[Wireshark-dev] ESP Patch for Hexadecimal keys

2006-09-07 Thread Frédéric Roudaut 


Hi,

as requested  here is a patch  in order to take into account  Encryption 
and Authentication keys for ESP in hexa. 
You only have to write your key with 0x first. In this case if the key 
is not in 8-bit unit, it will be considered as starting with a "0" (4 bits).
Excepted this case, the key should be completely written, even if it 
starts with "0x00".


Nevertheless, if the box contains a key with white spaces before "0x",  
it will be taken into account. Ie if the ESP preference contains  
"0xff",  it will not be considered  as an hexadecimal key (4 
white spaces before 0x). I do not think it is a problem but please tell 
me if it is, I will correct this.


Moreover I noticed an editorial issue in the Author files ;-). IPsec 
should be written like this and not IP-sec.

could you please update this ?

best regards,

ps : in attachment, you will also get some examples for using 
Hexadecimal keys (preference and capture files, IPsec policy for setkey).

ps2 : sorry for the off-by-one errors ;-(

---
Frederic Roudaut



Filonenko Alexander-AAF013 wrote:

Frederic,
 
Thank you for the response. While adding this feature, do you plan to 
add another checkbox in the ESP preferences so the user can switch 
between ASCII/hex modes for encryption keys?
 
Thank you,

Alex Filonenko
 
 



*From:* Frédéric Roudaut [mailto:[EMAIL PROTECTED]
*Sent:* Tuesday, August 01, 2006 5:19 AM
*To:* Filonenko Alexander-AAF013
*Cc:* Ethereal development; Developer support list for Wireshark
*Subject:* Re: IPsec Dissector to decrypt ESP Payload

Hi,

sorry for my late answer. You're right for the key. To enter binary 
keys you need to modify the dissector. It should easy to adapt. If 
needed, I could easily add this but however not before the beginning 
of september.

Sorry for that.

best regards,

--
Frederic Roudaut


Filonenko Alexander-AAF013 a écrit :

Frederic,

I am using ESP decryption features of your dissector and it is very useful. 
I have one question though. How can I use arbitrary (non-ASCII) encryption key with preferences available for ESP? Is the key limited to ASCII characters only? 


Thank you,
Alex

-Original Message-
From: Filonenko Alexander-AAF013 
Sent: Friday, February 24, 2006 4:43 PM

To: 'Ethereal development'
Subject: RE: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload

Frederic,

I find IPsec functionality you have added to the dissector very useful.
Hope I can provide you with some feedback in a few weeks.

Thank you,
Alex Filonenko 

  

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Frederic 
Roudaut

Sent: Friday, February 24, 2006 10:01 AM
To: Ethereal development
Subject: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload


Hi,

finally, I have updated my dissector using libgcrypt.
It does not use openssl anymore.
If gnutls is installed, all should work.
Thus, now it should decrypt and dissect (transport/tunnel/several 
encapsulations ...) :


- NULL Encryption Algorithm
- TripleDES-CBC [RFC2451] : keylen 192 bits.
- AES-CBC with 128-bit keys [RFC3602] : keylen 128 and 192/256 bits.
- AES-CTR [RFC3686] : keylen 160/224/288 bits. The remaining
32 bits will be used as nonce.
- DES-CBC [RFC2405] : keylen 64 bits

I also have added :

- BLOWFISH-CBC : keylen 128 bits.
- TWOFISH-CBC : keylen 128/256 bits.

You have to indicate the Authentication algorithm even if all 
Algorithms since it uses 12 bytes in the Auth field should work (have 
a look to the README to understand why I put it

;-) ). If you consider I have to throw it away please tell me.

HMAC-SHA1-96 [RFC2404]
NULL
AES-XCBC-MAC-96 [RFC3566]
HMAC-MD5-96 [RFC2403]

In the attachment you will get :
- this dissector
- a new README
- some example capture files with associated preferences files (and 
setkey config files)



Best Regards,



Frederic






--
Frédéric ROUDAUT
IRISA-INRIA, Campus de Beaulieu, 35042 Rennes cedex, France
Tl: +33 (0) 2 99 84 71 44, Fax: +33 (0) 2 99 84 71 71




___
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev


  






ESP_example_hex_keys.tgz
Description: application/compressed-tar


packet_ipsec.c.gz
Description: GNU Zip compressed data
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Problem with docbook build process

2006-09-07 Thread Joerg Mayer 
Hello,

for some reasons not really clear to me, the build process for the
documentation tries to download some files from the docbook repository:

 34.327847   192.168.0.3 -> 217.237.150.115 DNS Standard query A 
docbook.sourceforge.net
 34.391786  217.237.150.115 -> 192.168.0.3  DNS Standard query response CNAME 
projects.sourceforge.net A 66.35.250.209

127.636718   192.168.0.3 -> 66.35.250.209 HTTP GET /release/images/draft.png 
HTTP/1.1

Ideas what is going wrong here?

 Ciao
Joerg
-- 
Joerg Mayer   <[EMAIL PROTECTED]>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] tcp_dissect_pdus

2006-09-07 Thread ronnie sahlberg 
Are you using the latest SVN ?I fixed a bug in pdu tracking/reassembly about ~2 weeks agoOn 9/8/06, John R. <
[EMAIL PROTECTED]> wrote:OK, so I'm digging into desegment_tcp.What I find is that when segment B comes it looks for the most recent
prior PDU which it calls msp. It calculates an offset and length forthe last snippet of Segment A. The length is 4, which is the length ofdata at the end of Segment A. It uses this info in a call tofragment_add. Later it gets into the  if (ipfd_head) { and creates
next_tvb based on the data in *ipfd_head, and makes this next_tvb achild of tvb. I'm not sure what the significance of this last step is.So one ofa) tvb_ensure_length_remaining/compute_offset_length are not working
properly and returning 6 (instead of around 1400 bytes that are inSegment B).b) Problem in fragment_add that leaves the length as 6 instead of~1400... does fragment_add actually affect tvb? It is not clear to me
how the fragment_add, which is passed tvb of Segment B and ipfd_head,and the next_tvb/tvb child/parent business relate.It doesn't appear that compute_offset_length peers into child nodes soI guess fragment_add is the culprit. The tvb would have to consist of
the final desegmented pdu (and then some) once fragment_add returns.I'm new to this codebase so this stuff is pretty opaque to me. Isthere an architecture document I should be reading first? Anyway, any
explanation of how this desegmentation stuff is supposed to work wouldbe helpful.Thanks,-- John.___Wireshark-dev mailing list
Wireshark-dev@wireshark.orghttp://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread ronnie sahlberg 
Check the WishList on the wiki Analysis item 5.It has been planned for quite a while but there has not yet been any real or urgent need for this.Ill try to implement this sometimes this weekend.The solution I implement will require that you have reassembly enabled.
On 9/8/06, Bryant Eastham <[EMAIL PROTECTED]> wrote:





Thank you! My intent was really not to add more work to 
others, but to investigate how to solve the problem on my own. I appreciate your 
offer. Since that solution is "real", I will not spend any time on my 
"conversation" hack.
 
Thanks again,
Bryant


From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of ronnie 
sahlbergSent: Thursday, September 07, 2006 5:47 PM
To: 
Developer support list for WiresharkSubject: Re: [Wireshark-dev] 
Further HTTP woes...
:-)I have example captures of some x509 related protocols 
running atop http which show this.I will try to look into implementing 
this in the tcp layer this weekend.
On 9/8/06, Bryant 
Eastham <[EMAIL PROTECTED]> wrote:
What 
  nagle algorithm! Did I forget to mention that we *wrote* the TCP/IPstack 
  and that it is running on a small microprocessor? ;-)Seriously, this 
  behavior is coming out of Tomcat Web Server/3.3.1 Final(JSP 1.1; Servlet 
  2.2). We do, however, have our own implementations inwhich nagle is not 
  available. I would have to check with the developerto see if he has 
  disabled anything - I doubt 
  it.Thanks,BryantFrom: 
  [EMAIL PROTECTED][mailto:
[EMAIL PROTECTED] 
  ] On Behalf Of ronniesahlbergSent: Thursday, September 07, 2006 
  5:32 PMTo: Developer support list for WiresharkSubject: Re: 
  [Wireshark-dev] Further HTTP woes..."I now have the following 
  problem. It is common for our implementation todump the headers in one 
  segment and then dump the data in the next, withno 
  Content-Length."Why does it send this as two segments?You have not 
  disabled NAGLE have 
  you?___ Wireshark-dev 
  mailing listWireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev 
  

___Wireshark-dev mailing listWireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread Bryant Eastham 



Thank you! My intent was really not to add more work to 
others, but to investigate how to solve the problem on my own. I appreciate your 
offer. Since that solution is "real", I will not spend any time on my 
"conversation" hack.
 
