Age | Commit message | Author | Files | Lines |
|
Have the ethernet dissector pass the reported FCS length (which
might be, and probably is, just the value from the Ethernet FCS
preference) to heuristic dissectors on top of Ethernet like
Cisco FabricPath. Heuristic dissectors don't return the consumed
bytes, and non-Ethernet frames with the Ethernet encapsulation
might do something different than what is reported, such as not
have the FCS when real Ethernet frames do, or even have a different
calculation.
In FabricPath, if we know that the FCS is there, calculate it and
slice it off. If it's not, don't. If we don't know, don't slice it
off, because if it's not there, that will cause errors from making
the packet too short. However, also tell the next Ethernet dissector
that we definitely don't have an FCS, because if it _is_ there then
the calculation has to be done including the FabricPath header, and
so the Ethernet dissector can't do it. This will leave it as an
undissected trailer.
In a perfect world, all captures would use formats like pcapng and
indicate for a given interface the expected FCS length in an IDB, and
for particular packets that had a different value than the default
(e.g., an F5 FileInfo packet) would indicate in per-packet flags
the FCS for that packet. That doesn't usually happen.
So probably people who have FabricPath captures _with_ an FCS (#15769)
will need to set the Ethernet FCS preference to get it dissected.
Fix #19989.
|
|
Ping #19116
|
|
Ping #19116
|
|
Ping #19116
|
|
It's being calculated on the source MAC address correctly, but
attached to the destination tree item.
Fixup 4995e9a8d5b6f50eb9649d2e680669b196624bd3
|
|
Ping #19116
|
|
Switch the is_filter_valid_func callback to a bool.
Fix the register_tap_listener documentation and remove the
follow_print_line_func typedef while we're here.
Ping #19116
|
|
The C standard requires that objects with static storage duration
are initialized to zero.
|
|
With the aid of a script, convert our boolean preferences from gboolean
to bool.
Ping #19116
|
|
Build on !13975 to add human-readable descriptions for all heuristic
dissector tables in Wireshark.
Chosen names are meant to give some info on when a heuristic dissector
lookup will be made. Terms like 'fallback' are used when the heuristic
is only consulted if other checks do not result in dissection, for
example.
People with more intimate knowledge of the protocols and dissectors
involved are encouraged to suggest or implement better descriptions.
|
|
A tap_id is never 0, so initializing tap variables to -1 is not
necessary.
|
|
Remove init of proto, header field, expert info and subtree variables.
This will reduce the binary size by approximately 1266320 bytes due to
using .bss to zero-initialize the fields.
The conversion is done using the tools/convert-proto-init.py script.
|
|
Pass the "payload_offset" value to add_ethernet_trailer, as
used in ethertype (and generally 14 for full frames). This
allows computing the "frame length including addresses before
any tags or trailers were added" which is often where padding
actually starts. This fixes detection of padding vs trailer
with ISL (see Sample Captures page) as well as a large number
of tag formats (802.1AD, etc.), at least when PADDING_ZERO is set.
For PADDING_ANY, continue to use the old length method.
This also allows passing the payload length post-ethertype/length
field to the trailer subdissectors, which allows the PRP dissector
to be converted from a postdissector to an eth trailer heuristic
dissector.
When we are in "maybe FCS" mode, call the heuristic dissectors
twice if need be, once with and once without the putative FCS.
As these are heuristic dissectors, they can't indicate the number
of bytes consumed, so if there's a trailer but also an FCS later,
returning TRUE for the trailer prevents us from detecting an
FCS. (Some heuristic trailer dissectors have loops to deal with
possible padding after the trailer and will return TRUE the first
time; we still can't deal with this. Perhaps they should only
skip before zeros in their loops; in no case are multiple trailers
handled well, previously or now.)
Fix MACsec padding, trailer, and FCS detection when the short length
field is present by calling set_actual_length. The current workaround
has issues because it's only in effect for the next ethertype call
(where fcs_len is 0), not the previous one.
Don't allow computing the FCS when we don't actually have the
entire frame. Most tag dissectors calling the ethertype dissector
a second time set fcs_len to 0 because of this already.
Fix #15884, #17068, #17067
The first two will work automatically in default auto detect mode.
