90 Commits

Author SHA1 Message Date
Dario Lombardo 4f636d100e eap: check scanf return value (CID 1373396).
Change-Id: I4b602110fc3959dd7214fe15e9c37e3870794c1d
Reviewed-on: https://code.wireshark.org/review/17967
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
2016-09-28 13:17:36 +00:00
Dario Lombardo 870822b9c6 eap: add imsi to wlan identity dissection.
Change-Id: Ic8ff4e1846e8c0a11ee19ffbc4897635388dfa62
Reviewed-on: https://code.wireshark.org/review/17888
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-09-25 07:27:58 +00:00
Dario Lombardo 2fa327ae0c eap: fix cast warning.
Change-Id: I94a4a927c91552f58ecec3d0d78efcf699bf77de
Reviewed-on: https://code.wireshark.org/review/17881
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2016-09-23 10:25:20 +00:00
Dario Lombardo 064f4d18db eap: dissect eap wlan identity.
EAP identities can be of different kinds. This change adds a sort
of heuristic that dissects the wlan identity in the form of
<imsi>@wlan.mnc<mnc>.mcc<mcc>.3gppnetwork.org. A general purpose
dissection function, acting as a proxy, has been created to make
room for other specific dissections.

Bug: 12921
Change-Id: Ic48aee004fa7df5ee4dbeca091ed31616d155890
Reviewed-on: https://code.wireshark.org/review/17796
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-09-23 04:32:46 +00:00
Guy Harris d7fe514fc0 Improve support for single-character fields and filter expressions.
Add an FT_CHAR type, which is like FT_UINT8 except that the value is
displayed as a C-style character constant.

Allow use of C-style character constants in filter expressions; they can
be used in comparisons with all integral types, and in "contains"
operators.

Use that type for some fields that appear (based on the way they're
displayed, or on the use of C-style character constants in their
value_string tables) to be 1-byte characters rather than 8-bit numbers.

Change-Id: I39a9f0dda0bd7f4fa02a9ca8373216206f4d7135
Reviewed-on: https://code.wireshark.org/review/17787
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-09-19 02:51:13 +00:00
Guy Harris 205b67f7c9 The full identity string was added above.
Change-Id: I0945cb9cb6a9d5ccf3756b887654d73a28035a49
Reviewed-on: https://code.wireshark.org/review/17768
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-09-17 20:45:30 +00:00
Guy Harris db839fc525 Update a comment.
In one of the two cases where we treat the first byte of an identity as
a prefix, we know it's EAP-AKA.  (In the other, we do *not* know that!)

Change-Id: I16625f7193eb3ab0840739ec37dbd64e2a5a0fb5
Reviewed-on: https://code.wireshark.org/review/17767
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-09-17 20:27:08 +00:00
Guy Harris 39c3ddf861 Fix handling of EAP identity.
There's no guarantee that the identity is a string whose first character
is a prefix indicating the type of identity; only display it as a prefix
if it's one of the known types.  We really may need some other mechanism
to determine how to parse the identity, perhaps based on what the
protocol layers below it are.

Put back the display of the full string in one case where that was
inadvertently removed.

Change-Id: I2e3324f964fa25ebd7065ddb0de82ffae6597509
Reviewed-on: https://code.wireshark.org/review/17764
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-09-17 20:14:39 +00:00
Martin Kaiser ede1af20ba eap: make eap_identity_prefix a numeric item
This used to be a string item, its value was not 0-terminated. This
resulted in out-of-bounds mem access when eap_identity_prefix was used
by proto_tree_add_string_format().

==14744== Conditional jump or move depends on uninitialised value(s)
==14744==    at 0x4C294F8: strlen (mc_replace_strmem.c:390)
==14744==    by 0xC19C97F: g_strdup (gstrfuncs.c:355)
==14744==    by 0x739CA75: string_fvalue_set_string (ftype-string.c:51)
==14744==    by 0x67136A9: proto_tree_add_string (proto.c:3515)
==14744==    by 0x6713870: proto_tree_add_string_format (proto.c:3547)
==14744==    by 0x69BB494: dissect_eap (packet-eap.c:838)
==14744==    by 0x66FD0B4: call_dissector_work (packet.c:649)

As the content is a number anyway, the simplest solution is to make
eap_identity_prefix a numeric item and use
proto_tree_add_uint_format_value().

