Age | Commit message (Collapse) | Author | Files | Lines |
|
Add README because this stuff is somewhat obscure and move XSLT
file to DOCDIR because it is not used by wireshark directly.
|
|
Install documentation to DOCDIR instead of DATADIR.
The code must be fixed to open the Help URLs from
this new path.
This only affects Unix-like FHS platforms. Windows
installation does its own thing.
Needs testing with macOS packaging.
|
|
DFTest is a private test utility and isn't installed anywhere.
I don't think it makes sense to maintain a man page. Certainly
doesn't make sense to ship it.
The doc file is understandably minimal so just nuke it.
|
|
Set our ld library path and our data, extcap, and plugin directories.
Document WIRESHARK_EXTCAP_DIR and WIRESHARK_PLUGIN_DIR. Note that we
might want to set our various directories relative to the program path.
|
|
Add a section about FRAMENUM_TYPE to the 'strings' field
section of README.dissector
|
|
When reading a packet capture with capinfos on a system with
FIPS 140-2 enabled, libgcrypt will abort for any non approved
algorithm. In this case the RIPEMD 160.
|
|
Assertions can be enabled/disabled using WS_DISABLE_DEBUG. The extra
granularity afforded by WS_DISABLE_ASSERT seems unnecessary.
|
|
Unused bytes in SLL Link Layer address can be random bytes.
Which makes the duplicate check think the packets are different.
Even if the unused bytes was the only difference.
This flag enables editcap to set the unused bytes to zeros to enable
the duplicate check to detect duplicates.
|
|
Update manuf, services enterprise numbers, translations, and other items.
|
|
|
|
|
|
|
|
|
|
Copy over the "layer operator" section from the wireshark-filter man
page.
Fix the "at operator" level in the wireshark-filter man page.
|
|
|
|
This adds new syntax to read a field from the tree as bytes, instead
of the actual type. This is a useful extension for example to match
matformed strings that contain unicode replacement characters. In
this case it is not possible to match the raw value of the malformed
string field. This extension fills this need and is generic enough
that it should be useful in many other situations.
The syntax used is to prefix the field name with "@". The following
artificial example tests if the HTTP user agent contains a particular
invalid UTF-8 sequence:
@http.user_agent == "Mozill\xAA"
Where simply using "http.user_agent" won't work because the invalid byte
sequence will have been replaced with U+FFFD.
Considering the following programs:
$ dftest '_ws.ftypes.string == "ABC"'
Filter: _ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <FT_STRING>)
1 FVALUE("ABC" <FT_STRING>)
Instructions:
00000 READ_TREE _ws.ftypes.string <FT_STRING> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == "ABC" <FT_STRING>
00003 RETURN
$ dftest '@_ws.ftypes.string == "ABC"'
Filter: @_ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <RAW>)
1 FVALUE(41:42:43 <FT_BYTES>)
Instructions:
00000 READ_TREE @_ws.ftypes.string <FT_BYTES> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 41:42:43 <FT_BYTES>
00003 RETURN
In the second case the field has a "raw" type, that equates directly to
FT_BYTES, and the field value is read from the protocol raw data.
|
|
Fixes: #18507
|
|
The function tvb_get_const_stringz() does not check for a string
encoding and returns a pointer to a byte array. For this reason
it should not be used. Prefer other functions that return a
valid UTF-8 string from a source encoding or use tvb_get_ptr()
to fetch a byte pointer.
|
|
Make the cloudtrail-aws-profile and cloudtrail-aws-region settings
prefilled selection lists. Make them editable as well.
|
|
Add an "editselector" argument type, which lets the user override a
predefined selection list with a custom value.
|
|
|
|
If a plugin has an "enum" + array in its configuration, convert it to a
selector option.
Start adding plugin sections to the falcodump man page.
|
|
Add a command line option --log-fatal-domains= and environment variable
WIRESHARK_LOG_FATAL_DOMAINS that aborts the programs if a domain in
the list is logged to.
Negative matches for fatal log domains not implemented for now,
pending a relevant use-case.
|
|
Add a Service Response Time table for GTPv2, similar to that
for GTPv1. Update the tshark docs to mention it.
|
|
|
|
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question. For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.
Dissectors can handle this in various ways:
For example, the dissector could attempt to determine the protocol over
which the packet was transported.
Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.
Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.
Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.
An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code. Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols. This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.
Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.
So:
We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).
We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.
We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags. (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)
We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.
We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appeaers that a descriptive name,
rather than a short API name, should be used. (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
|
|
Split our macOS application bundle variables into Wireshark- and
Logray-specific ones. Make sure Logray's PkgInfo and CFBundleSignature
match.
|
|
Add an extcap that fetches a scap from a Falco/libsinsp plugin. Tested
using the cloudtrail plugin.
|
|
|
|
|
|
Update the sample dissector for some best practices,
and avoid some deprecated behavior.
Use register_protocol instead of creating an anonymous
dissector handle, so that Lua, Export PDU, custom
User DLT disection, etc. can find it. (See #5612)
Use auto preferences and prefer port ranges when possible
(See #14319)
|
|
|
|
Make sure we captitalize Python and use its HTTPS URL.
|
|
Remove the redundant BASE_FLOAT field display type. The name
BASE_FLOAT is meaningless and the value aliased to BASE_NONE.
Require BASE_NONE instead of BASE_FLOAT (corresponding to
the printf() %g format).
Add new float display types using BASE_DEC, BASE_HEX and BASE_EXP
corresponfing to %f, %a and %e respectively.
Add support for BASE_CUSTOM with floats.
|
|
|
|
Dependencies need to be set via add_custom_command.
|
|
Update fvalue_t definition in README.display_filter.
|
|
Port the script that creates docbook/wsluarm_src/*.adoc to Python3.
Ping #18152.
|
|
Changes:
- The tool now recognizes which software is running on a device - IOS, IOS XE
or ASA. Based on it, it uses correct sequence of commands to setup
capture, read captured packets and clear the capture.
- The tool reads packets on the fly so you don't have to wait till
--remote-count of packets is reached.
- The tool reads timestamps from capture on the device for IOS and ASA (on
IOS-XE, there is no timestamp in dump).
- Except Windows platform the tool handles early stop of capture on the device
and clear of capture buffer on the device (it finish the capture).
- There are special interface names to allow the tool to generate
specific capture types.
- Documentation updated.
Closes #17672.
|
|
Harden the code a little and alternate the mac address to allow
the code to be used for testing conversation and endpoint dialog.
Also transmit integer values not as ascii representations and include
a data packet that allows for reassembly to be tested
|
|
|
|
Make some scripts executable and use the shebang line recommended at
https://docs.python.org/3/using/unix.html#miscellaneous
|
|
Port the script that creates init.lua to Python3. The generated init.lua
removes one newline and adds another, otherwise the output is identical
to the Perl version.
Ping #18152.
|
|
Port the script that creates taps_wslua.c and taps.txt to Python3. The
generated taps_wslua.c has one less newline, otherwise the output is
identical to the Perl version. Make the "taps" configuration file an
ConfigParser / .ini file.
Ping #18152.
|
|
Use "True" or "TRUE" instead of "true" and remove case insensivity.
Same for false. This should serve to differentiate booleans a bit
more from protocol names, which should be using lower-case.
|
|
Port the script that creates AUTHORS-SHORT to Python3.
Ping #18152.
|
|
Port the script that creates
declare_wslua.h and register_wslua.c
to Python3.
Ping #18152.
|
|
Update a couple of ftype descriptions and update the list in the
wireshark-filter man page.
|
|
|
|
|