Commit Graph

88435 Commits

Author SHA1 Message Date
João Valverde 1d0c142a9a GUI: Implement Tools->MAC Address Blocks menu entry
Add a dialog to look up a MAC address or vendor name in the
internal IEEE manufacturer registry.
2023-07-30 20:54:28 +00:00
Gerald Combs d5fb4db20c [Automatic update for 2023-07-30]
Update manuf, services enterprise numbers, translations, and other items.
2023-07-30 19:52:02 +00:00
John Thacker 788be03d90 debian: New lintian override format
lintian changed its hint format to a new "pointed hint" format
with filenames in square brackets, invalidating our overrides
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007002

Try to eliminate the resultant mismatch-override warnings.
2023-07-30 01:46:35 +00:00
Gerald Combs 66cc899624 GitLab CI: Fix up our manuf header 2023-07-29 14:12:43 -07:00
Markku Leiniö b1f00bc411 UI: Fix path separators for profiles 2023-07-29 19:04:39 +03:00
John Thacker ad6cedb564 debian: Add missing symbols
[skip ci]
2023-07-29 07:04:57 -04:00
John Thacker 4052d2c7f4 debian: Override lintian embedded-library complaint about manuf data
Lintian errors out because we embed the manuf data from the CSV files
into static C arrays. Override that.
2023-07-29 06:41:02 -04:00
Van Ly Vu 5eb3fdc47a Fix typo for field wlan.wfa.ie.wpau.cs.oui 2023-07-29 03:24:06 +00:00
João Valverde a582dc8ae5 manuf: Add ws_manuf_count() 2023-07-28 21:07:44 +00:00
João Valverde 9179ba9667 manuf: More cleanups
Rename function to use the ws_manuf namespace.

Make all the interface functions public.
2023-07-28 21:07:44 +00:00
João Valverde 341c03713f manuf: Move private declarations out of header 2023-07-28 21:07:44 +00:00
Gerald Combs 4838556b3a GitLab CI: Move manuf to the Code Lines job
Code Lines does a full build.
2023-07-28 11:35:16 -07:00
Gerald Combs af2830be7b GitLab CI: Build manuf
Add manuf to the documentation job.
2023-07-28 18:17:57 +00:00
Gerald Combs 36e7876851 GitLab CI: Restrict "web" pipeline sources
Restrict our "web" pipeline sources to the master branch in the main
repository similar to "push"es.
2023-07-28 17:44:32 +00:00
Gerald Combs 6897e5cd04 Docs: Document `tshark -G {manuf,services,enterprises}`
Add manuf, services, and enterprises to the `-G` section in the tshark
man page.
2023-07-28 17:43:16 +00:00
Ismael Mendez Matamoros b14d514541 RTPS: New algorithm PIDs values set with their final values
Set the PIDs of the new algorithms with their final values
2023-07-28 13:22:30 +02:00
Ivan Tan 74406642ae ieee802.11be draft2.0:Fix mlo assoc response && EHT NDP Announcement 2023-07-28 06:20:15 +00:00
Markku Leiniö a9241ef14e Change data size formatting to use SI units and 0 precision 2023-07-28 02:22:18 +00:00
Guy Harris 4c5c969023 Clean up the cleaning-up of wtap_dump_params structures.
Use wtap_free_idb_info() to clean up the idb_inf member, rather than
duplicating what wtap_free_idb_info() does.

Don't call wtap_block_array_free() on the shb_hdrs member and then call
wtap_dump_params_cleanup() on the entire structure - that causes a
double-free of the SHB headers.

In text2pcap.c, have a routine that calls wtap_free_idb_info() and then
calls wtap_dump_params_cleanup(), and replace that sequence of calls
with calls to the routine.

