Age | Commit message (Collapse) | Author | Files | Lines |
|
Fields such as 'frame.time_delta' have no byte selection, they are added
with offset 0 and length 0, and evidently 'ws_tvb' is NULL. As
tvb_bytes_to_str expects a non-NULL tvb, explicitly check for this and
add a dummy placeholder. This is intended to be a human-readable string,
so prefer `<EMPTY>` over an empty string.
Change-Id: I32efe4cbefc6bcf0fa9fb94fcf25d7bf1628f3a7
Reviewed-on: https://code.wireshark.org/review/36440
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
CCMP-256 decryption support is only available with libgcrypt >= 1.6 so
skip corresponding test if lib is too old.
Fixes: v3.3.0rc0-733-geed31f13be ("ieee80211: Add CCMP-256 decryption support")
Change-Id: I6145f2ec49e19d1356915b9b1d8da54332a4a16a
Reviewed-on: https://code.wireshark.org/review/36414
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Add support for decrypting GCMP/GCMP-256 encrypted IEEE 802.11 traffic
Bug: 16197
Change-Id: I907d772665141c8be10a9f4a187bd76594c8d2e4
Reviewed-on: https://code.wireshark.org/review/36346
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Add support for decrypting CCMP-256 encrypted IEEE 802.11 traffic
Bug: 16197
Change-Id: I0c9ee09e5b71cb02e6d2381049fd5bbb02686f7f
Reviewed-on: https://code.wireshark.org/review/36344
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Run Wireshark tests on macOS only if SECURITYSESSIONID. If this isn't
reliable enough we might be able to get away with running a small UI
utility, e.g. `pbpaste > /dev/null`.
Change-Id: Ieccb87bcc1312f02c22ec2905a80437bf136d964
Reviewed-on: https://code.wireshark.org/review/36195
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
Update existing tests to the new smb2_seskey_list syntax and add new
tests for decrypting using different combinations of provided keys.
Change-Id: I86fda351ff736cae6029ec2321c45a02c1917226
Reviewed-on: https://code.wireshark.org/review/36137
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
When dissecting a capture made in the middle of an existing encrypted
session we cannot decrypt the traffic because we don't know:
* what SMB dialect and encryption algorithm was picked during the
session establishment
* which host is the server and which host is the client
Since we know the decrypted payload always starts with a valid header
we use this as an heuristic and try all possible decryption settings.
Change-Id: I1daa297ced98e62cf361b9022871c668e56f8f4b
Reviewed-on: https://code.wireshark.org/review/36136
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Previously users could only give a session key via
uat:smb2_seskey_list:<id>,<seskey>
which was used to generate the decryption keys, as long as the trace
contained the session establishement.
Users have often asked about how to decrypt traffic captured in the
middle of an existing session but this wasn't possible.
This commit extends uat:smb2_seskey_list with 2 extra columns to store
decryption keys so that traffic can be decrypted at any point of the
session.
This has the side effect of changing the current syntax from:
... -o uat:smb2_seskey_list:<id>,<seskey>
To:
... -o 'uat:smb2_seskey_list:<id>,<seskey>,"",""'
(make sure the quoting is right)
Change-Id: I810d464b6f3e749de39b4428d73e0d6be29f3152
Reviewed-on: https://code.wireshark.org/review/36135
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
WireGuard decryption requires Gcrypt 1.8 or later.
Change-Id: I4a9e910df61a2d8f375e3f90b22511fe59be922c
Reviewed-on: https://code.wireshark.org/review/36128
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Add software_update_info() to the software update module, which returns
the name of our update library if we have one. Use it to add automatic
update information to the compiled information in `wireshark --version`.
Add a "release" test suite, which contains a test for automatic updates.
Ping-Bug: 16381
Change-Id: I867a96bdcfde8be541eca2dc0e84b5000276e7dd
Reviewed-on: https://code.wireshark.org/review/36107
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
We want things like aes-256 keys to be displayed completely.
Change-Id: I746f3282440c036cfb60263be40e3b3a6ed859c2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/35703
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
XXX comment reworded to be more informative and reflect lack of
consensus on removing RFC 3514.
