Commit Graph

88435 Commits

Author SHA1 Message Date
John Thacker 00216e7e0b epan: Decrease dependent frame hash table size
The table of dependent frames is really a set, not a hash table,
as we never use the value, only the keys / frame numbers. If you
only ever store the key itself as the value, glib optimizes by not
allocating space for the values. This optimization does not occur
if e.g., NULL is always used as the value.

Use the convenience function g_hash_table_add to ensure that we
keep it a set.
2023-07-18 12:03:54 +00:00
Martin Mathieson 2134cca1a4 AMR: avoid redundant assignment 2023-07-18 12:28:39 +01:00
Guy Harris a6a5707a78 When checking for a 32-bit vs. 64-bit architecture, check for ARM64.
That means that a 64-bit ARM version of Wireshark for Windows will
report that it's running on 64-bit Windows.

(A 64-bit x86 version of Wireshark for Windows, running on an ARM64
system, would, as I read the documentation for GetNativeSystemInfo(),
not be able to report that, so we don't bother reporting the instruction
set.)
2023-07-17 21:46:09 -07:00
Guy Harris eac19ab007 Simplify the "is this NT workstation" test.
Pull it into a common routine, and get rid of the old workaround for
MSVC 6 - we had other code that required VER_NT_WORKSTATION to be
defined and required an OSVERSIONINFOEX to have a wProductType member
(not to mention required that there be an OSVERSIONINFOEX structure in
the first place), and it's been compiling just fine.
2023-07-17 19:33:12 -07:00
Guy Harris 889d0d6e6c Fix comment in a typo. [skip ci] 2023-07-17 15:43:45 -07:00
John Thacker 7bfc3f2c13 dumpcap: Add a permissions warning about capabilities
If we have Linux capabilities, and dumpcap gets a permission error,
suggest that the user add the CAP_NET_RAW and CAP_NET_ADMIN capabilities
that dumpcap needs if Wireshark was not installed by a package.
(Distribution packages should set the capabilities.)

Fix #18279
2023-07-17 20:57:23 +00:00
Gerald Combs 76719d21eb CBOR: Add a recursion check
Fixes #19144
2023-07-17 20:07:12 +00:00
Jaap Keuter f307a16d36 Qt: Change handling of folder name text entry
When changing text, don't use the crude method of setting all widgets
where setting of the radio button is sufficient. Setting all widgets
causes the text to be set as well, with cursor at the end of the input.

Closes #19213
2023-07-17 20:01:39 +00:00
Guy Harris 52c45b278e Fix the check for Windows 11 to detect 22H2.
Instead of treating one particular build number as W11, for all OS
versions with a "major version number" of 10, treat all build numbers
less than 10240 as some unknown version, treat build numbers in
[10240,22000) as W10, and all build numbers 22000 and above as W11.

Add comments about other ways of obtaining the OS's "product
name"/"brand name"/whatever that let Microsoft code do a lot of the
heavy lifting, rather than requiring us to do it in a fashion that might
require us to update it.
2023-07-17 12:22:45 -07:00
Pascal Quantin 76e1c8a19f XnAP: fix another test 2023-07-17 17:57:16 +02:00
Martin Mathieson 6a1639c42f XNAP: fix a test 2023-07-17 15:53:02 +00:00
Dave Rigby ee3faeedf9 couchbase: Add support for ReplicaRead subdoc flag
Additional doc_flag for subdoc lookup commands, requests that a
replica vBucket is requested instead of active.
2023-07-17 13:24:31 +00:00
John Thacker f0520511b1 Debian: Add missing symbol
Also remove some symbols that have been moved to wsutil
2023-07-17 07:11:34 -04:00
John Thacker 6f6a8d9b66 epan: Fix crash on columns with many long string fields
ws_label_strcpy, like strlcpy, returns the number of bytes it
would have written in the case of overflow.
proto_item_fill_display_label needs to return the actual number
of bytes copied (which is what protoo_strlcpy does).

Fix #19212
2023-07-16 21:52:51 -04:00
Gerald Combs e3bedc57ba [Automatic update for 2023-07-16]
Update manuf, services enterprise numbers, translations, and other items.
2023-07-16 20:44:43 +00:00
John Thacker dcc9cbffef Qt: Include a checkbox to export without depended upon packets
Add a checkbox to allow users to Export Specified Packets without
including frames which the displayed frames depend upon.