Fixes #19235.
2023-07-27 13:31:05 -07:00
João Valverde b3e09c65d3 manuf: Mask out broadcast flag 2023-07-27 17:46:03 +00:00
João Valverde 0ebe3bc0d4 manuf: Improve iteration logic
Fill the temporary buffer with existing entries only. Use
a for loop to iterate and select the smallest.
2023-07-27 17:46:03 +00:00
João Valverde 611bf80be3 manuf: Code cleanup
Make global_manuf_lookup() return a struct ws_manuf pointer.

Use a function to handle each switch case.
2023-07-27 17:46:03 +00:00
João Valverde d2e85d783c Update release notes 2023-07-27 18:09:31 +01:00
João Valverde 7f06df2d0c Add tshark -G services 2023-07-27 18:09:27 +01:00
João Valverde 734a675938 Add description to IANA services table 2023-07-27 15:40:29 +01:00
João Valverde a3142d25bf Add tshark -G enterprises 2023-07-27 15:40:25 +01:00
Eugène Adell 939a9fb0a7 TCP: Summarize the completeness bitmask as a string 2023-07-27 07:34:52 +00:00
John Thacker 5218affca5 debian: Add missing symbols 2023-07-26 21:29:57 -04:00
John Thacker 75585a7607 http: Don't create extra TCP streams and conversation data
Don't just call get_tcp_conversation_data in the HTTP dissector,
because HTTP is not necessarily over TCP, and that ends up creating
extra TCP streams and conversation data in such cases (e.g., SSDP
over UDP, or HTTP over SCTP, also some proxied connections.)

Instead, just determine the direction the same way that the TCP
dissector does using addresses and ports, because that's all that's
being used here.
2023-07-26 23:26:12 +00:00
Maxim Kolesnikov 6b630a65dc PROXYv2: support coalesced packets
Call next dissector when there is data remaining after dissection the same way PROXYv1 dissector does

Closes #19208
2023-07-26 23:18:06 +00:00
Alexis La Goutte 0f7b431de4 cql: fix Dead Store found by Clang Analyzer 2023-07-26 07:09:44 +00:00
John Thacker edd0517fae Websocket: Restore the text payload field
Add back the websocket.payload.text field, always displaying the
unmasked payload, so that the entire payload string can be filtered
or added to the info column.

Fix #19220
2023-07-25 23:29:36 -04:00
João Valverde dae58c9a69 manuf: Add table dump with tshark -G 2023-07-26 00:13:32 +00:00
Vadim Yanitskiy a6bd924c0a GSM A DTAP: fix value-string for Signalling Access Protocol
Last time this value-string was edited in 959a290961, and before
this commit there was only one value (all other values reserved):

  case 0x01: str = "According to ITU-T Rec. Q.920 and ITU-T Rec. Q.930";
  case 0x02: str = "Reserved: was allocated in earlier phases of the protocol";
  case 0x03: str = "Reserved: was allocated in earlier phases of the protocol";
  case 0x04: str = "Reserved: was allocated in earlier phases of the protocol";
  case 0x05: str = "Reserved: was allocated in earlier phases of the protocol";
  case 0x06: str = "Reserved: was allocated in earlier phases of the protocol";
  default:   str = "Reserved";

This matches the definition of the "Signalling access protocol (octet 5)"
in a recent version (17.8.0, 2022-10) of 3GPP TS 24.008.  However, the
above-mentioned commit replaced the switch statement with a value-string
conforming to neither 3GPP TS 24.008, nor the earlier GSM 04.08.

Let's revert back to the correct description, and additionally take
a chance to specify the old meaning of reserved values (from GSM 04.08).
2023-07-26 00:00:21 +00:00
Darius Davis 36c6616b7d telnet: Simplify handling of Telnet option lookup.
Handling telnet options by their "tn_opt" structure pointer allows for
elimination of some duplicated logic and will make it easier to add support for
Telnet options which are not consecutively numbered.  Unknown options are
handled through a special tn_opt just for that purpose.  Behavior should be
unchanged.

