wireshark SHOULD be able to filter on multiple hf's with the
same field-name, BUT there is a little bug in the code. I have pinpointed it to
the following in epan/dfilter/dfvm.c:
...
It actually loops through all the hf's with the same name, but only checks
against the original (first) hf.
svn path=/trunk/; revision=21372
this primarily removes code and simplifies (==eliminates) the need to track the data that is allocated and should potentially be slightly faster than a slab allocator.
however these functions are called A LOT so there might be a performance hit when using emem with full debugging canary values and all the bells and whistles activated.
this change also makes any future attempt to parallellize dissection of frames easier if we just make the ep allocator allocate from a threads specific ep pool.
(something we would have to do anyway to make ep allocations multithreaded)
this works in all my tests so far but needs more test coverage.
svn path=/trunk/; revision=20194
print register numbers as unsigned (they're guint32);
when printing a PUT_FVALUE instruction, show the value as well
as the type of the value.
That requires that a bunch of types get to_repr methods; add them for
PCRE (FTREPR_DFILTER-only - show the regular expression as text),
tvbuffs (FTREPR_DFILTER_only - show the data as a hex string), integral
types, string types other than FT_STRING, and FT_IPv6.
That means we can use fvalue_to_string_repr() for FT_IPXNET and FT_IPv6
in proto_construct_dfilter_string(), and that we don't need to handle
integer and floating types specially in MATE.
Fix some problems with the PCRE execution code for tvbuff types.
svn path=/trunk/; revision=16369
they have LF at the end of the line on UN*X and CR/LF on Windows;
hopefully this means that if a CR/LF version is checked in on Windows,
the CRs will be stripped so that they show up only when checked out on
Windows, not on UN*X.
svn path=/trunk/; revision=11400
New "matches" operater in display filter language. Uses PCRE.
If a "matches" operator is found in a dfilter
while libpcre has not been used to build the binary, then an
exception is thrown after using dfilter_fail() to set an apporporiate
error message.
svn path=/trunk/; revision=9182
structure, rather than separately allocating "fvalue_t"s and having the
"field_info" structure point to them - this appears to speed up protocol
tree construction a bit.
svn path=/trunk/; revision=9146
This function is also very small, so small that teh overhead for the actual function call and return is likely to be a significant part
of its execution time.
change it into a macro and make it thus slightly faster by eliminating the function call overhead.
svn path=/trunk/; revision=9083
the same name (abbreviation). Thus, if multiple protocols or fields
are registered with the same name, you can still filter on the name
and have the filtering work as expected.
svn path=/trunk/; revision=6434
A little work still needs to be done on the new NCP dissector -- make
some of the COL_INFO texts more useful, handle a Unicode issue, and
modify some of the cases that use "request conditions".
But the NCP dissector as it stands is very usable now.
Note: I didn't merge in the PROTO_LENGTH_UNTIL_END macro... I wanted
to think about the various possible macros and review an email conversation
I had with Guy on the subject.
svn path=/trunk/; revision=5432
Put a hash-table of "interesting" fields in the per-proto-tree data.
The dfilter code records which fields/protocols are "interesting" (by which
I mean, their value or existence is checked). Thus, the proto_tree routines
can create special arrays of field_info*'s that are ready for the dfilter
engine to use during a filter operation.
Also store the "proto_tree_is_visible" boolean, renamed "visible", in
the per-proto-tree data.
Move epan_dissect_t to its own header file to make #include dependencies
easier to handle.
Provide epan_dissect_fill_in_columns(), which accepts just the epan_dissect_t*
as an argument.
epan_dissect_new() needs to be followed by epan_dissect_run() for the
dissection to actually take place. Between those two calls,
epan_dissect_prime_dfilter() can be run 0, 1, or multiple times in order to
prime the empty proto_tree with the "intersesting" fields from the dfilter_t.
svn path=/trunk/; revision=4422
into epan/ftypes.
Re-write display filter routines using Lemon parser instead of yacc.
Besides using a different tool, the new grammar is much simpler, while
the display filter engine itself is more powerful and more easily extended.
Add dftest executable, to test display filter "bytecode" generation.
Add option to "configure" to build dftest or randpkt, both of which are not
built by default.
Implement Ed Warnicke's ideas about dranges in the new display filter and
ftype code.
Remove type FT_TEXT_ONLY in favor of FT_NONE, and have protocols registered
as FT_PROTOCOL. Thus, FT_NONE is used only for simple labels in the proto tree,
while FT_PROTOCOL is used for protocols. This was necessary for being
able to make byte slices (ranges) out of protocols, like "frame[0:3]"
Win32 Makefile.nmake's will be added tonight.
svn path=/trunk/; revision=2967
Bill Meier