"Follow Stream" functionality assumes that all data in a single packet
belongs to the same stream. That is not true for HTTP2 and QUIC, where
we end up having data from unrelated streams.
Filter out the unwanted data directly in the protocol dissector code with
a custom `tap_handler` (as TCP already does).
Close#16093
Changes:
- epan/follow.c: follow_conv_filter_func has new parameter
epan_dissect_t *edt, so filter can be generated based on decoded tree
of packet below the cursor
- menu Follow/SIP Call is enabled when sip packet is selected
- value of sip.Call-ID is used as filter for SIP call
- for sharkd it generates filter just 'sip.Call-ID' with no value
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.
Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.
Also make some of those arrays static while we're at it.
Update documentation and dissector-generator tools.
Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
From a recent cppcheck scan:
epan/dissectors/packet-http2.c:1604: warning: The expression 'strcmp(header_name,"<unknown>") != 0' is suspicious. It overlaps 'strcmp(header_name,":method") == 0'.
epan/dissectors/packet-http2.c:1604: warning: The expression 'strcmp(header_name,"<unknown>") != 0' is suspicious. It overlaps 'strcmp(header_name,":status") == 0'.
Change-Id: I373398112ca9e44d848da4a2b21bd7d059fa049c
Reviewed-on: https://code.wireshark.org/review/37352
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
nghttp2_hd_inflate_hd has only been deprecated because its "in" argument
is non-const, aside from this aspect the implementation is equivalent.
For inflate_http2_header_block there is no difference since the buffer
is already non-const. However in fix_partial_header_dissection_support,
the given buffer is const. To avoid new -Wcast-qual warnings while
keeping the buffer read-only, just add a simple wrapper function.
This fixes a build failure reported for libnghttp2-devel
1.7.1-1.15.x86_64 on openSUSE Leap 42.3.
Change-Id: I9ab9305ffc5920f5e3f4866c2f0378d45008b57a
Reviewed-on: https://code.wireshark.org/review/37346
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In incomplete streams the http2 dissector fails to display the content of
a data packet following a header with unknown fields as
reassembly_info->data_initiated_in is not set.
Change-Id: I754bdc92049124bcc722a25f8cf791e36f8f523a
Reviewed-on: https://code.wireshark.org/review/37311
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Populate the dynamic table with dummy entries to ensure that nghttp2
will continue even if previous headers were missing (for example, due to
the capture starting in the middle of a plaintext h2c connection).
Bug: 16496
Change-Id: Ifb2fd4c6b8f3f93babed42e1f803048a695b23e9
Reviewed-on: https://code.wireshark.org/review/37278
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If the packet containing the content type header is missing the stream
can be dissected by using decode as.
Change-Id: I40c57e34971c9eee3d694975262dd7b3c7b3ef89
Reviewed-on: https://code.wireshark.org/review/36852
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Trivial, mostly just redundant assignments or
format specifiers.
Change-Id: Iaf33f24d2af5a48a5e1b797e582bf936914c8daa
Reviewed-on: https://code.wireshark.org/review/36154
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
http2_get_data_reassembly_mode is not used when nghttp2 is not found.
Put compile guards around it to stop the compiler from complaining about
an unused function.
Change-Id: I5f1fa094d0968d3a877127058adc1024c5013fea
Reviewed-on: https://code.wireshark.org/review/34939
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If working in streaming RPC mode, many grpc messages will be
contained in one http2 stream, the stream will end very late
(for example ETCD watch stream).
So we could not rely on old http2 reassembly mode which call
sub-dissector only END_STREAM appeared. We need a reassembly
mode that call subdissector which support streaming mode as
soon as the message in STREAM is available.
Please refer to comments of
reassemble_http2_data_according_to_subdissector() function
of epan/dissectors/packet-http2.c for more detail.
See the linked bug for streaming mode gRPC capture files.
Ping-Bug: 16160
Change-Id: Id9e5337a0e3ca9f8c8119d74d2c1fe4cc263afc3
Reviewed-on: https://code.wireshark.org/review/23988
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
HTTP/2 header decompression requires nghttp2, be more helpful to users
who did not build Wireshark with appropriate support.
Change-Id: I52f79e320cf04bd943e1e8224a613e70ac263579
Reviewed-on: https://code.wireshark.org/review/34584
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The HTTP/2 protocol multiplexes a single TCP connection into multiple
independent streams. The Follow TCP output can interleave multiple
HTTP/2 streams, making it harder to analyze a single HTTP/2 stream.
Add the ability to select HTTP/2 Streams within a TCP stream.
Internally, the HTTP/2 dissector now stores the known Stream IDs in a
set for every TCP session which allows an amortized O(n) lookup time for
the previous/next/max Stream ID.
[Peter: make the dissector responsible for clamping the HTTP/2 Stream ID
instead of the Qt code, that should permit future optimizations.]
Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200
Reviewed-on: https://code.wireshark.org/review/32221
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 4234
Change-Id: Ibd59809b2dd9890a7851eb57ef7af384e280a74b
Reviewed-on: https://code.wireshark.org/review/31222
Reviewed-by: Michael Mann <mmann78@netscape.net>
This will present the Header in unescaped format, without percent-coding.
ex.
