Register the data dissector to all dissector tables that support
Decode As. This provides a way to disable decoding for table
entries that have a default dissector registered to a value.
It is particularly useful when a dissector is registered by default
to several values (e.g. HTTP), to be able to disable decoding
for one port without disabling the dissector in general.
It is also useful to prevent payloads from being handed off
to heuristic dissectors, and is thus distinguished from the
fallback to data when no dissector is set. N.B.: that this has no
effect on dissectors that have a "Try heuristic sub-dissectors first"
preference set to TRUE.
It does not solve a second issue for table entries with a default
dissector - setting the dissector to "none" in order to force
payloads to be sent to heuristic dissectors without setting a
preference as above. (Note that in some cases one will wish to
send dissection on some ports to heuristics without enabling
heuristics first for _all_ ports.)
Fix#17518. Fix#15717. Related to #12098, which also needs the
last issue mentioned above addressed.
It's possible for a dissector to claim a frame without adding to
the tree or being added to frame.protocols (see !6669)
Log a debug message showing the pinfo layers and the dissector that
claimed the tvb (frame/packet).
Convert the address+port conversation code to element lists. Make our
conversation keys element lists. Document more of the conversation API.
Update the Conversation Hash Table dialog to use the new API.
Describe an alternative key type and data structure at the top of
conversation.c.
Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.
Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.
Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
Packet info already contains the notion of layer depth for the
current protocol, among all the protocols in the frame. This
adds an extra layer number for the protocols that are the same
as the current one. Obviously this will only go above one if
the protocol is repeated in the stack, such as with IP tunneling.
Adds extra logic to track numbers for each protocol in the frame
and update them when calling a dissector.
The total layer number and protocol layer number are store in
the field info structure so they can be used after dissection,
namely by display filters.
Rcv.Wind.Shift and Snd.Wind.Shift were not displayed correctly by
the BBLog dissector and the TCP dissector was not using the
information about the shift values available in the BBLog file.
When the user has manually registered to a port a dissector other than
the default subdissector (through Decode As, or the preferences
registered via dissector_add_uint_[range_]with_preference), try
those ports with a custom dissector first.
There's a few dissectors (e.g., GTP) that have port preferences
that haven't been migrated to use the DECODE_AS_ preferences for
various reasons; this won't change anything when their preferences
are changed from the default, though it can still work via Decode As.
Fixes#6223 and #12168.
Add the heur_dtbl_entry_t entry as deregistered when deleting a
heuristics dissector. The UDP dissector is storing a pointer to
this in proto_data and may access the entry during reload Lua
plugins until all packets are redissected.
Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.
This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.
If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
"User" sounds as if the blocks belong to the user; at most, the current
user might have modified them directly, but they might also have, for
example, run a Lua script that, unknown to them, modified comments.
Also, a file might have "user comments" added by a previous user, who
them wrote the file and and provided it to the current user.
"Modified" seems a bit clearer than "changed".
Mostly functioning proof of concept for #14329. This work is intended to
allow Wireshark to support multiple packet comments per packet.
Uses and expands upon the `wtap_block` API in `wiretap/wtap_opttypes.h`.
It attaches a `wtap_block` structure to `wtap_rec` in place of its
current `opt_comment` and `packet_verdict` members to hold OPT_COMMENT
and OPT_PKT_VERDICT option values.
The name of the block, in the pcapng specification is the systemd
Journal Export Block; add "export" after "journal" in various
variable/enum/define names.
Replace most instances of ws_debug_printf() except in
epan/dissectors and dissector plugins.
Some replacements use printf(), some use ws_debug(), and
some were removed because they were dead or judged to be
temporary.
Adds a pre-commit hook for detecting and replacing
occurrences of `g_malloc()` and `wmem_alloc()` with
`g_new()` and `wmem_new()`, to improve the
readability of Wireshark's code, and
occurrences of
`g_malloc(sizeof(struct myobj) * foo)`
with
`g_new(struct myobj, foo)`
to prevent integer overflows
Also fixes all existing occurrences across
the codebase.
Systemd journal entries aren't file-type-specific; they're found in both
systemd journal entry blocks in pcapng files and in systemd journal
export files. Give it a record type, for use with both file types.
This fixes#16955.
It also means that you can open a systemd journal export file and save
it as a pcapng file.
Move the maximum number of tree items and maximum tree depth to
preferences instead of hardcoded values. Refer to issue #12584 for
an example VNC capture where real data exceeds the current limit.
FT_STRINGZPAD is for null-*padded* strings, where the field is in an
area of specified length, and, if the string is shorter than that
length, all bytes past the end of the string are NULs.
FT_STRINGZTRUNC is for null-*truncated* strings, where the field is in
an area of specified length and, if the string is shorter than that
length, there's a null character (which might be more than one byte, for
UCS-2, UTF-16, or UTF-32), and anything after that is not guaranteed to
have any particular value.
