Age | Commit message (Collapse) | Author | Files | Lines |
|
Tested with a sample pcap file containing an GSM GM packet (Attach
Request) with an MS Radio Access Capabilities IE containing several entries.
TODO:
* Check if by dropping the ad-hoc decoder we lose support/features.
* Drop de_gmm_ms_radio_acc_cap and replace it with
de_gmm_ms_radio_acc_cap_rlcmac(), since there are other users of that
function in other protocol dissectors. Then all benefit from the
change. More than 1k lines of code can be dropped.
* Some general clean up required
Change-Id: I096eafcb5ca31d0ad1fa63561f43853ee4e7a40f
|
|
|
|
|
|
|
|
|
|
In 3GPP 26.449 Codec for Enhanced Voice Services (EVS); Comfort Noise Generation
(CNG) aspects, Computational details and bit allocation:
For the EVS primary modes, the SID payload consists of 48 bits. The first bit of
the payload determines the CNG scheme, where 0 stands for the LP-CNG and 1 for
the FD-CNG.
|
|
Set all pointers in Proto to NULL and check for valid pointers when
wslua_deregister_protocols().
Fixes #17668
|
|
|
|
Removed the type_id check when dissecting user data. That check avoids
dissection in valid cases.
|
|
|
|
Dissect MCX IE present in 802.11 packets like Beacon, Assoc Req, Assoc Res ...
|
|
Handle uTP payload to the bittorrent dissector.
Implement dissect PDUs to handle more than one bittorrent PDU
in a uTP payload.
Implement basic multisegment PDU tracking; not enough to actually
desegment, but enough to provide a hint to the start offset of the
next PDU when a PDU does span segments. (Provided that they're in
order, but OOO handling isn't implemented yet either.)
Improves #8792.
|
|
In 3GPP 26.449 Codec for Enhanced Voice Services (EVS); Comfort Noise Generation
(CNG) aspects, Computational details and bit allocation:
For the EVS primary modes, the SID payload consists of 48 bits. The first bit of
the payload determines the CNG scheme, where 0 stands for the LP-CNG and 1 for
the FD-CNG.
|
|
Closes #17666
|
|
Related spec: 3GPP TS 24.008 Table 10.5.146
|
|
The APDU information element in Perform Location Request and Perform
Location Information messages is optional and not mandatory, as seen in
3GPP 49.031. This commit fixes a regression introduced in ga6ed603f5c.
Closes #17667
|
|
Updated UUIDs to match new version from 1st October 2021
Change-Id: Ifab0296389fe3815f7ce9b15de841e8675faba32
|
|
|
|
Try to make sure protocolID and saved_protocolID are initialized before
we use them. Another attempt at fixing #16342, #17664, and related bugs.
|
|
This fixes suite_unittests failures when adding new Bluetooth UUID
related contsants
|
|
Fixes #17635.
|
|
Fixes #17661.
|
|
|
|
Should be more obvious that this error is caused
by a string syntax error and not something else.
|
|
Matches is a special case that looks on the RHS and tries
to convert every unparsed value to a string, regardless
of the LHS type. This is not how types work in the display
filter. Require double-quotes to avoid ambiguity, because
matches doesn't follow normal Wireshark display filter
type rules. It doesn't need nor benefit from the flexibility
provided by unparsed strings in the syntax.
For matches the RHS is always a literal strings except
if the RHS is also a field name, then it complains of an
incompatible type. This is confusing. No type can be compatible
because no type rules are ever considered. Every unparsed value is
a text string except if it happens to coincide with a field
name it also requires double-quoting or it throws a syntax error,
just to be difficult. We could remove this odd quirk but requiring
double-quotes for regular expressions is a better, more elegant
fix.
Before:
Filter: tcp matches "udp"
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp.srcport
dftest: tcp and udp.srcport are not of compatible types.
Filter: tcp matches udp.srcportt
Constants:
00000 PUT_PCRE udp.srcportt -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
After:
Filter: tcp matches "udp"
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp
dftest: "udp" was unexpected in this context.
Filter: tcp matches udp.srcport
dftest: "udp.srcport" was unexpected in this context.
Filter: tcp matches udp.srcportt
dftest: "udp.srcportt" was unexpected in this context.
The error message could still be improved.
|
|
It is always an error to chain regexes using the logic for "le" and "eq".
var matches "regex1" matches "regex2"
=> var matches "regex1" and "regex1" matches "regex2"
Before:
Filter: tcp matches "abc$" matches "^cde"
dftest: Neither "abc$" nor "^cde" are field or protocol names.
Filter: "abc$" matches tcp matches "^cde"
dftest: Neither "abc$" nor "tcp" are field or protocol names.
After:
Filter: tcp matches "abc$" matches "^cde"
dftest: "matches" was unexpected in this context.
Filter: "abc$" matches tcp matches "^cde"
dftest: "matches" was unexpected in this context.
|
|
Bluetooth LE SMP protocol uses Little-endian byte order. Convert
Bluetooth LE Secure Connections debug public key to Little-endian
byte order to fix the problem that dissector did not properly
identify debug keys when they were used during the pairing.
|
|
Some enhancements and visual fixes to version 3 dissector are also included.
|
|
This statement is at the top of the function, calls itself recursively
without changing any state, reaches the max recursion level, and then
travels back up the stack adding expert infos and returning -1, and
then at the end always causes a variable to be set to a known value.
