- Bug Fixes
The following vulnerabilities have been fixed.
o wnpa-sec-2012-01
Laurent Butti discovered that Wireshark failed to properly
check record sizes for many packet capture file formats. (Bug
6663, bug 6666, bug 6667, bug 6668, bug 6669, bug 6670)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
o wnpa-sec-2012-02
Wireshark could dereference a NULL pointer and crash. (Bug
6634)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
o wnpa-sec-2012-03
The RLC dissector could overflow a buffer. (Bug 6391)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
The following bugs have been fixed:
o "Closing File!" Dialog Hangs. (Bug 3046)
o Sub-fields of data field should appear in exported PDML as
children of the data field instead of as siblings to it. (Bug
3809)
o Incorrect time differences displayed with time reference set.
(Bug 5580)
o Wrong packet type association of SNMP trap after TFTP
transfer. (Bug 5727)
o SSL/TLS decryption needs wireshark to be rebooted. (Bug 6032)
o Export HTTP Objects -> save all crashes Wireshark. (Bug 6250)
o Wireshark Netflow dissector complains there is no template
found though the template is exported. (Bug 6325)
o DCERPC EPM tower UUID must be interpreted always as little
endian. (Bug 6368)
o Crash if no recent files. (Bug 6549)
o IPv6 frame containing routing header with 0 segments left
calculates wrong UDP checksum. (Bug 6560)
o IPv4 UDP/TCP Checksum incorrect if routing header present.
(Bug 6561)
o Incorrect Parsing of SCPS Capabilities Option introduced in
response to bug 6194. (Bug 6562)
o Various crashes after loading NetMon2.x capture file. (Bug
6578)
o Fixed compilation of dumpcap on some systems (when
MUST_DO_SELECT is defined). (Bug 6614)
o SIGSEGV in SVN 40046. (Bug 6634)
o Wireshark dissects TCP option 25 as an "April 1" option. (Bug
6643)
o ZigBee ZCL Dissector reports invalid status. (Bug 6649)
o ICMPv6 DNSSL option malformed on padding. (Bug 6660)
o Wrong tvb_get_bits function call in packet-csn1.c. (Bug 6708)
o [UDP] - Length Field of Pseudo Header while computing CheckSum
is not correct. (Bug 6711)
o pcapio.c: bug in libpcap_write_interface_description_block.
(Bug 6719)
o Memory leaks in various dissectors.
o Bytes highlighted in wrong Byte pane when field selected in
Details pane.
- Updated Protocol Support
BGP, BMC CSN1, DCERPC EPM, DCP(ETSI) DMP DTLS GSM Management, H245
HPTEAM, ICMPv6, IEEE 802.15.4 IPSEC IPv4, IPv6, ISAKMP KERBEROS
LDSS NFS RLC, RPC-NETLOGON RRC RTMPT SIGCOMP SSL SYSLOG TCP, UDP,
XML ZigBee ZCL
- New and Updated Capture File Support
Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network
Monitor, Novell LANalyzer, PacketLogger, Pcap-ng, Sniffer,
Tektronix K12, WildPackets {Airo,Ether}Peek.
- Bug Fixes
o Patch to fix memory leaks/errors in Lua plugin. (Bug 5575)
o Wireshark crashes if a field of type BASE_CUSTOM is applied as
a column. (Bug 6503)
o Filter Expression dialog can only be opened once. (Bug 6537)
o Wireshark crashes if compiled without GLib thread support.
(Bug 6540)
o 80211 QoS Control: Add Raw TID. (Bug 6548)
o SNMP length check error. (Bug 6564)
o UCP dissector bug of operation 61. (Bug 6570)
- The following vulnerabilities have been fixed.
o wnpa-sec-2011-17
The CSN.1 dissector could crash. (Bug 6351)
Versions affected: 1.6.0 to 1.6.2.
o wnpa-sec-2011-18
Huzaifa Sidhpurwala of Red Hat Security Response Team
discovered that the Infiniband dissector could dereference a
NULL pointer. (Bug 6476)
Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
o wnpa-sec-2011-19
Huzaifa Sidhpurwala of Red Hat Security Response Team
discovered a buffer overflow in the ERF file reader. (Bug
6479)
Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
- The following bugs have been fixed:
o Assertion failed when doing File->Quit->Save during live
capture. (Bug 1710)
o Wrong PCEP XRO sub-object decoding. (Bug 3778)
o Wireshark window takes very long time to show up if invalid
network file path is at recent file list (Bug 3810)
o Decoding [Status Records] Timestamp Sequence Field in Bundle
Protocol fails if over 32 bits. (Bug 4109)
o ISUP party number dissection. (Bug 5221)
o wireshark-1.4.2 crashes when testing the example python
dissector because of a dissector count assertion. (Bug 5431)
o Ethernet packets with both VLAN tag and LLC header no longer
displayed correctly. (Bug 5645)
o SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
o Wireshark crashes when attempting to open a file via drag &
drop when there's already a file open. (Bug 5987)
o Adding and removing custom HTTP headers requires a restart.
(Bug 6241)
o Can't read full 64-bit SNMP values. (Bug 6295)
o Dissection fails for frames with Gigamon Header and VLAN. (Bug
6305)
o RTP Stream Analysis does not work for TURN-encapsulated RTP.
(Bug 6322)
o packet-csn1.c doesn't process CSN_CHOICE entries properly.