While we're here, constify the option table.
2023-07-25 22:42:29 +00:00
Huang Qiangxiong 0fd01fbd6d HTTP2: Modified to use common streaming reassembly helper function
The reassemble_streaming_data_and_call_subdissector() of 'epan/reassemble.c'
originated from the mechanism of HTTP/2 streaming reassembly and has
some enhancements. Making HTTP/2 use this common helper function is beneficial
for resolving common streaming reassembly issues encountered in the future.

Add '-2' in test/suite_dissection.py because some reassembly issues may
happen in second pass.
2023-07-25 20:51:53 +00:00
Huang Qiangxiong edbb5272ac Reassembly: add additional_bytes_expected_to_complete_reassembly function
Get how many additional bytes are expected to complete current streaming
reassembly. Used to check if the current streaming reassembly is complete.
2023-07-25 20:51:53 +00:00
Eugène Adell 783918a93b IRC: Interpret CTCP commands with a Name Only protocol 2023-07-25 19:19:34 +00:00
David Johansen a6bab78815 Add H.265 to video codecs 2023-07-25 17:39:08 +00:00
João Valverde b4a421cf82 Replace "manuf" files with static arrays
To reduce startup external file parsing replace the manuf file with
static arrays compiled into the binary.

Add 3 tables for MA-L, MA-M and MA-S. Add a fourth table to direct
a 24-bit MAC prefix (OUI) to one of these tables.

Adapt the make-manuf.py script to generate the static C data
instead of the text file.

The arrays are sorted and a binary search is performed to map
an OUI (24bit/28bit/36bit) to a short and long name.
2023-07-25 16:23:26 +00:00
Yaniv Kaul 7e08afb478 packet-cql.c: fix ERROR message parsing
offset parameter was not moved forward by 4 bytes, causing ERROR messages not to be parsed properly.

Signed-off-by: Yaniv Kaul <yaniv.kaul@scylladb.com>
2023-07-25 12:46:35 +00:00
João Valverde 74bfa8a03d dfilter: Remove deprecated ~= operator symbol 2023-07-25 12:18:16 +00:00
João Valverde ca8976020f dfilter: Change "not in" behaviour to match inequality
"A not in S" is now implemented as "A and A not_in S"
instead of "not (A in S)".

"not A in S" is implemented as "not A or A not_in S".

This is to be consistent with the way inequality has historically
worked, where "A != B" is not the same as "not A == B".

Maybe we should change both propositions to have inequality
be the same as not equality instead.

Fixes #19187.
2023-07-25 12:17:25 +00:00
John Thacker 1b82eda9eb epan: Register dynamic column fields and make them filterable
Make the text of each registered column a FT_STRING field that can be
filtered, prefixed with _ws.col - these work in display filters, filters
in taps, coloring rules, Wireshark read filters, and in the -Y, -R, -e,
and -j options to tshark. Use them as the default "Apply as Filter" value
for the columns that aren't handled by anything else currently.

Because only the column formats that actually correspond to columns
get filled in (invisible columns work), register and deregister the
fields when the columns change.

Use the lower case version of the rest of the COL_* define for each
column as the field name.

This adds a number of conditions to "when are the columns needed",
including when the main display filter or any filter on a tap is
using one of these fields.

Custom columns are currently not implemented. For custom columns, the
tree then has to be further primed with any fields used by the custom
columns as well. (Perhaps that should happen in epan_dissect_run() -
are there any cases where we construct the columns and don't want to
prime with any field that custom columns contain? Possibly in taps
that we know only use built-in columns.)

Thus, for performance reasons, you're better off matching an ordinary
field if possible; it takes extra time to generate the columns and many
of them are numeric types. (Note that you can always convert a non-string
field to a string field if you want regex matching, consult the
*wireshark-filter(4)* man page.) It does save a bit on typing (especially
for a multifield custom column) and remembering the column title might
be easier in some cases.

The columns are set before the color filters, which means that you
can have a color filter that depends on a built-in column like Info or
Protocol.

