- start decoding when we have eapol1+2 packets
Do not insist on a complete captured handshake, decode what we can.
- more robust way to detect eapol #2 packets
At least Win 10 is violating the spec on rekey by setting the secure
bit in #2. Unpatched version shows and handles #2 as #4, breaking
decoding after rekey.
- fixed eapol rekey key handling
Inital patch (see https://code.wireshark.org/review/8268)
is adding redundant keys, since it scans all the time
and not only once.
- ignore tailing garbage after eapol sections in frame
See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9065#c8
Included testcase to test decode for incomplete handshakes and eapol2
packets with secure bit set on rekey.
Ping-Bug: 9065
Change-Id: Id775088db9b5aaa80da9efdeed6902d024b5c0cd
Reviewed-on: https://code.wireshark.org/review/11484
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Add a test suite for mergecap (and indirectly capinfos I guess).
This is not exhaustive, but it's a start.
Change-Id: I9442b4c32e31a74b1673961ad6ab50821441de3e
Reviewed-on: https://code.wireshark.org/review/10082
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
SSL traffic from tshark with -o ssl.keys_list.
For example, as used in a new test also added in this commit:
-o "ssl.keys_list: 127.0.0.1,9131,http,$TEST_KEYS_DIR/key.p12,WebAS"
Change-Id: Ia6960fa4ae88182277f6d22d84ec9170ea74d54e
Reviewed-on: https://code.wireshark.org/review/8746
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This patch extends the existing decryption support for WPA to also
handle rekeys by checking each decrypted packet for a 4-way-handshake.
Rekeys can be used for WPA-PSK, but are more common with WPA-Enterprise
(WPA-EAP).
For decrypting WPA-EAP secured packets the user must provide all used PMK's
of the connection (aka PSK's) as WPA-PSK 32 byte hex values to wireshark
via the existing interface.
(The capture must have all 4-way-handshakes included also, starting with
the first unencrypted one.)
Every decrypted unicast packet will habe the used PMK and TK shown in the
CCMP/TKIP section below the key index in the GUI. Group packets will display the
GTK instead.
Additionally this fixes a small issue with group rekey handling, so every packet
can be selected in the GUI in random order, removing the need to manually find
the correct group keying packets prior to that.
It was tested primary with WPA-CCMP, but TKIP is also working.
One section in the code touch bluetooth 802.1X support. It should do
exactly the same, but will now also examine all decypted packets for rekeys.
Ping-Bug: 11172
Change-Id: I19d055581fce6268df888da63485a48326046748
Reviewed-on: https://code.wireshark.org/review/8268
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Provide a way for Lua-based dissectors to invoke tcp_dissect_pdus()
to make TCP-based dissection easier.
Bug: 9851
Change-Id: I91630ebf1f1fc1964118b6750cc34238e18a8ad3
Reviewed-on: https://code.wireshark.org/review/6778
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Hadriel Kaplan <hadrielk@yahoo.com>
This was suggested in review 2297. Capture and key are from bug 7951.
Bug: 7951
Change-Id: I820c5e839b20ec464cc1be438633d5311f657fb2
Signed-off-by: Alex Badea <abadea@ixiacom.com>
Reviewed-on: https://code.wireshark.org/review/4143
Reviewed-by: Evan Huus <eapache@gmail.com>
This adds the ability for a Lua script to register expert info fields,
similar to C-code dissectors. This change also removes the need for
the expert_add_info_format_internal() function. Existing Lua scripts
do not have to change, because the existing expert info function
uses the internal "_ws.lua" protocol instead of nothing; but using
the new functionality provides more benefits since it correctly
registers the expert info fields to the dissector's protocol.
The test suite was amended to generate both old and new forms.
Change-Id: Ib5ae74e927cfa81312baf7b04ff4104b0b4f936e
Reviewed-on: https://code.wireshark.org/review/830
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The testsuite for Lua file reader/writer uses the acme_file.lua script to
generate a pcapng file from an Acme sipmsg.log file. It then compares the
tshark verbose output of this new pcapng file to a sip.pcapng file in
the test/captures directory that was previously made. Unfortunately, the
acme_file.lua script generates a timestamp based on local system timezone,
rather than UTC, so the testsuite fails if not run in the EST timezone where
the sip.pcapng file was originally made. This has now been fixed.
