Use the DSI_ defines, rather than the raw hex values for bits, to make
it clearer what's being tested.
Make all of the DSI_ #defines, rather than just some of them, unsigned.
Playing with the sample capture from bugzilla bug 10562, dissection of
packet 491 (ecmp file_info request) brought up an expert info about a
malformed packet.
The request contains a list of requested attributes. For each attribute,
only the attribute ID is part of the request. The current code tries to
dissect each attribute, this fails when we only have a list of
attribute IDs...
Add a subtree for the list of IDs (and the length of that list).
While at it, remove some unnecessary variable initializers.
Commit 873d5980cd improved STUN heuristic to match TURN ChannelData messages.
It was based on the assumption that, looking at the "stun.type.method" field,
it should be trivial to determine if the current packet carries a TURN message
or not. However, at least one STUN/TURN implementation (Facetime) uses
unknown/custom TURN methods to set up a Channel Data. Fortunately, standard
TURN attributes are still used in the replies.
Improve such heuristic taking into account specific TURN attributes, too.
The list attributes have been taken from RFC5766.
Stream Specification: https://www.ilda.com/resources/StandardsDocs/ILDA_IDN-Stream_rev001.pdf
The stream specification only defines IDN messages. The other packet commands
like ping request, ping response, etc. (see line 25 - 31 in packet-idn.c)
are part of the hello specification which is not released yet. We were still
able to implement some hello packets since we received a preliminary version
of the hello specification, because we need the hello packets for our work.
related to #16707
Stream Specification: https://www.ilda.com/resources/StandardsDocs/ILDA_IDN-Stream_rev001.pdf
The stream specification only defines IDN messages. The other packet commands
like ping request, ping response, etc. (see line 25 - 31 in packet-idn.c)
are part of the hello specification which is not released yet. We were still
able to implement some hello packets since we received a preliminary version
of the hello specification, because we need the hello packets for our work.
related to #16707
This adds a protocol post-dissector for Community ID support to
Wireshark/tshark: https://github.com/corelight/community-id-spec
The protocol is disabled by default. It establishes one new filter
value, "communityid".
Includes test cases and baselines to verify correct Community ID
strings based on similar testsuites in the existing Zeek and Python
implementations.
Define a bew type name type-name="OctetStringOrUTF8" type-parent="OctetString"
to be used with OctetStrings that CAN be strings. This is a Wireshark
unique addition to the xml dixtionarys and makes use of BASE_SHOW_ASCII_PRINTABLE.
If a time field uses a standard enconding, we can call proto_tree_add_item()
to add it to the tree. There's no need to parse the time field ourselves.
Update two places in the afs dissector where the manual parsing can
easily be replaced with a proto_tree_add_item() call.
Remove the old posix_v1 code which no clients ever implemented and add
code to dissect current version of the POSIX extensions as implemented
by the Linux kernel client (cifs.ko).
Pass the value of the NDS class definition type to process_multivalues()
as the vflags, rather than the NDS flags, as that's what the
MVTYPE_CLASS_NAMES case in process_multivalues() is expecting.
That way, the class definitions will be dissected correctly.
Even if Q046 is an old version, it is still used by the current QUICHE
implementation.
In this way, the latest Wireshark is able to dissect all GQUIC versions
supported by recent Chrome (Q043,46,50 and T050,51), i.e. all GQUIC versions
that you can find in live traffic right now.
Pcap examples are available in #15984 and in the attachment.
Some Q046 information are available in:
https://docs.google.com/document/d/1FcpCJGTDEMblAs-Bm5TYuqhHyUqeWpqrItw2vkMFsdY/edit#heading=h.32qkkficm7zaClose#15984
FT_STRINGZPAD is for null-*padded* strings, where the field is in an
area of specified length, and, if the string is shorter than that
length, all bytes past the end of the string are NULs.
FT_STRINGZTRUNC is for null-*truncated* strings, where the field is in
an area of specified length and, if the string is shorter than that
length, there's a null character (which might be more than one byte, for
UCS-2, UTF-16, or UTF-32), and anything after that is not guaranteed to
have any particular value.
Use IS_FT_STRING() in some places rather than enumerating all the string
types, so that those places get automatically changed if the set of
string types changes.
In process_multivalues(), we create a protocol item for the attribute
syntax, but we don't fetch its value, and don't pass it to
print_nds_values() as the syntax argument; instead, we pass a variable
that wee initialize to 0, but never set. (One of the disadvantages of
preemptively initializing local variables is that data flow analyzers in
compilers and static analyzers can't point out that you didn't set the
variables in question to *useful* values.)
This fixes the dissection of NDS Read replies.
This field is actually a bitmask of four bits. It's somewhat odd
to decode it using a value_string. In any case, the values were
plain wrong (shifted to the left by '1').
See Figure A.3 of ITU-T Q.933
A related pcap file can be found at
https://people.osmocom.org/laforge/pcap/gsmtap-fr-q933-pvc_status.pcap
The mask applied to the final octet of the PVC Status IE must be 0x0E,
not 0x0A. The current code masks out the active bit, printing a '.'
instead of it.
See Figure A.3 of ITU-T Q.933
A related pcap file can be found at
https://people.osmocom.org/laforge/pcap/gsmtap-fr-q933-pvc_status.pcapc
FCNO Improve field display
FOPA Improve field display
FCMI Support new structure
GMO Support version 4
LPOO Improve field display
ID Initial Data Improve field display
PMO Improve QName display in COL_INFO
CONN Improve field display
To quote the GenDC 1.1 specification, section 2.2.2 "GenDC Container
Header Description":
Unique signature identifying a GenDC Container: a FourCC code
encoded as 4 ASCII characters not null terminated ...
so it's FT_STRING, not FT_STRINGZ.
Give the URL for a page pointing to all GenICam standards, including the
GenDC standards, version 1.0 and 1.1.
According to the Novell IPX Router Specification, Chapter 4 "Service
Advertising Protocol (SAP)":
Server Name
This field contains the 48 byte character string name that is
assigned to a server. The Server Name, in combination with the
Service Type, uniquely identifies a server on an internetwork.
Although SAP response packets always include the full 48 bytes
for this field, typical server names are usually less than 48
characters long and are ASCII NULL terminated. The contents of
the unused bytes which follow the NULL terminator are undefined.
which seems to indicate that a full 48-byte name will not have a null
termintor. It also indicates that the field isn't null-padded, just
"null-terminated if it's not terminated by the end of the field's fixed
length"; perhaps we need to distinguish between the former and the
latter, although it's not clear what would be a good short name for the
latter.
In any case, it sounds as if it's not guaranteed to be null-terminated.
As per IEEE Std 802.1Q-2016, section 13.8 "MST Configuration Identifier
(MCID)",
The Configuration Name, a variable length text string encoded
within a fixed field of 32 octets, conforming to IETF RFC 2271's
definition of SnmpAdminString. If the Configuration Name is
less than 32 characters, the text string should be terminated by
the NUL character, with the remainder of the 32-octet field
filled with NUL characters. Otherwise, the text string is
encoded with no terminating NUL character.
so it's not FT_STRINGZ, it's FT_STRINGZPAD.