Use IS_FT_STRING() in some places rather than enumerating all the string
types, so that those places get automatically changed if the set of
string types changes.
The matched entry is bubbled to the head of the list for
faster future search.
Change-Id: I47375515f43387adbe0652556c03f0979a8dbe85
Reviewed-on: https://code.wireshark.org/review/37395
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
This is done to limit parsing errors.
Update documentation of function parameters to remove confusion with dissectors.
Bug: 16106
Change-Id: I6b2cd0badaaf6217fb80bdc411a86cad5e6b07ca
Reviewed-on: https://code.wireshark.org/review/35267
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
These environment variables are read very frequently, read them once to
globals for performance improvment.
Change-Id: I4f05a5edca85b370674cc5f85fce40bd1af695cb
Reviewed-on: https://code.wireshark.org/review/34449
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add a simple helper function to get the dissector handle that's
currently selected in a given payload dissector table.
We have similar functions already for string and uint dissector tables.
Change-Id: Ia1092fe2b8d038bae2b26db99fd08cd9d6979fcd
Reviewed-on: https://code.wireshark.org/review/33933
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Some patches have done one same thing, that is checking the
existence of both handle and dissector before further operating.
Based on this, one missed spot was found.
Bug: 15852
Change-Id: I11ef51aa1aa3fab305203df931882a19cd6670f8
Reviewed-on: https://code.wireshark.org/review/33706
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The TLS dissector relies on a stable value for pinfo->curr_layer_num
between passes to enable handshake reassembly and decryption. A mismatch
could occur if the subdissector accepted the data (len is non-zero), but
did not add any tree items (tree->tree_data->count remains unchanged).
The original change added the check for tree->tree_data->count in order
to remove protocol names that are not visible in the tree. This could
for example occur when the HTTP dissector accepts the data but requests
more data for reassembly.
This desire to hide protocols is understandable, so simply reverting the
change would not be ok. Checking pinfo->desegment_offset is also not
stable. So that leaves the current approach.
Change-Id: I247adafbaa6d23ab9397eadacabaed9e1bfde997
Ping-Bug: 15625
Fixes: v2.5.0rc0-1206-gcd90f732a1 ("Improve frame.protocols accuracy.")
Reviewed-on: https://code.wireshark.org/review/32919
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add the ability to specify maximum function counts for each group to
checkAPIs. Add maximum counts for the "termoutput" and "abort" groups
where needed. Show summaries in various checkAPI targets.
Switch uses of ws_g_warning back to plain g_warning.
Change-Id: I5cbddc8c671729e424eed8551f69116d16491976
Reviewed-on: https://code.wireshark.org/review/29721
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
IPv4 and v6 name resolution are bound to a capture file. Using a lua
script, it is possible to trigger a name resolution when no capture file
is open. This crashes Wireshark as the hash tables for name resolution
are not initialized at this time.
martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ip(\"1.1.1.1\"))" > bla.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla.lua
Segmentation fault
martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ipv6(\"::1\"))" > bla6.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla6.lua
Segmentation fault
Make sure that the hash tables are available as long as the epan library
is initialized. Add a new function host_name_lookup_reset(), call this
function every time we set up dissection for a new capture file. This
way, we keep the name resolution results separate per capture file.
Reorder the steps in init_dissection(). Host name lookup is now
available at all times, there's no need to be in file scope when it's
initialized.
Change-Id: I9599100d5f378b6a0f73dc630e4c8af3b3ffb2cc
Reviewed-on: https://code.wireshark.org/review/29398
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a "contained length" to tvbuffs. For non-subset tvbuffs, that's the
same as the reported length. For a subset tvbuff, that's the amount of
the reported data that was actually present in the "contained data" of
the parent tvbuff.
This is unaffected by the *captured* length of any tvbuff; that differs
from the contained length only if the capture was cut short by a
snapshot length.
If a reference is within the reported data, but not within the contained
data, a ContainedBoundsError exception is thrown. This exception
represents a protocol error, rather than a reference past the captured
data in the packet; we treat it as such.
Change-Id: Ide87f81238eaeb89b3093f54a87bf7f715485af5
Reviewed-on: https://code.wireshark.org/review/27039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: Iff833bf5c197959c8decb62d6ce794c6d0415fb7
Reviewed-on: https://code.wireshark.org/review/26978
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.
Add some record-type checks as necessary.
Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The first is deprecated, as per https://spdx.org/licenses/.
Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
pinfo->pkt_encap is jsut a copy of pinfo->phdr->pkt_encap; no need for
the copy.
Expand a comment while we're at it.
Change-Id: I5fcfe694ecba42507f1d629d01440da0a0989501
Reviewed-on: https://code.wireshark.org/review/25643
Reviewed-by: Guy Harris <guy@alum.mit.edu>