(Bug 6328)
o BACnet property time-synchronization-interval (204) name shown
incorrectly as time-synchronization-recipients. (Bug 6336)
o GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
o [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
o ICMPv6 router advertisement Prefix Information Flag R "Router
Address" missing. (Bug 6350)
o Export -> Object -> HTTP -> save all: Error on saving files.
(Bug 6362)
o Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
o Added cursor type decoding to MySQL dissector. (Bug 6396)
o Incorrect identification of UDP-encapsulated NAT-keepalive
packets. (Bug 6414)
o WPA IE pairwise cipher suite dissector uses incorrect
value_string list. (Bug 6420)
o S1AP protocol can't decode IPv6 transportLayerAddress. (Bug
6435)
o RTPS2 dissector doesn't handle 0 in the octestToNextHeader
field. (Bug 6449)
o packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
o Network Instruments Observer file format bugs. (Bug 6453)
o Wireshark crashes when using "Open Recent" 2 times in a row.
(Bug 6457)
o Wireshark packet_gsm-sms, display bug: Filler bits in TP-User
Data Header. (Bug 6469)
o wireshark unable to decode NetFlow options which have system
scope size != 4 bytes. (Bug 6471)
o Display filter Expression Dialog Box Error. (Bug 6472)
o text_import_scanner.l missing. (Bug 6531)
- Updated Protocol Support
AJP13, ASN.1 PER, BACnet, CSN.1, DTN, Ethernet, ICMPv6, IEEE
802.11, IEEE 802.1q, Infiniband, IPsec, MySQL, PCEP, PN-RT, RTP,
S1AP, SSL
- New and Updated Capture File Support
Endace ERF.
* Bug Fixes
o wnpa-sec-2011-12
A large loop in the OpenSafety dissector could cause a crash.
o wnpa-sec-2011-13
A malformed IKE packet could consume excessive resources.
o wnpa-sec-2011-14
A malformed capture file could result in an invalid root tvbuff and cause a crash.
o wnpa-sec-2011-15
Wireshark could run arbitrary Lua scripts.
o wnpa-sec-2011-16
The CSN.1 dissector could crash.
The major changes since version 1.4.* are:
- Wireshark is now distributed as an installation package rather
than a drag-installer on OS X. The installer adds a startup
item that should make it easier to capture packets.
- Large file (greater than 2 GB) support has been improved.
- Wireshark and TShark can import text dumps, similar to
text2pcap.
- You can now view Wireshark's dissector tables (for example the
TCP port to dissector mappings) from the main window.
- Wireshark can export SSL session keys via File→Export→SSL
Session Keys...
- TShark can show a specific occurrence of a field when using
'-T fields'.
- Custom columns can show a specific occurrence of a field.
- You can hide columns in the packet list.
- Wireshark can now export SMB objects.
- dftest and randpkt now have manual pages.
- TShark can now display iSCSI, ICMP and ICMPv6 service response
times.
- Dumpcap can now save files with a user-specified group id.
- Syntax checking is done for capture filters.
- You can display the compiled BPF code for capture filters in
the Capture Options dialog.
- You can now navigate backwards and forwards through TCP and
UDP sessions using Ctrl+, and Ctrl+. .
- Packet length is (finally) a default column.
- TCP window size is now avaiable both scaled and unscaled. A
TCP window scaling graph is available in the GUI.
- 802.1q VLAN tags are now shown in the Ethernet II protocol
tree instead of a separate tree.
- Various dissectors now display some UTF-16 strings as proper
Unicode including the DCE/RPC and SMB dissectors.
- The RTP player now has an option to show the time of day in
the graph in addition to the seconds since beginning of
capture.
- The RTP player now shows why media interruptions occur.
- Graphs now save as PNG images by default.
- TShark can read and write host name information from and to
pcapng-formatted files. Wireshark can read it. TShark can dump
host name information via
[-z hosts]
.
- TShark's -z option now uses the
[-z <proto>,srt]
syntax instead of
[-z <proto>,rtt]
for all protocols that support service response time
statistics. This matches Wireshark's syntax for this option.
- Wireshark and TShark can now read compressed Windows Sniffer
files.
- New Protocol Support
ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing
Protocol, Broadcast/Multicast Control, Constrained Application
Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol,
Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB),
Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol
(SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet,
MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol,
MUX27010, Network Monitor 802.11 radio header, OPC UA
ExtensionObjects, openSAFETY, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD
Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP,
SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport
Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
- New and Updated Capture File Support
Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP
OpenVMS TCPTrace, IPFIX (the file format, not the protocol),
Lucent/Ascend debug, Microsoft Network Monitor, Network
Instruments, TamoSoft CommView
- Bug Fixes
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o The Lucent/Ascend file parser was susceptible to an infinite
loop.
Versions affected: 1.2.0 to 1.2.17, 1.4.0 to 1.4.7, and 1.6.0.
CVE-2011-2597
o The ANSI MAP dissector was susceptible to an infinite loop.
(Bug 6044)
Versions affected: 1.4.0 to 1.4.7, and 1.6.0.
CVE-2011-????