This applies to other configuration names as well.
The Aeron specification says nothing about it being null-terminated, and
in at least some captures, it's not null terminated.
Make it an FT_STRING, rather than an FT_STRINGZ.
Clean up a comment so that more of the URL is visible in a narrower
window.
MariaDB and MySQL are not longer drop-in compatible, they differ in very
different directions
for protocol and api. This patch contains support for MariaDB specific
commands and extensions:
- MariaDB specific character sets and collations (also updated MySQL
collations)
- MariaDB extended capabilities in greeting and login packets
- Support for MARIADB_STMT_BULK_EXECUTE command
- Removal of "5.5.5-" prefix in the version string.
These parameters are used by latest GQUIC versions.
Pcap examples are available in #16825
I noticed that gquic::dissect_gquic_tag() and gquic::dissect_gquic_tags()
don't really need the gquic_info parameter: remove it
Both osmocom and TTCN3 Titan are parsing Handover Request with an IPv6
Transport layer Address just fine, but wireshark was showing it as
malformed. Parsing the address similar to what is done in IPv4 fixes the
issue.
Remove the --check-addtext and --build flags. They were used for
checkAddTextCalls, which was removed in e2735ecfdd.
Add the sources in ui/qt except for qcustomplot.{cpp,h}. Fix issues in
main.cpp, rtp_audio_stream.cpp, and wireshark_zip_helper.cpp.
Rename "index"es in packet-usb-hid.c.
Done by scanning the asan1 template files. If there are spelling
mistakes in the specifications, we should ignore. Note that for z3950, I had
already found and accidentally fixed the same errors in the generated
file (before I taught my script to ignore gnerated dissector files).
In the T11 version of FCOE, the length field was removed. If the last
four reported bytes don't look like the EOF plus padding, but the four
bytes before that do, then the Ethernet FCS is almost surely present so
treat it that way. Closes the other case of #4594
Now that we're setting the C-language locale to use the UTF-8 code page,
they're already *in* UTF-8; g_locale_to_utf8() doesn't treat the
C-language locale's code page as the "locale" code page, it uses the
system code page, so it reads a UTF-8 string as being in some local code
page's encoding and proceeds to mangle it in the process of converting
it to UTF-8.
Closes#16811 (closed)
Otherwise it triggers an assert when adding the column as the field is
defined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value
(not in proto_checksum_vals[)array) cannot be represented.
Mark the checksum as bad even if we process the packet.
Closes#16816
The pre-T11 (pre August 2007) version of FCOE has a frame length, so it's
possible to set the length in order to help the Ethernet dissector determine
if a capture includes the Ethernet FCS, like how other dissectors do it.
This isn't possible in the standardized version, since the length field
was removed. Closes#4594.
Fix the following compiler warnings
packet-cl3.c:120:39: warning: 'tree' was marked unused but was used [-Wused-but-marked-unused]
ti = proto_tree_add_protocol_format(tree, proto_cl3, tvb, 0, header_length, "CableLabs Layer-3 Protocol (CL3) Version %u", (guint)version);
packet-cl3.c:136:32: warning: 'tree' was marked unused but was used [-Wused-but-marked-unused]
dissect_cl3_v1(tvb, pinfo, tree, ti, cl3_tree, header_length);
There will likely be one for for this pass. Further improvements to the
script are possible, i.e. filtering out (usually filter) strings such
as 'onetwothree' - may not be worth it though.
By default, ITS messages are send based on the geonetworking protocol.
Several tools send these messages via UDP as well
This patch enables "Decode As ITS" for UDP packets
A second batch of spelling errors, detected using a script
that uses pyspellcheck and a Wireshark-specific dictionary file.
I will take at least one more pass through the dissectors, as
further improvements are made to the script.
Python's lstrip apparently doesn't strip a prefix but instead strips
all supplied characters from beginning of a string. Using lstrip
in generate-nl80211-fields.py script to remove the 'nl80211_' prefix
happened to work for everything but a few NAN related enums.
Introduce a remove_prefix function and regenerate the nl80211
dissector code to fix the abbreviated field names for NAN.
Notes:
1. There are no functionality changes with this delivery
2. This change is to reduce manual copying between structs. This will make it easier to add upcoming feature changes, and fix some connection handling issues (future merge requests).
3. Combine enip_conn_val_t and cip_conn_info_t. Previously, there were 2 different structs to track information about an overall CIP Connection.
Notes:
1. There are no functionality changes with this delivery
2. cip_connID_info_t describes a one-way connection. Each CIP Connection includes 2 of these. Previously, each operation was duplicated for each direction.
3. This change is to reduce copypaste, simplify logic, and make it easier to add upcoming feature changes, and fix some connection handling issues (future merge requests)
Changes:
1. Extract Method: get_conversation_info_one_direction
2. dissect_net_param16/dissect_net_param32: Parse and set data into cip_connID_info_t
FT_STRINGZ means "terminated by a null character", so there can't be
non-null characters following the terminating null.
FT_STRINGZPAD doesn't only mean "padded with nulls"; there are protocols
where a string that's not the full length of the part of the packet for
the string has a null terminator but isn't guaranteed to be fully padded
with nulls. We can later add a separate type for fields where we really
*should* check that the padding is all nulls.
Change-Id: I5964817b4b847cb4db73f8ac673141052e8ef92c
Reviewed-on: https://code.wireshark.org/review/38230
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Section D.2.4.3 "protocol identity" of IEEE 802.1Q-2018 says:
The protocol identity field shall contain the first n octets of the
protocol after the layer 2 addresses (i.e., for example, starting
with the EtherType field) that the sender would like to advertise.
Show it as FT_BYTES, not FT_STRINGZ.
Add a comment explaining that, and expand a comment to indicate what
specifications there are for LLDP and some Organizationally Specific
TLVs.
Change-Id: I8c41026379731d1c05134d6e7ad563227f9fbfde
Reviewed-on: https://code.wireshark.org/review/38229
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Fix some Wayback Machine URLs that no longer work because the
wayback.archive.org domain name no longer works.
Update some Microsoft URLs that used to go through the Wayback Machine
to point to the current versions at docs.microsoft.com.
Update a comment to reflect the disappearance of a Network Associates
document and its absence from the Wayback Machine.
Change-Id: I27a5b19fa7747a8f601fd9e6c0bf75aba0a3528e
Reviewed-on: https://code.wireshark.org/review/38225
Reviewed-by: Guy Harris <gharris@sonic.net>
Add URLs from newer versions of the protocol documentation.
Change-Id: I03d6b4d34ce7f7b831a4eda3075b65b026f96526
Reviewed-on: https://code.wireshark.org/review/38224
Reviewed-by: Guy Harris <gharris@sonic.net>
Update one URL to a newer location and newer version of the document;
change the other one to use HTTPS.
