and following packet order for field
Change-Id: I724f3d87e02d182021e53eb9f78644420843e593
Reviewed-on: https://code.wireshark.org/review/29936
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
* UCC-REQ does not contain any Annex C TLVs
* Align INFO field for UCC REQ and RSP to similar DOCSIS packets
Change-Id: I2cdad12aaf5036b9130c8af3d131ee3a6b317923
Reviewed-on: https://code.wireshark.org/review/29948
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For Data frames with ToDS=1|FromDS=1 and a Frame body containing A-MSDU,
the Addr3 and Addr4 fields are not Destination/Source addresses (DA/SA),
but BSSID/BSSID. Use the RA/TA fields for the Hw Dest/Src columns and
add another BSSID field for Addr4 (should match Addr3, but in theory the
wire format could have different values).
While at it, fix the A-MSDU case for other cases to match 802.11-2016
Table 9-26 Address field contents. The "Short A-MSDU" case as used by
DNG STAs is not handled here though.
Tested against a capture with MSDU frames (all but ToDS=1|FromDS=1) and
the test case from the linked bug.
Bug: 15144
Change-Id: Ic832d7cd7b8e05a1408353cb79c07efed0fb19cc
Reviewed-on: https://code.wireshark.org/review/29935
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The returned offset must be non-zero or the data dissector is invoked.
Change-Id: Iaff6e1f19fc94e17b41ad06a8be491fbec4835ba
Fixes: v2.9.0rc0-1797-g91c5942c93 ("QUIC: implement packet coalescing (draft >= 11)")
Reviewed-on: https://code.wireshark.org/review/29945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's a blob of bytes, so the right type is guint8 *, not guchar *.
Change-Id: I74afa95da1e14866af68f1580cfbccd55f08ed65
Reviewed-on: https://code.wireshark.org/review/29944
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's a blob of bytes, so the right type is guint8 *, not guchar *.
(Yes, in practice, they're both typedefs for "unsigned char" - sadly,
C's data types didn't make a distinction between "byte-sized integral
value" and "character" - but given that we have different names, let's
use them to make it clearer what's being done.)
Change-Id: Idb10a208877c84df0432043d69d4aff5a2b2f803
Reviewed-on: https://code.wireshark.org/review/29943
Reviewed-by: Guy Harris <guy@alum.mit.edu>
We use the per-file encapsulation everywhere else; use it there as well.
Change-Id: I3e3df234a9f541a9d90e54a3c0f41b5019e00bb3
Reviewed-on: https://code.wireshark.org/review/29940
Reviewed-by: Guy Harris <guy@alum.mit.edu>
See https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03
the value is TEMPORARY registered to IANA (registered 2018-05-23, expires 2019-05-23)
Change-Id: I5a91ad4f1366cd7f0fa077677f227a66591494b6
Reviewed-on: https://code.wireshark.org/review/29796
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When saving the colorfilters file, keep and disable unknown coloring
rules instead of removing them. The user may want to correct the syntax.
Change-Id: Ib27612a0601276b6ebbb467d7d253f3f72103d1c
Reviewed-on: https://code.wireshark.org/review/29908
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reset prefs.unknown_colorfilters in the beginning of read_filters_file()
to avoid a situation when the preference is set and never cleared.
This will end up with an error message in UI even when not having
unknown color filters.
Change-Id: I835dbc2a57f0be6889eb5bce250987dabd796e30
Reviewed-on: https://code.wireshark.org/review/29904
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
That way, we don't need a chunk of code in epan/prefs.c that knows about
various preference module mappings; individual dissectors can register
aliases as appropriate.
(The Nortel Discovery Protocol never *had* any preferences, even when
it was the SynOptics Network Management Protocol, so there's no need for
it to register an alias.)
Change-Id: I4a718dac6bb06801cc06a6ee5a28d7ed81e67e5d
Reviewed-on: https://code.wireshark.org/review/29914
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make them obsolete preferences; if they had any use, it was with the
now-removed GTK+ UI.
Change-Id: I2b514148c8066c5c79cb402493f47a21d3679819
Reviewed-on: https://code.wireshark.org/review/29912
Reviewed-by: Guy Harris <guy@alum.mit.edu>
They're no longer used by any of the printing code; mark them as
obsolete.
Change-Id: Iceaf14f48f1bd35757a9a158a5348f6202b90fc7
Reviewed-on: https://code.wireshark.org/review/29911
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Issue was spotted because the bit used by Wireshark in this field
didn't make sense, as the same bit was being used by MS Power field.
According to spec "3GPP TS 44.004" section "7.2 SACCH uplink block format",
the field is located in bit 6 of the 1st octet.
Change-Id: Ia4390b79d9d2b3966c4ca69eda0bf1ae10be7398
Reviewed-on: https://code.wireshark.org/review/29893
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
current_stream_id is only defined when built with HAVE_NGHTTP2. One
option is to create the session with stream ID unconditionally. As the
subdissector (DoH) is chosen based on the Content-Type header and
parsing of such headers is only possible with nghttp2, don't bother.
Change-Id: Iefee65210974bf5b8b75c6870a0476567b6830e5
Fixes: v2.9.0rc0-2007-gcc69e09981 ("HTTP2: allow subdissectors to query the Stream ID")
Reviewed-on: https://code.wireshark.org/review/29896
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Continue dissecting if we find an empty line. Add an entry for the
_SYSTEMD_USER_SLICE field.
Change-Id: Id6e970b785e359095fbd8101e071f2d8cabcaf53
Reviewed-on: https://code.wireshark.org/review/29897
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Handle DoH messages specially, use the HTTP/2 Stream ID for matching
requests with responses. Fixes misleading "retransmission" expert infos
and properly link (successive) requests with (out-of-order) responses.
Change the "Protocol" column to "DoH" while at it.
Change-Id: I42b22c5c8560ee029051dcb3561e188572a4245f
Ping-Bug: 14433
Reviewed-on: https://code.wireshark.org/review/29889
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Add the new elements introduced for OWE:
- OWE DH Parameter in the association request/response as specified in RFC 8110
- OWE Transition Mode element as specified in "Opportunistic Wireless Encryption Specification version 1.0" by the WiFi Alliance
Bug: 15146
Change-Id: I9b6c6de459899ce28c909bf79bdde431e50679c9
Reviewed-on: https://code.wireshark.org/review/29850
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In case the TLS key log file is provided by means other than a file,
split the file reading part from the contents processing part. Adjust
the line handling logic to allow immutable strings. Stick to fgets to
avoid partial lines in case the read buffer is full.
Rename some SSL -> TLS while at it.
Change-Id: I28da96834833e6096074ce122a6ebc3484655d9f
Reviewed-on: https://code.wireshark.org/review/29890
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This will be used by the DNS dissector to distinguish different
request/response pairs over the same connection (for DoH).
Change-Id: I53721904b007847861807faa1a2137e696639428
Reviewed-on: https://code.wireshark.org/review/29888
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This is required for the latest version. The message type "dns/message"
was briefly used in draft -06, but it was changed in the next version.
Change-Id: If26e367b71b7e270cad2f61eaee76041f530273c
Ping-Bug: 14433
Reviewed-on: https://code.wireshark.org/review/29887
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When (1) a frame has multiple TLS application data records and (2) two
of them request reassembly of a new PDU, then the second fragment would
be considered conflicting with the first one since the PDUs (MSPs) are
identified by the frame number of the starting frame.
This behavior was observed in a firefox-http2-frag.pcap
(attachment 16616) which uses tcp_dissect_pdus to trigger reassembly:
    Frame 19: 8694 bytes on wire (69552 bits), 8694 bytes captured (69552 bits)
    ...
    Transport Layer Security (8640 bytes)
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (1369 bytes) <-- 7/7 last segment of previous PDU
    SSL segment data (1203 bytes) <-- 1/5 first segment of new PDU
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (1369 bytes) <-- 2/5
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (1369 bytes) <-- 3/5
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (1369 bytes) <-- 4/5
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (976 bytes) <-- 5/5
    TLSv1.3 Record Layer: Application Data Protocol: http2
    SSL segment data (1369 bytes) <-- 1/? first segment of another PDU
    [5 Reassembled TLS segments (6286 bytes): #19(1203), #19(1369), #19(1369), #19(1369), #19(976)]
    [7 Reassembled TLS segments (8201 bytes): #17(1190), #17(1369), #17(1369), #18(1369), #18(1369), #18(1369), #19(166)]
    HyperText Transfer Protocol 2 (8201 bytes, reassembled PDU)
    Stream: DATA, Stream ID: 17, Length 8192 (partial entity body)
    ...
    (7/7 finishes previous reassembly, see "7 Reassembled TLS segments")
    HyperText Transfer Protocol 2 (1203 bytes, start of new PDU)
    HyperText Transfer Protocol 2 (6286 bytes, reassembled PDU)
    Stream: DATA, Stream ID: 17, Length 6277 (partial entity body)
    ...
    (all fragments are in this frame, see "5 Reassembled TLS segments")
    HyperText Transfer Protocol 2 (1369 bytes, start of another PDU)
    [Reassembly error, protocol SSL: Frame already added in first pass]
TLS records for fragments 1/5 and 1/? both start a new PDU and would
thus invoke fragment_add with the same identifier. That results in the
Reassembly error which breaks further decryption. Reduce the probability
of this issue by mixing in the TLS stream position of the fragment.
Bug: 11173
Change-Id: I5536f3010b156555f1d7ae6dc98e08c030c8f771
Reviewed-on: https://code.wireshark.org/review/29871
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
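The identifier collision described in the commit message above, as an added example that is not Wireshark's code: a toy reassembly table rejects a second PDU start with the same id, first keyed by frame number only and then with the stream position mixed in. The table, the mixing function and the starting stream position (20000) are assumptions made for illustration; the segment lengths are those listed for frame 19.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PDUS 8
#define NSEG 7

/* Toy reassembly table (not Wireshark's): ids of PDUs already started. */
struct reasm_table { uint32_t ids[MAX_PDUS]; unsigned n; };

/* Start a PDU: 0 on success, -1 if the id is taken or the table is full. */
static int pdu_start(struct reasm_table *t, uint32_t id)
{
    for (unsigned i = 0; i < t->n; i++)
        if (t->ids[i] == id)
            return -1;
    if (t->n == MAX_PDUS)
        return -1;
    t->ids[t->n++] = id;
    return 0;
}

typedef uint32_t (*id_fn)(uint32_t frame, uint32_t pos);

static uint32_t id_frame_only(uint32_t frame, uint32_t pos) { (void)pos; return frame; }

/* Hypothetical mix. The multiplier is odd, so two different positions in
 * the same frame never share an id; other frames can still collide. */
static uint32_t id_frame_and_pos(uint32_t frame, uint32_t pos)
{
    return frame ^ (pos * 2654435761u);
}

/* Frame 19 as listed in the commit message; 1 marks a segment starting a PDU. */
static const uint32_t seg_len[NSEG] = {1369, 1203, 1369, 1369, 1369, 976, 1369};
static const int seg_start[NSEG]    = {0, 1, 0, 0, 0, 0, 1};

/* Number of PDU starts rejected as duplicates under the given id scheme. */
static int count_conflicts(id_fn make_id)
{
    struct reasm_table t = {{0}, 0};
    uint32_t pos = 20000; /* constructed stream position at start of frame 19 */
    int conflicts = 0;
    for (unsigned i = 0; i < NSEG; i++) {
        if (seg_start[i] && pdu_start(&t, make_id(19, pos)) != 0)
            conflicts++;
        pos += seg_len[i];
    }
    return conflicts;
}

int main(void)
{
    printf("frame only: %d, frame+pos: %d\n",
           count_conflicts(id_frame_only), count_conflicts(id_frame_and_pos));
    return 0;
}
```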
proto_tree_add_item with a zero length argument could end up calling
tvb_get_ptr to retrieve the (empty) backing buffer. This empty tvb was
possibly the result of bad reassembly, but let's gracefully handle it to
avoid a dissector exception.
Call trace for the original exception (only present on the first pass):
    proto_report_dissector_bug (format=0x7ffffffecea0 "") at epan/proto.c:1368
    ensure_contiguous_no_exception (tvb=0x6060001a5460, offset=0, length=0, pexception=0x7ffffffed060) at epan/tvbuff.c:775
    ensure_contiguous (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:785
    tvb_get_ptr (tvb=0x6060001a5460, offset=0, length=0) at epan/tvbuff.c:906
    subset_get_ptr (tvb=0x607000194b90, abs_offset=0, abs_length=0) at epan/tvbuff_subset.c:58
    ensure_contiguous_no_exception (tvb=0x607000194b90, offset=0, length=0, pexception=0x7ffffffed3c0) at epan/tvbuff.c:773
    ensure_contiguous (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:785
    tvb_get_ptr (tvb=0x607000194b90, offset=0, length=0) at epan/tvbuff.c:906
    proto_tree_set_bytes_tvb (fi=0x608000535ca0, tvb=0x607000194b90, offset=0, length=0) at epan/proto.c:3862
    proto_tree_new_item (new_fi=0x608000535ca0, tree=0x604000543150, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:2318
    proto_tree_add_item_new (tree=0x604000543150, hfinfo=0x7ffff30e91f8, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3381
    proto_tree_add_item (tree=0x604000543150, hfindex=65120, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/proto.c:3391
    dissect_body_data (tree=0x604000543150, pinfo=0x614000000a58, tvb=0x607000194b90, start=0, length=0, encoding=0) at epan/dissectors/packet-http2.c:1974
Change-Id: Icfae83d61ddcc9e26f16eab7f6e0e84e2f0d73ac
Reviewed-on: https://code.wireshark.org/review/29851
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Treat systemd journal entries as filetype-specific events instead of
packets.
Add support for reading and writing systemd journal entries to pcapng.
Note that pcapng IDBs should be optional.
Add support for REC_TYPE_FT_SPECIFIC_EVENT where needed.
Change-Id: Ided999b1732108f480c6c75323a0769a9d9ef09f
Reviewed-on: https://code.wireshark.org/review/29611
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
The frame.protocols list does not contain "ssl" and thus the expert info
"Unencrypted HTTP protocol detected over encrypted port, could indicate
a dangerous misconfiguration" was shown even for the normal HTTPS port.
This also renames the http.ssl_port to http.tls_port with no backwards
compatibility, hopefully that is reasonable.
Change-Id: I5c8481693ff63dc0a19b4dc1de431680bdda3244
Reviewed-on: https://code.wireshark.org/review/29828
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
In the long run, we'd like to remove the time stamp from the frame_data
structure, as, in Wireshark, and in TShark in two-pass mode, there's one
allocated for every frame in the file, and shrinking the size of that
structure reduces the memory usage.
This removes one obstacle to that.
Change-Id: Ia8f87522cd974555c57e0ac1e742b097e8b0f2fc
Reviewed-on: https://code.wireshark.org/review/29881
Reviewed-by: Guy Harris <guy@alum.mit.edu>
it is the first release to start to follow IETF QUIC (draft-12)
Update also the heuristic to detect Q044
Bug: 15131
Change-Id: Ieec7d75a2a0a7ab1ddacfb88d86cb9856cd67164
Reviewed-on: https://code.wireshark.org/review/29572
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
RFC 6887 states that options have to be padded to a multiple
of 4 octets. This commit adds missing padding.
Bug: 14950
Change-Id: I68a0631ecdd2f30e24e83b1a6e8dfc55856c9c94
Reviewed-on: https://code.wireshark.org/review/29832
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
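The padding rule cited in the commit message above, as an added example that is not Wireshark's dissector code: a bounds-checked walker over a PCP options region (RFC 6887 option header: code, reserved octet, 16-bit length that excludes padding), run once with padding honoured and once without. The function name, the `honor_padding` switch and the sample bytes (option code 200 is constructed) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCP_OPT_HDR 4 /* code (1) + reserved (1) + length (2, big-endian) */

/* Walk a PCP options region. Returns the number of options found, or -1 if
 * one runs past the buffer. With honor_padding == 0 the walker advances by
 * the raw Option Length, which is the behaviour being contrasted. */
static int pcp_walk_options(const uint8_t *buf, size_t len, int honor_padding,
                            uint8_t *codes, size_t max_codes)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < PCP_OPT_HDR)
            return -1;                      /* truncated option header */
        size_t data_len = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        size_t step = honor_padding ? (data_len + 3) & ~(size_t)3 : data_len;
        if (step > len - off - PCP_OPT_HDR)
            return -1;                      /* data or padding past the end */
        if ((size_t)n < max_codes)
            codes[n] = buf[off];
        n++;
        off += PCP_OPT_HDR + step;
    }
    return n;
}

/* Constructed sample: option code 200 with 5 data octets and 3 pad octets,
 * followed by PREFER_FAILURE (code 2, length 0). */
static const uint8_t sample_opts[] = {
    200, 0, 0, 5,  1, 2, 3, 4, 5,  0, 0, 0,
    2, 0, 0, 0,
};

int main(void)
{
    uint8_t codes[4] = {0};
    int padded = pcp_walk_options(sample_opts, sizeof sample_opts, 1, codes, 4);
    int naive  = pcp_walk_options(sample_opts, sizeof sample_opts, 0, codes, 4);
    printf("padded walk: %d options, naive walk: %d\n", padded, naive);
    return 0;
}
```

Without the padding step the walker lands inside the pad octets, reads a bogus header and then fails on the truncated remainder.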
It's not just for X.25, it's for anything that has the notion of Data
Terminal Equipment and Data Communications Equipment; call it "dte_dce",
not "x25".
Change-Id: I3d51fec8b424e91ffd6d59895f50fc5ece791b08
Reviewed-on: https://code.wireshark.org/review/29834
Reviewed-by: Guy Harris <guy@alum.mit.edu>
gcd95e197ca renamed a bunch of "<proto>.ssl.port" preferences to
"<proto>.tls.port" but neglected to add obsolete entries for the old
preferences. Do so here.
Rename couchbase.tls_port to couchbase.tls.port to be in line with the
other TLS port preferences.
Change-Id: Ie23d6be0a5cb3616f37e41dbfbf13ad1b7206473
Reviewed-on: https://code.wireshark.org/review/29829
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>