- The following bugs have been fixed:
o TCP dissector doesn't decode TCP segments of length 1. (Bug
4716)
o Wireshark 1.4.0rc1 and python - spurious message. (Bug 4878)
o Missing LUA function. (Bug 5006)
o Lua API description about creating a new Tvb from a bytearray
is not correct in wireshark's user guide. (Bug 5199)
o sflow decode error for some extended formats. (Bug 5379)
o White space in protocol field abbreviation causes runtime
failure while registering Lua dissector. (Bug 5569)
o "File not found" box uses wrong filename encoding. (Bug 5715)
o capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too
many. (Bug 5803)
o Wireshark crashes if Lua contains "Pref.range()" with missing
arguments. (Bug 5895)
o The "range" field in Lua's "Pref.range()" serves as default
while the "default" field does nothing. (Bug 5896)
o Wireshark crashes when calling TreeItem:set_len() on TreeItem
without tvb. (Bug 5941)
o TvbRange_string(lua_State* L) call a wrong function. (Bug
5960)
o VoIP call flow graph displays BICC APM as a BICC ANM. (Bug
5966)
o H323 rate multiplier wrong. (Bug 6009)
o tshark crashes when loading Lua script that contains GUI
function. (Bug 6018)
o 802.11 Disassociation Packet's "Reason Code" field is
imprecisely decoded/described. (Bug 6022)
o Wireshark crashes when setting custom column's field name with
conditional. (Bug 6028)
o GTS Descriptor count limited to 3 instead of 7. (Bug 6055)
o The SSL dissector can not resemble correctly the frames after
TCP zero window probe packet. (Bug 6059)
o Packet parser takes too long for this trace. (Bug 6073)
o 802.11 Association Response Packet's "Status Code" field is
imprecisely decoded/described. (Bug 6093)
o Wireshark 1.6.0 and Python support: installer fails to create
the wspy_dissectors subdirectory and . (Bug 6110)
o Wireshark crash during RTP stream analysis. (Bug 6120)
o Tshark custom columns: Why don't I get an error message? (Bug
6131)
- Updated Protocol Support
ANSI MAP, GIOP, H.323, IEEE 802.11, MSRP, RPCAP, sFlow, TCP,
- New and Updated Capture File Support
Lucent/Ascend.
- Bug Fixes
The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o Large/infinite loop in the DICOM dissector. (Bug 5876)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
o Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that a corrupted Diameter dictionary file could
crash Wireshark.
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
o Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that a corrupted snoop file could crash Wireshark.
(Bug 5912)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
o David Maciejak of Fortinet's FortiGuard Labs discovered that
malformed compressed capture data could crash Wireshark. (Bug
5908)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
o Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that a corrupted Visual Networks file could crash
Wireshark. (Bug 5934)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
- The following bugs have been fixed:
o AIM dissector has some endian issues. (Bug 5464)
o Telephony→MTP3→MSUS doesn't display window. (Bug 5605)
o Support for MS NetMon 3.x traces containing raw IPv6 ("Type
7") packets. (Bug 5817)
o Service Indicator in M3UA protocol data. (Bug 5834)
o IEC60870-5-104 protocol, incorrect decoding of timestamp type
CP56Time2a. (Bug 5889)
o DNP3 dissector incorrect constants AL_OBJ_FCTR_16NF
_FDCTR_32NF _FDCTR_16NF. (Bug 5920)
o 3GPP QoS: Traffic class is not decoded properly. (Bug 5928)
o Wireshark crashes when creating ProtoField.framenum in Lua.
(Bug 5930)
o Fix a wrong mask to extract FMID from DECT packets dissector.
(Bug 5947)
o Incorrect DHCPv6 remote identifier option parsing. (Bug 5962)
- Updated Protocol Support
DICOM, IEC104, M3UA, TCP,
- New and Updated Capture File Support
Network Monitor.
- Bug Fixes
The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o The NFS dissector could crash on Windows. (Bug 5209)
Versions affected: 1.4.0 to 1.4.4.
o The X.509if dissector could crash. (Bug 5754, Bug 5793)
Versions affected: 1.2.0 to 1.2.15 and 1.4.0 to 1.4.4.
o Paul Makowski from SEI/CERT discovered that the DECT dissector
could overflow a buffer. He verified that this could allow
remote code execution on many platforms.
Versions affected: 1.4.0 to 1.4.4.
The following bugs have been fixed:
o Export HTTP > All - System Appears Hung (but isn't). (Bug 1671)
o Some HTTP responses don't decode with TCP reassembly on. (Bug 3785)
o Wireshark crashes when cancelling a large sort operation. (Bug 5189)
o Wireshark crashes if SSL preferences RSA key is actually a DSA key.
(Bug 5662)
o tshark incorrectly calculates TCP stream for some syn packets.
(Bug 5743)
o Wireshark not able to decode the PPP frame in a sflow
(RFC3176) flow sample packet because Wireshark incorrectly
read the protocol in PPP frame header. (Bug 5746)
o Mysql protocol dissector: all fields should be little endian.
(Bug 5759)
o Error when opening snoop from Juniper SSG-140. (Bug 5762)
o svnversion: command not found. (Bug 5798)
o capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too
many. (Bug 5803)
o Value of TCP segment data cannot be copied. (Bug 5811)
o proto_field_is_referenced() is not exported in
libwireshark.dll. (Bug 5816)
o Wireshark ver. 1.4.4 not displayed "Granted QoS" field in a
A11 packet. (Bug 5822)
- Updated Protocol Support
HTTP, LDAP, MySQL, NFS, sFlow, SSL, TCP
- Bug Fixes
The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that Wireshark could free an uninitialized pointer
while reading a malformed pcap-ng file. (Bug 5652)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0538
o Huzaifa Sidhpurwala of the Red Hat Security Response Team
discovered that a large packet length in a pcap-ng file could
crash Wireshark. (Bug 5661)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
o Wireshark could overflow a buffer while reading a Nokia DCT3
trace file. (Bug 5661)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0713
o Paul Makowski working for SEI/CERT discovered that Wireshark
on 32 bit systems could crash while reading a malformed
6LoWPAN packet. (Bug 5661)
Versions affected: 1.4.0 to 1.4.3.
o joernchen of Phenoelit discovered that the LDAP and SMB
dissectors could overflow the stack. (Bug 5717)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior
versions including 1.0.x are also affected.)
o Xiaopeng Zhang of Fortinet's Fortiguard Labs discovered that
large LDAP Filter strings can consume excessive amounts of
memory. (Bug 5732)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior
versions including 1.0.x are also affected.)
