Split our tests by suite_*.group_* instead of suite_*. There are quite a
few dfilter tests and this should make them more parallelizable.
Change-Id: I52371409618cda70dc99811e8de1fb1ad9d9a3b6
Reviewed-on: https://code.wireshark.org/review/28329
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
- Trivial by just doing it the C++ way
- Non-Trivial where the whole function can be put into the #ifdef instead of the variable use case
Change-Id: I034751b8a3c70211173f0c06c954def94450db46
Reviewed-on: https://code.wireshark.org/review/28311
Petri-Dish: Jörg Mayer <jmayer@loplof.de>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
Mesh frames that are originated at the host where traffic is captured
may have no QoS header, as it is typically added by the wlan firmware.
The dissector was using a bit on that header to indicate the presence of
a Mesh Control Header, and so locally originated mesh frames were
incorrectly dissected.
When QoS header is missing, look ahead into the next header to determine
if a mesh control header is present.
Tested on mesh traffic captured on a monitor interface on ath10k.
Bug: 14629
Change-Id: I64169f9dea79518c8af802f045168180861e9081
Reviewed-on: https://code.wireshark.org/review/27156
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Add dissection of commands:
- LE Periodic Advertising Create Sync
- LE Periodic Advertising Terminate Sync
- LE Add Device To Periodic Advertiser List
- LE Remove Device From Periodic Advertiser List
- LE Write RF Path Compensation
- LE Set Privacy Mode
Add dissection of command complete events:
- LE Read Periodic Advertiser List Size
- LE Read Transmit Power
- LE Read RF Path Compensation
Misc:
- Corrected identity address type decoding in privacy
related commands
- Corrected PHY decoding in LE Set Ext Scan Parameter
and LE Ext Create Connection commands
- Added decoding of missing LE scan filter policy values
- Units added for time parameters where missing
Change-Id: I8d3fa4571f511df2e128877078609c8d112821dd
Signed-off-by: Allan Møller Madsen <almomadk@gmail.com>
Reviewed-on: https://code.wireshark.org/review/28302
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Add new dissector table that allows for registration of CIP Class 0/1 I/O
against CIP Class that was used in the Forward Open. CIP Safety is still
a special case that gets checked before this table. The default handling is
generic CIP Class 0/1 I/O.
2. Changed most I/O items labelled "ENIP" to "CIP I/O". ENIP is a separate
protocol/layer, and all the I/O traffic is actually CIP. It was very
confusing explaining to people they had to look at the wrong protocol
layer in Wireshark before.
3. Add the generic Class 0/1 I/O as a separate tree layer. CIP Motion and
CIP Safety I/O were already doing this.
4. Update CIP conversation filtering naming to be more accurate.
5. Clean up some offset handling
Change-Id: I1c226fe1bd8974ed0e90640c875bef21f15f3095
Reviewed-on: https://code.wireshark.org/review/28290
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It doesn't necessarily produce an FT_BYTES value any more.
Change-Id: I7bad1e328394a829400bd139c48a9538c4892818
Reviewed-on: https://code.wireshark.org/review/28318
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have charconst_to_bytes() take the desired type as an argument, and pass
it to dfilter_fvalue_from_unparsed().
Bug: 14084
Change-Id: I11db417311b9681b18c4a3fca2862b35837194d7
Reviewed-on: https://code.wireshark.org/review/28315
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The value of a string in single quotes in dfilter must fit into one
byte. The parser correctly parsed the beginning of the string,
however it didn't check whether there are more characters to parse.
Bug: 14084
Change-Id: Ifa2d7a31052b2c1020d84c42637b9b7afc57d8c0
Reviewed-on: https://code.wireshark.org/review/28298
Reviewed-by: Guy Harris <guy@alum.mit.edu>
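Added example, not part of the commit above and not Wireshark's code: a small C parser for single-quoted one-byte constants that shows the trailing-character check the message describes. The name parse_char_const, its check_tail switch and the set of supported escapes are assumptions made for illustration.

```c
#include <ctype.h>

/* Value of one hex digit; caller has already checked isxdigit(). */
static int hexval(char c)
{
    return isdigit((unsigned char)c) ? c - '0'
                                     : tolower((unsigned char)c) - 'a' + 10;
}

/*
 * Hypothetical helper (not Wireshark's parser): parse a single-quoted
 * constant such as 'a', '\n' or '\x41'. Returns the byte value 0..255,
 * or -1 if the constant is malformed or does not fit in one byte.
 * check_tail == 0 skips the final check, mirroring a parser that reads
 * the first character and never looks at what follows it.
 */
int parse_char_const(const char *s, int check_tail)
{
    const char *p = s;
    unsigned v = 0;

    if (*p++ != '\'' || *p == '\0' || *p == '\'')
        return -1;                       /* no opening quote, or empty */
    if (*p != '\\') {
        v = (unsigned char)*p++;         /* plain character */
    } else if (*++p == 'x') {            /* \x followed by hex digits */
        if (!isxdigit((unsigned char)*++p))
            return -1;
        for (; isxdigit((unsigned char)*p) && v <= 0xFF; p++)
            v = v * 16 + (unsigned)hexval(*p);
    } else {                             /* single-letter escapes */
        switch (*p++) {
        case 'n':  v = '\n'; break;
        case 't':  v = '\t'; break;
        case '\\': v = '\\'; break;
        case '\'': v = '\''; break;
        default:   return -1;
        }
    }
    if (v > 0xFF)
        return -1;                       /* e.g. '\x4142' */
    /* Nothing but the closing quote may remain. */
    if (check_tail && (p[0] != '\'' || p[1] != '\0'))
        return -1;
    return (int)v;
}
```

With check_tail set to 0 the input 'ab' is silently accepted as 'a'; with the check enabled it is rejected.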
There are some new information elements and message types in the GSUP
protocol which are used for transport of non-call-SS and USSD between
MSC/VLR and HLR.
Change-Id: Idd3bb7ed8d4ba3f958cffcb29c6042c047646f70
Reviewed-on: https://code.wireshark.org/review/28301
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the reference libosmocore's implementation we have:
OSMO_GSUP_MSGT_PURGE_MS_REQUEST = 0b00001100, // 0x0c
OSMO_GSUP_MSGT_PURGE_MS_ERROR = 0b00001101, // 0x0d
OSMO_GSUP_MSGT_PURGE_MS_RESULT = 0b00001110, // 0x0e
while here we had:
OSMO_GSUP_MSGT_PURGE_MS_REQUEST = 0x0c,
OSMO_GSUP_MSGT_PURGE_MS_ERROR = 0x0e, // != 0x0d
OSMO_GSUP_MSGT_PURGE_MS_RESULT = 0x0f, // != 0x0e
Same problem with the 'OSMO_GSUP_MSGT_LOCATION_CANCEL_RESULT'.
Change-Id: Ie49fd2fca8298d97c21e03649935704309015324
Reviewed-on: https://code.wireshark.org/review/28297
Reviewed-by: Harald Welte <laforge@gnumonks.org>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
See https://tools.ietf.org/html/rfc7862#section-12.2.3
As far as I can tell these were zero-based even in the earliest protocol
drafts, so this was just a mistake in the original wireshark submission
that nobody caught because change_attr_type hasn't been widely
implemented.
While we're here, move the defines before the array for better
readability.
Change-Id: Ie721250748fe77098aee4e2cc502ae43fc497a2d
Reviewed-on: https://code.wireshark.org/review/28271
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Don't assume that the 3-digit code we got was followed by a blank, and
display the code followed by a blank followed by the parameters.
Instead, just put the raw text of the entire line into the Info column.
Bug: 14878
Change-Id: I1e081366bf859723158a36f10e86614fe52f124d
Reviewed-on: https://code.wireshark.org/review/28292
Reviewed-by: Guy Harris <guy@alum.mit.edu>
According to 3GPP TS 29.244
ch5.6.3 Modifying the Rules of an Existing PFCP Session
- updating the Rule including the IEs to be removed with a null length,
e.g. by including the Update URR IE in the PFCP Session Modification Request
with the IE(s) to be removed with a null length.
Change-Id: Ib8928edc24e72c25f6d608bee874c1d8603c8620
Reviewed-on: https://code.wireshark.org/review/28264
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Extract it into title_length before checking it, and then check the
value of title_length.
Change-Id: I7f2c334dbce5eeaa12cd5d8bb8e289852fd15c4f
Reviewed-on: https://code.wireshark.org/review/28282
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The number being compared against is the amount of data *remaining* in
the comment information, not the *size* of the comment information.
And it's unsigned, so format it with %u.
Change-Id: I5f02302ad4acbc3b27655ff5518e6e56d464020d
Reviewed-on: https://code.wireshark.org/review/28280
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix indentation, and note that the comment "description" (contents) are
RTF (as opposed to plain text).
Change-Id: I668a08c06e39a32318454d2ee73933083c5cb516
Reviewed-on: https://code.wireshark.org/review/28279
Reviewed-by: Guy Harris <guy@alum.mit.edu>
utf_16_to_utf_8() just ignores the extra octet.
Change-Id: I7bf003b674e5d9b0fb0265b0e8c6c142107084e3
Reviewed-on: https://code.wireshark.org/review/28277
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Pathnames are not limited to 260 characters in recent versions of
Windows; boost the limit to handle up to 32767 UTF-16 octet pairs worth
of path.
The pathname is in UTF-16-encoded Unicode; convert it to UTF-8 for our
internal use.
Bug: 14876
Change-Id: I4ef19fd47c7dbdd74dcaf31a7a80f432d57dbb0d
Reviewed-on: https://code.wireshark.org/review/28273
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The command tshark -G values gave the error:
** (process:26713): WARNING **: Extended value string 'nas_5gs_mm_message_type_vals' forced to fall back to linear search:
that caused regression tests to fail.
Fixes: v2.9.0rc0-947-g587b5a7.
Change-Id: I6c8b8c7e93838f407a363390ba2385603dc62338
Reviewed-on: https://code.wireshark.org/review/28270
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure that the filter for VoIP calls includes RTP streams when calling
Prepare filter.
Bug: 13440
Change-Id: Ia55073151817b88b3fa6a3fd30f98fdf683621a4
Reviewed-on: https://code.wireshark.org/review/27955
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In 3GPP TS 44.018 version 14.4.0 Release 14 both Immediate assignment
extended (9.1.19) and Immediate assignment reject (9.1.20) have Feature
Indicator (10.5.2.76) half octet right after the Page Mode (10.5.2.26).
The Feature Indicator is part of GSM_A_PDU_TYPE_RR and not
GSM_A_PDU_TYPE_COMMON so previously it was not decoded correctly in the
Immediate assignment extended.
Change-Id: I117d1ee42d43d01d77da67eea506c28ca0ae3056
Reviewed-on: https://code.wireshark.org/review/28263
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For the 'Infinite value', tree header is now
"Graceful Release Period: Infinite (<val>)"
instead of
"Graceful Release Period: <val> Infinite"
Change-Id: I130e997ffbb3503078e1364fd64c11ead28111b1
Reviewed-on: https://code.wireshark.org/review/28262
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
With HTTP2 heuristics to identify the conversation, a packet can be
skipped on first pass and then decoded as HTTP2 on subsequent ones.
Check that header data is available before attempting header
decompression.
Bug: 14869
Change-Id: I8ef7669ca33835b509acb38d797e33d6167a1bd1
Reviewed-on: https://code.wireshark.org/review/28257
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
dissect_cpf was huge and too hard to read and update.
This change pulls out item parsing into individual functions to make
it easier to read, help troubleshoot a bug related to ENIP TLS
connection filtering (Still investigating), and prep for future features.
There are no functional changes.
Main changes:
1. Pulled out the following code into separate functions:
dissect_item_list_identity
dissect_item_cip_security_information
dissect_item_list_services_response
dissect_item_sockaddr_info
dissect_item_sequenced_address
dissect_item_connected_address
dissect_item_unconnected_message_over_udp
dissect_generic_io
dissect_cip_class01_io
2. More documentation. It was a little hard to follow before.
3. Corrected offset inside the while loop in dissect_cpf(). Previously,
offset pointed to 2 bytes *before* the item actually being processed.
Change-Id: I47894fd5c50b4c3d07f916f81e1b21f8890c8396
Reviewed-on: https://code.wireshark.org/review/28205
Reviewed-by: Dylan Ulis <daulis0@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
AT-commands:
+XAPL
+IPHONEACCEV
+APLSIRI
+APLEFM
Add UUID128:
Apple Notification Center Service
Based on: https://developer.apple.com/hardwaredrivers/BluetoothDesignGuidelines.pdf
While adding new UUID remove also tabs from packet-bluetooth.
Change-Id: Ic29b028338a21464fe018f8145ade82297ccd146
Reviewed-on: https://code.wireshark.org/review/28222
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(In retrospect, signed offsets probably were the wrong choice; we
rarely, if ever, use them to signify offsets from the end of the packet.
Let's not do so any more in the future.)
Change-Id: I7ace539be8bf927e21148c34b71e9c2b7535581e
Reviewed-on: https://code.wireshark.org/review/28245
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Do more checks to make sure we don't run past the end of the data we're
handed, and don't do a DISSECTOR_ASSERT(), as there may well be packets
that don't have enough data to pass the assertion - that was causing
some errors to show up in the 2.6 buildbot when doing 802.11 decryption
tests. Those errors should instead be reported as "sorry, we can't do
decryption" errors by the decryption code.
(XXX - the 802.11 *dissector* should probably be extracting the relevant
fields and doing the relevant checks, and hand the data to the
decryption code, so that we don't duplicate 802.11 frame parsing with
code that might not do as much necessary work as the 802.11 dissector.)
Tweak some comments while we're at it.
Change-Id: I1d230e07cec2fca8c23f265b5875a0bf83f79432
Reviewed-on: https://code.wireshark.org/review/28240
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Wiretap imposes an arbitrary limit on the maximum packet size, to
prevent it from trying to allocate a huge packet buffer and possibly
running out of address space on ILP32 platforms or just eating too much
backing store on LP64/LLP64 platforms. Don't write packets with a
length greater than that limit.
Bug: 14107
Change-Id: Iba4fe3b008b044215647ba3f838ae7b3ac66c585
Reviewed-on: https://code.wireshark.org/review/28232
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't treat the count+blob as itself a blob of bytes; use FT_NONE.
Create it with an unknown length (-1, meaning "to end of packet, for
now"), and set its length once we've finished dissecting it. Dissect
the raw bytes of a prefixed-bytes item regardless of whether we're
building a protocol tree or not.
This means we do a better job of handling a too-large length; instead of
overflowing the offset, we throw an exception and stop dissecting, so we
don't run the risk of looping infinitely.
Bug: 14841
Change-Id: I593be9b6ba9aa15d8529f96458e53b85ace6402a
Reviewed-on: https://code.wireshark.org/review/28228
Reviewed-by: Guy Harris <guy@alum.mit.edu>
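Added example, not part of the commit above and not Wireshark's code: a C walk over length-prefixed items that checks each length against the data remaining instead of adding it to the offset first. The 4-byte big-endian prefix, the function names and the sample buffers are assumptions; the function returns -1 where the commit message describes throwing an exception.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: two items, lengths 2 ("ab") and 0. */
static const uint8_t SAMPLE_OK[] = { 0,0,0,2, 'a','b', 0,0,0,0 };
/* Constructed sample: one item claiming 0xFFFFFFFC bytes of data. */
static const uint8_t SAMPLE_BAD[] = { 0xFF,0xFF,0xFF,0xFC, 'x' };

/* What a 32-bit offset becomes if the length is added unchecked. */
uint32_t naive_next_offset(uint32_t off, uint32_t blob_len)
{
    return off + 4 + blob_len;          /* wraps modulo 2^32 */
}

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Count items of the assumed form [4-byte big-endian length][data] in
 * buf[0..len). Returns the item count, or -1 as soon as a prefix is cut
 * short or claims more data than remains, so the walk always terminates.
 */
long count_prefixed_items(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    long items = 0;

    while (off < len) {
        size_t remaining = len - off;   /* cannot underflow: off < len */
        uint32_t blob_len;

        if (remaining < 4)
            return -1;                  /* truncated length prefix */
        blob_len = read_be32(buf + off);
        /* Compare against what is left; never form off + blob_len first. */
        if (blob_len > remaining - 4)
            return -1;                  /* length runs past the buffer */
        off += 4 + (size_t)blob_len;    /* always advances by >= 4 */
        items++;
    }
    return items;
}
```

For SAMPLE_BAD, naive_next_offset(0, 0xFFFFFFFC) wraps back to 0, which is the no-progress condition behind the infinite-loop risk; the bounded walk rejects the same input on the first item.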