Change-Id: I18bb2a14722c4e340a3e5f1afe0198def9d4fceb
Reviewed-on: https://code.wireshark.org/review/38223
Reviewed-by: Guy Harris <gharris@sonic.net>
The original document no longer appears to be available; point to the
Wayback Machine version.
Change-Id: I9f0b0742339cc7a982e638cbae5155e9ac6c1d20
Reviewed-on: https://code.wireshark.org/review/38222
Reviewed-by: Guy Harris <gharris@sonic.net>
Don't just pass ENC_NA, pass ENC_ASCII|ENC_NA, to mark all string
fetches with the encoding to use.
Change-Id: Icbe533b8e36d6df25841049950512cecd4c247a1
Reviewed-on: https://code.wireshark.org/review/38221
Reviewed-by: Guy Harris <gharris@sonic.net>
Don't just pass ENC_NA, pass ENC_ASCII|ENC_NA, to mark all string
fetches with the encoding to use.
Change-Id: If834f216a49787ff09b3b714d755d9467848e5a5
Reviewed-on: https://code.wireshark.org/review/38220
Reviewed-by: Guy Harris <gharris@sonic.net>
GSMTAP has recently gained support for wrapping E1/T1 protocol traces.
This is very useful as contrary to pcap/wtap file based protocol traces,
GSMTAP can be streamed in real-time.
The GSMTAP pseudo-header encodes information such as
* the E1/T1 timeslot number
* the E1/T1 subeslot number (if I.460 is used)
* the E1/T1 line/span number (somewhat awkwardly as 'antenna number')
* the payload (LAPD, Frame Relay, TRAU, ...)
In this first implementation in wireshark, only FR and LAPD
sub-dissectors are added. The other payloads (TRAU) do not have any
wireshark dissectors so far.
Change-Id: Ib699e9231ef7b9e6c5053e6b920954b3e7b0a4a4
Reviewed-on: https://code.wireshark.org/review/38213
Reviewed-by: Vadim Yanitskiy <vyanitskiy@sysmocom.de>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
I cannot find any mention in Q.933 that those two information elements
should not be present in CS0. In fact, multiple real-world traces
I just recently took from Cisco and Ericsson equipment encodes
those IEs in normal codset 0.
This appears to have been broken since commit
bafebc7b80 in 2005, when the code was
first introduced.
Change-Id: I4c0ad080447d492b541cf7abd1e3f24a0e85084a
Reviewed-on: https://code.wireshark.org/review/38212
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
3GPP TS 48.016 specifies GPRS-NS over Frame Reley. In Section
6.1.1 it explicitly states that ITU-T Q.933 Annex A for FR PVC
must be supported. In real-world Gb-over-FR protocol traces I also
see related LMI messages on DLCI=0.
Hence, let's not dispatch DLCI=0 messages to the GPRS-NS dissector,
where they are all detected wrongly. Only non-zero DLCI are NS-VC.
Change-Id: I6ce3557cda0da31323a851008bf648047ba1f926
Reviewed-on: https://code.wireshark.org/review/38211
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There is IPv4 Address/ 6 null bytes / IPv4 Address
IPv4 Address is client ? DC ?
Bug: 16657
Change-Id: Ie09f4598e18e26c95d297e3c622c80d3395d25d4
Reviewed-on: https://code.wireshark.org/review/38196
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I2fad824ca417dcd089fabfdf06f28529c7ee9e87
Signed-off-by: Filipe Laíns <lains@archlinux.org>
Reviewed-on: https://code.wireshark.org/review/37949
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
'couchbase.flex_frame_extras' exists multiple times with incompatible types: FT_STRING and FT_UINT8
Change-Id: Ide607ca786e19015f4aae3cfbe85675581968267
Reviewed-on: https://code.wireshark.org/review/38011
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There can be multiple PDV segments in the same frame that belong to
different reassemblies. Change the reassembly_id used for the
reassembly tables so that it is not identical for all segments in
the same presentation context (but still unique for a given reassembly),
so that that case can be handled properly. Otherwise fragment_add_seq_next
will retrieve the wrong reassembly for one of the segments (especially
on the second pass.)
Bug: 13110
Change-Id: Ib967fc7f6b7b591b9e3494d81d3b5d4ecc43cac1
Reviewed-on: https://code.wireshark.org/review/38200
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Domain ID in non participant discovery packets is deduced from the port.
This is valid only when using UDP. If using TCP that values must be
taken from the discovery or otherwise mark it as unknown.
Change-Id: I8fe64f5f67d86412edefdccdca8ded63193f6e14
Reviewed-on: https://code.wireshark.org/review/38003
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If one field uses a report ID, all other should too. Otherwise we don't
know if the first byte is a report ID or a data value.
Change-Id: I84f5cde3f08c26d904d7c5f66e8d622b820b3f6c
Signed-off-by: Filipe Laíns <lains@archlinux.org>
Reviewed-on: https://code.wireshark.org/review/37781
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There cases where we may want to pre-allocate some memory before
appending all the fields.
Change-Id: Ic46e83733d4338dbda45b2ca3ff2d533c5b44026
Signed-off-by: Filipe Laíns <lains@archlinux.org>
Reviewed-on: https://code.wireshark.org/review/38122
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
format_text(alloc, string, strlen(string)) is a common idiom; provide
format_text_string(), which does the strlen(string) for you. (Any
string used in a %s to set the text of a protocol tree item, if it was
directly extracted from the packet, should be run through a format_text
routine, to ensure that it's valid UTF-8 and that control characters are
handled correctly.)
Update comments while we're at it.
Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e
Reviewed-on: https://code.wireshark.org/review/38202
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
- use segment size during sdo (write by index) payload decoding process
- set mapping-sections of sdo objects one level lower
Bug: 16792
Change-Id: Iae3f2095142ad076f7cde6266493e7308c65a51f
Reviewed-on: https://code.wireshark.org/review/38199
Reviewed-by: Christian Krump <christian.krump@br-automation.com>
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
it is possible to have multiple range port for TSAgent
Change-Id: I7b45f30a1d1cf974ffcf62d2f19dbc30b621ec4e
Reviewed-on: https://code.wireshark.org/review/38186
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Update the data related to ITU-T E.212 with the latest released information
as found in the ITU-T Operational Bulletins, amended with some other online
resources where the ITU-T seem not be informed yet.
Also retain the UTF-8 encoding of the registered data.
Bug: 16755
Change-Id: I13ba306558c0768379fa0e82db84e30f57af8259
Reviewed-on: https://code.wireshark.org/review/38159
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
With commit f8a394022b the Unassigned
entries were put in with off-by-one values. This changes puts them
in their right place.
Change-Id: I77c6eb4c47f17b8fba2dd662d3589ff63855e55f
Reviewed-on: https://code.wireshark.org/review/38179
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Implement updates of the following lists:
List of Signalling Area/Network Codes (SANC), based on
Annex to the ITU Operational Bulletin No. 1125 - 1.VI.2017
List of International Signalling Point Codes (ISPC), based on
Annex to ITU Operational Bulletin No. 1199 - 1.VII.2020
Also retain the UTF-8 encoding of the registered data.
