tvb_get_raw_bytes_as_string doesn't check lengths, because it's
used elsewhere when the length is unknown. If we use
tvb_get_string_enc, that checks the offsets and throws an
exception as appropriate, but then we have to use g_utf8_strreverse
due to the possibility of UTF-8 REPLACEMENT CHARACTERs.
To handle embedded nulls properly, we need to be using counted
strings (like wmem_strbuf_t) in more places.
Fix #19621
Stat tap windows can be opened by the GUI (e.g., a
ServiceResponseTimeDialog) when no file is open, and persist
past a file being closed, i.e. outside of wmem_file_scope().
Items concerning the taps should not be created in wmem_file_scope().
This fails an assert, which crashes when built for a Debug target.
To use wmem, we would need to create a scope appropriate for the lifetime
of the ServiceResponseTimeDialog or other Tap dialog (or else add a
callback mechanism to srt table to free items created in epan scope.)
Partially revert 47b310da47
(the part where the stat taps are concerned.)
Related to #19620
Queried DNS names can be enabled for DNS statistics with a preference.
For performance reasons this is disabled by default.
Kind of related to #16728 and #16173
When trying to check if syntax in a filter that starts with
"${" is a macro or a field reference, use strpbrk to find the
first of '#' (layer) or '}' (closing the macro or field reference
expression.) Using strchr twice in a row causes incorrect behavior
in a long filter that has a '#' located later past the '}',
referring to a layer of a different field.
Also test for ';' and ':' and return if the string has those before
the other two characters.
Those two characters are illegal in fields but indicate that it is
a macro, as they separate macros from their arguments. Skip the other
processing as unnecessary.
Expand `tshark -G dissector-tables` to also list heuristic dissector
tables. Parallels the output for standard dissector tables with the
following changes:
* Field 3 (ftenum type) is shown as "heuristic"
* Field 4 (base) is omitted, as it always was for non-integer dissector
tables
* Field 6 (decode as) is omitted, since heuristic tables can't be used
with "decode as"
Update the tshark man page to reflect this change. Also clarify that the
first field output from `-G heuristic-decodes` is the heuristic table
name.
Implementation detail: heuristic dissector tables are listed after all
other dissector tables, since they are stored in a separate structure
from the other tables. This results in simpler code than attempting to
commingle the entries for both types in strict alphabetical order.
Add descriptive table name
This patch changes the display order of the IEEE802154 address fields
only for the IEEE802154 tree root. The order of the address fields
for the other trees is not changed. The order is now source address
first. This is not the same as the order in the frame, where the
destination address is first. However, reading it from left to right
makes more sense when the source address is first.
This commit implements PLDM dissector
for the Platform specification of the protocol
which is done following DMTF guideline
documentation -
https://www.dmtf.org/sites/default/files/standards/documents/DSP0248_1.2.0.pdf
Testing : For verification of dissector
pcap file collected during host poweron
is used as well as used custom pcaps.
Signed-off-by: Riya Dixit <riyadixitagra@gmail.com>
There's a number of variables that are lengths that should probably
be unsigned, but at least make sure negative values don't get assigned
to the chunk size, which can lead to an infinite loop. (It's read from
the packet as an unsigned 32 bit integer, but it should never in
practice have a value in the top half of that range.)
Fix #19617
Saving only the dfilter text and recompiling the code when
[re]dissecting or scanning groups of packets operates on the
explicit assumption that previously validated filter text will
always compile to valid filter code
That assumption is not true; while we invalidate the filter and
replace the text with NULL if display filter macros change or
other aspects of the packet matching expressions change so that
the previous text is no longer valid, display filters that match
FT_IPv4 or FT_IPv6 fields to resolved hostnames require a host
name lookup each time they are compiled, which can timeout, especially
if there are too many requests in flight at once. This is particularly
likely if a recompilation is performed each time additional frames
arrive during a live capture.
It is important to stress that the stronger, implicit assumption that
the display filter will compile to the same code is also false.
1) Display filters that require host name lookup can change even if
it doesn't timeout.
2) Display filter macros can change.
3) Display filters with field references will change if the selected
frame has changed.
In the case of a rescan, redissection, reload, retap, or opening a
new file, we want the new dfcode. For cf_continue_tail and
cf_finish_tail, when a new batch of frames have arrived, we might
be able to cache the host lookup for 1), and a user might want the
new macro definitions in 2) (but in that case, why not a rescan of
all packets?), but almost surely for 3) wants the field references
of the frame selected in the GUI when the filter was applied, not
whatever frame is currently selected when new packets arrive. So
we keep the old dfcode, and also reduce recompilation (which becomes
more important as the default update interval can be reduced, cf.
f0712606a3 ).
Currently filters with field references don't work at all with
newly arrived frames in live captures, because the references
aren't loaded to the code. This fixes that by using the field
references from the original frame.
Cf. 1370d2f738. Fix #19612. Fix #12517.
hex_str_to_bytes currently allows an odd number of hex characters
after a separator (including no separator). It parses them in an
entirely unexpected way; taking two characters at a time to form
one byte and then using the last leftover character by itself,
thus adding a missing lead zero to the last hex character instead
of the first.
E.g., 3.109.209.43 is parsed as 0x03 0x10 0x09 0x20 0x09 0x43
Since this interpretation has never been correct, just disallow any
odd number of hex characters 3 or greater. Continue to support a
single hex character after a separator (or by itself.)
It's still probably too accepting, as it allows the separator to
change back and forth, including back and forth from no separator
when force_separators is false (thus allowing the number of hex
digits between separators to vary.)
Fix #19449. Fix #19604.
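The parsing behaviour described in this commit message, as an added example that is not Wireshark's own code: `parse_hex_groups`, its `strict` flag and the separator set (`:`, `-`, `.`) are hypothetical. Lenient mode reproduces the leftover-digit handling; strict mode rejects any group with an odd count of three or more hex digits while still accepting a single digit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified parser for illustration; not hex_str_to_bytes(). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static int is_sep(char c) { return c == ':' || c == '-' || c == '.'; }

/*
 * Parse groups of hex digits separated by ':', '-' or '.'.
 *   strict == 0: a leftover odd digit becomes its own byte (legacy behaviour).
 *   strict != 0: groups with an odd length of 3 or more are an error.
 * Returns the number of bytes written to out, or -1 on error.
 */
int parse_hex_groups(const char *s, unsigned char *out, size_t cap, int strict)
{
    size_t n = 0;

    while (*s) {
        size_t len = 0, i = 0;

        while (hexval(s[len]) >= 0) len++;        /* measure this group */
        if (len == 0) return -1;                   /* empty group or junk */
        if (strict && len >= 3 && (len & 1)) return -1;

        for (; i + 1 < len; i += 2) {              /* full two-digit bytes */
            if (n == cap) return -1;
            out[n++] = (unsigned char)(hexval(s[i]) << 4 | hexval(s[i + 1]));
        }
        if (i < len) {                             /* one leftover digit */
            if (n == cap) return -1;
            out[n++] = (unsigned char)hexval(s[i]);
        }

        s += len;
        if (*s == '\0') break;
        if (!is_sep(*s)) return -1;
        s++;
        if (*s == '\0') return -1;                 /* trailing separator */
    }
    return (int)n;
}

int main(void)
{
    unsigned char b[16];
    int n = parse_hex_groups("3.109.209.43", b, sizeof b, 0);

    printf("lenient: %d bytes:", n);
    for (int i = 0; i < n; i++) printf(" 0x%02x", b[i]);
    printf("\nstrict:  %d\n", parse_hex_groups("3.109.209.43", b, sizeof b, 1));
    return 0;
}
```

The lenient result for `3.109.209.43` is six bytes, which is why a dotted-decimal IPv4 address typed into a byte-string field silently matched something other than what was written.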
If a null argument is given to a macro, print an error saying that
is disallowed instead of substituting the null argument (i.e., an
unquoted empty string) into the macro.
The latter almost certainly still produces a grammatical error, but it
will be something mysterious that depends on the macro definition like
"==" was unexpected in this context
instead of a useful error string.
For macros that take strings as argument, substituting a null has
never worked either, "" has always needed to be used.
As a special case, accept a single empty argument as meaning
"a macro with 0 arguments" instead of how it is currently treated,
a "macro with 1 null argument", i.e. $mymacro() for the new
function-like syntax and ${mymacro:} for the original syntax.
See 7d87367e22
Instead of requiring ${macro:arg1;...;argN}, allow the format
${macro;arg1;...;argN}.
The semicolon isn't used anywhere else, it's simple to support,
and already used in the macro syntax. It's easier to remember
if all the separators in a macro are the same.
The colon is allowed in literals, which is why it's not used
between the arguments in the macro argument list, and allowing
it after the name makes the grammar more complicated, including
tokenizing when having pop-ups of potential field matches in
the display filter line edit (#19499.)
Update the documentation for this. Also edit the documentation
for macro syntax in a few places where it implies that whitespace
in macro arguments would be ignored; in fact, it's significant.
If Wi-Fi packet is encapsulated in an UDP payload (IPIP tunneling),
then we can use this functionality to decode it as 802.11.
This is intended primarily for [1].
[1] - https://docs.zephyrproject.org/latest/samples/net/capture/README.html
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
We haven't allowed anything other than alphanumerics or `_`
in macro names since at least 2007
(commit 8e849698a3)
so the better error message if a `-` is included is to say
that it's an invalid character, not that a macro with that
name doesn't exist.
We can also stop parsing at that point, which is more efficient.
That it was allowed at this point was a legacy of when field
references were handled using the macro code instead of separate
lexical elements, pre commit 260942e170.
(#17599)
Just use the same macro for valid characters in a macro name
in the two syntax forms. It's unlikely that we'll start allowing
`.` in macro names, and if we do, we'd have to revisit the
checking for the $macro(args,...) syntax as well.
Fixed dissector cannot parse `zbee_zdp.assoc_device_count`
field error. Thanks to Mohammed Suhel mhs@exegin.com for
original implementation.
Change-Id: I3f65aee3d5cc156b8512b3e877746522439b823b
Add an optional argument to `DissectorTable.heuristic_new()` which can
hold a human-readable name for the newly created heuristic dissector
table.
Closes #19602
Only 1 of the 4 bytes comprising the window field was actually
being read, causing the value to be incorrect. The offset pointer
was correctly increased by 4 on the following line, so this is
clearly just an oversight.
The configure-window-mask field was being dissected using the
"window value mask" bitmasks. It was interpreted correctly when
dissecting the actual fields, though, so this is clearly just
another minor oversight.
Before:
window: 0x00000001
configure-window-mask: 0x0003, background-pixmap, background-pixel
x: 448
y: 156
After:
window: 0x03800001
configure-window-mask: 0x0003, x, y
x: 448
y: 156
This is a little annoying because the OTOA field that determines the
encoding is many fields after the OAdC field. Also annoying because
the encoding is faintly absurd, and not the same as the other
"IRAString" encoding; that one is also a hex string, but uses
*unpacked* GSM 7 bit encoding. Here we have a hex string encoding of
a SMS-like "number of used semi-octets" followed by packed GSM 7 bit
encoding.
Fix #19599
Add Huffman decoding from libnghttp2 library (MIT licensed),
and use it in HTTP/3 to display the decoded QPACK bytes.
(HTTP/2 and HTTP/3 use the same Huffman encoding.) These
files are not part of the public libnghttp2 library but
normally internal.
Note that libnghttp3 does not supply a function to inflate
headers like nghttp2_hd_inflate_h2.
Related to #16761
Correcting offset miss in !13077
Because the offset for octet 4 is skipped earlier, the remaining length becomes wrong.
To correct the fault, the offset for octet 4 needs to be added after the IE has been decoded.
Build on !13975 to add human-readable descriptions for all heuristic
dissector tables in Wireshark.
Chosen names are meant to give some info on when a heuristic dissector
lookup will be made. Terms like 'fallback' are used when the heuristic
is only consulted if other checks do not result in dissection, for
example.
People with more intimate knowledge of the protocols and dissectors
involved are encouraged to suggest or implement better descriptions.
Add a field to `struct heur_dissector_list` to hold a human-readable
description of the heuristic dissector list. The field is named
`ui_name` to parallel `struct dissector_table`.
Add `register_heur_dissector_list_with_description()` to register a new heuristic
dissector list with a description as well as a name. Change
`register_heur_dissector_list()` to be a thin wrapper which passes a
null description.
Add `heur_dissector_list_get_description()` to get the description from
a `heur_dissector_list_t` (which is an opaque type).
Modify the Qt user interface so that heuristic tables listed in *View →
Internals → Dissector Tables* show the description in the left column
and the short name in the right column, as is the case for other
dissector table types. For heuristic dissector lists which do not have a
description, repeat the short name in the left column to resemble how
the dialog was presented before this change.
Revise function name based on feedback
X.75 is not the same thing as LAPB, and we already *have* a LAPB
dissector that registers for WTAP_ENCAP_LAPB. Two dissectors
registering for a value in the wtap_encap table means one of them will
lose, so it does not work; in this case, the LAPB dissector loses.
Fixes #19595.
If the supported_versions extension is provided in the Client Hello,
display the minimum supported version given in the extension in the
Protocol column if the session TLS version is unknown. Use the minimum
version because we don't know what the server will agree to, but it
must be at least this version.
This only affects when the Server Hello or other authoritative
messages haven't been seen, so in first-pass dissection (live
capture or one pass tshark) or a capture that doesn't contain
authoritative messages at all.
Fix #16114
If we have a packet that isn't long enough to fit an entire header,
but the first byte does look like a message type, and we can do
reassembly, ask for reassembly.
Fix #19593
For RTMP connections where we get the handshake, continue to use
the initial value of 128 as done in the protocol; we should get
any Set Chunk Size messages.
For connections where we don't get the initial handshake, i.e.
the connection is already in progress when the capture is started,
allow setting a different default chunksize. Note that both too
large and too small values will cause problems, but since the
initial bytes of chunks can have any value, it's very difficult
to do this heuristically.
Fix #12403 (by setting the preference to a large value, e.g. 60000,
everything is dissected correctly in that capture.)
Some systems repeatedly send out SDP setup information for the same
RTP conversation. We end up setting up multiple conversations
(it's not clear we need to, since most of the information we copy
to per-packet info for subsequent passes.)
When doing so, copy the per-SSRC number space information that
determines what cycle number we're on for extended sequence numbers
and timestamps (since those fields can and do wrap.)
This doesn't hurt at all if the setup information is for different
conversations, even ones using the same SSRC; it aligns the cycle
number but that's fine. It helps a lot in cases where the RTP
sequence number has already overflowed and then we get a duplicate
SETUP message; we need to stay on the same cycle.
Fix #19592
RTMPT doesn't use the native reassembly API, so store the frames that
are involved in reassembly of a packet and mark the depended upon
frames itself so that exporting selected packets doesn't omit them.
Dissect the X.509 v3 Certificates used in OPC UA.
Use proto_tree_add_bytes_with_length for adding NULL bytes to
the tree with a (0) length different than the length taken up
in the tvb. It's somewhat nicer than changing the item length later.
Add a new hfi reference type for when we're printing items,
that supersedes direct reference - in addition to ensuring that
we don't fake an item, it also defaults the item to visible
(doesn't mark it as hidden when the tree isn't visible), so
that the string representation isn't faked either for fields
that have non-default formats.
Use it when fields are specified with -e; instead of setting
the entire tree as visible, only mark visible the items that
we want to print. This speeds up tshark -e output with all the
-T options that support it, sometimes by 2 to 4 times.
Part of #19573
Dissector is improved as follows:
- Code cleanup
- Added comments
- Offset calculations more obvious
- Segment data is put into segment hf instead of data dissector
- Padding is calculated and shown to fix incomplete dissector warnings
This patch does:
- clean up the address handling and limit to guint16 (see UDS)
- add address length to the data exchanged to UDS
- make UDS show the correct length in the protocol line instead of 2
- show address in UDS as generated as they are passed to UDS
Fix
```
wireshark/epan/crypt/dot11decrypt.c:1109:1: warning: function 'Dot11DecryptRecurseCleanSA' is within a recursive call chain [misc-no-recursion]
1109 | Dot11DecryptRecurseCleanSA(
| ^
```
RF4CE NWK heuristics should not attempt to verify the command ID from a command frame type when security is enabled, since in such case the command ID will be encrypted
A problem with the RTMP dissector is that it allocates space up
front for messages based on a 24 bit message length field, and if
that length is bogus (e.g., fuzzed data), that can easily lead to
memory exhaustion. (#6898) However, the real value can be quite large,
and limiting the value with a preference causes real data to fail to
dissect and report as malformed (#3790).
An ideal solution would be to use the standard reassembly API, possibly
by having the TCP dissector do it via setting pinfo->desegment_offset
or pinfo->desegment_len, or possibly by having reassembly tables within
the dissector. Quirks about the protocol make this a bit difficult.
In the meantime, instead of allocating all the memory for a reassembled
packet upfront upon reading the message length, limit the initial
allocation size, and call wmem_realloc if needed. In the cases where
the length is bogus and we don't actually get message bytes later,
we don't allocate nearly as much memory, but in the cases where the
message really is that large, dissection will work without having to
fiddle with a preference.
Mark the preference as obsolete, because users shouldn't need to change it.
(We can reduce the initial max allocation size from this if need be
with little penalty, saving some memory when there's bogus values in
exchange for more reallocation for legitimate large messages.)
Fix #3790.
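The allocation strategy this commit message describes, as an added example that is not the RTMP dissector's code: it uses plain `malloc`/`realloc` in place of `wmem_realloc`, and `msg_buf`, `INITIAL_ALLOC_CAP` (64 KiB) and `simulate` are hypothetical. Memory grows only as message bytes actually arrive, so a bogus 24-bit length costs at most the initial cap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_ALLOC_CAP (64u * 1024u)   /* assumed value for illustration */

typedef struct {
    uint8_t *data;
    size_t   want;    /* length claimed by the 24-bit header field */
    size_t   have;    /* bytes actually received so far */
    size_t   alloc;   /* bytes currently allocated */
} msg_buf;

/* Start a message: allocate min(claimed length, cap), never the full claim. */
int msg_begin(msg_buf *m, uint32_t claimed_len)
{
    memset(m, 0, sizeof *m);
    m->want  = claimed_len & 0xFFFFFFu;
    m->alloc = m->want < INITIAL_ALLOC_CAP ? m->want : INITIAL_ALLOC_CAP;
    if (m->alloc == 0) return 0;
    m->data = malloc(m->alloc);
    return m->data ? 0 : -1;
}

/* Append received bytes. Returns 1 when complete, 0 if more are needed,
 * -1 on allocation failure. Growth is driven by data that really arrived. */
int msg_append(msg_buf *m, const uint8_t *chunk, size_t len)
{
    size_t room = m->want - m->have;

    if (len > room) len = room;           /* never store past the claim */
    if (m->have + len > m->alloc) {
        size_t grow = m->alloc * 2;
        if (grow < m->have + len) grow = m->have + len;
        if (grow > m->want) grow = m->want;
        uint8_t *p = realloc(m->data, grow);
        if (!p) return -1;
        m->data  = p;
        m->alloc = grow;
    }
    if (len) memcpy(m->data + m->have, chunk, len);
    m->have += len;
    return m->have == m->want;
}

/* Feed `delivered` constructed bytes in 128-byte chunks and report the
 * allocation size reached; *complete is set once the message is whole. */
size_t simulate(uint32_t claimed, size_t delivered, int *complete)
{
    msg_buf m;
    uint8_t chunk[128];
    size_t sent = 0, peak;

    *complete = 0;
    memset(chunk, 0xAB, sizeof chunk);    /* constructed payload bytes */
    if (msg_begin(&m, claimed) != 0) return 0;
    while (sent < delivered && !*complete) {
        size_t n = delivered - sent < sizeof chunk ? delivered - sent
                                                   : sizeof chunk;
        int r = msg_append(&m, chunk, n);
        if (r < 0) break;
        *complete = r;
        sent += n;
    }
    peak = m.alloc;
    free(m.data);
    return peak;
}

int main(void)
{
    int done;
    size_t peak = simulate(0xFFFFFF, 100, &done);   /* bogus length */
    printf("bogus 16 MiB claim, 100 bytes seen: %zu allocated\n", peak);
    peak = simulate(200000, 200000, &done);         /* real large message */
    printf("real 200000-byte message: %zu allocated, complete=%d\n", peak, done);
    return 0;
}
```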
This check should be for when the maximum number of iterations
reaches zero, rather than declaring a loop the first time it is reached.
AMF dissection is being aborted and never succeeding.
Fixup 24403a9a35
A zeroed sessionkey is the failure state that is checked, but we
can return early from the function if there are problems with
the challenge response. Move the memset to the top of the function,
as is already done with v2.
Fix #19570
Set `fdata->passed_dfilter = 1` in frame_data_init. This lets us
simplify things slightly in add_packet_to_packet_list, and lets
dissectors force packets to be hidden if needed.
Note that we might want to add a "visible" element to frame_data
instead.
If hashing a newly created GBytes, unref the GBytes after computing
the hash (and before returning it.)
Fix #19558 (in combination with 45b929a1b6
and 6f17dcd67d)
If the full checksum and partial checksum are the same (because
the contribution from the TCP payload doesn't change it), don't
call it a partial checksum.
This is already done in UDP.
If we're replacing the principal, unref the current one, if it
exists.
Push a cleanup function to free the principal and label in case
of hitting an exception dissecting the packet.
Related to #19557
maxmind_db tries to quit mmdbresolve by closing the pipe that
it uses to write to mmdbresolve, so that mmdbresolve will exit
when it tries to read and the pipe is broken.
However, if mmdbresolve is started, and then later dumpcap is
spawned via fork() and exec*(), either to capture or for capture
stats (sparklines), then the dumpcap process will have open ends
of the pipe, and so mmdbresolve will not exit when disabled
via Preferences->Name Resolution->Enable IP Geolocation.
Instead, Wireshark will hang on waitpid().
Fix the hang by setting FD_CLOEXEC on the pipe's stdin and stdout
file descriptors after spawning the mmdbresolve process, so that
dumpcap does not inherit them.
Extended EH Elements, which are still not defined as of DOCSIS 4.0
and must be ignored (CM-SP-MULPIv4.0-I08-231211), are not recursive
but instead have a full byte each for type and length instead of
a nibble, allowing specifying more than 15 extended header types or
extended header types with length longer than 15.
Increment the position for the first type/length byte to make the
logic more straightforward.
Part of #19557
Make sure we fully initialize an endpoint_guid struct. Blind attempt
at fixing
```
==23447== Use of uninitialised value of size 8
==23447== at 0xDAF0816: wmem_map_lookup (wsutil/wmem/wmem_map.c:264)
==23447== by 0x7DE388C: get_domain_id_from_tcp_discovered_participants (epan/dissectors/packet-rtps.c:6518)
==23447== by 0x7DE33AB: dissect_rtps (epan/dissectors/packet-rtps.c:13741)
```
in #19558.
Callers of the service lookup functions, like col_append_ports,
might call it with a nonstandard port type. This might be a
dissector issue, but it's not the sort of thing that should
trigger a ws_assert that crashes Wireshark.
Some dissectors just want the nice looking port column information
even for port types where lookups aren't possible. Dissectors
shouldn't have to know which port types can be looked up.
Related to #19557.
Update IAX2 handling for 2a9bc63325
and b61c0ac536.
Since a non-existent header field in the array is now 0 instead of -1,
change the test.
Fixes warnings like:
** (tshark:166575) 04:45:49.318472 [Epan WARNING] -- Dissector bug, protocol IAX2, in packet 4903: epan/proto.c:10972: failed assertion "n > 0 && (guint)n < gpa_hfinfo.len" (Unregistered hf!)
Related to #19557
Try dissecting with usb.protocol both using device class triple and
interface class triple. This allows dissecting Bluetooth requests on
composite devices and/or when Device Descriptor class code is not one
of the Bluetooth codes.
Set URB transfer type in USB conversation info when handling control
requests. Set endpoint to magic NO_ENDPOINT8 value when control request
is directed to interface to prevent using whatever value was last stored
there (do not set endpoint to 0 to prevent clear_usb_conv_tmp_data()
from clearing interface class, subclass and protocol values).
Mostly just passing pinfo around a little bit more, but in rf4ce-nwk we
weren't doing anything with the allocated value anyway, so just use the
regular proto_tree_add_item.
According to IEEE 802.1Q 21.5.3.2, if the Chassis ID Length field is 0,
then the Chassis ID Subtype is not present. Thus the number of octets
used for the Chassis ID is 1 (the length field itself) if the length is
0, and 2 plus the length value if the length is > 0.
According to 21.5.3.6, the Management Address Length field should not
be present if the Management Address Domain Length has the value zero.
If it is present anyway (as in the file provided in #13720), handle it
but add an expert info.
Fix #13720
The length values given to proto_tree_add_item for SBAS MT1 - MT5
dissection did not always correctly match the bitmask in
hf_register_info causing a retrieval of wrong values. Align the length
values and bitmasks for a correct retrieval of field values.
Update to the latest specification, which specifies the currently used
value for 'invalid' as 'backward compatible (do not use)'.
See
IEC 61850-9-2 Edition 2.1 2020-02,
Section 8.6 Definitions for basic data types – Presentation layer functionality,
Table 21
Be aware that in the specification the bits are numbered in reverse (it
specifies the least significant bit as bit 31 instead of as bit 0)!
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
With the growth of the member registry they became part of the
protocol registrations for use with decode as.
Extend the code space reserved for member registrations, to
exclude these and new members for the foreseeable future.
Instead of storing all found SCTP associations in one linked list,
use maps.
Store associations where only one vtag is known in one map, hashed
by the ports. (This effectively is a list indexed by the ports.) Store
associations where both vtags are known in another map, hashed by the
vtags. After an association has been setup, most lookups should be
fast, using the vtags. This should be much faster than searching the
entire list of associations each time for captures with many
associations.
Assume vtag collisions are rare. When we have INIT ACK packets, the only
packets that have both vtags in a single packet, do not require that
addresses match. Otherwise, when matching two half associations into
a full association, require that addresses match as well as ports.
Requiring address matching for cases lacking INIT ACK packets (such as
a stream of DATA frames back and forth) prevents false positives
(especially in cases where ephemeral ports are not used and source and
destination ports are the same.)
Eventually we ought to track the additional addresses given in INIT,
INIT ACK, and ASCONF packets and use those as well.
Fix #19544
Always send the association information to the SCTP tap, if
we've filled in at least one tvb. Always add it to the tree
as well, by using the association index calculated for the
first chunk.
Note in a comment that we should only need to calculate the
association index for the first chunk of bundled chunks; while
there are some chunk types with exception verification tag
handling (RFC 9260 8.5.1), they shouldn't be bundled with other
chunk types. We should have an expert info for that situation.
(Previously, we were calculating the association index for all
chunks and using for the packet the last one calculated.)
Initialize the association index and direction when beginning
dissection, in case we throw an exception when getting the
chunk type to see if RFC 9260 8.5.1 applies.
Part of #19544
Otherwise the dissected fields shown up are really misleading.
It is totally fine sending len=0, as explained in TS 29.060 sec 7.7.28:
"If MS Network Capability is not included, its Length field value shall
be set to 0."
proto_tree_add_text_valist_internal calls proto_tree_add_text_node,
which calls proto_tree_add_pi() with the internal hf_text_only FT_NONE
item, which calls get_hfi_length which does the adjustment of the
length to be either everything in the tvbuff (if length is -1), or
the minimum of what's in the tvbuff and the length (if length is not -1
and we have the tvbuff.)
This proto_tree_add_text_valist_internal doesn't need to do its own
version of the check. In particular, this means when adding a
text-only subtree with a tvb truncated with capture, the subtree
will be added truncated and the exception will be thrown when
retrieving the first unavailable item, instead of throwing the
exception immediately.
This is the behavior already done when adding FT_PROTOCOL and FT_NONE
items via other methods.
Related to #19544
In QUIC, connection migrations are possible even without source
connection IDs. Currently, after connection migration Wireshark fails to
associate answers with zero length CIDs for the new address to the
original connection.
After migration when the client sends data from the new IP
the connection data needs to be associated with the new conversation.
So when the server answers and the connection is identified by the
conversation a connection is found.
Fix slot definition subfield format to give an 8 bit slot duration if set to 0, update the 11 bit mask to be 11 bits,
and add a custom formatter to print the slot duration in uS
epan/proto.c:9468 -- proto_register_field_init(): 'rdpudp.flags.ack' exists multiple times with incompatible types: FT_UINT16 and FT_BOOLEAN
epan/proto.c:9468 -- proto_register_field_init(): 'rdpudp.flags.data' exists multiple times with incompatible types: FT_UINT16 and FT_BOOLEAN
The wslua plugin folder is recursive and contains the binary plugins
folder. Avoid descending into those folders that should not contain
any *.lua files.
Move the libwireshark pkgconfig file to the resource directory.
Set the various paths in our .pc files based on the `pcfiledir` variable
instead of using absolute paths. This should make it possible to install
using a DESTDIR that differs from CMAKE_INSTALL_PREFIX.
Allow epan plugins to push descriptions for each individual
plugin or extension managed by the epan plugin interface.
For example a Lua or Python epan plugin can push
descriptions for each *.lua or *.py script it registers.
Similar to other changes to the dissection and display of UTC Time, changed
Smart Energy time fields to display both UTC text time and UTC Time as a
number with the number as the field value for t-shark. As UTC Time is used
elsewhere, broke that functionality out into the main ZCL file, but Smart
Energy applies a special meaning where the value 0 means 'now' independant
of the actual time, this is restricted to Smart Energy uses of UTC Time.
Thanks to Cole Wu <colewu9712@gmail.com> for the original implementation and
support.
The non-Huffman encoded QPACK bytes are added to the tree as
FT_BYTES, and they are expected to be probably printable
ASCII but treated as opaque data if not. That's
BASE_SHOW_ASCII_PRINTABLE, which makes the values a little more
useful in the tree.
Move some of the less useful messages to ws_noisy, the rest to
ws_debug. (A few of the errors could be ws_info, which isn't
displayed by default either.)
Part of #19519
Return the number of bytes decoded and placed in the tree and
set pinfo->desegment_offset and desegment_len so that the QUIC
dissector can desegment the HTTP3 Encoder stream.
Pass that number of bytes to the nghttp3 decoder so that we don't
end up passing the same bytes twice with reassembly.
Make it so the QUIC data stream desegmenting code puts a link
to the frame the data was reassembled in for segments that begin
an MSP as well in more cases, as the TCP dissector does.
(There are a few more cases TODO to produce results similar to
TCP.)
Fix #19475
See
1. https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
2. The `nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts))`
call in net/netfilter/nfnetlink_log.c in the Linux kernel source.
Add support for 16-byte and 12-byte seconds/microseconds time stamp, to
match what we already have for seconds/nanoseconds time stamps, in
`proto_tree_add_item()` etc., and use that.
Fixes #19525.