Change-Id: If15b8f5d7c450192b1b6ebbfa463b19f27de177c
Reviewed-on: https://code.wireshark.org/review/35934
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
|
|
Bug: 16344
Change-Id: I0fe0bec606a103e0cb96c6b6da0f98f9b12097b7
Fixes: v3.1.0rc0-916-g237ec1349f ("IP: Make dissection of ip.frag_offset RFC 791 compliant")
Reviewed-on: https://code.wireshark.org/review/35918
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
A filter for payload makes it easier to exoprt it.
Change-Id: I0732c60c7fac37283fcbe6508d5e27bcd3c603fd
Reviewed-on: https://code.wireshark.org/review/35519
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
dpauxmon relies on libnl that is linux specific. Skip the test
for other platforms.
Fix skip message while here.
Change-Id: I744d83d0a56e41e1c32e45ade8ca0d9dd29876e1
Reviewed-on: https://code.wireshark.org/review/35525
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Fixes:
- sdjournal is available on linux only.
- The systemd library has been put in the right group in debian-setup.
Change-Id: Ie022f29da4313d17d55201b6e7ea1ab2ae740e18
Reviewed-on: https://code.wireshark.org/review/35478
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
All the shipped extcaps will be tested against:
--help
--extcap-interfaces
--extcap-interface <IFACE> --extcap-dtls
--extcap-interface <IFACE> --extcap-config
Bug: 16268
Change-Id: I7949103940c95c9c23fc5dd3743c15995d3a152d
Reviewed-on: https://code.wireshark.org/review/35409
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Change-Id: I71a28535f2c9081e965004f02ec85ff500f9278b
Reviewed-on: https://code.wireshark.org/review/35428
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
Bug: 16207
Change-Id: I95047f76430f5e83083b950a8ed7400e6cdd40ec
Reviewed-on: https://code.wireshark.org/review/35117
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Add a test to verify that PTK can be derived for WPA3 SuiteB-192
captures and that encrypted keydata field is decrypted so that
GTK can be dissected.
NOTE: Capture file contains no encrypted data frames as currently
Wireshark does not support decrypting GCMP-256 encrypted data.
Ping-Bug: 16197
Change-Id: I57fbc14a4b4bca58790c4edcee14f1ef73d73fd5
Reviewed-on: https://code.wireshark.org/review/35068
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Ping-Bug: 16187
Change-Id: Ie8d6dd1a8ff203bd6270dcfcbbeda953d57733f3
Reviewed-on: https://code.wireshark.org/review/35046
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
According to https://www.elastic.co/guide/en/elasticsearch/reference/6.7/date.html
a timestamp can be string or integer. Print the absolute times as string and the
relative times as integers.
The format for the time will be "date_nanos" as described here
https://www.elastic.co/guide/en/elasticsearch/reference/current/date_nanos.html
Ping-Bug: 15784
Change-Id: I430939961767fa65d11f2d3c939b203c8c84e88e
Reviewed-on: https://code.wireshark.org/review/34166
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Support Extended Key ID for Individually Addressed Frames from
IEEE 802.11 - 2016.
Extended Key ID allows unicast (PTK) keys to also use key ID 1 and has
an additional RSN attribute "KeyID" in EAPOL #3.
Add the additional attribute KeyID to the RSN parser, stop assuming
unicast keys are only using key ID 0 and add a test case to verify
Extended Key ID parsing and decoding.
Change-Id: I43005c74df561be5524fa3738149781f50dafa14
Reviewed-on: https://code.wireshark.org/review/34883
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
|
|
If a ProtoField object was created, but not linked to a Proto, then the
strings field and all elements (depending on type) would leak.
This is a follow-up to g79fef2ae and fixes the real issue in g44870fb1.
Change-Id: I01880a92bb20fae45f68c754b07daeb07630deec
Reviewed-on: https://code.wireshark.org/review/34872
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Vasil Velichkov <vvvelichkov@gmail.com>
Reviewed-by: Roland Knall <rknall@gmail.com>
|
|
Add the newly create ProtoField to the test_proto.fields in order to be freed.
ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x55e041f5ef86 in realloc (/home/vasko/sources/wireshark/build_clang/run/tshark+0x222f86)
#1 0x7fd8e0919e7d in g_realloc gmem.c:164:16
#2 0x7fd8e08e457b in g_array_maybe_expand garray.c:820:21
#3 0x7fd8e08e4b49 in g_array_append_vals garray.c:428:3
#4 0x7fd8ef112b6e in value_string_from_table /home/vasko/sources/wireshark/epan/wslua/wslua_proto_field.c:294:9
#5 0x7fd8ef10ee10 in ProtoField_new /home/vasko/sources/wireshark/epan/wslua/wslua_proto_field.c:646:24
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x55e041f5ef86 in realloc (/home/vasko/sources/wireshark/build_clang/run/tshark+0x222f86)
#1 0x7fd8e0919e7d in g_realloc gmem.c:164:16
#2 0x7fd8e08e457b in g_array_maybe_expand garray.c:820:21
#3 0x7fd8e08e4b49 in g_array_append_vals garray.c:428:3
#4 0x7fd8ef111e2e in range_string_from_table /home/vasko/sources/wireshark/epan/wslua/wslua_proto_field.c:226:17
#5 0x7fd8ef10e43f in ProtoField_new /home/vasko/sources/wireshark/epan/wslua/wslua_proto_field.c:642:24
Fixes: v3.1.1rc0-497-g0371994223 ("wslua: Improve parameter check in ProtoField.new()")
Change-Id: I05b8bf3d78c8a540c6cf33d11dc3f3e01f83b8c5
Reviewed-on: https://code.wireshark.org/review/34834
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Improve paremeter check in ProtoField.new() when using ftypes.CHAR:
- Check valid base types and give an error when not supported instead of
terminate in a g_error() (base.DEC is not supported).
- Give an error if used with base.UNIT_STRING instead of silently remove
the flags.
- Support base.RANGE_STRING instead of removing the flag.
Support using base.NONE with a valuestring.
Add ftypes.CHAR to the list of supported types.
Change-Id: I0e3f9698074c807f5da0de23ccd1be7446271135
Reviewed-on: https://code.wireshark.org/review/34783
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
pytest 5.2.0 added support for callable scopes. In order to distinguish
those (`@pytest.fixture(scope=fn)`) from decorators (`@pytest.fixture`),
it added extra arguments which was not expected by our wrapper. See
https://github.com/pytest-dev/pytest/pull/5776 for the change.
Fixes the following error:
ImportError while loading conftest 'test/conftest.py'.
test/conftest.py:42: in <module>
from fixtures_ws import *
test/fixtures_ws.py:198: in <module>
@fixtures.fixture
test/fixtures.py:36: in fixture
return pytest.fixture(scope, params, autouse, ids, name)
E TypeError: 'bool' object is not iterable
We do not use non-keyword arguments, so it is safe to use `*` instead of
`*args` in the prototype.
Change-Id: I96220e0e85249ad58880e5de75f8987a0fdc16ef
Reviewed-on: https://code.wireshark.org/review/34672
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
The HTTP/2 protocol multiplexes a single TCP connection into multiple
independent streams. The Follow TCP output can interleave multiple
HTTP/2 streams, making it harder to analyze a single HTTP/2 stream.
Add the ability to select HTTP/2 Streams within a TCP stream.
Internally, the HTTP/2 dissector now stores the known Stream IDs in a
set for every TCP session which allows an amortized O(n) lookup time for
the previous/next/max Stream ID.
[Peter: make the dissector responsible for clamping the HTTP/2 Stream ID
instead of the Qt code, that should permit future optimizations.]
Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200
Reviewed-on: https://code.wireshark.org/review/32221
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Bug: 15393
Change-Id: I931813ce3492557a5673e6bbd0269d34c0d550b2
Reviewed-on: https://code.wireshark.org/review/31416
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Dumpcap doesn't support fifos with streams created on a machine with
different endianess. Until dumpcap will support that, we need to skip
some tests so the whole test suite can pass.
Ping-Bug: 15754
Change-Id: Ia7fdf833715bf975fcee76968a7c1d75d084bd6f
Reviewed-on: https://code.wireshark.org/review/34173
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
The local and group address flags are shared between destination and
source addresses. This makes filtering difficult sometimes. Create
unique fields for them, while moving the existing fields into hiding.
This breaks the output format tests, so the baseline files need to be
updated as well. At the same time document how this can be done.
Bug: 15955
Change-Id: I849bb306f044c09d4ed0836fe92fef8981912500
Reviewed-on: https://code.wireshark.org/review/34139
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Change-Id: Ice2e1e2e4d94f6c9da7c651866cfa1a8ac4a31d8
Reviewed-on: https://code.wireshark.org/review/34096
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Some dissectors populate pinfo->p2p_dir with a packet's direction
(incoming / outgoing). Make this info available to lua dissectors.
