Column info is tuned for better readability. It containes CAN ID and Length.
The same applies to protocol item within protocol tree.
Entire packet data (payload) should not be printed to column info by default.
So this behaviour is removed.
Per mailing list discussion:
https://www.wireshark.org/lists/wireshark-dev/202107/msg00030.html
Long-term we want to get rid of the wmem_*_scope globals in favour of
passing wmem pools around. Step one is to replace all reasonable uses of
wmem_packet_scope() with pinfo->pool which has effectively the same
lifespan. This converts the TCP dissector as a proof of concept. TCP is
a common enough protocol this should stress-test the idea fairly well.
* The next_byte variable is taken before the pointer moved forward, this lead
to stop parsing get request packets when object is 0. This commit fixes it.
Signed-off-by: Arkady Gilinsky <8351139-ark-g@users.noreply.gitlab.com>
Introduces two new dissector tables can.id and can.extended_id to enable a
more precise control of subdissectors dependent on the can id which is often
used to identify the the payload.
Since standard CAN IDs and extended IDs can be used in the same network and
their ranges overlap it is necessary to have two different dissector tables.
Existing Decode as dissector table can.subdissector stays as is to prevent a
breaking change. But new dissector tables can.id and can.extended_id get
priority over can.subdissector since they are more specific. Id they get a
match can.subdissector won't be called.
New dissector tables can.id and can.extended_id are accessible in lua scripts
via DissectorTable:add() while can.subdissector unfortunately is not.
For related Discussion see MR !3405
We use some private functions from MIT kerberos:
- krb5_free_enc_tkt_part()
- decode_krb5_enc_tkt_part()
- encode_krb5_enc_tkt_part()
but we already do that for krb5int_c_mandatory_cksumtype(),
which is newer than the above functions.
We use all of them only under HAVE_KRB5_PAC_VERIFY,
so we don't seem to need additional configure tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This patch adds support for LIN (Local Interconnect Network) as
well as support for:
- Signal PDUs on LIN
- ISO 15765 (ISO TP) on LIN
- TECMP transported LIN is handle like LIN
LIN is a simple automotive fieldbus to connect for example simple
sensors and actuators to an electronic control unit.
Mark wsutil's includes SYSTEM PRIVATE. This exposed a lot of targets
that were indirectly picking up include paths via the wsutil target, so
add direct includes where needed. The G.722 and G.726 codecs were
implicilty including tiffio.h; find it explicitly instead.
Mark some of wsutil's libraries PRIVATE, but leave commonly-used ones
PUBLIC.
Ping #17477.
Currently there can be multiple dlm messages in one tcp segment and in
some cases dlm message can be overlapped between two segments. The main
fix would be that we can now dissect multiple dlm messages if they
appear in one tcp segment. It's still own as one message in the "packet
flow" but in tree view it will be displayed as multiple messages which
are not visible.
For sctp the problem still exists, although there can't be overlapped messages.
epan/CMakeLists.txt set both SYSTEM PUBLIC and SYSTEM PRIVATE for
GLIB2_INCLUDE_DIRS. The PUBLIC keyword adds it to the
INTERFACE_INCLUDE_DIRECTORIES property, which is only appropriate for
includes that we ship with Wireshark, so remove that one. Make
GLIB2_LIBRARIES private as well.
Fixes#17477.
wmem has many assertions during dissection, these are assumed to have
a measurable performance impact so remove assertions with
WS_DISABLE_ASSERT, like is done elsewhere.
We don't use ws_assert() to avoid a dependency on wsutil.
g_assert_not_reached() does not have a performance impact and for
that reason should not be disabled.
This allows wsutil to depend on wmem without introducing a circular
dependency.
Although wmem is included in epan it is in many ways an independent
library and it should remain so.
Reuse the DIAMETER dissector for 3GPP-ULI for RADIUS as well.
The DIAMETER dissector for 3GPP-ULI IE is more complete than the RADIUS
version. The format of the IE is the same in RADIUS and DIAMETER.
