Hi,
This patch allows FT_NONE items to be built into filter expressions
(i.e. testing for their presence or absence rather than comparing with a
value) using the Apply|Prepare a Filter menus. What drove me to add
this was having to type in !tcp.analysis.out_of_order.
Does this seem reasonable?
Regards,
Martin
svn path=/trunk/; revision=18782
Hi,
The attached file should fix the following two bugs in the AJP dissector.
1) The dissector doesn't know about CPING/CPONG
2) The dissector misinterprets multiple requests in one connection if a
prior request has a Body request part.
svn path=/trunk/; revision=18780
The barker preamble bit is set when a station associates
which does not support short preambles. When it is 0, short
preambles are allowed.
Me: Add a reference to the spec stating the above.
svn path=/trunk/; revision=18777
This patch:
- adds headers found in later versions of the msrp drafts
- fixes a problem where wrong length values were used while parsing the
request/status line and it was going beyond linelen
- "Transaktion" -> "Transaction"
- status code now appears as a numerical field
- removes unused parameters from check_msrp_header()
- tidies up some indentation
It has survived some fuzz-testing.
svn path=/trunk/; revision=18766
sip_stats.c and tap_sipstat.c:
adds the code 429 ("Provide Referrer Identity", from RFC 3892) to
SIP stats.
chargecontrol.xml packet-diameter.c :
These patches
- add a few more chargecontrol AVPs, and add the vendor-id where needed
- report as expert info when AVPs' lengths don't match their type
svn path=/trunk/; revision=18743
special case some common special attributes such as DomainSid and DomainGuid
and dissect them as SIDs and GUIDs
examples of these special attributes can be seen in Xiaoguang Liu's email to wireshark dev
svn path=/trunk/; revision=18719
Fix a bug introduced recently in packet-rpc.c.
Replace DISSECTOR_ASSERT() with THROW(ReportedBoundsError) in my recent
checkins, since fuzz-test.sh sets WIRESHARK_ABORT_ON_DISSECTOR_BUG.
svn path=/trunk/; revision=18693
add a generated field telling the user and add an expert info entry
This often happens when the capture misses the binding procedure at the beginning of a conversation "capture start too late".
svn path=/trunk/; revision=18687
packet-pktc.c:
Catch an underflow.
packet-ospf.c:
Don't burn CPU cycles unnecessarily.
packet-rpc.c:
Catch an overflow.
packet-mq.c:
Check a header size.
Fix up whitespace.
svn path=/trunk/; revision=18685
packet-diameter.c
- show vendor ID as a decimal number
diameter/chargecontrol.xml
- add more AVP entries from 3GPP TS 32.299 (6.6.0)
svn path=/trunk/; revision=18679
packet-mount.c:
Don't allocate a huge amount of memory.
packet-ntp.c:
Fix a possible format string bug.
packet-ndps.c:
packet-nmas.c:
Fix an off-by-one buffer error.
svn path=/trunk/; revision=18678
- changes the ISUP dissector preference to follow MTP3's preference
rather than having its own (similar to SCCP, M3UA, etc.). I did not
obsolete the old preference because it was never put out in a release
(only SVN users would have seen it). I can change that if desired.
- add dissection of ANSI CRM message
svn path=/trunk/; revision=18661
this also removes several small memory leaks through get_oid_name and get_oid_str_name where the callers nevber freed the data
svn path=/trunk/; revision=18647
packet-diameter.c
--------------------------
I completely reindented dissect_avps() before I made any changes, but
when ignoring white space (in tkdiff, -w plus checking 'Ignore blanks
when diffing'), its easy to see the small changes I've made:
- when fail to find AVP info, show code in tree parent in decimal (as
specs do)
- add an expert info (undecoded, note) to indicate unknown AVP codes
diameter/imscxdx.xml
-------------------------------
- added 'Associated-Identities'
svn path=/trunk/; revision=18641
activate_secondary_pdp_contex_acc - radio priority missing, QoS wrongly dekoded.
Fault in i detach_req: should be ELEM_OPT_TLV
identiy half-octeten ignored.
