Commit Graph

87803 Commits

Author SHA1 Message Date
Pascal Quantin 274e67998e tshark: add support for field alias when specifying a list of fields to display
The ek/pdml/json output will display the new filter name and not the
aliased older one
2023-06-13 21:49:46 +00:00
Huang Qiangxiong aa54f33700 Reassembly: make streaming reassembly support DESEGMENT_ONE_MORE_SEGMENT
Make reassemble_streaming_data_and_call_subdissector() allow subdissector
to set pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT.
2023-06-13 21:03:43 +00:00
Nardi Ivan 7839a96040 tls-utils: add some more PQ key exchange algorithms 2023-06-13 19:18:31 +00:00
John Thacker a39c9fc9b1 ieee80211: Don't access uninitialized memory
Certain types of Data frames with the To DS and From DS
bits set don't contain a BSSID address. Check for that, and
store null data in that case to the retransmission hash table.

Fix #18648.
2023-06-13 18:46:19 +00:00
Alexis La Goutte bbe409242b GRE: Add gre.subproto table for get decode as for GRE
With Data or Ethernet for the moment...
2023-06-13 17:30:23 +00:00
Gerald Combs cf1832ae14 Lua: Add a browser SSLKEYLOG launch script
Add a script that launches Chrome or Firefox with SSLKEYLOG set.
2023-06-13 17:26:49 +00:00
David Perry 80ae370811 Allow disabling unused dissectors from PHS dialog 2023-06-13 17:12:26 +00:00
John Thacker 801554fb79 Add a capture file state for a pending read
When not updating the packet list during a capture, the capture
file structure isn't set up, but there is a pending capture.

We currently treat that as "finished reading", but that means
that other code assumes that all the structures are set up and
can crash, and also don't prompt regarding unsaved packets when
trying to close Wireshark.

Add a state for FILE_READ_PENDING that sometimes should be treated
similar to FILE_CLOSED and sometimes should be treated similar to
FILE_READ_IN_PROGRESS.

This fixes a crash when enabling "update packet list during a capture"
while a capture is in progress, as well as a crash when applying a filter
while a capture is in progress but real time packet list updates are
off.

Keep track of the number of packets that the capture child has reported
that haven't been read yet, so that the capture statistics stay accurate
even if the pref is toggled. Also run the main status bar statistics at
the end, so that if any packets are processed in cf_finish_tail() they
are reported.

This also restores status bar statistics for when update packet list
during a capture is off, which 461fb517d1
accidentally disabled.

Fix #4035
2023-06-13 17:09:50 +00:00
João Valverde c58705654d CMake: Use a better definition for WIRESHARK_INSTALL_CMAKEDIR
Previously this was lib/wireshark/cmake. Use lib/cmake/wireshark
instead. Both are standard search paths but the second is more
conventional and in line with expected package behaviour on Unix.
2023-06-13 17:05:56 +00:00
David Perry 194b578e82 Document use of pytest with external tests
It is straightforward to run Python-based tests which are outside the
Wireshark source tree.
2023-06-13 15:31:09 +00:00
John Thacker 8fa1b097db Qt: Add hint text when selecting a field in PacketDialog
Add hint text when selecting a field in a PacketDialog like
what is added to the MainStatusBar when selecting a field.
Also restore the initial information when leaving the packet
bytes region (if hover highlighting is enabled.)

Half of #18731
2023-06-13 14:51:25 +00:00
John Thacker a76b2254a2 HART-IP: Register dissectors by name
Register the HART-IP dissectors by name so that they are available
in Lua.

A case of #5612. Fix #19064
2023-06-13 08:25:18 -04:00
Maxime Meignan 017af7dcd0 RPC_NETLOGON: Fixes parsing errors in NetrServerPasswordSet2 request/reply
* First 4 parameters of NetrServerPasswordSet2 are identical from
  NetrServerAuthenticate3
* UNICODE_STRING_512 is 512 bytes long, not 512 wchar_t long
* netlogon_dissect_netrserverpasswordset2_reply parsed the AUTHENTICATOR
  incorrectly
2023-06-13 12:06:22 +00:00
Joakim Karlsson 0b1c7569f0 debian: add missing symbols 2023-06-13 12:04:56 +00:00
Stig Bjørlykke 56c53ea776 http: Add a field for Range and Content-Range 2023-06-13 11:33:50 +00:00
João Valverde 5a63a543cf Github: Fix Windows build
Replace deprecated and now removed 'cinst' command.
2023-06-13 10:55:04 +00:00
João Valverde 6bf84fe876 CMake: Fix Lua52 URL 2023-06-13 11:36:17 +01:00
Roman-Koshelev 3bc885f746 TURN: Remove dead code 2023-06-13 06:39:24 +00:00
John Thacker e2da052757 wiretap: Don't close an already closed file descriptor
Don't try to close a file descriptor that's invalid (because
it's already been closed.)

