This adds the ability for Lua scripts to register heuristic dissectors
for any protocol that has registered a heuristic dissector list, such
as UDP, TCP, and ~50 others. The Lua function can also establish a
conversation tied to its Proto dissector, to avoid having to check the
heuristics for the same flow. The example dissector in the testsuite
has also been enhanced to include a heuristic dissector, to verify
the functionality and provide an example implementation.
Change-Id: Ie232602779f43d3418fe8db09c61d5fc0b59597a
Reviewed-on: https://code.wireshark.org/review/576
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Functions with no parameters must be written func(void). Fixes (some) of the
buildbots.
Change-Id: I1a6e5c0553e032e99419fe67eb4b573bbdfe7fe6
Reviewed-on: https://code.wireshark.org/review/388
Reviewed-by: Evan Huus <eapache@gmail.com>
There are some common things people need to do, such as convert to/from hex or get
the raw binary string in a ByteArray/Tvb/TvbRange. These have been added, as well
as some tests for them in the testsuites. Also, functions have been added to allow
a script to get all the available tap types and filter fields, since they are
not exactly what one can see in the Wireshark gui.
Change-Id: I92e5e4eae713bb90d79b0c024eaa4e55b99cc96b
Reviewed-on: https://code.wireshark.org/review/249
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The OP asked 9169 to be reopened because the capture was spewing ~40GB of output
when dissected with tshark. Investigation showed this was because the HTTP
dissector was requesting ONE_MORE_PACKET reassembly a lot, and TCP was adding
each step as a data-source which was being printed by tshark's hex dump. This
was leading to O(n^2) of output.
To fix, introduce function remove_last_data_source which removes the most recent
data source from the list. If the subdissector in TCP reassembly asks for
ONE_MORE_PACKET, assume it hasn't added any tree items (since it shouldn't have)
and remove the data source since it is unnecessary.
This may break dissectors which add tree items and *then* return
ONE_MORE_PACKET, since they will have their data source removed out from under
them. I believe those cases should be fixed to not add tree items until they're
sure they have enough data.
Change-Id: Iff07f959b8b8bd1acda9bff03f7c8684901ba8aa
Reviewed-on: https://code.wireshark.org/review/38
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
This is a VERY PRELIMINARY version of tfshark. It's an attempt to jumpstart FileShark and its architecture. Right now it's mostly just a very stripped down version of tshark with all of the necessary build modifications (including now building filetap library since tfshark depends on it)
This code has helped me identify what I believe to be all of the necessary layers for a complete fileshark architecture. And those layers will slowly be added in time (patches always welcome!).
svn path=/trunk/; revision=54646
Move COL_* enum to <epan/column-utils.h>
XXX Later we can rename epan/column-info.h to column-int.h (or smth like this)
svn path=/trunk/; revision=54352
from the GTK flavor in two major ways:
- The "Decode As" and "User Specified Decodes" dialog have been unified.
- You can modify the decode as behavior at any time, not just when you
have a packet selected.
Revert part of 53498 so that we can move items marked
/*** THE FOLLOWING SHOULD NOT BE USED BY ANY DISSECTORS!!! ***/
from epan/decode_as.h to ui/decode_as_utils.h.
Move "save" code from decode_as_dlg.c to decode_as_utils.c as well.
In packet-dcerpc.c don't register a table named "ethertype". We might
want to add checks for duplicate table names.
To do:
- Add support for ranges?
- Either add support for DCERPC or make DCERPC use a regular dissector
table.
- Fix string selectors (i.e. BER).
svn path=/trunk/; revision=53910
warning: argument 'data' of command @param is not found in the argument list of dissector_all_tables_foreach_changed(DATFunc func, gpointer user_data)
warning: The following parameters of dissector_all_tables_foreach_changed(DATFunc func, gpointer user_data) are not documented: parameter 'user_data'
svn path=/trunk/; revision=53749
We presumably want "decode as" behavior to be consistent across UIs so
call load_decode_as_entries() from read_prefs().
svn path=/trunk/; revision=53498
The main driving force for this was my new Decode As functionality (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9450) that wants a dissector/subdissector table relationship for all dissectors wanting to use Decode As functionality. The ethertype() function provides the value to the "ethertype" subdissector table, so I think it should be matched to a dissector. Only odd side effect is the display filter of "ethertype" returns no packets because there is no "item" associated with the dissector.
svn path=/trunk/; revision=53443
not finding it, I finally found it in column_info.h
Renamed column_info.h to column-info.h to have consistency
with the column*h files.
svn path=/trunk/; revision=52667
should be freed when it is destroyed. This requires splitting packet_init in
two: the hash table which must be created before protocol registration, and the
caching of common protocol handles, which must happen after registration.
svn path=/trunk/; revision=51329
byte view.
Move the packet_char_enc enum from packet.h to frame_data.h. Make the
encoding flag a packet_char_enc and make it one bit.
Get rid of the "cfile" global in a few places. C++-ize some of the font
code. Clean up some variable names.
svn path=/trunk/; revision=45838
make Save-As/Displayed/All-Packets save not only the displayed packets but
also any other packets needed (e.g., for reassembly) to fully dissect the
displayed packets.
This works only for the "All packets" case; choosing only the Selected packet,
the Marked packets, or a range of packets would require actually storing which
packets depend on which (too much memory) or going through the packet list many
times (too slow). Also, this behavior is always the case: you can't save the
displayed packets without their dependencies (I don't see why this would be
desirable).
So far this is done for SCTP and things using the reassembly routines (TCP has
been tested).
The Win32 dialog was modified but hasn't been tested yet.
One confusing aspect of the UI is that the Displayed count in the Save-As
dialog does not match the number of displayed packets. (I tried renaming the
button "Displayed + Dependencies" but it looked too big.) The tooltip tries
to explain this and the fact that this works only in the All-Packets case;
suggestions for improvement are welcome.
Implementation details:
Dissectors (or the reassembly code) can list frames which were needed to
build the current frame's tree. If the current frame passes the display
filter then each listed frame is marked as "depended upon" (this takes up the
last free frame_data flag).
When performing a Save-As/Displayed/All-Packets then choose packets which
passed the dfilter _or_ are depended upon.
svn path=/trunk/; revision=41216
Hadriel Kaplan