Bug: 12913
Change-Id: I907b1d3555a96e9662b1d8253d17d35adfdada48
Reviewed-on: https://code.wireshark.org/review/17760
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-09-17 19:49:49 +00:00
Martin Kaiser 983a9691a9 eap: (trivial) reformat a comment
Change-Id: I2c8a8066f1591004ace6362e24be57b6cec747d1
Reviewed-on: https://code.wireshark.org/review/17762
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
2016-09-17 17:13:06 +00:00
Martin Kaiser 3c83afa472 eap: remove unnecessary if (tree) checks
Change-Id: If42a5d610eea7c7818a0d37dd5878c84ba7f7d81
Reviewed-on: https://code.wireshark.org/review/17761
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
2016-09-17 17:12:55 +00:00
Dario Lombardo 547a5c8c9e eap: add identity details.
Change-Id: I60e017ac48d9daf52b8a40809625dc1ae09c9d8e
Reviewed-on: https://code.wireshark.org/review/17735
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-09-16 15:24:22 +00:00
Peter Wu f2e79776a7 eap: fix EAPOL conversation tracking, fixes TLS decryption
Use new heuristics based on the EAP Code field to determine whether a
field originates from the client or server. This is more reliable than
using "pinfo->match_uint" for two reasons: (1) the heuristics dissector
does not set "match_uint" (resulting in an arbitrary match on the
previous value) and (2) with EAP over EAPOL, there is no matching port
number (resulting in two conversations with different addresses and port
number zero).

To fix TLS decryption, make sure to create a single conversation for
both directions and allow the port type to be PT_NONE (to avoid reporting
all packets as originating from the server).

Bug: 12879
Change-Id: I7b4267a27ffcf68bf9d3f6a90d6e6e2093733f51
Reviewed-on: https://code.wireshark.org/review/17703
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-09-15 04:25:08 +00:00
Michael Mann 9bcac48403 Manually add protocol dependencies derived from find_dissector.
Started by grepping call_dissector_with_data, call_dissector_only and call_dissector and traced the handles passed into them to a find_dissector within the dissector.  Then replaced find_dissector with find_dissector_add_dependency and added the protocol id from the dissector.
"data" dissector was not considered to be a dependency.

Change-Id: I15d0d77301306587ef8e7af5876e74231816890d
Reviewed-on: https://code.wireshark.org/review/14509
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-20 12:48:48 +00:00
Dario Lombardo 948e08d942 eap-sim: add identity in response only.
Change-Id: I352600ac8895358816ebb561e5ac841a3498892b
Reviewed-on: https://code.wireshark.org/review/14267
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2016-03-01 22:40:36 +00:00
Guy Harris 099698445b Move the proto data stuff out of frame_data.[ch].
It's not tied to the frame_data structure any more, so it belongs by
itself.

Clean up some #includes while we're at it; in particular, frame_data.h
doesn't use anything related to tvbuffs, so don't have it gratuitously
include tvbuff.h.

Change-Id: Ic32922d4a3840bac47007c5d4c546b8842245e0c
Reviewed-on: https://code.wireshark.org/review/13518
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-25 02:24:34 +00:00
Guy Harris bc5a0374bf Add the packet number to the packet_info structure, and use it.
That removes most of the uses of the frame number field in the
frame_data structure.

Change-Id: Ie22e4533e87f8360d7c0a61ca6ffb796cc233f22
Reviewed-on: https://code.wireshark.org/review/13509
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-24 03:41:28 +00:00
Michael Mann 31a54708f4 new_register_dissector -> register_dissector for dissector directory.
Change-Id: Ie39ef054a4a942687bd079f3a4d8c2cc55d5f22c
Reviewed-on: https://code.wireshark.org/review/12485
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-09 12:38:06 +00:00
Peter Wu 80f7ee063d Call reassembly_table_destroy for some dissectors
This patch adds reassembly_table_destroy calls as cleanup function for
dissectors which have a simple init routine that just calls
reassembly_table_init (comments are ignored).

The changes were automatically generated using
https://git.lekensteyn.nl/peter/wireshark-notes/diff/one-off/cleanup-rewrite.py?id=4cc0aec05dc67a51926a045e1955b7a956757b5e
(with the if and assignment parsers disabled).

The only difference from the autogenerated output is that the XXX
comments from the init routines in smb-pipe and tds dissectors are kept.

