding is not considered in the dissector. This causes that all the FC
message dissection fails when the string contains padding.
According to ETSI TS 24.380 Section 8.2.3.13:
If the length of the <Participant Type> value is not a multiple
of 4 bytes, the <Participant Type> value is padded to a
multiple of 4 bytes. The value of the padding bytes is set to zero.
The padding bytes are ignored by the receiver.
Use the proper encoding instead of ENC_ASCII when displaying the
individual parts of a reassembled unpacked 7-bit GSM alphabet
SM, just as when displaying each fragment.
SMPP only has the number of octets of the message payload, but
with packed 7-bit GSM with a UDH, there are fill bits after the
UDH before the message (to align the message start with a septet
boundary), and we need to calculate the number of septets.
Handle UDH-like information (ports and fragmentation info) that is sent
in TLVs instead of in a UDH, passing it to the gsm_sms_ud dissector.
Allow message_payload TLV to substitute for short_message when allowed.
Warn with expert info when both fields are present.
Skip over a UDH, if present, when converting the short message to text
using the encoding.
Fix #2161.
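The fill-bit and septet arithmetic described above for packed 7-bit GSM with a UDH, as an added example (not Wireshark code). The function names are hypothetical, the sample UDH and text are constructed, and septets are mapped with `chr()`, which is only valid for the letters and digits that share code points with ASCII.

```python
def pack_septets(septets, bit_offset=0):
    """Pack 7-bit values LSB-first, starting bit_offset bits into the buffer."""
    acc = 0
    for i, s in enumerate(septets):
        acc |= (s & 0x7F) << (bit_offset + 7 * i)
    nbits = bit_offset + 7 * len(septets)
    return acc.to_bytes((nbits + 7) // 8, "little")


def build_payload(udh, text):
    """Constructed-sample helper: UDH octets, fill bits, then packed text."""
    septets = [ord(c) for c in text]
    if not udh:
        return pack_septets(septets)
    start = ((8 * len(udh) + 6) // 7) * 7      # next septet boundary after the UDH
    payload = bytearray(pack_septets(septets, start))
    payload[:len(udh)] = udh                   # UDH occupies the leading octets
    return bytes(payload)


def decode_short_message(payload, has_udh):
    """Recover the septet count and text when only the octet count is known."""
    udh_octets = 0
    if has_udh:
        # UDHL is the first octet and does not count itself.
        if not payload or payload[0] + 1 > len(payload):
            raise ValueError("UDHL runs past the end of the short message")
        udh_octets = payload[0] + 1
    udh_bits = 8 * udh_octets
    fill_bits = (7 - udh_bits % 7) % 7         # pad the UDH to a septet boundary
    start = udh_bits + fill_bits
    avail = 8 * len(payload) - start           # bits left for message septets
    n_septets = max(avail, 0) // 7
    acc = int.from_bytes(payload, "little")
    text = "".join(chr((acc >> (start + 7 * i)) & 0x7F) for i in range(n_septets))
    return {
        "udh": payload[:udh_octets],
        "fill_bits": fill_bits,
        "septets": n_septets,
        "text": text,
        # When the last septet exactly fills the final octet, the octet count
        # alone cannot tell whether it is text or seven bits of padding.
        "ambiguous_tail": n_septets > 0 and avail % 7 == 0,
    }


if __name__ == "__main__":
    udh = bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x01])  # constructed concatenation UDH
    print(decode_short_message(build_payload(udh, "hello"), has_udh=True))
    print(decode_short_message(build_payload(b"", "abcdefg"), has_udh=False))
```
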
Use protocol data to reduce the amount of parameters passed back and
forth.
replace_sm can have a TLV (message_payload) (at least in 5.0), so
check for that.
The UDH parsing in the gsm_sms dissector is much more complete
than the one in gsm_sms_ud, so use that one and get rid of the
redundant fields. Add in the option to pass in the UDH field
data to the dissector instead, since there is an option to transmit
the ports and fragment information as TLVs in SMPP.
Rather than using three mutually exclusive booleans for the
encoding, use the existing enum, adding entries to distinguish
UCS2 from 8 bit binary and to support GSM 7-bit unpacked in a
more natural way.
Update the list of possible UDH IEs. Include some rudimentary decoding
of the Language Shift IEs, though actually implementing the different
encodings is an entirely different beast.
The DCS in SMPP has many reserved values, and only can take a few
possibilities from the GSM DCS (and cannot be interpreted as Cell
Broadcast DCS.) Remove unused DCS fields and add others that are
missing.
Determine the proper text encoding for the values from 3GPP TS 23.038
DCS with the high two bits set.
Add support for EUC-KR. Add a preference for GSM 7-bit alphabet packed
versus unpacked for the DCS values that unambiguously indicate the
7 bit alphabet (unlike DCS 0).
If the SOME/IP-SD message is broken, it could have happened that the
parsing stopped on the option and did not go back to the entry parsing.
This patch makes this code more robust.
Some AT commands and responses need context to be parsed correctly.
For example AT+CGMI's and AT+CGSN's responses are arbitrary strings
without "AT+" or "+" prefix (So saving the command is needed).
Another use case is when a command/response is followed by its data in
the following line, like AT+CGML (SMS content's listed in the line after
the "+CGML" line).
The implementation utilizes the USB conversation of the session to
pass information between packets.
Every new packet takes a 'snapshot' of the data stored in the conversation
before starting to parse and re-uses it when parsing & re-parsing of
that packet occurs.
When desegmenting, don't add [TCP segment of a reassembled PDU] to
the INFO column if we've already dissected a complete PDU in this
frame. This is for the same reasons that we set a fence in the INFO
column and set the PROTOCOL column to be not writable. It's not
of particular interest that this frame also contains the start of
a new PDU when the INFO column has information about a complete
higher level PDU. The information about the other PDU is contained
in the tcp tree elements.
Fix #15494
In the case where the beginning of a TCP segment does not continue
a higher-level PDU, but the end of the segment is the beginning of
another PDU, we don't need to create the MSP for the second PDU
after the first time we visit the packet. However, we do want to
retrieve that MSP for determining in which frame the second PDU
was reassembled.
Make "Reassembled PDU in frame:" messages be added in that case
like it already is for other frames with MSPs.
TCP can contain multiple PDUs of the next layer protocol, and the
subdissector (or further subdissectors called from it) can change
the addresses and ports. However, the addresses and ports are used
for the desegmentation tables at the TCP level, as well as for
various purposes in encapsulated protocols.
Restore the addresses and ports values of packet_info before each PDU,
and in desegment_tcp after returning from a subdissector. When leaving
desegment_tcp ensure that the addresses and ports are set to whatever
they were after the last subdissector call that successfully
desegmented a PDU.
Fix #2345. Fix #9782.
The test for "old_len" with a reassembled MSP has never been accurate
for out of order reassembly, where it caused additional data requested
to be taken from the end of the current frame instead of from the
correct portion of the reassembled MSP, which could be from an
out of order frame (later in sequence, but arrived earlier.)
The test is unnecessary - the other case, where we need more data
but there's more in the current frame is already handled by looping again.
This fixes reassembly where TCP is out of order and those out of order
segments don't align on PDU boundaries. Fix #13317.
Also fix a minor issue in the same situation where the length of the
current segment was indicated incorrectly for out of order frames
contributing to multiple MSPs.
When processing segments out of order in TCP, it is possible to
get new segments that fill a sequence gap and be able to dissect
at least one PDU but need more data for additional PDUs (that have
data from the contiguous stream bytes.) We can only determine this
after passing the reassembled segments to the subdissector first.
To keep dissection and layer numbers consistent between passes,
split the multisegment PDU, keeping the already dissected PDU(s) in
the current reassembly and creating a new MSP for the parts not yet
dissected.
Update the dissection test to enable the currently skipped test that
require MSP splitting and remove test_tcp_out_of_order_twopass_with_bug
Introduce Wireshark specific enum to facilitate USB speed specific
dissection. Any similarity of actual enum values with any protocol
is coincidence and should not be relied upon.
Rename speed defines in USBIP dissector to not collide with Wireshark
USB speed enum. The values used in USBIP are implementation specific.
Allow user to set capture speed in USBLL dissector preferences. Use the
selected speed in USB dissector to sanitize endpoint maximum packet size
value based on speed specific requirements from USB 2.0 specification.
Close #18062
Switch the non-endpoint *_by_id conversation routines to use element
lists. Change the ID type from guint32 to guint64. None of them used the
address+port option flag arguments, so remove them.
The new TECMP release renames as follows:
- Capture Module -> Device
- Channel -> Interface
Header fields (incl. filters) and Config UATs are affected.
This patch updates the TECMP dissector with 1.6 and 1.7 changes.
Changes:
- Multiple new flags for CAN, CAN-FD, FlexRay, LIN, Analog, etc.
- Reordering of flags
- Additional data units for Analog
- New Header CRC and Frame CRC for FlexRay (1.6 change)
- New CRCs for CAN and CAN-FD (1.6 change)
- Deprecated the removed Analog Threshold Undershot/Exceeded flags,
since they were removed
This patch does not include the renaming to Device and Interface.
packet-smc.c:722:4: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-smc.c:887:4: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:1099:13: warning: Value stored to 'tag' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:1100:13: warning: Value stored to 'len' is never read [deadcode.DeadStores]
packet-catapult-dct2000.c:3076:21: warning: Value stored to 'sub_dissector_result' is never read [deadcode.DeadStores]
Extract Method for multiple message of SDP Media Attribute to simplify things and Make processes clearer.
dissect_sdp_media_attribute_rtpmap
dissect_sdp_media_attribute_fmtp
dissect_sdp_media_attribute_path
dissect_sdp_media_attribute_h248_item
dissect_sdp_media_attribute_crypto
The original function remains unchanged.
When there are a lot of if-else branch judgments, the table-driven method can be used to optimize to facilitate subsequent maintenance.
The original function remains unchanged.
DVB-S2X has two possible meanings of the rolloff factor, with
different value strings. Only add the correct one as part of the bitmask,
instead of always adding it twice, once with the low value string and once
with the appropriate value string.
In some cases the available information on packets were not displayed.
This change displays this information. Some code formatting and
variable renaming was also done.
Using a similar strategy to ce087027ef we
group conversation and pdata use by the layer depth we are decoding.
This now decodes EAP-TLS within TEAP (and should work for TTLS and PEAP)
More fine tuning of the SMC-Rv2 support, and add the support to show
the GID list in a CLC proposal message.
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Add SMCRv2 clc proposal/accept/confirm and decline support.
Proposal and decline parsing routines are used by SMC-R(v2) and SMC-D(v2).
Enhance the existing SMC protocol dissector in such
a generic way that it supports both SMC-R(v2) and SMC-D(v2)
protocols. These two protocols are similar to each other.
SMC-D and SMC-R has a version 1 and version 2.
Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
The existing PEAP support does not decode the inner attributes, this
commit adds that support by introducing packet-peap.c which recreates
a 'pseudo' EAP header before looping the TVB back into the EAP dissector.
Decode TEAP's O-flag.
We also update the diagram and references as PEAPv0 has a different view
of how the flags are used compared to the RFCs and drafts.
Prepare for adding reusing code where only descriptive name differs.
But the numbers are encoded using the same rules.
"E.164 number (MSISDN)" & "E.164 number (ISDN)" for example.
The End of LLDPDU TLV is optional, and should not be marked as malformed even if missing.
Resolve it by checking whether the total length of each TLV reaches the total length of TVB.
Close #18029
- The latest version of the Wi-SUN FAN specification has added
a number of Information Elements that need to be supported by
the dissector.
- Following changes and additions have been included:
- New Header IEs: LUTT, LBT, NR, LUS, FLUS, LBS, LND, LTO, PANID
and RT.
- New Payload IEs: POM, LCP, LFNVER and LGTKHASH
- New frame types: LFN PAN Advertisements, Solicits and time
synchronization frame types.
- Update to the channel spacing names to incorporate the new
ones defined in FAN 1.1
The handshake hash is used to derive TLS decryption keys when the
Extended Master Secret (EMS) extension is in use.
ssl_calculate_handshake_hash updates this hash only when the master
secret has not been determined yet.
During TLS renegotiation, there are two master secrets: one before, and
one after. Before this fix, the second calculated master secret is
wrong because the second Client Hello is missing in the handshake hash.
It was missing because the handshake hash was not being updated since
the master secret for the first handshake was still present, and the
decryption state was only reset after that hash update.
To fix this, make sure to clear the SSL_MASTER_SECRET flag before
updating the handshake hash when needed. Additionally, clear the
handshake hash when processing the Client Hello just to make sure that
any previous state is gone.
Fixes #18059
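A toy model of the ordering problem described above, as an added example (not Wireshark code): the class, function names and handshake bytes are constructed, a boolean stands in for the SSL_MASTER_SECRET flag, and the model assumes the transcript is discarded once a master secret has been derived. The session hash and "extended master secret" derivation follow RFC 7627 with the TLS 1.2 SHA-256 PRF.

```python
import hashlib
import hmac

CLIENT_HELLO, SERVER_HELLO, CLIENT_KEY_EXCHANGE = 1, 2, 16  # TLS handshake types


def handshake_msg(msg_type, body):
    """Handshake header (type + 24-bit length) followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def extended_master_secret(pre_master, session_hash):
    """PRF(pre_master_secret, "extended master secret", session_hash)[0..47]."""
    seed = b"extended master secret" + session_hash
    out, a = b"", seed
    while len(out) < 48:                       # RFC 5246 P_hash with HMAC-SHA256
        a = hmac.new(pre_master, a, hashlib.sha256).digest()
        out += hmac.new(pre_master, a + seed, hashlib.sha256).digest()
    return out[:48]


class HandshakeTracker:
    def __init__(self, fixed):
        self.fixed = fixed
        self.have_master_secret = False        # stands in for SSL_MASTER_SECRET
        self.transcript = b""                  # bytes feeding the handshake hash

    def _update_hash(self, msg):
        # Rule from the commit message: update only while no master secret is known.
        if not self.have_master_secret:
            self.transcript += msg

    def feed(self, msg_type, body, pre_master):
        msg = handshake_msg(msg_type, body)
        if msg_type == CLIENT_HELLO and self.fixed:
            self.have_master_secret = False    # clear the flag first ...
            self.transcript = b""              # ... and drop any previous state
            self._update_hash(msg)
        elif msg_type == CLIENT_HELLO:
            self._update_hash(msg)             # skipped on renegotiation: flag still set
            self.have_master_secret = False    # state reset happens too late
        else:
            self._update_hash(msg)
        if msg_type != CLIENT_KEY_EXCHANGE:
            return None
        session_hash = hashlib.sha256(self.transcript).digest()
        self.have_master_secret = True
        self.transcript = b""                  # model assumption, see lead-in
        return extended_master_secret(pre_master, session_hash)


# Constructed sample: initial handshake and a renegotiation on one connection.
HANDSHAKES = [
    ([(CLIENT_HELLO, b"ch-1"), (SERVER_HELLO, b"sh-1"),
      (CLIENT_KEY_EXCHANGE, b"cke-1")], b"\x01" * 48),
    ([(CLIENT_HELLO, b"ch-2"), (SERVER_HELLO, b"sh-2"),
      (CLIENT_KEY_EXCHANGE, b"cke-2")], b"\x02" * 48),
]


def dissect(fixed):
    """Master secrets the tracker derives for each handshake."""
    tracker, secrets = HandshakeTracker(fixed), []
    for messages, pre_master in HANDSHAKES:
        for msg_type, body in messages:
            secret = tracker.feed(msg_type, body, pre_master)
            if secret is not None:
                secrets.append(secret)
    return secrets


def reference():
    """Master secrets the endpoints derive: the hash covers each full handshake."""
    out = []
    for messages, pre_master in HANDSHAKES:
        transcript = b"".join(handshake_msg(t, b) for t, b in messages)
        out.append(extended_master_secret(pre_master, hashlib.sha256(transcript).digest()))
    return out


if __name__ == "__main__":
    print("before fix:", [a == b for a, b in zip(dissect(False), reference())])
    print("after fix: ", [a == b for a, b in zip(dissect(True), reference())])
```
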
All currently supported Linux distributions have a version greater
than 1.11.0 (and our macOS and Windows versions are also much greater),
and this allows us to use nghttp2_hd_inflate_hd2(), which replaced the
deprecated nghttp2_hd_inflate_hd()
Add a "section number" field to wtap_rec, with a presence flag, and
provide the section number (0-based) for pcapng files.
Display it (1-based) if present.
Extract Method for multiple message parsing for tpdus to simplify things for future bug fixes and to make the code logic clearer.
Encapsulate the following functions:
dissect_gtp_tpdu_by_handle
dissect_gtp_tpdu_as_pdcp_lte_info
dissect_gtp_tpsu_as_pdcp_nr_info
Note: The original code function is not changed.
Libgcrypt 1.8.x is required for a large amount of decryption
support and is the current LTS version of libgcrypt. The 1.6 and
1.7 series have been end-of-life since 2017-06-30 and 2019-06-30,
respectively.
The Linux distributions that have versions of libgcrypt before 1.8.0
are nearing or at end of support (RHEL7, SLES 12, Debian stretch,
Ubuntu 16.04LTS) and can be supported by the Wireshark 3.6 LTS release
series.
Remove an enormous amount of ifdefs based on libgcrypt versions
1.6.0, 1.7.0, and 1.8.0. There will be a second pass for the
common defines HAVE_LIBGCRYPT_AEAD, HAVE_LIBGCRYPT_CHACHA20, and
HAVE_LIBGCRYPT_CHACHA20_POLY1305, which are now always defined.
The ISAKMP dissector has some comments noting that some workarounds
were used for libgcrypt 1.6 that aren't needed with 1.7; perhaps
that could be updated now.
Conversations start at SMD-S and are continued with SMD-C frames
Added CRC information to proto_data of conversation for mCRC calculation
Continue checksum calculation for faulty fragments
Reassembly information added to info column
Reworked packet_direction
This implements parsing the packets in tls-crypt mode. Parsing is very
limited since tls-crypt encrypts the packets. Since detecting tls-crypt
is not easy apart from two tls-crypt-v2 specific opcodes, it is a preference
that needs to be explicitly set.
Add the length check of dissecting BER integers, int64, and booleans, the expert info is added for bad lengths, includes the name of the field and actual length.
Related to #18005
Move the assumption for WHOIS responses to UTF-8 (which is backwards
compatible with ASCII), and add an expert info regarding that
assumption. There is no indication for encoding in the protocol.
Using Show Packet Bytes is sufficient for most purposes, but someone
could add a preference if desired.
The WHOIS and finger dissectors wait to dissect at FIN, but they
need to actually dissect at FIN (or at reassembled out of order
segments after FIN) on the first pass instead of returning without
dissecting.
Only add data reassembled at FIN to the tree if it was actually
reassembled at the FIN frame; if it was reassembled in the first pass
at a later frame due to out of order segments, it will be added there.
In addition to fixing first pass dissection, this also fixes the
case where the FIN segment is the first segment with data. Fix #18037.