To complete the set of equality operators add an "all equal"
operator that matches a frame if all fields match the condition.
The symbol chosen for "all_eq" is "===".
Add an UAT for configuring fake headers according to the server port, stream
id and direction of the long-lived stream that we start capturing packets
after it is established. That helps to parsing the DATAs captured subsequently.
A testcase also added.
close#17691
For double quoted strings. This is consistent with single quote
character constants and the C standard. It also avoids common
mistakes where the superfluous backslash is silently suppressed.
PCRE2 is mature, widely used and widely available. Supporting two
different RE implementations, one of which is unmaintained, is
unnecessary and counter-productive.
PCRE2 is the future of PCRE. The only advantage of GRegex is that
it comes bundled with GLib, which is not an advantage at all.
PCRE2 is widely available, the GRegex abstractions layer are not a
good fit and abstract things that don't need abstracting or that we
could handle better ourselves, there are open bugs (#12997) and
maintenance is spotty at best.
GRegex comes with many of the problems of bundled code, aggravated by
the fact that it completely falls outside of our control.
Deprecate the usage of significant whitespace to separate set elements
(or anywhere else for that matter). This will make the implementation
simpler and cleaner and the language more expressive and user-friendly.
When OpenReceiveChannel/OpenReceiveChannelAck and
StartMediaTransmission/StartMediaTransmissionAck messages are seen, RTP
streams are created so Wireshark decodes related UDP as RTP.
Note: Multichannel commands (e.g. OpenMultiMediaReceiveChannel) are not
processed as I have no sample to test it.
Wireshark defines the relation of equality A == B as
A any_eq B <=> An == Bn for at least one An, Bn.
More accurately I think this is (formally) an equivalence
relation, not true equality.
Whichever definition for "==" we choose we must keep the
definition of "!=" as !(A == B), otherwise it will
lead to logical contradictions like (A == B) AND (A != B)
being true.
Fix the '!=' relation to match the definition of equality:
A != B <=> !(A == B) <=> A all_ne B <=> An != Bn, for
every n.
This has been the recomended way to write "not equal" for a
long time in the documentation, even to the point where != was
deprecated, but it just wasn't implemented consistently in the
language, which has understandably been a persistent source
of confusion. Even a field that is normally well-behaved
with "!=" like "ip.src" or "ip.dst" will produce unexpected
results with encapsulations like IP-over-IP.
The opcode ALL_NE could have been implemented in the compiler
instead using NOT and ANY_EQ but I chose to implement it in
bytecode. It just seemed more elegant and efficient
but the difference was not very significant.
Keep around "~=" for any_ne relation, in case someone depends
on that, and because we don't have an operator for true equality:
A strict_equal B <=> A all_eq B <=> !(A any_ne B).
If there is only one value then any_ne and all_ne are the same
comparison operation.
Implementing this change did not require fixing any tests so it
is unlikely the relation "~=" (any_ne) will be very useful.
Note that the behaviour of the '<' (less than) comparison relation
is a separate, more subtle issue. In the general case the definition
of '<' that is used is only a partial order.
Matches is a special case that looks on the RHS and tries
to convert every unparsed value to a string, regardless
of the LHS type. This is not how types work in the display
filter. Require double-quotes to avoid ambiguity, because
matches doesn't follow normal Wireshark display filter
type rules. It doesn't need nor benefit from the flexibility
provided by unparsed strings in the syntax.
For matches the RHS is always a literal strings except
if the RHS is also a field name, then it complains of an
incompatible type. This is confusing. No type can be compatible
because no type rules are ever considered. Every unparsed value is
a text string except if it happens to coincide with a field
name it also requires double-quoting or it throws a syntax error,
just to be difficult. We could remove this odd quirk but requiring
double-quotes for regular expressions is a better, more elegant
fix.
Before:
Filter: tcp matches "udp"
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp.srcport
dftest: tcp and udp.srcport are not of compatible types.
Filter: tcp matches udp.srcportt
Constants:
00000 PUT_PCRE udp.srcportt -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
After:
Filter: tcp matches "udp"
Constants:
00000 PUT_PCRE udp -> reg#1
Instructions:
00000 READ_TREE tcp -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_MATCHES reg#0 matches reg#1
00003 RETURN
Filter: tcp matches udp
dftest: "udp" was unexpected in this context.
Filter: tcp matches udp.srcport
dftest: "udp.srcport" was unexpected in this context.