Also, trying to register new weak heuristic readers fails because the GArray
is terminated with a NULL-based row without Glib knowing about that. So this
commit changes it to let Glib handle the NULL-terminated row, so that appending
takes it into account automatically.
Change-Id: I037ce1cfbda03585b3a1e159df78ff8ebb41fc32
Reviewed-on: https://code.wireshark.org/review/741
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This enables a Lua script to implement a brand new capture file format reader/writer, so that for example one could write a script to read from vendor-specific "logs" of packets, and show them as normal packets in wireshark.
Change-Id: Id394edfffa94529f39789844c382b7ab6cc2d814
Reviewed-on: https://code.wireshark.org/review/431
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This adds the ability for Lua scripts to register heuristic dissectors
for any protocol that has registered a heuristic dissector list, such
as UDP, TCP, and ~50 others. The Lua function can also establish a
conversation tied to its Proto dissector, to avoid having to check the
heuristics for the same flow. The example dissector in the testsuite
has also been enhanced to include a heuristic dissector, to verify
the functionality and provide an example implementation.
Change-Id: Ie232602779f43d3418fe8db09c61d5fc0b59597a
Reviewed-on: https://code.wireshark.org/review/576
Reviewed-by: Anders Broman <a.broman58@gmail.com>
rename the existing SSL test to clarify that it uses the server's
private key for decryption
Change-Id: I13598fc4cf724b144a8f27bfa7a3316acfc78728
Reviewed-on: https://code.wireshark.org/review/640
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
Several bugs have been introduced due to changing of perl scripts or #define names, such
that things exported into Lua have dissapeared or changed unintentionally. This commit
adds a test suite which compares the Lua global table with the ones from previous
releases (1.8 and 1.10), to verify nothing has gone missing. New items can be added, but
old ones cannot go away. The added script to verify these things, called 'verify_globals.lua',
also has the ability to display what's new - i.e., what was not in the olrder releases.
Lastly, this commit also fixes a bug: MENU_STAT_ENDPOINT became MENU_STAT_ENDPOINT_LIST
due to a change in the make-init-lua.pl perl script in this 1.11 release.
Change-Id: Iba143d1a436e706970635a5f8cc2b317955392bf
Reviewed-on: https://code.wireshark.org/review/284
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
Several bugs have been introduced due to changing of perl scripts or #define names, such
that things exported into Lua have dissapeared or changed unintentionally. This commit
adds a test suite which compares the Lua global table with the ones from previous
releases (1.8 and 1.10), to verify nothing has gone missing. New items can be added, but
old ones cannot go away. The added script to verify these things, called 'verify_globals.lua',
also has the ability to display what's new - i.e., what was not in the olrder releases.
Lastly, this commit also fixes a bug: MENU_STAT_ENDPOINT became MENU_STAT_ENDPOINT_LIST
due to a change in the make-init-lua.pl perl script in this 1.11 release.
Change-Id: Ic46172904256dc535b0fe4543237c07dddb3b9b5
Reviewed-on: https://code.wireshark.org/review/242
Reviewed-by: Evan Huus <eapache@gmail.com>
This isn't super-fancy, but it runs a simple protocol dissector and verifies the tshark output
matches what it expects. Things like Proto, ProtoField, Field, Tvb, TvbRange, etc., are used
in an example dissector script - it dissects DNS... partially. Enough to make sure things
aren't fundamentally broken. This provides something to add on top of later as well.
Change-Id: Icf3c8e9534944bcf4c4f6150f02a9a43f999cd75
Reviewed-on: https://code.wireshark.org/review/126
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
file. That should be loaded no matter what if we have name resolution
enabled.
Add a name resolution test suite. Currently disabled until I can test it
on Windows.
svn path=/trunk/; revision=49657
Alexander Wetzel