It's arguably an error, as an FT_STRINGZ requires at least one character
position for the terminating NUL, but the way to handle that is to give
it a string value of an empty string and add an expert info indicating
that the terminating NUL is missing. (The same should be done for
FT_STRINGZ fields with a specified non-zero length that don't have a NUL
in the last character position.)
Change-Id: Ie702bf44db36310f0f6e2625a3a64e6424167546
Reviewed-on: https://code.wireshark.org/review/38136
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Add a new top-level view that shows each packet as a series of diagrams
similar to what you'd find in a networking textook or an RFC.
Add proto_item_set_bits_offset_len so that we can display some diagram
fields correctly.
Bugs / to do:
- Make this a separate dialog instead of a main window view?
- Handle bitfields / flags
Change-Id: Iba4897a5bf1dcd73929dde6210d5483cf07f54df
Reviewed-on: https://code.wireshark.org/review/37497
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have the message indicate the problem and the name of the offending field.
Change-Id: I661125814c9ad5585a3e71d14f8407948e2e6d76
Reviewed-on: https://code.wireshark.org/review/38090
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
This commit replaces instances of
(myobj *)wmem_alloc(wmem_X_scope(), sizeof(myobj))
and replaces them with:
wmem_new(wmem_X_scope(), myobj)
to improve the readability of Wireshark's code.
Replacements were made with the following Python script:
import os
import re
import sys
pattern = r'\(([^\s\n]+) ?\*\) ?wmem_alloc(0?)\((wmem_[a-z]+_scope\(\)), sizeof\(\1\)\)'
replacewith = r'wmem_new\2(\3, \1)'
startdir = sys.argv[1]
for root, dirs, files in os.walk(startdir):
for fname in files:
fpath = os.path.join(root, fname)
if not fpath.endswith('.c'):
continue
with open(fpath, 'r') as fh:
fdata = fh.read()
output = re.sub(pattern, replacewith, fdata)
if fdata != output:
print(fpath)
with open(fpath, 'w') as fh:
fh.write(output)
Change-Id: I223cb2fcce336bc99ca21c4a74e4cf758fd00572
Reviewed-on: https://code.wireshark.org/review/38088
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure we use g_warning to print each ENABLE_CHECK_FILTER warning.
g_warning automatically appends a newline, so there's no need for us to
do so.
Change-Id: I4ddb60f0e3e0382fb3ca6e996ad47410fe05d8be
Reviewed-on: https://code.wireshark.org/review/37748
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.
Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.
Also make some of those arrays static while we're at it.
Update documentation and dissector-generator tools.
Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Say "attempt to XXX", as the attempt might not succeed.
Fix a copied-and-pasted comment to reflect what
proto_is_frame_protocol() does.
Change-Id: Ia16a98064b87001f019fda43f2db2970a89e355e
Reviewed-on: https://code.wireshark.org/review/37486
Reviewed-by: Guy Harris <gharris@sonic.net>
Add proto_item_get_display_repr(), which returns a string, allocated
with a specified wmem scope, containing the display representation of
the value of a proto_item.
Use it in the LLDP dissector, to append that string to the parent
protocol tree item; use packet scope, so it doesn't hang around forever
(the previous code used the NULL scope, meaning explicit freeing was
required, but it wasn't explicitly freeing the value, so it was
leaking).
Change-Id: I146380118833b1daef9dea8bd9463001e5b9325f
Reviewed-on: https://code.wireshark.org/review/36931
Petri-Dish: Guy Harris <gharris@sonic.net>
Reviewed-by: Guy Harris <gharris@sonic.net>
true_false_strings have no helper function to properly retrieve the
string representing the true or false value, much like unit_strings,
even though this is not uncommon in dissectors.
This change introduces the helper function and modifies the dissectors,
so that they use this helper i.s.o. their own expressions.
Change-Id: I477ed2d90a9a529fc5dcfef7e3ea42ec180d27ae
Reviewed-on: https://code.wireshark.org/review/36920
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In proto_tree_add_item_ret_time_string, we should return the result of
proto_tree_add_node directly like other similar functions.