Change-Id: I8c0ff7107a9489d7ec6ed1cc272717f06e2e7599
Reviewed-on: https://code.wireshark.org/review/38073
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The hf field was already created, but it was just not used anywhere.
Change-Id: I7af885911093d6a7a57a408c6d4d11bda155e6f6
Reviewed-on: https://code.wireshark.org/review/38178
Reviewed-by: Kenneth Soerensen <knnthsrnsn@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
SI symbol for kilohertz is kHz, not KHz.
Ping-Bug: 11743
Change-Id: Ie6cafd242b2e479783ecd8ab8a04c08effe23413
Reviewed-on: https://code.wireshark.org/review/38168
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Set I/O to only drive on a '0' and tristate on a '1' command essentially
sets each I/O output type to either Open-Drain or Push-Pull.
Ping-Bug: 11743
Change-Id: I580d63c80114ad8f4a7cb1fc82a3c40720cc71e6
Reviewed-on: https://code.wireshark.org/review/38167
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
'check_tfs.py --common' can look for tfs values that appear multiple times.
Current output prior to these dssector changes was:
('No Extension', 'Extension') appears 3 times in: ['epan/dissectors/packet-bssap.c', 'epan/dissectors/packet-camel.c', 'epan/dissectors/packet-gsm_map.c']
('Optimised for signalling traffic', 'Not optimised for signalling traffic') appears 3 times in: ['epan/dissectors/packet-gsm_a_gm.c', 'epan/dissectors/packet-gsm_map.c', 'epan/dissectors/packet-gtp.c']
('Data PDU', 'Control PDU') appears 3 times in: ['epan/dissectors/packet-pdcp-lte.c', 'epan/dissectors/packet-pdcp-nr.c', 'epan/dissectors/packet-rlc-nr.c']
('Message sent to originating side', 'Message sent from originating side') appears 3 times in: ['epan/dissectors/packet-q2931.c', 'epan/dissectors/packet-q931.c', 'epan/dissectors/packet-q933.c']
('User', 'Provider') appears 3 times in: ['epan/dissectors/packet-q2931.c', 'epan/dissectors/packet-q931.c', 'epan/dissectors/packet-q933.c']
The first and last ones were made common, the others seem a little too specialised.
Checking some of the existing items in tfs.c (using QtCreator's 'Find Usages'),
some of the common items are used a lot, but many of them are not referenced.
Change-Id: Ia4006d2c4fa7cafbc3b004dc7a367a986dbeb0c4
Reviewed-on: https://code.wireshark.org/review/38177
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also fix packet-ieee1905.c to include packet-wifi-dpp.h for the definition
it needs.
Change-Id: Iebb290ffb3112161605d6065123cfc54b921f2eb
Reviewed-on: https://code.wireshark.org/review/38163
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The names for files extracted from data PDVs depend on information in the tags.
Need to read the tags for data PDVs if the Export Objects tap has a listener
even if there isn't a tree (so that tshark works) and need to send data to
Export Objects only after reading the tags (so that it works on the first pass).
This makes the tshark single pass behavior match wireshark GUI behavior.
Bug: 16771
Change-Id: I6cfa792e7b86f205290ff92c9f5e09fd94a25f9f
Reviewed-on: https://code.wireshark.org/review/38164
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Detected by check_typed_item_calls.py.
Change-Id: I08081c6619f3e1cd1b6733c8a2864bf9ac2a16aa
Reviewed-on: https://code.wireshark.org/review/38162
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Correct endianess for Max PDU field in LE Set CIG Parameters and LE
Create BIG Test Command. Correct endianes for BIS handle and remove
PHY field from LE Create BIG Sync Established Event.
Add SDU interval field to LE BIGInfo Advertising Report Event.
Change-Id: Ic276aceb5a2e1cd6e1c08ae20303bfbe6bdc1286
Signed-off-by: Allan Møller Madsen <almomadk@gmail.com>
Reviewed-on: https://code.wireshark.org/review/38157
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The Google/Apple Exposure Notification protocol is designed to aid
contact tracing efforts by allowing users to broadcast changing
identifiers, derived from longer-term (24 hour) keys; in the event that
a user receives a positive diagnosis, they upload their longer-term keys
to a key server, and all other users can use those long-term keys to
generate all the potential changing identifiers, and compare those to
their logs to determine if they were in contact with the infected user.
This protocol was developed in response to SARS-CoV-2, but is not
inherently limited to it.
This patch adds a "bluetooth.gaen" filter, with two data fields in the
periodic (changing identifier) broadcast:
- bluetooth.gaen.rpi: The Rolling Proximity Identifier
- bluetooth.gaen.aemd: The Associated Encrypted Metadata
Links to Protocol Documents:
- Google: https://www.google.com/covid19/exposurenotifications/
- Apple: https://www.apple.com/covid19/contacttracing
This change also adds the Bluetooth SIG-assigned 16-bit UUID for GAEN,
0xFD6F, to the list of Wireshark-recognizable 16-bit UUIDs.
These changes are licensed under the same license as Wireshark itself.
Change-Id: I3af14b225a35d0670433a9a89901d4d37895b3bd
Reviewed-on: https://code.wireshark.org/review/38064
Reviewed-by: Anders Broman <a.broman58@gmail.com>
new BMP Message type (Section 2.1).
o Type = TBD: Route Policy and Attribute Trace Message. (100)
new TLV types for the Route Policy and Attribute Trace Message (Section 2.3).
o Type = TBD1 (2 Byte): VRF/Table TLV. (0)
o Type = TBD2 (2 Byte): Policy TLV. (1)
o Type = TBD3 (2 Byte): Pre Policy Attribute TLV. (2)
o Type = TBD4 (2 Byte): Post Policy Attribute TLV. (3)
o Type = TBD5 (2 Byte): String TLV. (4)
Bug: 16749
Change-Id: I9858c94fb8fe5a9f3341204646030e59e13509bf
Reviewed-on: https://code.wireshark.org/review/37911
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Uli Heilmeier <openid@heilmeier.eu>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
tokens[] contains two tokens - the part of the identity before @ and the
part of the identity after @.
realm_tokens[] contain five tokens - the "."-separated parts of the part
of the identity after @.
The latter include "mncNNN" and "mncNNN".
This fixes a crash.
Change-Id: I4b13dd90977a626a823cb53958412301abf8addb
Reviewed-on: https://code.wireshark.org/review/38158
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The IPv4 or IPv6 address was not added properly to the tree
Bug: 16777
Change-Id: Ic28138cc1d4c2dc350fb5ff95aa3a5496a293c91
Reviewed-on: https://code.wireshark.org/review/38153
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Error: epan/dissectors/packet-docsis.c filter= docsis.ehdr.rsvd FT_UINT8 so field_width= 8 but mask is 0x3FFF which is 14 bits wide!