"User" sounds as if the blocks belong to the user; at most, the current
user might have modified them directly, but they might also have, for
example, run a Lua script that, unknown to them, modified comments.
Also, a file might have "user comments" added by a previous user, who
them wrote the file and and provided it to the current user.
"Modified" seems a bit clearer than "changed".
Mostly functioning proof of concept for #14329. This work is intended to
allow Wireshark to support multiple packet comments per packet.
Uses and expands upon the `wtap_block` API in `wiretap/wtap_opttypes.h`.
It attaches a `wtap_block` structure to `wtap_rec` in place of its
current `opt_comment` and `packet_verdict` members to hold OPT_COMMENT
and OPT_PKT_VERDICT option values.
This functionality has been added in d2a660d8, where its limitations
are described.
Improvements:
* the Substream index menu now properly filters for available stream numbers;
* Follow Stream selects the first stream in the current packet
Known issue (which is still there): if a packet contains multiple QUIC
streams, then we will show data also from streams other than the selected
one (see #16093)
Note that there is no way to follow a QUIC connection.
Close#17453
Clang gives a fatal warning about "explicitly assigning value of
variable of type 'int' to itself". The statement (and the `if` around
it) are redundant, so this removes both.
It is the intention to enable more precise filtering for json. 6 changes were
made for this:
- 'json.member' becomes filterable as a string field with the key of the
member. Before the key was only appended as text but was not filterable.
- Every item gets a field 'path' which allows to filter for elments
which are at a specific position within the json. To make anonymous arrays
visible (no member key) they appear as '[]' in the path. (For example arrays
in arrays)
- Every string, number, true, false, true or null item gets a field
'path_with_value' which combines the path of this element with its value. This
allows a filtering for values of elements at a specific position within the
json.
- Every string, number, true, false, true or null item gets a field
'member_with_value' which combines the key of this element with its value. This
allows a filtering for specific key-values-pairs independently of the position
within the json.
-It is possible to hide 'path', 'path_with_value', 'member_with_value' by
a preference called 'Hide extended path based filtering'.
- If the provided buffer does not start with the json object but has some
leading bytes which does not belong to the json object there is a new option to
ignore these bytes. This behaviour can be enabled by the newly introduced
preference 'Ignore leading non JSON bytes'.
Dependending on version_info is unnecessary and forces an epan
rebuild every time the git commit id changes, which can be slow,
especially with LTO enabled, and again is unnecessary.
Printing the VCS version to the TLS debug log is a minor convenience
that doesn't justify the cost to relink epan with every commit.
It is a common use case to look at the signal raw values in hex.
This patch adds this for uint based values. Since the length of
the signal is not necessary 8, 16, 32, or 64 bit, this is done via
append_text.
The Octet string is an outlier amongst DNP3 objects as the variation
doesn't define a specific type of string but the length.
Presiously the length was not displayed in the packet details,
this change adds the length to the object header.
A sub-tlv has a 2-bytes type and a 2-bytes length, that includes
the stlv header. For this reason the full length of a stlv must be
over 4. This must be checked before converting the payload to a
string by subtracting 4 to the length.
Fix: #17459.
It has been added since its length is signed, while the underlying
bytes_to_str uses a size_t, causing an unwanted cast. Basically
passing a len < 0 is pointless.
Add the mode adaptation protocol to the tree even when it is L.1
(no actual bytes), just with no subtree in that case. This is necessary
in order to access the preferences.
Commit 5b248ac4d0 updated LDAP but
didn't update the comment about the included file line number reference.
Commit the result of running asn2wrs.py to keep things consistent.
A frame can have multiple MPEG2 TS packets, and individual TSPs can have
the end of one fragmented higher level packet and the beginning of another.
The higher level packets can have protocols like MPE that set the
address and ports on packet_info for a given frame.
Thus, in order to properly reassemble fragments togther, don't use the
addresses and ports, but do use the stream (conversation + direction) that
assigns the fragment IDs.