Change-Id: I5f0cdc32ee3e69ecf3c62f1d56cb8278c91c9c45
Reviewed-on: https://code.wireshark.org/review/36716
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Check is enabled by #ifdef ENABLE_CHECK_FILTER
Remaining issues found by this check are fixed here,
along with a documentation note that the entries
are checked in order and the first match is used.
The only issue not yet fixed is in packet-isup.c,
where the spec was not available to me.
Change-Id: Ife747cda9b91a265bc2b81ce0a53f55f3389919e
Reviewed-on: https://code.wireshark.org/review/36708
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Fixed a few instances where fix were obvious, others are
less clear.
The check in proto.c is protected by ENABLE_CHECK_FILTER.
Change-Id: I4edee4e67bd53bbf2eb809d68c87983a7c5a66f3
Reviewed-on: https://code.wireshark.org/review/36645
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Times before 1970-01-01 should be represented as a negative number of
seconds in nstime_t.
e.g. MP4 creation_time of 0x00000000 (which appears frequently as the
default in mp4 files) was rendered as Feb 6, 2040 07:28:16 CET
Change-Id: I979aeeb8a625caad3dfbce114cff6f9967d59d6e
Reviewed-on: https://code.wireshark.org/review/35904
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There are some deltas between the UN*X epoch and other epochs that are
used in a number of places; put them into a header.
Change-Id: Ia2d9d69b9d91352d730d97d9e4897518635b4861
Reviewed-on: https://code.wireshark.org/review/35895
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The S/370-and-later TOD clock counts in microseconds, not seconds.
Change-Id: I0b11586df073ed589d69ffc014e6f8661dff3d31
Reviewed-on: https://code.wireshark.org/review/35891
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Those times are in seconds since January 1, 1904, 00:00:00 (proleptic?)
UTC.
MPEG-4 Part 14 (MP4) is based on QuickTime, so it uses classic Mac OS
time stamps, in seconds.
Change-Id: Ibcd7faf1b119d8acbb294c95b66ca0d1fb70cbb3
Reviewed-on: https://code.wireshark.org/review/35886
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Qt GUI uses proto_get_first_protocol() to find the list of protocols
and build the autocompletion list. As pinfo protocols are stored in
another list, they are kept aside.
Let's add them in the same list as normal protocols.
Bug: 16130
Change-Id: I9ff67ea4198a8cc6baf3ded584c48eadfb097092
Reviewed-on: https://code.wireshark.org/review/34778
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
If a ProtoField object was created, but not linked to a Proto, then the
strings field and all elements (depending on type) would leak.
This is a follow-up to g79fef2ae and fixes the real issue in g44870fb1.
Change-Id: I01880a92bb20fae45f68c754b07daeb07630deec
Reviewed-on: https://code.wireshark.org/review/34872
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Vasil Velichkov <vvvelichkov@gmail.com>
Reviewed-by: Roland Knall <rknall@gmail.com>
Add "native" support for the "zig-zag" version of a varint in proto.[ch] and
tvbuff.[ch]. Convert the use of varint in the KAFKA dissector to use the (new)
"native" API.
Ping-Bug: 15988
Change-Id: Ia83569203877df8c780f4f182916ed6327d0ec6c
Reviewed-on: https://code.wireshark.org/review/34386
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
These environment variables are read very frequently, read them once to
globals for performance improvment.
Change-Id: I4f05a5edca85b370674cc5f85fce40bd1af695cb
Reviewed-on: https://code.wireshark.org/review/34449
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A few dissectors need the functionality of adding a time field to a proto_tree
while also needing the "time to string" value (typically to show on a tree above).
The functionality to do "get value from tvb and convert to string" was being done
in packet-ntp.c.
Instead proto_tree_add_item_ret_time_string can be used with various encoding to
get the necessary functionality with less code duplication.
ENC_TIME_MIP6 was added as a result of the refactoring.
ABSOLUTE_TIME_NTP_UTC was added as another potential "base" type for time fields.
Change-Id: Ie460c33370b0af59ef60bdab893ce9d6eb23b94f
Reviewed-on: https://code.wireshark.org/review/34390
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
packet-frame.c calls proto_item_add_bitmask_tree with a zero length, be
sure not to trigger undefined behavior (right shift by 64). Observed
with the capture from Bug 15247.