Remove the special handling for the -e option to tshark. Note that
the behavior is a little different now, because fixed field names
are used instead of the titles (using the titles allowed illegal
filter names, because it wasn't going through the filter engine.)
For default names, this means that they're no longer capitalized,
so "_ws.col.info" instead of "_ws.col.Info" - hopefully a small
price in exchange for the filters working everywhere.

The output format for -T fields remains the same; all that special
handling is removed (except for remembering if someone asked for
a column field to know that columns should be constructed.)

They're also set before the postdissectors, so postdissectors can
have access.

Anything that depends on whether a packet and previous packets are
displayed (COL_DELTA_TIME_DIS or COL_CUMULATIVE_BYTES) doesn't work
the way most people expect, so don't register fields for those.
(The same is already true of color filters that use those, along with
color filters that use the color filter fields.)

Fix #16576. Fix #17971. Fix #4684. Fix #13491. Fix #13941.
2023-07-25 00:49:52 +00:00
Peter Wu 99ef0560b7 zabbix: fix buffer overflow in zabbix_desegment preference
The `sizeof(bool)` is 1 byte whereas `prefs_register_bool_preference`
expects a `gboolean` of size 4 bytes. Caught by ASAN at startup.

Fixes: v4.1.0rc0-3228-g261c2f24cc ("Add Zabbix protocol dissector")
2023-07-25 00:40:49 +02:00
João Valverde d138e594b5 dfilter: Fix `all .. in` operator semantics
Fix the "all X in S" expression to be implemented as

    (x1 in S) AND (x2 in S) AND ... AND (xn in S)

Previously it was implemented as

    (X all_eq s1) OR (X all_eq s2) OR ... OR (X all_eq sn)

which does not implement set membership semantics correctly.

The implementation uses a list to build the set and the
set membership test is done with a SET_*_IN instruction
that tests if a register belongs to the set (list contents).

Example:

    Filter:
     all tcp.port in {10..15,20,30}

    Instructions:
     0000 READ_TREE        tcp.port         -> R0
     0001 IF_FALSE_GOTO    7
     0002 SET_ADD_RANGE    10 .. 15
     0003 SET_ADD          20
     0004 SET_ADD          30
     0005 SET_ALL_IN       R0
     0006 SET_CLEAR
     0007 RETURN

Fixes #19188.
2023-07-24 22:25:33 +00:00
João Valverde f743fa5249 dfilter: Refactor DFVM values
Use a GPtrArray of length one to store fvalues in a
dfvm_value_t. This simplifies our internal logic by
using the same underlying representation for register
contents and constant values and allows us to take
advantage of the existing reference counting support
of GPtrArray.
2023-07-24 22:25:33 +00:00
Markku Leiniö 261c2f24cc Add Zabbix protocol dissector
Features:
- Supports also compressed and TLS-encrypted Zabbix connections as well
  as TCP desegmenting
- Dissects both passive agent connections (10050/tcp, plaintext-based)
  and active agent, proxy and sender/trapper connections (10051/tcp,
  JSON-based), ports are configurable
- Detects passive agent conversations by checking the request being
  non-JSON (not depending on the well-known TCP ports)
- Calculates response times using protocol data saved in conversations
- Detects the connection type (proxy, agent, sender/trapper) and shows
  tree and Info column information accordingly
- Dissects protocols up to Zabbix version 6.4 (currently latest) and
  7.0 (currently in alpha)
- Does not support passive agent connections in Zabbix 3.x or earlier
  (it does not have the normal Zabbix header; note that Zabbix 4.0 was
  released in 2018)
2023-07-24 17:38:15 +03:00
Gerald Combs 6885d787fd [Automatic update for 2023-07-23]
Update manuf, services enterprise numbers, translations, and other items.
2023-07-23 18:17:07 +00:00
Gtker 207321b4b1 woww: Fix inconsistencies 2023-07-23 19:30:17 +02:00