Commit Graph

2679 Commits

Author SHA1 Message Date
Gerald Combs 53b2994b43 Docbook: Reorganize our guide directories
Move the top-level user-guide.adoc and developer-guide.adoc to their
respective source directories. This is in preparation for a future
toolchain revamp.

Move the wsug_graphics directory to wsug_src/images and wsdg_graphics
directory to wsdg_src/images. Copy common_graphics/* to each images
directory and remove common_graphics. We only have five admonition
graphics; duplicating them lets us remove some build config overhead.

Rename wsluarm.adoc to wsdg_src/wsdg_lua_support.adoc.

Remove a dummy file.

Tested visually and by enabling `--failure-level=WARN`.
2023-02-11 21:09:46 +00:00
John Thacker 994669e5b3 UAT: Have a combobox for Dissectors
Add a drop-down combobox for UATs, including User DLTs, that
have a choice of dissectors. Make the combobox editable, which
will provide suggestions, and pass things through to the existing
UAT validation for dissectors. (It's a very long list, especially
with 1717 entries, including 530 just from various BT GATT UUIDs,
so being able to still type it in seems useful.)

Dissectors are not protocols. Rename the UAT field from PROTO to
DISSECTOR where used. Update the column names and long descriptions
to use dissector instead of protocol in dissectors that used this.
There may at some point be UATs that want protocols instead of
dissectors, but that's not what the current behavior does and
none of the current dissectors that use the existing types want.

Update the documentation to use "dissector" instead of "protocol."
Put the names of the actual current three Ethernet dissectors.
Clarify that the "ip" dissector actually tries IPv4 and IPv6,
instead of just IPv4.

UAT entries are backwards and forwards compatible with versions
without this change.

Fix #18836.
2023-02-11 16:40:13 +00:00
João Valverde 84f963dfa2 Move ui/version_info.[ch] to wsutil 2023-02-07 23:17:37 +00:00
Gerald Combs 894e8c46c6 Revert "Enable rpathification and working relocation on Linux"
This reverts commit 7a346c398a.
2023-01-30 22:30:56 +00:00
Gerald Combs abb0e7e9e5 CMake: Lower-case a filename
GPL_appendix.adoc should be gpl_appendix.adoc as of 171dbd6ea8.
2023-01-30 14:05:42 -08:00
Gerald Combs 171dbd6ea8 Docs: Rename our guide source files
Rename the various "WSUG_" and "WSDG_" files to wsug_ and wsdg_
respectively. Remove the "chapter" and "app" parts from the filenames as
well.
2023-01-30 20:05:06 +00:00
Gerald Combs 27d5925b39 Docs: Prepare to lower-case some file names.
Prepare to lower-case GPL_appendix.adoc, WSDG_preface.adoc, and
WSUG_preface.adoc.
2023-01-30 20:05:06 +00:00
João Valverde 7a346c398a Enable rpathification and working relocation on Linux
Dumpcap depends on wsutil.so. The path to the shared library
is encoded in the RPATH (or RUNPATH) property of ELF binaries.
This is currently an absolute path on most Unixy systems.

Dumpcap could not be made to work with a relative RPATH because it
uses elevated privileges and some loaders will ignore relative
RPATHs and non-standard paths under those circumstances, because of
(justified) security concerns.

To enable relocation of the program we link dumpcap statically
with wsutil instead.

This provides a fully working relocatable installation on Linux
and other platforms that support relative RPATHs.
2023-01-29 23:38:00 +00:00
Martin Gallo 48737e2983 SAPDIAG: Added SAP Diag as main dissector
Added the SAP Diag dissector protocol from [SecureAuth's plugin](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/blob/master/src/packet-sapdiag.c).

This is a dissector that implements the Diag protocol. Decompression of packets is not considered as this requires the proprietary LZC/LZH decompression routines still pending to be added in #8973. The Diag packets can be wrapped in an SNC frame, in which case the respective dissector is called. Embedded RFC calls are disabled as this requires the respective dissector to be found, which will be submitted in a separate merge request.

