Commit Graph

84911 Commits

Author SHA1 Message Date
John Thacker 13df9b0b64 HTTP: Speed up chunked Transfer-Encoding on TCP
HTTP/1.1 chunked Transfer-Encoding doesn't have an overall length,
but requires scanning through variable length chunks to find the
end. If we determine that additional segments are needed, and
we have a sequence number (or other identifier) for the message,
store the position of the last chunk size found.

Use this to start scanning at that same offset when the next
segment arrives, reducing the algorithm for determining
when we have the complete chunked message from O(N^2) to O(N),
which can be significant on captures with many chunks.

This does most of #14382, reducing the length of time to process
a file with 2 pass tshark from over 8.5 secs to under 3 seconds
on my machine. There is still some O(N^2) contribution from the
reassembly code itself with many small fragments (see #17311).

Other dissectors need some small changes to enable this for
HTTP over other transport layers. (TLS would be fairly easy and
is the other important case.)
2022-08-10 05:31:36 +00:00
John Thacker 5e04463282 L2TP: Store cookie length, session IDs, and PW type from Cisco AVPs
Store the cookie length, session IDs, and pseudowire type when
they are carried in Cisco vendor-specific AVPs in the same way
as done with the IETF AVPs. More of #16565.
2022-08-10 05:06:16 +00:00
Tomasz Moń 7316b16e1d extcap: Read stdout and stderr during capture
Read extcap stdout/stderr data when available to prevent extcap hang on
stdout/stderr write. Discard stdout data as it was not used earlier.
Store up to 1024 bytes of stderr and display it to user after capture
stops.

Fixes #17827
2022-08-10 06:18:25 +02:00
Tomasz Moń ac4e1b86b8 wsutil: Use GIOChannel for standard pipes
Remove ws_read_string_from_pipe() as this function encourages bad design
and is no longer necessary. Extcap stderr is read only after the child
process has finished and thus the read will never block.

Close process information thread handle right away as we don't use it.
Remove unused ws_pipe_t member variables.
2022-08-10 06:18:25 +02:00
Tomasz Moń c1861ad1cc extcap: Close capture session after extcap finishes
Wait up to 30 seconds for extcap process to finish after closing pipes.
The wait is achieved in non-blocking fashion, i.e. the UI is completely
responsive during the wait. Only actions related to capture process like
capture control, file open, save, export are inactive during the wait.

On Windows extcap child watch callback gets called immediately as the
process is forcefully terminated. Prior to this change the extcap was
forcefully terminated on Windows anyway.

The wait is possible on UNIX systems if extcap does handle SIGPIPE and
SIGTERM signals. The default handlers for SIGPIPE and SIGTERM simply
terminate the process so for large number of extcaps there is no change.
If extcap does not finish within 30 seconds, it is forcefully terminated
using SIGKILL signal.
2022-08-10 06:18:15 +02:00
John Thacker 86c6509cf3 L2TP: Don't report Malformed Packet on ZLB messages
Don't have things that substantively affect dissection depend
on whether the tree is present or not. (It's not really necessary
to do all these checks anyway since items are faked.)

Prevents adding "[Malformed Packet]" to the Info column for all
Zero Length Body messages. One of the things mentioned in
issue #16565 (that patch was lost with Gerrit.)
2022-08-09 20:43:52 -04:00
John Thacker 787ecb7f1d file-jpeg: Reduce expert info to PI_PROTOCOL for Exif
Change the expert info for Exif files that have Exif instead
of JFIF in their first identifier fields from a PI_MALFORMED
to PI_PROTOCOL. It's not the correct protocol spec, but it's
common in Exif files and it doesn't make the dissector give up,
so PI_PROTOCOL is more appropriate.
2022-08-09 19:37:03 -04:00
John Thacker 678fba2bc9 TURN: Don't report bogus PDU lengths
Since STUN and TURN (and DTLS, RTCP) are multiplexed together,
using the non-heuristic TURN dissector with Decode As is not
usually the correct choice. However, if we're doing that, and
the packet doesn't look like a TURN packet, don't give a bogus
PDU length to the TCP dissector but instead take until the end
of the packet. Fix #16756
2022-08-09 23:03:40 +00:00
David Perry 8528f96ea4 Name `proto_nfs_unknown` as "Unknown NFS" 2022-08-09 19:42:55 +00:00
David Perry 43d499ca45 Use `register_dissector()` for more protocols 2022-08-09 18:50:08 +00:00
John Thacker 33a34aeec1 stun: Add some comments
Update the attributes to include four Google undocumented attributes
in the IANA registry. Add a comment about the Unassigned value that
was Data Indication in the TURN draft, and note that MS-TURN still
mentions it and some captures use it.
2022-08-09 07:42:05 -04:00
Chuck Craft ebb68e0b23 KINK: change default to IANA port 910 (RFC 4430)
Looks like the dissector was added with a draft of protocol before
the port was assigned - "KINK uses UDP on port [XXX -- TBA by IANA]"
2022-08-09 08:37:47 +00:00
Joakim Karlsson 318b969d1d GRE: forward GRE key to encapsulated data 2022-08-09 09:52:09 +02:00
John Thacker 203cd2cba9 prefs: More cleanup, auto prefs
Remove callback function from pref registrations for dissectors that
don't need a callback. In other dissectors, move registration that
only needs to be done once inside the check for initialization,
avoiding some console messages when preferences are changed
("Duplicate dissectors (anonymous) and (anonymous) for protocol...")
and the like.

Add a couple auto preferences for dissectors missed in previous waves.

Ping #14319
2022-08-09 06:21:05 +00:00
John Thacker 862803de5c HTTP2: Send headers to the follow tap after decompression
Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION
frames) are compressed by HPACK. Send them to the follow tap only
after decompression. Update the tests to match the new output.

Ping #18239 (There's still the case of gzip and brotli compressed
DATA frames to handle).
2022-08-08 23:50:20 +00:00
Jaap Keuter 8097d3e4a3 Streamline hfinfo retrieval in proto_tree_add_* functions
Instead of a function call, instantiate the PROTO_REGISTRAR_GET_NTH
macro directly, which contains the subsequent DISSECTOR_ASSERT macro
to test the result anyway.
2022-08-08 17:05:50 +00:00
Gerald Combs 95069d8f78 Docs: Clean up some Python references.
Make sure we capitalize Python and use its HTTPS URL.
2022-08-08 16:34:45 +00:00
Pascal Quantin 4e85e0bfbe GSM CBSP: fix dissection of Repetition Period IE
Closes #18254
2022-08-08 13:21:35 +00:00
Chuck Craft a6813db329 Qt: traffic tables - tcp/udp port name resolution
Allow conversation/endpoint tabs that include IP address and
port number to resolve either or both. Currently IP address
(network) resolution is required to resolve tcp/udp ports.
2022-08-08 09:10:10 +00:00
Daniël van Eeden 728edc0d1f mysql: actually uncompress compressed packets
* Only for zlib/deflate compressed packets
* Not (yet) dissecting the payload
2022-08-08 08:28:04 +00:00
Gerald Combs dc24cdfc4b Qt: Add an "x-reset" icon and use to reset extcap options.
Add an "x-reset" stock icon and use it instead of Qt's SP_BrowserReload
icon to reset extcap options.
2022-08-07 20:21:12 +00:00
Gerald Combs 2e7a61a2c1 Docs: Update the extcap section of the Developer's Guide.
Make some variable names lower case to match their usage. Update various
parts of the text.
2022-08-07 18:49:43 +00:00
Gerald Combs a7be80b04a [Automatic update for 2022-08-07]
Update manuf, services enterprise numbers, translations, and other items.
2022-08-07 16:38:23 +00:00
DarienSpencer65 66b264559c UMTS FP: Fix flag in conversation_new calls 2022-08-07 07:09:12 +00:00
John Thacker 2347345eec prefs: More port prefs to auto prefs with ranges
Move the rest of the SCTP port preferences to auto prefs
with ranges. Ping #14319.
2022-08-06 18:51:07 -04:00
Uli Heilmeier f9cf0a0ae7 BGP: Check nhlen
Only call tvb_bytes_to_str() when nhlen > 0

Fixes: #18248
2022-08-06 20:42:15 +00:00
Jaap Keuter da5603a0d0 extcap: implement saving and restoring radio button setting 2022-08-06 20:19:04 +00:00
John Thacker 6fd212926a epan: Constify a few range functions 2022-08-06 08:26:40 -04:00
John Thacker 057436ff81 Prefs: Convert some SCTP port preferences to auto prefs
Convert SCTP port preferences in dissectors starting m-z.
Preferences that were already the name of the table can just
be removed from the dissector and they will migrate. Preferences
with a different name are added to deprecated_port_prefs in
epan/prefs.c (Since that function handles them there is no
need to mark them as obsolete.)

Also change a few TCP and UDP single ports registered with
preferences and callbacks that used the sample dissector as
a template.

Uses more auto preferences, makes more port preferences ranges,
and reduces the number of preference callbacks. Ping #14319
2022-08-06 00:17:14 -04:00
John Thacker 9cfd989abf prefs: A few more range conversions
A few more protocols that have callbacks to retrieve auto preferences
for request/response determination.  Convert them to getting ranges,
since all these are ranges now. Ping #14319
2022-08-05 22:23:43 -04:00
John Thacker 41791cad7b ipsec: Fix ESP NULL pad check
Correctly break out of the loop
2022-08-05 21:27:23 -04:00
Hadar Shoham b87e7aea49 Add support for DOCSIS TLV 5.76 'Low Latency Support' 2022-08-05 12:56:57 +00:00
John Thacker e43c6b1aa2 quake2, quakeworld: Get ports as ranges
quake2 and quakeworld get the port list to use to determine
client/server. Get that as a range now. Ping #14319.
2022-08-05 08:04:43 -04:00
John Thacker 0aed38cf97 ipsec: Improve ESP NULL autodetection
Improve the ESP NULL autodetection, and get it closer to the
heuristics in RFC 5879:

Detect multiple ICV lengths - 12, 16, 24, and 32
Check padding length validity
Check padding values
Reject if the subdissector rejects the packet

Still does not attempt to properly detect ENCR_NULL_AUTH_AES_GMAC,
which has a nonzero IV.

Fix #13730.
2022-08-05 11:16:25 +00:00
Roland Knall d24d27ebc1 Qt: Fix interface auto slot
The signal attached "currentIndexChanged" takes only int as argument,
the correct signal is "currentTextChanged". This also fixes a crash
whenever you changed the visible/nonvisible setting for an interface
2022-08-05 08:56:22 +00:00
Gerald Combs 74e0b506be Windows: Don't define or check for WIN32.
_WIN32 is defined by the compiler, and is arguably a more reliable
test than WIN32. Switch to checking for _WIN32 in a couple of places in
the code.

Remove a WIN32 definition from config.h. It was added for the WinPcap
developer pack but we no longer use that.
2022-08-05 08:33:49 +00:00
Daniël van Eeden a0d03745a9 mysql: Handle unsigned fields in prepared stmt
The flag of unsigned fields is either 0x0 for signed integer fields or
0x80 (128) for unsigned integer fields.

The code expected 0x0 for signed and 0x1 for unsigned to match the right
dissector for the field, causing no match to be found.

Example client code:

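```c
#include <mysql.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
  /* Connect to the server under test (port 4000 here). */
  MYSQL *con = mysql_init(NULL);
  if (mysql_real_connect(con, "127.0.0.1", "root", NULL, NULL, 4000, NULL, 0) ==
      NULL) {
    printf("%s\n", mysql_error(con));
    mysql_close(con);
    exit(1);
  }

  /* Prepare a statement with a single parameter placeholder. */
  MYSQL_STMT *stmt = mysql_stmt_init(con);
  mysql_stmt_prepare(stmt, "DO ?", 4);

  /* Bind an unsigned TINYINT so the unsigned flag (0x80) is sent. */
  MYSQL_BIND bind[1];
  unsigned char my_int = 1; /* one byte, matching MYSQL_TYPE_TINY */
  memset(bind, 0, sizeof(bind)); /* zero the fields that are not set below */
  bind[0].buffer_type = MYSQL_TYPE_TINY;
  bind[0].buffer = (void *)&my_int;
  bind[0].is_unsigned = 1;
  bind[0].is_null = 0;

  mysql_stmt_bind_param(stmt, bind);
  mysql_stmt_execute(stmt);
  mysql_stmt_close(stmt);
  mysql_close(con);
  return 0;
}
```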
2022-08-05 08:07:20 +00:00
Chuck Craft 077547d033 dccp: allow port resolution in conversation table 2022-08-05 00:52:56 +00:00
John Thacker 5f05a705a6 ipsec: Don't include ICV in decrypted data with ESP NULL
ESP NULL can be used with a non NULL AUTH, when wishing to
provide authentication without encryption.

Part of #13730
2022-08-04 19:24:03 -04:00
John Thacker baf61478e4 rsync: Fix port pref
The port pref value is used in a callback, so convert that to
retrieving a range. Also, remove the old preference (it was
converted to use an auto preference some time ago but the
duplicate preference wasn't removed.)

Ping #14319
2022-08-04 08:14:14 -04:00
John Thacker 452b5e3e0f prefs: Remove prefs_register_decode_as_preference
All Decode As auto preferences are registered as ranges now,
so remove this internal function. Ping #14319.
2022-08-04 07:16:16 -04:00
Dylan Ulis 59909dfb5d CIP: Correct UTIME sub-seconds portion 2022-08-04 08:44:30 +00:00
Gerald Combs 0ca960c6d8 epan: Update our name resolution preference names.
Update the dns_pkt_addr_resolution, use_external_name_resolver, and
use_custom_dns_servers names to be more consistent. Make it more clear
that use_external_name_resolver uses your system's DNS settings.
2022-08-04 06:00:34 +00:00
John Thacker 8604d03a98 prefs: Make all auto port preferences ranges
When a single port is added to a dissector along with an auto
preference, make it create a range preference (defaulting to
that single value.) This converts the rest of the auto port
preferences to ranges.

Ping #14319. Still to do are converting other non-auto port
preferences to auto preferences (e.g., sctp ports), and maybe
some minor cleanups.
2022-08-04 05:43:47 +00:00
David Perry 7238dad792 Always use `next_tvb` for X.25 payload 2022-08-04 03:23:18 +00:00
John Thacker 13bffe4630 prefs: Add default range to description of auto pref 2022-08-03 19:19:18 -04:00
Peter Dobransky fe12d2428c Add support for missing DPoE OAM leaf-branch attributes 2022-08-03 21:32:28 +00:00
Jaap Keuter 1c1d23e323 Asterix: update dissector after specification updates 2022-08-03 19:39:55 +02:00
Zoran Bošnjak 7547e7993c asterix: asterix-specs converter fix
Some new asterix editions contain nested 'Group' item inside 'Extended'.
In such case, a 'Group' item is processed like regular 'Element'.

Fixes #18238
2022-08-03 17:10:36 +00:00
Tomasz Moń bf26f538c6 wiretap: Do not silently limit capture length
Libpcap assumes that packet length is greater or equal to captured data
length. However, due to a bug in libpcap, it was possible for libpcap to
generate isochronous URB packets (WTAP_ENCAP_USB_LINUX_MMAPPED) with
captured data length greater than packet length. The discrepancy comes
from slightly different semantics in Linux kernel.

Linux kernel usbmon packet documentation mentions:
    unsigned int length;  /* 32: Length of data (submitted or actual) */
    unsigned int len_cap; /* 36: Delivered length */

Wireshark shows usbmon packet length as URB length (usb.urb_len) and
len_cap as Data length (usb.data_len). For usbmon isochronous IN packets
containing data (URB complete), usbmon length is "actual". Actual length
is the sum of payload packets length received from device. Delivered
length refers to the amount of data associated with usbmon packet, that
is the isochronous descriptors and actual isochronous data. There can be
multiple isochronous descriptors in single URB and the actual payload in
special cases can be noncontiguous (there can be gaps).

Libpcap when reading usbmon capture calculates packet length based on
usbmon packet structure size (64), "actual length" and number of
isochronous descriptors. This gives expected packet length as long as
there are no gaps between isochronous data. If there are gaps, the
calculated packet length will be smaller than delivered length.

Wireshark should show the frame length and captured length as provided
by the capture engine, even if the capture length is greater than frame
length. Silently limiting captured length essentially hides the issue
from the user and allows misbehaving capture engine to go unnoticed.

Passing unmodified Frame Length and Capture Length to dissectors (and
thus complete tvb) allows USB dissector to show all ISO Data fields
captured on Linux usbmon interface using bugged libpcap.

Fixes #18021
2022-08-03 18:50:53 +02:00