While we do immediately free it and recompile in rescan_packets,
or if we open a capture file in cf_read, if we start a capture
we go from cf_open to cf_continue_tail, and we want to use this
filter since we don't compile during a capture for each group
of packets (for reasons explained in the previous commit.)
Fixup 08cf0e9553
Saving only the dfilter text and recompiling the code when
[re]dissecting or scanning groups of packets operates on the
explicit assumption that previously validated filter text will
always compile to valid filter code.
That assumption is not true; while we invalidate the filter and
replace the text with NULL if display filter macros change or
other aspects of the packet matching expressions change so that
the previous text is no longer valid, display filters that match
FT_IPv4 or FT_IPv6 fields to resolved hostnames require a host
name lookup each time they are compiled, which can time out, especially
if there are too many requests in flight at once. This is particularly
likely if a recompilation is performed each time additional frames
arrive during a live capture.
It is important to stress that the stronger, implicit assumption that
the display filter will compile to the same code is also false.
1) Display filters that require host name lookup can change even if
it doesn't time out.
2) Display filter macros can change.
3) Display filters with field references will change if the selected
frame has changed.
In the case of a rescan, redissection, reload, retap, or opening a
new file, we want the new dfcode. For cf_continue_tail and
cf_finish_tail, when a new batch of frames has arrived, we might
be able to cache the host lookup for 1), and a user might want the
new macro definitions in 2) (but in that case, why not a rescan of
all packets?), but almost surely for 3) wants the field references
of the frame selected in the GUI when the filter was applied, not
whatever frame is currently selected when new packets arrive. So
we keep the old dfcode, and also reduce recompilation (which becomes
more important as the default update interval can be reduced, cf.
f0712606a3).
Currently filters with field references don't work at all with
newly arrived frames in live captures, because the references
aren't loaded to the code. This fixes that by using the field
references from the original frame.
Cf. 1370d2f738. Fix #19612. Fix #12517.
Set `fdata->passed_dfilter = 1` in frame_data_init. This lets us
simplify things slightly in add_packet_to_packet_list, and lets
dissectors force packets to be hidden if needed.
Note that we might want to add a "visible" element to frame_data
instead.
Match multiple occurrence in Find Packet Bytes, both forwards
and backwards.
Also fix an issue highlighting wide strings properly, reintroduced by
commit c0885fe390.
For backwards searching in string and binary searches, use
the memrchr and backwards mempbrk implementations. For regex,
use PCRE2_ANCHORED to transform the user's regex expression into
one that is anchored at the start byte, and progressively search
backwards.
Fix #11269
The capture file properties dialog already lists the section
comments in the Details section, so it wastes some space to have
them a second time in the edit box.
Have an edit dialog for the capture comments. Have the edit dialog
use tabs so that we can edit multiple comments in a section, and
all sections. Allow adding new comments, removing comments, and
reordering comments.
Fix a few small leaks.
Related to #14599, #16133.
pcapng allows simple packet blocks (which don't have timestamps),
enhanced packet blocks (which do) and custom blocks (which might
or might not have timestamps, and even if they do have timestamps,
libwiretap might not know about them), and so some records may have
timestamps while others do not.
Do not use frames without timestamps in delta time calculations.
Don't use them as reference frames for time calculations, or for
the previously displayed frame for time calculations, where the
previously displayed frame that actually has a timestamp is used.
Have the various _get_frame_ts functions return null instead of
their ts value (that is currently handled; if records without
timestamps set their abs_ts to the special "unset" value of nstime_t
that could work too, except that isn't currently handled.)
Still allow the GUI to set frames without timestamps as "Time
References", because that does still affect the "Cumulative Bytes"
column, so it's not entirely pointless; unset the reference time
so that the timestamp from the next frame that does have a timestamp
will be used as reference time.
The "previous captured frame" will show a 0 time delta when
the previous frame doesn't have a timestamp. Perhaps a user
would also want "previous captured frame with a timestamp,"
but we'd have to store that in frame data (adding memory to
that struct.)
Fix #19397
As the PCRE2 documentation notes, "Setting startoffset differs from passing
over a shortened string and setting PCRE2_NOTBOL in the case of a pattern
that begins with any kind of lookbehind."
For the purposes of finding regex matches starting at a particular
offset in the packet bytes, we will need to handle that properly.
There's a lot of potentially confusing arithmetic from setting
search_pos to the last byte of a match. We can always test
search_len against zero to see if we actually had a match for
highlighting purposes. (The ordinary byte searches won't find
zero length matches, but the regex search might, and not even
necessarily at the start of the bytes if there's a lookbehind term,
and currently they're handled incorrectly.)
We can't find fields with length zero based on an offset currently
anyway. (If we tried, would we match fields that contained the byte
before or after the zero length offset?)
Perhaps we shouldn't allow zero length regex matches for packet
byte searches at all; PCRE2 has an option to prevent such matches.
The case sensitive exact match of a needle of a given length
in packet bytes is the same whether the value originally came from
a string or a converted hex string. We don't need two static functions
that are exactly the same.
Add GUI support for turning on and off finding multiple occurrences
in a frame.
Also add a checkbox for searching backwards.
This makes the number of controls large, so split it into two rows.
When searching packet details with Find Packet, step through
each field that matches the search, using the currently selected
field as a starting point for searching the current frame before
going onto another frame.
Handle both forwards and backwards, so that backwards searching
initially finds the last match in each frame.
Part of #11269. (Packet bytes searching should presumably also
be handled.)
When rescanning the file, free the filename and array of linktypes
if they already exist.
Reset the wtap record while rescanning the file, so that each block
is freed when we're done with it.
Clean up the wtap dumper parameters after writing (the new SHB, etc.)
If we don't have the timestamp of the previously displayed packet,
we set the current packet as the previously displayed packet so
that the delta time displayed is zero.
Only do this if the current packet is actually displayed; otherwise,
when setting or unsetting a time reference, the first displayed
packet is given a delta time displayed from the first frame in
the capture, regardless of whether the first frame is displayed
or not. (The rest of the code properly handles cf->provider.prev_dis
being NULL.)
Fix #19324
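The rules above (frames without timestamps excluded from delta and reference calculations, a timestamp-less Time Reference unsetting the reference, and a displayed frame standing in for a missing prev_dis timestamp) worked through as an added example. This is illustration code, not Wireshark's own; the types and function names (frame_rec, ts_provider, process_frame, sample_times) and the seven-frame sample capture are constructed for it:

```c
/* Added example, not Wireshark's own code: time-column bookkeeping when some
 * records (pcapng Simple Packet Blocks, unknown custom blocks) carry no
 * timestamp. Every name below is invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int64_t secs; int32_t nsecs; } nstime;

typedef struct {
    uint32_t num;
    bool     has_ts;     /* false: the record type carries no timestamp */
    bool     displayed;  /* passed the display filter */
    bool     ref_time;   /* user marked this frame as a Time Reference */
    nstime   abs_ts;
} frame_rec;

typedef struct {
    const frame_rec *prev_cap;  /* previous captured frame */
    const frame_rec *prev_dis;  /* previous displayed frame with a timestamp */
    const frame_rec *ref;       /* reference frame, NULL while unset */
} ts_provider;

typedef struct { nstime rel, delta_cap, delta_dis; } frame_times;

/* Return NULL instead of a bogus timestamp for records without one. */
static const nstime *frame_ts(const frame_rec *fd)
{
    return (fd != NULL && fd->has_ts) ? &fd->abs_ts : NULL;
}

/* a - b, or zero when either side has no timestamp. */
static nstime ts_delta(const nstime *a, const nstime *b)
{
    nstime d = { 0, 0 };
    if (a == NULL || b == NULL)
        return d;                       /* no timestamp: show zero */
    d.secs  = a->secs  - b->secs;
    d.nsecs = a->nsecs - b->nsecs;
    if (d.nsecs < 0) { d.secs--; d.nsecs += 1000000000; }
    return d;
}

/* Compute the three time columns for fd, then advance the provider. */
static frame_times process_frame(ts_provider *p, const frame_rec *fd)
{
    frame_times t;

    if (fd->ref_time)
        /* A reference with no timestamp unsets the reference; the next frame
         * that has one becomes the reference instead. */
        p->ref = fd->has_ts ? fd : NULL;
    else if (p->ref == NULL && fd->has_ts)
        p->ref = fd;

    /* No usable prev_dis timestamp: a displayed frame becomes its own
     * "previous displayed" so delta_dis reads zero. Frames that are not
     * displayed must never become prev_dis. */
    if (fd->displayed && frame_ts(p->prev_dis) == NULL)
        p->prev_dis = fd;

    t.rel       = ts_delta(frame_ts(fd), frame_ts(p->ref));
    t.delta_cap = ts_delta(frame_ts(fd), frame_ts(p->prev_cap));
    t.delta_dis = ts_delta(frame_ts(fd), frame_ts(p->prev_dis));

    p->prev_cap = fd;                  /* even when it has no timestamp */
    if (fd->displayed && fd->has_ts)   /* only timestamped frames qualify */
        p->prev_dis = fd;
    return t;
}

#define NFRAMES 7
/* Constructed sample capture: frames 2 and 5 have no timestamp, frame 4 is
 * filtered out, and the user set frame 5 as a Time Reference. */
static const frame_rec sample[NFRAMES] = {
    { 1, true,  true,  false, { 100, 0 } },
    { 2, false, true,  false, { 0, 0 } },
    { 3, true,  true,  false, { 100, 250000000 } },
    { 4, true,  false, false, { 101, 0 } },
    { 5, false, true,  true,  { 0, 0 } },
    { 6, true,  true,  false, { 103, 0 } },
    { 7, true,  true,  false, { 103, 500000000 } },
};

/* Run the sample through the provider and return the columns of frame i. */
static frame_times sample_times(size_t i)
{
    ts_provider p = { NULL, NULL, NULL };
    frame_times t = { {0, 0}, {0, 0}, {0, 0} };
    for (size_t k = 0; k <= i && k < NFRAMES; k++)
        t = process_frame(&p, &sample[k]);
    return t;
}

int main(void)
{
    for (size_t i = 0; i < NFRAMES; i++) {
        frame_times t = sample_times(i);
        printf("frame %u rel=%lld.%09d d_cap=%lld.%09d d_dis=%lld.%09d\n",
               (unsigned)sample[i].num, (long long)t.rel.secs, t.rel.nsecs,
               (long long)t.delta_cap.secs, t.delta_cap.nsecs,
               (long long)t.delta_dis.secs, t.delta_dis.nsecs);
    }
    return 0;
}
```

Frame 2 has no timestamp, so frame 3's delta to the previous displayed frame is measured from frame 1 while its delta to the previous captured frame is zero; frame 4 is filtered out and never becomes prev_dis, so frame 6's displayed delta is measured from frame 3; the reference set on frame 5 is dropped because that record has no timestamp, and frame 6, the next frame with one, becomes the reference with a relative time of zero.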
The first condition was only true if the second condition was also true.
Change the arithmetic to what is presumably intended - if half
PROGBAR_SHOW_DELAY has passed and we are less than half done, show
the progress bar.
Note that since this only gets checked between records, there's still
an issue with frames that take a very long time to dissect, e.g. the
first TLS packet if the SSLKEYLOGFILE is very large (#17051.)
The progress bar won't appear (nor any other GUI indication) while
that packet is being dissected.
Make the text of each registered column a FT_STRING field that can be
filtered, prefixed with _ws.col - these work in display filters, filters
in taps, coloring rules, Wireshark read filters, and in the -Y, -R, -e,
and -j options to tshark. Use them as the default "Apply as Filter" value
for the columns that aren't handled by anything else currently.
Because only the column formats that actually correspond to columns
get filled in (invisible columns work), register and deregister the
fields when the columns change.
Use the lower case version of the rest of the COL_* define for each
column as the field name.
This adds a number of conditions to "when are the columns needed",
including when the main display filter or any filter on a tap is
using one of these fields.
Custom columns are currently not implemented. For custom columns, the
tree then has to be further primed with any fields used by the custom
columns as well. (Perhaps that should happen in epan_dissect_run() -
are there any cases where we construct the columns and don't want to
prime with any field that custom columns contains? Possibly in taps
that we know only use built-in columns.)
Thus, for performance reasons, you're better off matching an ordinary
field if possible; it takes extra time to generate the columns and many
of them are numeric types. (Note that you can always convert a non-string
field to a string field if you want regex matching, consult the
*wireshark-filter(4)* man page.) It does save a bit on typing (especially
for a multifield custom column) and remembering the column title might
be easier in some cases.
The columns are set before the color filters, which means that you
can have a color filter that depends on a built-in column like Info or
Protocol.
Remove the special handling for the -e option to tshark. Note that
the behavior is a little different now, because fixed field names
are used instead of the titles (using the titles allowed illegal
filter names, because it wasn't going through the filter engine.)
For default names, this means that they're no longer capitalized,
so "_ws.col.info" instead of "_ws.col.Info" - hopefully a small
price in exchange for the filters working everywhere.
The output format for -T fields remains the same; all that special
handling is removed (except for remembering if someone asked for
a column field to know that columns should be constructed.)
They're also set before the postdissectors, so postdissectors can
have access.
Anything that depends on whether a packet and previous packets are
displayed (COL_DELTA_TIME_DIS or COL_CUMULATIVE_BYTES) doesn't work
the way most people expect, so don't register fields for those.
(The same is already true of color filters that use those, along with
color filters that use the color filter fields.)
Fix #16576. Fix #17971. Fix #4684. Fix #13491. Fix #13941.
Move the protocolfilter map to being a member of output_fields,
consolidating some of the API. The only functions that accept
one accept both, and callers that always pass either as NULL
always pass both as NULL.
When not updating the packet list during a capture, the capture
file structure isn't set up, but there is a pending capture.
We currently treat that as "finished reading", but that means
that other code assumes that all the structures are set up and
can crash, and also don't prompt regarding unsaved packets when
trying to close Wireshark.
Add a state for FILE_READ_PENDING that sometimes should be treated
similar to FILE_CLOSED and sometimes should be treated similar to
FILE_READ_IN_PROGRESS.
This fixes a crash when enabling "update packet list during a capture"
while a capture is in progress, as well as a crash when applying a filter
while a capture is in progress but real time packet list updates are
off.
Keep track of the number of packets that the capture child has reported
that haven't been read yet, so that the capture statistics stay accurate
even if the pref is toggled. Also run the main status bar statistics at
the end, so that if any packets are processed in cf_finish_tail() they
are reported.
This also restores status bar statistics for when update packet list
during a capture is off, which 461fb517d1
accidentally disabled.
Fix #4035
Sometimes you have a capture file that has many duplicate frames
because of how the capture was made, and it's convenient to ignore
the duplicates so you can concentrate on the data and not all
the TCP warnings.
This adds a preference in the "Protocols" section to ignore
duplicates. This currently only works while reading a capture file
*not* during a live capture.
If a time shift has been applied to frames, save the time-shifted
value to the newly written file.
If we're doing Save/Save As, so that the newly written file replaces
the currently open file, make sure to clear the shift offset from
the frame data, for the same reason that we mark the file as no longer
being modified. If we're Exporting packets and not changing the
currently open capture file, leave the shift offset the same.
If there are color rules based on the frame protocol, recolorize.
We also really should reapply the current filter, if any, if it
depends on something in the frame protocol.
Fix #14306
When rescanning or retapping, if there is a currently selected packet
in the GUI, load any field references in any filters for any tap
listeners.
Note that Lua plugins can register some filtering tap listeners later
after we reset the dissection tree, but those are for field extraction
in the new tree and can't contain field references.
Fix #18912
Exposing the fvalue_t implementation is exposing internal
details of the implementation. Fix that by making the fvalue_t
internal to the ftypes implementation and using setters/getters
where necessary.
The string used to search the selected packet's protocol tree for
the field we already found is leaked.
The function prototype is prone to leaks; all the components of the
match_data are filled in inside the function, and it only needs to
return the field info. Restructure it so that the match_data is
created (and the string freed) inside the function, and only
the field_info is returned.
When searching for string matches in packet list and details, save index of
next possible start location inside a partial match and rewind to that
position if the ongoing match is not successful.
While here, also terminate search when the search string is longer than
the remainder of the text string being matched against.
As suggested by John Thacker, use strstr() for case sensitive search.
Full bug description:
Currently, searching for strings in "Packet list" and "Packet detail" may fail
to find matches if a partial match is encountered. Examples of both are present
in nfsv4.1_pnfs.cap in the Wireshark sample trace collection.
Searching for "Win=29200 Len=0" in Packet list finds frame 1, based on:
880 → 2049 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=360391592 TSecr=0 WS=128
However, searching for just "0 Len=0" skips this frame when searching.
Similarly, searching for "netapp-26" in Packet detail will find many frames
(if TCP port 2049 is decoded as RPC) based on the RPC credentials:
Machine Name: netapp-26
Similarly, if searching for "p-26", no frames are found.
The problem is how match_summary_line() and match_subtree_text() will start a
comparison against the search string based on the first character and scan
ahead to check if each subsequent character also matches. However, if there is
no match, the search continues only after the partial match.
In practice, matching "p-26" against "Machine Name: netapp-26" will:
- Test against characters, but find no match until the first 'p'.
- Find that the first 'p' matches the leading 'p' in the search string.
- Compare the second 'p' against '-' in the search string, which fails.
- Continue checking after the second 'p', where neither '-', '2' nor '6' match the
leading 'p' in the search string.
The proposed fix will, when a partial match is in progress, store the first
location where a new match might occur. If the partial match is not
successful, the search is restarted at that stored position.
As far as I can tell, other match_xxx functions in file.c do not
share this problem.
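The partial-match description above, together with the earlier backwards Find Packet Bytes commit, worked through as an added example in C. This is illustration code rather than Wireshark's match_subtree_text() or its search helpers; the function names (find_buggy, find_fixed, rmemchr, find_backward, count_matches) and the sample label text are constructed for it:

```c
/* Added example, not Wireshark's own code: the partial-match bug described
 * above (find_buggy), its rewind fix (find_fixed), and a backwards search on
 * a memrchr-style helper. Every function name here is invented. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buggy scan: on a mismatch the match counter is reset, but the bytes already
 * consumed by the partial match are never re-examined. */
static long find_buggy(const char *text, const char *needle)
{
    size_t nlen = strlen(needle), c_match = 0;
    for (size_t i = 0; text[i] != '\0'; i++) {
        if (text[i] != needle[c_match]) { c_match = 0; continue; } /* bug */
        if (++c_match == nlen)
            return (long)(i + 1 - nlen);
    }
    return -1;
}

/* Fixed scan: remember the first byte inside a partial match that could start
 * a new match and rewind to it when the partial match fails; stop once fewer
 * bytes remain than the needle needs. ci != 0 upper-cases the text before
 * comparing, so pass an upper-cased needle in that case. */
static long find_fixed(const char *text, size_t start, const char *needle, int ci)
{
    size_t nlen = strlen(needle), tlen = strlen(text);
    size_t c_match = 0, rewind_to = 0;
    int have_rewind = 0;
    if (nlen == 0 || start >= tlen)
        return -1;
    for (size_t i = start; i < tlen; i++) {
        int c = ci ? toupper((unsigned char)text[i]) : (unsigned char)text[i];
        if (c_match == 0 && tlen - i < nlen)
            break;                          /* needle longer than the rest */
        if (c == (unsigned char)needle[c_match]) {
            if (c_match > 0 && !have_rewind && c == (unsigned char)needle[0]) {
                rewind_to = i; have_rewind = 1;   /* next possible start */
            }
            if (++c_match == nlen)
                return (long)(i + 1 - nlen);
        } else if (c_match > 0) {
            /* Resume at the saved candidate, or re-examine text[i] itself. */
            i = (have_rewind ? rewind_to : i) - 1;
            c_match = 0; have_rewind = 0;
        }
    }
    return -1;
}

/* Last occurrence of byte c in the first n bytes of s (memrchr is a GNU extension). */
static const char *rmemchr(const char *s, int c, size_t n)
{
    while (n-- > 0)
        if ((unsigned char)s[n] == (unsigned char)c)
            return s + n;
    return NULL;
}

/* Last match of needle ending at or before text[end]: walk candidate first bytes backwards. */
static long find_backward(const char *text, size_t end, const char *needle)
{
    size_t nlen = strlen(needle), n;
    const char *p;
    if (nlen == 0 || end < nlen)
        return -1;
    n = end - nlen + 1;                 /* candidate starts lie in text[0..n) */
    while ((p = rmemchr(text, needle[0], n)) != NULL) {
        if (memcmp(p, needle, nlen) == 0)
            return (long)(p - text);
        n = (size_t)(p - text);         /* keep looking before this candidate */
    }
    return -1;
}

/* Count every occurrence (overlaps allowed) forwards or backwards; both directions agree. */
static int count_matches(const char *text, const char *needle, int backward)
{
    size_t nlen = strlen(needle);
    long pos;
    int n = 0;
    if (backward)
        for (size_t end = strlen(text); (pos = find_backward(text, end, needle)) >= 0;
             end = (size_t)pos + nlen - 1)
            n++;
    else
        for (size_t start = 0; (pos = find_fixed(text, start, needle, 0)) >= 0;
             start = (size_t)pos + 1)
            n++;
    return n;
}

int main(void)
{
    const char *label = "Machine Name: netapp-26";   /* constructed RPC field text */
    printf("buggy=%ld fixed=%ld backward=%ld\n", find_buggy(label, "p-26"),
           find_fixed(label, 0, "p-26", 0), find_backward(label, strlen(label), "p-26"));
    return 0;
}
```

find_buggy reproduces the scan that resets the match counter on a mismatch without re-examining the consumed bytes, so "p-26" is missed in "Machine Name: netapp-26" while "netapp-26" is still found; find_fixed saves the next possible start inside the partial match and rewinds there, finds "p-26" at offset 19, and gives up early when fewer bytes remain than the needle needs. find_backward locates candidates with a memrchr-style reverse scan, and count_matches shows that the forward and backward passes report the same occurrences.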
wtap_dump_file_encap_type() could be read as indicating that, given a
handle for an encapsulation type, it returns the encapsulation type for
the file being written, rather than, given a list of encapsulation
types, returning the encapsulation type that would be required for all
of those types, which is what it does.
Rename it to wtap_dump_required_file_encap_type().
Add functions to PacketListRecord to invalidate a single record's
colorization and column strings, used when a record is modified in a
way that needs to trigger redrawing, but we don't need to redraw
all packets.
Move the functionality for adding, deleting, and setting frame comments
into PacketListModel, operating on QModelIndexes (or on all physical
rows in the case of deleting all comments from a file.) Trigger
recolorization of any record with an updated comment.
Only set a block as modified when deleting comments if we actually
deleted comments. This avoids marking a file as modified if we
delete all comments from all frames, or all comments from selected
frames, when those frames do not actually have comments.
If cf_set_modified_block is used to modify a block that is already
modified, it can't update the comment count. In that case, return
false and have the callers update the comment count. (It already
has a return value, which is always true.) This avoids having the
GUI warning about saving into a format that doesn't support comments
when comments have been added and then removed.
Note that, unlike with time references and time shifts, there
are no fields (and hence no columns nor color filters) that depend
on whether other fields have comments. If for some reason some
were added, then the model data for all frames would have to be
updated instead. Since there aren't, we don't need to
redrawVisiblePackets, but we do need to drawCurrentPacket to ensure
the packet details are redissected.
Fix #12519
Store the field filter strings in a wmem_map pointing to the
field flags for each string. This allows specifying multiple
filter options (-j or -J) on the command line, including some
of both.
Fix #17470
Add the ability to cancel sorting. Since we now parse user inputs
during the sort, test and set the capture file read lock. Try to
sort in PacketList::captureFileReadFinished, since now sorting during
thawing won't happen if it's in the middle of a rescan.
Fix #17640
Dependent frames list order does not matter and thus a significantly
faster data structure can be used. Replace the list with a hash table to
avoid excessive CPU usage when opening files containing reassembled
packets consisting of a large number of fragments.
Keep name resolution information as mandatory elements for
NRBs, and when the ipv4 or ipv6 callback is set, have name
resolution entries from already read NRBs sent to the callback.
rescan_packets can use this when redissecting to reobtain the
name resolution entries from the NRB, similar to what is done
with Decryption Secrets Blocks. (This can also later be used
if we read NRBs and DSBs in pcapng_open before the first packet,
and before the callbacks are set.)
This doesn't yet make the changes to wtap_dumper to write them out,
but is a step towards that too. (It's not clear in cases where we
dissect packets whether we want to copy the entire NRB, or only
write out actually used addresses as done now. For copying without
reading a file, like with editcap, we presumably do want to copy them.)
Fix #13425. Ping #15502
Save all dependent frames when there are multiple levels
of reassembly.
This is a retry of !6329, combined with the fix in !6509 which
were reverted in !6545.
epan: fix a segfault, introduced in !6329
Return a struct containing error information. This simplifies
the interface to more easily provide richer diagnostics in the future.
Add an error code besides a human-readable error string to allow
checking programmatically for errors in a robust manner. Currently
there is only a generic error code, it is expected to increase
in the future.
Move error location information to the struct. Change callers and
implementation to use the new interface.
Add -Werror=unused-but-set-variable to our default compiler flags and fix
```
epan/dissectors/packet-dcerpc-frsrpc.c:709:10: error: variable 'nb_chunk' set but not used [-Werror,-Wunused-but-set-variable]
guint32 nb_chunk = 0;
^
```
```
epan/dissectors/packet-dcom-oxid.c:175:13: error: variable 'u32ItemIdx' set but not used [-Werror,-Wunused-but-set-variable]
guint32 u32ItemIdx;
^
```
```
epan/dissectors/packet-l2tp.c:1775:104: error: parameter 'ccid' set but not used [-Werror,-Wunused-but-set-parameter]
static int dissect_l2tp_ericsson_avps(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 ccid)
^
```
```
epan/dissectors/packet-ldp.c:1922:19: error: variable 'ix' set but not used [-Werror,-Wunused-but-set-variable]
guint8 ix;
^
```
```
epan/dissectors/packet-nas_5gs.c:4757:14: error: variable 'curr_len' set but not used [-Werror,-Wunused-but-set-variable]
guint i, curr_len;
^
```
```
epan/dissectors/packet-per.c:1769:6: error: variable 'extension_addition_entries' set but not used [-Werror,-Wunused-but-set-variable]
int extension_addition_entries;
^
```
```
epan/dissectors/packet-rtitcp.c:618:11: error: variable 'messages_count' set but not used [-Werror,-Wunused-but-set-variable]
guint messages_count, offset;
^
```
```
epan/dissectors/packet-tcp.c:2130:9: error: variable 'ackcount' set but not used [-Werror,-Wunused-but-set-variable]
int ackcount;
^
epan/dissectors/packet-tcp.c:3317:12: error: variable 'nbOptionsChanged' set but not used [-Werror,-Wunused-but-set-variable]
guint8 nbOptionsChanged = 0;
^
```
```
epan/dissectors/packet-zbee-zcl-se.c:11802:15: error: variable 'i' set but not used [-Werror,-Wunused-but-set-variable]
for (gint i = 0; tvb_reported_length_remaining(tvb, *offset) >= 5; i++) {
^
```
```
ui/iface_lists.c:142:23: error: variable 'linktype_count' set but not used [-Werror,-Wunused-but-set-variable]
gint linktype_count;
^
```
```
ui/voip_calls.c:456:15: error: variable 'item_num' set but not used [-Werror,-Wunused-but-set-variable]
guint item_num;
^
```
```
file.c:572:17: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
guint32 count = 0;
^
```
```
file.c:3667:24: warning: cast from 'const unsigned char *' to 'unsigned char *' drops const qualifier [-Wcast-qual]
pd = (guint8 *)ws_mempbrk_exec(pd, buf_end - pd, pattern, &c_char);
^
```
```
ui/qt/io_graph_dialog.cpp:1932:60: error: variable 'mavg_right' set but not used [-Werror,-Wunused-but-set-variable]
unsigned int mavg_in_average_count = 0, mavg_left = 0, mavg_right = 0;
^
```
```
ui/qt/stats_tree_dialog.cpp:166:9: error: variable 'node_count' set but not used [-Werror,-Wunused-but-set-variable]
int node_count = 0;
^
```
```
ui/qt/models/profile_model.cpp:1142:13: error: variable 'entryCount' set but not used [-Werror,-Wunused-but-set-variable]
int entryCount = 0;
^
```
Add a function to get the column text of the nth column, taking
into account whether the column is resolved or unresolved. Use
this function in the GUI, as well as in tshark, when writing
PSML, exporting dissection to PSML, etc., instead of accessing
col_data directly.
This removes the direct accesses of col_data from outside
column.c and column-utils.c
Fix #18168.
To implement loading a packet list, a lot of helper
methods are required. Those prototypes were split up
over two places and have been moved to packet_list_utils.h
to ensure a single place for lookup.
Remove unneeded row number in capture file. The packet list is
the only object that should know the correct number, propagating
it further only complicates things. At the same time, rework
cf_select_packet to select the packet based on frame_data not on
the row (which can be unreliable).