Change-Id: I64aedf7189877247282b30b0e0f83757be6199e7
Reviewed-on: https://code.wireshark.org/review/9222
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-07-03 23:34:28 +00:00
Evan Huus 958cef5d68 Remove more deprecated tvb_length
Change-Id: Iac23a6c804ad3720d37186559477909b2ff33eb2
Reviewed-on: https://code.wireshark.org/review/9042
Reviewed-by: Evan Huus <eapache@gmail.com>
2015-06-23 00:19:41 +00:00
Bill Meier b5d7b7ab6e Cleanup use of #includes in non-generated epan/dissector/*.c
Specifically:
- Set packet.h to be the first wireshark #include after
   config.h and "system" #includes.
   packet.h added as an #include in some cases when missing.
- Remove some #includes included (directly/indirectly) in
   packet.h. E.g., glib.h.
   (Done only for those files including packet.h).
- As needed, move "system" #includes to be after config.h and
   before wireshark #includes.
- Rework various #include file specifications for consistency.
- Misc.

Change-Id: Ifaa1a14b50b69fbad38ea4838a49dfe595c54c95
Reviewed-on: https://code.wireshark.org/review/5923
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Bill Meier <wmeier@newsguy.com>
2014-12-21 05:46:22 +00:00
Michael Mann 9d5f9141af Eliminate proto_tree_add_text from some dissectors.
Other minor cleanup while in the area.

Change-Id: Id8d957d3d68a2e3dd5089f490bd59d773e1be967
Reviewed-on: https://code.wireshark.org/review/3427
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2014-08-05 07:36:26 +00:00
Michael Mann f7987091ba convert to proto_tree_add_subtree[_format]
Change-Id: I525ac2aae2bdbfd5f3a2f3b35f1bf10dde053f66
Reviewed-on: https://code.wireshark.org/review/2667
Tested-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2014-06-26 11:41:10 +00:00
Michael Mann 14824e6adf Revert "Fixup: tvb_* -> tvb_captured"
https://www.wireshark.org/lists/wireshark-dev/201406/msg00131.html

This reverts commit 246fe2ca4c.

Change-Id: Ib24bae0198c13a84bd7f731bf4af921212109a8f
Reviewed-on: https://code.wireshark.org/review/2430
Reviewed-by: Michael Mann <mmann78@netscape.net>
2014-06-19 18:25:59 +00:00
Dario Lombardo 246fe2ca4c Fixup: tvb_* -> tvb_captured
Change-Id: I9209c1271967405c34c1b6fa43e1726a4d3a5a3f
Reviewed-on: https://code.wireshark.org/review/2377
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2014-06-18 14:14:58 +00:00
Alexis La Goutte 296591399f Remove all $Id$ from top of file
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')

Manually fix some typos (in export_object_dicom.c and crc16-plain.c)

Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2014-03-04 14:27:33 +00:00
Evan Huus a6415ece0a Rename a couple of to_str functions to have ep_ in the name. This makes it
obvious that the returned string is ephemeral, and opens up the original names
in the API for versions that take a wmem pool (and thus can work in any scope).

svn path=/trunk/; revision=54249
2013-12-19 15:49:09 +00:00
Michael Mann 9b7fb8a811 Create the ability to have packet scoped "proto" data. Bug 9470 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9470)
I'm not sold on the name or module the proto_data functions live in, but I believe the function arguments are solid and give us the most flexibility for the future.  And search/replace of a function name is easy enough to do.

The big driving force for getting this in sooner rather than later is the saved memory on ethernet packets (and IP packets soon), that used to have file_scope() proto data when all it needed was packet_scope() data (technically packet_info->pool scoped), strictly for Decode As.

All dissectors that use p_add_proto_data() only for Decode As functionality have been converted to using packet_scope().  All other dissectors were converted to using file_scope() which was the original scope for "proto" data.

svn path=/trunk/; revision=53520
2013-11-23 02:20:13 +00:00
Bill Meier 2ac134b3c5 whitespace fixes; mostly: remove trailing blanks
svn path=/trunk/; revision=52591
2013-10-13 19:56:52 +00:00
Pascal Quantin 07c29e74e9 Convert a few more dissectors to wmem API
svn path=/trunk/; revision=52052
2013-09-15 09:12:01 +00:00
Jakub Zawadzki 5fa2a99087 Keep result of [new_]register_dissector in some dissectors.
svn path=/trunk/; revision=51156
2013-08-05 18:09:43 +00:00
Jakub Zawadzki a18172147f Remove fragment_data, add fragment_head, fragment_item - for now alias it to the same structure.
This is the beginning of work to split fragment head and fragment items.