Add a simple test for Pinfo's new p2p_dir attribute to the wslua
test suite. It checks that p2p_dir is unknown for dhcp packets.
(The dhcp dissector does not set p2p_dir).
Change-Id: I8cc39a11cff840d10ef7fa94d30cbac8bf9b533f
Reviewed-on: https://code.wireshark.org/review/33935
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
|
|
The latest iteration of Microsoft updates to SMB3 added compression to
the protocol. This commit implements decompressing and dissecting
compressed payloads.
The compression algorithms that can be used are "Plain LZ77",
"LZ77+Huffman" and "LZNT1" which you can read more about in the
[MS-XCA] documentation. This set of algorithm is sometimes referred to
as XPRESS.
This commit reuses the existing uncompression API scheme already in
place with zlib and brotli and adds 3 tvb_uncompress_*() function
implemented in:
* epan/tvbuff_lz77.c
* epan/tvbuff_lz77huff.c
* epan/tvbuff_lznt1.c
A new function wmem_array_try_index() was added to the wmem_array API
to make bound checked reads that fail gracefully. New tests for it
have been added as well.
Since both reads (tvb) and writes (wmem_array) are bound checked the
risk for buffer overruns is drastically reduced. LZ77+Huffman has
decoding tables and special care was taken to bound check these.
Simplified versions of the implementations were succesfully tested
against AFL (American Fuzzy Lop) for ~150 millions executions each.
The SMB2/3 dissector was changed to deal with the new transform header
for compressed packets (new protocol_id value) and READ request
flags (COMPRESSED). Badly compressed or encrypted packets are now
reported as such, and the decryption test suite was changed to reflect
that.
This commit also adds a test capture with 1 packet compressed with
each algorithm as returned by Windows Server 2019, along with 3
matching tests in test/suite_dissection.py
Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7
Reviewed-on: https://code.wireshark.org/review/33855
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
epan/dissectors/packet-smb2.c:
- factor out decryption code from transform header dissector
- rewrite CCM decryption to use the proper gcrypt cipher
- add GCM support
- change weird 1 element CCM bitmask to value_string
test/suite_decryption.py: add smb2 GCM decryption test
- add one test
- add a new capture to test smb3.1.1 AES-128-GCM decryption
Change-Id: Id5ab75e1830bc24ace9f9b2f2dbd5a3c20666d52
Reviewed-on: https://code.wireshark.org/review/33600
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
pcapng spec update is here: https://github.com/pcapng/pcapng/pull/62
Bug: 15571
Change-Id: I2f1921b1da70ac0bab8c38dd5138a9dfe7843fea
Reviewed-on: https://code.wireshark.org/review/33300
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
The v2.5.0rc0-478-g558fe23226, the dissection of ip.frag_offset changed
to be listed under "Flags", this is not correct. The Fragmentation
Offset is a separate field according to the RFC. This change corrects
that behavior. Also, the raw value from the header was shown instead of
the real byte offset, this is also corrected.
Change-Id: I1d6dfc4314091eb6f3eef418c5a17ed37f7a1200
Fixes: v2.5.0rc0-478-g558fe23226 ("[IP] Simplify paring of flags field by using proto_tree_add_bitmask_with_flags().")
Reviewed-on: https://code.wireshark.org/review/33422
Petri-Dish: Sake Blok <sake.blok@SYN-bit.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Sake Blok <sake.blok@SYN-bit.nl>
|
|
Ping-Bug: 15784
Change-Id: I2d8d01465718239e55787f56c35524614d4db5cf
Reviewed-on: https://code.wireshark.org/review/33265
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
The outputs of -T ek and -G elastic-mapping don't match. To be effective
the fields in the mapping report and the fields in the traffic output must
be the same.
2 issues have been fixed. The elastic-mapping requires the parent protocol
to be prepended to the field to match the traffic output. The field "dns.a"
has been changed to "dns_dns_a".
The traffic output prints some fields with a leading "text_". This happens
for some fields that have been created under a text only field. One example
is "dns.a", that was printed as "text_dns_a". This has been fixed by accessing
the parent hfinfo resulting in "dns_dns_a" as other fields for the dns
protocol.