"Cause" written as "LLC SAPI"
Decoding of TFT.
svn path=/trunk/; revision=18640
attached a patch for the BGP dissector for correct display of
VPLS NLRIs as per the latest spec (draft-ietf-l2vpn-vpls-bgp-08).
svn path=/trunk/; revision=18638
this break old preference settings but as we havent shipped any win32 version with this feature yet it shouldnt be any drama
see wiki for updates on the new format
(we still need many many updates and cleanups to the code but the non-backward compatible preference change must go in asap)
svn path=/trunk/; revision=18609
This should fix some "differ in signedness" warnings (and maybe will raise new ones, which should be fixed at the calling places then)
svn path=/trunk/; revision=18605
Fix Bug 976
Looking at frame 170 in the trace, it looks like
tvb_get_ephemeral_text() struggles with the null character in the middle
of the 4th parameter (in the WWW-Authenticate header) and returns NULL.
The attached patch uses tvb_format_text() instead which also does a
better job of showing the string.
svn path=/trunk/; revision=18589
The patch avoids the crash for unknown messages, adds the Common Id
message dissection which caused it, and also add dissector name
registration for the 2 other protocols which this file can provide.
svn path=/trunk/; revision=18586
ifdef out a few lines of dead code for a feature that is not yet finished
remove two compiler warnings about uninitialized variables (they are not uninitialized, just gcc being dumb)
svn path=/trunk/; revision=18558
replace overly convoluted code with much simpler code.
stateid is a simple 16 byte structure and there is no need to make it more complex than it is.
svn path=/trunk/; revision=18555
1, (minor) the heuristics are too weak and everyting is always decoded either as netapp filehandles or one of the others even when just capturing ibetween say two classic unix boxens
2, (major) you can not filter on specific subfields of the filehandle
observation: 5 people or less in the world care about implementation specific storage of data inside an opaque blob.
remove the too weak heuristics for nfs filehandles.
make decoding of filehandles accorrding to specific implementations controlled by a preference setting.
default this setting to "unknown"
display unknown filehandles using proto_tree_add_item() FT_BYTES/BASE_HEX to make it fitlerable instead of a useless proto_tree_add_text()
wiki needs to be updated tomorrow
svn path=/trunk/; revision=18530
and the weak heuristics often cause wireshark to mistake some segment containing read/write data to be iscsi.
make the heuristics to check that a packet really is iscsi much stronger
svn path=/trunk/; revision=18523
This fixes a redefine of AF_INET6 on AIX 4.3.3. We pull in <sys/socket.h> so the OS can define it first, nullifying the #define in epan/inet_v6defs.h.
svn path=/trunk/; revision=18522
reuse the recent structure for fid->filename mappings since the problemspace is virtually the same
(go to tired of trying to find the sharename in 10mpacket traces with 1000s of shares)
svn path=/trunk/; revision=18516
This needs to be done for all other Create/Open calls as well but would notmally just be 6 lines tyo add.
I rarely see older methods to open files so others using older clients are encoraged to use these 6 lines to the other places where needed.
svn path=/trunk/; revision=18515
add an expansion to the fid that display which frame itr was opened in and when it was closed.
someone may want to add tracking of actual filenames here as well. i am not sure i need that feature myself so ...
svn path=/trunk/; revision=18512
this bug can not currently trigger but if someone would rename the module
in the future then this could potentially cause a null dereference.
svn path=/trunk/; revision=18494
we used the wrong size which caused emem to complain that the canary value had been stomped upon.
another win for the canary feature. thanks gerald
svn path=/trunk/; revision=18491
everytime a ndmp_[scsi|tape]_open is seen create a new itl
we need an itl structure to be able to know what commandset a certain device is using.
svn path=/trunk/; revision=18490
make dissect_scsi_cdb abort with an assert if called with a null pointer for itl.
