- start decoding when we have eapol1+2 packets
Do not insist on a complete captured handshake, decode what we can.
- more robust way to detect eapol #2 packets
At least Win 10 is violating the spec on rekey by setting the secure
bit in #2. Unpatched version shows and handles #2 as #4, breaking
decoding after rekey.
- fixed eapol rekey key handling
Initial patch (see https://code.wireshark.org/review/8268)
is adding redundant keys, since it scans all the time
and not only once.
- ignore trailing garbage after eapol sections in frame
See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9065#c8
Included testcase to test decode for incomplete handshakes and eapol2
packets with secure bit set on rekey.
Ping-Bug: 9065
Change-Id: Id775088db9b5aaa80da9efdeed6902d024b5c0cd
Reviewed-on: https://code.wireshark.org/review/11484
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
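The message-2-versus-message-4 distinction described in the first commit above, as an added example in Python (not Wireshark's code): a naive classifier that keys on the Secure bit beside one that keys on the presence of key data, with the trailing-garbage tolerance the same commit mentions. Bit masks follow 802.11-2012; the sample frames and RSN IE are constructed, and using "key data present" as the 2-vs-4 discriminator is an assumed heuristic, not necessarily the exact check Wireshark adopted.

```python
import struct

# Key Information bit masks (IEEE 802.11-2012, 11.6.2.2)
KEY_INFO_KEY_TYPE = 0x0008   # 1 = pairwise (4-way handshake), 0 = group
KEY_INFO_INSTALL  = 0x0040
KEY_INFO_KEY_ACK  = 0x0080
KEY_INFO_KEY_MIC  = 0x0100
KEY_INFO_SECURE   = 0x0200

# EAPOL-Key fixed part (WPA2 descriptor, 16-byte MIC): descriptor type, key info,
# key length, replay counter, nonce, IV, RSC, reserved, MIC, key data length.
FIXED = struct.Struct(">BHHQ32s16s8s8s16sH")

def build_eapol_key(key_info, nonce=bytes(32), key_data=b""):
    """Construct a test EAPOL-Key body (descriptor type 2, zeroed MIC)."""
    return FIXED.pack(2, key_info, 16, 1, nonce, bytes(16), bytes(8), bytes(8),
                      bytes(16), len(key_data)) + key_data

def parse_eapol_key(body):
    """Return (key_info, key_data); bytes past key_data_len (trailing garbage) are ignored."""
    fields = FIXED.unpack_from(body)
    key_info, key_data_len = fields[1], fields[9]
    start = FIXED.size
    if len(body) < start + key_data_len:
        raise ValueError("truncated key data")
    return key_info, body[start:start + key_data_len]

def naive_message_number(body):
    """Pre-fix logic: the Secure bit alone decides between message 2 and 4."""
    key_info, _ = parse_eapol_key(body)
    if not key_info & KEY_INFO_KEY_TYPE:
        return None                        # group key handshake, not the 4-way
    if key_info & KEY_INFO_KEY_ACK:
        return 3 if key_info & KEY_INFO_KEY_MIC else 1
    return 4 if key_info & KEY_INFO_SECURE else 2

def message_number(body):
    """Robust logic (assumed heuristic): message 2 carries key data (the RSN IE),
    message 4 carries none, so the Secure bit is not consulted for 2 vs 4."""
    key_info, key_data = parse_eapol_key(body)
    if not key_info & KEY_INFO_KEY_TYPE:
        return None
    if key_info & KEY_INFO_KEY_ACK:
        return 3 if key_info & KEY_INFO_KEY_MIC else 1
    return 2 if key_data else 4

# Constructed samples: a rekey message 2 with the Secure bit set (the Windows 10
# behaviour the commit describes) plus two bytes of trailing garbage, and a message 4.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
REKEY_MSG2 = build_eapol_key(KEY_INFO_KEY_TYPE | KEY_INFO_KEY_MIC | KEY_INFO_SECURE,
                             nonce=bytes(range(32)), key_data=RSN_IE) + b"\xde\xad"
MSG4 = build_eapol_key(KEY_INFO_KEY_TYPE | KEY_INFO_KEY_MIC | KEY_INFO_SECURE)
```

Running naive_message_number on REKEY_MSG2 yields 4 (the misclassification that broke decoding after rekey), while message_number yields 2.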
It ends up dragging in libwireshark headers, which programs not linking
with libwireshark shouldn't do. In particular, including
<epan/address.h> causes some functions that refer to libwireshark
functions to be defined if the compiler doesn't handle "static inline"
the way GCC does, and you end up requiring libwireshark even though you
shouldn't require it.
Move plurality() to wsutil/str_util.h, so that non-libwireshark code can
get it without include epan/packet.h. Fix includes as necessary.
Change-Id: Ie4819719da4c2b349f61445112aa419e99b977d3
Reviewed-on: https://code.wireshark.org/review/11545
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I8bc9af431e70243b05f4f0ce8c2b8ee451383788
Reviewed-on: https://code.wireshark.org/review/11463
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Icc4bf0149af81c35bc6b615add473168600468fb
Reviewed-on: https://code.wireshark.org/review/11429
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I3e72fddc6ed380780d7e2e1c8df87e580138188d
Reviewed-on: https://code.wireshark.org/review/11271
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Replace CMP_ADDRESS, COPY_ADDRESS, et al with their lower-case
equivalents in the asn1 and epan directories.
Change-Id: I4043b0931d4353d60cffbd829e30269eb8d08cf4
Reviewed-on: https://code.wireshark.org/review/11200
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Assuming *any* of the routines that generate printable strings should be
thought of as "for internal use by libwireshark routines only, not by
dissectors", the ones that *are* used by dissectors obviously shouldn't
be. The ability for dissectors to register address types certainly
expands the list of routines they would use.
Move everything used by dissectors from to_str-int.h into to_str.h, and
have dissectors not include to_str-int.h.
(Perhaps we should just get rid of to_str-int.h altogether.)
Change-Id: I3c583351f038233c9bcd8f9216188f82630267fa
Reviewed-on: https://code.wireshark.org/review/11149
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do not leak the key and SSID. Note that there are still some leaks in
the GTK UI related to get_wireshark_keys(), but I did not track them
down.
Caught by LeakSanitizer.
Change-Id: I639166e6ea457605d6ae0ebd58e56d7594a7b7db
Reviewed-on: https://code.wireshark.org/review/10860
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
At that point, we've calculated COMPOSE_FRAME_TYPE(fcf) and stored it in
frame_type_subtype; use that variable.
Change-Id: Id15f55e77dd3072fa15f270ec02840b4299bd3a0
Reviewed-on: https://code.wireshark.org/review/10770
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix some indentation while we're at it.
Change-Id: Ic25bebadd8c2c3941e6f965b48e22a6a1aac6168
Reviewed-on: https://code.wireshark.org/review/10769
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix "a ,b" to "a, b" in both code and displayed output.
Indent continuation lines of multi-line statements.
Change-Id: Ic2d96a498fbb716fa2be23bcd94bed14b9df7823
Reviewed-on: https://code.wireshark.org/review/10746
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This currently only works for data frames. A Fixme is in place for
management frames.
Change-Id: I0a72a9a3e40cf8269856fbbcd97b270af422afa2
Reviewed-on: https://code.wireshark.org/review/10322
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
I now read 8.2.4.1.10 "Order field" in 802.11-2012 as saying that, in
management and QoS data frames, the Order bit shouldn't be set for
non-HT, non-VHT frames, so we can just test it for those frame types
without bothering to check the radio metadata to see if the frame is an
HT or VHT frame.
This handles cases where the radio metadata isn't complete, e.g. an HT
frame with a radiotap header but no MCS field.
Handle this for *all* QoS data frames when capturing.
Get rid of the "fixed-length link-layer header" stuff; it's not being
used.
Fix a case where we're appending text to a tree item without a space
separating it from the previous text.
Bug: 11351
Change-Id: I980f5b7509603b0c22c297fddc19434c08817913
Reviewed-on: https://code.wireshark.org/review/10288
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When parsing TDLS direct link packets, ToDS is 0 and FromDS is 0,
so Wireshark treats the 4th bit in QoS Control as "bit4", but it
should be treated as EOSP.
So the default case was changed to EOSP, and the bit is treated as
"bit4" only when ToDS is set.
Change-Id: Ie2a73320dc9921aed4547e32836e6cd7d89ef109
Reviewed-on: https://code.wireshark.org/review/10250
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
If you know the actual data length, use tvb_new_subset_length(); it will
use that as the *reported* length, which is how it *should* be used, and
will calculate the *captured* length for you as appropriate.
Change-Id: I86dde999f59fdfec58b118729b7b881737983033
Reviewed-on: https://code.wireshark.org/review/10260
Reviewed-by: Guy Harris <guy@alum.mit.edu>
being used to determine if we are dissecting 802.11ad in several places.
Since we now have a macro for testing that and the frequency is in the phdr
we really should use that. This also prevents problems during display filter
execution with respect to fields that are only present for 802.11ad.
Change-Id: Id04a31c15b04378b6b0f056baa1f37d94a65b71c
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-on: https://code.wireshark.org/review/10234
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Extracted from Joerg Mayer's Ixia-derived patch to 1.12 in bug 11464.
Most of the changes there are already in the trunk.
Change-Id: I90ba04e145ffb2b164810320e3510a5bed847ed4
Ping-Bug: 11464
Reviewed-on: https://code.wireshark.org/review/10243
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Instead of splitting the stats into two lists as with the GTK+ UI, add
everything to an expandable tree. This allows viewing nodes on more than
one network.
Rename the top-level Bluetooth menu item to Wireless and put the WLAN
stats dialog there.
The Qt UI matches SSIDs (WlanNetworkTreeWidgetItem::isMatch) a bit
differently than the GTK+ UI. Try to make the logic as plain as possible
since we'll likely have to update it in the future.
The addition of a custom BSSID address types means that we can't assume
that everything is AT_ETHER. Add routines for checking for broadcast
BSSIDs and comparing only the data portions of addresses.
Move PercentBarDelegate into its own module. Use it in
WlanStatisticsDialog.
Change-Id: Ie4214eb00671a890871380c4a07213ebfb7585c6
Reviewed-on: https://code.wireshark.org/review/10171
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Specifically:
- Replace/remove much of 'dissect_qos_capability()' code to use
existing 'fixed field' code to dissect QoS_Info field.
Note: Much of the code added in g40d6131 to dissect the QoS Info
field duplicated already existing (but unused) "fixed field"
code to do same.
- Rework some QoS Info field filter names, variable names and
value-strings to better match the text used in 802.11-2012.
- Rename 'dissect_qos_info()' to 'dissect_wme_qos_info()' to
reflect the fact that this code is only for the (now presumably obsolete)
original WME(WMM) specification for the QoS Info field.
Change-Id: Id89780dfe60b2e4c63332bdb946cc29c67b5127a
Reviewed-on: https://code.wireshark.org/review/9903
Petri-Dish: Bill Meier <wmeier@newsguy.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Bill Meier <wmeier@newsguy.com>
802.11 is overwhelmingly little-endian; change all 1-byte fields that
were ENC_BIG_ENDIAN to ENC_LITTLE_ENDIAN.
Change one ENC_BIG_ENDIAN MAC address to ENC_NA; byte order doesn't
apply to them.
The remaining ENC_BIG_ENDIANs should be checked.
Change-Id: I3dc51a5555b99c25dce0d3b7f3be4c441b13d1a3
Reviewed-on: https://code.wireshark.org/review/9890
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix spelling, get rid of period at end of some field names.
Change-Id: I1963cdc92657dca8708133796f8835bdffee0c47
Reviewed-on: https://code.wireshark.org/review/9888
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make all the multi-byte fields, except for OUIs, little-endian -
including fields that contain bitfields. Make the bits in the bitfields
little-endian as well.
For the "number of taps" bitfields, interpret the values.
Fix a typo ("pseduo" -> "pseudo").
The length of an OCT MMPDU is 16 bits, not 8 bits, and it's not a text
string, it's an octet string.
The Beacon Interval Control is 48 bits, not 64 bits.
Handle the beam refinement UI as a 2-byte field that overlaps with a
4-byte field - *none* of the bitfields align on nice 8-bit boundaries,
so that's the best we can do.
Bug: 11419
Change-Id: Ib00ad030ecb33cf676bec23c05b15a4211c75c07
Reviewed-on: https://code.wireshark.org/review/9886
Reviewed-by: Guy Harris <guy@alum.mit.edu>
though the spec (802.11ad-2012) says they are optional.
Communicated to me by the WiFi Alliance. I have captures. Not sure if I can
share them.
Change-Id: Id5998594214ac4b6a1d3baf3cb2f0d4fe6227b40
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-on: https://code.wireshark.org/review/9785
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
And only take into account management, non-null data and/or extension frames
in WLAN traffic statistics, as previously.
Bug: 11318
Change-Id: I32c059a2594331c4e317380b9de43fb582f7f8cb
Reviewed-on: https://code.wireshark.org/review/9566
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Change-Id: Id9409109ffe667d1f8b3201792f7b4146b1f73f5
Reviewed-on: https://code.wireshark.org/review/9582
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 89c24ee8e8.
Further investigation of unused functions required ....
Change-Id: I0c015cf067eaa0ce5bdafa0bce29bed373e9a82f
Reviewed-on: https://code.wireshark.org/review/9565
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Primarily:
Call fixed_field functions directly instead of doing a
linear search by "function number" in a large table
of dissector addresses to determine the function address
for each function call.
As part of this change, the order of certain fixed_field
functions was changed to fix any forward references.
Also:
Spelling
Whitespace
Change-Id: I9bb7e239086f9b65044929f2cb7e7f9d9b9adaee
Reviewed-on: https://code.wireshark.org/review/9563
Reviewed-by: Bill Meier <wmeier@newsguy.com>
This patch adds reassembly_table_destroy calls as cleanup function for
dissectors which have a simple init routine that just calls
reassembly_table_init (comments are ignored).
The changes were automatically generated using
https://git.lekensteyn.nl/peter/wireshark-notes/diff/one-off/cleanup-rewrite.py?id=4cc0aec05dc67a51926a045e1955b7a956757b5e
(with the if and assignment parsers disabled).
The only difference from the autogenerated output is that the XXX
comments from the init routines in smb-pipe and tds dissectors are kept.
Change-Id: I64aedf7189877247282b30b0e0f83757be6199e7
Reviewed-on: https://code.wireshark.org/review/9222
Reviewed-by: Michael Mann <mmann78@netscape.net>
Move a bunch of #defines that involve the frame control field to
packet-ieee80211.h and have the WLAN statistics tap use them rather than
hardcoded numbers.
Change-Id: I893cc50e546af67c910755357cefd86c39a1c783
Reviewed-on: https://code.wireshark.org/review/9476
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The low-order bit of the field indicates whether it's the HT or VHT
version.
Show subfields as part of a 32-bit bitfield; few subfields begin and end
on a byte boundary (the Link Adaptation Control field no longer does so;
its low-order reserved bit became the VHT flag).
Update references to the 11n spec.
Update a comment.
Change-Id: I9fcb99a5517afb319b67d4deb2355c7cb0be73b6
Reviewed-on: https://code.wireshark.org/review/9191
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rather than having a separate "802.11 HT" dissector, just look for the
802.11n (HT) PHY.
(As a side-effect, this also causes PPI HT frames to have the radio
information dissected by the wlan_radio dissector, as is the case with
other 802.11 frames accompanied by radio information.)
Change-Id: I854c42e19481a17767e64a3b92222b09dbaa02dd
Reviewed-on: https://code.wireshark.org/review/9185
Reviewed-by: Guy Harris <guy@alum.mit.edu>
parse_key_string reads from rec->string and rec->key (without
modifying those parameters), then returns a newly allocated
decryption_key_t struct which is not used except for reading the
type field. Release memory after copying that single field!
Change-Id: Iac19bea23dedb73cab9dd1ea09f98cc83556e96c
Reviewed-on: https://code.wireshark.org/review/9025
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Have dissectors of various forms of radio information headers in the
packets fill in a struct ieee_802_11_phdr with radio information as
appropriate, and call the "802.11 radio information" dissector rather
than the raw 802.11 dissector.
This means that the radio information can be found in a
protocol-independent and encapsulation-independent form when you're
looking at the packet; that information can be presented in a form
somewhat easier to read than the raw metadata header format.
It also enables having a single "radio information" tap that allows
statistics to handle all different sorts of radio information
encapsulation.
In addition, it lets us clean up some of the arguments passed to the
common 802.11 dissector routine, by having it pull that information from
the struct ieee_802_11_phdr.
Ensure that the right structure gets passed to that routine, and that
all the appropriate parts of that structure are filled in.
Rename the 802.11 radio protocol to "wlan_radio", rather than just
"radio", as it's 802.11-specific. Give all its fields "wlan_radio."
names rather than "wlan." names.
Change-Id: I78d79afece0ce0cf5fc17293c1e29596413b31c8
Reviewed-on: https://code.wireshark.org/review/8992
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Rather than accessing it through pinfo->pseudo_header, have it passed as
an argument.
This means we no longer tweak the pseudo-header filled in by libwiretap,
but instead construct our own pseudo-header, which is a bit cleaner.
It also opens up the possibility of other dissectors passing radio
information down to the 802.11 dissector, so it can display it in a
better-organized format than the raw metadata headers for
radiotap/PPI/Prism/AVS/etc., and having some of the options for 802.11
dissection (Atheros padding, Centrino stuff, etc.) also passed in
through that pseudo-header so we have fewer arguments to
dissect_ieee80211_common().
Change-Id: I470300a0407ebf029c542f7ca5878593563a70a9
Reviewed-on: https://code.wireshark.org/review/8980
Reviewed-by: Guy Harris <guy@alum.mit.edu>