To allow an arithmetic expressions without spaces, such as "1+2",
we cannot match the expression in other lexical rules using "+". Because
of longest match this becomes the token LITERAL or UNPARSED with semantic value
"1+2". The same goes for all the other arithmetic operators.
So we need to remove [+-*/%] from "word chars" and add very specific
patterns (that won't mistakenly match an arithmetic expression) for
those literal or unparsed tokens we want to support using these characters.
The plus was not a problem but right slash is used for CIDR, minus for
mac address separator, etc.
There are still some corner case. 11-22-33-44-55-66 is a mac
address and not the arithmetic expression with six terms "eleven
minus twenty two minus etc." (if we ever support more than two terms
in the grammar, which we don't currently).
We lift some patterns from the flex manual to match on IPv4 and
IPv6 (ugly) and add MAC address.
Other hypothetical literal lexical values using [+-*/%] are already
supported enclosed in angle brackets but the cases of MAC/IPv4/IPv6 are
are very common and moreover we need to do the utmost to not break backward
compatibily here.
Before:
$ dftest "_ws.ftypes.int32 == 1+2"
dftest: "1+2" is not a valid number.
After:
$ dftest "_ws.ftypes.int32 == 1+2"
Filter: _ws.ftypes.int32 == 1+2
Instructions:
00000 READ_TREE _ws.ftypes.int32 -> reg#0
00001 IF_FALSE_GOTO 4
00002 ADD 1 <FT_INT32> + 2 <FT_INT32> -> reg#1
00003 ANY_EQ reg#0 == reg#1
00004 RETURN
In most, if not all, programming languages logical AND has
higher precedence than logical OR. Apply the principle of
least surprise and do the same for Wireshark display
filters.
Before: ip and tcp or udp => ip and (tcp or udp)
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 5
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
After: ip and tcp or udp => (ip and tcp) or udp
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 4
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
Rename LogsharkApplication to LogwolfApplication. Rename other Logshark
references in ui/qt_logshark to Logwolf. Update our CMake target and
variable names.
Rename init_progfile_dir to configuration_init. Add an argument which
specifies our configuration namespace, which can be "Wireshark"
(default) or "Logwolf".
Rename the main_window class and UIC files to wireshark_main_window and
the MainWindow class to WiresharkMainWindow. Copy wireshark_main_window
/ WiresharkMainWindow to logwolf_main_window / LogwolfMainWindow.
Remove the Wireless menu from Logwolf.
Move WiresharkApplication.{cpp,h} to MainApplication.{cpp,h}. Add back
WiresharkApplication as a thin superclass of MainApplication, similar to
LogsharkApplication. Change all of our wsApp references to mainApp. We
will likely have to change many or most of them back, but that's a
commit for another time.
Add a separate UI application named "Logshark". It's currently a very
thin superclass of Wireshark, but that will change over time. Based on
work by Loris Degioanni.
Port 3389 is IANA assigned for RDP, but on TCP it can appear over
TPKT with or without underlying TLS, depending on the RDP Security
Settings. Add a heuristic dissector for TPKT. The heuristic is a
little weak so disable it by default for the general case, but
register it as a PINO specifically for the IANA assigned port.
On port 3389, by default Wireshark now tries heuristics for TPKT
and TLS (ordering depending on whether "Try heuristic sub-dissectors
first" is enabled for TCP). Once it finds a packet that passes
the heuristics, it sets the conversation dissector and from then
on will desegment/report Continuation Data as appropriate. This
is nicer than having to manually configure Decode As for RDP
standard encryption (without TLS). Related to #17952, #17437.
Fix a failed assertion with constant arithmetic expressions.
Because we do not parse constants on the lexical level it is
more complicated to handle constant expressions with unparsed
values.
We need to handle missing type information gracefully for any
kind of arithmetic expression, not just unary minus.
ssl_dissector_add registers TLS as the dissector for TCP for the given
port. We can't use it, since on port 3389 TPKT (for RDP) can be over TLS
or directly over TCP, depending on the RDP security settings.
Fix#17952.
Use the actual maximum table table size, which may have been set to
a value other than the default 4096, to fill the table with dummy
entries. Fix#17936
Gerald Combs