This means scsi over ndmp will be aborted by an assert sicne ndmp passes a null pointer here always but at least is better than a segv since some cdb's require itl to decode properly.
next checkin will fix ndmp in this regard.
svn path=/trunk/; revision=18489
have neither. For those with MAP_ANON but not MAP_ANONYMOUS, use
MAP_ANON; for those with neither, add some code to use "/dev/zero".
svn path=/trunk/; revision=18488
HP-UX doesn't have MAP_ANON but it does have MAP_ANONYMOUS. Moreoever,
according to mmap(2) on RHEL:
MAP_ANONYMOUS
The mapping is not backed by any file; the fd and offset argu-
ments are ignored. This flag in conjunction with MAP_SHARED is
implemented since Linux 2.4.
MAP_ANON
Alias for MAP_ANONYMOUS. Deprecated.
svn path=/trunk/; revision=18486
to format into a buffer and then pass that buffer.
Make a count an "int" rather than a "size_t" to squelch a (valid)
compiler warning.
svn path=/trunk/; revision=18482
ldap and ldap+sasl
remove a recent ber length validation in packet-ber.c that cant work and breaks reassembly and also makes all ber pacvket sspanning multiple segments show up as malformed packets.
svn path=/trunk/; revision=18465
Check for libgcrypt 1.1.0 (note: I don't know which version
is required, so maybe the version number needs to be changed
for this test to work reliably).
packet-ipsec.c:
- Replace __USE_LIBGCRYPT__ by HAVE_LIBGCRYPT to follow
conventions.
- Warning fixes: signedness in sscanf (%i -> %u)
- Warning fixes: mixed declaration and code
svn path=/trunk/; revision=18460
make the display of the filters more similar to how the ldap c api represents
filters and how they are commonly represented in documentation and other texts.
svn path=/trunk/; revision=18449
Check for printable ASCII - 0x7F is >= 0x20, but it's not printable, and
0x80 through 0xFF aren't ASCII.
Note that we should perhaps be using RFC 2252-style schemas to figure
out which attribute and assertion values are text and which are binary.
svn path=/trunk/; revision=18447
So make the field "frame.marked" visible and tag it as generated.
Move both "time reference" and "marked frame" fields towards the end of the "frame" protocol fields.
Should be copied over to trunk-1.0
svn path=/trunk/; revision=18435
This patch:
- treats the variant field as a variable-length string field. This is
needed for some of the more complicated protocols where the variant
number of the embedded protocol is also represented
- the patch to Makefile.am was not applied from
http://www.wireshark.org/lists/wireshark-dev/200606/msg00009.html
svn path=/trunk/; revision=18427
Added option "ANSI MAP" in Preferences menu, that ansi_map protocol dissector can parse packets with non-standart SSN.
svn path=/trunk/; revision=18358
- shows profile-specific extension data at the end of SR/RR reports (if
packet length has not yet been reached after parsing normal data) and
advances offset (further packets were not recognised+dissected as this
data wasn't being skipped).
- checks that the length of the RTCP data in the whole frame matches the
combined length from the length fields (the last check in RFC 3550, "A.2
RTCP Header Validity Checks") with a generated field and expert info
when wrong.
- reports the length field in all of the message types consistently (the
length was confusingly shown multiplied by 4 only in APP packets...)
svn path=/trunk/; revision=18357
- while parsing fmtp lines, the dissector looks for the MPEG4 'profile-level-id' parameter. If there is no '=' present, it was throwing an exception and the frame marked as malformed (see e.g. the attached
capture)
- I've added a few comments where the code wasn't obvious to me...
svn path=/trunk/; revision=18332
Q.931:I
mprovesthe dissection of Q.931 Channel
Identification information elements, by using proper (filterable) header
fields rather than text tree items.