Fix #18679.
2023-06-12 23:02:12 -04:00
Johnathan Raymond a605d7ac8c Revert sharkd newline processing changes
This reverts commits:
    812f40e470,
    6522999276,
    c9e91d7290

The changes merged as part of !6493 prevent the sharkd command from
processing either until the input buffer is full or the client sends an
EOF, by convention closing the connection. This renders sharkd unusable
for most applications.

The intended behavior from #17823 is to parse character by character
until a matching set of braces (`{}`) is detected. Until that behavior
can be implemented, reverting to the prior behavior.
2023-06-12 16:41:08 -07:00
Danielle Church 1fea6aaf7a Fix lua FieldInfo sort ordering
Left and right were swapped in the __le and __lt functions, fixed.
Also, since start+length points to the byte *after* the end of the
field, changed the operator in __lt to a <= instead of a <.

This is technically a breaking change, but it does bring the behavior
into line with the documentation.
2023-06-12 23:07:31 +00:00
Trevor Bergeron afff4e026d Lua: DNS: Fix Fields for multi-question queries
`my_field().display` uses the first FieldInfo in the multival, so all
question trees would display the type and class from the first question.

Queries with more than one question aren't used on the modern internet,
but let's handle it correctly anyway in the example code.
2023-06-12 22:53:46 +00:00
Trevor Bergeron ce476f79b4 Lua: Fix root zone queries in DNS example
Queries for the root zone (e.g. `dig -t NS`) produce a name of only `\x00`,
which would cause the query parser to fail.
2023-06-12 22:53:46 +00:00
Nan Xiao 15013ab136 RTP Analysis: Fix nominal and arrival times calculation
Previously, the nominal and arrival times are calculated based on first packet
in the RTP stream, but there is a corner case: if the stream codec changes in the
middle, e.g., from AMR-WB to AMR, the nominal time will be calculated using the
current codec frequency, and it is not correct and will affect diff and jitter.

This fix will calculate nominal and arrival times based on previous in-sequence
RTP packet.
2023-06-12 22:20:30 +00:00
Hiddencodes Sec 3c944de9df Fix SMB1 SMB_COM_SESSION_SETUP_ANDX (0x73) parsing failure. 2023-06-12 21:31:27 +00:00
Huang Qiangxiong cd3275c1b5 Reassembly: add helper macros
Add REASSEMBLE_ITEMS_DEFINE, REASSEMBLE_INIT_HF_ITEMS
 and REASSEMBLE_INIT_ETT_ITEMS helper macros to define and
 initialize hf and ett items of reassembly much easier.

Make packet-http.c use these macros.
2023-06-12 21:22:04 +00:00
Chuck Craft d7eedba8e2 editcap: if verbose print Total selected for output
Ours is not to reason why...
https://ask.wireshark.org/question/27919/
Allow user to create an empty output file but remind them that is
what they asked for.
2023-06-12 21:05:25 +00:00
kirstenv 6a8bdf192c E212: switch MCC and MNC fields from uint to string
Storing MCC and MNC as uint can cause loss of info when they are prefixed with 0's.
E.G. MNC=007 or MNC=01 (Prefixed 0's are lost). Storing them as a string fixes this.

Fixes #19114
2023-06-12 18:17:03 +00:00
Pascal Quantin 52e8c21924 JSON 3GPP: fix a typo in hf name 2023-06-12 17:40:41 +00:00
Gerald Combs 591f89d785 Add a script to convert GLib types to their C equivalents
Convert wsutil/802_11-utils.[ch] as a test.

Update some of our documentation.

Ping #19116
2023-06-12 17:32:56 +00:00
Nicolás Alvarez 0f71aa256c Remove unnecessary null check in SequenceDialog
SequenceDialog::diagramClicked is checking whether the 'event' argument is
null, but later it dereferences 'event' outside the conditional, so if it
was null it would crash anyway. It doesn't seem possible for the event
argument to actually be null, so this commit removes the redundant check
here and in mouseMoved. I'm also adding an assert to document the non-null
assumption.

Bug found by clang static analyzer.

Fixes #17426.
2023-06-12 17:24:31 +00:00
Gerald Combs 7c04f38022 CMake+Windows: Use "x64" instead of "win64"
Use "x64" to refer to "Windows running on 64-bit Intel processors". Get
rid of WIRESHARK_TARGET_PROCESSOR_ARCHITECTURE in favor of
WIRESHARK_TARGET_PLATFORM because the latter is shorter.
2023-06-12 17:18:05 +00:00
John Thacker e0f1f8dbf3 TLS: Fix TLS tunneled within TLS
In order to retrieve the correct set of TLS information, previously
pinfo->curr_layer_num was used. However, this is not a stable
identifier between the first and later passes, as subdissectors that
couldn't dissect data due to fragmentation on the first pass aren't
called on later passes.

To fix issue #16109, the layer number wasn't used at all, which did
break TLS over TLS.

We now have pinfo->curr_proto_layer_num which specifically counts
the number of layers of the current protocol instead of the total
number of layers; using that instead fixes TLS within TLS (in most
situations; some very rare cases, e.g. DVB baseband frames with
multiple TCP PDUs, which might be from the same or from different
TCP connections, might not work, but those don't work currently either)
while not reopening #16109.