The following bugs have been fixed:
o A TCP stream would not always be recognized as the same
stream. (Bug 2907)
o Wireshark Crashing by pressing 2 Buttons. (Bug 4645)
o A crash can occur in the NTLMSSP dissector. (Bug 5157)
o The column texts from a Lua dissector could be mangled. (Bug
5326) (Bug 5630)
o Corrections to ANSI MAP ASN.1 specifications. (Bug 5584)
o When searching in packet bytes, the field and bytes are not
immediately shown. (Bug 5585)
o Malformed Packet: ULP reported when dissecting ULP SessionID
PDU. (Bug 5593)
o Wrong IEI in container of decode_gtp_mm_cntxt. (Bug 5598)
o Display filter does not work for expressions of type BASE_DEC,
BASE_DEC_HEX and BASE_HEX_DEC. (Bug 5606)
o NTLMSSP dissector may fail to compile due to space embedded in
C comment delimiters. (Bug 5614)
o Allow for name resolution of link-scope and multicast IPv6
addresses from local host file. (Bug 5615)
o DHCPv6 dissector formats DUID_LLT time incorrectly. (Bug 5627)
o Allow for IEEE 802.3bc-2009 style PoE TLVs. (Bug 5639)
o Various fixes to the HIP packet dissector. (Bug 5646)
o Display "Day of Year" for January 1 as 1, not 0. (Bug 5653)
o Accommodate the CMake build on Ubuntu 10.10. (Bug 5665)
o E.212 MCC 260 Poland update according to local national
regulatory. (Bug 5668)
o IPP on ports other than 631 not recognized. (Bug 5677)
o Potential access violation when writing to LANalyzer files.
(Bug 5698)
o IEEE 802.15.4 Superframe Specification - Final CAP Slot always
0. (Bug 5700)
o Peer SRC and DST AS numbers are swapped for cflow. (Bug 5702)
o dumpcap: -q option behavior doesn't match documentation. (Bug
5716)
- Updated Protocol Support
ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM
Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow,
NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP
- New and Updated Capture File Support
LANalyzer, Nokia DCT3, Pcap-ng
- Bug Fixes
The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
- FRAsse discovered that the MAC-LTE dissector could overflow a
buffer. (Bug 5530)
Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
- FRAsse discovered that the ENTTEC dissector could overflow a
buffer. (Bug 5539)
Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
CVE-2010-4538
- The ASN.1 BER dissector could assert and make Wireshark exit
prematurely. (Bug 5537)
Versions affected: 1.4.0 to 1.4.2.
The following bugs have been fixed:
- AMQP failed assertion. (Bug 4048)
- Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
- Fuzz testing reports possible dissector bug: TCP. (Bug 4211)
- Wrong length calculation in new_octet_aligned_subset_bits()
(PER dissector). (Bug 5393)
- Function dissect_per_bit_string_display might read more bytes
than available (PER dissector). (Bug 5394)
- Cannot load wpcap.dll & packet.dll from Wireshark program
directory. (Bug 5420)
- Wireshark crashes with Copy -> Description on date/time
fields. (Bug 5421)
- DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426)
- Information element Error for supported channels. (Bug 5430)
- Assert when using ASN.1 dissector with loading a 'type table'.
(Bug 5447)
- Bug with RWH parsing in Infiniband dissector. (Bug 5444)
- Help->About Wireshark mis-reports OS. (Bug 5453)
- Delegated-IPv6-Prefix(123) is shown incorrect as
X-Ascend-Call-Attempt-Limit(123). (Bug 5455)
- "tshark -r file -T fields" is truncating exported data. (Bug 5463)
- gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet
Flow Identifier. (Bug 5475)
- Improper decode of TLS 1.2 packet containing both
CertificateRequest and ServerHelloDone messages. (Bug 5485)
- LTE-PDCP UL and DL problem. (Bug 5505)
- CIGI 3.2/3.3 support broken. (Bug 5510)
- Prepare Filter in RTP Streams dialog does not work correctly.
(Bug 5513)
- Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517)
- WPS: RF bands decryption. (Bug 5523)
- Incorrect LTP SDNV value handling. (Bug 5521)
- LTP bug found by randpkt. (Bug 5323)
- Buffer overflow in SNMP EngineID preferences. (Bug 5530)
- Updated Protocol Support
AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC,
GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T,
RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS
- New and Updated Capture File Support
Endace ERF, Microsoft Network Monitor, VMS TCPtrace.
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
- Nephi Johnson of BreakingPoint discovered that the LDSS
dissector could overflow a buffer. (Bug 5318)
Versions affected: 1.2.0 to 1.2.12 and 1.4.0 to 1.4.1.
- The ZigBee ZCL dissector could go into an infinite loop. (Bug 5303)
Versions affected: 1.4.0 to 1.4.1.
