ethernet IG/LG bit changes with minor modifications
(only dissect LG if it is a unicast address
put a hint what locally administered means in the dissect tree
)
svn path=/trunk/; revision=19033
this patch adds support for MPEG2 transport stream packets in RTP (type
MP2T). It currently dissects the headers of the MPEG2 packets
svn path=/trunk/; revision=19023
I found a loop in the q2931 dissector, whereas I was dissecting Ranap
Traces with a bad wireshark configuration.
Wireshark did crash, after eating all the memory.
Make other loop checks more paranoid.
svn path=/trunk/; revision=18992
This patch provides a correction for the element "Channel Needed" in the Paging message, and some improvements for the display of AUTH, SRES, RAND etc.
With some further changes to APDU and LSA Identifier dissection.
svn path=/trunk/; revision=18985
make mms bitstrings easier to read
--
Hi, this is my new mms with some changes in order to display some data in
binary instead of hex.
Excuse me because it is not a diff from the repository, but I don't know how to
create a diff.
I also have the compiled packet-mms.c and packet-mms.h if you want it only
mail me.
svn path=/trunk/; revision=18974
use tcp_dissect_pdus() which works instead of trying to do the pdu tracking and signalling for reassembly manually.
This makes ldap pdu tracking and reassembly work properly for cases when hosts are streaming ldap over tcp and there is little or no alignment of pdus to the start of a segment
svn path=/trunk/; revision=18965
new protocol: veritas low latency transport
---
Attached is a patch file that adds a new dissector for the LLT protocol
(Veritas Low Level Transport, used for server clustering). They use
ethertype 0xCAFE even though it isn't assigned to them :(. There are
other fields and possibly other message types directly between servers
it does not yet dissect as no one outside of Veritas knows what they
are. This dissector understands the one people will run across most -
multiple servers broadcasting these heartbeats all over the place. I
figured out these fields through many Internet searches.
I will add the protocol to the Wiki after it is committed.
Thanks,
Steve
svn path=/trunk/; revision=18944
the attached patch removes the
redundant "Cisco Discovery Protocol" from the info column:
Before:
Cisco Discovery Protocol Device ID: myswitch.domain.com Port ID: GigabitEthernet3/17
After:
Device ID: myswitch.domain.com Port ID: GigabitEthernet3/17
svn path=/trunk/; revision=18941
A patch that adds support for dissection of
libpcap DLT_JUNIPER_VP frames. In addition I have fixed
also the indent for DLT_JUNIPER_GGSN.
svn path=/trunk/; revision=18940
most of the relevant code moved to guid_utils
lot of corresponding code cleanup in packet-dcerpc.c
still using GHashTable
still not using a manuf like file
svn path=/trunk/; revision=18939
As per RFC 4090, In the FAST_REROUTE Object, Include-any starts
at the 12th byte and Exclude-any starts at the 16th byte.
Ethereal has inter-changed these two fields in its display.
*Ethereal* bug 1043.
svn path=/trunk/; revision=18938
I think I've changed all corresponding appearances from FT_STRING to FT_GUID, so assert the FT_ type as it should only be a FT_GUID now.
Add a generic implementation in guid_utils.h to have a way to store data about GUID to name resolving (something like value_string for e.g. int). It might be better to have a single registry for all GUID's of all dissectors and implement the GUID name resolving into the proto_tree_add... functions.
svn path=/trunk/; revision=18935
is disabled by default, and can be enabled by setting AIRPCAP_CONFIG
in config.nmake. The code is currently limited to Windows, but should
be adaptable to other platforms.
The official announcement won't come until next week, so you'll have to
read the source for details. :)
svn path=/trunk/; revision=18928
when files are opened using NTCreateAndX and if we recognize the type set the type field to either FILE, DIR or PIPE
This is useful to know when dissecting things like security descriptors since it tells us how to dissect the specific bits of the access mask.
Only do this for NTCreateAndX for now. It is trivial to add similar tracking to some of the older obsolete calls used to open fids but no clients ever use those old calls any more.
svn path=/trunk/; revision=18922
I made a small change in packet-bacapp.c to fix the following:
1. Corrected Signed value decoding for a one octet value.
2. Corrected Priority values to decode as Unsigned values.
svn path=/trunk/; revision=18918
A very tiny patch that corrects decoding of the Next Payload field in
the IKEv2 header. RFC 4306, Sec 3.2 says that a payload type of 0
means "No Next Payload" and not RESERVED. The patch just uses the
same string the dissector uses for IKEv1, namely, "NONE".
svn path=/trunk/; revision=18914
The enclosed patch updates the set of mime types for line oriented text
data per RFC 2046.