Filter: tcp matches udp.srcportt
dftest: "udp.srcportt" was unexpected in this context.
The error message could still be improved.
It won't work with embedded null bytes so don't try. This is
not an additional restriction, it just removes a hidden failure
mode. To support matching embedded NUL bytes we would have
to use an internal string representation other than
null-terminated C strings (which doesn't seem very onerous with
GString).
Before:
Filter: http.user_agent == 41:42:00:43
Constants:
00000 PUT_FVALUE "AB" <FT_STRING> -> reg#1
Instructions:
00000 READ_TREE http.user_agent -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
After:
Filter: http.user_agent == 41:42:00:43
Constants:
00000 PUT_FVALUE "41:42:00:43" <FT_STRING> -> reg#1
Instructions:
00000 READ_TREE http.user_agent -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
FT_PROTOCOL and FT_BYTES are the same semantic type, but one is
backed by a GByteArray and the other by a TVBuff. Use the same
semantic rules to parse both. In particular unparsed strings
are not converted to literal strings for protocols.
Before:
Filter: frame contains 0x0000
Constants:
00000 PUT_FVALUE 30:78:30:30:30:30 <FT_PROTOCOL> -> reg#1
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_CONTAINS reg#0 contains reg#1
00003 RETURN
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
After:
Filter: frame contains 0x0000
dftest: "0x0000" is not a valid byte string.
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
Related to #17634.
Store all user specified values from the "Import from Hex Dump"
dialog in a profile import_hexdump.json file.
Set default ExportPDU dissector to "data".
Fixed a minor typo in a help text.
This patch adds support for the ISO 10681-2 protocol, which is similar
to the ISO 15765-2 protocol (see packet-iso15765.c).
This patch also add support for registering combined FlexRay IDs to
register the new dissector.
This patch adds support for LIN (Local Interconnect Network) as
well as support for:
- Signal PDUs on LIN
- ISO 15765 (ISO TP) on LIN
- TECMP transported LIN is handle like LIN
LIN is a simple automotive fieldbus to connect for example simple
sensors and actuators to an electronic control unit.
Add support for a literal string specification copied from Python
raw strings[1].
Raw string literals are enclosed with r"..." or R"...". Double quotes
can be include in the string but they must be escaped with backslash.
In escape sequences backslashes are preserved in the final result.
So for example the string "a\\\"b" is the same as r"a\"b".
r"\\\a" is the same as "\\\\\\a".
Raw strings should be used for convenience wherever a regular expression
is used in a display filter expression.
[1]https://docs.python.org/3/reference/lexical_analysis.html#string-and-bytes-literals
Default to taking the VLAN ID into account when reassembling only
for private IPv4 addresses as defined by RFC 1918 and for link-local
addresses. Otherwise, do not take the VLAN ID into account unless
the "Enable stricter conversation tracking heuristics" preference
is enabled. Fixes#14356.
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
Run
git diff --name-only --diff-filter=A v3.5.0rc0.. epan/dissectors/{file,packet}-*.c plugins
and add any missing dissectors to the release notes. Take the liberty of
fixing up some dissector names and clean up some whitespace.
Added documentation on the Regular Expression import mode
Added documentation for the associated ui-fields
Updated the screenshot for the import-from-hexdump dialog
Added a screenshot of the Regular expression mode tab
Updated the documentation for the updated Timestamp format
Added an entry in the release notes about this new/updated feature
Here's a grab bag of trivial cleanup to the documentation. This change:
- Cleans up some comments in the asciidoctor macros which are no longer
accurate (and do not appear in the build products anyway).
- Fixes a missing space in the text "Wireshark Q&A" in the release notes.
- Allows the "docbook" backend to produce hyperlinks too... That seems to be
necessary if we want to start using our custom link macros in WSDG, which
seems like a reasonable thing to do. And fixes up a wrong variable name in
the handling of the case where we are not able to produce a hyperlink.
This pull request includes:
* The "Follow DCCP stream" feature.
* Updated docbook documentation for the "Follow DCCP stream" feature.
* Test for the feature.
* Corresponding packet trace for the test.
Also modified eCPRI dissector to call it for payloads. This dissector will
claim the "IQ Data" and "Real-Time Control Data" message types - others
are still handled by eCPRI.
