In many grammatical contexts fields are only tested for existence
instead of loading the values into a register, because that's all
that is needed to determine if a filter passes or not. Add a
dfilter option to load the field values from the tree and return
them when a field (including field at a certain protocol layer) is
the root of the filter syntax tree.

This is useful for columns, especially for parsing columns defined
with the layer operator, but it can't completely replace the current
custom column handling because we don't yet return exactly which
hfinfo was present, if more than one has the same abbreviation, and
it's possible for fields with the same abbreviation to have different
strings, and hence different "resolved" values.

$ ./run/dftest -s "@ip.proto#1"
Filter:
@ip.proto#1
Syntax tree:
0 FIELD(@ip.proto#[1:1] <FT_BYTES>)
Instructions:
0000 CHECK_EXISTS_R ip.proto#[1:1]
0001 RETURN

$ ./run/dftest -s "@ip.proto#1" --return-vals
Filter:
@ip.proto#1
Syntax tree:
0 FIELD(@ip.proto#[1:1] <FT_BYTES>)
Instructions:
0000 READ_TREE_R @ip.proto#[1:1] -> R0
0001 NO_OP
0002 RETURN R0
Related to #18588

Allow writing display filter plugins in C. Plugins can
register one or more display filter functions.

This should lower the barrier for implementing and sharing
new display feature extensions.

An example plugin will be provided in a follow-up commit.

TODO: Put some work into refactoring display filter headers.
Right now some plugin-related APIs are implemented in dfilter-int.h,
which we'd rather not install to the system.

Document the help and version option handling, including long option
form, the same for all the command line tools, both in their
help output and in any manpages. Add version option to randpkt.

Fix #15483

Add option to dump runtime data structures in a compiled display
filter. As the comment notes:

/* NOTE: References are loaded during runtime and dftest only does compilation.
 * Unless some static reference data is hard-coded at compile time during
 * development the --refs option to dftest is useless because it will just
 * print empty reference vectors. */

Expressions that start with a hyphen clash with command-line options.
In that case we need to pass "--" to dftest to stop processing
options.

Fix the test suite to do this. Fixes failures with dftest and
expressions like:

    -2 == tcp.port

Replace the GLib option parser with getopt while at it. The GLib API
is nice but isn't a good fit for this utility and the code appears to
be inconsistent on whether "--" is left in the argv or not.

Return a struct containing error information. This simplifies
the interface to more easily provide richer diagnostics in the future.

Add an error code besides a human-readable error string to allow
checking programmatically for errors in a robust manner. Currently
there is only a generic error code; this is expected to increase
in the future.

Move error location information to the struct. Change callers and
implementation to use the new interface.

If we don't have an offset, don't print anything with underline.
Also it can underline filters using macros correctly now.

$ tshark -Y 'ip and ${private_ipv4:ip.sr}' -r /dev/null
tshark: Left side of "==" expression must be a field or function, not "ip.sr".
ip and ip.sr == 192.168.0.0/16 or ip.sr == 172.16.0.0/12 or ip.sr == 10.0.0.0/8
       ^~~~~

Add location tracking as a column offset and length from offset
to the scanner. Our input is a single line only so we don't need
to track line offset.

Record that information in the syntax tree. Return the error location
in dfilter_compile(). Use it in dftest to mark the location of the
error in the filter string. Later it would be nice to use the location
in the GUI as well.

$ dftest "ip.proto == aaaaaa and tcp.port == 123"
Filter: ip.proto == aaaaaa and tcp.port == 123
dftest: "aaaaaa" cannot be found among the possible values for ip.proto.
ip.proto == aaaaaa and tcp.port == 123
            ^~~~~~

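As an added illustration, not the dfilter library's or dftest's own code, the following ties together the error-struct and location-tracking commits above: an error record that carries a code, a message and a column offset plus length, a stand-in for the scanner's location tracking, and a renderer that produces the caret/tilde marker, emitting only the filter line when no offset is available. The names df_error_t, df_locate_token and df_format_location are invented for this example.

```c
/* Added example, not Wireshark's dfilter/dftest code: a compact error record
 * that carries a column offset and length next to the message and code, and a
 * renderer for the "^~~~~" marker dftest prints under the offending token.
 * The names df_error_t, df_locate_token and df_format_location are invented
 * for this illustration. */
#include <stdio.h>
#include <string.h>

enum df_error_code {
    DF_ERROR_GENERIC = 1   /* the only code so far; more are expected later */
};

typedef struct {
    enum df_error_code code;  /* programmatically checkable error class */
    const char *msg;          /* human-readable diagnostic */
    long col_start;           /* column offset of the offending token, -1 if unknown */
    long col_len;             /* length of the token, 0 if unknown */
} df_error_t;

/* Stand-in for the scanner's location tracking: record where the first
 * occurrence of `token` sits in `filter`. Returns 0 when found, -1 otherwise
 * (leaving the location marked unknown). */
static int df_locate_token(const char *filter, const char *token, df_error_t *err)
{
    const char *hit = strstr(filter, token);

    err->col_start = -1;
    err->col_len = 0;
    if (hit == NULL || *token == '\0')
        return -1;
    err->col_start = (long)(hit - filter);
    err->col_len = (long)strlen(token);
    return 0;
}

/* Write the filter on one line and, when a location is known, a second line
 * with '^' under the first column of the token and '~' under the rest.
 * Without a usable offset only the filter line is emitted. Returns the number
 * of bytes written (excluding the NUL) or -1 if `out` is too small. */
static int df_format_location(const char *filter, const df_error_t *err,
                              char *out, size_t out_len)
{
    size_t flen = strlen(filter);
    size_t pos;

    if (flen + 1 >= out_len)         /* filter text plus '\n' must fit */
        return -1;
    memcpy(out, filter, flen);
    pos = flen;
    out[pos++] = '\n';

    if (err->col_start < 0 || err->col_len <= 0 ||
        (size_t)err->col_start >= flen) {
        out[pos] = '\0';             /* no usable location: underline nothing */
        return (int)pos;
    }

    /* Clamp the underline so it never runs past the end of the filter. */
    size_t start = (size_t)err->col_start;
    size_t len = (size_t)err->col_len;
    if (start + len > flen)
        len = flen - start;
    if (pos + start + len >= out_len)
        return -1;

    memset(out + pos, ' ', start);
    pos += start;
    out[pos++] = '^';
    memset(out + pos, '~', len - 1);
    pos += len - 1;
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed input mirroring the commit message's example. */
    const char *filter = "ip.proto == aaaaaa and tcp.port == 123";
    df_error_t err = { DF_ERROR_GENERIC,
                       "\"aaaaaa\" cannot be found among the possible values for ip.proto.",
                       -1, 0 };
    char buf[256];

    df_locate_token(filter, "aaaaaa", &err);
    if (df_format_location(filter, &err, buf, sizeof buf) > 0)
        printf("dftest: %s\n%s\n", err.msg, buf);
    return 0;
}
```

Because the location lives in the struct rather than in the message text, a caller such as a GUI can highlight the range itself, and the renderer's "offset unknown" branch gives the behaviour the underline commit asks for.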
Add argument to dfilter_compile_real() to save syntax tree text
representation.
Use it with dftest to print syntax tree.
Misc debug output format improvements.

Rename init_progfile_dir to configuration_init. Add an argument which
specifies our configuration namespace, which can be "Wireshark"
(default) or "Logwolf".

Using quotes is confusing because they are difficult to distinguish
from the actual filter expression itself. Quotes are unnecessary
anyway because whitespace is not significant (except inside brackets).

Instead of receiving the program name from GLib, pass it explicitly
to ws_log_init() instead and use that to initialize the GLib program
name.

ws_log_parse_args() will now exit the program when it encounters an
argument error if exit_failure >= 0.

Have routines to report capture-file errors, using libwireshark error
codes and strings, that call through a pointer, so they can pop up
dialogs in GUI apps, print a message to the standard error on
command-line apps, and possibly do something different on server
programs.

Have init_report_message() take a pointer to a structure containing those
function pointers, rather than the function pointers themselves, as
arguments.

Make other API changes to make that work.

Eliminate WTAP_FILE_TYPE_SUBTYPE_ERF and
WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL - instead, fetch the values by
name, using wtap_name_to_file_type_subtype().

This requires that wtap_init() be called before epan_init(); that's
currently the case, but put in comments to indicate why it must continue
to be the case.

In each of our executables we were calling "setlocale(LC_ALL, "")" at
startup. This told Windows that output was encoded using the current
system code page. Unless the code page was 65001 (UTF-8), this was a lie.
We write UTF-8 to stdout and stderr, so call "setlocale(LC_ALL, ".UTF-8")"
at startup on Windows. This lets the CRT translate our output correctly
in more cases.

Clarify and expand the OUTPUT section in the tshark man page.

Bug: 16649
Change-Id: If93231fe5b332c292946c7f8e5e813e2f543e799
Reviewed-on: https://code.wireshark.org/review/37560
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>

Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.

Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>