- The following bugs have been fixed:
- File-Open Display Filter is overwritten by Save-As Filename. (Bug 3894)
- Wireshark crashes with "Gtk-ERROR **: Byte index 6 is off the
end of the line" if click on last PDU. (Bug 5285)
- GTK-ERROR can occur in packets when there are multiple
Netbios/SMB headers in a single frame. (Bug 5289)
- "Tshark -G values" crashes on Windows. (Bug 5296)
- PROFINET I&M0FilterData packet not fully decoded. (Bug 5299)
- PROFINET MRP linkup/linkdown decoding incorrect. (Bug 5300)
- [lua] Dumper:close() will cause a segfault due later GC of the
Dumper. (Bug 5320)
- Network Instruments' trace files sometimes cannot be read with
an error message of "Observer: bad record: Invalid magic
number". (Bug 5330)
- IO Graph Time of Day times incorrect for filtered data. (Bug
5340)
- Wireshark tools do not detect and read some ERF files
correctly. (Bug 5344)
- "editcap -h" sends some lines to stderr and others to stdout.
(Bug 5353)
- IP Timestamp Option: "flag=3" variant (prespecified) not
displayed correctly. (Bug 5357)
- AgentX PDU Header 'hex field highlighting' incorrectly spans
extra bytes. (Bug 5364)
- AgentX dissector cannot handle null OID in Open-PDU. (Bug
5368)
- Crash with "Gtk-ERROR **: Byte index 6 is off the end of the
line". (Bug 5374)
- ANCP Portmanagment TLV wrong decoded. (Bug 5388)
- Crash during startup because of Python SyntaxError in
wspy_libws.py. (Bug 5389)
- Updated Protocol Support
AgentX, ANCP, DIAMETER, HTTP, IP, LDSS, MIME, NBNS, PROFINET, SIP,
TCP, Telnet, ZigBee
- New and Updated Capture File Support
Endace ERF, Network Instruments Observer.
- Bug Fixes
The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o The Penetration Test Team of NCNIPC (China) discovered that
the ASN.1 BER dissector was susceptible to a stack overflow.
(Bug 5230)
[A patch for this bug was already in version 1.4.0 in "pkgsrc".]
- The following bugs have been fixed:
o Incorrect behavior using sorting in the packet list. (Bug
2225)
o Cooked-capture dissector should omit the source address field
if empty. (Bug 2519)
o MySQL dissector doesn't dissect MySQL stream. (Bug 2691)
o Wireshark crashes if active display filter macro is renamed.
(Bug 5002)
o Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
o TCP bytes_in_flight becomes inflated with lost packets. (Bug
5132)
o GTP header is exported in PDML with an incorrect size. (Bug
5162)
o Packet list hidden columns will not be parsed correctly from
preferences file. (Bug 5163)
o Wireshark does not display the t.38 graph. (Bug 5165)
o Wireshark don't show mgcp calls in "Telephony → VoIP calls".
(Bug 5167)
o Wireshark 1.4.0 & VoIP calls "Prepare Filter" problem. (Bug
5172)
o GTPv2: IMSI is decoded improperly. (Bug 5179)
o [NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug
5186)
o Wireshark mistakenly writes "not all data available" for IPv4
checksum. (Bug 5194)
o GSM: Cell Channel Description, range 1024 format. (Bug 5214)
o Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
o The CLDAP attribute value on a CLDAP reply is no longer being
decoded. (Bug 5239)
o [NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
o [NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug
5246)
o NTLMSSP_AUTH domain and username truncated to first letter
with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
o IPv6 RH0: dest addr is to be used i.s.o. last RH address when
0 segments remain. (Bug 5252)
o EIGRP dissection error in Flags field in external route TLVs.
(Bug 5261)
o MRP packet is not correctly parsed in PROFINET multiple write
record request. (Bug 5267)
o MySQL Enhancement: support of Show Fields and bug fix. (Bug
5271)
o [NAS EPS] Fix TFT decoding when having several Packet Filters
defined. (Bug 5274)
o Crash if using ssl.debug.file with no password for
ssl.keys_list. (Bug 5277)
- Updated Protocol Support
ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP,
GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL,
NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP
Approved by Alistair Crooks.
- The following bugs have been fixed:
- Update time display in background. (Bug 1275)
- Tshark returns 0 even with an invalid interface or capture
filter. (Bug 4735)
- The following features are new (or have been significantly
updated) since version 1.2:
- The packet list internals have been rewritten and are now more
efficient.
- Columns are easier to use. You can add a protocol field as a
column by right-clicking on its packet detail item, and you
can adjust some column preferences by right-clicking the
column header.
- Preliminary Python scripting support has been added.
- Many memory leaks have been fixed.
- Packets can now be ignored (excluded from dissection), similar
to the way they can be marked.
- Manual IP address resolution is now supported.
- Columns with seconds can now be displayed as hours, minutes
and seconds.
- You can now set the capture buffer size on UNIX and Linux if
you have libpcap 1.0.0 or greater.
- TShark no longer needs elevated privileges on UNIX or Linux to
list interfaces. Only dumpcap requires privileges now.
- Wireshark and TShark can enable 802.11 monitor mode directly
if you have libpcap 1.0.0 or greater.
- You can play RTP streams directly from the RTP Analysis
window.
- Capinfos and editcap now respectively support time order
checking and forcing.
- Wireshark now has a "jump to timestamp" command-line option.
- You can open JPEG files directly in Wireshark.
- New Protocol Support
3GPP Nb Interface RTP Multiplex, Access Node Control Protocol,
Apple Network-MIDI Session Protocol, ARUBA encapsulated remote
mirroring, Assa Abloy R3, Asynchronous Transfer Mode, B.A.T.M.A.N.
