I was hoping to avoid this, since the ptvcursor should already be
implicitly scoped to the tree it is working on. But there are a bunch of
call sites where the passed tree can be NULL (?) and a few places where
the tree is explicitly set/reset after creation, so requiring an
explicit scope is safer.
Avoids global memory pools in favour of ones the compiler can verify.
Avoids the use of the global memory pool in favour of one the compiler
actually knows must be in scope.
Also delete a few hundred lines of if-0ed code that hadn't been active
in 15+ years.
IEC 61850 is directly over Ethernet, so use set_actual_length
like other such protocols so that the Ethernet dissector has a
chance to detect and dissect trailers / FCS.
And do it in the template from which packet-sv.c is generated, rather
than in packet-sv.c, so that it doesn't get overwritten if somebody
regenerates the sv dissector.
Added decoding and display of "Number of Schedule Slots"
and "Number of Packets" parameters contained in Request-Session
message in TWAMP Control protocol, in accordance with RFC-4656.
Added decoding and display of Conf-Sender and Conf-Receiver
parameters contained in Request-Session message in TWAMP
Control protocol, in accordance with RFC-4656 (OWAMP RFC
which is baseline for TWAMP).
Updated call to dissect_DIS_PARSER_IFF_PDU so that it contains the DIS version.
Updated info column so that it appends text in the right order. Added
System Designator and System Specific Information to DIS v7 IFF PDUs.
Add a new option to use websocket as heuristic dissector for TCP.
This is useful when the connection setup of an HTTP connection which got
upgraded to a websocket was not recorded.
If this option is disabled via preference the resulting behaviour should be
the same as prior. It is disabled by default.
"Follow Stream" functionality assumes that all data in a single packet
belongs to the same stream. That is not true for HTTP2 and QUIC, where
we end up having data from unrelated streams.
Filter out the unwanted data directly in the protocol dissector code with
a custom `tap_handler` (as TCP already does).
Close #16093
Added support for RFC 9104 "Distribution of Traffic Engineering
Extended Administrative Groups Using the Border Gateway Protocol
- Link State (BGP-LS)"
Replace the "assume_fcs" preference with a "fcs" tri-state preference
that has three options: use the FCS preference (still the default),
assume no FCS, and assume FCS is present. Fix #10457, #11597, #15303.
Also fix previous behavior where the assume_fcs preference always
overrode wiretap even if the pseudoheader indicated that there
definitely was no FCS on the packet.
Add a preference to VSS Monitoring for dissecting packets that
lack a timestamp and only have port stamping, and set it to false
by default. There's no heuristic for port stamping, so it defaults
to accepting all trailers with 1, 2, 5, or 6 bytes (1 or 2 byte
port stamp plus optional 4 bytes for Ethernet FCS.) That's too
indiscriminate, especially if there are other possible trailers
(e.g., if the PRP-1 dissector is eventually changed to a eth.trailer
dissector, see #17066 which this helps with).
Also, VSS Monitoring has never actually supported two byte port stamps,
and recent product releases have dropped port stamping in favor of
VLAN tagging for port tagging, so only support 1 byte port stamps by
default and add a preference for 2 byte port stamps.
With these changes by default the VSS Monitoring heuristic dissector
only dissects trailers that pass the timestamp heuristic, greatly
reducing the number of false positives. This does much of #8997,
though the timestamp heuristic could be tightened as well.
The Ubuntu build commented on some spelling errors in executable code
files. Fix the errors that don't come from external files containing
the spelling errors (USB product and vendor IDs, PCI IDs, ASN.1
specifications), and fix some errors that don't show up in the
executable code files (e.g., in comments and variable names).
6caf24e966 uncovered a bug
in the h225 dissector where h245_list was used in a path that wasn't
guaranteed to be initialized. It wasn't causing fuzz errors before
because the memory was at least being zeroed, although that state was
still technically invalid.
Initialize and call the tvb_lists in dissect_h225_h225_RasMessage, which
is the other h225 entrypoint, just like dissect_h225_H323UserInformation
(the other dissector entrypoint) was already doing.
Usage, Usage Minimum and Usage Maximum can be "Extended" Usages. When
parsing report descriptor, respect page encoded in extended usage value.
Remove arbitrary usage count limit, as the usage ranges are limited to a
16-bit value and thus the usages array can grow by up to 256 KiB with a
single usage range.
Starting with 3.0 there is a new non-backwards-compatible Web-Sec-Protocol for BLIP, so the plugin should handle both (the differences are irrelevant from Wireshark's standpoint)
Have the IEEE 1722 AVTP dissector call the MP2T dissector when that
is the payload type. Comment out the "if (tree)" statement since
the MP2T dissector needs to be called on the first pass regardless
to handle fragmentation.
Since there is a 4 octet source packet header timestamp before each
MPEG2-TS packet when carried on AVTP, the MP2T dissector has to be
called multiple times per frame. Since the fragmentation data is
indexed by the offset in the tvb passed to the MP2T dissector, create
a table for each MP2T layer in the packet via pinfo->curr_layer_num.
Fix #10702.
Allocate the root node in the same pool as the list itself, and make
that pool explicit so we can pass the pinfo scope instead of using the
global packet pool.
Fix support for IEEE 1722-2016 Annex J IP Encapsulation.
Dissect extra 4-octet encapsulation_sequence_num field that
is present when carried on UDP/IP. Perform rudimentary sequence
analysis with it. Fix #17389.
When written by hand, it's difficult to have a fully functional
subdissector for a given command if the structures in it contain a lot
of fields and/or numerous levels of sub-structures, since all
sub-structures must be fully defined before we can dissect anything.
This patch makes it easy not to define some structure fields and let
the generic Thrift dissector handle them.
If you care only about some fields for your analysis or you have some
obsolete fields that may appear in your captures due to old client but
are no longer defined in the .thrift files, you can still write the
subdissector for your protocol just by omitting the obsolete field.
For example:
```c
static const thrift_member_t tcustom_data[] = {
    { &hf_tcustom_data_id, 1, TRUE, DE_THRIFT_T_I64, TMFILL },
    { &hf_tcustom_data_name, 2, TRUE, DE_THRIFT_T_BINARY, TMUTF8 },
    { &hf_tcustom_data_content, 3, TRUE, DE_THRIFT_T_STRUCT, &ett_tcustom_resource, { .members = tcustom_resource } },
    { NULL, 0, FALSE, DE_THRIFT_T_STOP, TMFILL }
};
```
could become:
```c
static const thrift_member_t tcustom_data[] = {
    { &hf_tcustom_data_id, 1, TRUE, DE_THRIFT_T_I64, TMFILL },
    { &hf_tcustom_data_name, 2, TRUE, DE_THRIFT_T_BINARY, TMUTF8 },
    { NULL, 3, TRUE, DE_THRIFT_T_GENERIC, TMFILL },
    { NULL, 0, FALSE, DE_THRIFT_T_STOP, TMFILL }
};
```
and avoid the need to define the extremely complex "resource" struct.
In this case, the structured data would be dissected by the generic
dissector while keeping the possibility for the user to filter on the
resource id or name.
This patch adds support to SOME/IP to be dissected on top of DTLS. This
can be used via the Decode As feature of Wireshark.
This extends the existing support for DTLS.
Add an expert info for more protocol issues:
- Thrift protocol exceptions.
- Thrift application exceptions.
- Negative field ids that are now prohibited in new interfaces.
- Out-of-order field ids (not prohibited but unusual).
packet-erldp.c:403:13: warning: Although the value stored to 'buf_ptr' is used in the enclosing expression, the value is never actually read from 'buf_ptr' [deadcode.DeadStores]
packet-erldp.c:922:9: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-erldp.c:928:7: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-json.c:365:7: warning: Value stored to 'is_valid_unicode_character' is never read [deadcode.DeadStores]
packet-json.c:371:7: warning: Value stored to 'is_valid_unicode_character' is never read [deadcode.DeadStores]
packet-json.c:383:8: warning: Value stored to 'is_valid_unicode_character' is never read [deadcode.DeadStores]
packet-json.c:389:8: warning: Value stored to 'is_valid_unicode_character' is never read [deadcode.DeadStores]
packet-rdp.c:1600:3: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-rdp.c:1614:3: warning: Value stored to 'offset' is never read [deadcode.DeadStores]
packet-thrift.c:1382:17: warning: Value stored to 'len_pi' is never read [deadcode.DeadStores]
packet-thrift.c:1388:9: warning: Value stored to 'len_pi' is never read [deadcode.DeadStores]
According to IEEE 802.15.4-2020 Section 7.3.5.1 Destination PAN ID field is
present when PAN ID Present bit is set. Therefore we should check for the bit.
Fixes: wireshark/wireshark#17496
The transport feedback definition, from
(https://datatracker.ietf.org/doc/html/draft-holmer-rmcat-transport-wide-cc-extensions-01#section-3.1)
has the third bit as the padding bit (as any RTCP feedback message). However,
the transport feedback dissector was consuming the padding (if present),
leaving the outer RTCP dissector with a padding bit set, but no padding to
analyze/show. That resulted in a "Malformed packet" error.
With this patch, any padding that is consumed in the transport feedback
dissection clears the outer padding bit set, leaving the RTCP dissector happy.
AVBTP was used in drafts, but the name has officially been AVTP
in all releases, IEEE Std 1722-2011 and -2016. Change AVBTP to
AVTP and remove "Bridging" where it appears.
Call existing MJPEG and H.264 dissectors for those subtypes,
and remove duplicate fields. Use common true_false_string.
Warn about invalid length, and only process the payload length
show in the payload field, allowing for Ethernet FCS autodetection,
among other things. Register the MJPEG dissector by name so
that AVTP CVF can call it. Add some value string entries to the
MJPEG dissector.
When the format value is reserved, ignore the subtype field
and add expert info and show the payload as data. (IEEE 1722-2016
8.3.2) Fix #12490
- Handle 'Category' field under 'Encapsulated Frame' field inside 1905 Encap DPP TLVs
![incorrect](/uploads/be54a9e6757aacbccb3625b4aa11db9b/incorrect.png)
![correct](/uploads/285b14d3945c2821ba3606e7da7ae94d/correct.png)
It violates the tvb_composite API to create composite TVBs if
they're not going to have at least one TVB put in them. Prevent
dissector bug failed assertions in the case of packets incorrectly
identified as DVB Baseband frames carrying TS by the heuristic
dissector.
A few of them just needed scratch memory, so allocate and free it
manually after doing any exception-raising checks.
A few others were returning memory, and needed conversion to accept a
wmem scope argument.
Handle multiple PDUs per TCP segment or UDP datagram. Add
preference for handling PDUs that span multiple TCP segments.
Fix nested depth handling so as not to clear COL_INFO in the
second PDU of a segment (and also make dissect_knxip have the
standard signature.) Fix #17545.
On the first packet of the conversation, the MPA layer is
dissected correctly followed by the DDP, RDMAP, RPC-over-RDMA,
RPC and NFS layers. The MPA layer sets the TCP conversation as
MPA protocol but when it dissects the RPC layer it also sets
the TCP conversation as RPC protocol thus overwriting the previous
protocol.
Added new port type PT_IWARP_MPA so that when the RPC layer
is dissected it does not overwrite the default protocol for
the TCP conversation which has already been set to MPA.
Fixes #15869.
This patch adds support for the ISO 10681-2 protocol, which is similar
to the ISO 15765-2 protocol (see packet-iso15765.c).
This patch also adds support for registering combined FlexRay IDs to
register the new dissector.
This patch adds support to DoIP and ISO15765 to pass the diagnostic
address or addresses to UDS. UDS takes the relevant address into account
for the data identifier and routine identifier name resolution.
Use correct offset for P1 and P2 when showing channel operation
and channel number.
According to TS 102 221 V14.2.0 the Open channel operation is using
P2 for channel, and let UICC assign when this is 0. Show P3 as Le.
Make P3 optional because it's not present in at least Close channel
operation.
Change text in Info column to avoid "Channel Channel: x".
Add git dissection test cases to existing testing suite for: finding git
packets, finding the Git Protocol version, finding the right amount of
Flush and Delimiter packets, not finding Malformed packets.
Part of #17093
Update channel to include index to clear up possible confusion if this
is RF channel, or channel index.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
New HCI commands/event dissected:
- LE Set Data Related Changes Command
- LE Set Default Subrate Command
- LE Subrate Request Command
- LE Subrate Change Event
5.3 version number added, LE event mask, supported commands and
LE feature bitmaps updated.
A packet that has been received by the sniffer with CRC errors will not
be decrypted properly by the sniffer. Mark the decrypt failure reason as
CRC error instead of MIC error.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use "flags" for the OPT_PKT_FLAGS option value, as we do elsewhere. Use
"lapd_flags" for the variable holding the LAPD flags.
We don't need to initialize flags, as we extract the OPT_PKT_FLAGS
option into it immediately after initializing it (if the attempt to get
that option fails, it's not set, but it's not used, either).
Remove unnecessary initializations.
Rename the variable for the packet ID option to match the name of the
option (it's epb_packetid in the pcapng spec, with no underscore between
"packet" and "id").
AMQP calls a subdissector table before tcp_dissect_pdus() is used to
desegment PDUs (see commit 27c10ed72e),
so pinfo->can_desegment needs to be restored before it is decremented
a second time. Fixes #14217.
Windows can allow Unicode in filenames now, and export_object.c
has its own eo_massage_str function that the GUI and CLI already
call to create safe filenames when they are saved. There's no need
for an individual dissector like SMB to have its own (worse)
implementation of the same functionality, and to call it before
filenames are displayed. Fix #17530
- Make sure reassembly requests & errors are properly propagated from
any point in the PDU, no matter how many sub-structure levels.
- Handle the sub-dissection methods as well:
- Ensure the sub-dissection methods handle errors from previous calls.
- Reduce the error handling needed in sub-dissector implementations.
- Add missing sub-dissection methods for list, set, and map.
- Add the handling of sub-structure.
- Handle Compact protocol in addition to the existing binary protocol.
- Include and improve MR !3171
- Handle reassembly the same way as for binary protocol.
- Handle sub-dissection with the same functions.
=> Sub-dissectors only depend on .thrift files.
Additional changes:
- Use of constants instead of hard-coded values.
- Removed U64 support (never supported by thrift code generator, only
referenced in the C++ thrift library header but not supported in reality).
- Removed references to UTF-8 and UTF-16 string for the same reason.
- Replaced references to UTF-7 string with just string (same reason).
- Replaced references to byte with i8 as the documentation explicitly
states that byte is a compatibility name.
Documentation reference:
- https://thrift.apache.org/developers
- https://thrift.apache.org/docs/idl.html
- https://github.com/apache/thrift/blob/master/doc/specs/thrift-compact-protocol.md
- https://erikvanoosten.github.io/thrift-missing-specification/
- https://diwakergupta.github.io/thrift-missing-guide/
Closes #16244
Additional changes:
- Add authors and improve consistency
- Fix typo and clarify documentation
Create pseudo URB and pass the reassembled data to USB URB dissector.
Reassembly for control transfers is not problematic as the transfer
length is known. For bulk transfers assume the transfer can span across
multiple transactions, however for periodic (interrupt and isochronous)
assume the transfer never spans across multiple transactions.
Rely on USB dissector to provide endpoint maximum packet size. Actual
interface/configuration handling in USB dissector needs to be reworked
as the code assumes that there is only one configuration and alternate
interface configurations have matching endpoints.
While reassembling bulk transfers and never reassembling periodic
transfers results in pretty good dissection, the USB class dissectors
need a mechanism to provide transfer size hints to the USBLL dissector.
Such a hint is not needed for software USB capture as software sniffers
essentially capture URBs and every transfer is associated with one URB.
The problem can be seen for example in Mass Storage Class where it is
common for data transfers length to be multiple of endpoint maximum
packet size. Because USBLL dissector doesn't know expected transfer
size, it combines together data and status transport.
Related to #15908
Add support for decoding instruction byte 78 (GET IDENTITY) from
TS 102 221 v15.11.0 and instruction byte CA (GET DATA) which is used to
retrieve the EID for eSIMs according to GSMA SGP.02 v4.2 available from
https://www.gsma.com/esim/esim-m2m-specifications/.
Closes #17548.
All fields with a GSN address were decoded as the common hf_gsn_addr. But if
ETSI order is used, it's possible to specify an alternative decoder
depending on message type and field position.
An alternative decoder for the GSN address was added for mandatory fields and
optional/conditional fields in the case where there is a single GSN address
in the message.
Added a new function as a common dissector for all addr types.
This patch speeds up the dissection of signal pdus, if not filtering.
With an example trace file full of signal PDUs, I gained about a 4x
speed up in opening the trace.
Define dissect_http3_settings only if HAVE_LIBGCRYPT_AEAD is defined.
This should hopefully fix
```
epan/dissectors/packet-http3.c: In function 'dissect_http3_settings':
epan/dissectors/packet-http3.c:212:9: error: implicit declaration of function 'http3_is_reserved_code' [-Werror=implicit-function-declaration]
if (http3_is_reserved_code(settingsid)) {
^
epan/dissectors/packet-http3.c: At top level:
epan/dissectors/packet-http3.c:200:1: warning: 'dissect_http3_settings' defined but not used [-Wunused-function]
dissect_http3_settings(tvbuff_t* tvb, packet_info* pinfo _U_, proto_tree* http3_tree, guint offset)
^
cc1: some warnings being treated as errors
```
on the CentOS 7 builds.
If a "NT Password" value is provided by the user, the NTLMSSP decryption
should take place, whether or not Kerberos decryption option is enabled
(disabled by default).
NT Accounts may have empty passwords; this allows the dissector to try
decrypting the NTLMSSP session using an empty password (when "NT
Password" preference is left blank).
Rewrite storage and retrieval of `endpoint_guid`s to use private proto
data instead of `pinfo->private_table` which was meant solely for Lua
use.
Closes #17156
Small payload packets that fit into a single TSP without
fragmentation are dissected without ever being placed in
the reassembly table, so fragment_get_reassembled_id returns
NULL even on the second pass and later. Handle them (and
distinguish that case from packets not reassembled because they
were at the end of a capture.)
Add a few comments to clarify what's going on.
Use the non-stub versions even if we don't have libgcrypt 1.6.0 or
newer; yes, it's code that won't ever be used, but if you want to
eliminate waste, remove all the fields that aren't used if we don't have
libgcrypt 1.6.0 or later.
This avoids the need to create stub routines, making the code a bit less
confusing (and avoiding the risk of using those fields with
non-functional formatting routines).
It also eliminates "function argument unused" warnings when building
with an older version of libgcrypt, and does so more cleanly than adding
a bunch of _U_s to the stub functions.
Introduced new submessage DATA_FRAG_ASESSION (id 0x81). It is the same
as a DATA_FRAG submessage but with an extra sequence number field
called "virtualSeqNum".
This is a new check added to check_typed_item_calls.py --label
Ignoring cases where item type is FT_NONE, as for those
text was appended that otherwise would lack a colon.
Fix the description in wsutil/exported_pdu_tlvs.h to reflect reality
(i.e., to match what the code in Wireshark that reads the exported PDU
TLVs, and all code that writes them, does).
In the code that dissects them, treat all strings as FT_STRINGZPAD, as
any null bytes at the end of the string are padding, not part of the
string.
See merge request !3895 and issue #17535.
Have wsutil/exported_pdu_tlvs.h define the LINKTYPE_WIRESHARK_UPPER_PDU
TLV type and length values, as well as the port type values written to
files in EXP_PDU_TAG_PORT_TYPE TLVs.
Update the comment that describes the LINKTYPE_WIRESHARK_UPPER_PDU TLVs
to more completely and correctly reflect reality (it was moved from
epan/exported_pdu.h to wsutil/exported_pdu_tlvs.h).
Rename those port type values from OLD_PT_ to EXP_PDU_PT_; there is
nothing "old" about them - yes, they originally had the same numerical
values as the PT_ enum values in libwireshark, but that's no longer the
case, and the two are now defined independently. Rename routines that
map between libwireshark PT_ values and EXP_PDU_PT_ values to remove
"old" from the name while we're at it.
Don't include epan/exported_pdu.h if we only need the
LINKTYPE_WIRESHARK_UPPER_PDU definitions - just include
wsutil/exported_pdu_tlvs.h.
In extcap/udpdump.c, include wsutil/exported_pdu_tlvs.h rather than
defining the TLV types ourselves.
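An added example, not code from the Wireshark tree, serving both the STRINGZPAD fix above and the header reorganisation in this message: a small encoder and decoder for the TLV list that precedes a LINKTYPE_WIRESHARK_UPPER_PDU payload. String TLVs are handled as STRINGZPAD, so trailing NULs are padding rather than data. The tag numbers, and the reading that values are NUL-padded to a 4-byte boundary with the length field counting the padding, are from my recollection of wsutil/exported_pdu_tlvs.h and are assumptions to check against the header; the sample record is constructed.

```python
import struct

# Tag numbers as I recall them from wsutil/exported_pdu_tlvs.h; treat them as
# an assumption and verify against the header before relying on them.
TAG_END_OF_OPT = 0
TAG_PROTO_NAME = 12
TAG_IPV4_SRC, TAG_IPV4_DST = 20, 21
TAG_SRC_PORT, TAG_DST_PORT = 25, 26
STRING_TAGS = {TAG_PROTO_NAME}
UINT32_TAGS = {TAG_SRC_PORT, TAG_DST_PORT}


def _pad4(n):
    return (n + 3) & ~3


def encode_tlvs(tlvs):
    """Encode [(tag, value)] as the TLV header that precedes an exported PDU.
    Each value is NUL-padded to a 4-byte boundary (assumption: the length field
    counts that padding) and an END_OF_OPT TLV closes the list."""
    out = bytearray()
    for tag, value in tlvs:
        if tag in UINT32_TAGS:
            value = struct.pack(">I", value)
        elif tag in STRING_TAGS:
            value = value.encode("ascii")
        padded = _pad4(len(value))
        out += struct.pack(">HH", tag, padded) + value + b"\x00" * (padded - len(value))
    out += struct.pack(">HH", TAG_END_OF_OPT, 0)
    return bytes(out)


def decode_tlvs(buf):
    """Walk the TLV list.  Returns ({tag: value}, offset_of_payload).
    String values are STRINGZPAD: trailing NULs are padding, not part of the
    string.  A length that is not a multiple of 4 is rounded up when
    advancing, so a writer that left padding out of the length still parses."""
    off, tlvs = 0, {}
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % off)
        tag, length = struct.unpack_from(">HH", buf, off)
        off += 4
        if tag == TAG_END_OF_OPT:
            if length != 0:
                raise ValueError("END_OF_OPT carries a length")
            return tlvs, off
        step = _pad4(length)
        if off + step > len(buf):
            raise ValueError("TLV %d length %d runs past the buffer" % (tag, length))
        value = bytes(buf[off:off + length])
        off += step
        if tag in STRING_TAGS:
            value = value.rstrip(b"\x00").decode("ascii", "replace")
        elif tag in UINT32_TAGS:
            if length != 4:
                raise ValueError("tag %d must be 4 bytes long" % tag)
            value, = struct.unpack(">I", value)
        tlvs[tag] = value


def build_exported_pdu(proto_name, payload, src_port=None, dst_port=None):
    """Frame a payload the way a LINKTYPE_WIRESHARK_UPPER_PDU record does."""
    tlvs = [(TAG_PROTO_NAME, proto_name)]
    if src_port is not None:
        tlvs.append((TAG_SRC_PORT, src_port))
    if dst_port is not None:
        tlvs.append((TAG_DST_PORT, dst_port))
    return encode_tlvs(tlvs) + payload


def parse_exported_pdu(frame):
    """Return (proto_name, tlvs, payload) for a framed record."""
    tlvs, off = decode_tlvs(frame)
    if TAG_PROTO_NAME not in tlvs:
        raise ValueError("record has no protocol name TLV")
    return tlvs[TAG_PROTO_NAME], tlvs, frame[off:]


if __name__ == "__main__":
    # Constructed record: a 4-byte DNS header fragment tagged as "dns".
    rec = build_exported_pdu("dns", b"\x12\x34\x01\x00", src_port=53000, dst_port=53)
    print(rec.hex())
    print(parse_exported_pdu(rec))
```

The "dns" name is written with one NUL of padding and a length of 4; reading it back as a plain fixed-length string would yield "dns\0", which is exactly what treating these fields as STRINGZPAD avoids.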
Only use value of Content-Format to dissect the content in the
current packet. Accept is used to tell which format is expected
in the reply.
Fixes: #17536
We prefer pinfo->pool over the global wmem_packet_scope() now. Convert a
few more asn1 dissectors. After this commit, just three asn1 dissectors
remain.
Protocol BSSGP has an option in the GUI to enable decoding NRI when an SGSN pool
is used. But this configuration option is not used in code.
I have marked this option as obsolete and added a new single option to the protocol dissector gsm_a_rr,
where TLLI is decoded, and added code for processing NRI.
While X11 Events are generally fixed-length, GenericEvents extend the protocol
to provide a length field, similar to Replies. As noted in the extension spec,
if a GenericEvent longer than 32 bytes is sent to a client unable to process it,
"future interpretation of replies and events by this client will fail." See
https://www.x.org/releases/current/doc/xextproto/geproto.html
This patch merely prevents that failure case. It does not attempt to
meaningfully dissect the contents of such packets, which in any case will vary
depending on the relevant X11 extension.
Fix clock accuracy field offset in the sync info information in the
extended advertising header.
The field was placed at offset 4 instead of the current offset + 4.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use PACK_FLAGS_DIRECTION() rather than masking with
PACK_FLAGS_DIRECTION_MASK. They happen to be at the bottom of the flags
option, so no shifting is needed, but it's cleaner to use the macro.
Make the packet flags variable local to the code that uses it, and fix
indentation (don't use tabs - they're not used elsewhere), while we're
at it.