- removed mptcp.duplicated_dsn in favor of mptcp.reinjection_of/mptcp.reinjected_in
reinjected_in lists the packets where the DSN was later reinjected in.
reinjection_of lists the packets in which this DSN was already transmitted.
- There was a bug where the max_edge property of the interval tree was not
correctly updated. Right now wireshark gives a dsn for every TCP frame (even
empty packets).
- Now displays mappings only for packets with data (seglen > 0).
- Renamed dsn_map to dsn2packet_map and mappings to ssn2dsn_mappings.
- precises the complexity of enabling certain MPTCP options so that the user
better understands their impact on processing speed.
Change-Id: I24adc3161021b7f6a084763a74dc580f1c1f2c2e
Reviewed-on: https://code.wireshark.org/review/28326
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Currently out-of-order segments will result in cutting a stream into
two pieces while the out-of-order segment itself is ignored. For
example, a stream of segments "ABDCE" is interpreted as "AB", "DE" with
"C" ignored. This behavior breaks TLS decryption or prevents application
layer PDUs (such as HTTP requests/responses) from being reconstructed.
To fix this, buffer segments when a gap is detected.
The proposed approach extends the "multi-segment PDU" (MSP) mechanism
which is normally used for linking multiple, sequential TCP segments
into a single PDU. When a gap is detected between segments, it is
assumed that the segments within this gap are out-of-order and will be
received (or retransmitted) later.
The current implementation has a limitation though, if multiple gaps
exist, then the subdissector will only be called when all gaps are
filled (the subdissector will receive segments later than necessary).
For example with "ACEBD", "ABC" can already be processed after "B" is
received (with "E" still buffered), but due to how MSP are extended, it
must receive "D" too before it reassembles "ABCDE". In practice this
could mean that the request/response times between HTTP requests and
responses are slightly off, but at least the stream is correct now.
(These limitations are documented in the User's Guide.)
As the feature fails at least the 802.11 decryption test where packets
are missing (instead of OoO), hide this feature behind a preference.
Tested with captures containing out-of-order TCP segments from the
linked bug reports, comparing the effect of toggling the preference on
the summary output of tshark, the verbose output (-V) and the two-pass
output (-2 or -2V). Captures marked with "ok" just needed "simple"
out-of-order handling. Captures marked with "ok2" additionally required
the reassembly API change to set the correct reassembled length.
This change does "regress" on bug 10289 though when the preference is
enabled as retransmitted single-segment PDUs are now passed to
subdissectors. I added a TODO comment for this unrelated cosmetic issue.
Bug: 3389 # capture 2907 (HTTP) ok
Bug: 4727 # capture 4590 (HTTP) ok
Bug: 9461 # capture 12130 (TLS/HTTP/RPC-over-HTTP +key 12131) ok
Bug: 12006 # capture 14236 (HTTP) ok2; capture 15261 (HTTP) ok
Bug: 13517 # capture 15370 (HTTP) ok; capture 16059 (MQ) ok
Bug: 13754 # capture 15593 (MySQL) ok2
Bug: 14649 # capture 16305 (WebSocket) ok
Change-Id: If3938c5c1c96db8f7f50e39ea779f623ce657d56
Reviewed-on: https://code.wireshark.org/review/27943
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Change-Id: I92c94448e6641716d03158a5f332c8b53709423a
Reviewed-on: https://code.wireshark.org/review/25756
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
The spurious retransmission check operates on the last-seen
acknowledgment in the reverse direction. Adjust the analysis logic so
that it is checked independently of the forward sequence number.
Update the documentation accordingly.
Change-Id: I3714f44398501a581f967c61e119fe95f90209b1
Reviewed-on: https://code.wireshark.org/review/21769
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
This allows for much easier anonymized captures for protocols running
atop TCP/UDP.
Added support for "TCP dissector data" tag within export PDU (34) so that
the tcpinfo struct that TCP dissector normally passes to its subdissectors
can be saved.