Error: epan/dissectors/packet-ixveriwave.c filter= ixveriwave.contextp.agc FT_BOOLEAN so field_width= 1 but mask is 0x0038 which is 3 bits wide!
N.B. The ixveriwave field was not in use, so was deleted.
Change-Id: Ife73eb9204f7339cc0fe2b4e991f0df553823ffe
Reviewed-on: https://code.wireshark.org/review/38140
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Make it more obvious that the time value is Zero.
Change-Id: Idca96185d869f10cf0d2b8ab6aaccb879dfc1ec2
Reviewed-on: https://code.wireshark.org/review/38135
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's arguably an error, as an FT_STRINGZ requires at least one character
position for the terminating NUL, but the way to handle that is to give
it a string value of an empty string and add an expert info indicating
that the terminating NUL is missing. (The same should be done for
FT_STRINGZ fields with a specified non-zero length that don't have a NUL
in the last character position.)
Change-Id: Ie702bf44db36310f0f6e2625a3a64e6424167546
Reviewed-on: https://code.wireshark.org/review/38136
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The documentation mentioned looks more like API/ABI documentation than
"data on the wire" documentation, but the strings all look like counted
strings, with no trwminating NUL. Use FT_STRING, not FT_STRINGZ.
Add a URL for the MQ PCF documentation and replace no-longer-working
URLs for the MQ documentation with a working URL.
Change-Id: Id656a3e6cd75bff34d1a5a650229b4ba749ef365
Reviewed-on: https://code.wireshark.org/review/38134
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Make sure to set the GSS Data subtree length properly when
the packet has been truncated so at least the rest of the
packet could be partially dissected.
Change-Id: I0b41137aea47c2512d15d28ed620542decd31904
Reviewed-on: https://code.wireshark.org/review/38086
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Add rfc8489 to differences table
- Add expert items for attributes exceeding packet length and attributes with trailing data
- Remove unused and "#if 0"ed attributes_properties_p (never used since added in 2009
Change-Id: If7f804a5ee8ea057765f2d55b04181c644cc3d0c
Reviewed-on: https://code.wireshark.org/review/38059
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the main dissector, check the first 2/3 bytes for recognized
Byte-Order Marks (BOM) and decode if detected.
In the heuristic check, when unicode heuristics are enabled, check the
first 2 bytes for a recognized BOM instead of assuming UCS-2LE. (Still
falls back on that if no BOM detected.)
Bug: 9069
Change-Id: I7c6510221ef9257a9c3030715906e07b88af6aa7
Reviewed-on: https://code.wireshark.org/review/38076
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Update URL for the TACACS+ I-D - point to the IETF site.
Fix code indentation.
Use proto_tree_add_item_ret_uint() to get string lengths when adding
them to the protocol tree.
Put the username and password under the top-level tree item, rather than
at the top level themselves.
The username and password are counted strings, and are not
null-terminated; make them FT_STRING rather than FT_STRINGZ.
Change-Id: Ia974937ade5908f98c0b527586e8ac15c3ffb907
Reviewed-on: https://code.wireshark.org/review/38130
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Those routines do more checking than strtoul(), and get passed a pointer
to a guint32(), so you don't have to worry about 32-bit vs. 64-bit longs
(which causes warnings on macOS builds, courtesy of Apple throwing in
"narrowing 64-bit value to 32 bits" warnings when they introduced their
first 64-bit machines, to help developers 64-bitifying their
applications, causing macOS builds to fail).
If the checks fail, note that in the formatted value.
(XXX - assign units to the fields, so we don't have to add them in our
formatting?)
Change-Id: I35945a3f1eaedc88e5b2ebf500c06fb7cf022753
Reviewed-on: https://code.wireshark.org/review/38119
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Bug: 16764
Change-Id: Iff902150491c984d3069c1b83acef9c2c8ce12c7
Reviewed-on: https://code.wireshark.org/review/38106
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Export proto_item_set_bits_offset_len and fix
In file included from ../epan/dfilter/dfilter.h:18:
../epan/proto.h:1113:11: warning: parameter 'bits_offset' is already documented [-Wdocumentation]
* @param bits_offset The new length in bits.
^~~~~~~~~~~
../epan/proto.h:1112:5: note: previous documentation
* @param bits_offset The number of bits from the beginning of the field.
^ ~~~~~~~~~~~
Change-Id: Ib171ce38607b9656baea5eb7a3e6aee3b99ddbac
Reviewed-on: https://code.wireshark.org/review/38115
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
To quote RFC 4251, "The Secure Shell (SSH) Protocol Architecture",
section 5 "Data Type Representations Used in the SSH Protocols":
string
Arbitrary length binary string. Strings are allowed to contain
arbitrary binary data, including null characters and 8-bit
characters. They are stored as a uint32 containing its length
(number of bytes that follow) and zero (= empty string) or more
bytes that are the value of the string. Terminating null
characters are not used.
Strings are also used to store text. In that case, US-ASCII is
used for internal names, and ISO-10646 UTF-8 for text that might
be displayed to the user. The terminating null character SHOULD
NOT normally be stored in the string. For example: the US-ASCII
string "testing" is represented as 00 00 00 07 t e s t i n g. The
UTF-8 mapping does not alter the encoding of US-ASCII characters.
"Terminating null characters are not used." means "these aren't
null-terminated strings; FT_STRINGZ is for null-terminated strings, but
these are counted strings, for which FT_STRING si the right type.
Change-Id: I217d527847a20b640bf141a5d8d56f31456af04c
Reviewed-on: https://code.wireshark.org/review/38118
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
It's used in a number of source files; don't force each of them to test
GCRYPT_VERSION_NUMBER independently.
Make sure every file that uses HAVE_LIBGCRYPT_AEAD includes
wsutil/wsgcrypt.h.
Also do some other definitions that are based on the libgcrypt version
there as well.
This requires that the Qt UI code be given the include directory for
libgcrypt, as the follow stream code includes
epan/dissectors/packet-quic.h, which includes wsutil/wsgcrypt.h to get
HAVE_LIBGCRYPT_AEAD defined, and wsutil/wsgcrypt.h includes <gcrypt.h>.
Change-Id: I9cb50f411f5b2b6b9e28a38bfd901f4a66d9cc8f
Reviewed-on: https://code.wireshark.org/review/38116
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
http3_is_reserved_code() is only used if HAVE_LIBGCRYPT_AEAD is defined;
only define http3_is_reserved_code() if HAVE_LIBGCRYPT_AEAD is defind.
(Then there's the issue that HAVE_LIBGCRYPT_AEAD is *NOT* defined as a
result of CMake tests, it's defined in packet-tls-utils.c based on the
libgcrypt version, so it's not as if it can be used outside
packet-tls-utils.c, but that's another bug to fix.)
Change-Id: Ibecdf6e12fde27d75fcd7849ca0cd62f4129f5c2
Reviewed-on: https://code.wireshark.org/review/38114
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Replaced tvb_captured_length_remaining() with
tvb_reported_length_remaining().