Thanks again,
Bryant


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of ronnie 
sahlbergSent: Thursday, September 07, 2006 5:47 PMTo: 
Developer support list for WiresharkSubject: Re: [Wireshark-dev] 
Further HTTP woes...
:-)I have example captures of some x509 related protocols 
running atop http which show this.I will try to look into implementing 
this in the tcp layer this weekend.
On 9/8/06, Bryant 
Eastham <[EMAIL PROTECTED]> wrote:
What 
  nagle algorithm! Did I forget to mention that we *wrote* the TCP/IPstack 
  and that it is running on a small microprocessor? ;-)Seriously, this 
  behavior is coming out of Tomcat Web Server/3.3.1 Final(JSP 1.1; Servlet 
  2.2). We do, however, have our own implementations inwhich nagle is not 
  available. I would have to check with the developerto see if he has 
  disabled anything - I doubt 
  it.Thanks,BryantFrom: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] 
  ] On Behalf Of ronniesahlbergSent: Thursday, September 07, 2006 
  5:32 PMTo: Developer support list for WiresharkSubject: Re: 
  [Wireshark-dev] Further HTTP woes..."I now have the following 
  problem. It is common for our implementation todump the headers in one 
  segment and then dump the data in the next, withno 
  Content-Length."Why does it send this as two segments?You have not 
  disabled NAGLE have 
  you?___ Wireshark-dev 
  mailing listWireshark-dev@wireshark.orghttp://www.wireshark.org/mailman/listinfo/wireshark-dev 
  
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread ronnie sahlberg 
:-)I have example captures of some x509 related protocols running atop http which show this.I will try to look into implementing this in the tcp layer this weekend.
On 9/8/06, Bryant Eastham <[EMAIL PROTECTED]> wrote:
What nagle algorithm! Did I forget to mention that we *wrote* the TCP/IPstack and that it is running on a small microprocessor? ;-)Seriously, this behavior is coming out of Tomcat Web Server/3.3.1 Final(JSP 
1.1; Servlet 2.2). We do, however, have our own implementations inwhich nagle is not available. I would have to check with the developerto see if he has disabled anything - I doubt it.Thanks,Bryant
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]
] On Behalf Of ronniesahlbergSent: Thursday, September 07, 2006 5:32 PMTo: Developer support list for WiresharkSubject: Re: [Wireshark-dev] Further HTTP woes..."I now have the following problem. It is common for our implementation
todump the headers in one segment and then dump the data in the next, withno Content-Length."Why does it send this as two segments?You have not disabled NAGLE have you?___
Wireshark-dev mailing listWireshark-dev@wireshark.orghttp://www.wireshark.org/mailman/listinfo/wireshark-dev

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread ronnie sahlberg 
That would solve the problem for YOU   but would be the wrong way to solve the issue.We dont want dissectors to start implementing what is essentially tcp reassembly and tcp session tracking in the dissectors themself since this belongs in the tcp dissector   not in the application dissector.
While this issue is most commonly occuring with HTTP based protocols   there are other protocols as well thattransfer only one single PDU per tcp session and which sometimes do not provide a pdu length in the header
Thats another reason why the solution is to add the missing semantics to TCP and not reinvent a solution private to the http layer.Implement the enhancement once and several protocols will benefit.
On 9/8/06, Bryant Eastham <[EMAIL PROTECTED]> wrote:





And what of the solution to pass a zero-data-length buffer 
to the subdissectors and use a conversation?
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] tcp_dissect_pdus

2006-09-07 Thread John R. 
OK, so I'm digging into desegment_tcp.

What I find is that when segment B comes it looks for the most recent
prior PDU which it calls msp. It calculates an offset and length for
the last snippet of Segment A. The length is 4, which is the length of
data at the end of Segment A. It uses this info in a call to
fragment_add. Later it gets into the  if (ipfd_head) { and creates
next_tvb based on the data in *ipfd_head, and makes this next_tvb a
child of tvb. I'm not sure what the significance of this last step is.

So one of
a) tvb_ensure_length_remaining/compute_offset_length are not working
properly and returning 6 (instead of around 1400 bytes that are in
Segment B).
b) Problem in fragment_add that leaves the length as 6 instead of
~1400... does fragment_add actually affect tvb? It is not clear to me
how the fragment_add, which is passed tvb of Segment B and ipfd_head,
and the next_tvb/tvb child/parent business relate.

It doesn't appear that compute_offset_length peers into child nodes so
I guess fragment_add is the culprit. The tvb would have to consist of
the final desegmented pdu (and then some) once fragment_add returns.

I'm new to this codebase so this stuff is pretty opaque to me. Is
there an architecture document I should be reading first? Anyway, any
explanation of how this desegmentation stuff is supposed to work would
be helpful.

Thanks,

-- John.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread Bryant Eastham 
What nagle algorithm! Did I forget to mention that we *wrote* the TCP/IP
stack and that it is running on a small microprocessor? ;-)
 
Seriously, this behavior is coming out of Tomcat Web Server/3.3.1 Final
(JSP 1.1; Servlet 2.2). We do, however, have our own implementations in
which nagle is not available. I would have to check with the developer
to see if he has disabled anything - I doubt it.
 
Thanks,
Bryant



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ronnie
sahlberg
Sent: Thursday, September 07, 2006 5:32 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Further HTTP woes...


"I now have the following problem. It is common for our implementation
to
dump the headers in one segment and then dump the data in the next, with
no Content-Length."

Why does it send this as two segments? 
You have not disabled NAGLE have you?  

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread Bryant Eastham 



And what of the solution to pass a zero-data-length buffer 
to the subdissectors and use a conversation?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of ronnie 
sahlbergSent: Thursday, September 07, 2006 5:27 PMTo: 
Developer support list for WiresharkSubject: Re: [Wireshark-dev] 
Further HTTP woes...
This only affects PDUs that spans multiple tcp segments.This 
can not be solved in the HTTP dissector but requires that the TCP dissector and 
the TCP reassembly code is enhanced to provide an api such as "reassemble tcp 
data from this segment and all the way until a RST or a FIN" TCP reassembly 
does not currently support this and only support the api "reassemble TCP 
until sequence number x"So, the solution is :1, enhance the tcp 
reassembly code to provide the new semantic : reassemble until RST or 
FIN    (most of the work) 2, change the http dissector to 
call this new reassembly api when content-length is missing instead of the 
normal one (a few lines of code at most)
On 9/8/06, Bryant 
Eastham <[EMAIL PROTECTED]> wrote:
It 
  appears that HTTP requests/responses that are not chunked and do 
  notinclude a Content-Length cannot be decoded correctly. The 
  followingcomment appears in the 
  code: * If no content 
  length was supplied (or if a bad content length 
   * was supplied), the 
  amount of data to be processed is 
  theamount * of data 
  remaining in the frame. 
  * * If there was no 
  Content-Length entity header, we 
  should * accumulate all 
  data until the end of the connection. 
   * That'd require that the 
  TCP dissector call 
  subdissectors * for all 
  frames with FIN, even if they contain no 
  data, * which would 
  require subdissectors to deal 
  intelligently * with empty 
  segments. My understanding is that the logic to "accumulate all data 
  until the endof the connection" is not currently possible (or at least not 
  currentlyimplemented).I now have the following problem. It is 
  common for our implementation to dump the headers in one segment and then 
  dump the data in the next, withno Content-Length. Yes, we should set the 
  Content-Length and the problemgoes away, but the engineer didn't, and 
  shouldn't really have to. So:1. The packet with the headers is 
  not passed to my subdissector becausethere is no data. The 'if' statement 
  at line 901 of packet-http.c seesto that.2. The packet without my 
  headers is passed to my subdissector, but without the headers I can't tell 
  that it is mine.A solution would be to create a conversation and 
  attach the headerinformation to it when I notice that it is my protocol, 
  but that doesn'twork because of #1 - I don't get a chance to create the 
  conversation. The solution appears to either be to implement the logic 
  described inthe comments - far beyond my meager knowledge - or to pass 
  packets withno data (but with headers) to subdissectors.Does this 
  make sense, or am I missing something? Would it be acceptable to pass 
  zero-data-length packets to subdissectors?Should I take this offline 
  with the primary HTTP maintainer? And is thatGuy 
  Harris?Thanks,Bryant EasthamChief ArchitectPanasonic 
  Electric Works Laboratory of America, Inc. Salt Lake City Lab4525 
  South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124Phone : 
  801.993.7124 Email: [EMAIL PROTECTED]Fax: 
  801.993.7260 Web: http://slc.mew.com ___Wireshark-dev 
  mailing listWireshark-dev@wireshark.org 
  http://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread ronnie sahlberg 
"I now have the following problem. It is common for our implementation todump the headers in one segment and then dump the data in the next, withno Content-Length."Why does it send this as two segments?
You have not disabled NAGLE have you?  
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Further HTTP woes...

2006-09-07 Thread ronnie sahlberg 
This only affects PDUs that spans multiple tcp segments.This can not be solved in the HTTP dissector but requires that the TCP dissector and the TCP reassembly code is enhanced to provide an api such as "reassemble tcp data from this segment and all the way until a RST or a FIN"
TCP reassembly does not currently support this and only support the api "reassemble TCP until sequence number x"So, the solution is :1, enhance the tcp reassembly code to provide the new semantic : reassemble until RST or FIN    (most of the work)
2, change the http dissector to call this new reassembly api when content-length is missing instead of the normal one (a few lines of code at most)On 9/8/06, 
Bryant Eastham <[EMAIL PROTECTED]> wrote:
It appears that HTTP requests/responses that are not chunked and do notinclude a Content-Length cannot be decoded correctly. The followingcomment appears in the code: * If no content length was supplied (or if a bad content length
 * was supplied), the amount of data to be processed is theamount * of data remaining in the frame. * * If there was no Content-Length entity header, we should * accumulate all data until the end of the connection.
 * That'd require that the TCP dissector call subdissectors * for all frames with FIN, even if they contain no data, * which would require subdissectors to deal intelligently * with empty segments.
My understanding is that the logic to "accumulate all data until the endof the connection" is not currently possible (or at least not currentlyimplemented).I now have the following problem. It is common for our implementation to
dump the headers in one segment and then dump the data in the next, withno Content-Length. Yes, we should set the Content-Length and the problemgoes away, but the engineer didn't, and shouldn't really have to.
So:1. The packet with the headers is not passed to my subdissector becausethere is no data. The 'if' statement at line 901 of packet-http.c seesto that.2. The packet without my headers is passed to my subdissector, but
without the headers I can't tell that it is mine.A solution would be to create a conversation and attach the headerinformation to it when I notice that it is my protocol, but that doesn'twork because of #1 - I don't get a chance to create the conversation.
The solution appears to either be to implement the logic described inthe comments - far beyond my meager knowledge - or to pass packets withno data (but with headers) to subdissectors.Does this make sense, or am I missing something? Would it be acceptable
to pass zero-data-length packets to subdissectors?Should I take this offline with the primary HTTP maintainer? And is thatGuy Harris?Thanks,Bryant EasthamChief ArchitectPanasonic Electric Works Laboratory of America, Inc.
Salt Lake City Lab4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124Phone : 801.993.7124 Email: [EMAIL PROTECTED]Fax: 801.993.7260 Web: 
http://slc.mew.com ___Wireshark-dev mailing listWireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Further HTTP woes...