Replace all instances of "Nordic BLE Sniffer" with
"nRF Sniffer for Bluetooth LE" which is the name used by
nordic semiconductor for the development tool on the homepage.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Make sure that the packet has an S101 header, before setting the protocol name
with col_set_str(). Otherwise, all TCP packets on port 9000 may be
misidentified as S101 packets.
AEAD ciphers should behave in the same way as the classical
cipher+hmac methods: the ICV should be calculated and verified
if the user has enabled the authentication check in the ESP
protocol options.
This commit fixes the alignment check for the encrypted payload data
which prevented the decryption of ESP packets for 'stream ciphers'
like AES-GCM and AES-CTR, and adds an error indicator to the dissection
tree in case the check fails. The encrypted payload data needs to satisfy
the following two conditions:
- The ciphertext length needs to be a multiple of the cipher block size.
- the ciphertext needs to terminate on a 4-byte boundary.
(RFC 2406, section 2.4)
g618661b22e introduced a free for a so called memory leak (which wasn't
a real leak due to the pinfo->pool garbage collector) but used the wrong
free function. Let's keep the explicit free but use the right function.
Closes#17462
This includes as little as possible in the assertion header, so
that it can be included globally in every file without pulling
any unwanted definitions. In particular pulling stdlib.h is
avoided because that can have side effects if it wants to
include non-portable extensions.
It is possible to have side-effects from include glib.h too, for
example because of G_LOG_DOMAIN.
These side-effects are usually avoidable with careful ordering
of pre-processor directives but with multiple levels of indirections
it can be hard to track. Better to make it robust to these kinds
of failures in the first place.
Also integrate with our logger for a cohesive experience (but
keep it a private dependency).
I'm not sure in what OSes we'd get the really old name for strchr(),
index(), defined, causing compiler whining about a local variable
shadowing a function declaration, but the source checking script
complains about it, so use the name offset instead (that's the name
typically used for offsets into a tvbuff).
Fix parsing of extended advertising when the extended advertising header
is empty. The flag field is excluded when none of the fields are present
and the extended header length field is 0.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix parsing of the CTE Info field in the extended advertising header.
The bit-mask of the different fields was wrongly placed.
The text of the different fields all said "CTE Info".
The CTE Time field was added twice.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
In the fairly rare case where we have multiple MP2T streams in
opposite directions on the same UDP (or other) conversation, keep
their analysis stats and assigned fragment IDs separate. Otherwise
the fragment IDs will be incremented at the wrong time and reassembly
will fail in edge cases.
After all the previous refactoring, the ICV verification for AEAD
ciphers is rather straightforward.
Currently, the only supported AEAD cipher is AES-GCM.
Adding full support for AEAD ciphers like AES-GCM (including the
verification of the ICV) turned out to be difficult with the
current implementation of the ipsec dissector, because it does not
separate the dissection and decryption steps well enough and has
too many special cases depending on the crypto algorithms.
From a dissector's viewpoint there shouldn't be much difference
between an authenticated encryption method and a combination of
a classical encryption method with an authentication method.
What matters is how the data is structured, so much how it is
calculated.
HEADER || IV || ENCRYPTED DATA || ICV (Frame Data)
|
v
DECRYPTED DATA (Decrypted Data)
This commit tries to refactor the implementation with the goal to
minimize the differences between the different crypto operations,
in particular their operation modes (like AES-CBC,AES-CTR,AES-GCM).
It follows the example of the isakmp dissector for IKEv2 packets,
which already has a functional AES-GCM support.
The most significant changes are:
- Display the IV and ICV as part of the original Frame Data, not
as part of the Decrypted Data.
- Display the location of the encrypted data, together with
information about encryption and authentication algorithms.
- Use gcry_cipher_setiv() to set the IV for AES-CBC instead of
copying the IV into the decryption buffer as a prefix which
subsequently gets discarded.
- Don't copy the ICV into the decryption buffer where it gets
"decrypted" accidentally and needs to be restored afterwards.
- Strip the nonce from the encryption key for AES-GCM and AES-CTR
at an early stage, to reduce special treatment for those modes
due to the different key lengths.