Change-Id: I87c07488590cd82ca8a945ac6f13efa45807e55b
Reviewed-on: https://code.wireshark.org/review/37098
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Apparently, it's possile for ssh_keylog_compute_hash() to be called with
a struct ssh_flow_data structure with a null kex_e; if it is, give up on
computing the hash before we try dereferencing global_data->kex_e.
See, for example, the capture at
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Example1.pcap
which crashed if I ran a TShark, built from the tip of the master branch::
TShark (Wireshark) 3.3.0 (v3.3.0rc0-1806-g79e43ef98d59)
Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and
contributors. License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see
the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap (including remote capture support),
without POSIX capabilities, with GLib 2.37.6, with zlib 1.2.11, with SMI
0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.4.17, with
Gcrypt 1.7.7, with MIT Kerberos, with MaxMind DB resolver, with nghttp2
1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.9.9.
Running on Mac OS X 10.15.6, build 19G73 (Darwin 19.6.0), with Intel(R)
Core(TM) i9-9980HK CPU @ 2.40GHz (with SSE4.2), with 65536 MB of
physical memory, with locale en_US.UTF-8, with libpcap version
1.10.0-PRE-GIT, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with brotli
1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.3 (clang-1103.0.32.62).
with "tshark -n -V -r Example1.pcap".
Change-Id: Icc534b488e5b486597162e54c725afb54ad61c05
Reviewed-on: https://code.wireshark.org/review/38113
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add a new top-level view that shows each packet as a series of diagrams
similar to what you'd find in a networking textook or an RFC.
Add proto_item_set_bits_offset_len so that we can display some diagram
fields correctly.
Bugs / to do:
- Make this a separate dialog instead of a main window view?
- Handle bitfields / flags
Change-Id: Iba4897a5bf1dcd73929dde6210d5483cf07f54df
Reviewed-on: https://code.wireshark.org/review/37497
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
PAA is a variable length IE, but it is not extendable (see Table 8.1-1 in
3GPP TS 29.274). For a give type the length therefore has to match and
can not exceed the defined length.
Change-Id: Id65842a7f25018fd3864efd73f74ae583102a681
Reviewed-on: https://code.wireshark.org/review/37984
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
These are the final issues currently seen by check_typed_item_calls.py
Error: proto_tree_add_none_format(.., hf_authentication_parameter, ...) called at epan/dissectors/packet-obex.c:1840 with type FT_UINT8
(allowed types are {'FT_NONE'} )
Error: proto_tree_add_none_format(.., hf_authentication_parameter, ...) called at epan/dissectors/packet-obex.c:1887 with type FT_UINT8
(allowed types are {'FT_NONE'} )
Error: proto_tree_add_none_format(.., hf_session_parameter, ...) called at epan/dissectors/packet-obex.c:2058 with type FT_UINT8
(allowed types are {'FT_NONE'} )
Change-Id: If6772a72e01c7afd774a7b673d5775fd598bace3
Reviewed-on: https://code.wireshark.org/review/38095
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
This patches adds support to parse the TX flags of the radiotap header,
including a new DONT_ORDER Tx flag.
Bug: 16732
Change-Id: Ia57c079e020a32219a3e3fcfb7da5ef260360b7e
Reviewed-on: https://code.wireshark.org/review/37944
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Removed WLAN from the EAP identity fields because
it is additional and unnecessary. Added fields for
the full identity string and the identity type.
Removed the pseudo and reauth identity types by
collapsing all identity values into one field
(eap.identity) so the values may be filtered easier
by users in tshark and the GUI. Omitting
encrypted IMSI code until this patch and Change
37250 get merged since the encrypted IMSI logic
depends on these two patches.
Bug: 16537
Change-Id: If359756c1949aff2510b822b70e0e79df85213d0
Reviewed-on: https://code.wireshark.org/review/37257
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Routine "dhcpv6_domain()" of packet-dhcpv6.c has the following
issues:
a. It is unaware of partial (relative) domain names which unlike
FQDNs must *not* be root terminated(0); otherwise, the resolver
interprets them as top-level domains (TLDs) such as "com." and
"org.".
b. Malformed errors are not thrown when they should be and when
thrown, it does so for the wrong reason.
c. No detail is provided as to the nature of a malformation.
d. The routine does not know the difference between an "empty"
and "root-only" domain name.
Routine "dhcpv6_option():
The meanings of flags octet of the in the OPTION_CLIENT_FQDN
option sent by the client are different that those of the server.
These differences are not reflected in the display. In addition,
the description of the 'N' bit is incorrect in either case. The
sender type must be determined in order to label them correctly
and to detect conflicts among them.
These changes fully address the above issues. Six types of
domain name errors are now detected. I believe the unusually
large amount of detailed comments with RFC references and
explanations were needed in this case due to the introduction
of concepts such as partial domain names that were not
recognized as such and thus improperly handled and labelled.
The subtree option headers have been converted from "Text only"
to named fields (dhcpv6.option.type_str). Example captures are
attached to the bug report.
Bug: 16627
Change-Id: I5ef3ee4261b9ab1f331ae2b9b0aa9e3d5e4a5566
Reviewed-on: https://code.wireshark.org/review/37678
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Code to fetch the field (metadata length) was correct, but the item
displayed would be wrong. Fix mask, and use _ret_uint() variant
to avoid fetching the value separately.
Described in RFC 8300, section 2.5.1.
Change-Id: I87cdca489392e1baa6c51bbab303c77a803d204e
Reviewed-on: https://code.wireshark.org/review/38099
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have the message indicate the problem and the name of the offending field.
Change-Id: I661125814c9ad5585a3e71d14f8407948e2e6d76
Reviewed-on: https://code.wireshark.org/review/38090
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Very rough support for dissecting the framing on unidirectional and
bidirectional streams. Support for dissecting QPACK contents will be
added later.
Thanks to Omer Shapira for identifying an important issue that broke
reassembly and blocked proper HTTP/3 support.