2006-09-07 Thread Bryant Eastham 
It appears that HTTP requests/responses that are not chunked and do not
include a Content-Length cannot be decoded correctly. The following
comment appears in the code:

 * If no content length was supplied (or if a bad content length
 * was supplied), the amount of data to be processed is the
amount
 * of data remaining in the frame.
 *
 * If there was no Content-Length entity header, we should
 * accumulate all data until the end of the connection.
 * That'd require that the TCP dissector call subdissectors
 * for all frames with FIN, even if they contain no data,
 * which would require subdissectors to deal intelligently
 * with empty segments.

My understanding is that the logic to "accumulate all data until the end
of the connection" is not currently possible (or at least not currently
implemented).

I now have the following problem. It is common for our implementation to
dump the headers in one segment and then dump the data in the next, with
no Content-Length. Yes, we should set the Content-Length and the problem
goes away, but the engineer didn't, and shouldn't really have to.

So:

1. The packet with the headers is not passed to my subdissector because
there is no data. The 'if' statement at line 901 of packet-http.c sees
to that.
2. The packet without my headers is passed to my subdissector, but
without the headers I can't tell that it is mine.

A solution would be to create a conversation and attach the header
information to it when I notice that it is my protocol, but that doesn't
work because of #1 - I don't get a chance to create the conversation.

The solution appears to either be to implement the logic described in
the comments - far beyond my meager knowledge - or to pass packets with
no data (but with headers) to subdissectors.

Does this make sense, or am I missing something? Would it be acceptable
to pass zero-data-length packets to subdissectors?

Should I take this offline with the primary HTTP maintainer? And is that
Guy Harris?

Thanks,
Bryant Eastham
Chief Architect
Panasonic Electric Works Laboratory of America, Inc.
Salt Lake City Lab
4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124
Phone : 801.993.7124 Email: [EMAIL PROTECTED]
Fax: 801.993.7260 Web: http://slc.mew.com  

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] query regarding gtp_handlefuntionanddecoderfunction.

2006-09-07 Thread prashanth joshi 
Hi,  My query is :  How to add a string i.e. a string which is part of the gtp packet , to the tree.  I feel proto_tree_add_string ( )  wont work becos:  suppose packet contains an integer value, then val_to_str( ) operates on that value and then returns a string. Now proto_tree_add_string ( ) adds this string to the  tree.  How ever if we have a string itself in the gtp packet, then how we will add that string to the tree. Fopr example, the incoming gtp packets are supposed to contain the names of the customers. Certainly the names will be dynamic and will be varying.  So we can not use proto_tree_add_string ( ).  So what may be the solution for this  regards,  Prashanth   ronnie sahlberg <[EMAIL PROTECTED]> wrote:  you MUST use a hf_ field as the second parameter.you can NOT use NULL since1, NULL is not an integer and is therefore the WRONG type for thesecond parameter and would anyway give you a compiler error if youtried.2, there are plenty of examples on how to use hf_fields in the code.please read the other similar dissectors and also the developers guidethat DOES explain many of these questions.Look at other dissectors that do similar things.On 9/7/06, prashanth joshi <[EMAIL PROTECTED]>wrote:> Hi Anders,> thanks.> But, as u know i've been trying to write a deceder function> So it goes something like this:> My_decoder_fun(..)> {> proto_tree *my_tree;> proto_item *te; te = proto_tree_add_text(tree, tvb, offset, 1,> val_to_str(MY_EXT_VAL, gtp_val, "Unknown
 message"));> my_tree = proto_item_add_subtree(te, my_tree);>> proto_tree_add_item(my_tree, hf_to_be_described, tvb,> offset+1, 2, FALSE);> .. .> .> .. .. .> ..> regards,> Prashanth>>> }> Now i found it difficult to build the definition for hf_to_be_described in> the poto_reg_gtp function and in the array hf_register_info hf_gtp[].> Hence what i want to know is that, is it possible to have a NULL value as> the second argument instead of a hf_ ...> And if a hf_ is very much necessary then how to build it.>> Anders Broman <[EMAIL PROTECTED]>wrote:> Hi,> What you probably want to do is to change the current code to something> like:> static int>
 decode_gtp_priv_ext(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,> proto_tree *tree) {>> guint16 length, ext_id;> proto_tree *ext_tree_priv_ext;> proto_item *te;> tvbuff_t *new_tvb;>> te = proto_tree_add_text(tree, tvb, offset, 1,> val_to_str(GTP_EXT_PRIV_EXT, gtp_val, "Unknown message"));> ext_tree_priv_ext = proto_item_add_subtree(te, ett_gtp_ext);>> offset++;> length = tvb_get_ntohs(tvb, offset);> proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_length, tvb,> offset, 2, FALSE);> offset = offset+2;> if (length >= 2) {> ext_id = tvb_get_ntohs(tvb, offset);> proto_tree_add_uint(ext_tree_priv_ext, hf_gtp_ext_id, tvb,> offset, 2, ext_id);> offset = offset+2;>> /*> * XXX - is this always a text string? Or should it be> * displayed as hex data?> */> if (length > 2)>
 proto_tree_add_item(ext_tree_priv_ext,> hf_gtp_ext_val, tvb, offset, length-2, FALSE);> switch (ext_id){> case MY_MANUFACTURER_ID:> new_tvb = tvb_new_subset(tvb, offset, length-2,> length-2);> dissect_private_ext_manufacturer_id(new_twb, pinfo,> ext_tree_priv_ext)> break;> default:> break;> }> }>> return 3+length;> }>> Brg> Anders> -Ursprungligt meddelande-> Från: [EMAIL PROTECTED]> [mailto:[EMAIL PROTECTED] För prashanth joshi> Skickat: den 6 september 2006 22:52> Till: Developer support list for Wireshark> Ämne: Re: [Wireshark-dev] query regarding> gtp_handlefuntionanddecoderfunction.>> Hi Anders,> how r u...> I have a query Anders.> If we consider for example the following statement,>
 proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_val, tvb, offset+5,> length-2, FALSE);>> So length-2 bytes of data is added in to tree ,starting from the location> number ofset + 5 of tvb.> My query is : is it absolutely necessary to have hf_gtp_ext_> as the second argument when ever we want to add an item?> Can not we do away with it by having a NULL as second argument instead? ( I> found it difficult to understand how the contents of the proto_register_gtp> array are built)> And what would be the limitations if we try to add an item using the> proto_tree_add_text( ) instead ?> regards,> Prashanth>> "Anders Broman (AL/EAB)" wrote:> Hi,> The function val_to_str(GTP_EXT_RAI, gtp_val, "Unknown message"));> searches the svalue_string gtp-val for a match to GTP_EXT_RAI and if found> returns the matching string, in this case> "Routing
 Area Identity" if no match is found it will print "Unknown> message".>> Best regards> Anders>>> From: [EMAIL PROTECTED]> [mailto:[EMAIL PROTECTED] On Behalf Of prashanth joshi> Sent: den 6 september 2006 09:25> To: Developer support list for Wireshark> Subject: Re: [Wireshark-dev] query regarding gtp_handle> funtionanddecoderfunction.> Hi Anders, thanks.> Now the thing

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread LEGO 
On 9/7/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Gak.  Any idea what package installed its own private libz?  It probably
> shouldn't be doing that, unless it needs 1.2.3 or later and can't work
> with earlier versions.

Darwinports does use its own dependencies for a *lot* of things even
if unnecessary. Happens for openssl which they deliver the same
version that tiger has as well as zlib, iconv and others. I think they
do that because they want it to work from Cheetah to Tiger... I regret
they do not check whether what's already there is OK.

> (Just out of curiosity, are there zlib.h and zconf.h headers in
> /opt/local/include?  If so, does zconf.h define z_off_t and, if so, how
> does it define it?  If it defines it as anything other than "long" under
> all circumstances, it's probably not binary-compatible with the zlib
> that comes with OS X.)

Both OS X's and Darwinports' use the one defined in
/usr/include/sys/_types.h as __int64_t .

> I just looked at the zlib.h on 10.4.7 - there's a zlibCompileFlags()
> routine that returns information including the size of z_off_t; at least
> for versions of zlib that have that routine, we could have wiretap
> check, at run time, whether the size matches the size we were built
> with, and fail if it's not.

I think it has more to do with the binary using offets for symbols of
one dylib on another dylib (as I said I had the same issue in the past
with openssl on my PPC powerbook ).

Honestly I had never understood the obscure magic behind dynamic
linking. What makes it look weird to me is that my PPC powerbook has
both copies of zlib as well but it doesn't misbehave while on the
intel one does...

Luis

> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Guy Harris 
LEGO wrote:

> there's libz.1.2.3 in both /usr/lib and /opt/local/lib

Gak.  Any idea what package installed its own private libz?  It probably 
shouldn't be doing that, unless it needs 1.2.3 or later and can't work 
with earlier versions.

> as soon as I removed that in /opt/local/lib I solved the issue...
> diferent library same mis-bahaviour as I used to have with open-ssl

Hmm.  libz tends to have problems on BSDish systems, courtesy of 
lseek()'s offset argument being 64-bit even on 32-bit platforms (see the 
long comment in wiretap/file_wrappers.c for details); OS X is a BSDish 
system in that regard.

Modern versions of BSDs have fixed the libz problem, although OpenBSD 
did it differently from the way the other BSDs (including OS X) do.

That's often the source of, umm, *surprising* behavior when reading 
capture files with versions of Wireshark built with libz if the version 
with which it was built is different from the version it's linking with 
at run time.

(Just out of curiosity, are there zlib.h and zconf.h headers in 
/opt/local/include?  If so, does zconf.h define z_off_t and, if so, how 
does it define it?  If it defines it as anything other than "long" under 
all circumstances, it's probably not binary-compatible with the zlib 
that comes with OS X.)