Note that exporting Marked Range and User Range include frames within
the range that any displayed frame depends upon. What we almost surely
want instead is to include any frame that a displayed frame within the
range depends upon. These are often similar, but not the same,
especially at the beginning and end.

Fix #7667
2023-07-16 19:42:19 +00:00
Ismael Mendez Matamoros 39a0efc3ad RTPS: Added CRC32 and MD5 checksum check and deleted unused hfs
Added an option for checking the expected RTPS message
checksum is the same as the received in the wire if
checksum is CRC-32C or MD5. Also deleted unused header filters.
Introduced function proto_tree_add_checksum_bytes.
2023-07-16 15:14:52 +00:00
John Thacker 86652cef34 Qt: Fix displayed marked packet count label
In PacketRangeGroupBox, we are accidentally showing the number
of marked packets in the entire capture file in the "Displayed"
column as well.

When actually exporting packets, only the displayed marked packets
are exported if that column is selected, but the count shown to
the user is wrong. Fix that.
2023-07-16 10:35:30 +00:00
Martin Mathieson 27035bc9f5 ASN1 dissectors: Avoid returning twice from same function 2023-07-16 08:57:51 +00:00
Martin Mathieson 96b24596d6 file-tiff: Avoid division by zero 2023-07-15 22:26:39 +00:00
John Thacker 2056d7a6ff DICOM: Fix leak in export objects
g_path_get_basename() allocates a new string, which means that it is
a waste to strdup the filename before passing it to the tap and calling
that. The least confusing behavior is to do all the memory
allocations in dcm_eo_packet, since the Export Object window will
free them when it is closed.

We can change some of the allocations from file scoped to packet
scoped memory, since the dicom_eo_t doesn't need to live any longer
than the packet. Also make the string buffers const, since they are
copied in dcm_eo_packet anyway.
2023-07-15 18:44:00 +00:00
Gerald Combs a7f8bb991e WSUG: Note that we have a foundation. 2023-07-15 09:38:03 -07:00
Jaap Keuter 953cfbd529 DNS: Implement support for A record CH class response
Closes #19203
2023-07-15 14:47:25 +00:00
David Perry 7922b74edf [19131] wslua: make `pinfo.in_error_pkt` writable
Allow lua dissectors to set `pinfo.in_error_pkt`. This allows, for
example, a lua dissector to send an IP header to the IP dissector while
warning it that it is incomplete.

Currently untested!
2023-07-15 13:39:31 +00:00
Nardi Ivan 2fb12ccdcf TLS-utils: fix visualization of "max_ack_delay" transport parameter
Is there a smarter way?

Close #19209
2023-07-15 11:56:40 +00:00
John Thacker 8cee13f912 DICOM: Fix some leaks
The dcm_state_pctx_t and dcm_state_pdv_t objects are created in
file scope. Member strings should be created in the same scope to
avoid leaks.
2023-07-14 21:34:37 -04:00
John Thacker 23ccf8c9a0 codecs: Pass in fmtp, decode bandwidth efficient AMR
Pass the wmem_map of format parameters. Use this to decide whether
we have octet-aligned or bandwidth-efficient AMR, and decode
accordingly.

If we don't have a map of format parameters, because the conversation
wasn't set up by SDP but by Decode As, use the default preferences
from the dissector

Fix #17608
2023-07-14 17:58:19 -04:00
Dr. Lars Völker fd64746f44 Improve consistency of includes 2023-07-14 18:21:18 +00:00
John Thacker 1c386645df RTP Analysis: Fix jitter for packets before the previous one
After 15013ab136, the expected
time of arrival is compared to the previous packet, in an effort
to handle clock changes better. If we're doing so, then there's
some chance that the expected time arrival moves backwards. That's
not a problem for the calculation, so long as we cast to signed
integers at some point.
2023-07-14 18:02:25 +00:00
Elisey Shemyakin 61ef5f7564 Copy DICOM payload to Export Objects window
Payload data for DICOM export object is allocated on the file scope, meaning it
should be freed automatically on capture file close. When Export Objects window
is closed it will attempt to free payload data memory which was allocated by
the DICOM dissector on the file scope. This results in a program crash.
Copying dissector's payload for the Export Objects window fixes #19207
2023-07-14 14:32:12 +00:00
huangqiangxiong 02d2f62b8c Protobuf: improve the speed of loading protobuf language files 2023-07-14 13:30:55 +00:00
Martin Mathieson 0471cc357f MAC-LTE: Fix some value_string conflicts 2023-07-14 10:47:43 +01:00
Gerald Combs 9466415937 Debian: Add missing symbols 2023-07-13 13:00:02 -07:00
Jaap Keuter 17ee2ad57e User Guide: Document preferences 2023-07-13 16:33:45 +00:00
John Thacker ca1a477921 T.38: Support reassembly of more than two data items in a frame
Store information about more than one reassembly in the given frame.

