Add a dissector table indexed by the file type, and, for the
file-type-specific records, have the frame dissector skip the usual
pseudo-header processing, as the pseudo-header has a file-type-specific
record subtype in it, and call the dissector for that file type's
records.
Change-Id: Ibe97cf6340ffb0dabc08f355891bc346391b91f9
Reviewed-on: https://code.wireshark.org/review/1782
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a "record type" field to "struct wtap_pkthdr"; currently, it can be
REC_TYPE_PACKET, for a record containing a packet, or
REC_TYPE_FILE_TYPE_SPECIFIC, for records containing file-type-specific
data.
Modify code that reads packets to be able to handle non-packet records,
even if that just means ignoring them.
Rename some routines to indicate that they handle more than just
packets.
We don't yet have any libwiretap code that supplies records other than
REC_TYPE_PACKET or that supporting writing records other than
REC_TYPE_PACKET, or any code to support plugins for handling
REC_TYPE_FILE_TYPE_SPECIFIC records; this is just the first step for bug
8590.
Change-Id: Idb40b78f17c2c3aea72031bcd252abf9bc11c813
Reviewed-on: https://code.wireshark.org/review/1773
Reviewed-by: Guy Harris <guy@alum.mit.edu>
which can be used to call the found heuristic dissector on the next pass.
Introduce call_heur_dissector_direct() to be used to call a heuristic
dissector which accepted the frame on the first pass.
Change-Id: I524edd717b7d92b510bd60acfeea686d5f2b4582
Reviewed-on: https://code.wireshark.org/review/1697
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
I believe we started taking copies of these names for lua purposes, but we need
to free them afterwards. This accounts for about half the leaked blocks (though
only a tiny fraction of the memory) valgrind reported on a recent run.
Change-Id: I74a656716cbf169905476f6c3e2cbcb0bd5ac0bc
Reviewed-on: https://code.wireshark.org/review/1580
Reviewed-by: Evan Huus <eapache@gmail.com>
Add an FT_STRINGZPAD type, for null-padded strings (typically
fixed-length fields, where the string can be up to the length of the
field, and is null-padded if it's shorter than that), and use it. Use
IS_FT_STRING() in more cases, so that less code needs to know what types
are string types.
Add a tvb_get_stringzpad() routine, which gets null-padded strings.
Currently, it does the same thing that tvb_get_string_enc() does, but
that might change if we don't store string values as null-terminated
strings.
Change-Id: I46f56e130de8f419a19b56ded914e24cc7518a66
Reviewed-on: https://code.wireshark.org/review/1082
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This adds the ability for Lua scripts to register heuristic dissectors
for any protocol that has registered a heuristic dissector list, such
as UDP, TCP, and ~50 others. The Lua function can also establish a
conversation tied to its Proto dissector, to avoid having to check the
heuristics for the same flow. The example dissector in the testsuite
has also been enhanced to include a heuristic dissector, to verify
the functionality and provide an example implementation.
Change-Id: Ie232602779f43d3418fe8db09c61d5fc0b59597a
Reviewed-on: https://code.wireshark.org/review/576
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Functions with no parameters must be written func(void). Fixes (some) of the
buildbots.
Change-Id: I1a6e5c0553e032e99419fe67eb4b573bbdfe7fe6
Reviewed-on: https://code.wireshark.org/review/388
Reviewed-by: Evan Huus <eapache@gmail.com>
There are some common things people need to do, such as convert to/from hex or get
the raw binary string in a ByteArray/Tvb/TvbRange. These have been added, as well
as some tests for them in the testsuites. Also, functions have been added to allow
a script to get all the available tap types and filter fields, since they are
not exactly what one can see in the Wireshark gui.
Change-Id: I92e5e4eae713bb90d79b0c024eaa4e55b99cc96b
Reviewed-on: https://code.wireshark.org/review/249
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The OP asked 9169 to be reopened because the capture was spewing ~40GB of output
when dissected with tshark. Investigation showed this was because the HTTP
dissector was requesting ONE_MORE_PACKET reassembly a lot, and TCP was adding
each step as a data-source which was being printed by tshark's hex dump. This
was leading to O(n^2) of output.
To fix, introduce function remove_last_data_source which removes the most recent
data source from the list. If the subdissector in TCP reassembly asks for
ONE_MORE_PACKET, assume it hasn't added any tree items (since it shouldn't have)
and remove the data source since it is unnecessary.
This may break dissectors which add tree items and *then* return
ONE_MORE_PACKET, since they will have their data source removed out from under
them. I believe those cases should be fixed to not add tree items until they're
sure they have enough data.
