Use proto_registrar_is_protocol instead of directly comparing
hfinfo->parent to -1 when determining if the field info is related
to a protocol or not.
This avoids adding the special case text only field, which does not
have a parent protocol id, to the protocol hierarchy. These fields are
merely strings on the GUI tree, not actual protocols.
They were checking for --help in an unusual manner that failed when
run with no arguments.
I've checked that --help works for each script, and that debian-setup.sh
actually works.
NOTE: bsd-setup.sh and rpm-setup.sh seem to have sometimes-broken
formatting, because they try to pass escape sequences to echo, which
POSIX says is implementation-defined (except on XSI-conformant systems).
These changes were mostly made using the following script, with a
manual fix in bsd-setup.sh because it isn't using "switch case".
```python
#!/bin/env python3
import sys
import re
usage_p = re.compile(r'^if \[ "\$1" = "--help" \]\nthen\n((?:\t(?:printf|echo) .*\n)*)\texit 1\nfi$',
re.MULTILINE)
case_p = re.compile(r'(^\tcase \$arg in$)',
re.MULTILINE)
root_check_p = re.compile(r'(\n# Check if the user is root(?:\n|.)*?fi\n)',
re.MULTILINE)
done_p = re.compile(r'(^done\n)',
re.MULTILINE)
def fix_setup(name: str):
assert name.endswith('-setup.sh')
with open(name, 'r') as fin:
s = fin.read()
s = usage_p.sub(r'function print_usage() {\n\1}', s)
s = case_p.sub(r'''\1
\t\t--help)
\t\t\tprint_usage
\t\t\texit 0
\t\t\t;;''', s)
m1 = root_check_p.search(s)
if m1:
root_check = m1[0]
s = root_check_p.sub('', s)
pos = done_p.search(s).end() # type: ignore[union-attr]
s = s[:pos] + root_check + s[pos:]
with open(name, 'w') as fout:
fout.write(s)
if __name__ == '__main__':
for name in sys.argv[1:]:
fix_setup(name)
```
This allows writing moderately complex expressions, for example
a float epsilon test (#16483):
Filter: {abs(_ws.ftypes.double - 1) / max(abs(_ws.ftypes.double), abs(1))} < 0.01
Syntax tree:
0 TEST_LT:
1 OP_DIVIDE:
2 FUNCTION(abs#1):
3 OP_SUBTRACT:
4 FIELD(_ws.ftypes.double)
4 FVALUE(1 <FT_DOUBLE>)
2 FUNCTION(max#2):
3 FUNCTION(abs#1):
4 FIELD(_ws.ftypes.double)
3 FUNCTION(abs#1):
4 FVALUE(1 <FT_DOUBLE>)
1 FVALUE(0.01 <FT_DOUBLE>)
Instructions:
00000 READ_TREE _ws.ftypes.double -> reg#1
00001 IF_FALSE_GOTO 3
00002 SUBRACT reg#1 - 1 <FT_DOUBLE> -> reg#2
00003 STACK_PUSH reg#2
00004 CALL_FUNCTION abs(reg#2) -> reg#0
00005 STACK_POP 1
00006 IF_FALSE_GOTO 24
00007 READ_TREE _ws.ftypes.double -> reg#1
00008 IF_FALSE_GOTO 9
00009 STACK_PUSH reg#1
00010 CALL_FUNCTION abs(reg#1) -> reg#4
00011 STACK_POP 1
00012 IF_FALSE_GOTO 13
00013 STACK_PUSH reg#4
00014 STACK_PUSH 1 <FT_DOUBLE>
00015 CALL_FUNCTION abs(1 <FT_DOUBLE>) -> reg#5
00016 STACK_POP 1
00017 IF_FALSE_GOTO 18
00018 STACK_PUSH reg#5
00019 CALL_FUNCTION max(reg#5, reg#4) -> reg#3
00020 STACK_POP 2
00021 IF_FALSE_GOTO 24
00022 DIVIDE reg#0 / reg#3 -> reg#6
00023 ANY_LT reg#6 < 0.01 <FT_DOUBLE>
00024 RETURN
We now use a stack to pass arguments to the function. The
stack is implemented as a list of lists (list of registers).
Arguments may still be non-existent to functions (this is
a feature). Functions must check for nil arguments (NULL lists)
and handle that case.
It's somewhat complicated to allow literal values and test compatibility
for different types, both because of lack of type information with
unparsed/literal and also because it is an underdeveloped area in the
code. In my limited testing it was good enough and useful, further
enhancements are left for future work.
Conversations start at SMD-S and are continued with SMD-C frames
Added CRC information to proto_data of conversation for mCRC calculation
Continue checksum calculation for faulty fragments
Reassembly information added to info column
Reworked packet_direction
Split the counts of IO data objects and IOCS between
input and output. Remove increment of IO data objects
in station information, sometimes leading to extremely
high and invalid number of IO data objects.
This implements parsing the packets in tls-crypt mode. Parsing is very
limited since tls-crypt encrypts the packets. Since detecting tls-crypt
is not easy apart from two tls-crypt-v2 specific opcodes, it is preference
that needs explicitly set.
Add the length check of dissecting BER integers, int64, and booleans, the expert info is added for bad lengths, includes the name of the field and actual length.
Related to #18005
Needed to format timestamp in #18038 - packet-cql.c
Mirrors changes made in !1924 - Add ENC_TIME_NSECS timestamp encoding
Documentation in README.dissector, proto.c, proto.h - could use
refresh in a different merge request.
Changes the function calling convention to pass the first register
number plus the number of registers after that sequentially. This
allows function with any number of arguments. Functions can still
only return one value.
Adds max() and min() function to select the maximum/minimum value
from any number of arguments, all of the same type. The functions
accept literals too. The return type is the same as the first argument
(cannot be a literal).
Remove unused header definitions in packet-falco-bridge.h and move the
remaining content to packet-falco-bridge.c and conversation-macros.h.
Explicitly set our header files in CMakeLists.txt.
Move the assumption for WHOIS responses to UTF-8 (which is backwards
compatible with ASCII), and add an expert info regarding that
assumption. There is no indication for encoding in the protocol.
Using Show Packet Bytes is sufficient for most purposes, but someone
could add a preference if desired.
Instead of using a heuristic to decide whether the form ${...} is
a macro or not, try to resolve the name to a registered protocol
field and use that instead.
This increases somewhat the surface for clobbering existing macro
names with new field registrations but we'll cross that bridge when
we get to it.
Rejecting protocol field types reduces this probability again but it
may not be intuitive to the user trying to mistakenly use a reference
to a protocol why it is parsed as a macro. The reasons for rejecting
FT_PROTOCOL types as not interesting field references are not
very strong but it seems reasonable.
$ dftest 'frame.number != ${frame.number}'
Filter: frame.number != ${frame.number}
Instructions:
00000 READ_TREE frame.number -> reg#0
00001 IF_FALSE_GOTO 5
00002 READ_REFERENCE ${frame.number} -> reg#1
00003 IF_FALSE_GOTO 5
00004 ALL_NE reg#0 != reg#1
00005 RETURN
$ dftest 'frame != ${frame}'
dftest: macro 'frame' does not exist
Jack Kaplan