handle the ..._CRC_DROPPED events
use pinfo->p2p_dir to store the direction
pass a boolean 'crc_dropped' to the sub-dissectors for message types
subtree for an ISO1443 message
dissect most components of most messages
Change-Id: I2570dd4d941e5db7fa541723b70ccad6ce70ab49
Reviewed-on: https://code.wireshark.org/review/11912
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
HS20 Release 1 and Release have added some new fields. Decode them
properly.
Change-Id: Ia9bdaa3422d3f10119d42ec53ad6c9e4915578b8
Reviewed-on: https://code.wireshark.org/review/11870
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Picking off "easy" dissectors that only have one or two exit points at most.
Change-Id: I96aa9cf53533cbb07105aa400d42922baf3016b3
Reviewed-on: https://code.wireshark.org/review/11860
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Until now, it is not possible to use the IANA-assigned protocol values in a Wireshark plugin.
This commit exports them for use on Windows machines.
As discussed on http://seclists.org/wireshark/2015/Nov/88
Change-Id: I22adc33accf5d776bd3e5cc0899d3c5b9e9d531c
Reviewed-on: https://code.wireshark.org/review/11874
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
A DTLS capture from Jitsi Videobridge for Windows x64 (v519) using a
(patched?) BouncyCastle 1.51.0 exposed the odd behavior where the
ProtocolVersion from the record layer was always fixed to DTLSv1.2 while
the server agrees to use DTLSv1.0.
This resulted in a Malformed packet dissection of the ServerKeyExchange
message which mistakenly expects a SignatureAndHash field. Fix this
by using the protocol version from the ServerHello. Keep the fallback
in case a capture starts in the middle of a SSL conversation.
(Also display "DTLS" instead of "SSL" when the version is not yet
determined for DTLS packets.)
Bug: 11709
Change-Id: I0719977e3b2208da1960121b01dc109fa76bfcb6
Reviewed-on: https://code.wireshark.org/review/11821
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The SslSession struct contains a "version" field for displaying
purposes in the protocol column while the SslDecryptSession struct
has a "version_netorder" field for use in TLS hash functions (for
secrets calculations).
As these are strongly associated with each other, remove the
version_netorder field and its associated constants, let the SslSession
version field store this value instead. All SSL_VER_* are renamed to
appropriate *_VERSION macros (via search & replace), SSL_VER_UNKNOWN
is kept though.
The PCT and SSLv2 protocols had no wire value (*_VERSION), so
SSL_VER_PCT and SSL_VER_SSLv2 are assigned with some arbitrary values.
Warning: external plugins using the ssl_set_master_secret function
must now pass the wire version (TLSV1_VERSION) instead of the (now
removed) internal macros (SSL_VER_TLSv1).
Change-Id: Icd8ef15adae9c62eb21eab1c3b812166e451936f
Reviewed-on: https://code.wireshark.org/review/11820
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
If we ever change the way file writers work, in a fashion incompatible
with the existing way they work, we'll also rename this member - and get
rid of checks for earlier versions of the Lua interface.
Change-Id: I64065944fa31371f5249cafd930c18f180ad7299
Reviewed-on: https://code.wireshark.org/review/11879
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Picking off "easy" dissectors that only have one or two exit points at most.
Change-Id: Ie514f126352e7598acc4f7c38db9c61d105d5e48
Reviewed-on: https://code.wireshark.org/review/11850
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
A similar issue was discussed and fixed for IP Flags in d051e79a
(svn revision 33264).
Change-Id: I532f51e813aee707b9573537cb8fbdb823158a61
Reviewed-on: https://code.wireshark.org/review/11817
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Added a check for nil valuestring for all ProtoField integer types
to avoid lookup when argument is not set.
Change-Id: Ib4c016b69ee77dbea4bb83ac93c0d9ae9f48f236
Reviewed-on: https://code.wireshark.org/review/11845
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
A zero checksum is not illegal in IPv6/UDP when in a ICMPv6 packet.
Change-Id: I07acc874d2385992089ef3ebc7a82e853904ecfc
Ping-Bug: 6232
Reviewed-on: https://code.wireshark.org/review/11808
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Picking off "easy" dissectors that only have one or two exit points at most.
This concludes a "first pass" over the dissector directory.
Change-Id: If5ce5484214be50fe541cba478da1de62e354297
Reviewed-on: https://code.wireshark.org/review/11830
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
A ProtField type FRAMENUM cannot fetch value from a Tvb.
Change-Id: Iff0f6df8b00445855c9030dcfa753daa62262171
Reviewed-on: https://code.wireshark.org/review/11832
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Picking off "easy" dissectors that only have one or two exit points at most.
Change-Id: I25fe6a0aac93980333217d007702799d16946563
Reviewed-on: https://code.wireshark.org/review/11816
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The ack symbol is for the Address PDU beeing acked.
Also use the DUP_ACK symbol for P_Mul's Ack-Ack.
