TCP: Add (generated) field with first letter of TCP Flags

from help TCP Troubleshooter Based on http://blog.didierstevens.com/2014/04/28/tcp-flags-for-wireshark/ Change-Id: I115717f738a77dd1b22cefa8f646bcdbe9884ec2 Reviewed-on: https://code.wireshark.org/review/8733 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-06-02 11:36:43 +02:00 · 2015-06-02 11:36:43 +02:00 · c365dffd26
parent a365fb8316
commit c365dffd26
1 changed files with 39 additions and 1 deletions
--- a/epan/dissectors/packet-tcp.c
+++ b/epan/dissectors/packet-tcp.c
@ -108,6 +108,7 @@ static int hf_tcp_flags_push = -1;
 static int hf_tcp_flags_reset = -1;
 static int hf_tcp_flags_syn = -1;
 static int hf_tcp_flags_fin = -1;
+static int hf_tcp_flags_str = -1;
 static int hf_tcp_window_size_value = -1;
 static int hf_tcp_window_size = -1;
 static int hf_tcp_window_size_scalefactor = -1;
@ -4298,6 +4299,36 @@ tcp_flags_to_str(const struct tcpheader *tcph)

    return buf;
 }
+static const char *
+tcp_flags_to_str_first_letter(const struct tcpheader *tcph)
+{
+    static const char flags[][4] = { "F", "S", "R", "P", "A", "U", "E", "C", "N" };
+    const int maxlength = 16; /* Max Flags length*/
+
+    char *pbuf;
+    const char *buf;
+
+    int i;
+
+    buf = pbuf = (char *) wmem_alloc(wmem_packet_scope(), maxlength);
+    *pbuf = '\0';
+
+    for (i = 9; i > 0; i--) {
+        if (tcph->th_flags & (1 << i)) {
+            pbuf = g_stpcpy(pbuf, flags[i]);
+        } else {
+            pbuf = g_stpcpy(pbuf, "*");
+        }
+    }
+
+    if (tcph->th_flags & TH_RES) {
+        g_stpcpy(pbuf, "RRR");
+    } else {
+        g_stpcpy(pbuf, "***");
+    }
+
+    return buf;
+}

 static void
 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
@ -4310,7 +4341,7 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    proto_item *options_item;
    proto_tree *options_tree;
    int        offset = 0;
-    const char *flags_str;
+    const char *flags_str, *flags_str_first_letter;
    guint      optlen;
    guint32    nxtseq = 0;
    guint      reported_len;
@ -4523,6 +4554,7 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
        tcph->th_have_seglen = FALSE;

    flags_str = tcp_flags_to_str(tcph);
+    flags_str_first_letter = tcp_flags_to_str_first_letter(tcph);

    col_append_lstr(pinfo->cinfo, COL_INFO,
        " [", flags_str, "]",
@ -4609,6 +4641,8 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
        tf_syn = proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
        tf_fin = proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);

+        tf = proto_tree_add_string(field_tree, hf_tcp_flags_str, tvb, offset + 12, 2, flags_str_first_letter);
+        PROTO_ITEM_SET_GENERATED(tf);
        /* As discussed in bug 5541, it is better to use two separate
         * fields for the real and calculated window size.
         */
@ -5167,6 +5201,10 @@ proto_register_tcp(void)
        { "Fin",            "tcp.flags.fin", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_FIN,
            NULL, HFILL }},

+        { &hf_tcp_flags_str,
+        { "TCP Flags",          "tcp.flags.str", FT_STRING, BASE_NONE, NULL, 0x0,
+            NULL, HFILL }},
+
        { &hf_tcp_window_size_value,
        { "Window size value",        "tcp.window_size_value", FT_UINT16, BASE_DEC, NULL, 0x0,
            "The window size value from the TCP header", HFILL }},