Change-Id: Icd63c049162332e5bcb2720159e5cf8aac893788
Reviewed-on: https://code.wireshark.org/review/16285
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
The preference is disabled by default and saves a little
bit of memory for those that don't get process information
from IPFIX.
Change-Id: I4b6a106d156862a8d53bf2ad5ee88ea857637815
Reviewed-on: https://code.wireshark.org/review/15139
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
sequence analysis.
That way they only need to be allocated if analysis is being done.
Inspired by https://www.wireshark.org/lists/wireshark-dev/201604/msg00218.html
Ping-Bug: 12367
Change-Id: I797e5b305133d85a2a89688109cc3a218d0a9e88
Reviewed-on: https://code.wireshark.org/review/15138
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Adds options that control depth of MPTCP analysis, notably:
- if mptcp_relative_seq is enabled, can display relative MPTCP sequence
numbers
- if mapping analysis is allowed, can tell in which packets the DSS
mappings covering this data was sent
- if intersubflow checks are enabled, it can check for retransmissions
over other subflows
Change-Id: I82b934513c9f16affb60c066a1fbcca234ffc999
Reviewed-on: https://code.wireshark.org/review/12316
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Added tcp.analysis.push_bytes_sent to see how many bytes sent since the last PSH flag. Can be useful when analyzing application behavior and performance and bytes_in_flight gets altered by ACKs
Change-Id: I8c6348de43cdb1545169d3a04773885d2411eb00
Reviewed-on: https://code.wireshark.org/review/9822
Reviewed-by: Jasper Bongertz <jasper@packet-foo.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
There are no longer any "old" dissectors, so "new_" is redundant.
Change-Id: I5fee51228c2a8562166f5991e1f30c2c697e45c8
Reviewed-on: https://code.wireshark.org/review/13273
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Create a "registration" system for Follow functionality so most of the work can be abstracted into a dissector and GUI can just be responsible for "display".
This also removes the global variables in follow.c to open up multithreading possibilities.
TCP, UDP and HTTP all have the same "tap interface" for Follow functionality (passing a tvb with byte data to "follow"). SSL still has its own behavior, so Follow structures have to take that into account.
TShark through the Follow registration now has support for HTTP.
The only thing possibly missing is dynamic menu generation to further reduce explicit knowledge of Follow "type" (and rely on registration)
Bug: 11988
Change-Id: I559d9ee1312406ad0986d4dce9fa67ea2103b339
Reviewed-on: https://code.wireshark.org/review/13161
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Have subdissectors do the bit math checking for particular flag bits.
Change-Id: Ie6350e316f79af879be9fc512ce215f24449a7e5
Reviewed-on: https://code.wireshark.org/review/13071
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Have the TCP dissector pass FIN bit to subdissectors (HTTP only one currently using it) so subdissector can use information to determine that no more segments are coming.
Bug: 9848
Change-Id: I4aebb5141f41d99598e4776bf25e74101016f5d1
Reviewed-on: https://code.wireshark.org/review/12984
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Change-Id: Idb4e4d6d19169d6cacd98664232fd1fbd2cc2dca
Reviewed-on: https://code.wireshark.org/review/11534
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Change-Id: Ib08036ce72bf84c4cca0b30f53d7f953aea379e1
Reviewed-on: https://code.wireshark.org/review/11054
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Matthieu Coudron <matthieu.coudron@lip6.fr>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Similar to TCP:
- Maps TCP connections to their respective MPTCP stream (mptcp.stream)
based on the token/key.
- Ability to distinguish master subflow and to list subsequent subflows
- Can display relative MPTCP data sequence signal (DSS) sequence numbers/acks
(mptcp.dss.dsn/mptcp.dss.ack), or absolute values
(tcp.options.mptcp.rawdataack)
- Adds an MPTCP panel in Preferences
- fixes RM_ADDR analysis (i.e., it can contain several address ids)
- adds an MPTCP tap to list conversations in tshark -z "conv,mptcp"
Change-Id: I2766aa2f534c25b0f583ef84c20e74c7b2fa496e
Reviewed-on: https://code.wireshark.org/review/10577
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
If we're seeing only one side of a conversation (we're not seeing any ACKs)
then things get really, really slow as the number of unacked segments grows.
