Several of the constant length string built in address types don't
check to see if the buf_len passed in is long enough to write
the string.
This can cause buffer overflows, e.g. with a custom column with
many FT_ETHER fields.
Allow checking if a slice exists. The result is true if the
slice has length greater than zero.
The len() function is implemented as a DFVM instruction instead.
The semantics are the same.
Port 45564 is not IANA registered for Apache. The heartbeat
messages all start with the same 8 character ASCII delimiter
string, so use that for heuristics.
This removes unparsed name resolution during the semantic
check because it feels like a hack to work around limitations
in the language syntax, that should be solved at the lexical
level instead.
We were interpreting unparsed differently on the LHS and RHS.
Now an unparsed value is always a field if it matches a
registered field name (this matches the implementation in 3.6
and before).
This requires tightening a bit the allowed filter names for
protocols to avoid some common and potentially weird conflicting
cases.
Incidentally this extends set grammar to accept all entities.
That is experimental and may be reverted in the future.
Treat all 4 octets of the control field as a single little-endian value
divided into bitfields. We already showed *some* subfields as
bitfields; this means we show *all* of them that way.
That makes the display more clearly show which bits in those octets
correspond to which fields.
It also fixes the dissection of the type field; we have separate
bitfields for I frames (1-bit bitfield) and S and U frames (2-bit
bitfield).
Use proto_tree_add_item_ret_uint() to fetch the values other than the
frame type value.
Fixes#18167.
Strengthen the DCP-ETSI (TS 102 821) heuristic from matching
two bytes to matching four bytes. Split the heuristic and
non-heuristic dissector pieces, and add the non-heuristic
dissector for Decode As.
KNX/IP has an IANA registered port, 3671, and some other ports commonly
used but unregistered (or registered to other services). It also has
no heuristics. Add a port range preference defaulting to the registered
port.
tplink-smarthome uses a port registered by IANA to another application.
At least add a heuristic; since the message is always JSON, we
can decode and test the first two characters.
USB 2.0/1.1/1.0 devices (or 3.x and newer when connected to hosts that
are not Super-Speed capable) operate at one of three speeds:
* Low-Speed (1.5 Mbps)
* Full-Speed (12 Mbps)
* High-Speed (480 Mbps)
Supporting speed specific linktypes allows speed specific dissection
without the need for user to manually set the speed.
After implementing RFC 7983, the STUN dissector will reject
DTLS and [S]RTP packets even in non-heuristic mode. Since
the dissector is more discriminating, it is safe to set
the conversation dissector after receiving any valid STUN
packet, not just specifically a TURN packet.
This makes dissection work better on some captures that have
some TURN ChannelData messages along with STUN packets in
the other direction, but lack the packets that set up the
TURN Channel. In turn, that allows the Decode As setting to
be configured for RTP, which has a weaker heuristic dissector
than STUN. Fix#18148.
Port the script that creates init.lua to Python3. The generated init.lua
removes one newline and adds another, otherwise the output is identical
to the Perl version.
Ping #18152.
Port the script that creates taps_wslua.c and taps.txt to Python3. The
generated taps_wslua.c has one less newline, otherwise the output is
identical to the Perl version. Make the "taps" configuration file an
ConfigParser / .ini file.
Ping #18152.
This code adds more robust handling of smaller issues with PTP messages,
like a missing 2-step flag of a not quite correct implementation of
802.1AS and improves 1-step support.
Changes:
- Handle 1-step syncs in analysis.
- Handle missing 2-step flag on pDelay more robust and warn in analysis.
- Handle missing F'up TLV in 802.1AS Sync more robust and warn.
Reject the previous reserved and unassigned TURN channels and
STUN methods restricted by RFC 5764 and RFC 7983 to allow
multiplexing of STUN with DTLS-SRTP (and ZRTP) on the same
addresses and ports. (As an exception, allow the special MS
Multiplex TURN channel value.) Earlier versions of the specs
had these as unassigned (or did not support TURN Channels), and
no implementation has used them.
This prevents the STUN dissector from claiming RTP packets
going to the same port as set for STUN by Decode As, and should
allow us to set the STUN dissector as the dissector for a conversation
on UDP if we see any STUN message, not just a TURN message type.