H253:
make the h.263 dissector dissect the group-of-block
number which comes after a GOB start code.
svn path=/trunk/; revision=18323
H225.cnf
I noticed is that the voip call flow graph does not have a label for the setupAck packet. I traced this to the empty frame_label.
voip_calls.c
It seems to me that in gtk/voip_calls.c tmp_h323info->guid is pointer itself, therefore:
memcmp(&tmp_h323info->guid
should in fact read:
memcmp(tmp_h323info->guid
svn path=/trunk/; revision=18304
if the interval spans the entire 32 bit range.
special case the two common cases when this may happen until a real fix is included.
if the range variable becomes 0 due to 32bit overflow do a g_assert_not_reached to prevent an infinite loop.
this function should be enhanced to work with 64 bit integers.
svn path=/trunk/; revision=18299
- shows profile-specific extension data at the end of SR/RR reports (if
packet length has not yet been reached after parsing normal data) and
advances offset (further packets were not recognised+dissected as this
data wasn't being skipped).
svn path=/trunk/; revision=18245
This version of the patch won't look for the authentication scheme (it
just skips that part for Authentication-Info headers). I tested it
using the enclosed file (pasted from the RFC and fed through
od/text2pcap, then messed around with so I could test the other new
parameters, even if they don't really belong in that header...).
svn path=/trunk/; revision=18244
- h245.asn renamed to MULTIMEDIA-SYSTEM-CONTROL.asn
- rollback changes in .asn sources to keep them in original ITU-T form and put necessary changes into .cnf files
- PER dissectors regenerated
svn path=/trunk/; revision=18238
While in 3GPP spec, the last two (Down/up nextPDCP-PDU seq. no.) would be 2
BYTES. So ethreal could not read the message correctly. We have to modify the
log to make Ethreal analysis it.
Add disection of TargetID.
svn path=/trunk/; revision=18228
doing the reassembly internally in acl instead of calling reassembly.c since the fragmentation is so simple and packets are so small anyway so full reassembly.c support would be overkill.
svn path=/trunk/; revision=18223
this dissector will not yet detect when ppp is passed over the rfcomm link
but the old code to detect and deescapt the ppp data is still in the dissector, though ifdeffed out to serve as inspiration when ppp over rfcomm captures are made available.
the only captures i have with rfcomm are for raw serial communications so they dont contain any ppp frames. :-(
svn path=/trunk/; revision=18221
higher layer protocols need the chandle, cid and direction (from pinfo) in order to identify packets for the same "conversation"
(it is not a conversation per se in bluetooth butn one unidirectional flow that we track)
svn path=/trunk/; revision=18220
acl chandle + direction + l2cap-CID to uniquely identify a single specific
flow of PDU packets.
So we need to pass the chandle upp from acl to l2cap at least.
It would have been nice to handle this using "conversations" but the bluetooth
stack does not eaily map to the idiom host:port<->host:port
instead in bluetooth you have unidirectional flows that are identified by ACL-chandle:L2CAP-CID:direction and additional state held inside l2cap would attach two such flows together into a "conversation".
Bluetooth packets themself only indentify "half" of the two way conversation.
svn path=/trunk/; revision=18218
The UMA-message Handover From UMAN Command includes the complete L3-message (and header) and not only the handover-IE's.
svn path=/trunk/; revision=18215
- Many DCT2000 protocols can be embedded within an IP primitive
message. Add a heuristic to see if we can find the protocol payload
within in IP primitive message, and look for an ethereal dissector
matching the DCT2000 protocol name (this is useful for simple protocol
testing where no physical links are involved)
- Make some more of these protocols (diameter, http, mgcp) findable by name
- Adds protocol 'variant' number to stub and dissector
- Break the duplicated writing of the stub header out into a separate
function
svn path=/trunk/; revision=18212
- step to new ASN.1 API - pass asn_ctx_t* through PER dissectors instead of packet_info*
- PER ALIGNED/UNALIGNED flag moved to asn_ctx_t
- PER created tree item pointer moved to asn_ctx_t
- add nbap into PER dissectors in asn1/Makefile.nmake
- use add_oid_str_name() instead of register_ber_oid_name() in H.225 and H.245
- export asn_ctx_init from library
- PER dissectors regenerated
svn path=/trunk/; revision=18209
buffer argument is a mallocated buffer, so sizeof doesn't return its
size, it returns the size of the pointer to the buffer. Fixes bug 907.
svn path=/trunk/; revision=18186
955 UMA: Handover Command message not decoded.
956 UMA: multirate-configuration not decoded correctly .
957 UMA: Received Signal Level List not decoded.
svn path=/trunk/; revision=18179
if the GetVersionEx() call fails, force the dwPlatformId to VER_PLATFORM_WIN32_WINDOWS so the return value from VirtualProtect() won't trigger an assert.