Me:
Remove application/postscript, as it may be binary.
svn path=/trunk/; revision=18913
I have developed a plugin for Pro-MPEG FEC packets over RTP (see
previous posts on ethereal-dev). I have added a page and example capture
file to the Wiki (http://wiki.wireshark.org/2dParityFEC). The source and
Windows makefile for the plugin are attached. Unfortunately I do not
have access to other systems so this plugin has been tested on Windows
only.
The attached version of my plug-in has only had the copyright header
added.
I will translate this into a proper dissector rather than a plug-in as
requested, but this may take a little time as I have a lot of other
things to do at the moment.
Me:
Convert into a normal dissector
Reorder / reformat code a bit
Added Mark's name to the top of the file.
svn path=/trunk/; revision=18908
- add a generic guid register to dissect UUID's (move this to a separate file?)
- this enables us to set some known names for special UUID's
- use standard DCOM fields for IID and alike in remunk.c
- cleanup dcom_protseq_vals handling
- some FT_STRING to FT_GUID changes
svn path=/trunk/; revision=18904
protocol has a lot of preference items. Change the number of
configurable ESP SAs to 16 (in case someone needs to decrypt many
sessions in a single trace file). Fix up whitespace.
svn path=/trunk/; revision=18903
Attached is a patch to packet-http.c that calls a subdissector for
traffic flowing through a proxy via the HTTP CONNECT method. Most
protocols, especially SSL, can be tunneled through an HTTP proxy.
Wireshark currently says this traffic is "Continuation or non-HTTP
traffic" but this patch turns the payload over to the dissector for the
protocol being tunneled. This is similar to how the Socks dissector
works.
svn path=/trunk/; revision=18901
Please find attached a patch with updates to l2tpv3's l2_sublayer_vals
and pw_types_vals numbers (and pw type decoding).
The previous values belong to a different number space, "MPLS Pseudowire
Types Registry" in http://www.iana.org/assignments/pwe3-parameters, used
by LDP. The new values belong to the correct number space, "L2TPv3
Pseudowire Types" in http://www.iana.org/assignments/l2tp-parameters,
used by L2TPv3. Note that one is a 15-bit number while the other is a
16-bit number. So it's not really removing half of the values; even
though there are some numerical "matches" in the two registries, there
are differences (see for example 12 and 13, and some name changes). From
my knowledge the values not registered are also not used (and part of
the intention of the patch is that they are not misused); a fair
assumption is that it was a clerical error mis-assuming the two
protocols, LDP and L2TPv3, used the same space for "PW Types".
svn path=/trunk/; revision=18900
change all accessor functions to be defines to the emem_tree_ functions.
now to create a tree with a different scope we only need to create a new
..._tree_create() function and set up the appropriate defines
(it was a mistake to call the functions se_tree_create and se_tree_create_non_persistent, they should be the other way around i.e. se_tree_create_persistent and se_tree_create )
svn path=/trunk/; revision=18895
the tree management and to use trees with different storage scope without too much code duplication.
it would be useful with a tree that had indefinite storage instead of the emem functions which commonly have ep or se storage scope.
indefinite storage scope would be useful for example for managing a global and static set of well known guid to name mappings (not yet implemented) and also for
oid to name mappings.
svn path=/trunk/; revision=18886
add a lot more PROFINET CBA dissection output based on these DCOM context information
still need some improvements, e.g. dissection uses a simple (slow) linear list search
changes are fuzz-tested
svn path=/trunk/; revision=18882
I've attached a patch to the "wlan capture header" dissector to bring it
in line with the current frame format, and a proper URL to obtain said
format. Nothing major, just the addition of a couple of fields and
definitions. The dissector remains backwards-compatible with the older
format.
svn path=/trunk/; revision=18878
I've just had a bug in one of our private dissectors which meant
that the handle passed to call_dissector was null. This seemed to give
varying behavior - on some Windows installations it hit wireshark's
in-built exception handling, and displayed that the dissector had an
error (correct), but on some installations it just crashed wireshark
(not helpful). I _think_ the difference was whether MSVC was installed
or not, but on a sample of only 3 machines.
