As requested [here][1] by @eapache, help with removing calls to
`wmem_packet_scope()` in favour of references to `pinfo->pool`.
* Plugins chosen semi-randomly.
* When a calling function already has a `pinfo` argument, use that.
* Remove `_U_` from its signature if it was there.
* If a function seems narrowly focused on getting and (possibly)
returning memory, change the function signature to take a
`wmem_allocator_t *`.
* If it seems more focused on packet-based operations, pass in a
`packet_info *` instead and use `pinfo->pool` within.
* If there are several functions defined with the same call
signature, add `pinfo _U_` to the argument list of similar
functions in order to maintain clarity/symmetry.
[1]: https://www.wireshark.org/lists/wireshark-dev/202107/msg00052.html
It's not in the response message, it's taken from the request message,
so display it with a zero offset and length, so it doesn't match any
bytes in the packet.
It's a 32-bit field, so make it an FT_UINT32.
Add strings with proto_tree_add_item instead of tvb_memcpy,
appending a null, and a proto_tree_add_string so that the
strings are validated for encoding, trailing nulls, etc.
Fix#18847
When retrieving a string, don't just use tvb_memcpy, even if
expected to be ASCII (because it might have errors.)
This doesn't get truncated, even if all replacement characters,
because the eventual returned buffer is 200 octets long and the
max filename is 49.
Fix#18800
Falco plugins don't yet have a standard installation location, and even
when they do we might not want to install all of them. Remove plugin
detection from FindSinsp.cmake and note that you should just pass the
paths to your plugins in SINSP_PLUGINS.
Rename flex macros using parenthesis (mostly a style issue):
DIAG_OFF_FLEX -> DIAG_OFF_FLEX()
DIAG_ON_FLEX -> DIAG_ON_FLEX()
Use the same kind of construct with lemon generated code using
DIAG_OFF_LEMON() and DIAG_ON_LEMON(). Use %include and %code
directives to enforce the desired order with generated code
in the middle in between pragmas.
Fix a clang-specific pragma to use DIAG_OFF_CLANG().
DIAG_OFF(unreachable-code) -> DIAG_OFF_CLANG(unreachable-code).
Apparently GCC is ignoring the -Wunreachable flag, that's why
it did not trigger an unknown pragma warning. From [1}:
The -Wunreachable-code has been removed, because it was unstable: it
relied on the optimizer, and so different versions of gcc would warn
about different code. The compiler still accepts and ignores the
command line option so that existing Makefiles are not broken. In some
future release the option will be removed entirely. - Ian
[1] https://gcc.gnu.org/legacy-ml/gcc-help/2011-05/msg00360.html
Separate fragment_head and fragment_item into two
different types of structs.
Remove "offset" from fragment_head, which was unused,
making fragment heads 4 bytes smaller.
Remove fragment_nr_offset, datalen, reassembled_in,
reas_in_layer_num, and error from fragment_item,
making them 24 bytes smaller.
Change a few dissectors which were using fragment_head
and fragment_item indistinguishably.
Ping #17311
It looks like there was a cut&paste error a long time ago resulting
in the wimaxasncp.message_type field being incorrectly detected as
unused and commented out. Closes#18424.
They're of type FT_NONE, meaning that they do not have values, they're
just present or not.
Handle the TCP analysis fields "tcp.analysis.retransmission" and
"tcp.analysis.keep_alive", both of which are expert infos, by just
seeing if they're present or not.
Fixes a problem mentioned in a comment in merge request !8412.
As of a change many years ago, Boolean values are stored as 64-bit (the
change was made to handle Boolean bitfields in 64-bit fields). Fix the
extractor for Boolean values to fetch from the 64-bit unsigned integer
field, and, while we're at it, add a change that the field in question
really *is* a Boolean field (the functions used to fetch the value in
the other extractors do such a check).
The TRANSUM post-dissector performs timing analysis, and does not
dissect any of the packet data; all its calls to `proto_tree_add_foo()`
claim 0 bytes. So this fix claims 0 bytes for the overall TRANSUM
protocol tree as well.
Fixes#18241
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
Remove the redundant BASE_FLOAT field display type. The name
BASE_FLOAT is meaningless and the value aliased to BASE_NONE.
Require BASE_NONE instead of BASE_FLOAT (corresponding to
the printf() %g format).
Add new float display types using BASE_DEC, BASE_HEX and BASE_EXP
corresponfing to %f, %a and %e respectively.
Add support for BASE_CUSTOM with floats.
Switch to the name "Logray" for the log analyzer. Rays are biological
cousins of sharks and more people like the name "Logray" in a completely
unscientific survey here. Apologies for any inconvenience this might
cause.
When the field width was corrected by commit
b240d5baa0, the masks got messed
up. There's 4 reserved bits that don't have fields and the bits
are in Little Endian order. Fix#18132.
Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.
Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.
Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
David Perry