This commit increases the maximum size for the JSON commands processed
by `sharkd` from 2048 to 8192 bytes. The primary reason for this
change is to allow larger filters in `filter0`...`filter9` arguments
which, combined with the outer JSON boilerplate, can cause a command
to quickly hit the existing 2048-byte limit.
Add a check box for case sensitivity when finding in follow stream
and show packet bytes.
Note that QPlainTextEdit::find() has a bit of unexpected behavior with
QRegularExpression (https://bugreports.qt.io/browse/QTBUG-88721).
Searches are case-insensitive by default there too, respecting
the default options. This is a change from the older QRegExp, where
the option to find was ignored, and only the regex option was used,
so for the last few releases regexp searches have been case-insensitive
as well by default. (?-i) has been available to mode switch.
We might want to move the various keyboard handling from
FollowStreamDialog and ShowPacketBytesDialog and instead have
FindLineEdit install shortcuts on the parents when constructed.
That would be a little cleaner separation.
We might also want to move the buttons and label to a separate
composite widget class, that signals the parent to start a
find.
Fix #3784
In KRB_TOKEN_CFX_WRAP (RFC 4121), for signed-only Wrap tokens
("Wrap tokens without confidentiality"), the plaintext is followed
by the checksum, unlike in other implementations where all
the GSSAPI bits, including the checksum, precede the plaintext.
For those cases, the calling dissector cannot simply dissect
the entire original tvb after the returned offset, as it's not
all plaintext. Instead, place the plaintext without checksum
subset in gssapi_decrypted_tvb and return it to the caller.
In these cases, gssapi_data_encrypted will be set to FALSE, to
allow dissectors that wish to distinguish signed-and-sealed
from signed-only. For dissectors that do not care to distinguish
the cases, this requires no change.
Update the documentation in the GSSAPI header to describe this.
Fix #9398.
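The signed-only layout described in the commit message above, as an added C example that is not Wireshark's code: it parses the RFC 4121 Wrap token header, undoes the RRC rotation, and splits the plaintext from the trailing checksum whose length is carried in EC. The `cfx_wrap_t` type, the function names and the sample token are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CFX_HDR_LEN     16
#define CFX_FLAG_SEALED 0x02   /* RFC 4121 4.2.2: confidentiality applied */

typedef struct {               /* hypothetical result type */
    int sealed;                /* 1: body is ciphertext, offsets not set */
    size_t plain_off, plain_len, cksum_off, cksum_len;
} cfx_wrap_t;

static void reverse(uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n / 2; i++) {
        uint8_t t = p[i]; p[i] = p[n - 1 - i]; p[n - 1 - i] = t;
    }
}

/* Split a Wrap token in place. Returns 0 on success, -1 if malformed. */
static int cfx_wrap_split(uint8_t *tok, size_t len, cfx_wrap_t *out)
{
    if (len < CFX_HDR_LEN || tok[0] != 0x05 || tok[1] != 0x04 || tok[3] != 0xFF)
        return -1;                               /* TOK_ID 05 04, Filler FF */
    size_t ec   = (size_t)tok[4] << 8 | tok[5];  /* signed-only: checksum length */
    size_t rrc  = (size_t)tok[6] << 8 | tok[7];  /* right rotation count */
    size_t body = len - CFX_HDR_LEN;
    uint8_t *b  = tok + CFX_HDR_LEN;
    *out = (cfx_wrap_t){ .sealed = (tok[2] & CFX_FLAG_SEALED) != 0 };
    if (out->sealed) return 0;                   /* caller must decrypt first */
    if (ec > body) return -1;                    /* checksum longer than the data */
    size_t r = body ? rrc % body : 0;            /* undo RRC: rotate left by r */
    reverse(b, r); reverse(b + r, body - r); reverse(b, body);
    out->plain_off = CFX_HDR_LEN;   out->plain_len = body - ec;
    out->cksum_off = CFX_HDR_LEN + out->plain_len;   out->cksum_len = ec;
    return 0;                       /* plaintext first, checksum trails it */
}

/* Constructed sample: EC=4, RRC=4, so "CKSM" was rotated in front of "hello". */
static uint8_t sample_token[] = {
    0x05, 0x04, 0x00, 0xFF, 0x00, 0x04, 0x00, 0x04, 0, 0, 0, 0, 0, 0, 0, 1,
    'C', 'K', 'S', 'M', 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    cfx_wrap_t w;
    if (cfx_wrap_split(sample_token, sizeof sample_token, &w) == 0 && !w.sealed)
        printf("%.*s\n", (int)w.plain_len, (char *)sample_token + w.plain_off);
    return 0;
}
```

A caller that dissected everything after the 16-byte header as payload would treat the four checksum octets as application data; handing back only the `plain_off`/`plain_len` range avoids that.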
The IFTREE_COL_HIDDEN is in fact a "Show" column (should the
names be changed?) so when saving the data the hidden state
is the opposite of the checked status.
We were doing the inverted logic when writing to the preferences,
but not when changing the device interface_t struct directly.
However, before 6e12e504b9
we always re-read the hidden state from the preferences after
changing it in the Manage Interfaces Dialog, so this bug wasn't
exposed until we stopped doing that and used the current status.
Fix #19672
Add a colorsChanged signal/slot, more precise than the generic
preferencesChanged signal, and only call it when one of the
color related preferences has changed. Connect it to the
packetList::colorsChanged() function, instead of calling that
whenever preferencesChanged() is called. We could eventually
move the signals and slots of some of the other GUI widgets to this.
Send that signal before handling preferences that change
dissection and freeze the packet list, so that when we
restore the column widths due to Qt bug 122109 it takes effect.
The packet_list_hover_style preference affects colors, not
the layout, despite its presence in the GUI layout module.
https://bugreports.qt.io/browse/QTBUG-122109
A bug introduced by the fix for https://bugreports.qt.io/browse/QTBUG-116013
causes all visible sections to reset to the default section size whenever a
style sheet is applied (even if defaultSectionSize didn't change.)
Make sure that before applying a style sheet we prevent our recent
column widths from being updated, and then restore column widths
from the recent values afterwards.
This affects versions 6.5.4 (commercial only, 6.5.3 is the last free
release) and 6.6.1 and 6.6.2.
Enforce the requirement, already mentioned in the headers,
that preference and preference module effect flags must be
nonzero so that the application knows that a preference has changed.
(Lua, for example, needs this.)
Use this and avoid sending the PreferencesChanged signal when
preferences have not changed.
Add field expression functions to convert unsigned integer
and char fields to hex or decimal. (BASE_OCT is handled
somewhat differently now, presumably because it
can't be used in filters, so leave that commented until
it is handled as a display representation.)
Currently string() always converts unsigned integers to their
decimal representation so it is the same as dec(), but possibly in
the future string() might use the native base.
These can be used in columns thanks to the fix for #15990
Fix #5308
"extcap" by itself can be the name of a directory that stores
extcap programs, especially if the default profile is being
used. Add an extension to the default file name so it doesn't clash.
Follow up to 4fb2ef8af8
Fix
```
wireshark/epan/dissectors/packet-icmpv6.c:1709:1: warning: function 'dissect_icmpv6_nd_opt' is within a recursive call chain [misc-no-recursion]
1709 | dissect_icmpv6_nd_opt(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree)
| ^
wireshark/epan/dissectors/packet-icmpv6.c:1709:1: note: example recursive call chain, starting from function 'dissect_icmpv6_nd_opt'
wireshark/epan/dissectors/packet-icmpv6.c:2247:30: note: Frame #1: function 'dissect_icmpv6_nd_opt' calls function 'dissect_icmpv6_nd_opt' here:
2247 | opt_offset = dissect_icmpv6_nd_opt(tvb, opt_offset, pinfo, icmp6opt_tree);
| ^
wireshark/epan/dissectors/packet-icmpv6.c:2247:30: note: ... which was the starting point of the recursive call chain; there may be other cycles
```
Fix
```
wireshark/epan/dissectors/packet-dhcpv6.c:1846:1: warning: function 'dhcpv6_option' is within a recursive call chain [misc-no-recursion]
1846 | dhcpv6_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree,
| ^
wireshark/epan/dissectors/packet-dhcpv6.c:1846:1: note: example recursive call chain, starting from function 'dhcpv6_option'
wireshark/epan/dissectors/packet-dhcpv6.c:2052:28: note: Frame #1: function 'dhcpv6_option' calls function 'dhcpv6_option' here:
2052 | temp_optlen += dhcpv6_option(tvb, pinfo, subtree,
| ^
wireshark/epan/dissectors/packet-dhcpv6.c:2052:28: note: ... which was the starting point of the recursive call chain; there may be other cycles
wireshark/epan/dissectors/packet-dhcpv6.c:2958:1: warning: function 'dissect_dhcpv6' is within a recursive call chain [misc-no-recursion]
2958 | dissect_dhcpv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
| ^
```
This change updates references to obsoleted RFCs and I-Ds,
provides human-readable interpretation of kid values, and fixes
the text encoding type in proto_tree_add_cbor_tstr().
Fixes #19659
Aligning the data type with the 802.1AS specs, the data type is
now INT32 instead of UINT32.
Also added a generated field where the scale and offset are removed
to more easily interpret the actual accumulated rate ratio.
For our test in check_dcid_on_coalesced_packet, check the *last*
QUIC packet in the frame so far, not the first packet in the
frame.
Only create the quic_packet structure after checking for a coalesced
packet, so that the last QUIC packet in the frame is the previous
one, not the current one.
What happens if 0-RTT packets are lost and resent? There's an
alternative suggestion featuring checking if the ciphers are
initialized on the first pass that might work too, but if we
did that, what happens if the server Handshake is fragmented,
reassembled, and the server sent some "0.5-RTT" data after the
last fragment but then had to resend a different Handshake fragment
later? We'd still get some 1-RTT data before the handshake was done.
Fix #19665 while still not upsetting #19503.
The uplink and downlink bit rate items, and the maximum SDU size,
are contained in a single octet but added to the tree using
proto_tree_add_uint_format[_value] after multiplying by various factors,
so the values don't actually fit in a FT_UINT8. The fields need
to be large enough to fit the largest value added after transformation.
The filter engine won't allow filters for values outside the field
range, e.g.
```
$ ./run/dftest -s 'gtp.qos_max_sdu_size == 1500'
Filter:
gtp.qos_max_sdu_size == 1500
Error: "1500" too big for this field, maximum 255.
gtp.qos_max_sdu_size == 1500
^~~~
```
After:
```
$ ./run/dftest -s 'gtp.qos_max_sdu_size == 1500'
Filter:
gtp.qos_max_sdu_size == 1500
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(gtp.qos_max_sdu_size <FT_UINT16>)
1 FVALUE(1500 <FT_UINT16>)
Instructions:
0000 READ_TREE gtp.qos_max_sdu_size -> R0
0001 IF_FALSE_GOTO 3
0002 ANY_EQ R0 == 1500
0003 RETURN
```
Allow matching against 64-bit extended value strings the same
way as other value strings.
The IAX2 sample capture on the Wiki is a good test of this. Previously
the matches operator would never match, and comparison operators were not
allowed.
Before:
```
$ ./run/dftest -s 'iax2.voice.codec == "GSM compression"'
Filter:
iax2.voice.codec == "GSM compression"
Error: "GSM compression" cannot be found among the possible values for iax2.voice.codec.
iax2.voice.codec == "GSM compression"
^~~~~~~~~~~~~~~~~
```
After:
```
$ ./run/dftest -s 'iax2.voice.codec == "GSM compression"'
Filter:
iax2.voice.codec == "GSM compression"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(iax2.voice.codec <FT_UINT64>)
1 FVALUE(2 <FT_UINT64>)
Instructions:
0000 READ_TREE iax2.voice.codec -> R0
0001 IF_FALSE_GOTO 3
0002 ANY_EQ R0 == 2
0003 RETURN
```
Rework the changes from 428f222853
a little bit to restore the ability to start a capture from
the extcap options dialog.
When the dialog is opened for configuration, present both the
Save and the Start button. Continue to only have Start when the
dialog was spawned because the user wanted to start a capture
but a mandatory parameter was not configured.
Use the default QDialogButtonBox "Discard/Close without Saving"
button when closing the dialog without saving the user input
for new preferences.
Fix #19199
Reduce false positives of the CLTP on UDP dissector (RFC 1240)
by looking at the parameters as well and also ruling out length
indicator zero.
See https://ask.wireshark.org/question/31455/i-see-a-malformed-packet-in-wireshark-from-a-google-ip-address-on-port-2400-using-r-goose-protocol-what-could-this-be/
RFC 1240 was rendered Historic by RFC 2556, which noted that
"at this time there do not seem to be any implementations" and
recommended TPKT (ISO on TCP) instead.
However, R-GOOSE does use RFC 1240. In practice, it seems like
R-GOOSE uses the IANA registered port for ISO-TSAP, 102, just like
TPKT does on TCP. Perhaps we should register the dissector to that
port instead of a heuristic dissector if someone can confirm that.
Move the dissector from goose to ositp. This doesn't cause any
preference issues because heuristic dissectors are saved in the
preference file by name and the name won't change.
The documentation, both man page and help, claims that text2pcap
automatically sets the encapsulation to WIRESHARK_UPPER_PDU if
-P is given. Make the behavior match the documentation.
The TPNCP dissector depends upon a resource file, tpncp.dat, being loaded
during initialization. If a non-default tpncp.dat was used, the TPNCP
dissector could potentially perform some operations beyond the bounds of a
fixed-size array while loading tpncp.dat.
If a non-default tpncp.dat was used and an attempt was made to dissect
malformed TPNCP traffic, the TPNCP dissector could potentially perform a read
beyond the end of an array.
This change adds explicit bounds-checks to eliminate these possible OOB
accesses.
There is zero chance of this being triggered in a default unmodified
installation of Wireshark: Loading of the tpncp.dat file is conditional on a
preference setting which defaults to FALSE, and even if it is configured to
TRUE, the included tpncp.dat does not trigger either of these OOB operations.
It still seems worthwhile to make the parser and dissector generally more
robust.
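An added sketch of the two bounds checks the TPNCP commit message describes, one while loading a resource file into a fixed-size array and one when a packet supplies the index. It is not the dissector's code: the `id name` file format, the table size, the two-byte packet id and all names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IDS  8                      /* hypothetical fixed table size */
#define NAME_LEN 16
static char names[MAX_IDS][NAME_LEN];   /* filled from the resource file */

/* Load "id name" lines (assumed format). Returns the number of entries
 * stored; an id that does not fit the table is skipped, never written. */
static int load_table(const char *text)
{
    int stored = 0;
    memset(names, 0, sizeof names);
    for (const char *p = text; *p; ) {
        size_t n = strcspn(p, "\n");
        char line[64] = "", name[NAME_LEN];
        unsigned long id;
        if (n < sizeof line) memcpy(line, p, n);  /* overlong line: skipped */
        /* %15s caps the name at NAME_LEN - 1 characters plus the NUL */
        if (sscanf(line, "%lu %15s", &id, name) == 2 && id < MAX_IDS) {
            snprintf(names[id], NAME_LEN, "%s", name);
            stored++;
        }
        p += n + (p[n] == '\n');
    }
    return stored;
}

/* Dissection-time lookup: the id now comes from the packet, so it is
 * checked again, and an id with no loaded entry is reported as unknown. */
static const char *lookup(const unsigned char *pkt, size_t len)
{
    if (len < 2) return NULL;
    unsigned id = (unsigned)pkt[0] << 8 | pkt[1];
    if (id >= MAX_IDS || names[id][0] == '\0') return NULL;
    return names[id];
}

/* Constructed resource text: ids 9 and 4294967295 do not fit the table. */
static const char sample_dat[] = "1 open\n9 overflow\n3 close\n4294967295 x\n";

int main(void)
{
    static const unsigned char pkt[] = { 0x00, 0x09 };  /* constructed packet */
    printf("%d stored\n", load_table(sample_dat));
    printf("%s\n", lookup(pkt, sizeof pkt) ? "known" : "unknown id");
    return 0;
}
```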