When reading memory-mapped Linux capture files, fix up the "real" length
field, in case the file was written by a program doing a capture done
with a version of libpcap with a bug that causes it to incorrectly set
the "real" length for isochronous transfers.
Update the sample dissector for some best practices,
and avoid some deprecated behavior.
Use register_protocol instead of creating an anonymous
dissector handle, so that Lua, Export PDU, custom
User DLT dissection, etc. can find it. (See #5612)
Use auto preferences and prefer port ranges when possible
(See #14319)
That should never be the case; if you slice off part of a sausage, the
remainder of the sausage cannot be longer than the original sausage.
Warn about that.
If ssl_add_vector is called with an offset past offset_end,
add the malformed buffer too small expert info and return
failure instead of failing an assertion. Malformed packets
can cause this to happen, so it's not necessarily a dissector
bug.
Also change the other assertion to output the result of the
comparison to aid in debugging.
Related to #17890.
The semantics behind ws_pipe_close() were broken since its introduction.
Forcing process termination on Windows, while simply setting a variable on
other systems results in more OS specific code sprinkled all over the
place instead of less. Moreover ws_pipe_close() never handled standard
file handles. It is really hard to come up with sensible ws_pipe_close()
replacement, as process exit is actually asynchronous action. It is
recommended to register a child watch using g_child_watch_add() instead.
Do not call ws_pipe_close() when deleting a capture interface. Things will
break if extcap is still running when interface opts are being freed and
terminating process won't help.
Rework maxmind shutdown to rely on GIOChannel state. For an unknown reason
TerminateProcess() is still needed on Windows. The actual root cause
should be identified and fixed instead of giving up hope that it will
ever work correctly on Windows. In other words, TerminateProcess()
should not be used as a pattern, but rather as a last resort.
Move all the declarations of routines that are internal and
not for use by dissectors from column-utils.h to column-info.h.
Move the column max length defines into column-utils.h because
dissectors might need that
Since packet.h already includes column-utils.h, dissectors don't
need to include column-utils.h anymore.
Remove or downgrade a few other column header includes that are
unnecessary.
Send SIGTERM on UNIX systems to all extcap processes when user requests
capture stop. Wait up to 30 seconds for extcaps to finish. If extcaps do
not finish in time, send SIGKILL to remaining extcaps.
Do not call TerminateProcess() on Windows in the same place where UNIX
SIGTERM is sent. Instead schedule extcap termination timeout to happen
as soon as control returns back to the event loop.
There is no universally agreed replacement for SIGTERM on Windows, so
just keep things simple (forcefully terminate like always) until we
have agreed on something.
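The stop sequence described in that message (polite signal, bounded wait, forced kill) as an added, self-contained Python model; this is not Wireshark's extcap code. It uses `subprocess.Popen.terminate()`/`kill()`, which map to SIGTERM/SIGKILL on POSIX, and the demo children, the 2-second grace period and the "ready" handshake are constructed for the example only (Wireshark waits 30 seconds).

```python
import subprocess
import sys


def stop_child(proc: subprocess.Popen, grace_seconds: float) -> str:
    """Stop a child the way the extcap shutdown above describes: polite signal
    first, forced kill only after the grace period. Returns which step ended it."""
    if proc.poll() is not None:
        return "already exited"
    # SIGTERM on POSIX. On Windows, Popen.terminate() is TerminateProcess(),
    # so there is no graceful first step there (the situation the message notes).
    proc.terminate()
    try:
        proc.wait(timeout=grace_seconds)
        return "terminated"
    except subprocess.TimeoutExpired:
        proc.kill()  # SIGKILL on POSIX; the child cannot ignore it
        proc.wait()
        return "killed"


def spawn_demo_child(ignore_sigterm: bool) -> subprocess.Popen:
    """Constructed stand-in for an extcap process: prints 'ready', then sleeps.
    With ignore_sigterm=True it ignores SIGTERM, like a tool that never exits
    on request, which is exactly the case the SIGKILL fallback exists for."""
    script = "import signal, sys, time\n"
    if ignore_sigterm:
        script += "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
    script += "sys.stdout.write('ready\\n'); sys.stdout.flush(); time.sleep(60)\n"
    proc = subprocess.Popen([sys.executable, "-c", script],
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    proc.stdout.readline()  # wait for the handshake so the handler is installed
    return proc


def demo(grace_seconds: float = 2.0):
    """Run a cooperative and a stubborn child through stop_child."""
    results = []
    for ignore in (False, True):
        child = spawn_demo_child(ignore)
        try:
            results.append(stop_child(child, grace_seconds))
        finally:
            child.stdout.close()  # do not leave the pipe open after the child is gone
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # ("terminated", "killed") on POSIX
```

The stubborn child only goes away because of the second step; without the timeout the capture stop would hang on it forever, which is why the message insists on a bounded wait before escalating.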
The ECN-Echo flag is abbreviated in RFC 3168 using ECE, not ECN.
In addition, when displaying the flags, no abbreviations are
used. Therefore, do the same for the CWR flag.
Any time an expert info is added to the Expert Info tap, the
Expert Info GUI tap listener needs to set TAP_PACKET_REDRAW.
draw_tap_listeners(FALSE) is called from MainApplication::updateTaps()
on a timer (controlled by a preference, defaulting to 3 seconds),
and that clears the Expert Info tap's need_redraw flag. The larger
a capture and the more expert infos, the more likely that the timer
can trigger while epan_dissect_run_with_taps() is still generating
more EI entries, but has already generated EIs of all severities
that are present in the capture. This prevents the expertInfoTreeView
from being redrawn at the end when the captureEvent is finished
retapping the packets.
Fix #18232. Fix #16591.
Extcap child watch callback assumed that the stderr pipe is broken.
However the stdout and stderr pipes are not necessarily broken if the
child process spawned new processes that inherited standard handles.
Do not drain stderr in busy loop to prevent UI freeze. Stop capture
session only when all extcap watches are removed. Remove stdout and
stderr watches on capture stop timer (30 seconds) expiration, even if
the pipes are not broken.
Do not rely only on 0 bytes read to cease reading stdout and stderr.
Stop reading if the status is anything else than G_IO_STATUS_NORMAL
(in particular, it can be G_IO_STATUS_EOF).
Since version 10.2.0 (2011-03) of 3GPP TS 44.018, unused octets of the
SI6 Rest Octets IE (see 10.5.2.35a) may optionally contain random bits
instead of the standard repeating sequence of '00101011'.
This is a counter-measure making the known-plaintext attack on encrypted
channels slower (and thus harder). For more details, see GP-110384 [1].
[1] http://portal.3gpp.org/ngppapp/DownloadTDoc.aspx?contributionUid=GP-110384
Without this patch Wireshark would warn about an unknown or potentially
malformed PDU if the network is using random padding bits:
SI 6 Rest Octets
L... .... = PCH and NCH Info: Not Present
.L.. .... = VBS/VGCS options: Not Present
..L. .... = DTM: Not Supported in Serving cell
...L .... = Band Indicator: 1800
.... L... = GPRS MS PWR MAX CCCH: Not Present
.... .L.. = MBMS Procedures: Not supported
.... ..L. = Additions in Rel-7: Not Present
Padding Bits: Unknown extension detected or malformed PDU (Not decoded)
With this patch, the value of the random bit stream indicator is used to
determine presence of random bit stream (padding):
SI 6 Rest Octets
L... .... = PCH and NCH Info: Not Present
.L.. .... = VBS/VGCS options: Not Present
..L. .... = DTM: Not Supported in Serving cell
...L .... = Band Indicator: 1800
.... L... = GPRS MS PWR MAX CCCH: Not Present
.... .L.. = MBMS Procedures: Not supported
.... ..L. = Additions in Rel-7: Not Present
.... ...H = Random Bit Stream: Present
Padding Bits: random bit stream
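The decision the patch adds, as an added Python illustration rather than Wireshark's dissector code: a bit is "L" when it equals the corresponding bit of the octet-aligned spare padding pattern 0x2B ('00101011') and "H" when it is the inverse, so the Random Bit Stream indicator is simply the H/L value at the bit after the decoded fields, and the remainder is only checked against the padding pattern when the indicator is absent. The function `decode_si6_tail`, its `used_bits` argument (the seven L bits shown in the output above) and the sample octets are constructed for this example.

```python
from typing import Dict, List

SPARE_PADDING_OCTET = 0x2B  # '00101011', the spare padding pattern of 3GPP TS 44.018


def to_bits(data: bytes) -> List[int]:
    """Unpack octets into bits, most significant bit first."""
    return [(octet >> (7 - i)) & 1 for octet in data for i in range(8)]


def spare_bit(position: int) -> int:
    """Expected padding value at an absolute bit position. The pattern is
    octet-aligned, so message bit p is compared with bit (p % 8) of 0x2B;
    L means 'same as this', H means 'the inverse'."""
    return (SPARE_PADDING_OCTET >> (7 - position % 8)) & 1


def classify_padding(bits: List[int], start: int, random_bit_stream: bool) -> str:
    """Classify everything from bit `start` onwards."""
    if random_bit_stream:
        # Contents are deliberately unpredictable; comparing them with 0x2B
        # would only produce the false 'malformed' warning the patch removes.
        return "random bit stream"
    if all(bit == spare_bit(pos) for pos, bit in enumerate(bits[start:], start)):
        return "spare padding"
    return "unknown extension detected or malformed PDU"


def decode_si6_tail(rest_octets: bytes, used_bits: int) -> Dict[str, str]:
    """Hypothetical tail decoder: the first `used_bits` bits of the SI6 Rest
    Octets are assumed already decoded; the next bit is the Random Bit Stream
    indicator (H = Present) and everything after it is padding."""
    bits = to_bits(rest_octets)
    indicator_pos = used_bits
    if indicator_pos >= len(bits):
        raise ValueError("rest octets too short for the random bit stream indicator")
    rbs_present = bits[indicator_pos] != spare_bit(indicator_pos)
    return {
        "random_bit_stream": "Present" if rbs_present else "Not Present",
        "padding": classify_padding(bits, indicator_pos + 1, rbs_present),
    }


if __name__ == "__main__":
    # Constructed samples: standard padding, random padding, and a real anomaly.
    print(decode_si6_tail(bytes([0x2B, 0x2B, 0x2B]), 7))
    print(decode_si6_tail(bytes([0x2A, 0x9E, 0x51]), 7))
    print(decode_si6_tail(bytes([0x2B, 0xFF]), 7))
```

The third sample shows that the "malformed" verdict is still reachable: with the indicator clear, trailing bits that do not follow 0x2B are genuinely unexpected, so the patch narrows the warning rather than silencing it.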
Add a generated item showing the pseudowire type for the session
to L2TP data packets.
Use ccid instead of tunnel id in the info column for L2TPv3
Consistently use hex for SIDs and CCIDs in L2TPv3 instead of a mix
of hex and decimal.
Remove some unnecessary whitespace in info column
Include the L2-Specific Sublayer length in the L2TP length
Put the L2-Specific Sublayer in the L2TP tree instead of the root tree
Along with previous commits, fix #16565.
Since we define DIG_MD5 (0x40) to DIG_SM3 (0x45) in
epan/dissectors/packet-tls-utils.h
and in ssl_cipher_suite_dig,
we use cs->dig - DIG_MD5 to retrieve from digests,
so we should add SM3 to digests
A few of the minor usability improvements mentioned in #16565.
Account for the cookie length in the protocol length, and
simplify some of the accounting.
Rename the "Packet Type" item as "Flags" because it contains
several different boolean flags. Add it as a bitmask instead
of with a separate tree, which provides a better summary.
Remove the l2tp.session_id field that duplicated l2tp.sid
(but only in L2TP over IP data messages)
Instead of registering subdissectors to arbitrary Wireshark
assigned numbers, register them to the actual pseudowire type
number assigned by IANA and present in the Pseudowire Type AVP.
Half of the previously registered types were never used, because
the dissector table could not be called with their Wireshark
internal number.
This makes it easier to add dissectors to support currently
unsupported but assigned types, and also makes it more intuitive
to use Decode As when the PW Type AVP is not present. Previously,
the dissector for the "default" type of CHDLC had to be changed to
a different subdissector.
RFCs 2661 and 3931 say that L2TPv2 and L2TPv3 use a TFTP-like method
of selecting ports. The initiator picks a source port (which may or
may not be 1701, the IANA assigned L2TP port), and sends a message to
1701; the recipient picks a free port (which may or may not be 1701)
and replies to the initiator's chosen port and address, and the
conversation from then on uses the chosen ports.
In practice, due to NAT, firewalls, etc., most implementations just
use a symmetric predetermined L2TP port. To support both methods
we use one-sided conversations with one port omitted. Fix the lookup
of the reverse conversation. Part of #16565.
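A compact Python model of the one-sided conversation lookup that message describes, added here for illustration; it is not Wireshark's conversation API. A conversation is keyed by (addr A, port A, addr B, port B) with port B omitted while the responder's port is unknown, and a reply is found by looking it up in the reverse direction with the responder's port wildcarded. The class and function names, `ANY_PORT`, and the four-packet trace (initiator 10.0.0.1:40000, responder replying from 50000) are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

L2TP_PORT = 1701                  # IANA assigned port the initiator sends to
ANY_PORT: Optional[int] = None    # stands in for "port B omitted" (one-sided)

Key = Tuple[str, int, str, Optional[int]]


class ConversationTable:
    """Simplified conversation table keyed by (addr_a, port_a, addr_b, port_b)."""

    def __init__(self) -> None:
        self._table: Dict[Key, dict] = {}

    def add(self, addr_a: str, port_a: int, addr_b: str, port_b: Optional[int]) -> dict:
        conv = {"a": (addr_a, port_a), "b": (addr_b, port_b)}
        self._table[(addr_a, port_a, addr_b, port_b)] = conv
        return conv

    def find(self, src: str, sport: int, dst: str, dport: int) -> Optional[dict]:
        # Exact match in either direction first. A one-sided conversation was
        # created from the initiator's side, so a reply (the reverse direction)
        # must be looked up with the initiator as side A and port B wildcarded.
        candidates: Tuple[Key, ...] = (
            (src, sport, dst, dport),
            (dst, dport, src, sport),
            (src, sport, dst, ANY_PORT),
            (dst, dport, src, ANY_PORT),
        )
        for key in candidates:
            conv = self._table.get(key)
            if conv is not None:
                return conv
        return None

    def learn_port(self, conv: dict, addr_b: str, port_b: int) -> None:
        """Once the responder's chosen port is seen, replace the one-sided key."""
        self._table.pop((*conv["a"], *conv["b"]), None)
        conv["b"] = (addr_b, port_b)
        self._table[(*conv["a"], addr_b, port_b)] = conv


def l2tp_packet(table: ConversationTable, src: str, sport: int, dst: str, dport: int):
    """Find or create the conversation for one L2TP packet, as a dissector would."""
    conv = table.find(src, sport, dst, dport)
    if conv is None:
        # First packet: initiator -> 1701. The responder's port is not known yet,
        # and may or may not turn out to be 1701 (symmetric case).
        conv = table.add(src, sport, dst, ANY_PORT)
        return conv, "new"
    if conv["b"][1] is ANY_PORT and (src, sport) != conv["a"]:
        table.learn_port(conv, src, sport)  # reply reveals the responder's port
        return conv, "reverse (port learned)"
    return conv, "existing"


def tftp_like_exchange() -> Tuple[List[str], Tuple[str, int]]:
    """Constructed trace: initiator picks 40000, responder replies from 50000."""
    table = ConversationTable()
    results = []
    for pkt in [("10.0.0.1", 40000, "10.0.0.2", L2TP_PORT),  # SCCRQ
                ("10.0.0.2", 50000, "10.0.0.1", 40000),      # SCCRP from a new port
                ("10.0.0.1", 40000, "10.0.0.2", 50000),      # SCCCN to the learned port
                ("10.0.0.2", 50000, "10.0.0.1", 40000)]:
        _, how = l2tp_packet(table, *pkt)
        results.append(how)
    return results, table.find("10.0.0.1", 40000, "10.0.0.2", 50000)["b"]


if __name__ == "__main__":
    print(tftp_like_exchange())
```

The same code handles the symmetric deployment: if the responder answers from 1701, the reverse one-sided lookup still hits and `learn_port` records 1701 instead of 50000.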