Rename init_progfile_dir to configuration_init. Add an argument which
specifies our configuration namespace, which can be "Wireshark"
(default) or "Logwolf".
Rename the main_window class and UIC files to wireshark_main_window and
the MainWindow class to WiresharkMainWindow. Copy wireshark_main_window
/ WiresharkMainWindow to logwolf_main_window / LogwolfMainWindow.
Remove the Wireless menu from Logwolf.
Move WiresharkApplication.{cpp,h} to MainApplication.{cpp,h}. Add back
WiresharkApplication as a thin superclass of MainApplication, similar to
LogsharkApplication. Change all of our wsApp references to mainApp. We
will likely have to change many or most of them back, but that's a
commit for another time.
Add a separate UI application named "Logshark". It's currently a very
thin superclass of Wireshark, but that will change over time. Based on
work by Loris Degioanni.
Port 3389 is IANA assigned for RDP, but on TCP it can appear over
TPKT with or without underlying TLS, depending on the RDP Security
Settings. Add a heuristic dissector for TPKT. The heuristic is a
little weak so disable it by default for the general case, but
register it as a PINO specifically for the IANA assigned port.
On port 3389, by default Wireshark now tries heuristics for TPKT
and TLS (ordering depending on whether "Try heuristic sub-dissectors
first" is enabled for TCP). Once it finds a packet that passes
the heuristics, it sets the conversation dissector and from then
on will desegment/report Continuation Data as appropriate. This
is nicer than having to manually configure Decode As for RDP
standard encryption (without TLS). Related to #17952, #17437.
Fix a failed assertion with constant arithmetic expressions.
Because we do not parse constants on the lexical level it is
more complicated to handle constant expressions with unparsed
values.
We need to handle missing type information gracefully for any
kind of arithmetic expression, not just unary minus.
ssl_dissector_add registers TLS as the dissector for TCP for the given
port. We can't use it, since on port 3389 TPKT (for RDP) can be over TLS
or directly over TCP, depending on the RDP security settings.
Fix#17952.
Use the actual maximum table table size, which may have been set to
a value other than the default 4096, to fill the table with dummy
entries. Fix#17936
Add support for display filter binary addition and subtraction.
The grammar is intentionally kept simple for now. The use case
is to add a constant to a protocol field, or (maybe) add two
fields in an expression.
We use signed arithmetic with unsigned numbers, checking for
overflow and casting where necessary to do the conversion.
We could legitimately opt to use traditional modular arithmetic
instead (like C) and if it turns out that that is more useful for
some reason we may want to in the future.
Fixes#15504.
By the time we are using the reference fvalue the tree may have gone
away and with it the fvalue. We need to duplicate the reference
fvalues and take ownership of the memory.
This replaces the current macro reference system with
a completely different implementation. Instead of a macro a reference
is a syntax element. A reference is a constant that can be filled
in the dfilter code after compilation from an existing protocol tree.
It is best understood as a field value that can be read from a fixed
tree that is not the frame being filtered. Usually this fixed tree
is the currently selected frame when the filter is applied. This
allows comparing fields in the filtered frame with fields in the
selected frame.
Because the field reference syntax uses the same sigil notation
as a macro we have to use a heuristic to distinguish them:
if the name has a dot it is a field reference, otherwise
it is a macro name.
The reference is synctatically validated at compile time.
There are two main advantages to this implementation (and a couple of
minor ones):
The protocol tree for each selected frame is only walked if we have a
display filter and if the display filter uses references. Also only the
actual reference values are copied, intead of loading the entire tree
into a hash table (in textual form even).
The other advantage is that the reference is tested like a protocol
field against all the values in the selected frame (if there is more
than one).
Currently the reference fields are not "primed" during dissection, so
the entire tree is walked to find a particular reference (this is
similar to the previous implementation).
If the display filter contains a valid reference and the reference is
not loaded at the time the filter is run the result is the same as a
non existing field for a regular READ_TREE instruction.
Fixes#17599.
This usage devalues a mechanism for warning users that deserves more
attention than this minor suggestion.
The warning is inconvenient for intermediate and advanced users.
Gerald Combs