&requester-plmn=%7B%22mcc%22%3A%22240%22%2C%20%22mnc%22%3A%2201%22%7D&
to
&requester-plmn={"mcc":"240", "mnc":"01"}&
Change-Id: I44296bf564a9dd75bf172503a277d48f116d26fd
Reviewed-on: https://code.wireshark.org/review/31119
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ie900a70477a21b82650e6504d3b2f175f20c7caa
Reviewed-on: https://code.wireshark.org/review/30725
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
current_stream_id is only defined when built with HAVE_NGHTTP2. One
option is to create the session with stream ID unconditionally. As the
subdissector (DoH) is chosen based on the Content-Type header and
parsing of such headers is only possible with nghttp2, don't bother.
Change-Id: Iefee65210974bf5b8b75c6870a0476567b6830e5
Fixes: v2.9.0rc0-2007-gcc69e09981 ("HTTP2: allow subdissectors to query the Stream ID")
Reviewed-on: https://code.wireshark.org/review/29896
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This will be used by the DNS dissector to distinguish different
request/response pairs over the same connection (for DoH).
Change-Id: I53721904b007847861807faa1a2137e696639428
Reviewed-on: https://code.wireshark.org/review/29888
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Rename the "ssl" protocol to "tls" and add an "ssl" alias. Prefer "TLS"
over "SSL" in user interface text and in the documentation.
Fix the test_tls_master_secret test while we're here.
Bug: 14922
Change-Id: Iab6ba2c7c4c0f8f6dd0f6d5d90fac5e9486612f8
Reviewed-on: https://code.wireshark.org/review/29649
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Based on an idea from David M. Lloyd, let subdissectors register
themselves with the HTTP dissector based on the Upgrade header instead
of the other way round.
Tested with SSTP (bug 82390), WebSocket (bug 13889), HTTP2 PRI without
Upgrade (bug 11331), h2c (from HTTP2 wiki), spdy/3.1 (bug 12874).
Change-Id: I1425b7119d4d85e626032408504fc2c6b2f2eeb8
Reviewed-on: https://code.wireshark.org/review/29112
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Don't assume that the amount of data remaining in the packet is greater
than or equal to the amount of padding; it might not be. Throw an
exception if it isn't.
Make sure data eists before allocating a buffer for it and copying with
tvb_memcpy(), in case the length is too big.
Change-Id: Icde8b8cc687b7b9229756aabddb246f9b98c3a22
Ping-Bug: 14999
Reviewed-on: https://code.wireshark.org/review/28810
Reviewed-by: Guy Harris <guy@alum.mit.edu>
With HTTP2 heuristics to identify the conversation, a packet can be
skipped on first pass and then decoded as HTTP2 on subsequent ones.
Check that header data is available before attempting header
decompression.
Bug: 14869
Change-Id: I8ef7669ca33835b509acb38d797e33d6167a1bd1
Reviewed-on: https://code.wireshark.org/review/28257
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Have dissectors register with their protocol ID string in that table,
rather than having a table in epan/dissectors/packet-ssl-utils.c that
has to be updated for new protocols.
Have a table of protocol ID string prefixes, to handle the case of
protocols such as SPDY and HTTP2 drafts, where multiple protocol IDs are
used for different versions.
Change-Id: I363d04895a88e779fbbca7dc8e1f31aa1970a31a
Reviewed-on: https://code.wireshark.org/review/27836
Reviewed-by: Guy Harris <guy@alum.mit.edu>
[packet-ber.c:2687]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-erf.c:2475]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-fmp.c:378]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-http2.c:2050]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-obd-ii.c:643]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
[packet-yami.c:244]: (error) Shifting signed 32-bit value by 31 bits is undefined behaviour
Change-Id: Ie71f9f7c8f863d1e9c693bd56444f00bdad48042
Reviewed-on: https://code.wireshark.org/review/27019
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Headers field "name" is used in the hash table for matching
field type while processing data. Browsers use dash as
delimiter while in the code we use underscore.
Change-Id: I6342af9328118b41a8c71e034ef5913a83a84459
Reviewed-on: https://code.wireshark.org/review/25478
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Make HTTP2 headers filterable.
Change-Id: I1a1a42ccdb41461f048e9ae462421ecad79da61b
Reviewed-on: https://code.wireshark.org/review/24475
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The "Decompressed header" tab contains some human-readable text, but no
field was associated with it. Instead, the fields were attached to raw
compressed headers which, all with the same offset and length.
Ensure that each byte in the decompressed header tab is accounted for.
The only fields that are still pointing to the raw compressed buffer is
the http2.header field (covering a full raw header), the representation
type (a few bits, at most 1 octet) and the index length (guessed length,
an exact value is probably not worth the cpu cycles).
Change-Id: Ic0118e9ed583841a2d353f8b8c28dcafea3401f2
Reviewed-on: https://code.wireshark.org/review/24660
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Store all packets' headers indexes of oneway stream in its header_stream_info struct.
(Just store pointers refer to each HEADERS or CONTINUATION packets' header arrays)
Add http2_get_header_value() function to allow other dissectors to get HTTP2
headers of this stream later in DATA frames.
Ping-Bug: 13932
Change-Id: I9f623f66045845c338cd6233d4c6da3f6875fc69
Reviewed-on: https://code.wireshark.org/review/22859
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Nardi Ivan