I just looked at the zlib.h on 10.4.7 - there's a zlibCompileFlags() 
routine that returns information including the size of z_off_t; at least 
for versions of zlib that have that routine, we could have wiretap 
check, at run time, whether the size matches the size we were built 
with, and fail if it's not.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Win32 build error return code 0x66666666

2006-09-07 Thread Cook, Timothy 
I just did build based on source distribution 0.99.3 (retrieved today)!

I did find that the file \wireshark\airpcap.h is missing from the
distribution and causes the build to fail.

Before starting the first build, did you execute: "nmake
-fmakefile.nmake distclean" and "nmake -fmakefile.nmake setup"?

My final DOS environment is as follows: (not much setup)


O:\wireshark-0.99.3a>set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
BSIDIR=C:
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\[user name]
INCLUDE=C:\PROGRA~1\MICROS~3\VC98\ATL\INCLUDE;C:\PROGRA~1\MICROS~3\VC98\
INCLUDE;C:\PROGRA~1\MICROS~3\VC98\MFC\INCLUDE;
LIB=C:\PROGRA~1\MICROS~3\VC98\LIB;C:\PROGRA~1\MICROS~3\VC98\MFC\LIB;
MSDevDir=C:\PROGRA~1\MICROS~3\Common\msdev98
MSVCDir=C:\PROGRA~1\MICROS~3\VC98
OS=Windows_NT
PATH=C:\PROGRA~1\MICROS~3\Common\msdev98\BIN;C:\PROGRA~1\MICROS~3\VC98\B
IN;C:\PROGRA~1\MICROS~3\Common\TOOLS\WINNT;C:\PROGRA~1\MICROS~3\Common\T
OOLS;C:\windows\system32
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
windir=C:\WINDOWS

O:\wireshark-0.99.3a>



-Tim

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> VOCAL Technologies, LTD
> Sent: Thursday, September 07, 2006 9:23 AM
> To: wireshark-dev@wireshark.org
> Subject: [Wireshark-dev] Win32 build error return code 0x
> 
> I am building from the source distrobution 0.99.3
> 
> 
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 
> __
> ___
> Scanned by IBM Email Security Management Services powered by 
> MessageLabs. For more information please visit 
> http://www.ers.ibm.com 
> __
> ___
> 
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] win32: nmake setup: can't find cl

2006-09-07 Thread Jacques, Olivier \(OpenCall Test Infra\) 
Hello,
 
I re-installed my PC and I'm trying to re-setup my wireshark build
environment. After a fresh svn checkout, a nmake -f makefile.nmake
distclean, I can't run "nmake -f makefile.nmake setup": win32setup.sh
complains about cl that can't be found:
-- 
C:\transfer\ethereal\winbuild\ethereal>nmake -f makefile.nmake setup
 
Microsoft (R) Program Maintenance Utility   Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
 
Checking for required applications:

ERROR: Can't find cl. This is probably an optional cygwin package not
yet installed. Try to install it using cygwin's setup.exe!
 
NMAKE : fatal error U1077: 'bash' : return code '0x1'
Stop.
 
--
(side note: cl is not part of cygwin, maybe we should change the message
there).
But cl is in the path (I ran vcvars32.bat).
--
C:\transfer\ethereal\winbuild\ethereal>cl
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for
80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
 
usage: cl [ option... ] filename... [ /link linkoption... ]
--
The issue seems to be that cygwin's "which" can't find "cl". In
win32setup.sh, this piece of code is checking the app:
APP_PATH=`cygpath --unix $APP`
if [ -x "$APP_PATH" -a ! -d "$APP_PATH" ] ; then
APP_LOC="$APP_PATH"
else
APP_LOC=`which $APP_PATH 2> /dev/null`
fi

Running which and cygpath, I get:
-
C:\transfer\ethereal\winbuild\ethereal>which cl
cl: Command not found.

C:\transfer\ethereal\winbuild\ethereal>cygpath --unix cl
cl
-

Is there anyone that encountered the same problem? Any idea?

Thanks a lot,
Olivier.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] win32: nmake setup: can't find cl

2006-09-07 Thread Cook, Timothy 
Have you done the following:

Do you intend to build using MSVC & CYGWIN tools?
Was your Win32 build environment setup using the Developers Guide,
sections 2.3 & 4.6.2?

If you intended to use MSVC & CYGWIN tools, a command prompt [DOS
prompt] is the way to go!

Also ensure that you have run vcvars32.bat before calling nmake.  This
is normally in "Program Files\Microsoft Visual studio\VC98\bin".  This
sets lots of important paths and env vars for MSVC6.

I build using MSVC v6 & CYGWIN tools.


-Tim

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Jacques, Olivier (OpenCall Test Infra)
> Sent: Thursday, September 07, 2006 1:42 PM
> To: Developer support list for Wireshark
> Subject: [Wireshark-dev] win32: nmake setup: can't find cl
> 
> Hello,
>  
> I re-installed my PC and I'm trying to re-setup my wireshark 
> build environment. After a fresh svn checkout, a nmake -f 
> makefile.nmake distclean, I can't run "nmake -f 
> makefile.nmake setup": win32setup.sh complains about cl that 
> can't be found:
> --
> C:\transfer\ethereal\winbuild\ethereal>nmake -f makefile.nmake setup
>  
> Microsoft (R) Program Maintenance Utility   Version 6.00.8168.0
> Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
>  
> Checking for required applications:
> 
> ERROR: Can't find cl. This is probably an optional cygwin 
> package not yet installed. Try to install it using cygwin's setup.exe!
>  
> NMAKE : fatal error U1077: 'bash' : return code '0x1'
> Stop.
>  
> --
> (side note: cl is not part of cygwin, maybe we should change 
> the message there).
> But cl is in the path (I ran vcvars32.bat).
> --
> C:\transfer\ethereal\winbuild\ethereal>cl
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for
> 80x86
> Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
>  
> usage: cl [ option... ] filename... [ /link linkoption... ]
> --
> The issue seems to be that cygwin's "which" can't find "cl". 
> In win32setup.sh, this piece of code is checking the app:
>   APP_PATH=`cygpath --unix $APP`
>   if [ -x "$APP_PATH" -a ! -d "$APP_PATH" ] ; then
>   APP_LOC="$APP_PATH"
>   else
>   APP_LOC=`which $APP_PATH 2> /dev/null`
>   fi
> 
> Running which and cygpath, I get:
> -
> C:\transfer\ethereal\winbuild\ethereal>which cl
> cl: Command not found.
> 
> C:\transfer\ethereal\winbuild\ethereal>cygpath --unix cl cl
> -
> 
> Is there anyone that encountered the same problem? Any idea?
> 
> Thanks a lot,
> Olivier.
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 
> __
> ___
> Scanned by IBM Email Security Management Services powered by 
> MessageLabs. For more information please visit 
> http://www.ers.ibm.com 
> __
> ___
> 
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] [Patch] epan/make-sminmpec.pl

2006-09-07 Thread Andrew Feren 
--- LEGO <[EMAIL PROTECTED]> wrote:

> Committed revision 19172.
> 
> I modified so that calling it like
>make-sminmpec.pl -gen
> is like calling it
>make-sminmpec.pl -gen \
>  http://www.iana.org/assignments/enterprise-numbers \
>  sminmpec.c

If you try using this default I doubt very much you will get the results you
want.  Attached is a patch to your patch of my patch.  ;-)

changes:
changed -gen to -cp  since I think the name makes more sense

infile always defaults to http://www.iana.org/assignments/enterprise-numbers

with the -cp switch
outfile defaults to enterprise-numbers

without the -cp swith
outfile defaults to sminmpec.c

-Andrew

> Luis
> 
> On 9/7/06, Andrew Feren <[EMAIL PROTECTED]> wrote:
> > This adds some features to update enterprise-numbers from the web.  After
> I
> > submitted a large update for epan/enterprise-numbers yesterday I got to
> > thinking that there ought to be a way to automate keeping the file up to
> > date.
> >
> > As used in the Makefile currently
> >   make-sminmpec.pl  
> >
> > works exactly the same.  Additionally  can be a URL to an infile
> in
> > the expected format.
> >
> > example :
> > make-sminmpec.pl http://www.iana.org/assignments/enterprise-numbers
> > sminmpec.c
> >
> > Using the new "-gen" switch will create a new 
> >
> > example:
> > make-sminmpec.pl -gen \
> > http://www.iana.org/assignments/enterprise-numbers \
> > enterprise-numbers
> >
> > if you use a local file for infile the -gen switch is the moral
> equivalent of
> > just copying the file.  (maybe -cp would be a better switch name)
> >
> > I didn't update any Makefiles since I think in general people don't
> need/want
> > to update off the web for every build.  Perhaps using this to update
> > enterprise-numbers could be run with make-manuf.   (Is manuf run
> > periodically?  If so when?  Just curious.)
> >
> > -Andrew
> >
> > -Andrew Feren
> >  [EMAIL PROTECTED]
> >
> > ___
> > Wireshark-dev mailing list
> > Wireshark-dev@wireshark.org
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
> >
> >
> >
> 
> 
> -- 
> This information is top security. When you have read it, destroy yourself.
> -- Marshall McLuhan
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 

-Andrew Feren
 [EMAIL PROTECTED]

my_patch.gz
Description: 3270623545-my_patch.gz
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] [Patch] epan/make-sminmpec.pl

2006-09-07 Thread LEGO 
Committed revision 19172.

