The extract_fields struct and calling convention changed, so update to
match. Extract all of our fields at once, which noticeably speeds up
dissection here.
Convert our conversation protocols to a dynamic list and add
add_conversation_filter_protocol(). Use it in the Falco Bridge plugin to
add protocols with conversation filters.
Split the counts of IO data objects and IOCS between
input and output. Remove the increment of IO data objects
in station information, which sometimes led to an extremely
high and invalid number of IO data objects.
Remove unused header definitions in packet-falco-bridge.h and move the
remaining content to packet-falco-bridge.c and conversation-macros.h.
Explicitly set our header files in CMakeLists.txt.
Fix
../plugins/epan/falco_bridge/packet-falco-bridge.c: In function ‘register_conversation_filters_mappings’:
../plugins/epan/falco_bridge/packet-falco-bridge.c:105:1: error: old-style function definition [-Werror=old-style-definition]
register_conversation_filters_mappings()
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Sysdig Bridge plugin loads Falco plugins, so rename it to Falco
Bridge.
Make it optional and dependent on libsinsp+libscap, similar to our codec
plugins.
Remove some unused code.
Add a FindSinsp CMake module, and use it in the Sysdig Bridge plugin
CMakeLists.txt. It still needs work, but should at least be usable on
more machines.
Conflicts:
plugins/epan/sysdig_bridge/CMakeLists.txt
Switch from loading the cloudtrail plugin directly to doing so
indirectly via libsinsp. This should let us start leveraging the rich
functionality offered by libsinsp.
Fix
logshark/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c:86:39: error: this old-style function definition is not preceded by a prototype [-Werror,-Wstrict-prototypes]
register_conversation_filters_mappings()
^
1 error generated.
Prior versions had a dedicated plugin API function for this, but we
removed it from the plugin API, so just use the plugin name.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Avoid moving plugin states around the address space by malloc'ing all of the memory at the beginning instead of using realloc every time a plugin is detected. This prevents crashes and other types of bad behavior that were caused by plugins accessing garbage memory.
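As an added illustration of the allocation strategy this commit describes (example code written for this page, not Wireshark's or the plugin's own; the plugin_state and plugin_registry types and the registry_* function names are hypothetical): allocate the whole table once with a fixed capacity, hand out pointers into it, and refuse a further entry rather than realloc, so that a pointer a plugin obtained earlier can never end up referring to freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-plugin state; Wireshark's real struct is not reproduced. */
typedef struct {
    char name[32];
    unsigned int nfields;
} plugin_state;

/* Registry backed by a single allocation made once at startup. */
typedef struct {
    plugin_state *states;   /* malloc'd once in registry_init(), never realloc'd */
    size_t count;
    size_t capacity;
} plugin_registry;

/* Allocate the whole table up front. Because the block never moves,
 * every pointer returned by registry_add() stays valid until registry_free(). */
int registry_init(plugin_registry *r, size_t capacity)
{
    r->states = calloc(capacity, sizeof *r->states);
    if (r->states == NULL)
        return -1;
    r->count = 0;
    r->capacity = capacity;
    return 0;
}

/* Return a stable pointer to a fresh slot, or NULL when the table is full.
 * Refusing to grow is deliberate: growing with realloc could move all
 * existing plugin_state objects and leave previously handed-out pointers
 * referring to freed memory. */
plugin_state *registry_add(plugin_registry *r, const char *name)
{
    if (r->count == r->capacity)
        return NULL;
    plugin_state *s = &r->states[r->count++];
    snprintf(s->name, sizeof s->name, "%s", name);
    s->nfields = 0;
    return s;
}

void registry_free(plugin_registry *r)
{
    free(r->states);
    r->states = NULL;
    r->count = r->capacity = 0;
}

/* Keep a pointer to the first plugin, fill the table, then verify that the
 * pointer still refers to the same unchanged state and that the registry
 * refuses a further entry instead of reallocating. Returns 1 on success. */
int stable_pointer_check(size_t capacity)
{
    plugin_registry r;
    if (capacity == 0 || registry_init(&r, capacity) != 0)
        return 0;
    plugin_state *first = registry_add(&r, "first");
    if (first == NULL) {
        registry_free(&r);
        return 0;
    }
    first->nfields = 7;
    for (size_t i = 1; i < capacity; i++) {
        char buf[32];
        snprintf(buf, sizeof buf, "plugin%zu", i);
        if (registry_add(&r, buf) == NULL) {
            registry_free(&r);
            return 0;
        }
    }
    int ok = first == &r.states[0]
          && first->nfields == 7
          && strcmp(first->name, "first") == 0
          && registry_add(&r, "overflow") == NULL;
    registry_free(&r);
    return ok;
}
```

The capacity has to be chosen before any plugin is loaded; the price of stable addresses is that a registry full of entries reports failure instead of silently growing, which is the safer of the two outcomes for code that already holds pointers into the table.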
register_cleanup_routine is called after reading a single capture
file. Since the async extraction is set up per plugin instead of
per-instance, we want register_shutdown_routine().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Update to reflect newest API changes (single extract_fields
func). This simplifies dissect_plg_bridge a bit, as the setup/calling
plugin function can mostly be unified based on the field type, with
just looking at the res_str/res_u64 part of the field struct
afterward.
Although not used by wireshark directly, update
plugin_next/plugin_next_batch to note they return structs for events
instead of pointers + lens + timestamps.
Extract functions now use field names, so no need to extract or keep
track of field ids. The "abbrev" property of header_field_info
contains the field name, e.g. ct.xxx.
This commit introduces a new wireshark plugin which is able to act as a proxy to sysdig plugins, loading them into Wireshark and transforming their output into dissectors that Wireshark can use to display the data.
Fix two calls of proto_tree_add_item() when proto_tree_add_uint()
was meant. Passing the actual value of a field instead of an encoding
into proto_tree_add_item() has unexpected results. Fix #17909.
(The whole area of this dissector would probably be cleaner with
more calls to add_item(), but this is a smaller change consistent
with the rest.)
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.
Currently used to define ssize_t on platforms that lack it.
Fix some Windows build errors caused by moving the definition into a
separate header.
Fix some narrowing warnings on Windows x64 from changing the definition
of ssize_t from long int to int64_t.
The casts in dumpcap are ugly but necessary. The whole code needs
to be rewritten for portability, or the warnings disabled.
Try to retrieve the per packet info data first, and create it if
it doesn't exist, rather than assuming it is there on the second
pass. Prevents segfaults in cases with strange TCP sequence issues
(that still show up as bugs in the TCP dissector.) Fix #17737.
There are a bunch of near-identical macros here, but I'm gonna change
one at a time or else the builder times out at the number of files
changed in one merge.
A few of them just needed scratch memory, so allocate and free it
manually after doing any exception-raising checks.
A few others were returning memory, and needed conversion to accept a
wmem scope argument.
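As an added illustration of why the scratch allocation has to come after the exception-raising checks once the memory is managed manually instead of through a wmem scope (example code written for this page, not Wireshark's; setjmp/longjmp stands in for Wireshark's TRY/THROW exception macros, and tracked_alloc, tracked_free, reclaim_leaked and check_length are hypothetical helpers): the "before" variant allocates first and leaks when the check throws, the "after" variant checks first and frees on every path.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-in for an exception mechanism: a check that fails
 * longjmp()s back to the enclosing setjmp(). Hypothetical; Wireshark's
 * TRY/THROW macros are not reproduced here. */
static jmp_buf g_catch;

/* Allocation bookkeeping so a caller can observe leaks. The most recent
 * block stays reachable through g_last_alloc so it can be reclaimed. */
static int g_live_allocs;
static void *g_last_alloc;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p != NULL) {
        g_live_allocs++;
        g_last_alloc = p;
    }
    return p;
}

static void tracked_free(void *p)
{
    if (p != NULL) {
        free(p);
        g_live_allocs--;
        if (g_last_alloc == p)
            g_last_alloc = NULL;
    }
}

/* Free whatever a leaky path left behind. Returns the number of blocks reclaimed. */
static int reclaim_leaked(void)
{
    if (g_last_alloc == NULL)
        return 0;
    tracked_free(g_last_alloc);
    return 1;
}

/* Bounds check that "throws" when the requested length exceeds what is available. */
static void check_length(size_t len, size_t avail)
{
    if (len > avail)
        longjmp(g_catch, 1);
}

/* Before: scratch memory is allocated first. When check_length() throws,
 * control leaves the block without passing tracked_free(), so the buffer
 * leaks. Returns the number of allocations still live after the attempt. */
static int scratch_before_checks(size_t len, size_t avail)
{
    g_live_allocs = 0;
    if (setjmp(g_catch) == 0) {
        unsigned char *scratch = tracked_alloc(len);
        check_length(len, avail);
        tracked_free(scratch);
    }
    return g_live_allocs;   /* 1 when the check threw, 0 otherwise */
}

/* After: every check that can throw runs first; only then is the scratch
 * buffer allocated, used and freed, so no exception path skips the free. */
static int scratch_after_checks(size_t len, size_t avail)
{
    g_live_allocs = 0;
    if (setjmp(g_catch) == 0) {
        check_length(len, avail);
        unsigned char *scratch = tracked_alloc(len);
        if (scratch != NULL)
            scratch[0] = 0;  /* stand-in for real use of the scratch memory */
        tracked_free(scratch);
    }
    return g_live_allocs;   /* always 0 */
}
```

With a packet-scoped wmem allocation the pool would have released the buffer at the end of dissection regardless of how the block was left; once the allocation is manual, the ordering above is what keeps a malformed packet from costing memory on every pass.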
Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.
This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.
If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.
DCP frame dissection for the Reserved option changed
a short time ago. There isn't a predefined suboption
for the Reserved option in the standard. But in this
implementation it was dissected like the control suboption.
This is not true and creates malformed frames in some
DCP pcaps. This implementation is reverted.
Wireshark will dissect undefined bytes as padding
just like before.
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
Automated find/replace of wmem_packet_scope() with pinfo->pool in all
files where it didn't cause a build failure.
I also tweaked a few of the docs which got caught up.
Fixes pre-commit warning
"wimax.dcd.dl_burst_profile_multiple_fec_types doesn't match PROTOABBREV"
All the other fields of this dissector use `wmx` not `wimax`.
Mark wsutil's includes SYSTEM PRIVATE. This exposed a lot of targets
that were indirectly picking up include paths via the wsutil target, so
add direct includes where needed. The G.722 and G.726 codecs were
implicitly including tiffio.h; find it explicitly instead.
Mark some of wsutil's libraries PRIVATE, but leave commonly-used ones
PUBLIC.
Ping #17477.
GSDML parsing has a bug related to multiple submodules,
such that the first submodule found in the GSDML needs
to be the PROFIsafe element, otherwise the description
is not parsed.
If there is a DCP SET block with a 0 block length, it is dissected
as an erroneous block, since a DCP SET block cannot have a 0 block
length. Moreover, DCPBlockLength is not decoded if the DCP option
and suboption are 0. However, each DCP block must have
Option/Suboption/DCPBlockLength. This is also fixed.