At least as I read RFC 5456:
1) non-full-frame time stamps should have high-order bits from
the time stamp of the last full frame ORed into it;
2) "mini voice packets" have a 16-bit time stamp and "mini video
packets" have a 15-bit time stamp;
so adjust the non-full-frame time stamps in that fashion rather than by
adding 32768 until the value looks OK - and don't adjust full-frame time
stamps at all.
Change-Id: I20873a633a99415ac73a7e6baf087e5ec62a4905
Reviewed-on: https://code.wireshark.org/review/28555
Reviewed-by: Guy Harris <guy@alum.mit.edu>
- 0x2A0B Exact Time 100
- 0x2A10 Secondary Time Zone
- 0x2A15 Time Broadcast
- 0x2A1A Battery Power State
- 0x2A1B Battery Level State
Change-Id: I857a8ff6e38b0093d2d746c789d8f33ec59eb553
Reviewed-on: https://code.wireshark.org/review/28553
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The last argument to conversation_new_by_id() is the options for the
conversation, *not* the frame number.
Change-Id: I44e1819123432aa043e82f6b74ebdfad26ce76c0
Reviewed-on: https://code.wireshark.org/review/28545
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Also: Minor style cleanups (some still missing) and add two FP specific WKAs.
Change-Id: I908ec92ba4682caf8e9c9cc4fb44c2f9c336b4e3
Reviewed-on: https://code.wireshark.org/review/28535
Petri-Dish: Jörg Mayer <jmayer@loplof.de>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
The MIKROTIK OUI is actually allocated to Routerboard and should be considered
as such. The IE is utilized by Routerboard, Ubiquiti, Mikrotik, and other
Routerboard derivative device types. Added subtype1 dissection which contains
a data element carrying descriptive info on the network, device, or model info.
Bug: 14925
Change-Id: Ic7c091877d5c5eb12a51b17dbd8761efdf242f9c
Reviewed-on: https://code.wireshark.org/review/28510
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Use UPOE instead of four-wire - it's the term everyone knows.
  Also provide a link to the "spec".
- Add some more ACI fields I found in some traces.
  Guess the function of unknown-CA to be Node Role.
Change-Id: I7bdb4c1f720868da4f502ba43ba9e2b1c072d4e0
Reviewed-on: https://code.wireshark.org/review/28422
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
- Change the defines a bit.
- Update the way the header is handled.
Change-Id: I47fafcbec526ed4147b9202168e349f9b68bed6d
Reviewed-on: https://code.wireshark.org/review/28511
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Packet scope lifetime is too short for it.
Bug: 14923
Change-Id: I4bd5ef8c7382d5d3d98598b797732ba3d88e44fd
Reviewed-on: https://code.wireshark.org/review/28505
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Currently out-of-order segments will result in cutting a stream into
two pieces while the out-of-order segment itself is ignored. For
example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with
"C" ignored. This behavior breaks TLS decryption or prevents application
layer PDUs (such as HTTP requests/responses) from being reconstructed.
To fix this, buffer segments when a gap is detected.
The proposed approach extends the "multi-segment PDU" (MSP) mechanism
which is normally used for linking multiple, sequential TCP segments
into a single PDU. When a gap is detected between segments, it is
assumed that the segments within this gap are out-of-order and will be
received (or retransmitted) later.
The current implementation has a limitation though: if multiple gaps
exist, then the subdissector will only be called when all gaps are
filled (the subdissector will receive segments later than necessary).
For example with "ACEBD", "ABC" can already be processed after "B" is
received (with "E" still buffered), but due to how MSP are extended, it
must receive "D" too before it reassembles "ABCDE". In practice this
could mean that the request/response times between HTTP requests and
responses are slightly off, but at least the stream is correct now.
(These limitations are documented in the User's Guide.)
As the feature fails at least the 802.11 decryption test where packets
are missing (instead of OoO), hide this feature behind a preference.
Tested with captures containing out-of-order TCP segments from the
linked bug reports, comparing the effect of toggling the preference on
the summary output of tshark, the verbose output (-V) and the two-pass
output (-2 or -2V). Captures marked with "ok" just needed "simple"
out-of-order handling. Captures marked with "ok2" additionally required
the reassembly API change to set the correct reassembled length.
This change does "regress" on bug 10289 though when the preference is
enabled as retransmitted single-segment PDUs are now passed to
subdissectors. I added a TODO comment for this unrelated cosmetic issue.
Bug: 3389 # capture 2907 (HTTP) ok
Bug: 4727 # capture 4590 (HTTP) ok
Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok
Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok
Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok
Bug: 13754 # capture 15593 (MySQL) ok2
Bug: 14649 # capture 16305 (WebSocket) ok
Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56
Reviewed-on: https://code.wireshark.org/review/27943
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
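
The two behaviours this commit message describes, as an added example that is not Wireshark's code: a simplified model in which each segment's sequence number is a byte offset into the stream. The names `segment`, `progress`, `reassemble_naive`, `reassemble_buffered` and `STREAM_MAX` are hypothetical, and the `msp` counter only models the "wait until every gap is filled" limitation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STREAM_MAX 64u                       /* toy bound on stream size */
typedef struct { uint32_t seq; const char *data; } segment; /* seq = byte offset */
typedef struct { size_t eager, msp, end; } progress;

/* Old behaviour: a gap cuts the stream ('|' marks the cut) and a segment
 * arriving behind the current position is ignored. */
void reassemble_naive(const segment *s, size_t n, char out[2 * STREAM_MAX]) {
    uint32_t next = 0;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i].data);
        if (s[i].seq < next || o + len + 2 > 2 * STREAM_MAX) continue; /* late, or no room */
        if (s[i].seq > next) out[o++] = '|';
        memcpy(out + o, s[i].data, len);
        o += len;
        next = s[i].seq + (uint32_t)len;
    }
    out[o] = '\0';
}

/* Buffered: store each segment at its offset. eager = contiguous prefix that
 * is ready; msp = bytes released if delivery waits until no gap is left. */
progress reassemble_buffered(const segment *s, size_t n, char out[STREAM_MAX]) {
    unsigned char have[STREAM_MAX] = {0};
    progress p = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i].data), off = s[i].seq;
        if (off >= STREAM_MAX - 1 || len > STREAM_MAX - 1 - off) continue; /* out of range */
        memcpy(out + off, s[i].data, len);
        memset(have + off, 1, len);
        if (off + len > p.end) p.end = off + len;
        while (p.eager < p.end && have[p.eager]) p.eager++;
        if (p.eager == p.end) p.msp = p.end;
    }
    out[p.eager] = '\0';
    return p;
}

int main(void) {
    const segment abdce[] = {{0,"A"},{1,"B"},{3,"D"},{2,"C"},{4,"E"}}; /* constructed */
    char cut[2 * STREAM_MAX], whole[STREAM_MAX];
    reassemble_naive(abdce, 5, cut);
    progress p = reassemble_buffered(abdce, 5, whole);
    printf("naive=%s buffered=%s ready=%zu\n", cut, whole, p.eager);
    return 0;
}
```

Feeding the first four segments of "ACEBD" to `reassemble_buffered` leaves `eager` at 3 and `msp` at 1, which is the delay the message describes: "ABC" is ready, but delivery waits for "D".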
This allows code to initialize them without having to know the details
of the structure; the initializers should, and will, be changed if the
members of the structure are changed.
Change-Id: I93e6ebfcde9ceca17df696fcba4e8410c5afb175
Reviewed-on: https://code.wireshark.org/review/28501
Reviewed-by: Guy Harris <guy@alum.mit.edu>
1. Add new dissector table that allows for registration of CIP Class 2/3 Data
   against CIP Class that was used in the Forward Open. This is similar to the
   Class 0/1 I/O dissector table. The new logic is this:
   a. If there is connection info and a table entry: Call the registered dissector
      handle (cip_connection_message_router.pcap).
   b. If there is connection info and no table entry, use the CIP implicit
      dissector (cip_connection_implicit.pcap)
   c. If there is no connection info: Assume Message Router (Class 0x2)
      format (cip_no_connection_message_router.pcap)
2. Remove old dissector table for "enip.sud.iface". The specification states that
   the Interface Handle "shall be zero" for SendUnitData, so there isn't a need
   to have custom handling for different Interface Handle values. SendRRData
   does not have the same restriction, so that dissector table (enip.srrd.iface)
   will stay.
3. Pull out Class 2/3 data processing into separate function: dissect_cip_class23_data()
4. Remove extra unnecessary tree layer in implicit data dissector.
Bug: 14916
Change-Id: Id53a2031a6064551b3915d8954527a7b3261d222
Reviewed-on: https://code.wireshark.org/review/28496
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Ethernet checksum offloading seems to be common nowadays, similar to
IPv4, IPv6, TCP, and UDP. Disable FCS validation by default. Suggested
by Laura Chappell at SharkFest US '18.
Change-Id: Icf0e262c65ad328a58da9bd78f3aefbefa2f9394
Reviewed-on: https://code.wireshark.org/review/28477
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change the exported_pdu size from two to the full size of the tag
(including type and length fields) and limit the protocol length to just
the tags (without the PDU data).
Change-Id: I1c20740627ebd74c117bb1735ff4c189d2d750d6
Reviewed-on: https://code.wireshark.org/review/28470
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Fixed initial COL_INFO for associations. It used to 'append' instead of 'set'.
- Changed initial length check from tvb_reported_length() to tvb_captured_length()
- Heuristic Dissection:
  o Modified registration, so it can be clearly identified in the Enable/Disable Protocols dialog
  o Enabled by default
  o Return proper data type
Tested heuristic vs. static on many DICOM captures
Change-Id: I0aa42b91e4f55a6d9fc834657710a6a92c8dadef
Reviewed-on: https://code.wireshark.org/review/27518
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Due to a missing mapping from operation number to a string representation,
Wireshark displays '71' instead of 'CLONE'.
Change-Id: Ic5da0a110d5475b2467d6110ea2896332f93288c
Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
Reviewed-on: https://code.wireshark.org/review/28447
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
As fields are hidden items, the discrepancies go unnoticed in the Wireshark
tree; however, when printing in tshark the displayed fields are incorrect, as the
wrong tvb is passed during dissection.
Bug: 14908
Change-Id: If06618b67040b631f153d3e2609583fecc56b5b2
Reviewed-on: https://code.wireshark.org/review/28445
Reviewed-by: Jeremy Martin <boardermartin@gmail.com>
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
When dissecting USBIP packets, the transfer type is not known for every
packet like when dissecting usbmon captures. This patch lifts the
transfer type for the endpoint in the device descriptor and stores it in
the conversation. If the per-packet transfer type is unknown for a
transfer, it tries the one from the descriptor instead. This enables
bulk/iso payload dissectors to work on USBIP packets too.
Change-Id: If0a3e4f3b9598f586fa460d0d07032d22e203122
Reviewed-on: https://code.wireshark.org/review/28412
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>