Remove all that, and just set the variable to the value it's going to
have anyway. This speeds things up a lot and prevents adding dozens
of expert infos to dictionaries without otherwise changing the
behavior, which does seem to work.
|
|
The handling of unparsed values was rationalized by commits
c484ad0e5c6cadcda02a7079aa53b76be418c391 and
144dc1e2eefbb3e19b78ccb4a8c2c57bba9c212b. Update this comment
to reflect the new behavior.
|
|
Reducing the namespace for protocol names makes the display filter grammar
simpler and less ambiguous and error prone. We can't easily impose
stricter restrictions without breaking backward compatibility but names
starting with '-' are a pathological case because of negative numbers
and byte slices and in the unlikely event that any such names exist
they should be fixed.
|
|
Should be faster.
|
|
Add support for websocket fragmented payload reassembly.
|
|
It won't work with embedded null bytes so don't try. This is
not an additional restriction, it just removes a hidden failure
mode. To support matching embedded NUL bytes we would have
to use an internal string representation other than
null-terminated C strings (which doesn't seem very onerous with
GString).
Before:
Filter: http.user_agent == 41:42:00:43
Constants:
00000 PUT_FVALUE "AB" <FT_STRING> -> reg#1
Instructions:
00000 READ_TREE http.user_agent -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
After:
Filter: http.user_agent == 41:42:00:43
Constants:
00000 PUT_FVALUE "41:42:00:43" <FT_STRING> -> reg#1
Instructions:
00000 READ_TREE http.user_agent -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
|
|
FT_PROTOCOL and FT_BYTES are the same semantic type, but one is
backed by a GByteArray and the other by a TVBuff. Use the same
semantic rules to parse both. In particular unparsed strings
are not converted to literal strings for protocols.
Before:
Filter: frame contains 0x0000
Constants:
00000 PUT_FVALUE 30:78:30:30:30:30 <FT_PROTOCOL> -> reg#1
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_CONTAINS reg#0 contains reg#1
00003 RETURN
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
After:
Filter: frame contains 0x0000
dftest: "0x0000" is not a valid byte string.
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
Related to #17634.
|
|
|
|
In many cases, the "value offset" is actually the value itself.
Handle those cases correctly.
|
|
The Linux SocketCAN header now uses the formerly-reserved byte in the
SocketCAN header after the "payload length" field as an "FD flags"
field, with a flag bit reserved to indicate whether the frame is a
classic CAN frame or a CAN FD frame, with two other bits giving frame
information for FD frames.
For LINKTYPE_CAN_SOCKETCAN, use that flag bit to determine whether the
frame is classic CAN or CAN FD. As some older LINKTYPE_CAN_SOCKETCAN
captures have SocketCAN headers in which the fields after the "payload
length" field were uninitialized, so trust that thge "FD flags" was
filled in, rather than possibly randomly uninitialized, only if the only
bits set in that field are the bits defined to be in that field and the
two reserved bytes after it are zero.
This will be needed when the current main-branch libpcap is released, as
it uses LINKTYPE_CAN_SOCKETCAN rather than LINKTYPE_LINUX_SLL for
ARPHRD_CAN devices; we add it now to future-proof the Wireshark releases
to which this is being committed. It also handles what existing CAN FD
captures using LINKTYPE_CAN_SOCKETCAN exist.
For LINKTYPE_LINUX_SLL frames, we have the protocol field to distinguish
between classic CAN and CAN FD, so we use that to determine the frame
type, rather than looking at the CANFD_FDF flag.
dissect_socketcan_common() now handles both classic CAN and CAN FD
frames.
|
|
The uninitialized memory causes access violations printing
duplicated nodes.
Fixes 5dd90e3b30a98956a9c1db9dfd068964b36d8757.
|
|
|
|
Always use the internal API to access "deprecated" and initialize
the data structure on demand. This fixes a null pointer dereference
introduced previously.
Use reference counting to share the array cleanly and avoid memory
leaks.
Keep the pointer in dfwork_t.
|
|
The lexical rules for fields and unparsed strings are ambiguous,
e.g. "fc" can be the protocol fibre channel or the byte 0xfc.
In general a name is determined to be a protocol field or not by
checking the registry.
Resolving the name in the parser gives more flexibility, for example
to use different semantic rules according to the relation between
LHS and RHS, and allows function names and protocol names to co-exist
without ambiguity.
Before:
Filter: tcp == 1
Constants:
00000 PUT_FVALUE 01 <FT_PROTOCOL> -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
Filter: tcp() == 1
dftest: Syntax error near "(".
After:
Filter: tcp == 1
Constants:
00000 PUT_FVALUE 01 <FT_PROTOCOL> -> reg#1
Instructions:
(same)
Filter: tcp() == 1
dftest: Function 'tcp' does not exist
It's also a goal to make it easier to modify the lexer rules.
Ping #12810.
|
|
|
|
|
|
|
|
|
|
|
|
Fixes #17649.
|
|
Change-Id: Icce8f7a30caf0d52c01b20b8535a1f157a1e4f56
|
|
Change-Id: I914f4aae11b4c459a6db0d7b18ab81b73747fd58
|