Don't increment additional_hdlc_data_field_counter on every pass,
but use the value from the first pass in the packet data.

Store the data field item number of the first data field in a
reassembly, to identify the fragment sequence number of when in
the first frame of the reassemble.

This produces a consistent set of fragment sequence numbers that
start at 0 and increment by 1, regardless of if there are more than
two data field fragments in a frame, or if there is data starting
a new reassembly in the same frame as a signal end ending a reassembly.

This still doesn't handle the case where more than one reassembly
begins in the same frame (as opposed to one ending and another beginning
in the same frame.) That would require changing the reassembly ID to
be a value guaranteed to increment for each reassembly, instead of
using the frame number of the first fragment.

Fix #12552. Fix #5792.
2023-07-13 07:25:58 -04:00
John Thacker 4b377dd250 IPP: Support both IPP and IPPS
IPP uses the same well known TCP port, 631, for running atop HTTP
(which can upgrade to TLS, RFC 2817) as well as connections that
start out as HTTP over TLS (IPPS, RFC 7472). RFC 8010 notes that
HTTP/2 is also an OPTIONAL transport type.

Despite the clear admonition of RFC 8010 that:
    the "Content-Type" of the message body in each request and response
    MUST be "application/ipp"
many IPP implementations (e.g., on HP printers) often fail to include the
Content-Type in their chunked responses.

So we register IPP in the HTTP port-based dissector so that packets
without a Content-Type will still call the IPP dissector. (Note that
IPP servers commonly will respond to normal HTTP and HTTPS requests
on port 631 just as they would on port 80 or 443, which is why it is
good that we check the Content-Type first. At least those non-IPP
requests and responses seem always to have the Content-Type.)

We can only have a single dissector in the TCP dissector table for port
631. If we don't register a fake helper protocol that tries TLS, HTTP/2,
and HTTP in order, then the others will be recognized heuristically. For
now at least, we are better off having TLS be the dissector set to the port,
because the non-heuristic HTTP dissector never rejects packets. Even when
a packet doesn't look like HTTP and HTTP has never been seen, so the HTTP
dissector doesn't add anything to the tree, it still claims to consume all
the bytes.

When TCP calls a heuristic dissector, pinfo->match_uint does not get
set. If pinfo->match_uint is neither the source nor destination port
(and thus is probably set to IP_PROTO_TCP by the IP dissector), check
the HTTP port subdissector table using the source or destination port,
depending upon whether we have a request or a response.

Fix #18825
2023-07-13 10:57:04 +00:00
John Thacker 8ecb0b53f2 T.38: Don't warn about no pending fragments on retransmissions
If the current packet has the same sequence number as the previous
packet in the same direction on the same conversation, don't add a
Malformed expert info complaining about receiving a fragment end
without any pending fragment data. The fragment data was reassembled
in the previous packet.

For T.38, the new "Ignore duplicate frames" Preference (in Protocols)
added by commit d2c9f1824a is highly
recommended.

Part of #5792 and #12552.
2023-07-12 23:29:06 -04:00
Tomasz Moń 2f0fd3476e USB: Print Darwin frame status only when available
Individual frame status codes can differ from overall request status.
For example when one of the two frames in isochronous IN status code is
kIOReturnNotResponding, then the request status will also be set to
kIOReturnNotResponding regardless of which frame did error.

