This is required for the latest version. The message type "dns/message"
was briefly used in draft -06, but it was changed in the next version.
Change-Id: If26e367b71b7e270cad2f61eaee76041f530273c
Ping-Bug: 14433
Reviewed-on: https://code.wireshark.org/review/29887
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Development-related files (header files, cmake files, the pkg-config file)
don't belong in the base RPM. This moves those ~600 files (~4 MiB) to a
separate RPM for those who may want them.
Also clean up a few other things in the SPEC file while here to make things
more readable and consistent.
Change-Id: I89f93a8696c54b9117595f1da9f856c080853dce
Reviewed-on: https://code.wireshark.org/review/29814
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When (1) a frame has multiple TLS application data records and (2) two
of them request reassembly of a new PDU, then the second fragment would
be considered conflicting with the first one since the PDUs (MSPs) are
identified by the frame number of the starting frame.
This behavior was observed in a firefox-http2-frag.pcap
(attachment 16616) which uses tcp_dissect_pdus to trigger reassembly:
Frame 19: 8694 bytes on wire (69552 bits), 8694 bytes captured (69552 bits)
...
Transport Layer Security (8640 bytes)
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (1369 bytes) <-- 7/7 last segment of previous PDU
SSL segment data (1203 bytes) <-- 1/5 first segment of new PDU
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (1369 bytes) <-- 2/5
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (1369 bytes) <-- 3/5
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (1369 bytes) <-- 4/5
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (976 bytes) <-- 5/5
TLSv1.3 Record Layer: Application Data Protocol: http2
SSL segment data (1369 bytes) <-- 1/? first segment of another PDU
[5 Reassembled TLS segments (6286 bytes): #19(1203), #19(1369), #19(1369), #19(1369), #19(976)]
[7 Reassembled TLS segments (8201 bytes): #17(1190), #17(1369), #17(1369), #18(1369), #18(1369), #18(1369), #19(166)]
HyperText Transfer Protocol 2 (8201 bytes, reassembled PDU)
Stream: DATA, Stream ID: 17, Length 8192 (partial entity body)
...
(7/7 finishes previous reassembly, see "7 Reassembled TLS segments")
HyperText Transfer Protocol 2 (1203 bytes, start of new PDU)
HyperText Transfer Protocol 2 (6286 bytes, reassembled PDU)
Stream: DATA, Stream ID: 17, Length 6277 (partial entity body)
...
(all fragments are in this frame, see "5 Reassembled TLS segments")
HyperText Transfer Protocol 2 (1369 bytes, start of another PDU)
[Reassembly error, protocol SSL: Frame already added in first pass]
TLS records for fragments 1/5 and 1/? both start a new PDU and would
thus invoke fragment_add with the same identifier. That results in the
Reassembly error which breaks further decryption. Reduce the probability
of this issue by mixing in the TLS stream position of the fragment.
Bug: 11173
Change-Id: I5536f3010b156555f1d7ae6dc98e08c030c8f771
Reviewed-on: https://code.wireshark.org/review/29871
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
proto_tree_add_item with a zero length argument could end up calling
tvb_get_ptr to retrieve the (empty) backing buffer. This empty tvb was
possibly the result of bad reassembly, but let's gracefully handle it to
avoid a dissector exception.
Call trace for the original exception (only present on the first pass):
proto_report_dissector_bug (format=0x7ffffffecea0 "") at epan/proto.c:1368
ensure_contiguous_no_exception (tvb=0x6060001a5460, offset=0, length=0, pexception=0x7ffffffed060) at epan/tvbuff.c:775
ensure_contiguous (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:785
tvb_get_ptr (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:906
subset_get_ptr (tvb=0x607000194b90, abs_offset=0, abs_length=0) at epan/tvbuff_subset.c:58
ensure_contiguous_no_exception (tvb=0x607000194b90, offset=0, length=0, pexception=0x7ffffffed3c0) at epan/tvbuff.c:773
ensure_contiguous (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:785
tvb_get_ptr (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:906
proto_tree_set_bytes_tvb (fi=0x608000535ca0, tvb=0x607000194b90, offset=0, length=0) at epan/proto.c:3862
proto_tree_new_item (new_fi=0x608000535ca0, tree=0x604000543150, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:2318
proto_tree_add_item_new (tree=0x604000543150, hfinfo=0x7ffff30e91f8, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3381
proto_tree_add_item (tree=0x604000543150, hfindex=65120, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3391
dissect_body_data (tree=0x604000543150, pinfo=0x614000000a58, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/dissectors/packet-http2.c:1974
Change-Id: Icfae83d61ddcc9e26f16eab7f6e0e84e2f0d73ac
Reviewed-on: https://code.wireshark.org/review/29851
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Treat systemd journal entries filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
The frame.protocols list does not contain "ssl" and thus the expert info
"Unencrypted HTTP protocol detected over encrypted port, could indicate
a dangerous misconfiguration" was shown even for the normal HTTPS port.
This also renames the http.ssl_port to http.tls_port with no backwards
compatibility, hopefully that is reasonable.
Change-Id: I5c8481693ff63dc0a19b4dc1de431680bdda3244
Reviewed-on: https://code.wireshark.org/review/29828
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
In the long run, we'd like to remove the time stamp from the frame_data
structure, as, in Wireshark, and in TShark in two-pass mode, there's one
allocated for every frame in the file, and shrinking the size of that
structure reduces the memory usage.
This removes one obstacle to that.
Change-Id: Ia8f87522cd974555c57e0ac1e742b097e8b0f2fc
Reviewed-on: https://code.wireshark.org/review/29881
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Either pcap_process_pseudo_header() returns -1, in which case we fail,
or it returns the exact same value as pcap_get_phdr_size(). If we don't
fail, don't bother to check whether the values are the same.