Add tests for both cases, the one fixed by the other workaround and
for TLS over TLS.

As noted in the comments to #16109, there are other dissectors that
use curr_layer_num that might break in some cases because it's not stable.

Fix #17977.
2023-06-12 17:09:09 +00:00
Joakim Karlsson 001930e1e5 file: fix might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered] 2023-06-12 17:03:11 +00:00
Stig Bjørlykke 97ae7cdf2f Qt: Position selected packet at center
Position selected packet at center after setCurrentIndex() when
Go To Packet, after redissect packets and after moving column.

This is better than position at bottom in most cases.
2023-06-12 17:00:46 +00:00
Ismael Mendez Matamoros 3b6164918c RTPS: Change the description of SRTPS Prefix Vendor-Specific Content flag
The description of new SRTPS Prefix flag (0x80) currently says
Transport-Specific Message. In the process of standardization,
this use case broadened and it must be reflected in the flag’s
name. The new description of the flag is Vendor-Specific Content.
2023-06-12 16:59:14 +00:00
Pascal Quantin edaece6aa8 JSON 3GPP: use http2_get_header_value() to fetch HTTP2 path 2023-06-12 18:11:54 +02:00
João Valverde 7f0874b1f9 MSYS2: Use Lua 5.2 and update documentation 2023-06-12 15:21:48 +01:00
João Valverde f21288593e WSDG: Move a line to the proper place 2023-06-12 15:15:30 +01:00
João Valverde ae87a9983a WSDG: Add cross-compilation instructions for Arch Linux 2023-06-12 14:52:44 +01:00
Hiddencodes Sec 7837cec8f4 Use dataoffset in SMB_Parameter to access the data in SMB_COM_WRITE_ANDX 2023-06-12 11:57:24 +00:00
Albert Chuang 877a1e1120 ieee80211: Add EHT Trigger frame dissector and add new fields in some elements 2023-06-12 10:33:02 +00:00
João Valverde 5cf217a44a CMake: Improve repository configuration 2023-06-12 08:42:25 +00:00
João Valverde 04fe30ade7 CMake: Fix Qt configuration
Fixes f8f85cb9ad.
2023-06-12 08:41:50 +00:00
João Valverde 053e691931 mingw-rpm-setup: Add cmake
[skip ci]
2023-06-12 09:32:53 +01:00
João Valverde a8ccf08aa7 mingw-rpm-setup: Install git and patch 2023-06-12 08:41:51 +01:00
João Valverde a6b7a7c4a3 Gitlab CI: Enable FETCH_lua for MinGW-w64 builds
Download and build Lua with the MinGW-w64 job. Use a mirror
link to avoid taxing the upstream FTP server.
2023-06-12 06:35:59 +00:00
João Valverde 687b24d5b3 CMake: Add option to download and build Lua
This adds a FETCH_lua CMake option to download and build a static
lua library as part of Wireshark's build, using CMake's
ExternalProject.

This is useful to avoid having to add a MinGW Lua 5.2 binary package
for every distribution one might want to support for cross-compilation,
for an easy to build project like Lua that was designed specifically
for embedding.

This is opt-in and should be useful for every platform where Lua 5.2
is not packaged (and there are many).

Tested using Arch Linux with cross and non-cross builds using GCC.
2023-06-12 06:35:59 +00:00
John Thacker bb9e66aea7 Qt: Fix PacketDialog secondary data sources crash after closing file
The first data source tvb associated with a packet is always freed,
along with its data, at the same time as the associated pinfo->pool
scoped data and the tree, if any, in epan_dissect_cleanup() or
epan_dissect_reset().

Not so for secondary data sources; while the vast majority of data
source tvbs are chained to the first data source and so also freed
at the same time, and almost all of the others are never freed and
just leak (sometimes because of an exception before being set as a
child), it's not uncommon to have a tvb whose real data is at file
scope, with the assumption that this will outlive any packet scope.
(Note that the real data is not copied, for speed and memory usage.)

This is, for example, how epan/reassemble.c works, with the data
freed when a file is closed (although it is not managed by wmem.)

When a PacketDialog persists after the capture file closes, this
assumption is falsified. As we do not have a perfect way to detect
the scope of the real data (we could introduce a function to check
if the free_cb is NULL, which would be suggestive but not absolute),
deep copy the data for secondary data sources when the parent
PacketDialog indicates that the capture file is about to close.
Also, avoid calling API functions that examine the real data.
Looking at the offsets is OK, as proto_find_field_from_offset() does.

While it could be possible to clone the data source tvbs located in
edt->pi.data_src, the pointers would need to be updated in each of
the field_infos in the edt's tree as well.

Currently no dissectors (or other code) attach data source tvbs where
the tvb itself, not just the real data, is freed when a file is closed.
If they did, that could still cause a crash.

Fix #14363
2023-06-11 23:54:23 +00:00
Gerald Combs fedcf129fc CMake: Update a sanity check 2023-06-11 16:31:50 -07:00