Age | Commit message | Author | Files | Lines |
|
Updated the PDU tags based on Wireshark v4.1.0rc0-197-ge5951765d8 with:
grep -Pe '#define EXP_PDU_TAG\S+?(?<!_LEN)\s+\d+' wsutil/exported_pdu_tlvs.h |
awk '{print $2, $3}' | column -t
Register the Data Link Type (DLT) to fix a warning during wrpcap:
WARNING: Inconsistent linktypes detected! The resulting file might contain invalid packets.
Remove unused TagField structure.
|
|
Rename DISABLE_WERROR to ENABLE_WERROR, since v3.7.0rc0-920-g119473eab3.
Since Wireshark commit v4.1.0rc0-834-g973748f321, the -Qunused-arguments
flag was dropped which resulted in warnings due to `-fuse-ld=lld` also
being included with compiler commands. Indeed, the option should only be
added to clang invocations when linking .so and executable files. Move
the options over. See also my comment about CMake options here:
https://gitlab.com/wireshark/wireshark/-/merge_requests/8872#note_1303093704
|
|
sudo might be unavailable on the target, do not bother when root.
|
|
|
|
There is a known issue where out-of-order TCP segments break HTTP/2
dissection and TLS reassembly, even with the TCP Reassemble out-of-order
segments preference enabled. This utility works around that issue by
sorting TCP segments within a capture.
Requires scapy, install with: pip3 install scapy
|
|
|
|
Before making the reassembly API (epan/reassembly.c) even more
complicated, and to solve TCP reassembly problems with TCP/TLS/HTTP2,
let's have a look at potential solutions, possibly from the literature.
|
|
Avoids malformed packet exception with certain unpadded values.
See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16386
|
|
Quick hack that allows me to debug DoH GET requests. See also
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14433
|
|
Tested with macOS 10.15.1 (Catalina). Works with python3 3.7.5 (requests
library) and openssl 1.1.1d (s_client) from Homebrew. Does not work with
curl 7.64.1 in /usr/bin/curl because it is signed and does not allow
DYLD environment variables to be passed when SIP is enabled.
|
|
Actually fragment or coalesce TLS records across TCP segments.
|
|
Dumb fuzzer for verifying that handshake reassembly works.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303
|
|
Since v2.9.1rc0-449-ga37388fbb6 it is no longer possible to override
CMAKE_INSTALL_RPATH to create relocatable build directories. An attempt
to add this feature in a generic way to older CMake versions failed, see
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15163#c12
I do not really need relocatable builds at the moment and can wait until
CMake 3.14 is released should I need it in the future.
|
|
Based on ssh-tcpdump, but uses dumpcap and supports specifying the
hostname and interface through capture options. Should probably
integrate that with ssh-tcpdump, but I quickly needed something working.
Known issues:
- On exit Wireshark assumes that stderr is an error.
- dumpcap does not exit on the remote server, tracked by
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14431
- Stopping a capture, killing dumpcap and starting a capture again
results in a corrupted dissection (interpreted as ERF). The pcapng
file on the filesystem is ok, it is just a GUI problem.
Tested with Wireshark v2.9.1rc0-558-geec3ce3bb2.
|
|
GCC does not support -fuse-ld=lld and LLD 7.0.1 has a bug that causes
crashes when (statically) linking code that uses thread-local storage
without a PLT.
|
|
Remove ENABLE_xxx options that are enabled by default, check
CMakeOptions.txt instead if you want to see available values.
Skip rebuilding if only tests change. Remove -fsanitize options since
these are set via CMake options.
Use lld instead of gold since it is almost twice as fast as gold:
lld 4.8s
gold 9.2s
bfd 10.8s
Tested (n=3) with lld 7.0.1-1 and binutils 2.31.1-4 on Arch Linux, Linux
4.19.12-arch1-1-ARCH, i7-6700HQ, wireshark v2.9.1rc0-363-g178d81f804.
Commands:
time cmake -GNinja /tmp/wireshark -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
-DCMAKE_C_FLAGS="-fdiagnostics-color -fuse-ld=lld" \
-DCMAKE_CXX_FLAGS="-fdiagnostics-color -fuse-ld=lld" \
-DDISABLE_WERROR=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1
time ninja && rm -rf run
time ninja # measured this with various -fuse-ld= values.
