The Access-Network-Information AVP (AVP code 1263) is an instance of the
SIP P-header "P-Access-Network-Info". There is a dissection function for
P-Access-Network-Info in the SIP dissector, add it to the header and use
it for the DIAMETER AVP.
Some example captures of DIAMETER show the IMEISV in User-Equipment-Info
being BCD encoded (as commonly seen in other protocols.) If the number
of octets used is 8, assume it is BCD encoded. If the number of octets
used is 16, assume it is ASCII. Otherwise, set an expert info for the
wrong length like the other types.
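The length-based choice described in the commit message above, as an added C example; it is not the dissector's code. The function name, return codes, sample value and the low-nibble-first digit order (as in 3GPP TBCD) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: IMEISV digits "3512340123456789" packed as BCD. */
const unsigned char SAMPLE_BCD[8] = {
    0x53, 0x21, 0x43, 0x10, 0x32, 0x54, 0x76, 0x98
};

/* Returns 0 and writes 16 digits plus NUL to out on success, -1 for a
 * length that is neither 8 (BCD) nor 16 (ASCII), -2 for a non-digit value.
 * Assumption: BCD digits are packed low nibble first. */
int decode_imeisv(const unsigned char *buf, size_t len, char out[17])
{
    size_t i;

    if (len == 8) {
        for (i = 0; i < 8; i++) {
            unsigned lo = buf[i] & 0x0f, hi = buf[i] >> 4;
            if (lo > 9 || hi > 9)
                return -2;
            out[2 * i] = (char)('0' + lo);
            out[2 * i + 1] = (char)('0' + hi);
        }
    } else if (len == 16) {
        for (i = 0; i < 16; i++) {
            if (buf[i] < '0' || buf[i] > '9')
                return -2;
            out[i] = (char)buf[i];
        }
    } else {
        return -1;   /* caller reports the wrong length */
    }
    out[16] = '\0';
    return 0;
}
```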
Use the defined constants to verify the lengths of the MAC, EUI64, and
MODIFIED_EUI64 types. Correct the length of the Modified EUI64 type,
as it is also 8 bytes, the same as EUI64 (there must have been confusion
with IPv6 addresses, which contain a Modified EUI64 in their 8 least
significant bytes.)
This adds the ISTA Availability Window element, the RSTA Availability
Window element and the Secure LTF Parameters element, as well as the
TB Specific Subelement.
Change-Id: Iaa6517c6dcd4fafc7d588cb69d71ad4b968f1b5a
The LAC, RAC, SAC, and TAC tend to be defined in ASN.1 as OCTET STRINGS
of lengths 1, 2, or 3. It generally makes sense to dissect them as
FT_UINT[8,16,24], as appropriate, with BASE_DEC_HEX instead of as FT_BYTES,
so standardize on that. See commit d6f91a7ca4
for similar work for S1AP.
This conforms more to D3 of 802.11az and I cleaned up the handling of
authentication frames. I also reworked the handling of PASN parameters
since they were not quite right.
Change-Id: I5356561da0fec223090f4c2e9f32de7b920693cb
RTPproxy: update list of errors according to commit
sippy/rtpproxy@b9d7b4ced2.
Change-Id: I885edb02a7e74240627d68ece5c1d12d45081048
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
The GTK key provided in FT BSS Transition IE is encrypted. Update
dot11decrypt engine to return the decrypted key for dissection.
Change-Id: Id31a8cf77e12568f2e449470822a64792895673c
Both subset_find_guint8() and subset_pbrk_guint8() pass the parent
tvbuff to tvb_find_guint8()/tvb_ws_mempbrk_pattern_guint8(), along with
the offset in that tvbuff.
That means that the offset they get back is relative to that tvbuff, so
it must be adjusted to be relative to the tvbuff *they* were handed.
For subsets of frame and "real data" tvbuffs, there's a single lump of
data containing the content of the subset tvbuff, so they go through the
"fast path" and get the offset correct, bypassing the broken code;
that's the vast majority of calls to those routines.
For subsets of *composite* tvbuffs, however, they don't go through the
"fast path", and this bug shows up.
This causes both crashes and misdissection of HTTP if the link-layer is
PPP with Van Jacobson compression, as the decompression uses composite
tvbuffs.
Fixes #17254 and its many soon-to-be-duplicates.
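The coordinate mix-up described in the commit message above, as an added toy model in C; it is not Wireshark's tvbuff code. `struct view`, `parent_find` and both `subset_find_*` functions are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Toy model: a view is a window onto a parent buffer. */
struct view {
    const unsigned char *parent_data; /* parent's backing bytes */
    size_t parent_len;
    size_t sub_offset;                /* where the window starts in the parent */
    size_t sub_len;                   /* window length */
};

/* Search the parent from abs_off for at most limit bytes. Returns a
 * parent-relative offset, or -1 if the byte is not found. */
static long parent_find(const struct view *v, size_t abs_off, size_t limit,
                        unsigned char needle)
{
    if (abs_off > v->parent_len) return -1;
    if (limit > v->parent_len - abs_off) limit = v->parent_len - abs_off;
    const unsigned char *p = memchr(v->parent_data + abs_off, needle, limit);
    return p ? (long)(p - v->parent_data) : -1;
}

/* Buggy: hands the parent-relative result straight back to the caller. */
long subset_find_buggy(const struct view *v, size_t off, unsigned char needle)
{
    if (off > v->sub_len) return -1;
    return parent_find(v, v->sub_offset + off, v->sub_len - off, needle);
}

/* Fixed: translate the result back into the subset's own coordinates. */
long subset_find_fixed(const struct view *v, size_t off, unsigned char needle)
{
    if (off > v->sub_len) return -1;
    long r = parent_find(v, v->sub_offset + off, v->sub_len - off, needle);
    return r < 0 ? -1 : r - (long)v->sub_offset;
}

/* Constructed sample: an HTTP request line sitting 6 bytes into the parent. */
static const unsigned char SAMPLE[] = "\x21\x45\x00\x00\x2f\x01GET / HTTP/1.1\r\n";

struct view sample_view(void)
{
    struct view v = { SAMPLE, sizeof SAMPLE - 1, 6, sizeof SAMPLE - 1 - 6 };
    return v;
}
```

On the sample, the buggy lookup for `'\r'` returns 20 for a 16-byte subset, an offset past its end; the fixed one returns 14.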
The length specified in a TvbRange is the *actual packet length*, not
the *sliced-to* length, so use tvb_new_subset_length() to cut it short.
This fixes the fix for #15655, and addresses at least some of the issues
in #17255.
Changes:
- epan/follow.c: follow_conv_filter_func has new parameter
epan_dissect_t *edt, so filter can be generated based on decoded tree
of packet below the cursor
- menu Follow/SIP Call is enabled when sip packet is selected
- value of sip.Call-ID is used as filter for SIP call
- for sharkd it generates filter just 'sip.Call-ID' with no value
Add DissectorTable.try_heuristics(name, tvb, pinfo, tree). Previously,
there was no way for a Lua plugin to run an existing heuristic
dissector.
Based on Gerrit change 18718. Closes #17220.
Update display name of the nordic_ble dissector to the release used
by Nordic Semiconductor for the development tool on the homepage.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Introduce a new TCP preference to allow the user to choose the
precedence between Fast Retransmission or Out-Of-Order. When
performing the SEQ analysis, ambiguous packets will be considered
with the chosen priority, helping in the final interpretation.
Closes #15987
This patch adds a dissector for PDUs based on signals. On CAN,
FlexRay, etc. data is transported in PDUs that are based on
signals. These signals are typically an arbitrary number of bits.
This dissector allows:
- Parsing configured signals (shortened datatypes too)
- Scaling and moving signals values (compu scale)
- Naming signal values (compu consts)
- Filtering on the scaled and raw value
The dissector supports:
- Signal PDUs over CAN
- Signal PDUs over FlexRay
- Signal PDUs over SOME/IP
- Signal PDUs over PDU-Transport
- gvsp: Fixed some GenDC container header related endianness bugs
(flipped bits in dissector)
- gvsp: Added support for GenDC meta-data decoding
- gvsp, u3v: Added support for all newly defined pixel formats
- its: Removed redundant code (possible search and replace error)
Now we ignore random packets and also correctly recognize server
responses in cases where the client uses the same port numbers as
the server for its TFTP or other conversations
As of now a plugin subdissector can register itself for byte or string type only.
This change adds an option to allow a plugin to register a subdissector for any protobuf field.
This subdissector will be able to dissect a protobuf field on top of the existing dissector for that field.
SASL Buffer starts after the SASL Buffer Length field. Therefore
we should only mark the bytes without the Length field.
Sample capture can be found in wireshark/wireshark#15128
As of now GTP dissector provides option to decode T-PDU data ether, async, and with some heuristics.
But there is no option present to decode a new protocol with a plugin.
This change adds an option to decode T-PDU data with a plugin, to help develop and test new protocols that are
encapsulated as GTP T-PDU data.
* Since c3342930 we don't free anymore the entries in the files hashtables.
The cleanest solution is probably to convert these hashtables into two
wmem_map_t structures and let the wmem core handle any cleanup.
* b0f5b2c174 added support for chained compression; the uncompressed
tvb must be freed
guint64 is *not* guaranteed to be an unsigned long int; on an ILP32
platform, it *can't* be a long, as that's only 32 bits. Use
G_GUINT64_FORMAT to format guint64 values.
The Linux kernel includes a module called psample which sends sampled
packets to user-space over generic netlink.
This patch adds a dissector for these netlink packets.
The dissector is expected to be invoked by the generic netlink dissector and
during its hand off routine it adds an entry in the 'genl.family' dissector
table.
The various netlink attributes are dissected by calling
dissect_netlink_attributes(), in a similar fashion to the rtnetlink and
net_dm dissectors. The sampled packet itself is encoded in the netlink
attribute 'PSAMPLE_ATTR_DATA' and dissected by invoking a dissector from the
'sll.ltype' dissector table based on the packet's protocol which is
encoded in the 'PSAMPLE_ATTR_PROTO' attribute.
Signed-off-by: Amit Cohen <amcohen@nvidia.com>
Extended sequence number added to info structures.
Extended timestamp (from 32 to 64 bit) calculation added and added to
info structures.
Both values simplify calculations in rest of the code - we don't have
to care about wraparound. Code will be adapted later.
It is invalid to assume that every unknown and/or vendor specific
traffic is IPPUSB. If a vendor specific class is indeed IPPUSB then
the dissector should be selected based on VID/PID.
The way IPPUSB was registering caused packets from devices without
corresponding dissector in Wireshark (majority of the devices in the
wild) being dissected as IPPUSB and shown as Malformed Packets. For
example the Silicon Labs CP210x UART Bridge was dissected as IPPUSB.
Now that FT_PCRE is gone, a GRegex is not a valid value for a field. (A
field can be a *string* field whose value is supposed to be a PCRE, but
that's just FT_STRING/FT_STRINGZ/FT_STRINGZPAD/FT_STRINGZTRUNC, and the
value is the string text.)
In rare circumstances Spurious Retransmissions are not detected
and the SEQ analysis would instead conclude with a Fast Retransmit
or an Out-Of-Order. As Spurious Retransmissions are more certain
than the latter ones, their respective precedences are changed.
The documentation is updated accordingly. Closes #13863.
IXFR and AXFR queries can have multiple DNS responses. As all responses
belong to one transaction, they have the same transaction ID.
We shouldn't handle them as retransmits.
Fix: wireshark/wireshark#17293
It's not a valid field type, it's only a hack to support regular
expression matching in packet-matching expressions.
Instead, in the packet-matching code, have a separate syntax tree type
for Perl-compatible regular expressions, and a separate instruction to
load one into a register, and have the "matching" operator for field
types take a GRegex * as the second argument.
RFC 7230 Section 3.3.3 case 7 allows a (discouraged) behavior
for HTTP responses of desegmenting until connection FIN when the
Content-Length is not given.
(See commit 69e50be150 for details.)
There is an even rarer subcase not currently handled - if the headers
are split across multiple segments, then we won't know we need to
desegment until FIN until after the first segment.
In such a case, msp->nxtpdu still needs to get set to some appropriately
large offset, since it didn't happen when processing the first segment.
It's a fake "field" type, used only for "field" values in
packet-matching expressions to do regular-expression matching. There is
*no* reason to allow fields of that type.
Don't bother checking the representation type when generating the string
representation of a field value. If a developer manages to get past all
the tests for FT_PCRE to register and add an instance of that field to
the protocol tree, either 1) the one and only string representation of
an FT_PCRE value is what they want, in which case, whatever, or 2) it's
*not* what they want, in which case, if they file a bug, ask a question
on a mailing list, or ask a question on the Q&A site, we can explain to
them that what they're doing is bogus.
msp->nxtpdu might wrap around (particularly if DESEGMENT_UNTIL_FIN
is set), so use the wrap around aware sequence number comparisons
when seeing if seq is in the interval [msp->seq, msp->nxtpdu).
Note that with wraparound, we have to take the minimum after subtracting
to get the length desired.
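The comparison and the length calculation described in the commit message above, as an added C example that is not the TCP dissector's code. All function names are hypothetical, and the comparison assumes the two sequence numbers are less than 2^31 apart.

```c
#include <stdint.h>

/* Serial-number comparisons on 32-bit TCP sequence numbers: the signed
 * difference stays correct across the 2^32 wrap. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_ge(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Naive interval test: fails once end has wrapped past zero. */
int in_pdu_naive(uint32_t seq, uint32_t start, uint32_t end)
{
    return seq >= start && seq < end;
}

/* Wraparound-aware test for seq in [start, end). */
int in_pdu(uint32_t seq, uint32_t start, uint32_t end)
{
    return seq_ge(seq, start) && seq_lt(seq, end);
}

/* Naive length: takes the minimum of absolute positions, then subtracts.
 * With a wrapped end this can exceed the segment length. */
uint32_t bytes_in_pdu_naive(uint32_t seq, uint32_t seglen, uint32_t end)
{
    uint32_t seg_end = seq + seglen;               /* may wrap */
    uint32_t stop = end < seg_end ? end : seg_end;
    return stop - seq;
}

/* Correct length: subtract first (modulo 2^32), then take the minimum. */
uint32_t bytes_in_pdu(uint32_t seq, uint32_t seglen, uint32_t end)
{
    uint32_t remaining = end - seq;
    return remaining < seglen ? remaining : seglen;
}
```

For a constructed segment at seq 0xFFFFFFF0 with 8 bytes and a PDU ending at 0x00000010, the naive length is 32, four times the segment size, while the subtract-then-minimum form returns 8.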
If a header declares a function, or anything else requiring the extern
"C" decoration, have it wrap the declaration itself; don't rely on the
header itself being included inside extern "C".
Support decrypting captures with Fast BSS Transition roaming present
by now also scanning (re)association frames for relevant information
elements and feeding it into the dot11decrypt engine.
Both (re)association request and response frames are scanned to allow
for potentially missing one frame and still be able to derive PTKs
needed for successful decryption.
Closes #17145
Change-Id: I08436582e4f83695dc606ddb92ff442d6258ef9b