The basic idea behind this design is to have dissectors register with a "decode as list" with their name and dissector table. When "Decode As" dialog is launched, any "registered" dissector found in the packet will cause a tab to be created in the dialog.
This patch includes just the dissector portion of the functionality (minus packet-dcerpc.[ch] because it has hooks to the current GUI)
svn path=/trunk/; revision=53445
The intention is to aid in the removal of pinfo->private_data use as well as static global variables in a dissector. For now, all calls to call_ber_oid_callback have the data parameter set to NULL.
svn path=/trunk/; revision=52994
There seem to be several cases of proto_tree_add_string_format where a "string" value/filter doesn't really make sense because it's always empty, and is just being used as a "filterable subtree header (placeholder)". They appear to be more for "presense" than "value" and should probably be FT_NONE, although I'd almost argue for removing the filter in favor of proto_tree_add_text.
svn path=/trunk/; revision=52296
the same captured and reported lengths so that we don't end up throwing
BoundsErrors ("Packet size limited during capture") when the packet is simply
malformed.
This fixes one of the issues reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8816
svn path=/trunk/; revision=50055
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7359
The BER integer dissection routines take an hf_id, but that can be -1.
Only fetch the type (to check signedness) if hf_id >= 0, as otherwise this
causes a dissector bug. Default to signed if given no hf_id - I don't know
whether this should be unsigned or not, but the old behaviour was that
everything was signed so it's not a regression at least.
svn path=/trunk/; revision=49101
be done on flows from one address to another; reassembly for protocols
running atop TCP should be done on flows from one TCP endpoint to
another.
We do this by:
adding "reassembly table" as a data structure;
associating hash tables for both in-progress reassemblies and
completed reassemblies with that data structure (currently, not
all reassemblies use the latter; they might keep completed
reassemblies in the first table);
having functions to create and destroy keys in that table;
offering standard routines for doing address-based and
address-and-port-based flow processing, so that dissectors not
needing their own specialized flow processing can just use them.
This fixes some mis-reassemblies of NIS YPSERV YPALL responses (where
the second YPALL response is processed as if it were a continuation of
a previous response between different endpoints, even though said
response is already reassembled), and also allows the DCE RPC-specific
stuff to be moved out of epan/reassembly.c into the DCE RPC dissector.
svn path=/trunk/; revision=48491
indentation, whitespace, long-lines, etc.
Also;
- replace two usages of fprintf(stderr,...) by g_warning();
- revert incorrect replacement of FALSE by ENC_BIG_ENDIAN
done a while back (2 cases);
[The incorrect use of ENC_BIG_ENDIAN was benign since
ENC_BIG_ENDIAN is currently defined ad 0x0000000]
svn path=/trunk/; revision=45625
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.
tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.
My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.
The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.
svn path=/trunk/; revision=44802
Also (for a few files):
- create/use some extended value strings;
- remove unneeded #include files;
- remove unneeded variable initialization;
- re-order fcns slightly so prefs_reg_handoff...() at end, etc
svn path=/trunk/; revision=44438
implicitly by the #define name and string they were defined to; not all
UATs neatly fit into any of the categories, so some of them were put
into categories that weren't obviously correct for them, and one - the
display filter macro UAT - wasn't put into any category at all (which
caused crashes when editing them, as the GUI code that handled UAT
changes from a dialog assumed the category field was non-null).
The category was, in practice, used only to decide, in the
aforementioned GUI code, whether the packet summary pane needed to be
updated or not. It also offered no option of "don't update the packet
summary pane *and* don't redissect anything", which is what would be
appropriate for the display filter macro UAT.
Replace the category with a set of fields indicating what the UAT
affects; we currently offer "dissection", which applies to most UATs
(any UAT in libwireshark presumably affects dissection at a minimum) and
"the set of named fields that exist". Changing any UAT that affects
dissection requires a redissection; changing any UAT that affects the
set of named fields that exist requires a redissection *and* rebuilding
the packet summary pane.
Perhaps we also need "filtering", so that if you change a display filter
macro, we re-filter, in case the display is currently filtered with a
display filter that uses a macro that changed.
svn path=/trunk/; revision=43603
negative integers and integers up to MAXINT64. We still don't support
integers between MAXINT64 and MAXUINT64, which would be 9 bytes long.
svn path=/trunk/; revision=39673
which could be of arbitrary length - even if it's not supposed to be! -
as a value of some other type, by adding them as a registered field,
first check to make sure the length of the field is appropriate for the
type and, if not, show a dissection error, rather than showing a
dissector-bug assertion when we call proto_tree_add_item().
This fixes a bunch of dissector-bug assertions that show up with
malformed BER-encoded packets.
Also, fix a typo, and expand a comment.
svn path=/trunk/; revision=35330
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
the data source does not need to be allocated if (!tree).
Rev 30158 took the if (!tree) check out indicating that the check was invalid.
So: (since packet_add_new_data_source() now only calls add_new_data_source()),
remove packet_add_new_data_source().
svn path=/trunk/; revision=34717
http://seclists.org/bugtraq/2010/Sep/87 .
