Currently out-of-order segments will result in cutting a stream into
two pieces while the out-of-order segment itself is ignored. For
example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with
"C" ignored. This behavior breaks TLS decryption or prevent application
layer PDUs (such as HTTP requests/responses) from being reconstructed.
To fix this, buffer segments when a gap is detected.
The proposed approach extends the "multi-segment PDU" (MSP) mechanism
which is normally used for linking multiple, sequential TCP segments
into a single PDU. When a gap is detected between segments, it is
assumed that the segments within this gap are out-of-order and will be
received (or retransmitted) later.
The current implementation has a limitation though, if multiple gaps
exist, then the subdissector will only be called when all gaps are
filled (the subdissector will receive segments later than necessary).
For example with "ACEBD", "ABC" can already be processed after "B" is
received (with "E" still buffered), but due to how MSP are extended, it
must receive "D" too before it reassembles "ABCDE". In practice this
could mean that the request/response times between HTTP requests and
responses are slightly off, but at least the stream is correct now.
(These limitations are documented in the User's Guide.)
As the feature fails at least the 802.11 decryption test where packets
are missing (instead of OoO), hide this feature behind a preference.
Tested with captures containing out-of-order TCP segments from the
linked bug reports, comparing the effect of toggling the preference on
the summary output of tshark, the verbose output (-V) and the two-pass
output (-2 or -2V). Captures marked with "ok" just needed "simple"
out-of-order handling. Captures marked with "ok2" additionally required
the reassembly API change to set the correct reassembled length.
This change does "regress" on bug 10289 though when the preference is
enabled as retransmitted single-segment PDUs are now passed to
subdissectors. I added a TODO comment for this unrelated cosmetic issue.
Bug: 3389 # capture 2907 (HTTP) ok
Bug: 4727 # capture 4590 (HTTP) ok
Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok
Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok
Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok
Bug: 13754 # capture 15593 (MySQL) ok2
Bug: 14649 # capture 16305 (WebSocket) ok
Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56
Reviewed-on: https://code.wireshark.org/review/27943
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows code to initialize them without having to know the details
of the structure; the initializes should, and will, be changed if the
members of the structure are changed.
Change-Id: I93e6ebfcde9ceca17df696fcba4e8410c5afb175
Reviewed-on: https://code.wireshark.org/review/28501
Reviewed-by: Guy Harris <guy@alum.mit.edu>
1. Add new dissector table that allows for registration of CIP Class 2/3 Data
against CIP Class that was used in the Forward Open. This is similar to the
Class 0/1 I/O dissector table. The new logic is this:
a. If there is connection info and a table entry: Call the registered dissector
handle (cip_connection_message_router.pcap).
b. If there is connection info and no table entry, use the CIP implicit
dissector (cip_connection_implicit.pcap)
c. If there is no connection info: Assume Message Router (Class 0x2)
format (cip_no_connection_message_router.pcap)
2. Remove old dissector table for "enip.sud.iface". The specification states that
the Interface Handle "shall be zero" for SendUnitData, so there isn't a need
to have custom handling for different Interface Handle values. SendRRData
does not have the same restriction, so that dissector table (enip.srrd.iface)
will stay.
3. Pull out Class 2/3 data processing into separate function: dissect_cip_class23_data()
4. Remove extra unnecessary tree layer in implicit data dissector.
Bug: 14916
Change-Id: Id53a2031a6064551b3915d8954527a7b3261d222
Reviewed-on: https://code.wireshark.org/review/28496
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Convert our column descriptions to a value_string and sort it by
description. This ensures that they are properly sorted in the UI.
Change-Id: I7d699a1c45906b9c42e443fcdcdcb4d8d49deb77
Reviewed-on: https://code.wireshark.org/review/28492
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Remove IPX items from the default capture, color, and display filter
files. Suggested by Laura Chappell at SharkFest 2018.
Change-Id: I5e14caaa69efc638a5da7c795bf8a9e5e890b3fd
Reviewed-on: https://code.wireshark.org/review/28489
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We still need the "length == 2" behavior.
This reverts commit 622b17a475.
Change-Id: Id3b7ed9231f3fefeeac5fb910b792139c4844ec8
Reviewed-on: https://code.wireshark.org/review/28484
Reviewed-by: Gerald Combs <gerald@wireshark.org>
The output for this case is achieved by the following one.
Change-Id: I585aba39ebb67d65a8f5159217ea8a85ad13e49c
Reviewed-on: https://code.wireshark.org/review/28421
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When the filter label was missing, it would result in a crash
(use-after-free) while reading the next expression. For example:
gui.filter_expressions.label: Not-Junk
gui.filter_expressions.expr: tcp.flags.reset==1
# note: missing label preference
gui.filter_expressions.expr: dns
While at it, do not duplicate the filter expression,
"filter_expression_new" has always been copying it.
Change-Id: I980fd720c9a04b679a71dd2e7e8bf5e53c72ac43
Fixes: 1a046d693b ("Added Filter Toolbar Save functionality.")