svn path=/trunk/; revision=18178
- complete dissector for greeting/login packets
- nearly complete dissector for requests, except:
+ parameters for COM_EXECUTE
+ requests from replication slave
- added some features to response dissectors
svn path=/trunk/; revision=18174
- adds application/xpidf+xml as a media type known to be xml
- appends /xml to the protocol column (as SDP does). It would be nice
to append the top-level element, or the name taken from a matching DTD,
but this will do for now (at least its a short name).
- corrects the help text for the preference. I can see that it is
registered as a heuristic for "http", "sip" and "media"
I've also included a slightly updated version of reginfo.dtd (RFC 3680)
for the dtds folder.
svn path=/trunk/; revision=18173
zero-length - oid_to_subid_buf() can be called when we're not in the
middle of a dissection, and throwing a "dissector bug" assertion in that
case is itself a bug.
svn path=/trunk/; revision=18164
bigger than an 8-bit value in it, and guint is too big as we pass
something based on it to a routine expecting a guint16.
svn path=/trunk/; revision=18152
the fragment reassembly from the old patch is commented out since it has to be redone completely using emem and se_trees the proper way.
but to do this i would need example captures of fragmented bluetooth traffic first.
svn path=/trunk/; revision=18149
we need this in order to be able to provide proper itlq structures to the scsi dissector so that response data from scsi is dissected properly.
svn path=/trunk/; revision=18104
Fix bug 833 (remove 'dead' code flagged by Coverity);
Update defines based upon current version of FreeTDS tds.h; Reformat defines for readability;
svn path=/trunk/; revision=18103
Make teh msb of the cmdset variable indicate whether we detected the commandset from the trace or whether we used the default value from preferences.
indicate in the dissection of the packet whether the command set is "known" or whether we are using the default one.
make scsi srt stats work even for when we are using the "default" dommandset. Previously scsi srt would ignore all pdus for itl sessions where the "default" command set was used.
svn path=/trunk/; revision=18098
Most of the time AssertionValue will contain an ascii string so make it always display as a string to make the display "correct" most of the time insterad of being "wrong" most of the time.
There are situations when AssertionValue contains binary data though and in those cases the display will be "wrong" (but not more wrong than the old dissector anyway)
What someone really should do (someone interested in ldap that is) to make it more correct would be to implement a dissector for AssertionValue in the template file and having the dissector check if any of the bytes of the octet string has a value <32 and if so display it in hex as 0x.....
It all bytes have values >=32 then it shoudlk display it as a string "...
instead.
Someone interested in ldap may spend time on this refinement.
svn path=/trunk/; revision=18089
Two more Kerberos error codes where it has been witnessed that the payload contains a PA-DATA structure with the magic salt containing an nt status code
svn path=/trunk/; revision=18088
authesserre samuel <sauthess@gmail.com> kindly pointed out an issue with session renegotiation in the current ssl decryption code.
Encrypted handshake message are decrypted, but the dissector try to interpret the encrypted code. Renegotiation messages are therefore ignored. The attached pcap trace and key can be used to trigger the issue.
The attached patch fix the problem storing the decrypted version of encrypted handshake message and dissecting it when available. The patch also fix bad issue with des cipher (alike the issue fixed in my previous post)
svn path=/trunk/; revision=18081
I attached patch to add preferences in SDP for RTP stream detection. By default SDP decodes RTP stream but now I can disable it.
svn path=/trunk/; revision=18080
structs/unions (GCC supports it "for compatibility with other
compilers"; presumably that's not for compatibility with the version of
Sun C that rejected it - was that a PCCism?).
svn path=/trunk/; revision=18072
programs, by reporting it with a dialog box that at least attempts to
indicate what the problem is, and by giving up early on running dumpcap.
svn path=/trunk/; revision=18051
"struct tcp_multisegment_pdu"; that lets it be used in one case where
the code in it was duplicated.