Change-Id: I18191cc3de2a1c2144ca9b508ed17b2f593fc835
Reviewed-on: https://code.wireshark.org/review/29879
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Keeping them together might increase the likelihood that all of them get
updated when a new pcap/pcapng link-layer type whose pseudo-header is
first processed here rather than by a dissector.
Change-Id: Ia6f45c38e9530b7c6a53d006fbc01b3040e9a014
Reviewed-on: https://code.wireshark.org/review/29868
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Sort the cases to match the order in other routines.
That turned up a missing case for WTAP_ENCAP_NFC_LLCP, so add it.
Change-Id: I500731322ae93c6d2efc368f16cf468f589910f3
Reviewed-on: https://code.wireshark.org/review/29858
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix JSON generation:
- add lookup table to encode all required control characters (0x00 - 0x1F),
- don't output comma just after opening object in iograph.
Change-Id: Ib53af9c37f4d7785cafc5f9a8d0e71b214c7f349
Reviewed-on: https://code.wireshark.org/review/29852
Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Have pcap_read_erf_pseudoheader() do all the work of reading an ERF
pseudo-header.
Add pcap_write_erf_pseudoheader() as a routine to do all the work of
writing an ERF pseudo-header.
Change-Id: If53ae50fcee35a45113ca0f0c64f69848e044cbd
Reviewed-on: https://code.wireshark.org/review/29847
Reviewed-by: Guy Harris <guy@alum.mit.edu>
it is the first release to start to follow IETF QUIC (draft-12)
Update also the heuristic to detect Q044
Bug: 15131
Change-Id: Ieec7d75a2a0a7ab1ddacfb88d86cb9856cd67164
Reviewed-on: https://code.wireshark.org/review/29572
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
RFC 6887 states that options have to be padded to a multiple
of 4 octets. This commit adds missing padding.
Bug: 14950
Change-Id: I68a0631ecdd2f30e24e83b1a6e8dfc55856c9c94
Reviewed-on: https://code.wireshark.org/review/29832
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Put the cases in pcap_write_phdr() into the same order as the cases in
pcap_process_pseudo_header().
Doing so revealed that there wasn't a case for WTAP_ENCAP_NFC_LLCP in
pcap_write_phdr(), so NFC LLCP captures wouldn't be saved correctly.
Add pcap_write_llcp_pseudoheader() and use it.
Change-Id: I2728a96e63d2e0606ae0bb480f97fe124ab48d17
Reviewed-on: https://code.wireshark.org/review/29841
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For each pseudo-header type, put a routine to write the pseudo-header
after the routine to read it.
Change-Id: Iffc010c1bf97acc5eb834a388e328ad3c2310351
Reviewed-on: https://code.wireshark.org/review/29840
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not as if 0 means received, 1 means sent, and anything else is
invalid; treat all non-zero values as meaning "sent" when reading, and
write out 1 for "sent".
Change-Id: Iaf5eb327a6b87b893a203475c8730452c51a38e9
Reviewed-on: https://code.wireshark.org/review/29839
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Put all the #defines and structure declarations for a particular
pseudo-header before the function to read the pseudo-header.
Change-Id: I11013ff99d72832f49e9bea56dbc07f5cd8618f3
Reviewed-on: https://code.wireshark.org/review/29838
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That centralizes knowledge of the particular pseudo-header into its read
routine.
Change-Id: I4931d03a20a1b648af3ab6b92a034659c55d1ba3
Reviewed-on: https://code.wireshark.org/review/29837
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Either it's TRUE, meaning sent, or it's FALSE, meaning received. Make
it a gboolean and get rid of the #defines for it. ("Unknown" is handled
by the WTAP_ENCAP_ value not *having* a p2p pseudo-header.)
Change-Id: I650d7213523b49e7531d9555a98cde1be519a294
Reviewed-on: https://code.wireshark.org/review/29836
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For file formats, say "pcap/pcapng" or "pcap and pcapng" instead; this
code handles both formats. Use just "pcap_" in structure types.
Change-Id: I2c0e096855ac3736bbfd72480ed4221b3a2f25d1
Reviewed-on: https://code.wireshark.org/review/29835
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's not just for X.25, it's for anything that has the notion of Data
Terminal Equipment and Data Communications Equipment; call it "dte_dce",
not "x25".
Change-Id: I3d51fec8b424e91ffd6d59895f50fc5ece791b08
Reviewed-on: https://code.wireshark.org/review/29834
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We always tell pcap_process_pseudo_header() to check to make sure the
pseudo-header isn't bigger than the captured data; no need for a flag
argument to tell it to do so.
Change-Id: I8310bb06a390a7f4a7a232ad140ae07955d52da1
Reviewed-on: https://code.wireshark.org/review/29833
Reviewed-by: Guy Harris <guy@alum.mit.edu>
gcd95e197ca renamed a bunch of "<proto>.ssl.port" preferences to
"<proto>.tls.port" but neglected to add obsolete entries for the old
preferences. Do so here.
Rename couchbase.tls_port to couchbase.tls.port to be in line with the
other TLS port preferences.
Change-Id: Ie23d6be0a5cb3616f37e41dbfbf13ad1b7206473
Reviewed-on: https://code.wireshark.org/review/29829
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Rename packet-ssl{,-utils}.[ch] to packet-tls{,-utils}.[ch].
Change-Id: I4732162ec131ddf0734b3dd191ccc9e48a76ce06
Reviewed-on: https://code.wireshark.org/review/29659
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Peter Wu