Bug: 16761
Change-Id: Ib7f87c824f1dca70967b82943e18d5afee39fa0b
Reviewed-on: https://code.wireshark.org/review/38084
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Load private key exchange keys (curve25519-sha256) provided by the user
Find matching public keys in the dissected data
Compute symmetric keys for decrypting encrypted Transport Layer Protocol
data
Bug: 16054
Change-Id: I83481bff6b1206ce222b0120ad9021e1607f7f97
Reviewed-on: https://code.wireshark.org/review/37936
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Error: proto_tree_add_string(.., hf_ansi_a_lai_mcc, ...) called at epan/dissectors/packet-ansi_a.c:3656 with type FT_UINT8
(allowed types are {'FT_STRINGZPAD', 'FT_STRINGZ', 'FT_STRING'} )
Error: proto_tree_add_string(.., hf_ansi_a_lai_mnc, ...) called at epan/dissectors/packet-ansi_a.c:3666 with type FT_UINT8
(allowed types are {'FT_STRINGZPAD', 'FT_STRINGZ', 'FT_STRING'} )
Error: proto_tree_add_none_format(.., hf_bthci_evt_vendor_codecs_item, ...) called at epan/dissectors/packet-bthci_evt.c:4712 with type FT_UINT32
(allowed types are {'FT_NONE'} )
Error: proto_tree_add_string(.., hf_kademlia_tag_hash, ...) called at epan/dissectors/packet-edonkey.c:1100 with type FT_BYTES
(allowed types are {'FT_STRINGZPAD', 'FT_STRINGZ', 'FT_STRING'} )
Error: proto_tree_add_string(.., hf_msmms_data_timing_pair, ...) called at epan/dissectors/packet-ms-mms.c:680 with type FT_NONE
(allowed types are {'FT_STRINGZPAD', 'FT_STRINGZ', 'FT_STRING'} )
Error: proto_tree_add_float_format_value(.., hf_fp_tpc_po, ...) called at epan/dissectors/packet-umts_fp.c:2405 with type FT_UINT8
(allowed types are {'FT_FLOAT'} )
Change-Id: I1ed0276ad9c810ca6b1b01d581c3d73ae28fb9ad
Reviewed-on: https://code.wireshark.org/review/38081
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
It is send from DCAgent to FSSO collector using UDP 8002 packet
It is based on analysis of protocol (and log)
Bug: 16657
Change-Id: I2e23a403a103c25820d714446d4e3245af04e876
Reviewed-on: https://code.wireshark.org/review/37547
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit replaces instances of
(myobj *)wmem_alloc(wmem_X_scope(), sizeof(myobj))
and replaces them with:
wmem_new(wmem_X_scope(), myobj)
to improve the readability of Wireshark's code.
Replacements were made with the following Python script:
import os
import re
import sys
pattern = r'\(([^\s\n]+) ?\*\) ?wmem_alloc(0?)\((wmem_[a-z]+_scope\(\)), sizeof\(\1\)\)'
replacewith = r'wmem_new\2(\3, \1)'
startdir = sys.argv[1]
for root, dirs, files in os.walk(startdir):
for fname in files:
fpath = os.path.join(root, fname)
if not fpath.endswith('.c'):
continue
with open(fpath, 'r') as fh:
fdata = fh.read()
output = re.sub(pattern, replacewith, fdata)
if fdata != output:
print(fpath)
with open(fpath, 'w') as fh:
fh.write(output)
Change-Id: I223cb2fcce336bc99ca21c4a74e4cf758fd00572
Reviewed-on: https://code.wireshark.org/review/38088
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Graham reported a shadowed variable issue with the variable index.
Changed the variable name so it no longer shadows index. That seems
to be an issue on Macs.
Change-Id: I2a6e9b6d70811aaf7b9f910ddc87ab926b3a0cec
Reviewed-on: https://code.wireshark.org/review/38058
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Prepare for adding HTTP/3 support which depends on QUIC to provide an
stream of data. Reassembly code is mostly lifted from the TCP dissector
which shares similar characteristics.
Bug: 13881
Ping-Bug: 16761
Change-Id: Iba07dade111b740418b8b315d0485e200cdfe9f0
Reviewed-on: https://code.wireshark.org/review/38083
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Found using tools/check_tfs.py, included in this commit.
Here are the reports that were fixed here:
Examining:
All dissector modules
epan/dissectors/packet-assa_r3.c tfs_mortisepins_flags - could have used tfs_high_low from tfs.c instead: {High,Low}
epan/dissectors/packet-btle.c tfs_present_bit - could have used tfs_present_not_present from tfs.c instead: {Present,Not Present}
epan/dissectors/packet-dhcp.c tfs_fqdn_s - could have used tfs_server_client from tfs.c instead: {Server,Client}
epan/dissectors/packet-docsis-macmgmt.c mdd_tfs_on_off - could have used tfs_on_off from tfs.c instead: {On,Off}
epan/dissectors/packet-docsis-macmgmt.c mdd_tfs_en_dis - could have used tfs_enabled_disabled from tfs.c instead: {Enabled,Disabled}
epan/dissectors/packet-docsis-macmgmt.c req_not_req_tfs - could have used tfs_requested_not_requested from tfs.c instead: {Requested,Not Requested}
epan/dissectors/packet-docsis-tlv.c on_off_tfs - could have used tfs_on_off from tfs.c instead: {On,Off}
epan/dissectors/packet-docsis-tlv.c activation_tfs - could have used tfs_active_inactive from tfs.c instead: {Active,Inactive}
epan/dissectors/packet-docsis.c ena_dis_tfs - could have used tfs_enabled_disabled from tfs.c instead: {Enabled,Disabled}
epan/dissectors/packet-ecmp.c tfs_not_expected_expected - could have used tfs_odd_even from tfs.c instead: {Odd,Even}
epan/dissectors/packet-erf.c erf_link_status_tfs - could have used tfs_up_down from tfs.c instead: {Up,Down}
epan/dissectors/packet-h263.c on_off_flg - could have used tfs_on_off from tfs.c instead: {On,Off}
epan/dissectors/packet-h263.c cpm_flg - could have used tfs_on_off from tfs.c instead: {On,Off}
epan/dissectors/packet-interlink.c flags_set_notset - could have used tfs_set_notset from tfs.c instead: {Set,Not set}
epan/dissectors/packet-ip.c tos_set_low - could have used tfs_low_normal from tfs.c instead: {Low,Normal}
epan/dissectors/packet-ip.c tos_set_high - could have used tfs_high_normal from tfs.c instead: {High,Normal}
epan/dissectors/packet-isakmp.c flag_r - could have used tfs_response_request from tfs.c instead: {Response,Request}
epan/dissectors/packet-isis-lsp.c tfs_metric_supported_not_supported - could have used tfs_no_yes from tfs.c instead: {No,Yes}
epan/dissectors/packet-kerberos.c supported_tfs - could have used tfs_supported_not_supported from tfs.c instead: {Supported,Not supported}
epan/dissectors/packet-kerberos.c set_tfs - could have used tfs_set_notset from tfs.c instead: {Set,Not set}
epan/dissectors/packet-mac-lte.c mac_lte_scell_status_vals - could have used tfs_activated_deactivated from tfs.c instead: {Activated,Deactivated}
epan/dissectors/packet-p_mul.c no_yes - could have used tfs_no_yes from tfs.c instead: {No,Yes}
epan/dissectors/packet-pgm.c opts_present - could have used tfs_present_not_present from tfs.c instead: {Present,Not Present}
epan/dissectors/packet-rsl.c rsl_ms_fpc_epc_mode_vals - could have used tfs_inuse_not_inuse from tfs.c instead: {In use,Not in use}
epan/dissectors/packet-sita.c tfs_sita_on_off - could have used tfs_on_off from tfs.c instead: {On,Off}
epan/dissectors/packet-vines.c tfs_vine_rtp_no_yes - could have used tfs_no_yes from tfs.c instead: {No,Yes}
epan/dissectors/packet-vnc.c button_mask_tfs - could have used tfs_pressed_not_pressed from tfs.c instead: {Pressed,Not pressed}
27 issues found
Change-Id: I7e53b491f20289955c9e9caa8357197d9010a5aa
Reviewed-on: https://code.wireshark.org/review/38087
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Microsoft Network Monitor lets you capture on an 802.11 adapter either
in monitor mode or in non-monitor mode; frames captured in non-monitor
mode may have the Protected bit set in the 802.11 header, but are
decrypted and don't incclude encryption information, and may have the
A-MSDU Present flag set in the QoS Control field, but have just a
regular frame payload, not a sequence of A-MSDUs, in the payload field.