Unfortunately no one from the NCNIPC pen test team has contacted us or
provided a sample capture so the fix hasn't been verified.
svn path=/trunk/; revision=34111
back to and including my attempt to make it iterative. Move its guts
back into try_get_ber_length() and add a recursion level check.
This should fix CVE-2010-2284 and preserve existing behavior without
introducing any new regressions (such as bug 5000).
svn path=/trunk/; revision=33505
that out_tvb will always be set (the H.248 dissector does this, at
least). Make sure we do so. Do the same for
dissect_ber_constrained_octet_string().
svn path=/trunk/; revision=33354
GKeyFile (which is not available on Sparc Solaris) to a User Accessible
Table(UAT).
This also allows the user to manage the configuration from the Wireshark GUI
and select the associated syntax from a drop down list.
svn path=/trunk/; revision=33344
It allows the user to:
* Add names and/or syntaxes for OIDs that Wireshark doesn't natively understand
* Override the built-in OID names (e.g. change 'id-at-organization' to 'o')
* Use a special syntax, "ASN.1", that allows a value associated with an OID
to be dissected as "unknown ber". (This is a effectively a selective
version of the "Decode unexpected tags as BER encoded data" BER option.)
The configuration file is a glib key-value file, with the dotted OID used as
the group, and two keys defined, "name" and "syntax".
A configuration option is added to the BER preferences page. A single
configuration file may be specified, or a directory may be specified. If a
directory is specified, then the files with a ".oid" extension will be loaded.
An example configuration file:
[2.5.21.5]
name=attributeTypes
syntax=ASN.1
[2.5.21.6]
name=objectClasses
[2.5.21.7]
name=nameForms
[1.2.840.10040.4.3]
name=id-dsa-with-sha1
[2.5.4.6]
name=c
[2.5.4.10]
name=o
[2.5.4.11]
name=ou
[2.5.4.3]
name=cn
[1.3.32.0.2.0.4.66]
name=Unknown OID
syntax=PrintableString
[0.9.2342.19200300.100.1.10]
name=unknown dn
syntax=DistinguishedName
----
The list of known syntaxes is shown in the "Decode As ..." dialog when
examining a BER file.
svn path=/trunk/; revision=33300
Introduced some state to remember last dissected Tag/Length so that they can be recalled if an IMPLICIT tag is encountered and stripped. This allows its to be determined if the value has a constructed value - and so can be reassembled.
In this case, it is a IMPLICIT constructed OCTET STRING at the presentation layer.
Many thanks to Fred Gruman for identifying - and apologies for the delay in commiting.
svn path=/trunk/; revision=33048
col_clear.diff
Remove calls to col_clear :
- called twice.
- before functions which also clear the column
- by replacing col_clear + col_append_xxx with col_add_xxx
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4394
svn path=/trunk/; revision=31517
enumerated, sequence-of and set-of types.
Added BER functions to check for SIZE constraints and give expert info warnings.
svn path=/trunk/; revision=31309
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
meaning "to the end of the tvbuff"; we'd like to get rid of the "-1
means to the end of the tvbuff" convention, as in many cases the length
comes from a 32-bit length field in the packet, and we want 0xFFFFFFFF
to be treated, even on ILP32 platforms, as meaning "2^32-1 bytes",
probably giving an exception, rather than as "to the end of the packet".
svn path=/trunk/; revision=27945
The current dissection of GeneralizedTime in packet-ber does not consider all
the possibilities how this field can be constructed.
According to ITU-T X.680 this field can be encoded as
YYYYMMDDhhmmss([\.,]f{1,3})?(([+-]hhmm)|Z)?
This is a regex-like expression where each letter except the literal 'Z'
represents an ASCII encoded digit.
So far only the first 14 digits are dissected and the 15th character is put
into parentheses. This may not show all available information.
svn path=/trunk/; revision=24071
dissect_ber_boolean() to return a value and update asn2wrs to generate the new signature.
Regenerate all BER dissectors.
svn path=/trunk/; revision=24015
Uses the ber_callback mechanism to call the rtse oid callbacks, rather than the default ber oid callback list.
A couple of fixes to packet-ber.c to mark [in]direct references as present and call the ber_callback if it has been specified.
svn path=/trunk/; revision=23450
Since the use of the function 'dissect_ber_tagged_type' for DialoguePortion,
the file tcap.cnf must be updated to remove the decoding of the tag and length.
This decoding is now done in the new function 'dissect_ber_tagged_type'.
The file tcap.cnf has been updated to take into account this change.
But this leads to a change in tcap.asn too, for the definition of the
ExternalPDU.
I think this part of the ASN1 file is specific to Wireshark and can be
modified.
In the meantime, I did update the DEBUG part for packet_ber.c for the function
(dissect_ber_tagged_type)
svn path=/trunk/; revision=23442
- if offset is 0, tvb_length is the same as tvb_length_remaining, just faster.
Replace
- col_append_fstr() with faster col_append_str()
- col_add_str() with col_set_str()
when it's safe
svn path=/trunk/; revision=23252