Advanced Protocol, Bluetooth AMP Packet, Bluetooth OBEX, Bundle
Protocol, CIP Class Generic, CIP Connection Configuration Object,
CIP Connection Manager, CIP Message Router, collectd network data,
Control And Provisioning of Wireless Access Points, Controller
Area Network, Device Level Ring, DOCSIS Bonded Initial Ranging
Message, Dropbox LAN sync Discovery Protocol, Dropbox LAN sync
Protocol, DTN TCP Convergence Layer Protocol, EtherCAT Switch
Link, Fibre Channel Delimiters, File Replication Service DFS-R,
Gateway Load Balancing Protocol, Gigamon Header, GigE Vision
Control Protocol, Git Smart Protocol, GSM over IP ip.access CCM
sub-protocol, GSM over IP protocol as used by ip.access, GSM
Radiotap, HI2Operations, Host Identity Protocol, HP encapsulated
remote mirroring, HP NIC Teaming Heartbeat, IEC61850 Sampled
Values, IEEE 1722 Protocol, InfiniBand Link, Interlink Protocol,
IPv6 over IEEE 802.15.4, ISO 10035-1 OSI Connectionless
Association Control Service, ISO 9548-1 OSI Connectionless Session
Protocol, ISO 9576-1 OSI Connectionless Presentation Protocol,
ITU-T Q.708 ISPC Analysis, Juniper Packet Mirror, Licklider
Transmission Protocol, MPLS PW ATM AAL5 CPCS-SDU mode
encapsulation, MPLS PW ATM Cell Header, MPLS PW ATM Control Word,
MPLS PW ATM N-to-One encapsulation, no CW, MPLS PW ATM N-to-One
encapsulation, with CW, MPLS PW ATM One-to-One or AAL5 PDU
encapsulation, Multiple Stream Reservation Protocol, NetPerfMeter
Protocol, NetScaler Trace, NexusWare C7 MTP, NSN FLIP, OMRON FINS
Protocol, packetbb Protocol, Peer Network Resolution Protocol,
PKIX Attribute Certificate, Pseudowire Padding, Server/Application
State Protocol, Solaris IPNET, TN3270 Protocol, TN5250 Protocol,
TRILL, Twisted Banana, UMTS FP Hint, UMTS MAC, UMTS Metadata, UMTS
RLC, USB HID, USB HUB, UTRAN Iuh interface HNBAP signalling, UTRAN
Iuh interface RUA signalling, V5.2, Vendor Specific Control
Protocol, Vendor Specific Network Protocol, VMware Lab Manager,
VXI-11 Asynchronous Abort, VXI-11 Core Protocol, VXI-11 Interrupt,
X.411 Message Access Service, ZigBee Cluster Library
- Updated Protocol Support
There are too many to list here.
- New and Updated Capture File Support
Accellent 5Views, ASN.1 Basic Encoding Rules, Catapult DCT2000,
Daintree SNA, Endace ERF, EyeSDN, Gammu DCT3 trace, IBM iSeries,
JPEG/JFIF, libpcap, Lucent/Ascend access server trace, NetScaler,
PacketLogger, pcapng, Shomiti/Finisar Surveyor, Sun snoop, Symbian
OS btsnoop, Visual Networks
Pkgsrc changes:
A fix for the security vulnerability reported in SA41535 has been
integrated from the Wireshark SVN repository.
- Bug Fixes
o The SigComp Universal Decompressor Virtual Machine could
overrun a buffer. (Bug 4867)
Versions affected: 0.10.8 to 1.0.14, 1.2.0 to 1.2.9
CVE-2010-2287
o The GSM A RR dissector could crash. (Bug 4897)
Versions affected: 1.2.2 to 1.2.9
o Due to a regression the ASN.1 BER dissector could overrun the stack.
Versions affected: 0.10.13 to 1.0.14, 1.2.0 to 1.2.9
CVE-2010-2284
o The IPMI dissector could go into an infinite loop.
Versions affected: 1.2.0 to 1.2.9
- The following bugs have been fixed:
o Wireshark crashes after configuring new Information column.
(Bug 4854)
o Crash triggered when changing display filter from right-mouse
pop-up menu via packet-list. (Bug 4860)
o Wireshark crash selecting Inter-Asterisk exchange v2 packet
data. (Bug 4868)
o zlib-1.2.5 cause tshark to stop live capture. (Bug 4916)
o Crash when adding SNMP users. (Bug 4926)
o Wireshark via ssh -X on ipv6 link-local address fails to allow
capture. (Bug 4945)
o OMAPI dissector fails to parse combined initialization
messages. (Bug 4982)
o QUERY_FS_INFO for Macintosh level 0x301 - MacSupportFlags
decodes wrong. (Bug 4993)
o SCSI dissector misidentifies ATA PASSTHROUGH command as ACCESS
CONTROL IN. (Bug 5037)
o Wrong decoding of GTP Prime (GTP') packets. (Bug 5055)
- Updated Protocol Support
ASN.1 BER, GSM A RR, GTP, IAX2, IPMI, OMAPI, PRES, SCSI, SMB, UNISTIM
(missed those and *emacs* the first time round because they pull
in their png dependencies via default-on options; they were included
in the test bulk build though)
- Bug Fixes
- The following vulnerabilities have been fixed.
- The SMB dissector could dereference a NULL pointer. (Bug 4734)
- J. Oquendo discovered that the ASN.1 BER dissector could overrun
the stack.
- The SMB PIPE dissector could dereference a NULL pointer on some
platforms.
