FragmentBoundsErrors aren't malformed, but add an expert warning
at the PI_NOTE level to hint to users that they may want to turn
on reassembly preferences.
Fix parsing of some IPv6 addresses and add tests.
Also pass tokens as unparsed unless the user was specfic about
the semantic type. For example the IPv4 address 1.1.1.1 is also a
valid field, but 1.1.1.1/128 is not (because of the slash). However
choose not to enforce the distinction in the lexical scanner and pass
everything as unparsed unless the meaning is explicit in the syntax
with leading dot, colon, or between angle branckets.
RTP dialogs can stay opened, therefore calls of its functions are
protected by locks. There was issue that same mutex was used during
construction of the dialog and calling functions. It created possible
deadlock.
Change separates lock used for dialog creation and lock for function calls.
When function call lock is locked, new calls are ignored and warning is
printed to STDERR. Showing a dialog with warning looks too intrusive to me.
Fixes#18025
PDUs on TCP streams can fail to be reassembled for a variety of reasons,
most of which can be determined by the TCP dissector before calling
a subdissector. However, individual subdissectors can have their own
preference indicating not to desegment, and this cannot be handled until
the subdissector calls tcp_dissect_pdus(). Fix#18027.
Restores support for filters such as "mac-lte", that was broken
in 330d408328.
This means we are not able to support arithmetic expressions with binary
minus without spaces.
$ dftest 'tcp.port == 1-2'
dftest: "1-2" is not a valid number.
The format and meaning of the bits in the Capability information field
has been different than what was implemented since at least 802.11-2016.
Defined in 9.4.1.4 Capability Information field.
After some experimentation I don't think these two existence tests
belong in the grammar, it's an implementation detail and removing it
might avoid some artificial constraints.
Add argument to dfilter_compile_real() to save syntax tree text
representation.
Use it with dftest to print syntax tree.
Misc debug output format improvements.
Fix
../plugins/epan/falco_bridge/packet-falco-bridge.c: In function ‘register_conversation_filters_mappings’:
../plugins/epan/falco_bridge/packet-falco-bridge.c:105:1: error: old-style function definition [-Werror=old-style-definition]
register_conversation_filters_mappings()
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To allow an arithmetic expressions without spaces, such as "1+2",
we cannot match the expression in other lexical rules using "+". Because
of longest match this becomes the token LITERAL or UNPARSED with semantic value
"1+2". The same goes for all the other arithmetic operators.
So we need to remove [+-*/%] from "word chars" and add very specific
patterns (that won't mistakenly match an arithmetic expression) for
those literal or unparsed tokens we want to support using these characters.
The plus was not a problem but right slash is used for CIDR, minus for
mac address separator, etc.
There are still some corner case. 11-22-33-44-55-66 is a mac
address and not the arithmetic expression with six terms "eleven
minus twenty two minus etc." (if we ever support more than two terms
in the grammar, which we don't currently).
We lift some patterns from the flex manual to match on IPv4 and
IPv6 (ugly) and add MAC address.
Other hypothetical literal lexical values using [+-*/%] are already
supported enclosed in angle brackets but the cases of MAC/IPv4/IPv6 are
are very common and moreover we need to do the utmost to not break backward
compatibily here.
Before:
$ dftest "_ws.ftypes.int32 == 1+2"
dftest: "1+2" is not a valid number.
After:
$ dftest "_ws.ftypes.int32 == 1+2"
Filter: _ws.ftypes.int32 == 1+2
Instructions:
00000 READ_TREE _ws.ftypes.int32 -> reg#0
00001 IF_FALSE_GOTO 4
00002 ADD 1 <FT_INT32> + 2 <FT_INT32> -> reg#1
00003 ANY_EQ reg#0 == reg#1
00004 RETURN
In most, if not all, programming languages logical AND has
higher precedence than logical OR. Apply the principle of
least surprise and do the same for Wireshark display
filters.
Before: ip and tcp or udp => ip and (tcp or udp)
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 5
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
After: ip and tcp or udp => (ip and tcp) or udp
Filter: ip and tcp or udp
Instructions:
00000 CHECK_EXISTS ip
00001 IF_FALSE_GOTO 4
00002 CHECK_EXISTS tcp
00003 IF_TRUE_GOTO 5
00004 CHECK_EXISTS udp
00005 RETURN
Rename LogsharkApplication to LogwolfApplication. Rename other Logshark
references in ui/qt_logshark to Logwolf. Update our CMake target and
variable names.
Rename init_progfile_dir to configuration_init. Add an argument which
specifies our configuration namespace, which can be "Wireshark"
(default) or "Logwolf".
Rename the main_window class and UIC files to wireshark_main_window and
the MainWindow class to WiresharkMainWindow. Copy wireshark_main_window
/ WiresharkMainWindow to logwolf_main_window / LogwolfMainWindow.
Remove the Wireless menu from Logwolf.
Move WiresharkApplication.{cpp,h} to MainApplication.{cpp,h}. Add back
WiresharkApplication as a thin superclass of MainApplication, similar to
LogsharkApplication. Change all of our wsApp references to mainApp. We
will likely have to change many or most of them back, but that's a
commit for another time.
Add a separate UI application named "Logshark". It's currently a very
thin superclass of Wireshark, but that will change over time. Based on
work by Loris Degioanni.
Port 3389 is IANA assigned for RDP, but on TCP it can appear over
TPKT with or without underlying TLS, depending on the RDP Security
Settings. Add a heuristic dissector for TPKT. The heuristic is a
little weak so disable it by default for the general case, but
register it as a PINO specifically for the IANA assigned port.
On port 3389, by default Wireshark now tries heuristics for TPKT
and TLS (ordering depending on whether "Try heuristic sub-dissectors
first" is enabled for TCP). Once it finds a packet that passes
the heuristics, it sets the conversation dissector and from then
on will desegment/report Continuation Data as appropriate. This
is nicer than having to manually configure Decode As for RDP
standard encryption (without TLS). Related to #17952, #17437.
Fix a failed assertion with constant arithmetic expressions.
Because we do not parse constants on the lexical level it is
more complicated to handle constant expressions with unparsed
values.
We need to handle missing type information gracefully for any
kind of arithmetic expression, not just unary minus.