For #17067 this requires setting the "Fixed ethernet trailer length"
pref in ethernet to the PRP size; the more general problem of
autodetecting any FCS or trailer after the MACsec ICV (for non
short length) continues to need a different solution.
Add some relevant comments about still unsolved issues.
|
|
Create a public function in `epan/proto.c` to dissect a single MAC-48
address. Encapsulates the name and OUI resolution, and the LG and IG
bit parsing.
Created after observing that `packet-ieee80211.c` does not resolve the
OUI or IG/LG bits for WLAN fields (`wlan.ra`, `wlan.da`, `wlan.sa`,
`wlan.bssid`) the way that `packet-eth.c` does.
This change modifies `packet-eth.c` and `packet-ieee80211.c`
to use the new function.
Add IG/LG bits
|
|
With Data or Ethernet for the moment...
|
|
Add user data to conversation filters. Use it to provide necessary data
in the Falco Bridge dissector.
|
|
This change adds support for trivially-encapsulated MCTP protocols,
starting with NCSI-over-MCTP.
We need to handle this slightly differently from the existing MCTP-based
protocols (MCTP control protocol and NVMe-MI), as the inner protocol is
unaware of the type byte and (optional) checksum trailer. So, add a new
dissector table, "mctp.encap-type" for these, meaning we can just hook
into the raw NC-SI dissector.
We also add the type definition for MCTP-over-ethernet, as defined in
the NCSI-over-MCTP specification.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
|
|
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
|
|
More {host, hostlist} -> endpoint.
|
|
It's an endpoint table, not a table of hosts.
|
|
The "conversation table" mechanism supports two types of tables, one for
the "Conversations" menu item under "Statistics" and one for the
"Endpoints" menu item under "Statistics". The first of them shows
statistics for conversations at various layers of the networking stack;
the second of them shows statistics for endpoints at various layers of
the networking stack.
The latter is *not* a table of hosts; an endpoint might be a host,
identified by an address at some network level (MAC, IP, etc.), or it
might be a port on a host, identified by an address/port pair.
Some data types, function names, etc. use "host" or "hostlist" or other
terms that imply that an endpoint is a host; change them to speak of
endpoints rather than hosts, using names similar to the corresponding
functions for conversations.
Provide wrapper functions and typedefs for backwards source and binary
compatibility; mark them as deprecated in favor of the new names.
Clean up some comment errors found in the process.
|
|
Instead of registering subdissectors to arbitrary Wireshark
assigned numbers, register them to the actual pseudowire type
number assigned by IANA and present in the Pseudowire Type AVP.
Half of the previously registered types were never used, because
the dissector table could not be called with their Wireshark
internal number.
This makes it easier to add dissectors to support currently
unsupported but assigned types, and also makes it more intuitive
to use Decode As when the PW Type AVP is not present. Previously,
the dissector for the "default" type of CHDLC had to be changed to
a different subdissector.
|
|
Allows packets to be filtered but marked and not removed from the
tap listing. Additionally a total is calculated for all rx/tx frames
and bytes
|
|
This allows flags to be passed by the registering listener
to the collection of information
|
|
Allow export PDU taps to be registered with a wiretap encapsulation
instead of always using WTAP_ENCAP_WIRESHARK_UPPER_PDU. This allows
creating normal capture files that aren't tied to Wireshark without
having to do an "editcap -C -L -T", as well as creating files in
formats other than pcapng and pcap with tshark.
Provide a couple sample implementations in Ethernet (WTAP_ENCAP_ETHERNET)
and IP (v4 and v6, WTAP_ENCAP_RAW_IP) that are the most common use cases.
(I can imagine a few others; WTAP_ENCAP_MPEG_2_TS could probably be
useful, for example.) Fixes #15141
|
|
Use macros from inttypes.h.
|
|
Replace the "assume_fcs" preference with a "fcs" tri-state preference
that has three options: use the FCS preference (still the default),
assume no FCS, and assume FCS is present. Fix #10457, #11597, #15303.
Also fix previous behavior where the assume_fcs preference always
overrode wiretap even if the pseudoheader indicated that there
definitely was no FCS on the packet.
|
|
Automated find/replace of wmem_packet_scope() with pinfo->pool in all
files where it didn't cause a build failure.
|
|
Different header, with a different size, an additional field, and with
fields being in a different order.