Should call_dissector include explicit null handle checks, and if so,
should it:-
a) g_assert - the simple patch attached
b) fallback to doing a data decode (as disabled protocols do)
c) try to invoke the wireshark exception handling for the packet
Or is the correct answer none of the above - the exception handler
should already cope ?
svn path=/trunk/; revision=18869
provided by markdrago@mail.com.
Me: Patch template files instead and regenerate the dissector files.
Fix Makefiles to use the correct asn filenames.
svn path=/trunk/; revision=18866
a new bit 0x00020000 is used in the TGS-REQ packets and this results in a return of a PAC containing an unknown type 11 field.
the blob in the pac is 200 bytes and NDR encoded. its structure is obvious since it contains 2 conformant and varying arrays and three unique pointers.
enable decoding of this new KDCOptions bit and call it "constrained delegation"
svn path=/trunk/; revision=18857
libgcrypt, enable it in the Windows build.
In packet-ipsec.c:
- Remove non-constants from variable declaration initializations.
- Use ep_alloc() in a couple of places.
- Fix an off-by-one error.
- Reduce the number of SAs in the preferences from 4 to 2. 4 made the
preferences window absolutely enormous. This is probably the wrong
way to fix this.
- Fix up whitespace.
svn path=/trunk/; revision=18856
also change the name of one of the strings we keep around since it is more generic than just used for attributeassertions
svn path=/trunk/; revision=18841
I was looking at the dissector I wrote recently, packet-exec.c, to remember
how to handle conversations and I noticed a comment that isn't clear.
It would throw someone off because it isn't how the dissector was finally written :).
svn path=/trunk/; revision=18833
the supplied patch fixes a problem where the options value should really be used from the conversation found (using
conversation_lookup_hashtable(...) to create a new conversation based on the already stored conversation template (the CONVERSATION_TEMPLATE bit is set in the stored conversation) rather than from the options argument passed to the function(s).
This solves a problem that otherwise shows itself where "DISSECTOR_ASSERT(!(conv->options & CONVERSATION_TEMPLATE) && "Use the conversation_create_from_template function when the CONVERSATION_TEMPLATE bit is set in the options mask");" fails sometimes.
svn path=/trunk/; revision=18825
This patch adds a new dissector for the daytime protocol (like the time
protocol, but the date and time is sent as a text string). This protocol and
dissector works over TCP or UDP.
svn path=/trunk/; revision=18823
The time protocol (port 37) dissector (packet-time.c) currently only supports
UDP. The protocol has an identical implementation over TCP as well. This
patch adds support to the dissector for TCP time in addition to the UDP time
packets
svn path=/trunk/; revision=18822
This patch adds the most commonly referenced items from CDP frames to the info
column: the device id (hostname) and port id. For example:
Cisco Discovery Protocol Device ID: myswitch.me.com Port ID:
GigabitEthernet7/12
svn path=/trunk/; revision=18821
- updated to the current (approved) spec. I'm not sure how backwards-compatible this is with older drafts...
- prettified the existing code, including more details in the info column
Also included is a fix to the way the offset at the end of an RTCP BYE packet is calculated (taking into account the NULL. This avoids the 'length wrong' expert item)
svn path=/trunk/; revision=18820
- Add a preference to try to find messages within sctp primitive messages (tries renaming of known mismatches)
- Add outhdr to stub protocol (getting ready for IuB FP)
svn path=/trunk/; revision=18818
A disassembly module I wrote for Pegasus Lightweight Stream Control, a protocol used by some cable set-top boxes for video-on-demand.
svn path=/trunk/; revision=18807
- allow SDP to parse the IP address + port for the MSRP session from the
path attribute
- setup an MSRP conversation using this address, whose data points back
to the SDP frame
- link to the SDP setup frame while dissecting MSRP (can be switched off
by a preference)
- I also changed sdp.media.port to be a numeric field
svn path=/trunk/; revision=18806
fix for h450 to prevent an assertion for uninitialized hffields
Thanks for the capture, Keith. The problem was with h450 hf fields that
weren't initialised successfully (at all in one case, or with non-unique
filter strings in several others) - it was hitting an assertion in proto.c
when an attempt was made to use those fields.