I modified so that calling it like
   make-sminmpec.pl -gen
is like calling it
   make-sminmpec.pl -gen \
 http://www.iana.org/assignments/enterprise-numbers \
 sminmpec.c

Luis

On 9/7/06, Andrew Feren <[EMAIL PROTECTED]> wrote:
> This adds some features to update enterprise-numbers from the web.  After I
> submitted a large update for epan/enterprise-numbers yesterday I got to
> thinking that there ought to be a way to automate keeping the file up to
> date.
>
> As used in the Makefile currently
>   make-sminmpec.pl  
>
> works exactly the same.  Additionally  can be a URL to an infile in
> the expected format.
>
> example :
> make-sminmpec.pl http://www.iana.org/assignments/enterprise-numbers
> sminmpec.c
>
> Using the new "-gen" switch will create a new 
>
> example:
> make-sminmpec.pl -gen \
> http://www.iana.org/assignments/enterprise-numbers \
> enterprise-numbers
>
> if you use a local file for infile the -gen switch is the moral equivalent of
> just copying the file.  (maybe -cp would be a better switch name)
>
> I didn't update any Makefiles since I think in general people don't need/want
> to update off the web for every build.  Perhaps using this to update
> enterprise-numbers could be run with make-manuf.   (Is manuf run
> periodically?  If so when?  Just curious.)
>
> -Andrew
>
> -Andrew Feren
>  [EMAIL PROTECTED]
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
>
>


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Http dissector - Am I missing something?

2006-09-07 Thread LEGO 
XML's dissector is called as an heuristic dissector for http, can't
you do like it does?

Luis

On 9/7/06, Bryant Eastham <[EMAIL PROTECTED]> wrote:
> All-
>
> I have done several plugin dissectors in the past for internal
> protocols, all TCP- and UDP-based. I am now trying to add a plugin for a
> protocol that uses HTTP as the transport. Easy, I thought! Well, not so
> easy it appears.
>
> I am confused by the logic in packet-http.c around line 1059:
>
> if (handle == NULL && headers.content_type != NULL) {
> /*
>  * We didn't find any subdissector that
>  * registered for the port, and we have a
>  * Content-Type value.  Is there any
> subdissector
>  * for that content type?
>  */
> save_private_data = pinfo->private_data;
>
> if (headers.content_type_parameters)
> pinfo->private_data =
> ep_strdup(headers.content_type_parameters);
> else
> pinfo->private_data = NULL;
> /*
>  * Calling the string handle for the media type
>  * dissector table will set pinfo->match_string
>  * to headers.content_type for us.
>  */
> pinfo->match_string = headers.content_type;
> handle = dissector_get_string_handle(
> media_type_subdissector_table,
> headers.content_type);
> /*
>  * Calling the default media handle otherwise
>  */
> if (handle == NULL) {
> handle = media_handle;
> }
> }
>
> This seems to imply that if I have a content-type, then I cannot have a
> heuristic subdissector. The reason is the last line, that forces the
> handle to "media_handle".
>
> Here is my issue: our protocol uses content-type as
> "application/octet-stream", the contents being binary. We identify our
> packets (besides the URL) with a type modifier on the content-type that
> is specific to our protocol. Unfortunately, the logic as I understand it
> for handling content-type is too specific to handle this situation (no
> one dissector should handle all "application/octet-stream" packets,
> right?).
>
> This seems like a case for a heuristic subdissector, but that is
> disabled by the forcing of handle to media_handle.
>
> I seem to remember that changes were made to resolve this issue a while
> ago, but maybe I was dreaming...
>
> What am I missing?
>
> Bryant Eastham
> Chief Architect
> Panasonic Electric Works Laboratory of America, Inc.
> Salt Lake City Lab
> 4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124
> Phone : 801.993.7124 Email: [EMAIL PROTECTED]
> Fax: 801.993.7260 Web: http://slc.mew.com 
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] tcp_dissect_pdus

2006-09-07 Thread John R. Hogerhuis 
On Thu, 2006-09-07 at 03:22 -0700, Guy Harris wrote:
> John R. wrote:
> > I have an issue with desegmentation of packets: if the minimal
header
> > required to judge length is broken across TCP segments A and B, at
> > segment A it decides properly to return expecting the remainder of
the
> > minimal header. In my problem case, the next tcp segment to arrive
has
> > the remainder of this packet and several others. It calls my pdu
> > measurement routine which through printf's I've determined is
properly
> > returning the length of the full PDU.
> 
> That length includes the minimal header, right?  I.e., a 30-byte PDU 
> would have a 5-byte minimal header plus 25 bytes of payload after the 
> minimal header; in that case, your routine should be returning 30,
not 
> 25, even if the length is determined by a value in the minimal
header, 
> and that value is the length of data *after* the minimal header
(i.e., 
> 25, in the example I gave).
> 

Right. There is a 5 byte header, and the value returned is the total PDU
length including the header.

> > Once segment B appears should tcp_dissect_pdus stay in the dissect
> > loop until all packets within it are decoded?
> 
> Yes (if by "within it" you mean "fully within it or previous TCP 
> segments"; the last packet might have the start, but not the end, in 
> that segment, in which case it can't dissect the last packet at that
point).
> 

In that case I think the problem is definitely below tcp_dissect_pdus.
The issue seems to be that tvb_ensure_length_remaining (I am not at my
client's but I think that is the name of the routine) called by
tcp_dissect_pdus is returning only the length of the header not the full
length of segment B. So once tcp_dissect_pdus finds out the length of
the PDU (36 bytes) it returns.

> Are TCP segments A and B in order in the capture?

Yes.

> 
> > What function calls my outer dissector that calls tcp_dissect_pdus?
> 
> decode_tcp_ports(), in epan/dissectors/packet-tcp.c.
> 
> It's called from process_tcp_payload(), also in 
> epan/dissectors/packet-tcp.c, and that's called by desegment_tcp()
and 
> dissect_tcp_payload(), also in epan/dissectors/packet-tcp.c. 
> dissect_tcp_payload() is called from dissect_tcp(), and it calls 
> desegment_tcp() if it can do desegmentation.
> 
> 

I've been poking around in the tcp dissector code. I'll let you know if
I come up with something useful.

Thanks,

-- John.


___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Http dissector - Am I missing something?

2006-09-07 Thread Bryant Eastham 
All-

I have done several plugin dissectors in the past for internal
protocols, all TCP- and UDP-based. I am now trying to add a plugin for a
protocol that uses HTTP as the transport. Easy, I thought! Well, not so
easy it appears.

I am confused by the logic in packet-http.c around line 1059: 

if (handle == NULL && headers.content_type != NULL) {
/*
 * We didn't find any subdissector that
 * registered for the port, and we have a
 * Content-Type value.  Is there any
subdissector
 * for that content type?
 */
save_private_data = pinfo->private_data;

if (headers.content_type_parameters)
pinfo->private_data =
ep_strdup(headers.content_type_parameters);
else
pinfo->private_data = NULL;
/*
 * Calling the string handle for the media type
 * dissector table will set pinfo->match_string
 * to headers.content_type for us.
 */
pinfo->match_string = headers.content_type;
handle = dissector_get_string_handle(
media_type_subdissector_table,
headers.content_type);
/*
 * Calling the default media handle otherwise
 */
if (handle == NULL) {
handle = media_handle;
}
}

This seems to imply that if I have a content-type, then I cannot have a
heuristic subdissector. The reason is the last line, that forces the
handle to "media_handle".

Here is my issue: our protocol uses content-type as
"application/octet-stream", the contents being binary. We identify our
packets (besides the URL) with a type modifier on the content-type that
is specific to our protocol. Unfortunately, the logic as I understand it
for handling content-type is too specific to handle this situation (no
one dissector should handle all "application/octet-stream" packets,
right?).

This seems like a case for a heuristic subdissector, but that is
disabled by the forcing of handle to media_handle.

I seem to remember that changes were made to resolve this issue a while
ago, but maybe I was dreaming...

What am I missing?

Bryant Eastham
Chief Architect
Panasonic Electric Works Laboratory of America, Inc.
Salt Lake City Lab
4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124
Phone : 801.993.7124 Email: [EMAIL PROTECTED]
Fax: 801.993.7260 Web: http://slc.mew.com  

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] [Patch] epan/make-sminmpec.pl

2006-09-07 Thread Andrew Feren 
This adds some features to update enterprise-numbers from the web.  After I
submitted a large update for epan/enterprise-numbers yesterday I got to
thinking that there ought to be a way to automate keeping the file up to
date.

As used in the Makefile currently 
  make-sminmpec.pl  

works exactly the same.  Additionally  can be a URL to an infile in
the expected format.

example :
make-sminmpec.pl http://www.iana.org/assignments/enterprise-numbers
sminmpec.c

Using the new "-gen" switch will create a new 

example:
make-sminmpec.pl -gen \
http://www.iana.org/assignments/enterprise-numbers \
enterprise-numbers

if you use a local file for infile the -gen switch is the moral equivalent of
just copying the file.  (maybe -cp would be a better switch name)

I didn't update any Makefiles since I think in general people don't need/want
to update off the web for every build.  Perhaps using this to update
enterprise-numbers could be run with make-manuf.   (Is manuf run
periodically?  If so when?  Just curious.)

-Andrew

-Andrew Feren
 [EMAIL PROTECTED]

my_patch.gz
Description: 3270623545-my_patch.gz
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] ESP Patch for Hexadecimal keys

2006-09-07 Thread Frédéric Roudaut 


Hi,

as requested  here is a patch  in order to take into account  Encryption 
and Authentication keys for ESP in hexa. 
You only have to write your key with 0x first. In this case if the key 
is not in 8-bit unit, it will be considered as starting with a "0" (4 bits).
Excepted this case, the key should be completely written, even if it 
starts with "0x00".


Nevertheless, if the box contains a key with white spaces before "0x",  
it will be taken into account. Ie if the ESP preference contains  
"0xff",  it will not be considered  as an hexadecimal key (4 
white spaces before 0x). I do not think it is a problem but please tell 
me if it is, I will correct this.


Moreover I noticed an editorial issue in the Author files ;-). IPsec 
should be written like this and not IP-sec.

could you please update this ?

best regards,

ps : in attachment, you will also get some examples for using 
Hexadecimal keys (preference and capture files, IPsec policy for setkey).

ps2 : sorry for the off-by-one errors ;-(

---
Frederic Roudaut



Filonenko Alexander-AAF013 wrote:

Frederic,
 
Thank you for the response. While adding this feature, do you plan to 
add another checkbox in the ESP preferences so the user can switch 
between ASCII/hex modes for encryption keys?
 