svn path=/trunk/; revision=50708
2013-07-17 21:12:24 +00:00
Jakub Zawadzki c766e78cfa Rewrite reassemble API to use TVBs instead of raw data.
(it seems to be working for TCP ^^)

svn path=/trunk/; revision=50580
2013-07-14 14:42:05 +00:00
Michael Mann 0f0c111119 Remove check_col() and the occasional tree.
svn path=/trunk/; revision=49920
2013-06-14 01:02:11 +00:00
Michael Mann 2ee48f150d Batch of filterable expert infos.
svn path=/trunk/; revision=49868
2013-06-10 02:18:55 +00:00
Anders Broman 85a8e304dd Add the possibility to use a key for per-packet-data.
svn path=/trunk/; revision=49259
2013-05-12 18:11:02 +00:00
Guy Harris a2414d8909 Don't wire into the reassembly code the notion that reassemblies should
be done on flows from one address to another; reassembly for protocols
running atop TCP should be done on flows from one TCP endpoint to
another.

We do this by:

	adding "reassembly table" as a data structure;

	associating hash tables for both in-progress reassemblies and
	completed reassemblies with that data structure (currently, not
	all reassemblies use the latter; they might keep completed
	reassemblies in the first table);

	having functions to create and destroy keys in that table;

	offering standard routines for doing address-based and
	address-and-port-based flow processing, so that dissectors not
	needing their own specialized flow processing can just use them.

This fixes some mis-reassemblies of NIS YPSERV YPALL responses (where
the second YPALL response is processed as if it were a continuation of
a previous response between different endpoints, even though said
response is already reassembled), and also allows the DCE RPC-specific
stuff to be moved out of epan/reassembly.c into the DCE RPC dissector.

svn path=/trunk/; revision=48491
2013-03-22 23:59:54 +00:00
Anders Broman 2e52e2ac99 [-Wmissing-prototypes]
Use explicit casts.

svn path=/trunk/; revision=48347
2013-03-17 09:11:21 +00:00
Bill Meier a4128c56b9 General cleanup:
- Use/create extended value strings as appropriate;
- Reformat hf[] entries;
- Do whitespace, & etc changes to use a consistent formatting style;
- Reformat some long lines;
- Localize some variables; remove some unneeded initializers;
- expert...() shouldn't be called under 'if (tree)' (packet-wimaxasncp);
- Move proto_register...() & etc to the end of the file (packet-ieee80211);
- Misc.

svn path=/trunk/; revision=46489
2012-12-10 14:50:32 +00:00
Jeff Morriss 2552c750e5 We always HAVE_CONFIG_H so don't bother checking whether we have it or not.
svn path=/trunk/; revision=45017
2012-09-20 02:03:38 +00:00
Jakub Zawadzki 5a8783f5b1 Initial commit to support yet another method of passing data between dissectors.
Add new parameter 'data' to heur_dissector_t and new_dissector_t, for now it's always NULL

svn path=/trunk/; revision=44860
2012-09-10 21:40:21 +00:00
Jeff Morriss aa5d9d78dd From Robert Bullen via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7683 :
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.

tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.

My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.

The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.

svn path=/trunk/; revision=44802
2012-09-07 02:09:59 +00:00
Pascal Quantin a24fa25716 Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7430 :
Dissection of EAP-SIM and EAP-AKA is broken

svn path=/trunk/; revision=43560
2012-07-03 20:07:53 +00:00
Jakub Zawadzki bf81b42e1e Update Free Software Foundation address.
(COPYING will be updated in next commit)

svn path=/trunk/; revision=43536
2012-06-28 22:56:06 +00:00
Chris Maynard 4902b4d857 Remove a few of "if (tree)" checks surrounding expert_add_info_format().
svn path=/trunk/; revision=43054
2012-06-04 06:22:50 +00:00
Jeff Morriss 2e11463277 Fix some more hf encodings.
svn path=/trunk/; revision=42434
2012-05-05 00:19:49 +00:00
pascal 570d20a978 From Nick Lowe:
Add a security warning if EAP-LEAP or EAP-MD5 is seen.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7020

svn path=/trunk/; revision=42102
2012-04-16 18:36:01 +00:00
Anders Broman d5f59e4efa From Nick Lowe:
Improve names for the EAP types, add missing definition. 

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7020

svn path=/trunk/; revision=42092
2012-04-16 08:47:18 +00:00
Alexis La Goutte 1d10278073 Clean up indentation (use 2 spaces)
Add Modelines info

svn path=/trunk/; revision=42027
2012-04-11 19:37:56 +00:00
Alexis La Goutte a14b4f57a9 Update Extensible Authentication Protocol (EAP) Registry (2011-02-22)
svn path=/trunk/; revision=42026
2012-04-11 19:36:09 +00:00