Change-Id: Iff07f959b8b8bd1acda9bff03f7c8684901ba8aa
Reviewed-on: https://code.wireshark.org/review/38
Reviewed-by: Evan Huus <eapache@gmail.com>
Tested-by: Evan Huus <eapache@gmail.com>
This is a VERY PRELIMINARY version of tfshark. It's an attempt to jumpstart FileShark and its architecture. Right now it's mostly just a very stripped down version of tshark with all of the necessary build modifications (including now building filetap library since tfshark depends on it)
This code has helped me identify what I believe to be all of the necessary layers for a complete fileshark architecture. And those layers will slowly be added in time (patches always welcome!).
svn path=/trunk/; revision=54646
from the GTK flavor in two major ways:
- The "Decode As" and "User Specified Decodes" dialog have been unified.
- You can modify the decode as behavior at any time, not just when you
have a packet selected.
Revert part of 53498 so that we can move items marked
/*** THE FOLLOWING SHOULD NOT BE USED BY ANY DISSECTORS!!! ***/
from epan/decode_as.h to ui/decode_as_utils.h.
Move "save" code from decode_as_dlg.c to decode_as_utils.c as well.
In packet-dcerpc.c don't register a table named "ethertype". We might
want to add checks for duplicate table names.
To do:
- Add support for ranges?
- Either add support for DCERPC or make DCERPC use a regular dissector
table.
- Fix string selectors (i.e. BER).
svn path=/trunk/; revision=53910
knowledge of particular types of plugins. Instead, let particular types
of plugins register with the common plugin code, giving a name and a
routine to recognize that type of plugin.
In particular applications, only process the relevant plugin types.
Add a Makefile.common to the codecs directory.
svn path=/trunk/; revision=53710
We presumably want "decode as" behavior to be consistent across UIs so
call load_decode_as_entries() from read_prefs().
svn path=/trunk/; revision=53498
protocol IDs. This is substantially more efficient, which means we can build it
all the time rather than only if tree (in my benchmarks the extra time taken is
not large enough to be statistically significant even over tens of thousands of
packets).
This fixes what was probably a bug in btobex that relied on layer_names for
non-tree dissection. It also enables a much simpler fix for
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9303
svn path=/trunk/; revision=53089
string (and pass g_free to g_hash_table_new_full to free it).
This means callers don't have to worry about the scope of the memory they pass
in, and fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9296
svn path=/trunk/; revision=52977
It'd be actually good idea to seperate packet_info data (packet.c) from epan_dissect_t (epan.c),
but this rule is already violated.
Strict seperation could allow for example allow multiple dissection on the same epan_dissect_t
(I think it was idea behind it), but it's not working.
svn path=/trunk/; revision=52705
a typedef of a *pointer* to the struct, not the struct itself, which are
different sizes.
This doesn't show up under valgrind because the length isn't checked in that
case, everything gets subsumed in valgrind's malloc/free hooks.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9264
svn path=/trunk/; revision=52560
should be freed when it is destroyed. This requires splitting packet_init in
two: the hash table which must be created before protocol registration, and the
caching of common protocol handles, which must happen after registration.
svn path=/trunk/; revision=51329
the various name resolvers; put those two routines next to each other.
Add generic addr_resolv_init() and addr_resolv_cleanup() routines which call
all of those internal routines.
Call the generic init/cleanup routine from epan_init() and epan_cleanup().
Create the hash tables for each name resolver in those initialization routines
in order to avoid having to repeatedly check if the table is already created
or not (and to avoid glib warnings if we neglected to perform that check):
http://www.wireshark.org/lists/wireshark-dev/201308/msg00012.html
Don't clean up hostnames in init_dissection(): it's done already in cleanup_dissection().
Don't initialize hostnames in cleanup_dissection(): it's done already in init_dissection().
svn path=/trunk/; revision=51191
Original (read from file) comments can be accessed by pkthdr->opt_comment
Keep user comments in seperated BST, add new method for epan session to get it.
svn path=/trunk/; revision=51090
Remove ->prev_cap, for testing purpose also replace ->prev_dis with number of previously displayed frame number.
This patch reduce size of frame_data by 8B (amd64)
This is what (I think) was suggested by Guy in comment 13 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5821#c13)
svn path=/trunk/; revision=50765
Expert info "fields" can now be registered/addressed by name. Right now, the basic framework allows expert info fields to become "display filters". However more could be done, like user preferences overriding default severity level, speeding up expert info dialog load time by not needing to redissect a file, etc.
Long term goal is to have all expert_info filterable and have the functionality of expert_add_info_format() include the "registered index". expert_add_info_format_text() is the workaround until all current calls to expert_add_info_format() have been updated with either expert_add_info() or expert_add_info_format_text(). Then the remaining expert_add_info_format_text() will be renamed to expert_add_info_format().
svn path=/trunk/; revision=49559
Bill Meier