Total build time is about 21s for cmake, 3m18s for the initial ninja.
Ignoring the noise, a full build somehow takes about the same time as
with gold, but incremental builds with lld are consistently faster.
|
|
Support the POSIX tar format only and not other dialects.
|
|
Tested in a clean Win7 SP1 x64 image.
|
|
Tested with MSVC 2015 (Win64). Use Fedora packages as Debian does not
have MinGW packages for GnuTLS.
|
|
Do not try to dissect its data as COFF, it could be something else.
|
|
|
|
Add Storage Classes dissection and fix for llvm-dlltool output which has
a large "//" archive member (longnames) that are newline-terminated
instead of null-terminated.
Tested against the output .lib file from LLVM 7.0.0-1:
llvm-dlltool -m i386:x86-64 -d libgnutls-30.def -l libgnutls-30.lib -D libgnutls-30.dll
|
|
Created in order to compare libgcrypt-20.dll.a as created by MinGW
versus libgcrypt-20.lib as created by MSVC.
Based on file-zip.lua.
|
|
When libssl.so.1.1.1 was not yet loaded, it would assume that an older
library was already loaded and avoid the new API. That assumption is not
correct, it is also possible that no library was loaded at all as is the
case with Python. Test:
./sslkeylog.sh python -c \
'import requests;print(requests.head("https://wireshark.org"))'
Before this fix it would output all zeroes as secret (a sign that
something is wrong).
|
|
OpenSSL 1.1.1 adds TLS 1.3 support which uses a new secrets format.
Previously it resulted in garbage keylog files, this has been fixed now.
OpenSSL 1.1.1 also introduces a new API for secrets extraction.
Consumers can use it like this (curl uses this code for example):
#include <openssl/ssl.h>

static void keylog_callback(const SSL *ssl, const char *line) {
    /* write line and terminating '\n' */
}

{
    SSL_CTX *ctx;
    ...
    SSL_CTX_set_keylog_callback(ctx, keylog_callback);
    SSL *ssl = SSL_new(ctx);
}
In case you cannot change the source code for an application, you can
use sslkeylog.c again. This will basically perform the above step, set
the key log callback before calling SSL_new.
Since the new OpenSSL 1.1.1 API requires no further interception of
SSL_read and other functions, a new NO_OPENSSL_110_SUPPORT macro was added
to avoid intercepting these. Additionally, a NO_OPENSSL_102_SUPPORT macro
avoids the need for OpenSSL development headers.
Caveat: when building with OpenSSL <= 1.0.2, libsslkeylog.so will not be
compatible with runtime OpenSSL 1.1.0. OpenSSL 1.1.1 still works though.
Use of SSL_new and interception via SSL_CTX_set_keylog_callback was
initially proposed by Derick Rethans, thanks for the suggestion!
|
|
Apparently the undocumented pagination limit is 100.
|
|
Large artifacts may be accumulated and at the moment hit the 50GB
limit. Deleting them one by one is cumbersome, so here is a way to
automate it. Motivation: https://code.wireshark.org/review/30268
|
|
|
|
If the final 1.3 version is not supported, negotiation could fail if
TLS 1.2 is not allowed. This is the case with tls13.crypto.mozilla.org.
|
|
|
|
Source is from April 3rd, 2018 or before.
|
|
Ensure that files are put within a subdirectory within the zip. Remove
extra info (timestamps/uid/gid) and sort the URLs while at it.
|
|
Tested with MSVC 2015 (Win64) and the WireGuard patches on top of
v2.9.0rc0-1338-g9b9a0d0f88. The decryption suite (43 tests) passes.
README.Wireshark is based on Pascal's instructions from
libgcrypt-1.7.6-win64ws.zip
|
|
Do not wake up on running tests (which might touch __pycache__ and
pytest files).
|
|
Change from 2018-07-19 13:03 +0200
|
|
|
|
As present in frame 3 of 25.pcap from
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523
|
|
While working on improving handling of reassembly in presence of
retransmissions, it would be very helpful to have a tool that tells the
correct interpretation. This tool does that. It can probably not
directly be implemented in Wireshark due to the additional memory
requirements.