Dissect those frames correctly.
Bug: 16758
Change-Id: I42b7e9ce52faa80222692403fa7276c039644343
Reviewed-on: https://code.wireshark.org/review/38082
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
In dcm_export_create_object(), don't assume that assoc->ae_calling and
assoc->ae_called are non-null; if we don't have an A-ASSOCIATE request
earlier in the capture, which we are not guaranteed to have, the called
and called AE titles won't be set.
Bug: 16748
Change-Id: I7d6d22d1c23e28b1f0967a803d0d89609a421712
Reviewed-on: https://code.wireshark.org/review/38077
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
The "monitor mode" flag was called "netmon_802_11.op_mode.on", not
"netmon_802_11.op_mode.mon". Fix that.
Change-Id: I4a712c1d5fa7c7e43335d83c0f40ace4358a881c
Reviewed-on: https://code.wireshark.org/review/38069
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
I haven't been able to find the appropriate spec, but either there is a
limit to the number of features bytes to add and this patch is needed,
or the (i < 8) part should be dropped. As it is the other data and
expert info for 'unknown' fields will never be reached.
Detected by cppcheck:
epan/dissectors/packet-bthci_cmd.c:9183:72: warning: Condition 'i<8' is always true [knownConditionTrueFalse]
while (tvb_captured_length_remaining(tvb, offset) > 0 && i < 8) {
^
epan/dissectors/packet-bthci_cmd.c:9181:25: note: Assignment 'i=0', assigned value is 0
guint8 i = 0;
^
epan/dissectors/packet-bthci_cmd.c:9183:72: note: Condition 'i<8' is always true
while (tvb_captured_length_remaining(tvb, offset) > 0 && i < 8) {
Change-Id: Icfef0e9142a58aa1c525df9b7daf0aa820039167
Reviewed-on: https://code.wireshark.org/review/38049
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also, take into account length of GUID before
adding expert info for not-decoded data afterwards.
Change-Id: I3e3ee2fc014bc7ace477015b21b2d6ca9127a6be
Reviewed-on: https://code.wireshark.org/review/38062
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This matches the description at
https://www.museek-plus.org/wiki/SoulseekProtocol,
where some fields are uint32 but many are just 'int'.
Change-Id: I192aaf9ca84ccee7b52d266083bbbd8baef28685
Reviewed-on: https://code.wireshark.org/review/38060
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Some heuristic functions (example: dtls over stun) perform exact checks on
paylaod length, so we need to skip any padding added by TURN layer
(RFC 5766, 11.5).
Bug: 16756
Change-Id: Iaaf3dc83fbc5f5f8d0af1cabfe94861480fe7c98
Reviewed-on: https://code.wireshark.org/review/38042
Tested-by: Petri Dish Buildbot
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
Change-Id: Ibaa5b074a1d98a5be17e5f1514c5666a64fefafb
Reviewed-on: https://code.wireshark.org/review/38050
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
code to dissect PASSWORD-ALGORITHMS and PASSWORD-ALGORITHM attributes is
ready to go.
Change-Id: I6fcfb1da49c596a11b3c5b0e3dce51e47f1f7c1c
Reviewed-on: https://code.wireshark.org/review/38047
Reviewed-by: Guy Harris <gharris@sonic.net>
The current TECMP code shows embedded CAN or FlexRay frames but
does not allow other dissectors to further dissect them. This
patch adds this feature.
Bug: 16738
Change-Id: I7f886c8d42a52c4bd55bdb14aed7459eed1af42d
Reviewed-on: https://code.wireshark.org/review/37972
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dr. Lars Völker <lars.voelker@technica-engineering.de>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Autokey was not properly supported, the v2 version check looked at the
wrong field (Code instead of Field Type). Since nobody noticed it, let's
remove it to simplify the code.
Improve the Extension Field (EF) heuristics to ensure that larger digest
sizes such as SHA-512 are recognized, and to support messages without
MAC. Previously only MD5 and SHA-1 were supported as these are the only
ones that are defined by the RFCs.
The ntp_ext_field_types array was generated by:
curl -s https://www.iana.org/assignments/ntp-parameters/ntp-parameters-3.csv |
awk -F, 'NR>=2{printf "{ %s, \"%s\" },\n", $1, $2}' | sort -n
Tested with md5_dgrams.pcapng and sha1_dgrams.pcapng (Bug 11580) and
NTP-with-mac.pcap (Bug 16640). Also checked against the NTS capture
(go_embeded.pcapng, bug 16222), but TCP reassembly is not supported so
the last part of the first segment is wrongly dissected as MAC.
Bug: 16640
Change-Id: I07fc46c6d8995e6c791952dd7cd84d798cddd21a
Reviewed-on: https://code.wireshark.org/review/38037
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bellcore (now Telcordia) GR-317 and GR-394 are used in the U.S. and are
more similar to ANSI ISUP than ITU Standard ISUP. This fixes decoding
the Jurisdiction (aka JIP) optional parameter.
"gr317" is listed in RFC 3204, Table 1 on Page 2. Telcordia's name for
this standard is "LSSGR: Switching System Generic Requirements for Call
Control Using the Integrated Services Digital Network User Part
(ISDNUP)".
"gr394" is the value used by our Ribbon (formerly Genband) C15 switch.
Telcordia's name for GR-394 is "LSSGR: Switching System Generic
Requirements for Interexchange Carrier Interconnection (ICI) Using The
Integrated Services Digital Network User Part (ISDNUP)". The difference
from GR-317 is "Call Control" vs "Interexchange Carrier Interconnection
(ICI)". These calls are indeed interexchange calls.
Given that only "gr317" is listed in RFC 3204, arguably our Ribbon C15
should be sending this as "version=gr394; base=gr317" or just as
"version=gr317", but I have no control over that and would like to
decode the traffic as seen in the wild.
Bug: 16752
Change-Id: I24c7b2e175606e1c91bcb2e96a3372f62055e293
Reviewed-on: https://code.wireshark.org/review/38038
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the DCE/RPC heuristics a bit more discriminating by checking
a few more header fields for illegal values. Reduces false positives.
Change-Id: Ic3d6c7ce62b64b2042922adb104294600b0db673
Reviewed-on: https://code.wireshark.org/review/38028
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Include stdlib.h for bsearch(). This is needed when building on RPi.
Change-Id: Ia0969d7785b59b4adfd10a332a20beb26a99fcb7
Reviewed-on: https://code.wireshark.org/review/38036
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>