Re: [Wireshark-dev] SCTP association analysis & selection does not work correctly

2024-02-22 Thread Cristian Constantin via Wireshark-dev
Hi,
How can I figure out whether a fix for an issue like the one mentioned by John
above is part of a Wireshark release? And which Wireshark release is it
part of...

Thank you,
Cristian

On Sat, Dec 23, 2023 at 4:45 AM John Thacker  wrote:
>
> On Thu, Dec 7, 2023 at 3:32 AM Cristian Constantin via Wireshark-dev 
>  wrote:
>>
>> Hi Jeff,
>>
>> Yes, after enabling the respective protocol decoding option, SCTP
>> association analysis works.
>> SCTP association analysis is _quite_ slow, though. I'll check why it
>> is so slow when I have some spare time.
>
>
> If you have some time, can you see if 
> https://gitlab.com/wireshark/wireshark/-/merge_requests/13786
> works for you and if it's faster (at least the dissection part, this doesn't 
> affect the tapping)? It works
> on my samples, and it uses hashmaps instead of lists so it should be better 
> on large files.
>
> Thanks,
> John
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe


Re: [Wireshark-dev] SCTP association analysis & selection does not work correctly

2024-02-13 Thread Cristian Constantin via Wireshark-dev
Hi,

I have checked the pull request and saw that it was merged into master
one month ago...
I shall eventually compile wireshark from master and test it with
_very large_ pcaps containing lots of SCTP associations :-)
I'll let you know.

Thanks a lot,
Cristian

On Sat, Dec 23, 2023 at 4:45 AM John Thacker  wrote:
>
> On Thu, Dec 7, 2023 at 3:32 AM Cristian Constantin via Wireshark-dev 
>  wrote:
>>
>> Hi Jeff,
>>
>> Yes, after enabling the respective protocol decoding option, SCTP
>> association analysis works.
>> SCTP association analysis is _quite_ slow, though. I'll check why it
>> is so slow when I have some spare time.
>
>
> If you have some time, can you see if 
> https://gitlab.com/wireshark/wireshark/-/merge_requests/13786
> works for you and if it's faster (at least the dissection part, this doesn't 
> affect the tapping)? It works
> on my samples, and it uses hashmaps instead of lists so it should be better 
> on large files.
>
> Thanks,
> John


[Wireshark-dev] Sorting "Number of Packets" / SCTP Associations as strings ?!...

2024-02-12 Thread Cristian Constantin via Wireshark-dev
Hi,

Now, come on guys, really?? Sorting this field as strings?...

OS: Ubuntu
cco@DEU1145:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"

Wireshark version as shown by "About Wireshark":
Version 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs  and
contributors. License GPLv2+: GNU GPL version 2 or later
 This is free software; see
the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 11.2.0, with Qt 5.15.2, with libpcap, with
POSIX capabilities (Linux), with libnl 3, with GLib 2.71.2, with zlib
1.2.11, with Lua 5.2.4, with GnuTLS 3.7.3 and PKCS #11 support, with
Gcrypt 1.9.4, with MIT Kerberos, with MaxMind DB resolver, with
nghttp2 1.43.0, with brotli, with LZ4, with Zstandard, with Snappy,
with libxml2 2.9.12, with libsmi 0.4.8, with QtMultimedia, without
automatic updates, with SpeexDSP (using system library), with Minizip.

Running on Linux 6.5.0-15-generic, with 12th Gen Intel(R) Core(TM)
i7-1270P (with SSE4.2), with 31753 MB of physical memory, with GLib
2.72.4, with zlib 1.3, with Qt 5.15.3, with libpcap 1.10.1 (with
TPACKET_V3), with c-ares 1.18.1, with GnuTLS 3.7.3, with Gcrypt 1.9.4,
with nghttp2 1.43.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard
1.4.8, with libsmi 0.4.8, with light display mode, without HiDPI, with
LC_TYPE=en_US.UTF-8, binary plugins supported (19 loaded).

Wireshark is Open Source Software released under the GNU General Public License.

Thanks,
Cristian Constantin


Re: [Wireshark-dev] SCTP association analysis & selection does not work correctly

2023-12-07 Thread Cristian Constantin via Wireshark-dev
Hi Jeff,

Yes, after enabling the respective protocol decoding option, SCTP
association analysis works.
SCTP association analysis is _quite_ slow, though. I'll check why it
is so slow when I have some spare time.

Thanks,
Cristian

On Wed, Dec 6, 2023 at 7:56 PM Jeff Morriss  wrote:
>
>
>
> On Wed, Dec 6, 2023 at 12:15 PM Cristian Constantin via Wireshark-dev 
>  wrote:
>>
>> Hi,
>>
>> I am trying to look at all SCTP associations (lots of them) in a pcap.
>> However, none of the "Analyse/SCTP/..." menu options work correctly.
>> It shows only _one_ association whereas there are many in the pcap.
>>
>> Please see the attached screenshot of "Analyse/SCTP/Show All...".
>> What happened? This used to work perfectly...
>
>
> You may (I'm not sure) need to enable Association Indexing (in the SCTP 
> protocol preferences).  This used to be the default behavior but it was made 
> optional for performance reasons.


[Wireshark-dev] SCTP association analysis & selection does not work correctly

2023-12-06 Thread Cristian Constantin via Wireshark-dev
Hi,

I am trying to look at all SCTP associations (lots of them) in a pcap.
However, none of the "Analyse/SCTP/..." menu options work correctly.
It shows only _one_ association whereas there are many in the pcap.

Please see the attached screenshot of "Analyse/SCTP/Show All...".
What happened? This used to work perfectly...
Wireshark version as reported by the GUI:

3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Compiled (64-bit) using GCC 11.2.0, with Qt 5.15.2, with libpcap, with POSIX
capabilities (Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua
5.2.4, with GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.12, with libsmi 0.4.8, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with Minizip.

Running on Linux 6.2.0-36-generic, with 12th Gen Intel(R) Core(TM) i7-1270P
(with SSE4.2), with 31754 MB of physical memory, with GLib 2.72.4, with zlib
1.2.11, with Qt 5.15.3, with libpcap 1.10.1 (with TPACKET_V3), with c-ares
1.18.1, with GnuTLS 3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli
1.0.9, with LZ4 1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with light
display mode, without HiDPI, with LC_TYPE=en_US.UTF-8, binary plugins supported
(19 loaded).

Thank you,
Cristian


Re: [Wireshark-dev] Crash in RDP/EGFX dissector

2023-01-13 Thread Cristian Constantin via Wireshark-dev
Hi Uli,


> > 1. Is this issue known? I tried to look it up on gitlab but I did not
> > find anything relevant. Should I file an issue on gitlab?
>
> Yes, please open a new issue for this using the bug template. Please attach a 
> sample capture to reproduce the bug.

The biggest problem with the capture is that it contains credentials
used to log on to the server, and I cannot filter out the EGFX traffic
because Wireshark crashes (90% of the time)... Let me see what I can
do.

Thanks,
Cristian


[Wireshark-dev] Crash in RDP/EGFX dissector

2023-01-13 Thread Cristian Constantin via Wireshark-dev
Hi!

Wireshark crashes while decoding relatively large (~20 MBytes)
captures with RDP traffic.

Here is what the stack trace looks like (only frames 0-26, since there
are 90 frames in the core dump):

(gdb) bt
#0  __memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:880
#1  0x7f3f7b0061c7 in memcpy (__len=74141568, __src=, __dest=)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2  zgfx_write_from_history (count=293605376, distance=, zgfx=0x5638bbfd2060)
at ./epan/tvbuff_rdp.c:311
#3  rdp8_decompress_segment (zgfx=zgfx@entry=0x5638bbfd2060,
tvb=)
at ./epan/tvbuff_rdp.c:441
#4  0x7f3f7b006657 in rdp8_decompress
(zgfx=0x5638bbfd2060, allocator=0x5638b94b9450,
tvb=tvb@entry=0x5638c20a2d80, offset=1,
offset@entry=0) at ./epan/tvbuff_rdp.c:478
#5  0x7f3f7b882cdf in dissect_rdp_egfx
(tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
parent_tree=0x7f3f68011470, data=)
at ./epan/dissectors/packet-rdp_egfx.c:385
#6  0x7f3f7afb5558 in call_dissector_through_handle
(handle=handle@entry=0x5638ba6133a0, tvb=tvb@entry=0x5638c20a2d80,
pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eac00,
data=data@entry=0x0) at ./epan/packet.c:757
#7  0x7f3f7afb642d in call_dissector_work
(handle=0x5638ba6133a0, tvb=0x5638c20a2d80,
pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eac00, add_proto_name=1,
data=0x0) at ./epan/packet.c:850
#8  0x7f3f7afb8887 in call_dissector_with_data
(handle=, tvb=0x5638c20a2d80, pinfo=0x7ffc1d3a9788,
tree=0x5638c08eac00, data=) at ./epan/packet.c:3283
#9  0x7f3f7b8822cc in dissect_rdp_drdynvc
(tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788, parent_tree=, data=)
at ./epan/dissectors/packet-rdp_drdynvc.c:438
#10 0x7f3f7afb5558 in call_dissector_through_handle
(handle=handle@entry=0x5638ba613340, tvb=tvb@entry=0x5638c2013ca0,
pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x5638c08eab20,
data=data@entry=0x0) at ./epan/packet.c:757
#11 0x7f3f7afb642d in call_dissector_work
(handle=0x5638ba613340, tvb=0x5638c2013ca0,
pinfo_arg=0x7ffc1d3a9788, tree=0x5638c08eab20, add_proto_name=1,
data=0x0) at ./epan/packet.c:850
#12 0x7f3f7afb8887 in call_dissector_with_data
(handle=, tvb=0x5638c2013ca0, pinfo=0x7ffc1d3a9788,
tree=0x5638c08eab20, data=) at ./epan/packet.c:3283
#13 0x7f3f7b87ed63 in dissect_rdp_channelPDU
(tree=0x5638c08eab20, pinfo=, offset=, tvb=0x5638c1ef3e80)
at ./epan/dissectors/packet-rdp.c:1399
#14 dissect_rdp_SendData
(tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x5638c08eab20,
data=)
at ./epan/dissectors/packet-rdp.c:2162
#15 0x7f3f7afb5558 in call_dissector_through_handle
(handle=handle@entry=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
pinfo=pinfo@entry=0x7ffc1d3a9788, tree=tree@entry=0x7f3f68011470,
data=data@entry=0x0) at ./epan/packet.c:757
#16 0x7f3f7afb642d in call_dissector_work
(handle=0x5638bbd83110, tvb=tvb@entry=0x5638c1ef3e80,
pinfo_arg=pinfo_arg@entry=0x7ffc1d3a9788,
tree=tree@entry=0x7f3f68011470, add_proto_name=add_proto_name@entry=1,
data=data@entry=0x0)
at ./epan/packet.c:850
#17 0x7f3f7afb6fc2 in dissector_try_uint_new
(sub_dissectors=, uint_val=1007,
tvb=0x5638c1ef3e80, pinfo=0x7ffc1d3a9788, tree=0x7f3f68011470,
add_proto_name=add_proto_name@entry=1, data=0x0) at
./epan/packet.c:1450
#18 0x7f3f7afb7035 in dissector_try_uint
(sub_dissectors=, uint_val=,
tvb=, pinfo=, tree=) at
./epan/packet.c:1474
#19 0x7f3f7bfb3bfa in dissect_t124_T_userData_01
(tvb=, offset=6616, actx=0x7ffc1d3a7920,
tree=, hf_index=) at
./asn1/t124/t124.cnf:187
#20 0x7f3f7b80b792 in dissect_per_sequence
(tvb=0x5638c1f76f70, offset=44, actx=0x7ffc1d3a7920,
parent_tree=, hf_index=,
ett_index=, sequence=0x7f3f7decb5a0
)
at ./epan/dissectors/packet-per.c:1925
#21 0x7f3f7bfb2c4c in dissect_t124_SendDataIndication
(tvb=, offset=, actx=, tree=, hf_index=) at
./asn1/t124/t124.cnf:208
#22 0x7f3f7b80b394 in dissect_per_choice
(tvb=tvb@entry=0x5638c1f76f70, offset=6,
offset@entry=0, actx=actx@entry=0x7ffc1d3a7920,
tree=tree@entry=0x5638c08ea8b0, hf_index=188090, ett_index=49148,
choice=0x7f3f7deca660 , value=0x7ffc1d3a791c)
at ./epan/dissectors/packet-per.c:1768
#23 0x7f3f7bfb4570 in dissect_t124_DomainMCSPDU
(offset=0, hf_index=, tree=0x5638c08ea8b0,
actx=0x7ffc1d3a7920, tvb=0x5638c1f76f70)
at ./asn1/t124/t124.cnf:195
#24 dissect_DomainMCSPDU_PDU
(tvb=tvb@entry=0x5638c1f76f70, pinfo=pinfo@entry=0x7ffc1d3a9788,
tree=tree@entry=0x5638c08ea8b0)
at ./asn1/t124/packet-t124-template.c:102
#25 0x7f3f7bfb4b71 in dissect_t125
(tvb=tvb@entry=0x5638c1f76f70, pinfo=pinfo@entry=0x7ffc1d3a9788,
parent_tree=parent_tree@entry=0x7f3f68011470, data=data@entry=0x0) at
./asn1/t125/packet-t125-template.c:78
#26 0x7f3f7bfb4dcc in dissect_t125_heur

Details about frames 2, 3:

(gdb) f 2
#2  zgfx_write_from_history
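As an added example (not Wireshark's code, and not the real zgfx implementation), here is a bounds-checked version of the LZ-style "copy from history" step that frame #2 above performs: a distance reaching past the decoded data and a count larger than the space left in the output are rejected before any byte moves, so a count like the 293605376 in the trace never reaches memcpy. The struct, function names, 16-byte ring and seed data are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed illustration of an LZ-style "copy from history" step, the
 * operation the trace shows in zgfx_write_from_history. Not Wireshark's code:
 * the struct, names and sizes are assumptions made for this example. */
typedef struct {
    uint8_t *ring;  /* ring buffer of previously decoded bytes */
    size_t   size;  /* capacity of the ring */
    size_t   pos;   /* next write position */
    size_t   fill;  /* valid bytes currently in the ring (<= size) */
} history_t;

typedef enum { COPY_OK, COPY_BAD_DISTANCE, COPY_BAD_COUNT } copy_status;

/* Emit `count` bytes found `distance` bytes behind the write position. Both
 * guards run before any byte moves: a distance past the decoded data would
 * read stale ring contents, and a count larger than the space left in `out`
 * is a malformed segment (the trace shows count=293605376 reaching memcpy).
 * Overlapping copies (distance < count) repeat the pattern byte by byte. */
copy_status copy_from_history(history_t *h, size_t distance, size_t count,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (distance == 0 || distance > h->fill)
        return COPY_BAD_DISTANCE;
    if (*out_len > out_cap || count > out_cap - *out_len)
        return COPY_BAD_COUNT;
    for (size_t i = 0; i < count; i++) {
        uint8_t b = h->ring[(h->pos + h->size - distance) % h->size];
        out[(*out_len)++] = b;
        h->ring[h->pos] = b;
        h->pos = (h->pos + 1) % h->size;
        if (h->fill < h->size) h->fill++;
    }
    return COPY_OK;
}

/* Self-check on constructed input: with "abc" decoded, a 6-byte copy at
 * distance 3 must yield "abcabc"; the report's count and a distance past the
 * decoded data must be rejected. Returns 1 on success. */
int demo_copy_checks(void)
{
    uint8_t ring[16] = {0}, out[64];
    memcpy(ring, "abc", 3);                      /* seed: 3 literals decoded */
    history_t h = { ring, sizeof ring, 3, 3 };
    size_t out_len = 0;
    if (copy_from_history(&h, 3, 6, out, sizeof out, &out_len) != COPY_OK) return 0;
    if (out_len != 6 || memcmp(out, "abcabc", 6) != 0) return 0;
    if (copy_from_history(&h, 1, 293605376u, out, sizeof out, &out_len) != COPY_BAD_COUNT) return 0;
    return copy_from_history(&h, 10, 1, out, sizeof out, &out_len) == COPY_BAD_DISTANCE;
}
```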