1000 is, of course, an arbitrary limit.
Bug: 11589
Change-Id: I42652965b736da50122c722e6ac386c4d481e57f
Reviewed-on: https://code.wireshark.org/review/10971
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Originally suggested by Bill Meier for the MQTT protocol[1], but the
Websocket protocol can also benefit from this. Since
DESEGMENT_ONE_MORE_SEGMENT is a valid packet length, use the zero length
instead as an indicator that the length is not yet known.
Updated documentation too and remove the function documentation from
packet-tcp.c since it is duplicated in packet-tcp.h.
A noteworthy WSDG change is that the get_pdu_len parameter of
tcp_dissect_pdus gained another void pointer since
v1.99.2rc0-890-gceb8d95 ("Lua: Expose tcp_dissect_pdus() to Lua").
[1]: https://www.wireshark.org/lists/wireshark-dev/201405/msg00044.html
Change-Id: I4eba380e00cd757635eb5639c2857356dae3171e
Reviewed-on: https://code.wireshark.org/review/7279
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
|
|
Provide a way for Lua-based dissectors to invoke tcp_dissect_pdus()
to make TCP-based dissection easier.
Bug: 9851
Change-Id: I91630ebf1f1fc1964118b6750cc34238e18a8ad3
Reviewed-on: https://code.wireshark.org/review/6778
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Hadriel Kaplan <hadrielk@yahoo.com>
|
|
-z "follow,udp" tshark cli command now supports a stream index
It is now possible to select the UDP stream displayed in Qt GUI (like for TCP)
Change-Id: Ia367f36ea4f60db0fddb997a7e0903c09e172f2d
Reviewed-on: https://code.wireshark.org/review/6083
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
|
|
restore it.
Change-Id: I13197cc48068bb35ee12a7023cfe5f76bbc4e264
Reviewed-on: https://code.wireshark.org/review/5486
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
enabled
tcp_analysis::base_seq could be set several times when the
TCP ISN was set to 0, thus inducing some undesired wraps such as 0-1
Bug: 10713
Change-Id: I69a0dfe677e93bf51015bf7a39ebf888631b12a4
Reviewed-on: https://code.wireshark.org/review/5387
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
|
|
Change-Id: I4497f1b8b6eab0e576d9dd31b732965f9a6679c6
Reviewed-on: https://code.wireshark.org/review/4124
Reviewed-by: Bill Meier <wmeier@newsguy.com>
|
|
This (if it works well) will let us do much more accurate out-of-order
detection, which is currently otherwise hardcoded to 3ms. Ask Jörg for details.
Change-Id: Ie0662723946edeaea1e43958bf7f5158f09dde71
Reviewed-on: https://code.wireshark.org/review/2367
Reviewed-by: Evan Huus <eapache@gmail.com>
|
|
Change-Id: Ibce3f3351bfc89c069a02380c776680a1c78e12c
Reviewed-on: https://code.wireshark.org/review/1926
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Fixes the following clang warning:
epan/follow.c:397:20: error: equality comparison with extraneous parentheses [-Werror,-Wparentheses-equality]
if ( ((sequence) == (seq[src_index])) ) {
~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
epan/follow.c:397:20: note: remove extraneous parentheses around the comparison to silence this warning
if ( ((sequence) == (seq[src_index])) ) {
~ ^ ~
epan/follow.c:397:20: note: use '=' to turn this equality comparison into an assignment
if ( ((sequence) == (seq[src_index])) ) {
^~
=
Change-Id: Ic257bbc598e17f854b671056887ca1a13dcea850
Reviewed-on: https://code.wireshark.org/review/928
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typos (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
"new" style dissectors.
Now that "bytes consumed" can be determined, should tcp_dissect_pdus() take advantage of that?
