We don't yet know what they mean, but we can dissect their TLV
structure from protocol traces.
Change-Id: Ib532e52b686cfd56502de807a60873a9570e5372
Reviewed-on: https://code.wireshark.org/review/35981
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
So far, DEI 0xa8 .. 0xab has not been named nor interpreted. Now we
understand this part better (thanks to Sylvain Munaut), let's add
our knowledge to the wireshark dissector with this patch.
Change-Id: If6d0927edc9dc9d038355466e2659b1206b81f1b
Reviewed-on: https://code.wireshark.org/review/35980
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
The go test suite for crypto/tls produces a status_request extension
with "dummy ocsp" as extension data. That triggers a Malformed Packet
exception and breaks dissection of the following data.
Fix this by skipping OCSP dissection when disabled.
Change-Id: I9deb4385862503656e6ff316b36c2b55e6903279
Reviewed-on: https://code.wireshark.org/review/35989
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
In the old version, 1 conversation was used for all TFTP exchanges.
(provided that they had the same ip addresses and ports)
Change-Id: Ie19f8a36d1605fdfc66db3cc94a3206a31cd6515
Reviewed-on: https://code.wireshark.org/review/35476
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Dissection of all new HCI commands and events added in
the newly released Bluetooth specification version 5.2.
Bluetooth Device Dialog updated to also show ISO buffer
size and amount.
Change-Id: I3a459760cbe5f6c4f985621cee40dbbe5e473d39
Signed-off-by: Allan Møller Madsen <almomadk@gmail.com>
Reviewed-on: https://code.wireshark.org/review/35957
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Broken by 87973bf516.
RtpStreamDialog allocates its own rtpstream_info_t, and copies the original stream's info.
Then RtpStreamDialog::on_actionExportAsRtpDump_triggered calls
rtpstream_save with this copy.
On save, reset_tap_listeners is called, and it clears all the tree items,
destroying the allocated copy *before* it is used for the actual export.
Trace:
1 rtpstream_info_free_all tap-rtp-common.c 104
2 RtpStreamTreeWidgetItem::~RtpStreamTreeWidgetItem rtp_stream_dialog.cpp 85
3 RtpStreamTreeWidgetItem::~RtpStreamTreeWidgetItem rtp_stream_dialog.cpp 86
4 QTreeModel::clear()
5 RtpStreamDialog::tapReset rtp_stream_dialog.cpp 309
6 rtpstream_reset_cb tap-rtp-common.c 172
7 reset_tap_listeners tap.c 418
8 cf_retap_packets file.c 2243
9 rtpstream_save rtp_stream.c 97
10 RtpStreamDialog::on_actionExportAsRtpDump_triggered rtp_stream_dialog.cpp 515
Bug: 16351
Change-Id: I54d37a2c97997395936df94ee5481b0d6d198aed
Reviewed-on: https://code.wireshark.org/review/35979
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add support for explicit curve parameters according to RFC 3279. This
allows an exploitation attempt of CVE-2020-0601 to be detected through
the pkcs1.specifiedCurve_element filter name. Be aware though that the
certificate is encrypted in TLS 1.3, so a negative match does not imply
that no exploitation has happened.
While these definitions are technically not part of PKCS #1, the
PKIXAlgs module is part of the pkcs1 dissector for historical reasons.
It probably makes sense splitting it into a separate pkixalgs dissector,
but that would result in field name changes. Defer that for now.
Bug: 16340
Change-Id: Ia9d47a8337d6246f52983460580310b12e5709cf
Reviewed-on: https://code.wireshark.org/review/35986
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The feature is Linux-specific, do not suggest an unavailable feature on
macOS and other systems.
Change-Id: If53989749f571ace7397e288e9c06e357d0a96b2
Reviewed-on: https://code.wireshark.org/review/35985
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Since dumpcap was split off tshark, tshark never had the need to use
file capabilities. Remove the unused header.
Change-Id: I76e9d09599a4276d4be5ba105d7c6e28e9dd96da
Reviewed-on: https://code.wireshark.org/review/35984
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
On linux and osx extcap would potentially leave
the external dumper process running after stopping the capture.
With this change the child process will receive a TERM signal
when the capture stops.
Change-Id: I2681a26509c90696c98c7615fbab172604ce6e31
Reviewed-on: https://code.wireshark.org/review/35959
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The old URL was gone and the JSON scheme has changed, so update the
generator accordingly.
Change-Id: I52ae27c7fc7dc0100e8abaa7b95b1769a7413bc6
Reviewed-on: https://code.wireshark.org/review/35983
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This could help diagnosing early implementation errors using
https://github.com/marten-seemann/quic-interop-runner
Tested with capture files based on sample provided by Marten Seemann:
1. Valid Retry packet should not add the "quic.bad_retry" field.
2. Mutated, invalid tag: "Retry Integrity Tag verification failure"
3. A missing Initial: "Cannot verify Retry Packet due to unknown ODCID"
As side-effect, the connection tracking code can now distinguish between
a connection where the server sent an empty SCID and a connection where
the server did not send an Initial.
Bug: 13881
Change-Id: I972acd680b1becc9fb7b9e002b400886a06bc828
Reviewed-on: https://code.wireshark.org/review/35978
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
There is a good chance that the required information is still
valid even with a wrong FCS.
Change-Id: I244b2b4a857b7cefd1f4ef22eb151d5ac3ee4133
Reviewed-on: https://code.wireshark.org/review/35953
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The Microsoft 'variation' of RFC 3004 causes a '[Malformed Packet]' when the
"User Class Length" (dhcp.option.user_class.length) exceeds the total length
of the DHCP option 77 User Class Option (dhcp.option.length) because it is a
character and not a length field.
This stops the dissection of the rest of the DHCP packet, including the Vendor
class identifier, which, when containing "MSFT 5.0", indicates the Microsoft variation.
A simple fix is to treat dhcp.option.user_class.length >= dhcp.option.length
as a non-conformant (text) option.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/fe8a2dd4-1e8c-4546-bacd-4ae10de02058
Bug: 16349
Change-Id: Ia7b90302efd0b84eb508db35a3b246142bf66510
Reviewed-on: https://code.wireshark.org/review/35962
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
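The option 77 fallback described in the commit message above, as an added C example; it is not Wireshark's dissector code. The function, enum and sample names are hypothetical, and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not taken from Wireshark's DHCP dissector. */
enum uc_format { UC_RFC3004, UC_TEXT, UC_MALFORMED };

/* Classify DHCP option 77 data (code and length bytes already stripped).
 * On UC_RFC3004, *instances is the number of user class instances found. */
enum uc_format classify_user_class(const uint8_t *opt, size_t opt_len,
                                   unsigned *instances)
{
    size_t off = 0;

    *instances = 0;
    if (opt_len == 0)
        return UC_MALFORMED;
    /* Rule from the commit message: a first "length" byte >= the option
     * length is really the first character of a text string. */
    if ((size_t)opt[0] >= opt_len)
        return UC_TEXT;
    while (off < opt_len) {
        size_t uc_len = opt[off++];
        /* RFC 3004: UC_Len must be non-zero; also never read past the option. */
        if (uc_len == 0 || uc_len > opt_len - off)
            return UC_MALFORMED;
        off += uc_len;
        (*instances)++;
    }
    return UC_RFC3004;
}

/* Constructed sample payloads. */
static const uint8_t SAMPLE_RFC[]  = { 3, 'a', 'b', 'c', 2, 'x', 'y' };
static const uint8_t SAMPLE_TEXT[] = { 'R','R','A','S','.','M','i','c','r','o','s','o','f','t' };
static const uint8_t SAMPLE_BAD[]  = { 2, 'a', 'b', 9, 'x' };

int main(void)
{
    unsigned n;
    printf("rfc:  %d\n", classify_user_class(SAMPLE_RFC, sizeof SAMPLE_RFC, &n));
    printf("text: %d\n", classify_user_class(SAMPLE_TEXT, sizeof SAMPLE_TEXT, &n));
    printf("bad:  %d\n", classify_user_class(SAMPLE_BAD, sizeof SAMPLE_BAD, &n));
    return 0;
}
```

The check only catches text whose first character is at least the option length; a longer text string still goes down the length-prefixed path, where the per-instance bounds check decides the outcome.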
The resulting ambiguity between EVS Primary 2.8 kbps and EVS AMR-WB IO
SID frames is resolved through the
most significant bit (MSB) of the first byte of the payload. By
definition, the first data bit d(0) of the EVS Primary 2.8
kbps is always set to 0. Therefore, if the MSB of the first
byte of the payload is set to 0 (see Figure A.2), then the
payload is an EVS Primary 2.8 kbps frame in Compact format. Otherwise it
is an EVS AMR-WB IO SID frame in
Header-Full format with one CMR byte.
Change-Id: I16733698e49ea3651f775b774b59569cfa1c89a1
Reviewed-on: https://code.wireshark.org/review/35976
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A bug in the dissection of ARData is fixed. Moreover,
there is also a bug in DCP's DHCP suboption and it
is also fixed.
Change-Id: I185e66f957f330dae587fc63b76cd50f567f5f9b
Reviewed-on: https://code.wireshark.org/review/35974
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Issue found by Marten Seemann (on QUIC Slack)
Change-Id: I4b50bae48373758253f21b371025d87d901c0a1d
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/35973
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Final changes for draft -25:
* Update Retry Packet dissection.
* Rename idle_timeout to max_idle_timeout and remove the
TransportParameterId enum that was removed in the spec. Originally the
spec changed it into a varint, but this was reverted to uint16 before
the draft was released. To keep the description short, the original
TLS-style formatting was maintained instead of using ASCII art.
Change-Id: Id72df59de128ab5028727abbbb01c585ec284809
Bug: 13881
Reviewed-on: https://code.wireshark.org/review/35963
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
OM2000 is not only used for the venerable RBS2000 family, but also
for the more modern RBS6000 family, specifically the DUG 20 GSM
baseband unit.
In RBS6000, there are some protocol extensions which are not yet fully
understood. However, we are understanding some bits around the MCTR
(multi carrier transceiver?), a new MO that appears to be present for
every physical RUS (Radio Unit) attached to the DUG 20.
Let's add what the Osmocom developers have learned so far.
Change-Id: I8027160611a9c33f86945aaa61d9aa1178c3e87c
Reviewed-on: https://code.wireshark.org/review/35960
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
* Describe what sample size == 0 means.
* Show an index next to each table entry.
* Table indices start from 1 according to the specification.
Change-Id: I106188051e6618c3b85fa4945facfe4fedd1987b
Reviewed-on: https://code.wireshark.org/review/35937
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Display movie duration in seconds. The number of duration units in one
second is determined by timescale parameter.
Change-Id: Ie61e4365f7f751a6d23eff0b3bc9b170b499e60a
Reviewed-on: https://code.wireshark.org/review/35935
Reviewed-by: Anders Broman <a.broman58@gmail.com>
'stsz' extends FullBox, so it has 'version' and 'flags' fields.
Change-Id: Ibaf99e80ef0ff17104a81da73c08a06acc011173
Reviewed-on: https://code.wireshark.org/review/35932
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We want things like aes-256 keys to be displayed completely.
Change-Id: I746f3282440c036cfb60263be40e3b3a6ed859c2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/35703
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Avoid repeating code dealing with dissection of version and flags fields
that ISO/IEC 14496-12 defines in FullBox class.
Change-Id: I72cb4072c8bb41a670d41187692dd72697dd1049
Reviewed-on: https://code.wireshark.org/review/35888
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Times before 1970-01-01 should be represented as a negative number of
seconds in nstime_t.
e.g. MP4 creation_time of 0x00000000 (which appears frequently as the
default in mp4 files) was rendered as Feb 6, 2040 07:28:16 CET
Change-Id: I979aeeb8a625caad3dfbce114cff6f9967d59d6e
Reviewed-on: https://code.wireshark.org/review/35904
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Ack overflow data was incorrectly dissected causing checksum errors. For now
just display raw data.
Change-Id: Icdd858bdbeeb4dd40e48c45fc46e5e188d53be69
Signed-off-by: Erwin Rol <erwin@erwinrol.com>
Reviewed-on: https://code.wireshark.org/review/35915
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
With BUILD_androiddump and EXTCAP_ANDROIDDUMP_LIBPCAP enabled, the
linker notices a couple of cases of underlinking:
extcap/androiddump.c:541: error: undefined reference to 'ws_inet_pton4'
extcap/androiddump.c:685: error: undefined reference to 'ws_hexstrtou32'
extcap/androiddump.c:2513: error: undefined reference to 'cmdarg_err_init'
extcap/androiddump.c:2517: error: undefined reference to 'data_file_url'
extcap/androiddump.c:2629: error: undefined reference to 'ws_strtou16'
extcap/androiddump.c:2592: error: undefined reference to 'ws_strtou16'
extcap/androiddump.c:2646: error: undefined reference to 'ws_strtou16'
extcap/androiddump.c:1708: error: undefined reference to 'ws_inet_pton4'
extcap/androiddump.c:1783: error: undefined reference to 'ws_inet_pton4'
Fix that by explicitly linking against libwiretap and libwsutil when the
linker cannot find those symbols by linking to them through libwireshark.
Change-Id: I4db266fe82927c12d18fec06f9d766b9390bcec3
Reviewed-on: https://code.wireshark.org/review/35855
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
IO Graph used to show a value of 0 if there are no relevant
fields/packets when using SUM, MAX, MIN or LOAD. This is an
issue because you can not distinguish if there was a value
of 0 or if there was not even a relevant field/packet. With
this patch IO Graph shows no point in the interval if there
is no relevant field/packet when using SUM, MAX, MIN or LOAD.
Change-Id: I9b17447cb38efe6dbf9299ec67aac999cfa744a3
Reviewed-on: https://code.wireshark.org/review/35859
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>