Allow the traffic columns to automatically sort on secondary columns if
applicable. e.g. the address and port column for TCP and UDP, or the
secondary address for conversations
CMake 3.19 added support for CMakePresets.json and
CMakeUserPresets.json, which let you prepopulate various configure,
build, and test options. Add CMakeUserPresets.json to .gitignore as
recommended by the documentation and add an example to the Developer's
Guide. CMake uses 2-space indentation; specify that for CMake*.json in
.editorconfig.
Allow the endpoint and conversation dialogs to have detachable
tabs. At the same time move the tree functionality to a subclass
to better be able to handle the context menu when detached.
Right now, still a lot of tree stuff is in the tabwidget, but
could be moved to the tree for the future
Rename the following build targets, similar to the recent macOS target
name changes:
nsis_package_prep to wireshark_nsis_prep
nsis_package to wireshark_nsis
Rename some NSIS files to reflect that they're specific to Wireshark.
Update the documentation and CI configurations.
Rename the following build targets:
app_bundle to wireshark_app_bundle
dmg_package_prep to wireshark_dmg_prep
dmg_package to wireshark_dmg
Add logwolf_app_bundle, logwolf_dmg_prep, and logwolf_dmg targets and
packaging assets. Update the documentation.
We need to add a set of Logwolf version variables to CMake and
make-version.pl. Add a static logwolf-version attribute to
attributes.adoc in the mean time.
Add the de facto standard Lua regex API to Wireshark. Upstream
code is copied verbatim and the module opened in the "rex" table.
This is just a user convenience and developer quality of life improvement
over the GRegex Lua API because it has always been possible to
load lrexlib-pcre2 as a Lua module from Wireshark.
This code has been unmaintained and does not pass the lrexlib test
suite. GRegex itself has been obsolescent for some time, although GNOME
has recently restarted trying to move it to PCRE2.
Remove it in preparation for a move to lrexlib-pcre2.
Download our third party libraries and drivers from dev-libs.wireshark.org
in win-setup.ps1. Automatically check our state based on our library
filenames and hashes instead of a manually updated tag.
Field infos have a length property that was not stored with the
field value so when using a negative index the end was computed
from the captured length of the frame tvbuff, leading to incorrect
results. The documentation in wireshark-filter(5) describes how
this was supposed to work but as far as I can tell it never worked
properly.
We now store the length and use that (when it is different from -1)
to locate the end of the protocol data in the tvbuff. An extra wrinkle
is that sometimes the length is set after the field value is created.
This is the most common case as the majority of protocols have a
variable length and dissection generally proceeds with a TVB subset from
the current layer (with offset zero) through all remaining layers to the
end of the captured length. For that reason we must use an expedient to allow
changing the protocol length of an existing protocol fvalue, whenever
proto_item_set_len() is called.
Fixes#17772.
For the upcoming 4.0 release, switch the default file format for
text2pcap to pcapng from pcap, to match other tools and the GUI
behavior. Update the documentation and release notes appropriately.
Deprecate the old -n flag; since pcapng is the default this has no
effect. Changing the output capture file format is supported with
the -F option, consistent with the other command line tools.
Related to #18009.
Users might want to download a source tarball and build an RPM
package from it.
Have git-export-release.sh use git-archive's 'export-subst' feature
so that it can detect whether it is being run from a git repository
versus run from source extracted from a tarball produced by git-archive.
In the latter case, produce a helpful console message telling the
user to copy the downloaded tarball into the binary directory so
that the rpm-package target can succeed. Also update the Developer's
Guide to suggest this as well.
We could try to create our own archive using tar, but there are
several possible gotchas, such as in-source builds, excluding a build
directory that is a subdirectory of the source dir, excluding unknown
different build directories from previous builds, dealing with different
options in different versions of tar, etc. This is good enough for
the common case, and anyone who wants something more complicated can
hopefully create their own tarball.
Fix#15167
Add support to display filters for matching a specific layer within a frame.
