Change-Id: Ib583470ba612ef24da4d9360f7bbc0e33fb19bd9
Reviewed-on: https://code.wireshark.org/review/22377
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Don't use DISSECTOR_ASSERT() unless we're in wmem packet scope, see
commit 341b06ce0795ae957627c9174b57e75c7827f028
Change-Id: I509f9197155fe6ea6f46c23c93eb188220b9dd8d
Reviewed-on: https://code.wireshark.org/review/22379
Reviewed-by: Michael Mann <mmann78@netscape.net>
There's a number of protocols whose payload contains yet another
protocol but no criterion to figure out what this next protocol is.
Define a new global function register_decode_as_next_proto() to register
a Decode As entry for this scenario so the user can manually select the
next protocol.
A lot of the housekeeping that is normally required for Decode As is not
applicable to such a scenario. Provide simple data structures and
functions to cover this, make them internal to epan/decode_as.c and
allow them to be shared by multiple of the new simplified Decode As
entries.
(For now, the mechanism is based on an FT_UINT32 dissectore table where
all entries are linked to number 0. We should eventually come up with a
better mechanism.)
Change-Id: I3f81e331d7d04cfdfe9a58732d881652d77fabe2
Reviewed-on: https://code.wireshark.org/review/22376
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
DISSECTOR_ASSERT() can be used only when we're in wmem packet scope. It
cannot be used during startup when address types are registered. In
those cases, we must use g_assert().
If we still use DISSECTOR_ASSERT() and an assert is hit, we'll see a
wmem assertion
**
ERROR:../epan/wmem/wmem_core.c:52:wmem_alloc: assertion failed:
(allocator->in_scope)
Aborted
instead of the actual assert output.
Change-Id: Ife12ca3455d56ba4faa2dd6034df8a091d8641ed
Reviewed-on: https://code.wireshark.org/review/22378
Reviewed-by: Michael Mann <mmann78@netscape.net>
In 082e3e346f, we dropped the prtype
preference in favour of Descode As.
Register prtype as an obsolete preference to make sure that it's not
removed from the preferences file. The way, the preferences file is
still usable with older wireshark versions.
Change-Id: I8feed6080b58dd5443898e2c5b12732b0b3a0a4f
Reviewed-on: https://code.wireshark.org/review/22373
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Make the tcp segment data available on all tcp packets, regardless of
reassembly of higher layer protocols.
Change-Id: I1a5024e427e07b85bfc3a4aad5d0a401beb1049d
Reviewed-on: https://code.wireshark.org/review/22374
Reviewed-by: Sake Blok <sake@euronet.nl>
Petri-Dish: Sake Blok <sake@euronet.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Cope with a space between colon and start of options value.
When there are no constraining modifiers, let match for
next content or pcre field start from beginning of payload
again.
Change-Id: Ie1267a0a38143cbe9f0444945f78708bbefaa270
Reviewed-on: https://code.wireshark.org/review/22365
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Remove the special case for vid 0x072F, pid 0x2200. We should be able to
set Decode As for this (vid, pid) to USB CCID and then use the new
Decode As mechanism to select the next protocol.
Register GSM SIM, ISO7816, PN532 and ACR122 as possible payloads
for USB CCID.
Change-Id: I8237cc9123655d3b289b0564ffb83a32434bebfc
Reviewed-on: https://code.wireshark.org/review/22290
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 13825
Change-Id: Ibda27599739a26a388e1c66ae813ff5c2c8339be
Reviewed-on: https://code.wireshark.org/review/22367
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The commit contains a general framework for parsing NVMe Fabrics data
responses, which contain only "pure" data. These packets are received
as a response for Data requests inside the SGLs in NVMe commands.
Change-Id: I05f8130df6eef37795d258be680f673930ab6e34
Signed-off-by: Nitzan Carmi <nitzanc@mellanox.com>
Reviewed-by: Parav Pandit <parav@mellanox.com>
Tested-by: Nitzan Carmi <nitzanc@mellanox.com>
Reviewed-on: https://code.wireshark.org/review/22207
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That way it can be properly filtered out.
This was broken when pkt_comments was switched to a pino and
wasn't available in the protocol filters list.
Change-Id: Ie3f2b4f25eeb11be57111c98be87e33e0849174b
Reviewed-on: https://code.wireshark.org/review/22363
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Convert the TCP port preference to a range and add Gerrit's default
port.
Change-Id: I13460315e9b312673648a37d5f90955134b3ddbc
Reviewed-on: https://code.wireshark.org/review/22362
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Make the "matches" operator case-insensitive by default. Case
sensitivity can be switched back on using "(?-i)".