Bug: 15759
Change-Id: Ibd000c865102ca49bb6a6394019a475483eae4cc
Reviewed-on: https://code.wireshark.org/review/33099
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
Newer versions of elastic are using 'doc' as type. Change the code
according to that.
Fix point (4) of the linked bug.
Bug: 15763
Change-Id: Ia28102a0914c6308eb3516daa57af2e49ce9a4e5
Reviewed-on: https://code.wireshark.org/review/33111
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
This is the new standard in recent Elastic versions.
Fix point (3) of the linked bug.
Bug: 15763
Change-Id: I64ef085c2a8ad9d25ced30a337287c8cb77903e4
Reviewed-on: https://code.wireshark.org/review/33112
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
|
|
The string type is the default in elasticsearch, then there is no
need to put those entries in the mapping report. This shortens a lot
the list.
Small indentation fix, while here.
Change-Id: If304d409a3ee2c30f24b5de4d90be522bbfae41e
Ping-Bug: 15719
Reviewed-on: https://code.wireshark.org/review/33053
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Lack of handshake reassembly caused Certificate handshake messages to be
reported as "Encrypted Handshake Messages" and broke decryption in some
cases. Fix this by properly tracking handshake fragments and delay
dissection until all fragments are available.
Now when a fragmented Handshake message is found:
* The first fragment will have "(fragmented)" appended to the record
tree item as well as the "Handshake Protocol" item.
* "Reassembled Handshake Message in frame: X" is added for fragments.
* The last reassembled handshake message will be displayed together with
a fragment list.
Note: Previously, handshake records with a message length larger than
the available data was assumed to be encrypted. This restriction had to
be lifted, but can now cause false positives (reporting encrypted data
as unencrypted handshake fragments).
The provided capture is not minimal but should be comprehensive as it is
generated with randomly sized TLS record and TCP segment lengths using
`./tls-handshake-fragments.py hs-frag.pcap --seed=1337 --count=100` and
https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/tls-handshake-fragments.py
(A copy of this script is attached to bug 3303.)
Bug: 3303
Bug: 15537
Bug: 15625
Change-Id: I779925aba30548a76c20e0e37b39d01d2c88a764
Reviewed-on: https://code.wireshark.org/review/32857
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Change-Id: I9c09f55673187f6fee723fcd72798fb6b9958b03
Reviewed-on: https://code.wireshark.org/review/32745
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
The WIRESHARK_EXTCAP_DIR environment variable is currently only used on
Windows, and on UN*X when not running from the build directory. In order
to avoid copying the sampleif.py test utility to the program directory,
let's prioritize the environment variable over the build directory.
Update the outdated comments while at it, the version directory has been
removed long time ago. (The comments are based on the one for plugins.)
This also fixes the test suite on macOS where the extcap subdirectory is
located in the appbundle directory and not the build directory.
Change-Id: I329bb233b1dd0b9c1422c2ebd60a6455347e1d62
Reviewed-on: https://code.wireshark.org/review/32890
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Setting PYTHONIOENCODING=utf-8 would also work, but only if it is done
for every test that could possibly invoke the extcap. Let's patch the
script instead to force UTF-8 for its output encoding. Thanks to Greg
for the suggestion at https://stackoverflow.com/a/4374457/427545
Change-Id: I2e39e65e49465392c5b077c8b13ed931073661fb
Reviewed-on: https://code.wireshark.org/review/32868
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Fix tests without pcap.
Change-Id: Ib3057d072bd8ced3d1c04b862f6fd7cc07400aa8
Reviewed-on: https://code.wireshark.org/review/32837
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Check for utf8 valid line instead. Add a testcase that shows
how the former code was buggy on special characters extcap sentences.
Bug: 15668
Change-Id: Ic045c4791388af98705916e6ea84be8fc9b3c5b8
Reviewed-on: https://code.wireshark.org/review/32754
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
PTK key derivation algorithm for WPA1 uses SHA1 not MD5.
MD5 is used for MIC only.
To avoid regression also add a decrypt test for WPA1 with
GTK rekeying.
Change-Id: Iabcf40c2f74d5dbc1d72cba0718c77020d97f61f
Fixes: v3.1.0rc0-342-g9cf77ec5e1 ("ieee80211: Support decrypting WPA3-Personal / SAE captures")
Reviewed-on: https://code.wireshark.org/review/32691
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|