I was able to test by editing packet-h450.c directly, I couldn't regenerate
it from packet-h450-template.c. I'm attaching a patch to
packet-h450-template.c that hopefully does the same thing. If someone can
generate and check it packet-h450.c in for me I'll retest.
svn path=/trunk/; revision=18804
Hi,
This patch allows FT_NONE items to be built into filter expressions
(i.e. testing for their presence or absence rather than comparing with a
value) using the Apply|Prepare a Filter menus. What drove me to add
this was having to type in !tcp.analysis.out_of_order.
Does this seem reasonable?
Regards,
Martin
svn path=/trunk/; revision=18782
Hi,
The attached file should fix the following two bugs in the AJP dissector.
1) The dissector doesn't know about CPING/CPONG
2) The dissector misinterprets multiple requests in one connection if a
prior request has a Body request part.
svn path=/trunk/; revision=18780
The barker preamble bit is set when a station associates
which does not support short preambles. When it is 0, short
preambles are allowed.
Me: Add a reference to the spec stating the above.
svn path=/trunk/; revision=18777
This patch:
- adds headers found in later versions of the msrp drafts
- fixes a problem where wrong length values were used while parsing the
request/status line and it was going beyond linelen
- "Transaktion" -> "Transaction"
- status code now appears as a numerical field
- removes unused parameters from check_msrp_header()
- tidies up some indentation
It has survived some fuzz-testing.
svn path=/trunk/; revision=18766
sip_stats.c and tap_sipstat.c:
adds the code 429 ("Provide Referrer Identity", from RFC 3892) to
SIP stats.
chargecontrol.xml packet-diameter.c :
These patches
- add a few more chargecontrol AVPs, and add the vendor-id where needed
- report as expert info when AVPs' lengths don't match their type
svn path=/trunk/; revision=18743
special case some common special attributes such as DomainSid and DomainGuid
and dissect them as SIDs and GUIDs
examples of these special attributes can be seen in Xiaoguang Liu's email to wireshark dev
svn path=/trunk/; revision=18719
Fix a bug introduced recently in packet-rpc.c.
Replace DISSECTOR_ASSERT() with THROW(ReportedBoundsError) in my recent
checkins, since fuzz-test.sh sets WIRESHARK_ABORT_ON_DISSECTOR_BUG.
svn path=/trunk/; revision=18693
add a generated field telling the user and add an expert info entry
This often happens when the capture misses the binding procedure at the beginning of a conversation "capture start too late".
svn path=/trunk/; revision=18687
packet-pktc.c:
Catch an underflow.
packet-ospf.c:
Don't burn CPU cycles unnecessarily.
packet-rpc.c:
Catch an overflow.
packet-mq.c:
Check a header size.
Fix up whitespace.
svn path=/trunk/; revision=18685
packet-diameter.c
- show vendor ID as a decimal number
diameter/chargecontrol.xml
- add more AVP entries from 3GPP TS 32.299 (6.6.0)
svn path=/trunk/; revision=18679
packet-mount.c:
Don't allocate a huge amount of memory.
packet-ntp.c:
Fix a possible format string bug.
packet-ndps.c:
packet-nmas.c:
Fix an off-by-one buffer error.
svn path=/trunk/; revision=18678
- changes the ISUP dissector preference to follow MTP3's preference
rather than having its own (similar to SCCP, M3UA, etc.). I did not
obsolete the old preference because it was never put out in a release
(only SVN users would have seen it). I can change that if desired.
- add dissection of ANSI CRM message
svn path=/trunk/; revision=18661
this also removes several small memory leaks through get_oid_name and get_oid_str_name where the callers never freed the data
svn path=/trunk/; revision=18647
packet-diameter.c
--------------------------
I completely reindented dissect_avps() before I made any changes, but
when ignoring white space (in tkdiff, -w plus checking 'Ignore blanks
when diffing'), it's easy to see the small changes I've made:
- when fail to find AVP info, show code in tree parent in decimal (as
specs do)
- add an expert info (undecoded, note) to indicate unknown AVP codes
diameter/imscxdx.xml
-------------------------------
- added 'Associated-Identities'
svn path=/trunk/; revision=18641
activate_secondary_pdp_contex_acc - radio priority missing, QoS wrongly decoded.
Fault in i detach_req: should be ELEM_OPT_TLV
identity half-octeten ignored.
"Cause" written as "LLC SAPI"
Decoding of TFT.
svn path=/trunk/; revision=18640
attached a patch for the BGP dissector for correct display of
VPLS NLRIs as per the latest spec (draft-ietf-l2vpn-vpls-bgp-08).
svn path=/trunk/; revision=18638