Change-Id: I5b5b7f920a37365295603be7b915f51b39d99faf
Fixes: v2.1.0rc0-1776-gb9fb2ceb88 ("Add heuristic dissectors for the variable part of COTP CR and CC PDUs.")
Reviewed-on: https://code.wireshark.org/review/34108
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Note that even strings fetched with ENC_ASCII may contain them - bytes
with the 8th bit set get mapped to REPLACEMENT CHARACTER.
This means we can format STR_UNICODE fields with format_text(); do so.
Bug: 1372
Change-Id: Ia32c3a92d220ac5174ecd25f33e2d1f85cfb8cb8
Reviewed-on: https://code.wireshark.org/review/34080
Reviewed-by: Guy Harris <guy@alum.mit.edu>
proto_tree_add_item() does no validation if ENC_UTF_8 is used as the
encoding, so there's no guarantee that the value of a string field is
valid UTF-8, and in some dissectors UTF-8 strings are fetched with other
mechanisms and then added with proto_tree_add_string().
We need to do some cleanup on string handling.
Bug: 15848
Change-Id: Ifc43111dbb47c478fa11280f2f771d90202499fa
Reviewed-on: https://code.wireshark.org/review/33677
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It can't be null, and it must never be passed a null pointer.
Fixes Coverity CID 1445961.
Change-Id: Ifad962c51e23706fdc544326a45543fe11b73fd1
Reviewed-on: https://code.wireshark.org/review/33572
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That way, even if we're not building a protocol tree, so that you don't
get protocol tree items, you can get the display string, e.g. to use in
a column.
Replace the use of the "get display string" routines with calls to those
routines.
Change-Id: I23e3e88838bdf837d8660c271f78c79b7d1c5620
Reviewed-on: https://code.wireshark.org/review/33519
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a BASE_SHOW_ASCII_PRINTABLE flag for the "display" field, to use
with FT_BYTES and FT_UINT_BYTES fields; it specifies that, if the field
consists solely of printable ASCII characters, its value be displayed as
a string, in quotes. Have a routine hfinfo_format_bytes() to do that
formatting, depending on the display field value.
Add routines to fetch the display value of string and
FT_BYTES/FT_UINT_BYTES fields; for strings, it's the result of
hfinfo_format_text(), and for byte arrays, it's the result of
hfinfo_format_bytes().
Use BASE_SHOW_ASCII_PRINTABLE for extended attribute data in SMB and
SMB2. Use the routines in question for extended attribute names
(string) and data (bytes). That keeps us from displaying non-text
extended attribute data as if it were text.
Document BASE_SHOW_ASCII_PRINTABLE.
Change-Id: I24dcf459c14f00985e4daaf9b58f5933964eabd8
Reviewed-on: https://code.wireshark.org/review/33517
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's a rule for interpretation of the length field of counted-string and
counted-octet-string fields. This means it's 1) not a general rule for
interpreting integers and 2) not a character encoding, as it also
applies to octet strings and, even for character strings, it's
*orthogonal* to the character encoding.
Therefore, it should *not* be one of the character encoding values; it
should be a bit flag.
Make it so. This means that
1) a character encoding can be specified for Zigbee Cluster Library
strings (they appear to have multiple character encodings possible);
2) the test of it that tested it as if it were a flag will no longer get
confused by character encodings that set one or more of the bits in the
old encoding value;
3) you don't have to special-case the encoding value passed to
get_uint_value().
Put in a comment emphasizing that values that aren't character encodings
should *not* be placed in the set of character encodings.
Change-Id: I8f50aaee8ca60b0781044287e9b38111de38c81f
Reviewed-on: https://code.wireshark.org/review/33341
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The outputs of -T ek and -G elastic-mapping don't match. To be effective
the fields in the mapping report and the fields in the traffic output must
be the same.
2 issues have been fixed. The elastic-mapping requires the parent protocol
to be prepended to the field to match the traffic output. The field "dns.a"
has been changed to "dns_dns_a".
The traffic output prints some fields with a leading "text_". This happens
for some fields that have been created under a text only field. One example
is "dns.a", that was printed as "text_dns_a". This has been fixed by accessing
the parent hfinfo resulting in "dns_dns_a" as other fields for the dns
protocol.