Thank you,

Alex Filonenko
 
 



*From:* Frédéric Roudaut [mailto:[EMAIL PROTECTED]
*Sent:* Tuesday, August 01, 2006 5:19 AM
*To:* Filonenko Alexander-AAF013
*Cc:* Ethereal development; Developer support list for Wireshark
*Subject:* Re: IPsec Dissector to decrypt ESP Payload

Hi,

sorry for my late answer. You're right for the key. To enter binary 
keys you need to modify the dissector. It should easy to adapt. If 
needed, I could easily add this but however not before the beginning 
of september.

Sorry for that.

best regards,

--
Frederic Roudaut


Filonenko Alexander-AAF013 a écrit :

Frederic,

I am using ESP decryption features of your dissector and it is very useful. 
I have one question though. How can I use arbitrary (non-ASCII) encryption key with preferences available for ESP? Is the key limited to ASCII characters only? 


Thank you,
Alex

-Original Message-
From: Filonenko Alexander-AAF013 
Sent: Friday, February 24, 2006 4:43 PM

To: 'Ethereal development'
Subject: RE: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload

Frederic,

I find IPsec functionality you have added to the dissector very useful.
Hope I can provide you with some feedback in a few weeks.

Thank you,
Alex Filonenko 

  

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Frederic 
Roudaut

Sent: Friday, February 24, 2006 10:01 AM
To: Ethereal development
Subject: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload


Hi,

finally, I have updated my dissector using libgcrypt.
It does not use openssl anymore.
If gnutls is installed, all should work.
Thus, now it should decrypt and dissect (transport/tunnel/several 
encapsulations ...) :


- NULL Encryption Algorithm
- TripleDES-CBC [RFC2451] : keylen 192 bits.
- AES-CBC with 128-bit keys [RFC3602] : keylen 128 and 192/256 bits.
- AES-CTR [RFC3686] : keylen 160/224/288 bits. The remaining
32 bits will be used as nonce.
- DES-CBC [RFC2405] : keylen 64 bits

I also have added :

- BLOWFISH-CBC : keylen 128 bits.
- TWOFISH-CBC : keylen 128/256 bits.

You have to indicate the Authentication algorithm even if all 
Algorithms since it uses 12 bytes in the Auth field should work (have 
a look to the README to understand why I put it

;-) ). If you consider I have to throw it away please tell me.

HMAC-SHA1-96 [RFC2404]
NULL
AES-XCBC-MAC-96 [RFC3566]
HMAC-MD5-96 [RFC2403]

In the attachment you will get :
- this dissector
- a new README
- some example capture files with associated preferences files (and 
setkey config files)



Best Regards,



Frederic






--
Frédéric ROUDAUT
IRISA-INRIA, Campus de Beaulieu, 35042 Rennes cedex, France
Tl: +33 (0) 2 99 84 71 44, Fax: +33 (0) 2 99 84 71 71




___
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev


  







ESP_example_hex_keys.tgz
Description: application/compressed-tar


packet_ipsec.c.gz
Description: GNU Zip compressed data
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Win32 build error return code 0x66666666

2006-09-07 Thread VOCAL Technologies, LTD 
I am building from the source distrobution 0.99.3


___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Win32 build error return code 0x66666666

2006-09-07 Thread Cook, Timothy 
What are you using as source (e.g. SVN tip or source distribution
0.99.3)?  I usually build from SVN tip.  However, I haven't applied
updates for couple months.  Maybe I'll have time to update & do a clean
build.

-Tim 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> VOCAL Technologies, LTD
> Sent: Thursday, September 07, 2006 8:53 AM
> To: wireshark-dev@wireshark.org
> Subject: [Wireshark-dev] Win32 build error return code 0x
> 
> Thank you Tim, I reinstalled Cygwin tools, and I was able to 
> compile, but am now unable to link.  I checked my path to 
> make sure I am using the MSVC linker, and I get this error:
> 
> ftype-ipv4.c(108) : error C2065: 'fvalue_t_free_list' : 
> undeclared identifier
> 
> I am working on tracking this bug down, but any other tips 
> wouldbe helpful.
> 
> Thanks again.
> 
> 
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 
> __
> ___
> Scanned by IBM Email Security Management Services powered by 
> MessageLabs. For more information please visit 
> http://www.ers.ibm.com 
> __
> ___
> 
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Andreas Fink 
Oh thats interesting. I think my wireshark was built with the source  
of libz as well but really what whould have been needed was a export  
LDFLAGS -lz for most of the tools. I'm rebuilding it currently on a  
new MacPro. Will report if that fixes it too.


On 07.09.2006, at 13:57, LEGO wrote:

> Found!
>
> there's libz.1.2.3 in both /usr/lib and /opt/local/lib
> as soon as I removed that in /opt/local/lib I solved the issue...
> diferent library same mis-bahaviour as I used to have with open-ssl
>
> "Solved" by
> [pociccio:~/src/trunk] lego% sudo mv /opt/local/lib/libz.1.2.3.dylib
> /opt/local/lib/=libz.1.2.3.dylib=
> [pociccio:~/src/trunk] lego% sudo ln -s /usr/lib/libz.1.2.3.dylib
> /opt/local/lib/libz.1.2.3.dylib
>
> Luis
> -- 
> This information is top security. When you have read it, destroy  
> yourself.
> -- Marshall McLuhan
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Win32 build error return code 0x66666666

2006-09-07 Thread VOCAL Technologies, LTD 
Thank you Tim, I reinstalled Cygwin tools, and I was able to compile, but am
now unable to link.  I checked my path to make sure I am using the MSVC
linker, and I get this error:

ftype-ipv4.c(108) : error C2065: 'fvalue_t_free_list' : undeclared
identifier

I am working on tracking this bug down, but any other tips wouldbe helpful.

Thanks again.


___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread LEGO 
Found!

there's libz.1.2.3 in both /usr/lib and /opt/local/lib
as soon as I removed that in /opt/local/lib I solved the issue...
diferent library same mis-bahaviour as I used to have with open-ssl

"Solved" by
[pociccio:~/src/trunk] lego% sudo mv /opt/local/lib/libz.1.2.3.dylib
/opt/local/lib/=libz.1.2.3.dylib=
[pociccio:~/src/trunk] lego% sudo ln -s /usr/lib/libz.1.2.3.dylib
/opt/local/lib/libz.1.2.3.dylib

Luis
-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] display filter on a field that appears more than once in a message

2006-09-07 Thread Andrew Schweitzer 
Guy Harris wrote:
> ronnie sahlberg wrote:
> 
>>The difference is the difference between the upside down A (==For ALL it 
>>is true)
>>and the mirrored E (==there EXISTS at least one)
> 
> 
> I.e.:
> 
>   payload.packet.a_field != 1
> 
> means "there exists at least one instance of payload.packet.a_field in 
> the packet that has a value not equal to 1", not "all instances of 
> payload.packet.a_field in the packet have values not equal to 1", and 
> the negation of that is "all instances of payload.packet.a_field in the 
> packet have values equal to 1".
> 
>   payload.packet.a_field == 1
> 
> means "there exists at least one instance of payload.packet.a_field with 
> a value equal to 1", which is not the opposite of "there exists at least 
> one instance of payload.packet.a_field in the packet that has a value 
> not equal to 1", i.e. it's not the opposite of
> 
>   payload.packet.a_field != 1

Thanks, this is very helpful. I can see now that the doc says this as well.

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] display filter on a field that appears more than once in a message

2006-09-07 Thread Guy Harris 
ronnie sahlberg wrote:
> The difference is the difference between the upside down A (==For ALL it 
> is true)
> and the mirrored E (==there EXISTS at least one)

I.e.:

payload.packet.a_field != 1

means "there exists at least one instance of payload.packet.a_field in 
the packet that has a value not equal to 1", not "all instances of 
payload.packet.a_field in the packet have values not equal to 1", and 
the negation of that is "all instances of payload.packet.a_field in the 
packet have values equal to 1".

payload.packet.a_field == 1

means "there exists at least one instance of payload.packet.a_field with 
a value equal to 1", which is not the opposite of "there exists at least 
one instance of payload.packet.a_field in the packet that has a value 
not equal to 1", i.e. it's not the opposite of

payload.packet.a_field != 1
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] query regarding gtp_handlefuntionanddecoderfunction.

2006-09-07 Thread ronnie sahlberg 
you MUST use a hf_ field as the second parameter.

you can NOT use NULL since
1, NULL is not an integer and is therefore the WRONG type for the
second parameter and would anyway give you a compiler error if you
tried.
2, there are plenty of examples on how to use hf_fields in the code.


please read the other similar dissectors and also the developers guide
that DOES explain many of these questions.
Look at other dissectors that do similar things.





