be done on flows from one address to another; reassembly for protocols
running atop TCP should be done on flows from one TCP endpoint to
another.
We do this by:
    adding "reassembly table" as a data structure;
    associating hash tables for both in-progress reassemblies and
    completed reassemblies with that data structure (currently, not
    all reassemblies use the latter; they might keep completed
    reassemblies in the first table);
    having functions to create and destroy keys in that table;
    offering standard routines for doing address-based and
    address-and-port-based flow processing, so that dissectors not
    needing their own specialized flow processing can just use them.
This fixes some mis-reassemblies of NIS YPSERV YPALL responses (where
the second YPALL response is processed as if it were a continuation of
a previous response between different endpoints, even though said
response is already reassembled), and also allows the DCE RPC-specific
stuff to be moved out of epan/reassembly.c into the DCE RPC dissector.
svn path=/trunk/; revision=48491
Fix indentation.
Fix a proto_tree_add_uint_format_value() call not to include the name of
the field - proto_tree_add_uint_format_value() will add that for you.
Have dte_address_util() take the offset of the address as an argument;
it's not always at the same offset from the beginning of the facility.
Have it return the pointer to the generated string directly, rather than
through a pointer argument.
Create only one subtree for each facility, and give it a text description
of the facility code rather than the numerical value of the facility
code. Make the top-level item for the facility cover all the bytes of
the facility, including code, length if present, and parameters.
Dissect the end-to-end transit delay and priorities facilities
completely. Also, fix an incorrect use of "transmit delay" to say
"transit delay".
Get rid of the last of the spaces preceding colons in "Field: value"
descriptions and in a "default:" case label.
Do the data vs. non-data packet thing with
    if (PACKET_IS_DATA(pkt_type)) {
        ...
    } else {
        ...
    }
rather than, in effect, doing the "else" with a break; that makes the
code a bit clearer.
Put the logical channel number into the protocol tree in common code for
the default case, rather than doing it separately for data and non-data
packets. Clean up the dissection of non-data packets to add entries
before updating the columns, so that we don't throw an exception
updating the columns before we get to add items that wouldn't throw
exceptions. Clear the Info column early in the dissection, in case we
throw an exception before getting to set it and thus leave behind the
column information for the protocol atop which we're running.
svn path=/trunk/; revision=48093
I wanted to just remove the decode_numeric_bitfield calls, but the dissector needs some MAJOR work. Cleaned up some with the power of value_strings, but I just got overwhelmed. There has got to be existing APIs to make this dissection simpler (besides being more filterable).
svn path=/trunk/; revision=45165
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.
tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.
My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.
The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.
svn path=/trunk/; revision=44802
packet-ax25.c and packet-arp.c.
Add an "ax25.pid" dissector table for those protocol IDs, use it in the
AX.25 dissector, and have dissectors register in that table with their
protocol IDs.
Get rid of some unneeded includes.
Clean up some "AX25"s in user-visible strings - say "AX.25" instead.
Clean up some indentation.
svn path=/trunk/; revision=44235
in the reassembly information both here and, for example, IPv4 fragment
reassembly, but perhaps those are redundant as well.)
svn path=/trunk/; revision=42321
Specifically: Replace FALSE|0 and TRUE|1 by ENC_BIG_ENDIAN|ENC_LITTLE_ENDIAN as
the encoding parameter for proto_tree_add_item() calls which directly reference
an item in hf[] which has a type of:
FT_UINT8
FT_UINT16
FT_UINT24
FT_UINT32
FT_UINT64
FT_INT8
FT_INT16
FT_INT24
FT_INT32
FT_INT64
FT_FLOAT
FT_DOUBLE
svn path=/trunk/; revision=39288
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols is a lot
stronger.)
svn path=/trunk/; revision=35224
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
The decoded value of Size Packet shown as "From the calling DTE" is the value
of "From the called DTE".
When the size packet to negotiate has any of 512, 1024, 2048 or 4096 bytes, the
value shown decoded is erroneous.
The patch attached also includes new decoded facilities:
- Extended CUG selection.
- Extended access outgoing CUG selection.
- Extended RPOA selection.
- NUI selection.
- Charging info selection.
- Call duration.
- Segment Count.
- Monetary Unit.
svn path=/trunk/; revision=24932
Add "Assume COTP" preference instead of hard coding
If there is no current dissector registered for X25 and there are no hints in
the call packets, X25 tries to look at user data, then tries heuristics. See end
of dissect_x25_common
This means that if the call data happens to start with 0x45, IP is assumed as
the data format even if the packet cannot be handled as IP (for instance too
short).
It is better to try the heuristics first as they should have more complete tests.
svn path=/trunk/; revision=24655
Fixed an offset for diagnostic in COL_INFO.
This file should really be rewritten to use more proto_tree_add_item's
instead of proto_tree_add_text's.
svn path=/trunk/; revision=22552
I've changed all settings I could find to TRUE. It might be reasonable to change some protocol settings back to FALSE, if reassembling fails very often.
svn path=/trunk/; revision=16048
directory to the epan directory. Some of them should perhaps ultimately
be moved to epan/dissectors, if they pertain only to stuff exported by a
particular dissector.
Fix Gerald's e-mail address in files we're moving.
svn path=/trunk/; revision=15844