It might be nice to make "contains" case-insensitive as well, but we'd
need a caseless version of epan_memmem.
Change-Id: I5e39a52c148477c30c808152bcace08348df815a
Reviewed-on: https://code.wireshark.org/review/22330
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Adds the --no-duplicate-keys option to tshark. If -T json is specified,
this option can be specified in order to transform the duplicate keys
produced by -T json into single keys with as value a json array of all
separate values.
Specifying --no-duplicate-keys changes the function which groups node
children that is passed to write_json_proto_tree. Instead of a function
that puts each node in a separate group (proto_node_group_children_by_unique)
a function is passed that groups children that have the same json key
together (proto_node_group_children_by_json_key). This will lead to
some groups having multiple values. Groups with multiple values are
written to the output as a json array. This includes normal json keys
but also keys with the "_raw" and "_tree" suffix.
If --no-duplicate-keys is specified with an option other than "-T json"
or "-T jsonraw" or without -T an error is shown and tshark will exit.
"Export Packet Dissections -> As JSON" in the GUI is hardcoded to use
the duplicated keys format.
Fixes one regression in the output where a filtered json key (-j) with
both a value and children would not have the "_tree" suffix added to the
json key containing the children.
Includes a little code cleanup (removes one instance of code
duplication and simplifies a while loop).
Fixes a memory leak (I thought this fix was already included in the
previous refactor patch but something must have gone wrong when updating
the patch so I'm including it again in this patch).
Bug: 12958
Change-Id: I401f8fc877b5c590686567c3c44cdb832e9e7dfe
Reviewed-on: https://code.wireshark.org/review/22166
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add dissection of the following IEs:
- Serial-Number
- Warning-Type
- Data-Coding-Scheme
- Warning-Message-Contents
- Message-Identifier
Reuse the code from S1AP wherever possible
Change-Id: Icaf78b21532cf91fc2cd225d687a6a11813a20d8
Reviewed-on: https://code.wireshark.org/review/22352
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit reassembles data frames to build up the full entity body. It does
this for both client/server request and responses. Additionally, it also
decompresses bodies if they have the correct content-encoding header provided
and are not partial bodies.
Bug: 13543
Change-Id: I1661c9ddd09c1f6cf5a08b2b1921f95103aebb52
Reviewed-on: https://code.wireshark.org/review/20737
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Put custom column field settings in quotes in the recent file to
support multi custom columns which contains space. Otherwise the
space will be removed in prefs_get_string_list() and the field will
not match when reading the recent file.
Change-Id: Ic6e2b1e02d68970a4e11fbecbe55a7b10f8b10dd
Reviewed-on: https://code.wireshark.org/review/22349
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The broadcast message page content is always converted to UTF-8 in the
dissect_cbs_data function using tvb_get_string_enc(...)
Change-Id: I5fe3d421917b38ccb07438f01f3c4d4ea8cbd787
Reviewed-on: https://code.wireshark.org/review/22315
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
With RFC7770 the Opaque ID for Router Information is not longer be zero
Change-Id: I22f9917ac5b5b0261e36b1097765dab6ce216a46
Ping-Bug: 13823
Reviewed-on: https://code.wireshark.org/review/22329
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
During the esPcape challenge at SharkFest 2017 US, we had a SSL
decryption challenge. Normally you have to use Decode As to recognize
the custom port number, but the latest development branch has a feature
that automatically recognizes TLS (heuristics dissector).
SSL 2.0 Client Hello messages were however not recognized by this
heuristics which totally broke TLS decryption. Add some very strong
heuristics to detect these. "Mosterd na de maaltijd" :p
Change-Id: I0ac6aa666393335bb191e395faa1d32d3588ded7
Reviewed-on: https://code.wireshark.org/review/22337
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Added displaying of raw data for unknown ASDU type
Change-Id: I17e2ae048dbec61718610dd86d6878cdc0563ef0
Reviewed-on: https://code.wireshark.org/review/22341
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Filter expressions needs support for a checkbox (bool) and
string field that verifies display filters.
Change-Id: Idfbffd6cdb5abaee8914126a05d890e834c17306
Reviewed-on: https://code.wireshark.org/review/22340
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
While you can add both the sequence number and next sequence number as
columns, the latter would remain empty if it was the same. This disrupts
the user reading flow who would have to look left and right, so just
display the field unconditionally.