Make Protobuf fields that are not serialized on the wire (missing in
capture files) to be displayed with default values by setting the new
'add_default_value' preference. The default values might be explicitly
declared in 'proto2' files, or false for bools, first value for enums,
zero for numeric types.
Default values are generated in epan/protobuf_lang_tree.c during the
nodes of fields are created. The default_value_xxx() methods of field
descriptor are added into epan/protobuf-helper.c/h and
epan/protobuf_lang_tree.c/h files.
close#17000
The google.protobuf.Timestamp is a standard protobuf message type and
consists of seconds and nanos fields. We dissect protobuf field in
google.protobuf.Timestamp type as wireshark FT_ABSOLUTE_TIME field.
And add tvb_get_protobuf_field_uint() to make it easy to get a
Protobuf field of varint type from the tvb.
close#16927
Added a dissector to reassemble IPP Over USB packets and pass them to
the HTTP dissector. Added a display filter so IPPUSB packets can be
filtered. Dissector checks to ensure semgent is IPPUSB and supports
reassembly of send-documents and print-job documents. It also supports
the reassembly and dissection of packets that are truncted or
incomplete.
Change-Id: Icc9525592c07b00baaac887a70bc9e7568273016
It's possible to play opus payload with libopus (https://opus-codec.org/).
Closes#16882.
Helped-by: Pascal Quantin <pascal.quantin@gmail.com>
Signed-off-by: Lin Sun <lin.sun@zoom.us>
Signed-off-by: Yuanzhi Li <ryanlee@mail.ustc.edu.cn>
Stream Specification: https://www.ilda.com/resources/StandardsDocs/ILDA_IDN-Stream_rev001.pdf
The stream specification only defines IDN messages. The other packet commands
like ping request, ping response, etc. (see line 25 - 31 in packet-idn.c)
are part of the hello specification which is not released yet. We were still
able to implement some hello packets since we received a preliminary version
of the hello specification, because we need the hello packets for our work.
related to #16707
Bug: 16764
Change-Id: Iff902150491c984d3069c1b83acef9c2c8ce12c7
Reviewed-on: https://code.wireshark.org/review/38106
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a new top-level view that shows each packet as a series of diagrams
similar to what you'd find in a networking textook or an RFC.
Add proto_item_set_bits_offset_len so that we can display some diagram
fields correctly.
Bugs / to do:
- Make this a separate dialog instead of a main window view?
- Handle bitfields / flags
Change-Id: Iba4897a5bf1dcd73929dde6210d5483cf07f54df
Reviewed-on: https://code.wireshark.org/review/37497
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Id33135d82f30f0d88910b994492b4a64ac170d84
Reviewed-on: https://code.wireshark.org/review/38105
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It is send from DCAgent to FSSO collector using UDP 8002 packet
It is based on analysis of protocol (and log)
Bug: 16657
Change-Id: I2e23a403a103c25820d714446d4e3245af04e876
Reviewed-on: https://code.wireshark.org/review/37547
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
sshdump can now be copied in multiple instances. Each instance will
show up a different interface and will have its own profile.
This will help users connecting to different hosts. Instead of changing
profiles, sshdump can be cloned, and each instance will be used for a
single host.
Change-Id: If4fb42cf78021c6f16213ae91cbf41ec7f61ca77
Reviewed-on: https://code.wireshark.org/review/37883
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The Technically Enhanced Capture Module Protocol (TECMP) allows the
transport of data recorded on different technologies (e.g. Ethernet,
CAN, LIN, FlexRay). A typical usage scenario is data recording in
vehicles, e.g. for validating and testing autonomous driving.
Bug: 16661
Change-Id: If7c08529049cc1d30d9a5640b4216eac83546800
Reviewed-on: https://code.wireshark.org/review/37610
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a new button to the Decode As dialog to copy entries from
another profile.
Change-Id: Ia04edd063bd2eba14b2b14acfd53b03111646f7e
Reviewed-on: https://code.wireshark.org/review/37616
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Add a dissector for Asphodel (https://bitbucket.org/suprocktech/asphodel).
Asphodel is a protocol for streaming real-time data from sensors in industrial
environments. This protocol dissector supports complete dissection of the UDP
advertisment packets, and simple dissection of the TCP command and stream data.
Sample Capture:
https://wiki.wireshark.org/SampleCaptures#Asphodel_Protocol
Change-Id: I6a7f730a4ce5349ac48b4fd86e61429983af5bf9
Reviewed-on: https://code.wireshark.org/review/37318
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>