- The SigComp Universal Decompressor Virtual Machine could go into an
infinite loop. (Bug 4826)
- The SigComp Universal Decompressor Virtual Machine could overrun
a buffer. (Bug 4837)
- The following bugs have been fixed:
- Cannot open file with File -> Open. (Bug 1791)
- Application crash when changing real-time option. (Bug 4035)
- Crash in filter autocompletion. (Bug 4306)
- The XML dissector doesn't allow dots (".") in tags. (Bug 4405)
- Live capture stops when using zlib 1.2.5. (Bug 4708)
- Want to be able to apply decode as to Data Portion of Lan Trace.
(Bug 4721)
- SABP short pdu (packet_per.c). (Bug 4743)
- Kerberos pre-auth type constants - MS extensions are wrong. (Bug 4752)
- Check HTTP Content-Length parsing for overflow. (Bug 4758)
- Wrong variable used for proto_tree_add_text() in ptp dissector.
(Bug 4773)
- Crash when close window frame of gtk file chooser. (Bug 4778)
- Wrong decoding for BGP ORF. (Bug 4782)
- Crash when Ctrl-Backspacing the display filter. (Bug 4797)
- Acker AFI field incorrect size in PGM dissector. (Bug 4798)
- Fedora 13: wireshark fails to build (linking problem). (Bug 4815)
- The NFS FH hash (nfs.fh.hash) incorrectly matches multiple filehandles.
(Bug 4839)
- AES-CTR decoding not working, (dissectors/packet_ipsec.c using gcrypt).
(Bug 4838)
- Updated Protocol Support
ASN.1 BER, BGP, HTTP, IGMP, IPsec, Kerberos, NFS, PGM, PTP, SABP, SigComp,
SMB, TCAP, XML,
- Updated Capture File Support
ERF, PacketLogger.
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o The DOCSIS dissector could crash. (Bug 4644), (bug 4646) -->
Versions affected: 0.9.6 to 1.0.12, 1.2.0 to 1.2.7
- The following bugs have been fixed:
o HTTP parser limits with Content-Length. (Bug 1958)
o MATE dissector bug with GOGs. (Bug 3010)
o Changing fonts and deleting system time from preferences,
results in wireshark crash. (Bug 3387)
o ERF file starting with record with timestamp=0,1 or 2 not
recognized as ERF file. (Bug 4503)
o The SSL dissector can not correctly resemple SSL records when
the record header is spit between packets. (Bug 4535)
o TCP reassembly can call subdissector with incorrect TCP
sequence number. (Bug 4624)
o PTP dissector displays big correction field values wrong. (Bug
4635)
o MSF is at Anthorn, not Rugby. (Bug 4678)
o ProtoField __tostring() description is missing in Wireshark's
Lua API Reference Manual. (Bug 4695)
o EVRC packet bundling not handled correctly. (Bug 4718)
o Completely unresponsive when run very first time by root user.
(Bug 4308)
- Updated Protocol Support: DOCSIS, HTTP, SSL
- Updated Capture File Support: ERF, PacketLogger.
Bug fixes:
- SNMPv3 Engine ID registration. (Bug 2426)
- Open file dialog always displayed when clicking anywhere on
Wireshark. (Bug 2478)
- tshark reports wrong number of bytes on big dumpfiles with -z
io,stat. (Bug 3205)
- Negative INTEGER number displayed as positive number in SNMP
dissector. (Bug 3230)
- Add support for FT_BOOLEAN fields to wslua FieldInfo. (Bug 4049)
- Wireshark crashes w/ GLib error when trying to play RTP
stream. (Bug 4119)
- Windows 2000 support has been restored. (Bug 4176)
- Wrong dissection on be_cell_id_list for bssmap. (Bug 4437)
- I/O Graph dropdown boxes not working correctly. (Bug 4487)
- Runtime Error when right-clicking field and selecting "Filter
Field Reference". (Bug 4522)
- In GSM SMS PDU TPVPF showing wrong. (Bug 4524)
- Profinet: May be wrong defined byte meaning. (Bug 4525)
- GLib-CRITICAL ** Message. (Bug 4547)
- Certain EDP display filters trigger Wireshark/tshark runtime
error. (Bug 4563)
- Some NCP frames trigger "Dissector bug, protocol NCP". (Bug 4565)
- The encapsulation abbreviation "bluetooth-h4" is ambiguous.(Bug 4613)
Updated Protocol Support:
- BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP
Requested by Alistair Crooks.
Changes since 1.2.4:
Bugfixes:
* The following vulnerabilities have been fixed. See the security advisory
for details and a workaround.
* The Daintree SNA file parser could overflow a buffer. (Bug 4294)
* The SMB and SMB2 dissectors could crash. (Bug 4301)
* The IPMI dissector could crash on Windows. (Bug 4319)
* Wireshark does not graph rtp streams. (Bug 3801)
* Wireshark showing extraneous data in a TCP stream. (Bug 3955)
* Wrong decoding of gtp.target identification. (Bug 3974)
* TTE dissector bug. (Bug 4247)
* Upper case in Lua pref symbol causes Wireshark to crash. (Bug 4255)
* OpenBSD 4.5 build fails at epan/dissectors/packet-rpcap.c. (Bug 4258)
* Incorrect display of stream data using "Follow tcp stream" option. (Bug 4288)
* Custom RADIUS dictionary can cause a crash. (Bug 4316)
Updated Protocol Support:
* DAP, eDonkey, GTP, IPMI, MIP, RADIUS, RANAP, SMB, SMB2, TCP, TTE, VNC,
X.509sat
Updated Capture File Support:
* Daintree SNA.