Make "desegment_tcp()" loop rather than recursing - not all compilers
will necessarily recognize the tail recursion.
Catch heuristic dissectors that reject a packet but also request
(whether deliberately or accidentally) that more data be added.
svn path=/trunk/; revision=18050
reassembly. UDP has no notion of reassembly - that's done at the IP
layer - and SCTP has its own notions of reassembly which it currently
doesn't provide. As such, TCP-style reassembly isn't possible for
JXTA-over-UDP or JXTA-over-SCTP.
As for TCP, a heuristic dissector for a TCP-based protocol can't request
more data if it's rejecting a packet; make it not do so. That should
fix the recent buildbot crash, although there are still some reassembly
problems with that capture (c05-http-reply-r1.pcap.gz in the menagerie
and on the SampleCaptures page of the Wiki) that aren't fixed yet.
svn path=/trunk/; revision=18049
use tcp_multisegment_pdu and se_tree_lookup32_le() to track pdu boundaries for tcp reassembly just as this structure is used for the same purpose when reassembly is not enabled.
get rid of a hashtable and two memchunks we no longer need
tcp_segment_table tcp_segment_key_chunk and tcp_segment_address_chunk
This makes tcp reassembly work for out-of-order segments as well as when reassembly completes in one segment and when the tail of the segment contains the head of the next pdu which we did not handle before.
tcp reassembly should be much better and efficient now modulo introduced regressions.
svn path=/trunk/; revision=18046
enough to have a non-BVLC packet from or to port 47808, we're likely to
reject it and let another dissector try it. Fixes bug 855 (in which an
MS Messenger packet was unlucky enough to have come from that port).
Add value_string tables to some fields, and just use
proto_tree_add_uint() to add them to the protocol tree, rather than
generating our own text for them.
svn path=/trunk/; revision=18033
Save the media encoding name in the transport_info_t structure rather
than in a global variable. Allocate it with tvb_get_ephemeral_string()
so it's released after the packet is completely processed. Do *NOT*
assume it's necessarily non-null in decode_sdp_fmtp(), as the code flow
doesn't guarantee that to be true.
proto_tree_add_string() now suffices for adding a particular SDP item -
strings are now displayed "safely", with escaping of non-printable
characters done.
Update a comment (we no longer have the Big Transfer Vector to allow
plugins to call dissector functions in Windows, we have those functions
in a DLL).
svn path=/trunk/; revision=18031
want to have a dissector capable of rejecting packets, you need to
reject the packet before you call tcp_dissect_pdus() - once you're doing
reassembly, etc., it's too late to reject the packet.)
svn path=/trunk/; revision=18029
now that we have se_tree_lookup32_le we can do the tracking of pdu boundaries much more efficiently.
track pdu boundaries by a new tcp_multisegment_pdu structure that is indexed by sequence numbers and let this structure replace the older tcp_next_pdu structure.
with se_tree_lookup32_le we no longer need to track segment by segment and can get rid of the two hash tables
tcp_pdu_tracking_table
tcp_pdu_skipping_table
Neither do we need the tree tcp_pdu_time_table anymore so that one is gone as well.
remove various other functions that are no longer needed due to removing the structure and the tables/tree
this part of the code shoul;d be much more readable now and also a bit faster
svn path=/trunk/; revision=18024
the amount of data left in the radiotap header after the fields we've
processed so far, not the total length of the header, so it couldn't be
used to skip past the radiotap header and get a tvbuff of the packet
data. Fix that.
svn path=/trunk/; revision=18020
The code was incorrectly bounds checking AndXOffset. AndXOffset is only
relevant when AndXCommand is not 0xFF. This patch corrects erroneous
"Malformed packet" exceptions.
svn path=/trunk/; revision=18015
rename the preference to DEFAULT protocol version to indicate it is only used for those conversation where we have not automatically detected the version used.
svn path=/trunk/; revision=18003
scsi_mmc_val DATA
scsi_sbc2_val DATA
scsi_ssc2_val DATA
BTW: these values should be renamed to ..._vals as in every other dissector I know!
svn path=/trunk/; revision=17989