Do not repeat the request status for all frames as it brings no value
and can actually mislead the user if frames do not share the same status
code.
2023-07-12 19:17:24 +00:00
Tomasz Moń 8ce0d9bc9c USB: Add missing Darwin USB status values
The status values are taken from IOKit IOReturn.h. The value 0xe00002ed
(kIOReturnNotResponding) is reported when timeout occurs on isochronous
IN endpoint.
2023-07-12 19:17:24 +00:00
David Perry 656c01bc53 DTLS: add tree for unknown data
In the DTLS code path for an unrecognized record type, add a tree item
that labels the otherwise-undissected data. The current behaviour claims
that data as part of the parent tree item but without any dissection.

Also add the value for DTLS 1.3 to the `value_string` for SSL versions.
2023-07-12 07:25:41 -04:00
John Thacker a43ba6452a HTTP: Warn if there is extra data after a body
If we call dissect_http_message() a second time in a segment, that
means that the previous message had a Content-Length and more than
enough data to satisfy that Content-Length (so we didn't just slurp
the entire tvb handed to us). If that's the case (original offset > 0),
and the new data doesn't look like the beginning of a request or reply
(that is, a second pipelined request or response), warn the user.
That's probably a bogus Content-Length value.

Fix #15094
2023-07-11 10:53:19 +00:00
John Thacker b285a28467 RTP: Fix if the fmtp comes before rtpmap
Sometimes the SDP has the fmtp before the rtpmap in a media
description. Handle that case.
2023-07-10 20:40:13 -04:00
Gerald Combs 78cc1225b7 Remove services
Remove an empty services file inadvertently added by yesterday's
automatic update.
2023-07-10 21:08:40 +00:00
Markku Leiniö 3ff0902336 DHCPFO: Add Microsoft-specific features
- Add enum preference for autodetecting (or enabling/disabling) Microsoft-
compatibility (default = autodetect)
- Dissect client DHCP scope address (dhcpfo.msclientscope) and hardware address
- Add MS-style IP flags (dhcpfo.msipflags, they do not conform to draft-12)
- Add message digest type 2 as "Microsoft-specific"
- Allow empty message digest (used when message authentication is not
configured)
- Add UTF-16-LE handling for relationship-name and vendor-class options
- Add Microsoft-specific options:
     30 = "microsoft-scope-ID" (dhcpfo.msscopeid)
     33 = "microsoft-scope-netmask" (dhcpfo.msscopenetmask)
     34 = "microsoft-server-IP-address" (dhcpfo.msserverip)

Also show message digest in hex.
2023-07-10 20:18:54 +00:00
John Thacker 725c71b0c2 cfm: Test ID TLV has unusual length (bits not octets)
ITU-T G.8013/Y.1731 9.14.2 indicates that the Length field of a
Test ID TLV "must be 32" even though the Value is a 4-octet Test
ID, and IEEE 802.1Q 21.5 "TLV Format" indicates that the "16 bits
of the Length field indicate the size, in octets, of the Value field."

For this specific TLV type, then, if it is 32, treat it as 4 and
add a note.

Fix #19198
2023-07-10 19:28:17 +00:00
hidd3ncod3s 934e487a3a DCERPC: Fix WKSSVC NetWkstaEnumUsers Request/Response parsing 2023-07-10 19:27:02 +00:00
João Valverde f588214a58 manuf: Improve name shortening heuristic
Add - and + to punctuation exclusion list.

Do not remove the first word as a general term. When an exclusion
term is used as the first word usually it is not only legalese and
should not be rejected. The exception is "The".
2023-07-10 15:24:47 +01:00
João Valverde f44e088329 manuf: Skip some start words in short name
Skip some locations in company names that are just repeated low-value
information. Many different Chinese companies will short to the same
name (Shenzhen for example).

This is a heuristic and not 100% reliable but in the vast majority of
cases it cuts down on noise and generates more informative names.
2023-07-10 15:23:23 +01:00
João Valverde ac57a25ed8 manuf: Increase truncation size to 12
The truncation size of 8 is too short to convey enough information
in many cases. Some experimentation suggests it can be safely
increased for better readability without any other ill effects.

Make a conservative size increase to 12. Arguably it could be larger.
2023-07-10 15:22:36 +01:00
João Valverde 641de5bd0d manuf: Fix indentation
Align the column indentation vertically.
2023-07-10 15:22:05 +01:00