Change-Id: I3da616e95e9c2cf889b1e4e4c0570ab0c276a2d2
Reviewed-on: https://code.wireshark.org/review/11819
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The ack symbol is for the Message, Report or Notification beeing acked.
Change-Id: I5ef99b9e7830f437278af18e681f8200fab6c3d4
Reviewed-on: https://code.wireshark.org/review/11818
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Change-Id: I0d0c1a3dde14d9817aef28352081dfbfbac6c9fb
Reviewed-on: https://code.wireshark.org/review/11774
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Picking off "easy" dissectors that only have one or two exit points at most.
Change-Id: I3d5e576b796556ef070bb36d8b55da0b175dcba8
Reviewed-on: https://code.wireshark.org/review/11805
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
CMake's Visual C++ generator creates projects that compile with the
Debug configuration by default, which defines _DEBUG. Fix DEBUG_DUMP's
declaration so that we compile in that case.
While we're here note that the "airpd" prefix isn't limited to AirPcap,
so we might want to change it accordingly.
Change-Id: I5476f28c63020f0f66ee9128731bc4b3dc720765
Reviewed-on: https://code.wireshark.org/review/11787
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If we encounter the wrong ftype, print its name.
Change-Id: I7405ccdd3e099f533c6a8aaf81b60faf4093741a
Reviewed-on: https://code.wireshark.org/review/11790
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
also sets the last_field flag to true if it's the end of the buffer.
Change-Id: I135d052fce04807ce61b5feb9af121ff4528f595
Reviewed-on: https://code.wireshark.org/review/11731
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This is a dissector for the ISO14443 protocols between a contactless
smartcard and a card reader.
The overall approach is similar to DVB-CI. We have a pseudo-header in
front of the captured data that has information about the type of the
captured data and the direction.
For now, the dissector registers itself by name so it can be linked to a
user-DLT. I am applying for an official DLT.
Change-Id: I9c4a28ef5b220f205baf58381bf1962996887a9d
Reviewed-on: https://code.wireshark.org/review/11663
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
format_text() is specifically intended to handle strings when displaying
them to the user; code such as AirPDCap, which doesn't display strings
to the user, should be handed the raw SSID.
Put in a comment indicating what we probably *should* be doing here.
Bug: 11685
Change-Id: Ic30114c35d1d8f3d791ae904e33a4d81ddc215ec
Reviewed-on: https://code.wireshark.org/review/11757
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug:11685
Change-Id: Ibe7a2909f0aed33fa35685ac5c8e0e1a8a626742
Reviewed-on: https://code.wireshark.org/review/11652
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The functions str_to_ip() and str_to_ip6() are not yet exposed to plugins so
they cannot be used there.
Now they are added to the plugin API.
Change-Id: I9df267934ad43887a6326c8c9a1a666f263c08a2
Reviewed-on: https://code.wireshark.org/review/11728
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I7f5724e263ab81d42421d0cfcb1fc4b63a55d79e
Reviewed-on: https://code.wireshark.org/review/11590
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
accept the node key as a first parameter.
wmem_tree accepts all sort of keys (strings, integers, soon ranges),
thus it is of interest for various purposes (testing, greedy search) to
know the key of the node.
Change-Id: Ie748b917bef91f0b1ba8cce15bd1b471922641dc
Reviewed-on: https://code.wireshark.org/review/11683
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I24185128e664a0f7cc2b59d5d653582cddd04df1
Reviewed-on: https://code.wireshark.org/review/11686
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Added IP address and port number to the comp_req_list_entry so
get_mfn_from_fn_and_reqid can check for matching IP and port number
when searching for the reply to a request.
Change-Id: Iad00bca5c1104cf8c335001f84264fe55d2e45fc
Reviewed-on: https://code.wireshark.org/review/11599
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Checking WIRESHARK_ABORT_ON_DISSECTOR_BUG here looks somewhat redundant but it's not:
it's needed to prevent REPORT_DISSECTOR_BUG() from throwing an exception when
we're not dissecting (when nobody's going to catch the exception).
Change-Id: I4dfc484bdf13bca236bfff1388d4399e26880ad7
Reviewed-on: https://code.wireshark.org/review/11272
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ib9719ac893288b9f26acabb81158ed42b2351fb5
Reviewed-on: https://code.wireshark.org/review/11572
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ie6f28fd749219ddadc53820f94866e91cca297cb
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/11596
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
It doesn't actually *close* any handle, so it's best called a "finish"
routine rather than a "close" routine.
In libwiretap modules, don't bother setting the finish routine pointer
to null - it's already initialized to null (it's probably best not to
require modules to set it).
Change-Id: I19554f3fb826db495f17b36600ae36222cbc21b0
Reviewed-on: https://code.wireshark.org/review/11659
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I28ce51f3c06f78b85792bce4a13ef39eb75d7890
Reviewed-on: https://code.wireshark.org/review/11648
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Martin Kaiser