- Declare a separate type for the IPv6 TLV MAC address, otherwise its
filter key is `ieee1905.ipv4_type.mac_addres` instead of the expected
`ieee1905.ipv6_type.mac_addres` one which is confusing
- Fix label for `hf_ieee1905_ipv6_type_count` to read "IPv6 address count"
instead of the wrong "IPv4 address count"
- Parse the IPv6 link local address which appears between the EUI-48 and
the IPv6 address count in IPv6 type TLVs, without that, valid IPv6 TLVs
are wrongly parsed and reported as malformed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MS-IMPLEMENTATION-VERSION is not a duplicate of MS-VERSION, and
has a different interpretation. MS-VERSION is the version number
of MS-TURN, its values described in 2.2.2.17 of its spec, and
MS-IMPLEMENTATION-VERSION is the version of MS-ICE2, its values
described in section 3.1.5.2 of its spec.
The latter indicates whether the STUN message format must be that of
Internet-Draft behave-rfc3489bis-02 (that is, roughly the final
form of classic STUN, also used in MS-TURN) or whether that of
RFC 5389 is also supported.
HTTP chunked transfer encoding can have lots of chunks, and calling
the data dissector for each individual chunk adds a large number of
layers to the frame and doesn't really make sense. (As opposed to
calling the data dissector on the reassembled data if we can't handle
the content type, which does make sense.) In particular, this can
cause a failed assertion by adding more layers than
PINFO_LAYER_MAX_RECURSION_DEPTH.
Just add each data chunk as a FT_BYTES item. Fix#18130.
This adds support for using the layers filter
with field references.
Before:
$ dftest 'ip.src != ${ip.src#2}'
dftest: invalid character in macro name
After:
$ dftest 'ip.src != ${ip.src#2}'
Filter: ip.src != ${ip.src#2}
Syntax tree:
0 TEST_ALL_NE:
1 FIELD(ip.src <FT_IPv4>)
1 REFERENCE(ip.src#[2:1] <FT_IPv4>)
Instructions:
00000 READ_TREE ip.src <FT_IPv4> -> reg#0
00001 IF_FALSE_GOTO 5
00002 READ_REFERENCE_R ${ip.src <FT_IPv4>} #[2:1] -> reg#1
00003 IF_FALSE_GOTO 5
00004 ALL_NE reg#0 != reg#1
00005 RETURN
This requires adding another level of complexity to references.
When loading references we need to copy the 'proto_layer_num'
and add the logic to filter on that.
The "layer" sttype is removed and replace by a new
field sttype with support for a range. This is a nice
cleanup for the semantic check and general simplification.
The grammar is better too with this design.
Range sttype is renamed to slice for clarity.
Use "True" or "TRUE" instead of "true" and remove case insensivity.
Same for false. This should serve to differentiate booleans a bit
more from protocol names, which should be using lower-case.
This change fixes a segmentation fault core dump in tshark/Wireshark
when loading a pcapng file that contains the packet verdict option.
This problem got introduced in the commit mentioned below.
Fixes: 030b06ba3c ("pcapng: write packet and Netflix custom blocks the same as other blocks.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This dissector is for the control messages of the GRE bonding protocol by
Huawei. These messages are encapsulated in GRE and can appear on both/all
bonding links.
During development, I made heavy use of traffic for Deutsche Telekom Hybrid
service. There fore, it also supports the first version which did not have an
IEEE assigned ethertype.
By adding signal aggregation the time to change profiles changed
dramatically. This is due to unregistering header fields being a very
slow operation and for aggregation each signal line did not lead to 2
but to 5 hfs.
Unregistering header fields for 150k signal example config (debug build):
- 3.6: 50s
- 3.7: 592s (9:52!!!)
This patch brings the time back to 50s, if no aggregation is configured.
Use host byte-order with AT_NUMERIC to make it more generic
and practical.
Change openSAFETY to pass addresses in host byte-order (the
previous code assumed they were in little-endian).
Plus a few cleanups.
The previous output was missing some fields under some conditions, and
some output text was wrong. This ended up in big confusion when looking
at the fields. Let's add the missing fields, fix the existing ones and
provide better formatting of the strings to understand which exact field
provides the info.
ETSI TS 24.380 section 8.2.3.4 specifies that:
"The <Reject Phrase> value is a text string encoded the text string
in the SDES item CNAME as specified in IETF RFC 3550."