Bug: 11648
Reviewed-on: https://code.wireshark.org/review/28471
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
"output_rrpd" is NULL when the TRANSUM dissector is disabled (which is
the default behavior). When switching to a profile where the dissector
is enabled, redissection happens, but without invoking the init routine.
This leads to a crash when dissect_transum tries to query "output_rrpd".
Fix this by creating the map unconditionally. Use wmem_map_new_autoreset
since its contents should be erased for new capture files.
Bug: 13697
Change-Id: Iea897da8faf8042dffdc74327d9d1221e5fb155f
Fixes: v2.3.0rc0-1887-g78d56e5dd7 ("Cleanup transum post-dissector.")
Reviewed-on: https://code.wireshark.org/review/28474
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Ethernet checksum offloading seems to be common nowadays, similar to
IPv4, IPv6, TCP, and UDP. Disable FCS validation by default. Suggested
by Laura Chappell at SharkFest US '18.
Change-Id: Icf0e262c65ad328a58da9bd78f3aefbefa2f9394
Reviewed-on: https://code.wireshark.org/review/28477
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Adds the Windows 10 (and Server 2016) Release ID to the info in the
About Wireshark blurb.
The ID displayed in parentheses, e.g.
Running on 64-bit Windows 10 (1803), build 17134
Change-Id: I1bbce27e149dbf6da6da7847ad1f7dd861176ece
Reviewed-on: https://code.wireshark.org/review/28475
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change the exported_pdu size from two to the full size of the tag
(including type and length fields) and limit the protocol length to just
the tags (without the PDU data).
Change-Id: I1c20740627ebd74c117bb1735ff4c189d2d750d6
Reviewed-on: https://code.wireshark.org/review/28470
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Remove -DBUILD_WINDOWS and sections of code that we no longer use.
Bug: 14715
Change-Id: Iae1a950e2f52f4ce45fcf0ae5dea06c1172c3a28
Reviewed-on: https://code.wireshark.org/review/28466
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Tshark poorly handles printing when using -T options where a field
contains newline, carriage return, or other special characters such as tab.
Bug: 14907
Change-Id: I94a797bb98b94aac254bcd2e6911b37192e9c91f
Reviewed-on: https://code.wireshark.org/review/28442
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
When dragging on the wrong position in the toolbar, wireshark
crashes
Change-Id: I756e9caebc844d32e99e9fd3e338a872986b9e96
Reviewed-on: https://code.wireshark.org/review/28458
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Remove the pdb_zip_package target's dependency on epan, otherwise we
might end up triggering a build which creates a mismatch.
Change-Id: I1e077e5f119273ee80a89c30f54e29fdb242e082
Reviewed-on: https://code.wireshark.org/review/28457
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
- Fixed initial COL_INFO for associations. It used to 'append' instead of 'set'.
- Changed initial length check from tvb_reported_length() to tvb_captured_length()
- Heuristic Dissection:
o Modified registration, so it can be clearly identified in the Enable/Disable Protocols dialog
o Enabled by default
o Return proper data type
Tested heuristic vs. static on many DICOM captures
Change-Id: I0aa42b91e4f55a6d9fc834657710a6a92c8dadef
Reviewed-on: https://code.wireshark.org/review/27518
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
due to missing mapping from operation number to a string representation
wireshark displays '71' instead of 'CLONE'
Change-Id: Ic5da0a110d5475b2467d6110ea2896332f93288c
Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
Reviewed-on: https://code.wireshark.org/review/28447
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
As, fields are hidden items the discrepencies go unnoticed in the Wireshark
tree, however when printin in tshark the displayed fields are inccorect as the
wrong tvb is passed during dissection.
Bug: 14908
Change-Id: If06618b67040b631f153d3e2609583fecc56b5b2
Reviewed-on: https://code.wireshark.org/review/28445
Reviewed-by: Jeremy Martin <boardermartin@gmail.com>
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
If the packet-testing expression for a coloring rule is set to an
invalid expression, disable the filter; this should provide at least
*some* indication to the user that it's not valid, although we should
really pop up a dialog or something - the little small-type notice below
the list of filters is *really* not all that obvious.
Ping-Bug: 14906
Change-Id: I3c036c3509520913db0a64c30bc1c57c0c7667bc
Reviewed-on: https://code.wireshark.org/review/28444
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix the prepare possibility of applying a display filter button
Change-Id: I85364b40272139f0d0c69a2735a876a3a5f5db7a
Reviewed-on: https://code.wireshark.org/review/28440
Petri-Dish: Roland Knall <rknall@gmail.com>
Reviewed-by: Roland Knall <rknall@gmail.com>
Remove all filter toolbar related stuff into a separate class
and away from MainWindow
Change-Id: I36d937be6c2686b16a8d494213dc740d8d28efcb
Reviewed-on: https://code.wireshark.org/review/28432
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>