Layers are counted sequentially up the protocol stack. Each protocol
(dissector) that appears in the stack is one layer.
LINK-LAYER#1 <-> IP#1 <-> TCP#1 <-> IP#2 <-> TCP#2 <-> etc.
The syntax allows for negative indexes and ranges with the usual semantics
for slices (but note that counting starts at one):
tcp.port#[2-4] == 1024
Matches layers 2 to 4 inclusive.
Fixes#3791.
Sparklines should display to the user, which interfaces are active
and ready for capture. Additionally it should be easy to find active
interfaces, without filtering first.
This change reorders the interface list, in order to sort active
interfaces on top, as well as hide information if no packet has been
received on that interface, to ensure that the user can find active
interfaces faster, making it easier to capture on systems where
the interfaces have very generic names.
The interface context menu has been amended to allow interfaces to be
hidden/unhidden from the main interface list as well
This allows writing moderately complex expressions, for example
a float epsilon test (#16483):
Filter: {abs(_ws.ftypes.double - 1) / max(abs(_ws.ftypes.double), abs(1))} < 0.01
Syntax tree:
0 TEST_LT:
1 OP_DIVIDE:
2 FUNCTION(abs#1):
3 OP_SUBTRACT:
4 FIELD(_ws.ftypes.double)
4 FVALUE(1 <FT_DOUBLE>)
2 FUNCTION(max#2):
3 FUNCTION(abs#1):
4 FIELD(_ws.ftypes.double)
3 FUNCTION(abs#1):
4 FVALUE(1 <FT_DOUBLE>)
1 FVALUE(0.01 <FT_DOUBLE>)
Instructions:
00000 READ_TREE _ws.ftypes.double -> reg#1
00001 IF_FALSE_GOTO 3
00002 SUBRACT reg#1 - 1 <FT_DOUBLE> -> reg#2
00003 STACK_PUSH reg#2
00004 CALL_FUNCTION abs(reg#2) -> reg#0
00005 STACK_POP 1
00006 IF_FALSE_GOTO 24
00007 READ_TREE _ws.ftypes.double -> reg#1
00008 IF_FALSE_GOTO 9
00009 STACK_PUSH reg#1
00010 CALL_FUNCTION abs(reg#1) -> reg#4
00011 STACK_POP 1
00012 IF_FALSE_GOTO 13
00013 STACK_PUSH reg#4
00014 STACK_PUSH 1 <FT_DOUBLE>
00015 CALL_FUNCTION abs(1 <FT_DOUBLE>) -> reg#5
00016 STACK_POP 1
00017 IF_FALSE_GOTO 18
00018 STACK_PUSH reg#5
00019 CALL_FUNCTION max(reg#5, reg#4) -> reg#3
00020 STACK_POP 2
00021 IF_FALSE_GOTO 24
00022 DIVIDE reg#0 / reg#3 -> reg#6
00023 ANY_LT reg#6 < 0.01 <FT_DOUBLE>
00024 RETURN
We now use a stack to pass arguments to the function. The
stack is implemented as a list of lists (list of registers).
Arguments may still be non-existent to functions (this is
a feature). Functions must check for nil arguments (NULL lists)
and handle that case.
It's somewhat complicated to allow literal values and test compatibility
for different types, both because of lack of type information with
unparsed/literal and also because it is an underdeveloped area in the
code. In my limited testing it was good enough and useful, further
enhancements are left for future work.
The same hierarchy of protocols can appear multiple times in a frame,
for example if there are multiple PDUs for a protocol that begin in
that frame. Keep track of the last frame where we incremented our
stat node and use that to only increment it once per frame.
Add a "total number of PDUs with this hierarchy" statistic and
display it as a new final column in the GUI. Update the User Guide.
In the purpose of doing this, get rid of temporary variables and
increment the ph_stats_t members directly, since we pass that
into our functions already, and thus have access to the current
packet count.