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
o The Paltalk dissector could crash on alignment-sensitive
processors. (Bug 3689)
Versions affected: 1.2.0 to 1.2.2
o The DCERPC/NT dissector could crash.
Versions affected: 0.10.10 to 1.2.2
o The SMB dissector could crash.
Versions affected: 1.2.0 to 1.2.2
- The following bugs have been fixed:
o Wireshark memory leak with each file open and/or display
filter change. (Bug 2375)
o DHCP Dissector displays negative lease time. (Bug 2733)
o Invalid advertised window line on tcptrace style graph. (Bug
3417)
o SMB get_dfs_referral referral entry is not dissected
correctly. (Bug 3542)
o Error dissecting eMule sourceOBFU message. (Bug 3848)
o Typos in Diameter XML files. (Bug 3878)
o RSL dissector for MS Power IE is broken. (Bug 4017)
o Manifest problem in 1.2.2 Win64 build. (Bug 4024)
o FIP dissector throws assertion. (Bug 4046)
o TCAP problem with indefinite length 'components' SEQ OF. (Bug
4053)
o GSM MAP: an-APDU not decoded. (Bug 4095)
o Add "Drag and Drop entries..." message on Columns preferences
page. (Bug 4099)
o Editcap -t and -w option parses fractional digits incorrectly.
(Bug 4162)
- Updated Protocol Support
DCERPC NT, DHCP, Diameter, E.212, eDonkey, FIP, IPsec, MGCP, NCP,
Paltalk, RADIUS, RSL, SBus, SMB, SNMP, SSL, TCP, Teamspeak2, WPS
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
- The GSM A RR dissector could crash.
Versions affected: 1.2.0 to 1.2.1
- The OpcUa dissector could use excessive CPU and memory.
Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
- The TLS dissector could crash on some platforms.
Versions affected: 1.2.0 to 1.2.1
- The following bugs have been fixed:
- The "Capture->Interfaces" window can't be closed. (Bug 1740)
- tshark-1.0.2 (dumpcap) signal abort core saved. (Bug 2767)
- Memory leak fixes. (Bug 3330)
- Display filter autocompletion doesn't work for some RADIUS and
WiMAX ASNCP fields. (Bug 3538)
- Wireshark Portable includes wrong WinPcap installer. (Bug
3547)
- Crash when loading a profile. (Bug 3640)
- The proto,colinfo tap doesn't work if the INFO column isn't
being printed. (Bug 3675)
- Flow Graph adds too much unnecessary garbage. (Bug 3693)
- The EAP Diameter dictionary file was missing in the
distribution. (Bug 3761)
- Graph analysis window is behind other window. (Bug 3773)
- IKEv2 Cert Request payload dissection error. (Bug 3782)
- DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified
domain-name. (Bug 3792)
- Malformed RTCP Packet error while sending Payload specific
RTCP feedback packet( as per RFC 4585). (Bug 3800)
- 802.11n Block Ack packet Bitmap field missing. (Bug 3806)
- Wireshark doesn't decode WBXML/ActiveSync information
correctly. (Bug 3811)
- Malformed packet when IPv6 packet has Next Header == 59. (Bug
3820)
- Wireshark could crash while reading an ERF file. (Bug 3849)
- Minor errors in gsm rr dissectors. (Bug 3889)
- WPA Decryption Issues. (Bug 3890)
- GSM A RR sys info dissection problem. (Bug 3901)
- GSM A RR inverts MEAS-VALID values. (Bug 3915)
- PDML output leaks ~300 bytes / packet. (Bug 3913)
- Incorrect station identifier parsing in Kingfisher dissector.
(Bug 3946)
- DHCPv6, Vendor-Specific Informantion, SubOption"Option
Request" parser incorrect. (Bug 3987)
- Wireshark could leak memory while analyzing SSL.
- Wireshark could crash while updating menu items after reading
a file in some cases.
- The Mac OS X ChmodBPF script now works correctly under Snow
Leopard.
- Updated Protocol Support
DCERPC, DHCPv6, DNS, E.212, GSM A RR, GTPv2, H.248, IEEE 802.11,
IPMI, ISAKMP/IKE, ISUP, Kingfisher, LDAP, OpcUA, RTCP, SCTP, SIP,
SSL, TCP, WBXML, ZRTP
- Updated Capture File Support
ERF
New features:
- Wireshark has a spiffy new start page.
- Display filters now autocomplete.
- Support for the c-ares resolver library has been added. It has many
- advantages over ADNS.
- Many new protocol dissectors and capture file formats have been added.
- Macintosh OS X support has been improved.
- GeoIP database lookups.
- OpenStreetMap + GeoIP integration.
- Improved Postscript(R) print output.
- The preference handling code is now much smarter about changes.
- Support for Pcap-ng, the next-generation capture file format.
- Support for process information correlation via IPFIX.
- Column widths are now saved.
- The last used configuration profile is now saved.
- Protocol preferences are changeable from the packet details context menu.
- Support for IP packet comparison.
- Capinfos now shows the average packet rate.
Security fixes:
- The AFS dissector could crash.
- The Infiniband dissector could crash on some platforms.
this pkg can be built against a gnutls which was built without
"openssl emulation". We build against the real openssl anyway, and
having both the real openssl and one emulated by gnutls has some
potential for namespace collisions, thus I'm considering to build
the pkgsrc gnutls w/o openssl emulation.
(This is just a build issue as far as wireshark is concerned, so
no PKGREV bump is needed.)