Bug: 15759
Change-Id: Ibd000c865102ca49bb6a6394019a475483eae4cc
Reviewed-on: https://code.wireshark.org/review/33099
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Newer versions of elastic are using 'doc' as type. Change the code
according to that.
Fix point (4) of the linked bug.
Bug: 15763
Change-Id: Ia28102a0914c6308eb3516daa57af2e49ce9a4e5
Reviewed-on: https://code.wireshark.org/review/33111
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
This is the new standard in recent Elastic versions.
Fix point (3) of the linked bug.
Bug: 15763
Change-Id: I64ef085c2a8ad9d25ced30a337287c8cb77903e4
Reviewed-on: https://code.wireshark.org/review/33112
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Elastic integer fields are:
integer: signed 32 bit
long: signed 64 bit
Fix values in mapping. uint64 is not handled by elastic, but still
mapped on 'long'.
Fix point (2) of the linked bug.
Bug: 15763
Change-Id: I14afa1cb7fcb6ad98d44707a8b506420e29ceb83
Reviewed-on: https://code.wireshark.org/review/33109
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The string type is the default in elasticsearch, then there is no
need to put those entries in the mapping report. This shortens a lot
the list.
Small indentation fix, while here.
Change-Id: If304d409a3ee2c30f24b5de4d90be522bbfae41e
Ping-Bug: 15719
Reviewed-on: https://code.wireshark.org/review/33053
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Fixing some "implicit conversion loses integer precision" warnings
reported by clang with -Wshorten-64-to-32 option
Change-Id: Icd641d5f4fd8ff129f03f1b9e1da0fc86329f096
Reviewed-on: https://code.wireshark.org/review/31901
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Proto objects were only freed while reloading Lua plugins, be sure to
release these on program exit too. Fix missing deallocation of heur_list
(matches per-protocol cleanup in proto_cleanup_base).
Be sure to keep a reference to the "Pref" object after registering it to
a Proto, otherwise it could be garbage-collected early, resulting in
memleaks (because the preference was still in use).
Fixes a lot of memory leaks reported by ASAN for tests, ten tests were
affected by Proto_new leaks, four were affected by the new_pref leaks.
Change-Id: Ica52718849a33eda614775f533dc0fcefec9cc74
Reviewed-on: https://code.wireshark.org/review/31746
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Found by scan-build.
Change-Id: I467e56bfa4f20f5c87efa47823d54691503de318
Reviewed-on: https://code.wireshark.org/review/31486
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Found by clang-tidy.
Change-Id: Iaf6cf84c33b03ddfcd39a333b49f4987002afa56
Reviewed-on: https://code.wireshark.org/review/31338
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The (optional) JSON-GLib library adds dependencies on GObject, GIO. For
statically linked oss-fuzz builds it also adds libffi and more. To avoid
these dependencies, replace JSON-GLib by some custom code. This allows
`tshark -G elastic-mapping` to be enabled by default without extra deps.
API design goals of the new JSON dumper library:
- Small interface without a lot of abstraction.
- Avoid memory allocations if possible (currently none, but maybe
json_puts_string will be replaced to improve UTF-8 support).
- Do not implement parsing, this is currently handled by jsmn.
Methods to open/close array/objects and to set members are inspired by
the JsonGlib interface. The interfaces to write values is inspired by
the sharkd code (json_puts_string is also borrowed from that).
The only observed differences in the tshark output:
- JSON-GLib ignores duplicates, json_dumper does not and may produce
duplicates and currently print two "ip.opt.sec_prot_auth_unassigned".
- JSON-GLib adds a space before a colon (unimportant formatting detail).
- (Not observed, but UTF-8 strings will be wrong like bug 14948.)
A test was added to catch changes in the tshark output. I also fuzzed
json_dumper with libFuzzer + UBSAN/ASAN and fixed an off-by-one error.
Change-Id: I0c85b18777b04d1e0f613a3d59935ec59be87ff4
Link: https://www.wireshark.org/lists/wireshark-dev/201811/msg00052.html
Reviewed-on: https://code.wireshark.org/review/30732
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>