Support for looking for incomplete dissectors.

Change-Id: I03e592dd3d54fc0e1c4af09d5d5336dda93f950e Reviewed-on: https://code.wireshark.org/review/6978 Reviewed-by: Evan Huus <eapache@gmail.com> Petri-Dish: Evan Huus <eapache@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-02-04 10:25:16 +01:00 · 2015-02-04 10:25:16 +01:00 · 60cc8b4fd8
parent 207b52a988
commit 60cc8b4fd8
5 changed files with 73 additions and 0 deletions
--- a/epan/dissectors/packet-frame.c
+++ b/epan/dissectors/packet-frame.c
@ -40,6 +40,7 @@
 #include <wsutil/md5.h>

 #include "packet-frame.h"
+#include "log.h"

 #include "color.h"
 #include "color_filters.h"
@ -91,6 +92,7 @@ static gint ett_comments = -1;

 static expert_field ei_comments_text = EI_INIT;
 static expert_field ei_arrive_time_out_of_range = EI_INIT;
+static expert_field ei_incomplete = EI_INIT;

 static int frame_tap = -1;

@ -626,6 +628,32 @@ dissect_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void*
 		pinfo->frame_end_routines = NULL;
 	}

+	if (prefs.enable_incomplete_dissectors_check && tree && tree->tree_data->visible) {
+		gchar* decoded;
+		guint length;
+		guint i;
+		guint byte;
+		guint bit;
+
+		length = tvb_captured_length(tvb);
+		decoded = proto_find_undecoded_data(tree, length);
+
+		for (i = 0; i < length; i++) {
+			byte = i / 8;
+			bit = i % 8;
+			if (!(decoded[byte] & (1 << bit))) {
+				field_info* fi = proto_find_field_from_offset(tree, i, tvb);
+				g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_WARNING,
+					"Dissector %s incomplete in frame %u: undecoded byte number %u "
+					"(0x%.4X+%u)\n",
+					(fi ? fi->hfinfo->abbrev : "[unknown]"),
+					pinfo->fd->num, i, i - i % 16, i % 16);
+				expert_add_info_format(pinfo, tree, &ei_incomplete,
+					"Undecoded byte number: %u (0x%.4X+%u)", i, i - i % 16, i % 16);
+			}
+		}
+        }
+
 	return tvb_captured_length(tvb);
 }

@ -819,6 +847,7 @@ proto_register_frame(void)
 	static ei_register_info ei[] = {
 		{ &ei_comments_text, { "frame.comment.expert", PI_COMMENTS_GROUP, PI_COMMENT, "Formatted comment", EXPFILL }},
 		{ &ei_arrive_time_out_of_range, { "frame.time_invalid", PI_SEQUENCE, PI_NOTE, "Arrival Time: Fractional second out of range (0-1000000000)", EXPFILL }},
+		{ &ei_incomplete, { "frame.incomplete", PI_UNDECODED, PI_WARN, "Incomplete dissector", EXPFILL }}
 	};

 	module_t *frame_module;
--- a/epan/prefs.c
+++ b/epan/prefs.c
@ -2569,6 +2569,11 @@ prefs_register_modules(void)
                                   "Display all byte fields with a space character between each byte in the packet list.",
                                   &prefs.display_byte_fields_with_spaces);

+    prefs_register_bool_preference(protocols_module, "enable_incomplete_dissectors_check",
+                                   "Look for incomplete dissectors",
+                                   "Look for dissectors that left some bytes undecoded.",
+                                   &prefs.enable_incomplete_dissectors_check);
+
    /* Obsolete preferences
     * These "modules" were reorganized/renamed to correspond to their GUI
     * configuration screen within the preferences dialog
--- a/epan/prefs.h
+++ b/epan/prefs.h
@ -204,6 +204,7 @@ typedef struct _e_prefs {
  guint        tap_update_interval;
  gboolean     display_hidden_proto_items;
  gboolean     display_byte_fields_with_spaces;
+  gboolean     enable_incomplete_dissectors_check;
  gpointer     filter_expressions;/* Actually points to &head */
  gboolean     gui_update_enabled;
  software_update_channel_e gui_update_channel;
--- a/epan/proto.c
+++ b/epan/proto.c
@ -6966,6 +6966,36 @@ proto_find_field_from_offset(proto_tree *tree, guint offset, tvbuff_t *tvb)
 	return offsearch.finfo;
 }

+
+static gboolean
+check_for_undecoded(proto_node *node, const gpointer data)
+{
+	field_info *fi = PNODE_FINFO(node);
+	gchar* decoded = (gchar*)data;
+	gint i;
+	guint byte;
+	guint bit;
+
+	if (fi && fi->hfinfo->type != FT_PROTOCOL) {
+		for (i = fi->start; i < fi->start + fi->length; i++) {
+			byte = i / 8;
+			bit = i % 8;
+			decoded[byte] |= (1 << bit);
+		}
+	}
+
+	return FALSE;
+}
+
+gchar*
+proto_find_undecoded_data(proto_tree *tree, guint length)
+{
+	gchar* decoded = (gchar*)wmem_alloc0(wmem_packet_scope(), length / 8 + 1);
+
+	proto_tree_traverse_pre_order(tree, check_for_undecoded, decoded);
+	return decoded;
+}
+
 /* Dumps the protocols in the registration database to stdout.	An independent
 * program can take this output and format it into nice tables or HTML or
 * whatever.
--- a/epan/proto.h
+++ b/epan/proto.h
@ -2235,6 +2235,14 @@ proto_construct_match_selected_string(field_info *finfo, struct epan_dissect *ed
 WS_DLL_PUBLIC field_info*
 proto_find_field_from_offset(proto_tree *tree, guint offset, tvbuff_t *tvb);

+/** Find undecoded bytes in a tree
+ @param tree tree of interest
+ @param offset offset in the tvb
+ @param length the length of the frame
+ @return an array to be used as bitmap of decoded bytes */
+WS_DLL_PUBLIC gchar*
+proto_find_undecoded_data(proto_tree *tree, guint length);
+
 /** This function will dissect a sequence of bytes that describe a bitmask.
 @param tree the tree to append this item to
 @param tvb the tv buffer of the current data