This does not mean that SDES tipe and length files are necessary,
only applies in the enconding of the text string.
Make the default UI layout "packet list on top, packet detail and bytes
side by side". This is more space efficient on modern displays and is
the first thing I change when using the default profile.
After parsing a Topology Descriptor at the start of a request
or reply command, reset the left and right bracket counters
before going back to the top of the loop to parse the next
command, just like how done at the end of the while loop with
a normal command.
Prevents marking as malformed packets which have a Topology Descriptor
followed by a single command (e.g. Move) without any trailing
descriptors, and hence no more left brackets.
Add a numeric address type analog to StringZ for
protocols who only use numeric values as addresses
with no further handling.
e.g. IAT protocols which only enumerate the devices
Since the endpoint_by_id code uses elements and not the old
endpoint structure, it shouldn't set pinfo->use_endpoint to
TRUE when creating, and it should check if pinfo->conv_elements
is NULL, not pinfo->conv_endpoint.
Trying to parse LUS and LNS files if the protocol version
was "A1" led to them being marked as a malformed packets.
THis is because protocol version A1 LUS and LNS files do
not have the exception timer field. So to fix it, we check if
the protocol version is not A1, and only if it isn't do we try to
parse the exception timer field.
Because completed reassemblies are hashed in the reassembled_table for
all the frame numbers that contributed fragments,
fragment_get_reassembled_id() works wherever fragment_get_reassembled()
does, and also works where the fragment id is not the frame number.
However, since the reassembled_table hash key only depends on the
fragment id and the frame number, it only allows a frame to have
one reassembly with a given fragment id. Some protocols can have
more than one reassembly with a given fragment id (that differ on
addresses or other keys), such as GSM SMS, and the wrong reassembly
is retrieved on the second pass in those cases.
For this reason, we might want to add additional key elements to
reassembled_table, such as layer number. fragment_get_reassembled_id
already takes packet_info as a parameter and can accommodate that
without further changes, but fragment_get_reassembled cannot, so
remove the latter in favor of the former.
If we get into the dissect_tftp call, we must have either matched
a WRQ/RRQ at some point and created a wildcarded UDP conversation,
or we matched the TFTP port. While it is contrary to the spirit
of RFC 1350 for the server not to switch ports, it basically works
and the port is IANA assigned, so it doesn't do harm to process these.
In the heuristic dissector, of course, we don't do this.
The conversation code doesn't automatically fill in wildcarded
ports for UDP (since it's connectionless), and the wildcarded
find_conversation call in the TFTP dissector was twisted around
so it didn't actually fill in the second port before anyway.
Filling in the server port would make sense, but then the necessary
logic to find the right conversations would be more complicated.
(The default find_conversation logic prefers any conversation with
both ports to a wildcarded conversation, but the TFTP dissector would
then want the most recent conversation, whether wildcarded or with
both ports.)
These packets were handled prior to the 3.6 changes. Fix#18122
Unlike most of the FC fields, Track info participant type string file
padding is not considered in the dissector. This causes that all the FC
message dissection fails the string contains padding.
According to ETSI TS 24.380 Section 8.2.3.13:
If the length of the <Participant Type> value is not a multiple
of 4 bytes, the <Participant Type> value is padded to a
multiple of 4 bytes. The value of the padding bytes is set to zero.
The padding bytes are ignored by the receiver.
Use the proper encoding instead of ENC_ASCII when displaying the
individual parts of a reassembled unpacked 7-bit GSM alphabet
SM, just as when displaying each fragment.
SMPP only has the number of octets of the message payload, but
with packed 7-bit GSM with a UDH, there are fill bits after the
UDH before the message (to align the message start with a septet
boundary), and we need to calculate the number of septets.
Handle UDH-like information (ports and fragmentation info) that is sent
in TLVs instead of in a UDH, passing to to the gsm_sms_ud dissector.
Allow message_payload TLV to substitute for short_message when allowed.
Warn with expert info when both fields are present.
Skip over a UDH, if present, when converting the short message to text
using the encoding.
Fix#2161.
Use protocol data to reduce the amount of parameters passed back and
forth.
replace_sm can have a TLV (message_payload) (at least in 5.0), so
check for that.