Fix#17553. Fix#18034. Fix#12565.
This removes the limitation of having only two terms in an
arithmetic expression and allows setting the precedence using
curly braces (like any basic calculator).
Our grammar currently does not allow grouping arithmetic expressions
using parenthesis, because boolean expressions and arithmetic
expressions are different and parenthesis are used with the former.
If we're running in the Logwolf configuration namespace, look for
extcaps in a directory named "extlog". This paves the way for adding
log-specific capture utilities.
Instead of saying a leading colon will make any token a literal
value, say it is part of the syntax of bytes arrays. This is
useful to write bytes without a separator, and other potentially
ambiguous formats.
The restriction in meaning to bytes and simple numeric values
should make the rules for handling a leading colon (specifically
ommiting it or not) saner without much loss of functionality.
In most, if not all, programming languages logical AND has
higher precedence than logical OR. Apply the principle of
least surprise and do the same for Wireshark display
filters.
Before: ip and tcp or udp => ip and (tcp or udp)
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 5
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
After: ip and tcp or udp => (ip and tcp) or udp
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 4
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
Add support for display filter binary addition and subtraction.
The grammar is intentionally kept simple for now. The use case
is to add a constant to a protocol field, or (maybe) add two
fields in an expression.
We use signed arithmetic with unsigned numbers, checking for
overflow and casting where necessary to do the conversion.
We could legitimately opt to use traditional modular arithmetic
instead (like C) and if it turns out that that is more useful for
some reason we may want to in the future.
Fixes#15504.
Release (uncomment) text added in 9b074122
Add popup menu text
Add screen shots and pngcrush per 9ed7568f
Update View menu screenshot to include Packet Diagram
If USE_qt6 is enabled, set CMAKE_PREFIX_PATH to WIRESHARK_QT6_PREFIX_PATH
if it's defined. This lets you more easily switch between Qt 5 and
6 builds. Note that we have experimental support for Qt 6 in the
Developer's Guide.
Add support for masking of bits. Before the bitwise operator
could only test bits, it did not support clearing bits.
This allows testing if any combination of bits are set/unset
more naturally with a single test. Previously this was only
possible by combining several bitwise predicates.
Bitwise is implemented as a test node, even though it is not.
Maybe the test node should be renamed to something else.
Fixes#17246.
The representation "~= has been superseded by "!==" with the same
meaning, making it superfluous and somewhat confusing. Deprecate
"~=" and recommend "!==" instead.
* Add missing commas and hyphens
* Remove extra apostrophes
* Use consistent spelling for some
* English words like gray/grey
and behavior/behaviour
* Remove that "Control" is "Strg" in German.
* Correct usage of a vs an
* Minor rephrasing in a few locations
Create a Wireshark.dSYM bundle for our debugging symbols. Create a
separate .dmg for the dSYM bundle, similar to what we do for Windows.
`dwarfdump --uuid run/Wireshark.dSYM` returns what app
This reduces the size of the application bundle and .dmg quite a bit
(sizes measured with `du -sm`):
51 Wireshark 3.7.0 Intel 64.dmg
81 Wireshark dSYM 3.7.0 Intel 64.dmg
182 Wireshark.app
262 Wireshark.dSYM
Comparisons require a field-like value on one of the sides,
or both. Change this to require on the LHS or both. There is
realy no reason that I can see to allow the relation to commute,
and it allows removing a lot of unnecessary code and extra tests.
The syntax for protocols and some literals like numbers
and bytes/addresses can be ambiguous. Some protocols can
be parsed as a literal, for example the protocol "fc"
(Fibre Channel) can be parsed as 0xFC.
If a numeric protocol is registered that will also take
precedence over any literal, according to the current
rules, thereby breaking numerical comparisons to that
number. The same for an hypothetical protocol named "true",
etc.
To allow the user to disambiguate this meaning introduce
new syntax.