Used to investigate bugs such as
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13061
|
|
Used for crafting the capture in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523#c1
|
|
For testing various issues such as
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14944
Code coverage checked with Clang 6.0.0 by building packet-tcp.c with
options from https://clang.llvm.org/docs/SourceBasedCodeCoverage.html
# link.sh is the command to link libwireshark.so with the two profiling options
eval $(jq -r '.[] | select(.file | contains("packet-tcp.c")) | .command' compile_commands.json | sed 's/^[^ ]\+/clang -fprofile-instr-generate -fcoverage-mapping/') && time bash link.sh
llvm-profdata merge -sparse tcp.profraw -o tcp.profdata && llvm-cov show epan/dissectors/CMakeFiles/dissectors.dir/packet-tcp.c.o -instr-profile=tcp.profdata /tmp/wireshark/epan/dissectors/packet-tcp.c -name-regex='check_follow_fragments|follow_tcp_tap_listener'
Tested against https://code.wireshark.org/review/#/c/28614/4 with log:
1c6dc6d31f (master) Some fixes.
777dac163a Follow Stream: ensure linear performance with many packets
b853858e84 tcp: remove repetitive "follow_record->is_server"
98c33f532e tcp: fix Follow TCP Stream with missing (but ACKed) segments
8f4abb0346 tcp: fix Follow TCP Stream for overlapping data
9219c4b1b6 tcp: ignore zero-length payloads for Follow TCP Stream
9499a15a4a Qt: fix wrong Follow Stream text position after changing mode
All cases are covered, except for one:
1122| 1| data_offset = follow_info->seq[is_server] - sequence;
1123| 1| if (data_length <= data_offset) {
1124| 0| data_length = 0;
1125| 1| } else {
To reach that situation, the IP header probably needs to be modified, or
the pcap snaplen/caplen fields. Too much work for now and a visual
inspection shows that the case does not hurt, so just go for it.
|
|
Can be imported as Python module or used separately.
Created at 2017-04-23 for converting oss-fuzz reproducers into an actual
pcap.
|
|
GCRYPT is enabled by default, the option is gone since 2.4. Enable the
ASAN option via CMake to ensure that building lemon does not fail if
detect_leaks is not set.
|
|
And remove the unnecessary nothing() function, it was there to test a
crash issue.
|
|
Added on 2015-09-27, contains a minimal dissector that does not use
fields.
|
|
Look up SSL_SESSION_get_master_key and SSL_get_client_random at runtime
too after intercepting a call instead of a link-time dependency.
|
|
Since the previous OpenSSL 1.1.0 compatibility patch, addition of the
SSL_get_session and SSL_SESSION_get_master_key required them to be
available at load time. Since applications are not necessarily linked
with -lssl, this can fail.
Avoid this dependency by looking up the symbols at runtime. Tested with
OpenSSL 1.0.2k (using python+requests) and
OpenSSL_1_1_0-pre6-1439-g0e2c7b3ee (openssl s_client).
|
|
These steps were used for creating the tests for
https://code.wireshark.org/review/19850
("test: add (D)TLS test for AEAD ciphers")
|
|
These were not supposed to be exposed in the actual filters, but are
used internally because a table value could not act as both a ProtoField
and a table of other ProtoFields.
|
|
The previous implementation took 8.9 seconds with this command:
tshark -Xlua_script:file-zip.lua -r TechnicLauncher.jar -Vx -ozip_archive.decompress:FALSE
If the signature was not optional, we could optimize and avoid a linear
search, using string.find with steps of four bytes on negative match.
This would take 5.6 seconds (but does not handle a missing signature).
The combined approach that first scans with string.find (assuming a
signature) and then falling back to a linear search (assuming no
signature) would take 14.4 seconds (terrible in the worst case).
So try another approach, doing a byte-for-byte search (as before), but
then delaying the signature check until the length is valid. This
improves the running time to 7.5 seconds.
|
|
Reduce time to process TechnicLauncher.jar from 20 to 9 seconds (ASAN
build with tshark -Vx) by reducing TvbRange allocations.
|