Should tcp_dissect_pdus return length (bytes consumed)? There are many dissectors that just call tcp_dissect_pdus() then return tvb_length(tvb). Seems like that could all be rolled into one.
svn path=/trunk/; revision=53198
|
|
pinfo->private_data.
svn path=/trunk/; revision=53036
|
|
svn path=/trunk/; revision=52591
|
|
Add get_tcp_stream_count() to the TCP dissector and modify
graph_segment_list_get() to allow matching based solely on a stream.
Use text instead of icons for the mouse click behavior buttons. Remove
their PNG resources since we aren't using them any more. Fix setting the
cursor in the graph widget.
svn path=/trunk/; revision=51989
|
|
svn path=/trunk/; revision=51043
|
|
feature in Qtshark
svn path=/trunk/; revision=50819
|
|
data stream", only the first FIN segment is reported with the
reassembled packet.
Show the TCP fragment tree *before* processing the payload, so it's
shown even if processing the payload throws an exception.
svn path=/trunk/; revision=48915
|
|
Also remove old WS_VAR_IMPORT define and related Makefile magic
everywhere in the project.
svn path=/trunk/; revision=47992
|
|
number of SACK ranges found in the SACK option.
This involved extending the IP options framework to include an extra
void* data field, which in the case of TCP is filled in with the tap
struct - other users currently pass NULL.
I first implemented the graph to sort the SACK ranges and show (in red)
the unacknowledged regions between them, but this became confusing where
the number of ranges is limited by TCP padding bytes. i.e. you can't
tell how many SACKs could have been encoded, so some of the gaps between
ranges may already have been received.
svn path=/trunk/; revision=46006
|
|
(COPYING will be updated in next commit)
svn path=/trunk/; revision=43536
|
|
The Wireshark and tshark TCP conversations stats tables aggregate reused connections into a single line item
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7248
svn path=/trunk/; revision=42806
|
|
TCP picks wrong sub-dissector if both dissector choices have the same "minimum segment size"
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7008
svn path=/trunk/; revision=41954
|
|
ack number to the lookup key (which was previously just the frame number).
This helps with situations where multiple segments of the same TCP
conversation can be found in the same frame in a capture (e.g. with LTE
user-plane traffic carried in logged MAC or RLC frames).
svn path=/trunk/; revision=41788
|
|
are present. However, still only create the graph for the first/only
one.
LTE MAC or RLC frames often contain multiple SDUs that are segments of
the same TCP conversation - this avoids the need to find a frame with
only one SDU.
svn path=/trunk/; revision=41721
|
|
bits, so its type needs to be changed from an FT_UINT8 to an FT_UINT16. This should avoid the crash experienced by Lanell Allen as reported on -dev: http://article.gmane.org/gmane.network.wireshark.devel/24846 (although in my testing on Windows XP SP3 (32-bit), Wireshark did not crash).
svn path=/trunk/; revision=40949
|
|
numbering is causing too many questions. Also, numbering could be different for the same file when viewed on different Wireshark versions, which could lead to confusion too.
(see also: http://ask.wireshark.org/questions/5056/how-does-wireshark-calculate-the-tcp-stream-index)
svn path=/trunk/; revision=38056
|
|
Introduced a new tcp state variable: maxseqtobeacked, this is the
maximum seq number that can be acked by the rev party in normal case.
This new state variable only serves the proper detection of
tcp.analysis.ack_lost_segment indicator, and decouples it from the detection of
tcp.analysis.lost_segment indicator.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6081
svn path=/trunk/; revision=37922
|
|
the discussion in bug 5541. Since we now have the window size value as
well as the scaled window size, there is no need anymore for the
tcp preference "tcp_window_scaling".
svn path=/trunk/; revision=35425
|
|
the header length in the high nibble. The only new flag is nonce (NS);
the remaining three bits are still reserved.
svn path=/trunk/; revision=34084
|
|
TCP bytes_in flight becomes inflated with lost packets
This patch suspends Bytes-in-Flight calculation when missing packets are detected.
svn path=/trunk/; revision=33994
|
|
svn path=/trunk/; revision=33930
|
|
svn path=/trunk/; revision=32972
|
|
svn path=/trunk/; revision=29499
|