- Add some missing dissection tree items to get full coverage
of all bytes in the Frame Data and Decrypted Data.
- Don't report dissector bugs to stderr. Instead, use the
REPORT_DISSECTOR_BUG() macro which will raise an exception.
(If the WIRESHARK_ABORT_ON_DISSECTOR_BUG environment variable
is set, the program will call abort() instead, to make it easier
to get a stack trace.)
With these changes, AES-GCM encrypted payloads now get dissected
correctly after decryption, provided the ICV length is specified
correctly. The ICV verification is still missing, it will be added
in a followup commit.
The renamings serve the purpose to improve the readability of the
code and make it more consistent with the names in packet-isakmp.c.
They are part of the refactoring but where split off into a
separate commit in order to reduce the diff noise in the following
commit, which contains the important changes of the refactoring.
The current "AES-GCM" encryption type in the `esp_sa` uat file does
not specify an ICV length, contrary to the `ikev2_decryption_table`.
The ICV does not get stripped from the encrypted data before
decrypting and dissecting it, whence the protocol type of the
decrypted frame is looked up at the wrong location. In most cases,
an invalid protocol number is found and the dissection stops, in
other cases the wrong protocol is dissected, showing garbage.
This commit adds the following new encryption types
IPSEC_ENCRYPT_AES_GCM_8: "AES-GCM with 8 octet ICV [RFC4106]"
IPSEC_ENCRYPT_AES_GCM_12: "AES-GCM with 12 octet ICV [RFC4106]"
IPSEC_ENCRYPT_AES_GCM_16: "AES-GCM with 16 octet ICV [RFC4106]"
which are currently mapped to IPSEC_ENCRYPT_AES_GCM. In other words,
the new entries load without errors but the ICV is ignored.
The rationale is to have an unchanged reference implementation for
testing which does not bail out on the new uat encryption types.
Only call fragment_get() on the first pass when determining in
progress fragment length. Since we're using fragment_add_check, on
subsequent passes call fragment_get_reassembled_id(). Otherwise
dangling fragments at the end of the capture will be returned on the
second pass, causing unusual behavior and inconsistencies from the
first pass to subsequent ones.
Don't free a TVB returned from fragment_get; that can cause segfaults
when a single TSP contributes to two different reassemblies.
Also check for a too short length to prevent exceptions in cases of
dropped or out of order that would disturb the fragmentation analysis.
In some cases, the fds parameter of frame_data_sequence_find is invalid,
causing the software to crash, For example, this command
echo'{"req":"frame","bytes":"yes","proto":"yes","frame":"1" }'|sharkd-
Historically Wireshark evaluated the TCP in-flight value from the
payload actually seen all along the traffic captured.
We introduce another method to meet an observer paying greater
interest in the in-flight deduced from a ponctual SEQ analysis. It
may result in another value when analyzing incomplete conversations,
particularly when the beginning is missing.
The latter is activated by a User Preference setting added in this
release. Closes#7703.
The debug log levels used in dot11decrypt are pretty much random.
Cleanup how the different levels are used and at the same time change
to standard wslog log levels.
With this change log levels are used as follows:
WARNING - Allocation failures or unexpected (but handled) errors.
DEBUG - Debug messages mainly related to key derivation.
NOISY - Debug messages related to packet decryption.
ws_warning() logs the source file name, source line number, and calling
function name for the ws_warning() call; for errors reported by
REPORT_DISSECTOR_BUG() and macros that call it, the message isn't
reported directly by the macro - the macro formats the error message
into a string, saves the string, and throws a DissectorError exception,
to terminate the dissection, and the exception handler uses the
formatted string in its messages.
Thus, the location in the exception handler isn't interesting; it's not
where the error occurred, it's just where the message is logged, which i
the same for all such errors.
Don't use ws_warning(); instead, directly call ws_log() with
WS_LOG_DOMAIN and LOG_LEVEL_WARNING, which doesn't log the location of
the ws_log() call.
Developer Alexander