Any value prefixed with ':' or enclosed in <,> will be treated
as a literal value only. The value :fc or <fc> will always
mean 0xFC, under any context. Never a protocol whose filter
name is "fc".
Likewise any value prefixed with a dot will always be parsed
as an identifier (protocol or protocol field) in the language.
Never any literal value parsed from the token "fc".
This allows the user to be explicit about the meaning,
and between the two explicit methods plus the ambiguous one
it doesn't completely break any one meaning.
The difference can be seen in the following two programs:
Filter: frame == fc
Constants:
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF-FALSE-GOTO 5
00002 READ_TREE fc -> reg#1
00003 IF-FALSE-GOTO 5
00004 ANY_EQ reg#0 == reg#1
00005 RETURN
--------
Filter: frame == :fc
Constants:
00000 PUT_FVALUE fc <FT_PROTOCOL> -> reg#1
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
The filter "frame == fc" is the same as "filter == .fc",
according to the current heuristic, except the first form
will try to parse it as a literal if the name does not
correspond to any registered protocol.
By treating a leading dot as a name in the language we
necessarily disallow writing floats with a leading dot. We
will also disallow writing with an ending dot when using
unparsed values. This is a backward incompatibility but has
the happy side effect of making the expression {1...2}
unambiguous.
This could either mean "1 .. .2" or "1. .. 2". If we require
a leading and ending digit then the meaning is clear:
1.0..0.2 -> 1.0 .. 0.2
Fixes#17731.
Add a separate menu for Strip Headers (similar to Export PDU, but exporting
to an encapsulation other than WIRESHARK_UPPER_PDU everything for
that encapsulation). Add to the usage output of tshark for the "-U"
option which encapsulation a export tap will produce.
Allow export PDU taps to be registered with a wiretap encapsulation
instead of always using WTAP_ENCAP_WIRESHARK_UPPER_PDU. This allows
creating normal capture files that aren't tied to wireshark without
having to do a "editcap -C -L -T", as well as creating files in
formats other than pcapng and pcap with tshark.
Provide a couple sample implementations in Ethernet (WTAP_ENCAP_ETHERNET)
and IP (v4 and v6, WTAP_ENCAP_RAW_IP) that are the most common use cases.
(I can imagine a few others; WTAP_ENCAP_MPEG_2_TS could probably be
useful, for example.) Fixes#15141
Update the text2pcap man page and the Import from Hexdump WSUG
page to clarify how to use it, for grammar, and to remove a few
things that are no longer relevant. (E.g., it's no longer the case that
files without an EOL don't work.)
Fix#15563, #15564.
We keep our various packaging assets in the "packaging" directory. Move
the Debian assets there. dpkg-buildpackage doesn't seem appear to have a
"debian directory path" option, but symlinking worked in my test
container.
Add an option to text2pcap to specify the encapsulation type
via wiretap encapsulation type short names instead of pcap
link layer types, similar to editcap.
Update the documentation to reflect this.
In text2pcap and Import from Hex Dump, allow fake IP headers with
the appropriate versions when the Raw IP, Raw IPv4, and Raw IPv6
encapsulations are specified. In such cases, do not add a dummy
Ethernet header.
Continue to reject other encapsulations besides these, Ethernet,
and Wireshark Upper PDU when appropriate. Add some checks for the
encapsulation type in text_import as well, instead of just assuming
that the callers handle it correctly.
(Yes, the top-level page calls it the "User's Guide", but it has a
section called the "User's Guide", as well as an "Introduction" and
sections about development with Npcap and about the Npcap internals.)
It's not obvious that making a GitLab fork private will disassociate it
from the upstream repository, and it seems to have tripped up a couple
of people. Add a warning to the "Creating Merge Requests" section.
Support all possible file formats that wiretap writes, using the
same "-F" flag that other CLI tools like editcap, mergecap, and tshark
support. Default is still pcap for now; a future commit will switch
to pcapng and remove the "-n" option, to match other CLI tools.
Chuck Craft