Distinguish between V1 and V2 by giving the version.
That means we can no longer use the "ethertype" dissector as it stands,
because the packet type field isn't at the end of the header, right
before the payload; pull the "add the type field to the protocol tree"
functionality out of the "ethertype" dissector and leave it up to the
dissector calling it.
Change-Id: I72b8a2483c0a539919fbe5d35fd7e60bff4bf75a
Reviewed-on: https://code.wireshark.org/review/37169
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
|
|
wiretap/erf_record.h has declarations for records in ERF files and in
LINKTYPE_ERF packets in pcap and pcapng files.
wiretap/erf-common.h has declarations of routines to be called by
pcap/pcapng reader code when processing LINKTYPE_ERF packets.
wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with
the tables of file readers and writers.
Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa
Reviewed-on: https://code.wireshark.org/review/37021
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
|
|
Ethernet frame padding for short frames _should_ be zeros. Replace
the assume_padding preference with the padding preference that by default
will only consider consecutive zeros long enough to reach the minimum
ethernet length to be padding. The old behaviors are preserved.
Never (old FALSE) and Any (old TRUE - old default)
The old behavior broke some trailer dissectors when the trailer was
added before the determination of needing padding was made. Thus the
ethernet dissector would consume some of the trailer as padding.
Bug: 16481
Change-Id: I6b9e1d26d07d84cb768eece5e44412e23dfe37ca
Reviewed-on: https://code.wireshark.org/review/36691
Reviewed-by: Jason Cohen <kryojenik2@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
ACDR is a protocol over UDP that is used by AudioCodes devices for
recording traffic to and from the device.
It adds a header to each packet that contains extra data about the packet.
For some packet types (like SIP), it also appends the IP and UDP/TCP
headers of the sent/received packet.
The dissector unwraps the ACDR header, and displays the packets with the
original type (and when available, with the original addresses).
Bug: 16275
Change-Id: I19ad90053a2ef73da80881dc5e94aa362de23ea3
Reviewed-on: https://code.wireshark.org/review/35417
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
For the same reason as in g89c9d909.
Change-Id: I5e344ebdf8ba05d169484aa32b409d84edc6124f
Reviewed-on: https://code.wireshark.org/review/34943
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Bug: 15393
Change-Id: I931813ce3492557a5673e6bbd0269d34c0d550b2
Reviewed-on: https://code.wireshark.org/review/31416
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
The local and group address flags are shared between destination and
source addresses. This makes filtering difficult sometimes. Create
unique fields for them, while moving the existing fields into hiding.
This breaks the output format tests, so the baseline files need to be
updated as well. At the same time document how this can be done.
Bug: 15955
Change-Id: I849bb306f044c09d4ed0836fe92fef8981912500
Reviewed-on: https://code.wireshark.org/review/34139
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Convert our various PROTO_ITEM_ macros to inline functions and document
them.
Change-Id: I070b15d4f70d2189217a177ee8ba2740be36327c
Reviewed-on: https://code.wireshark.org/review/32706
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Ethernet checksum offloading seems to be common nowadays, similar to
IPv4, IPv6, TCP, and UDP. Disable FCS validation by default. Suggested
by Laura Chappell at SharkFest US '18.
Change-Id: Icf0e262c65ad328a58da9bd78f3aefbefa2f9394
Reviewed-on: https://code.wireshark.org/review/28477
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Change-Id: I7c0a92eaa914a48a2ccdf77ba867f6673767a671
Reviewed-on: https://code.wireshark.org/review/28333
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
At the moment, Lua dissectors always pass a NULL data parameter, so
dissectors like eth should gracefully handle that.
Bug: 14293
Change-Id: Ida4d0530a9c417db5960475274315d4acc3704a8
Fixes: v2.1.0rc0-1575-g8ec153f938 ("Have the "maybe an FCS" version of the Ethernet dissector take a data argument.")
Reviewed-on: https://code.wireshark.org/review/26431
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change-Id: I6604c764d4b354653280891c8bf50a73954370b3
Reviewed-on: https://code.wireshark.org/review/25994
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
|
|
Change-Id: I92c94448e6641716d03158a5f332c8b53709423a
Reviewed-on: https://code.wireshark.org/review/25756
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|