epan: ws_debug log for heuristic that claims frame (len != 0)

It's possible for a dissector to claim a frame without adding to the tree or being added to frame.protocols (see !6669) Log a debug message showing the pinfo layers and the dissector that claimed the tvb (frame/packet).
2022-04-15 10:10:51 -05:00 · 2022-04-15 10:10:51 -05:00 · e12954a637
parent 8ac995578c
commit e12954a637
4 changed files with 34 additions and 0 deletions
--- a/epan/packet.c
+++ b/epan/packet.c
@ -2957,6 +2957,10 @@ dissector_try_heuristic(heur_dissector_list_t sub_dissectors, tvbuff_t *tvb,
 			}
 		}
 		if (len) {
+			if (ws_log_msg_is_active(WS_LOG_DOMAIN, LOG_LEVEL_DEBUG)) {
+				ws_debug("Frame: %d | Layers: %s | Dissector: %s\n", pinfo->num, proto_list_layers(pinfo), hdtbl_entry->short_name);
+			}
+
 			*heur_dtbl_entry = hdtbl_entry;

 			/* Bubble the matched entry to the top for faster search next time. */
--- a/epan/proto.c
+++ b/epan/proto.c
@ -7914,6 +7914,29 @@ proto_is_frame_protocol(const wmem_list_t *layers, const char* proto_name)
 	return FALSE;
 }

+gchar *
+proto_list_layers(const packet_info *pinfo)
+{
+	wmem_strbuf_t *buf;
+	wmem_list_frame_t *layers = wmem_list_head(pinfo->layers);
+
+	buf = wmem_strbuf_sized_new(pinfo->pool, 128, 0);
+
+	/* Walk the list of layers in the packet and
+	   return a string of all entries. */
+	while (layers != NULL)
+	{
+		wmem_strbuf_append(buf, proto_get_protocol_filter_name(GPOINTER_TO_UINT(wmem_list_frame_data(layers))));
+
+		layers = wmem_list_frame_next(layers);
+		if (layers != NULL) {
+			wmem_strbuf_append_c(buf, ':');
+		}
+	}
+
+	return wmem_strbuf_finalize(buf);
+}
+
 gboolean
 proto_is_pino(const protocol_t *protocol)
 {
--- a/epan/proto.h
+++ b/epan/proto.h
@ -2674,6 +2674,12 @@ WS_DLL_PUBLIC void proto_get_frame_protocols(const wmem_list_t *layers,
 */
 WS_DLL_PUBLIC gboolean proto_is_frame_protocol(const wmem_list_t *layers, const char* proto_name);

+/** Create a string of all layers in the packet.
+ * @param pinfo Pointer to packet info
+ * @return string of layer names
+ */
+WS_DLL_PUBLIC gchar * proto_list_layers(const packet_info *pinfo);
+
 /** Mark protocol with the given item number as disabled by default.
 @param proto_id protocol id (0-indexed) */
 WS_DLL_PUBLIC void proto_disable_by_default(const int proto_id);
--- a/packaging/debian/libwireshark0.symbols
+++ b/packaging/debian/libwireshark0.symbols
@ -1204,6 +1204,7 @@ libwireshark.so.0 libwireshark0 #MINVER#
 proto_item_set_end@Base 1.9.1
 proto_item_set_len@Base 1.9.1
 proto_item_set_text@Base 1.9.1
+ proto_list_layers@Base 3.7.0
 proto_name_already_registered@Base 2.0.1
 proto_node_group_children_by_json_key@Base 2.5.0
 proto_node_group_children_by_unique@Base 2.5.0