Change-Id: I80efb972eaa9a16813a87ac0fdf6a045a3eb9d2f
Suggested-by: Laura Chappell
Reviewed-on: https://code.wireshark.org/review/22307
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
We were downloading gmp-*.lz, but checking for gmp-*.gz instead.
Change-Id: I3c9a29400d389555db7b5f003919ce22aaacf3a1
Reviewed-on: https://code.wireshark.org/review/22338
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Format tcp.hdr_len in the tree similar to ip.hdr_len. Add comments
noting that they should be consistent.
Change-Id: Ic64282d8386c8ed339811bc9c22b5962c707d292
Reviewed-on: https://code.wireshark.org/review/22314
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It needed to be done:
https://github.com/shirriff/pup-wireshark
(And, yes, there really *is* a DLT_/LINKTYPE_ for it! The original DLT_
values were ARP hardware types, and 3MB Ethernet was assigned an ARP
hardware type of 2.)
Change-Id: I60d96c28e67854adcb28c7e3579ae5dd1f07df4b
Reviewed-on: https://code.wireshark.org/review/22336
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Absolute and Relative time fields could not be converted to seconds
without converting to string and parsing to number.
Fixed conversion in generated code that was subject to precision loss
Usage:
f=Field.new("frame.delta_time")
delta=f().value:tonumber()
Change-Id: I6ef91c6238a6c2ed9adf6cae03f8913f0a09332e
Reviewed-on: https://code.wireshark.org/review/22316
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fields like "dns.time || http.time || smb.time" were sorted by column
number before. Recognize when all fields are numeric values and then try
to sort by number and otherwise fallback to a value comparison.
In theory sorting should now also be a bit faster for custom columns
because the columnn type is looked up once.
Change-Id: Id40d7cce8080d05823d74459fc493ec6ebf80956
Reported-by: Laura Chappell
Reviewed-on: https://code.wireshark.org/review/22317
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Due to the use of HTML, whitespace (including newline) are shown as
single horizontal space. Add a special case for newlines.
Bug: 13819
Change-Id: Iefa2af7d2948ed18a3b7f8f4ee8cb90100bf3460
Reviewed-on: https://code.wireshark.org/review/22306
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This file will contain all personal config files which will be
fetched from a profile.
Change-Id: I430ca84ccefc17f0e21c8efb93a92602ab8d5661
Reviewed-on: https://code.wireshark.org/review/22303
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Reused TCP connections with multiple HTTP requests/responses (in
particular: HTTP request/response and HTTP proxy request/response)
exhibit the following problem: the first response sets "startframe" such
that the proxy response accidentally assumes that the proxy response
starts in that first response.
Fix this by only setting startframe if there is actually a transport
upgrade. Tested with original capture and the Websocket dissection still
works while Christian's capture has no longer the reported problem.
Change-Id: I8a7878b9a2a98878a9e5be4f680d4f109fd8ab55
Fixes: 94ae27661e ("WebSocket dissector improvements")
Reported-by: Christian Landström
Reviewed-on: https://code.wireshark.org/review/22294
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Issue reported by Bo-Han Liao
Bug: 13821
Change-Id: I74641bef723e747bfe5fa87e946b7f4f74b94bf6
Reviewed-on: https://code.wireshark.org/review/22299
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Define a dissector that can handle both requests and responses.
Look at pino->p2p_dir to detect if we have a request or repsonse.
(At the moment, there's a dissector for request+response in one packet
and two other dissectors for request and response messages.)
Use the new mechanism for USB CCID.
Change-Id: I7eb9861802b4244f92770602179f39642eb28641
Reviewed-on: https://code.wireshark.org/review/22289
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
More than one packet could be meant by that
Change-Id: Ie751a282c927608414673c2cd48b11dc5e6d5ea6
Reviewed-on: https://code.wireshark.org/review/22283
Reviewed-by: Roland Knall <rknall@gmail.com>
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Make two minor adjustments to allow building on Windows when the source
directory is specified in UNC notation (\\server\volume\directory)
instead of mapping such a directory to a drive letter.
Cmake's add_custom_command() calls "cd <work_dir>" if a working
directory is define as part of the rule. However,
cd \\server\volume\directory
is not allowed.
Modify the two occassions where the working directory is derived from
CMAKE_SOURCE_DIR.
For copying some install files, we can get away with using the absolute
path for each source file to be copied.
The perl script that creates the tap listing for lua does not depend on
a working directory at all. We can simply remove the WORKING_DIRECTORY
parameter.
Change-Id: Iac8e0addc44650692c1263fdca11f68315f50c63
Reviewed-on: https://code.wireshark.org/review/22236
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Martin Kaiser