On 9/7/06, prashanth joshi <[EMAIL PROTECTED]> wrote:
> Hi Anders,
>   thanks.
>   But, as u know i've been trying to write a deceder function
>   So it goes something like this:
>   My_decoder_fun(..)
>   {
>   proto_tree  *my_tree;
>   proto_item  *te;
>
>
>
> te = proto_tree_add_text(tree, tvb, offset, 1,
> val_to_str(MY_EXT_VAL, gtp_val, "Unknown message"));
> my_tree = proto_item_add_subtree(te, my_tree);
>
>proto_tree_add_item(my_tree, hf_to_be_described, tvb,
> offset+1, 2, FALSE);
>   .. .
> .
>   .. .. .
> ..
>   regards,
>   Prashanth
>
>
>   }
>   Now i found it difficult to build the definition for hf_to_be_described in
> the poto_reg_gtp function and in the array hf_register_info hf_gtp[].
>   Hence what i want to know is that, is it possible to have a NULL value as
> the second argument instead of a hf_ ...
>   And if a hf_ is very much necessary then how to build it.
>
> Anders Broman <[EMAIL PROTECTED]> wrote:
>   Hi,
> What you probably want to do is to change the current code to something
> like:
> static int
> decode_gtp_priv_ext(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
> proto_tree *tree) {
>
> guint16 length, ext_id;
> proto_tree *ext_tree_priv_ext;
> proto_item *te;
> tvbuff_t *new_tvb;
>
> te = proto_tree_add_text(tree, tvb, offset, 1,
> val_to_str(GTP_EXT_PRIV_EXT, gtp_val, "Unknown message"));
> ext_tree_priv_ext = proto_item_add_subtree(te, ett_gtp_ext);
>
> offset++;
> length = tvb_get_ntohs(tvb, offset);
> proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_length, tvb,
> offset, 2, FALSE);
> offset = offset+2;
> if (length >= 2) {
> ext_id = tvb_get_ntohs(tvb, offset);
> proto_tree_add_uint(ext_tree_priv_ext, hf_gtp_ext_id, tvb,
> offset, 2, ext_id);
> offset = offset+2;
>
> /*
> * XXX - is this always a text string? Or should it be
> * displayed as hex data?
> */
> if (length > 2)
> proto_tree_add_item(ext_tree_priv_ext,
> hf_gtp_ext_val, tvb, offset, length-2, FALSE);
> switch (ext_id){
> case MY_MANUFACTURER_ID:
> new_tvb = tvb_new_subset(tvb, offset, length-2,
> length-2);
> dissect_private_ext_manufacturer_id(new_twb, pinfo,
> ext_tree_priv_ext)
> break;
> default:
> break;
> }
> }
>
> return 3+length;
> }
>
> Brg
> Anders
> -Ursprungligt meddelande-
> Från: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] För prashanth joshi
> Skickat: den 6 september 2006 22:52
> Till: Developer support list for Wireshark
> Ämne: Re: [Wireshark-dev] query regarding
> gtp_handlefuntionanddecoderfunction.
>
> Hi Anders,
> how r u...
> I have a query Anders.
> If we consider for example the following statement,
> proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_val, tvb, offset+5,
> length-2, FALSE);
>
> So length-2 bytes of data is added in to tree ,starting from the location
> number ofset + 5 of tvb.
> My query is : is it absolutely necessary to have hf_gtp_ext_
> as the second argument when ever we want to add an item?
> Can not we do away with it by having a NULL as second argument instead? ( I
> found it difficult to understand how the contents of the proto_register_gtp
> array are built)
> And what would be the limitations if we try to add an item using the
> proto_tree_add_text( ) instead ?
> regards,
> Prashanth
>
> "Anders Broman (AL/EAB)" wrote:
> Hi,
> The function val_to_str(GTP_EXT_RAI, gtp_val, "Unknown message"));
> searches the svalue_string gtp-val for a match to GTP_EXT_RAI and if found
> returns the matching string, in this case
> "Routing Area Identity" if no match is found it will print "Unknown
> message".
>
> Best regards
> Anders
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of prashanth joshi
> Sent: den 6 september 2006 09:25
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] query regarding gtp_handle
> funtionanddecoderfunction.
> Hi Anders, thanks.
> Now the things are much clearer. Now i understand why the return value from
> the decoder function is 3 + length.
> But yeah inval_to_str(GTP_EXT_XXX, gtp_val, "UNKNOWN") , is the string
> "UNKNOWN" concatenated with GTP_EXT_XXX and returned ?
> regards,
> Prashanth.
>
> "Anders Broman (AL/EAB)" wrote:
> Hi,
> Are you trying to add something thats defined in 3GPP TS 29.060 or to do
> someting for a nonstandard extension to the protocol?
> ( 0x7F is also allready used (define GTP_EXT_CHRG_ID  0x7F)).
>
> The code:
> w

Re: [Wireshark-dev] tcp_dissect_pdus

2006-09-07 Thread Guy Harris 
John R. wrote:
> I have an issue with desegmentation of packets: if the minimal header
> required to judge length is broken across TCP segments A and B, at
> segment A it decides properly to return expecting the remainder of the
> minimal header. In my problem case, the next tcp segment to arrive has
> the remainder of this packet and several others. It calls my pdu
> measurement routine which through printf's I've determined is properly
> returning the length of the full PDU.

That length includes the minimal header, right?  I.e., a 30-byte PDU 
would have a 5-byte minimal header plus 25 bytes of payload after the 
minimal header; in that case, your routine should be returning 30, not 
25, even if the length is determined by a value in the minimal header, 
and that value is the length of data *after* the minimal header (i.e., 
25, in the example I gave).

> Once segment B appears should tcp_dissect_pdus stay in the dissect
> loop until all packets within it are decoded?

Yes (if by "within it" you mean "fully within it or previous TCP 
segments"; the last packet might have the start, but not the end, in 
that segment, in which case it can't dissect the last packet at that point).

Are TCP segments A and B in order in the capture?

> What function calls my outer dissector that calls tcp_dissect_pdus?

decode_tcp_ports(), in epan/dissectors/packet-tcp.c.

It's called from process_tcp_payload(), also in 
epan/dissectors/packet-tcp.c, and that's called by desegment_tcp() and 
dissect_tcp_payload(), also in epan/dissectors/packet-tcp.c. 
dissect_tcp_payload() is called from dissect_tcp(), and it calls 
desegment_tcp() if it can do desegmentation.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] A plugin dissector and fragmented messages

2006-09-07 Thread Still Life 
> Check out doc/README.developer chapter 2.7 Reassembly/desegmentation for
> protocols running atop TCP.
> Thanx,
> Jaap

Thank you Jaap!
I resolved my problem with the second method exposed in chapter
2.7. Now things seems to work.
Cheers
 
 
 --
 Email.it, the professional e-mail, gratis per te: http://www.email.it/f
 
 Sponsor:
 Ascolta tutta la musica che vuoi gratis!
* Clicca su www.radiosnj.com
 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=5176&d=7-9
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Guy Harris 
Andreas Fink wrote:

> I'm capturing data on a linux machine (fedora5) with tcpdump -s0 
> -wdumpfile.cap. Transfer the file to the mac and try to open it with 
> wireshark. I get weird errors saying it couldnt open it because packet 
> size is bigger than 65k or something like that. Same is if I capture 
> with ethereal on that linux box and transfer the file to the mac.

What happens if you try to read those files with tcpdump on the Mac?

> Is this a endian problem maybe?

Not if the Linux machine is an x86-based PC, because an x86-based Mac 
and an x86-based PC are both little-endian.  (The Wireshark binary is 
either x86-only, or universal with an x86 binary included, right?)
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Guy Harris 
LEGO wrote:

> I just tried to open some files with my intel
> based minimac and they do not work...

Where were the capture files created, and what application wrote them?

> oddly enough capture works only
> if you are seeing packets in real-time, if instead you try to capture
> without it fails to open them.

What does "wireshark -v" print?

And is Wireshark built from source?

> The issue here is that it doesn't appear to be an endianess issue,

No, it's almost certainly not an endianness issue; as Jeff noted, 
libpcap and wiretap both determine the endianness of a libpcap file from 
the magic number (which is written in *host* byte order, as are other 
values in the file header and packet record header), and use that when 
reading other values from the file and packet record headers.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] query regarding gtp_handlefuntionanddecoderfunction.

2006-09-07 Thread prashanth joshi 
Hi Anders,  thanks.  But, as u know i've been trying to write a deceder function   So it goes something like this:  My_decoder_fun(..)  {  proto_tree  *my_tree;  proto_item 
 *te;       te = proto_tree_add_text(tree, tvb, offset, 1, val_to_str(MY_EXT_VAL, gtp_val, "Unknown message"));    my_tree = proto_item_add_subtree(te, my_tree);       proto_tree_add_item(my_tree, hf_to_be_described, tvb, offset+1, 2, FALSE);  .. .  .  .. ..
 .   ..  regards,  Prashanth        }  Now i found it difficult to build the definition for hf_to_be_described in the poto_reg_gtp function and in the array hf_register_info hf_gtp[].  Hence what i want to know is that, is it possible to have a NULL value as the second argument instead of a
 hf_ ...  And if a hf_ is very much necessary then how to build it.Anders Broman <[EMAIL PROTECTED]> wrote:  Hi,What you probably want to do is to change the current code to somethinglike:static intdecode_gtp_priv_ext(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,proto_tree *tree) {guint16 length, ext_id;proto_tree *ext_tree_priv_ext;proto_item *te;tvbuff_t *new_tvb;te = proto_tree_add_text(tree, tvb, offset, 1,val_to_str(GTP_EXT_PRIV_EXT, gtp_val, "Unknown message"));ext_tree_priv_ext = proto_item_add_subtree(te,
 ett_gtp_ext);offset++;length = tvb_get_ntohs(tvb, offset);proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_length, tvb,offset, 2, FALSE);offset = offset+2;if (length >= 2) {ext_id = tvb_get_ntohs(tvb, offset);proto_tree_add_uint(ext_tree_priv_ext, hf_gtp_ext_id, tvb,offset, 2, ext_id);offset = offset+2;/** XXX - is this always a text string? Or should it be* displayed as hex data?*/if (length > 2)proto_tree_add_item(ext_tree_priv_ext,hf_gtp_ext_val, tvb, offset, length-2, FALSE);switch (ext_id){case MY_MANUFACTURER_ID:new_tvb = tvb_new_subset(tvb, offset, length-2,length-2);dissect_private_ext_manufacturer_id(new_twb, pinfo,ext_tree_priv_ext)break;default:break;}}return 3+length;}BrgAnders-Ursprungligt meddelande-Från: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] För
 prashanth joshiSkickat: den 6 september 2006 22:52Till: Developer support list for WiresharkÄmne: Re: [Wireshark-dev] query regardinggtp_handlefuntionanddecoderfunction.Hi Anders,how r u...I have a query Anders.If we consider for example the following statement,proto_tree_add_item(ext_tree_priv_ext, hf_gtp_ext_val, tvb, offset+5,length-2, FALSE); So length-2 bytes of data is added in to tree ,starting from the locationnumber ofset + 5 of tvb.My query is : is it absolutely necessary to have hf_gtp_ext_as the second argument when ever we want to add an item?Can not we do away with it by having a NULL as second argument instead? ( Ifound it difficult to understand how the contents of the proto_register_gtparray are built)And what would be the limitations if we try to add an item using theproto_tree_add_text( ) instead ?regards,Prashanth"Anders Broman (AL/EAB)"
 <[EMAIL PROTECTED]>wrote:Hi,The function val_to_str(GTP_EXT_RAI, gtp_val, "Unknown message")); searches the svalue_string gtp-val for a match to GTP_EXT_RAI and if foundreturns the matching string, in this case"Routing Area Identity" if no match is found it will print "Unknownmessage". Best regardsAndersFrom: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of prashanth joshiSent: den 6 september 2006 09:25To: Developer support list for WiresharkSubject: Re: [Wireshark-dev] query regarding gtp_handlefuntionanddecoderfunction.Hi Anders, thanks.Now the things are much clearer. Now i understand why the return value fromthe decoder function is 3 + length. But yeah in    val_to_str(GTP_EXT_XXX, gtp_val, "UNKNOWN") , is the string"UNKNOWN" concatenated with GTP_EXT_XXX and returned
 ?regards,Prashanth."Anders Broman (AL/EAB)" <[EMAIL PROTECTED]>wrote:Hi,Are you trying to add something thats defined in 3GPP TS 29.060 or to dosometing for a nonstandard extension to the protocol?( 0x7F is also allready used (define GTP_EXT_CHRG_ID  0x7F)). The code:while (gtpopt[++i].optcode) if (gtpopt[i].optcode == ext_hdr_val)  break;offset = offset + (*gtpopt[i].decode)(tvb, offset, pinfo, gtp_tree); Will call the function pointed out by the Extension type (GTP_EXT_XXX) witha tvb containing the GTP message and the offset parameter pointing to theExtension type(octet 1 in the IE descriptions of TS 29.060)in the function you'll have to increase offset to pont to the byte you wantto "access".Best regardsAnders From:
 [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of prashanth joshiSent: den 5 september 2006 17:35To: Developer support list for WiresharkSubject: Re: [Wireshark-dev] query regarding gtp_handle funtionanddecoderfunction.Hi Anders, Thanks for the reply.But I'm affraid i did not put the whole thing very clearly.I should have been more specific.Actually i need to ha

