X.75 is not the same thing as LAPB, and we already *have* a LAPB
dissector that registers for WTAP_ENCAP_LAPB. Two dissectors
registering for a value in the wtap_encap table means one of them will
lose, so it does not work; in this case, the LAPB dissector loses.
Fixes#19595.
Only show the "Displayed: x (y%)" packet list info if we have a display
filter set, similar to the other statistics. This avoids showing the
same number twice followed by "100.0%".
QObject::tr() returns a QString, so there's no need to wrap it in
QString(). (We do this a *lot*, which is probably my fault.)
Clean up some QString::arg calls.
Use the modern signal + slot syntax.
libssh 0.10.0 removed SHA-1 based keys and algorithms from its
default configuration, though they are still supported. We
ship with 0.10.5 in Windows and macOS now, and many Linux
distributions are on 0.10.x as well.
Add the ability to re-enable SHA-1 RSA keys, MAC, and KEX algorithms
with a preference to ciscodump, sshdump, and wifidump.
This will be a little easier in 0.11.0, where it's possible to
just specify the algorithms you want to add to the default list,
instead of having to specify the entire list.
Fix#19510. Fix#19594
Add buttons to select the infix pattern in multiple file mode,
using the new option for having the date and time before the
file index number (which provides more natural sorting, and
keeps different groups of captures together) added for tshark
and the capture options in 8bc52f542bFix#12371
interface_t contains an if_info_t as its member. It
doesn't need to copy the friendly name, vendor description,
and type from the if_info_t into separate members. The vast
majority of the time, we're already using the member from
the embedded if_info_t, but change a couple of cases.
The display name is a unique transformation of the name, friendly
name (OS name), and vendor description (hardware name) that depends
somewhat on the OS, so that needsto be seprate. The addresses and
links are also transformed from the if_info format. The name is
copied as well, but at least that's the primary key for the interface.
If the supported_versions extension is provided in the Client Hello,
display the mimimum supported version given in the extension in the
Protocol column if the session TLS version is unknown. Use the minimum
version because we don't know what the server will agree to, but it
must be at least this version.
This only affects when the Server Hello or other authoritative
messages haven't been seen, so in first-pass dissection (live
capture or one pass tshark) or a capture that doesn't contain
authoritative messages at all.
Fix#16114
If we have a packet that isn't long enough to fit an entire header,
but the first byte does look like a message type, and we can do
reassembly, ask for reassembly.
Fix#19593
For RTMP connections where we get the handshake, continue to use
the initial value of 128 as done in the protocol; we should get
any Set Chunk Size messages.
For connections where we don't get the initial handshake, i.e.
the connection is already in progress when the capture is started,
allow setting a different default chunksize. Note that both too
large and too small values will cause problems, but the since the
initial bytes of chunks can have any value, it's very difficult
to do this heuristically.
Fix#12403 (by setting the preference to a large value, e.g. 60000,
everything is dissected correctly in that capture.)
Some systems repeatedly send out SDP setup information for the same
RTP conversation. We end up setting up multiple conversations
(it's not clear we need to, since most of the information we copy
to per-packet info for subsequent passes.)
When doing so, copy the per-SSRC number space information that
determines what cycle number we're on for extended sequence numbers
and timestamps (since those fields can and do wrap.)
This doesn't hurt at all if the setup information is for different
conversations, even ones using the same SSRC; it aligns the cycle
number but that's fine. It helps a lot in cases where the RTP
sequence number has already overflowed and then we get a duplicate
SETUP message; we need to stay on the same cycle.
Fix#19592
When rescanning the interface list (e.g. when manually refreshing
or a new device is added or removed), do not destroy old devices
but instead reuse it and preserve the user-set options.
Do check the monitor mode and active dlt setting against the
retrieved values to make sure that they are still supported.
In particular this means that the capture filter is not reset.
For many of the options, the value when creating a new device is
taken from the prefs, and the prefs are updated when the Capture
Options Dialog is closed (monitor mode, promiscuous mode, link layer
type, snapshot length, buffer size), or when the Manage Interfaces
Dialog is closed (hidden, user description), which mostly worked,
unless a refresh occurred when those dialogs were open and changes
had not been saved to prefs.
Fix#16418
Even though these files are generated and warn not to change
them, the generator is not working currently, so patch them.
(See the disscussion in !14000)
RTMPT doesn't use the native reassembly API, so store the frames that
are involved in reassembly of a packet and mark the depended upon
frames itself so that exporting selected packets doesn't omit them.
This is the reassembly API call for fragments that start at a
different value. This is better than examining the entire
chain, and also would have a better chance of working with
out of order fragments (though TCP should handle that for us.)
Dissect the X.509 v3 Certificates used in OPC UA.
Use proto_tree_add_bytes_with_length for adding NULL bytes to
the tree with a (0) length different than the length taken up
in the tvb. It's somewhat nicer than changing the item length later.
Due to how QSortFilterProxyModel, when sorting, creates its own
mapping from proxy columns to source coumns instead of using
mapToSource, and that mapping, while omitting columns that are
not visible, is always done in order, it is much easier if all
View of the InterfaceTreeModel omit columns but do not reorder
them. (If the order really needs to be changed,
QHeaderView::swapSections() is available.)
Reorder the InterfaceTreeColumns to put the columns used by
ManageInterfaceDialog localView in relative order. Otherwise,
when enabling sorting clicking on the "Hide/Show" column actually
sorts via the device name, and clicking on the device name does
nothing because it maps to column six (and ManageInterfaceDialog
only uses 4 columns).
Then enable sorting.
Fix#16425
Add a new hfi reference type for when we're printing items,
that supersedes direct reference - in addition to ensuring that
we don't fake an item, it also defaults the item to visible
(doesn't mark it as hidden when the tree isn't visible), so
that the string representation isn't faked either for fields
that have non-default formats.
Use it when fields are specified with -e; instead of setting
the entire tree as visible, only mark visible the items that
we want to print. This speeds up tshark -e output with all the
-T options that support it, sometimes by 2 to 4 times.
Part of #19573
This reverts commit 3aafecb7b9.
The problem in #17781 was caused by udpdump not flushing after writing
the header, meaning that when no packets were captured, the capture
file wasn't written yet and thus the check in testCaptureFileClose
wouldn't do anything.
This was a workaround for the issue, but the underlying problem
was solved by 9ad1ec1651 which ensures
that udpdump and other extcaps flush after writing the pcap header.
The workaround had the downside of requiring the user to enter
the Quit command again (particularly confusing in the case where
closing the capture doesn't result in a dialog, as there's relatively
little notification of what happened outside the icons.)
Fix#19572
Dissector is improved as follows:
- Code cleanup
- Added comments
- Offset calculations more obvious
- Segment data is put into segment hf instead of data dissector
- Padding is calculated and shown to fix incomplete dissector warnings
Manually revert cd9f7b64c7 and update it to match the changes in
537b49ee41.
Disable the packet list and detail follow menus if we don't have any
matching protocols.
Previously, the errno message obtained from dumpcap would be overwritten
by the call to sync_pipe_close_command, so no information about the
failure would be passed on. This is fixed by ignoring the message from
sync_pipe_close_command, as it is probably less useful than the message
we already have.