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Jeff Morriss 


Andreas Fink wrote:
>>>
>>> Most frequently that's due to using FTP and not setting binary mode.
>>> Does the file's checksum change from machine to machine after copying it?
> 
> no.  iIuse scp to copy from machine to machine.

Well, you know, had to ask.  Just in case...  :-)

>> The issue here is that it doesn't appear to be an endianess issue, the
>> file header is read ok, so it is the first packet's, with the second
>> packet I see a very odd thing:
>>
>> pcapio.c writes this:
>>
>> ts_sec 7D91FF44 44FF917D
>> ts_usec 5BE20800 0008E25B
>> incl_len 5601 0156
>> orig_len 5601 0156
>>
>> wiretap's libpcap.c reads this:
>>
>> ts_sec 07010016 16000107
>> ts_usec CB05E505 05E505CB
>> incl_len 32040A00 000A0432
>> orig_len 01053304 04330501
> 
> 
> Uh. thats odd.

Yes, very!

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Portability issue of capture files.

2006-09-07 Thread Andreas Fink 
Most frequently that's due to using FTP and not setting binary mode.Does the file's checksum change from machine to machine after copying it?no.  iIuse scp to copy from machine to machine.The PCAP/Wiretap library is supposed to figure out the endianism of thehost where the file was generated automatically so normally there's noproblem with that.  (I frequently look at capture files from SPARCmachines on my Intel laptop, including with 0.99.3.)I did that too in the past. Which is not the case... I just tried to open some files with my intelbased minimac and they do not work... oddly enough capture works onlyif you are seeing packets in real-time, if instead you try to capturewithout it fails to open them.Same behaviour here. I look at them in real time usually, even over remote X connection.The issue here is that it doesn't appear to be an endianess issue, thefile header is read ok, so it is the first packet's, with the secondpacket I see a very odd thing:pcapio.c writes this:ts_sec 7D91FF44 44FF917Dts_usec 5BE20800 0008E25Bincl_len 5601 0156orig_len 5601 0156wiretap's libpcap.c reads this:ts_sec 07010016 16000107ts_usec CB05E505 05E505CBincl_len 32040A00 000A0432orig_len 01053304 04330501Uh. thats odd.So there's an issue here but it has nothing to do with endianity...neither it does with FTP which BTW i didn't use.Ok. so we spotted a real bug. is this one in libwiretap?  I don't think so as libwiretrap is the same as when I tried it before.Andreas FinkFink Consulting GmbH---Tel: +41-61-332 Fax: +41-61-331  Mobile: +41-79-2457333Address: Clarastrasse 3, 4058 Basel, SwitzerlandE-Mail:  [EMAIL PROTECTED]Homepage: http://www.finkconsulting.com---ICQ: 8239353MSN: [EMAIL PROTECTED] AIM: smsrelay Skype: andreasfinkYahoo: finkconsulting SMS: +41792457333 ___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] A plugin dissector and fragmented messages

2006-09-07 Thread Still Life 
ronnie sahlberg wrote:
> Why did they implement a hard realtime application using TCP?
> This what UDP is for.
[...]

What you said is right, in this case, if I understood well,
TCP is not used for streams but only for control messages...
Some suggestion about the dissection?

 
 
 --
 Email.it, the professional e-mail, gratis per te: http://www.email.it/f
 
 Sponsor:
 Vinci 100 giorni di Sheba: In palio tanti set di prodotti Sheba per la gioia 
del tuo gatto! 
 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=5267&d=7-9
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] question about RTP Streams - [ SPAM - Bayesian] Bayesian Filter detected spam

2006-09-07 Thread Miha Jemec 

> " looking at the
> packets you could see a delay of 100ms, which is long but
> acceptable"where in the RTP Streams window you look at the
> delay? The only parameters I see are:
>   * Src IP addr,Src port,Dest IP addr,Dest
> port,SSRC,Payload,Packets,Lost,Max Delta (ms),Max Jitter
> (ms),Mean Jitter (ms),Pb?,

Hi Angelina, 

wireshark can not measure end-to-end delay, nor the
end-to-capture_destination delay. At least not using the RTP protocol or
better said, this information is not provided inside RTP protocol.

The timestamp inside RTP header increments monotonically, that is true,
but this is the information for the receiver side, to know when a sample
should be played. This is not (absolute!) time reference.

If you take a look inside whole RTP packet you can see, there is no
other time information. Nor in the RTP header nor in the ETH/IP/UDP
headers. It means you can not know when this packet was sent on the
wire. And you can not know when the voice sample was made. And even if
this information would be there, would you trust it? How would you know
that the clock inside VoIP transmitter and your capture device are well
synchronized? Don't forget, we are talking about milliseconds here.

Of course there are procedures how to measure ONE WAY END TO END DELAY
and all include devices on both sides which are time synchronized (using
GPS clock f.e.) but using only wireshark and RTP protocol this is not
possible. 

A simple demonstration of this problem would be:

I can send you over the Internet an RTP stream from my VoIP phone or PC.
Speech coded with g.711 and 20ms packetization. Let's say, the network
will work perfectly today and no jitter will be inserted. It means you
will receive one packet every 20ms. No jitter, what about the delay?

Now, where do you come from? I'm from Europe, if you live somewhere near
me, the delay (the difference in the time between my PC will put a
packet on the link and the time you will receive this packet) will be
relatively small, let's say 50ms. What about if you come from the other
part of the world. Just because of the distance the propagation time
will increase and the delay will be higher. In both cases, if you
capture this RTP stream and analyze it, you will get exactly the same
values inside RTP stream analysis. And if I put a special device after
my phone, which will delay every packet for exact 3s before sending it
over to you, you will still get exactly the same results. And in all
three cases, there is now way for you to know, how much time a packet
needed from me to you. 

I hope this clarifies why only analyzing RTP streams can not give you
the information you want. As some already said, there are other ways how
to get it.

Regards, Miha

> Now I understand what end-to-end means, so I can calculate an average
> for maximum delay looking at the packages depending on the jitter
> buffer in order to get a delay<150ms?, would  that be a good estimate?
>  
> thanks!
> Regards,
> Andreina
> 
>  
> On 9/6/06, Jaap Keuter <[EMAIL PROTECTED]> wrote: 
> Hi,
> 
> "End-to-End" means from the speech source (mic) to the speech
> destination
> (loudspeaker). Now Wireshark can capture half way in that
> path, so it 
> cannot predict how the destination endpoint will deliver the
> speech to the
> listner. This is due to the fact that the destination endpoint
> has a
> jitter buffer which delays playout of the media stream. This
> is internal 
> to the destination endpoint and not known to Wireshark. So
> looking at the
> packets you could see a delay of 100ms, which is long but
> acceptable. But
> if the jitter buffer is another 70ms you end up with 170ms
> End-to-End 
> delay which is too long
> 
> Thanx,
> Jaap
> 
> 
> On Wed, 6 Sep 2006, Andreina Toro wrote:
> 
> > Thanks Miha for your answers, they were really helpful, I
> have a different
> > question now. You said that *"Wireshark can not calculate
> this end-to-end 
> > delay since the only information is has are the timestamps
> of the packets as
> > they were captured", *I´ve read that in the RTP Header in
> bytes 5 to 8 there
> > is the timestamp which "reflects the sampling instant of
> the* first* octet 
> > in the RTP data packet. The sampling instant must be derived
> from a clock
> > that increments monotonically and linearly in time to allow
> synchronization
> > and jitter calculations", so I don´t have clear why there is
> no way to 
> > calculate the end-to-end Delay, the timestamp you refered to
> is the same I´m
> > talking about? or we can access manually the time of
> creation of tha package
> > and wir