Details about the protocol and example requests can be found in [pysap's documentation](https://pysap.readthedocs.io/en/latest/protocols/SAPDiag.html).
2023-01-25 17:06:27 +00:00
João Valverde c864a8a994 Release Notes: Fixup entry 2023-01-22 17:42:22 +00:00
João Valverde ee5435784d Add an item to the release notes 2023-01-21 17:42:09 +00:00
João Valverde 39124f2f8f Fix Personal Extcap folder path
The personal extcap folder $XDG_CONFIG_DIR/wireshark on Linux is
inconsistent with the global extcap folder (lib/wireshark/extcap)
and personal plugins folder (.local/lib/wireshark/plugins) and also
the configuration folder should not contain architecture-specific files.

The extcap personal folder is changed from:

    .config/wireshark/extcap

to:

    .local/lib/wireshark/extcap
2023-01-20 22:30:26 +00:00
Gerald Combs 3bde296404 [Automatic update for 2023-01-15]
Update manuf, services enterprise numbers, translations, and other items.
2023-01-15 23:10:01 +00:00
Gerald Combs 4ee71f77e6 Release notes: Add a link to the foundation site 2023-01-14 11:00:39 -08:00
Sergey V. Lobanov 60912daef9 LLS: add dissector for ATSC3 Low Level Signalling (LLS) Protocol
LLS dissector is implemented according to A/331:2022-11.
.pcap sample: https://wiki.wireshark.org/SampleCaptures#lls-low-level-signalling-protocol
2023-01-10 09:49:18 +01:00
Gerald Combs 4d38cf9ec6 FAQ: Fix some markup 2023-01-09 18:00:11 +00:00
Gerald Combs 0f824b8b34 [Automatic update for 2023-01-08]
Update manuf, services enterprise numbers, translations, and other items.

services failed.
2023-01-09 03:16:38 +00:00
Huang Qiangxiong 4693428c83 JSON: add "Display JSON in raw form" 2023-01-03 07:59:15 +00:00
Gerald Combs cf4d88d320 [Automatic update for 2023-01-01]
Update manuf, services enterprise numbers, translations, and other items.
2023-01-02 12:15:00 +00:00
João Valverde 4e1211de90 dfilter: Add support for negation of arithmetic expressions 2022-12-22 23:51:16 +00:00
Bernhard Dick 08cdb705e9 DECT-NWK: Add dissector to relnotes 2022-12-21 21:30:20 +00:00
João Valverde ae14849864 Windows: Use SpeexDSP binary package
Remove bundled code and use vcpkg binary library instead.
2022-12-16 11:11:28 +00:00
Bernhard Dick a3e624cb01 DECT-DLC: Add dissector to relnotes 2022-12-15 12:17:29 +00:00
Moshe Kaplan 14880b13ba WSDG: Consistent capitalization for GitLab
Use consistent and proper
capitalization for GitLab
throughout the WSDG.
2022-12-14 15:56:55 +00:00
Moshe Kaplan ac96e5f318 WSDG: Remove reference to Gerrit
Removes reference to Gerrit in
internationalization documentation.
Fixes #17150.
2022-12-14 14:06:49 +00:00
j.novak@netsystem.cz 212b196bee ciscodump: Added support for IOS XE 17.x 2022-12-12 19:49:17 +00:00
Chuck Craft e490a3dd92 WSUG: (PDF) add fallback font for missing up/down arrows
https://github.com/asciidoctor/asciidoctor-pdf/issues/1811
Up/down arrow symbols not rendered to pdf #1811

asciidoctor-pdf bundled fonts don't include an Apple cmd symbol.
use "Cmd" as elsewhere in the WSDG.
2022-12-06 19:18:14 -06:00
Chuck Craft d153113cdf WSDG: retire Visual Studio 2019 for VS2022 2022-12-05 17:52:34 -06:00
João Valverde 237b7d02fe Update release notes 2022-12-05 13:41:33 +00:00
João Valverde 967a3c3df9 Qt: Check field autocomplete for syntactical validity
Currently the autocompletion engine always suggests a protocol
field completion, even in places where it isn't syntactically
valid.

Fix that by compiling the preamble to the token under the cursor
and checking the returned error. If it is DF_ERROR_UNEXPECTED_END
that indicates a field or literal value was expected. Otherwise
a field replacement is not valid in this position.

Fixes #12811.
2022-12-01 22:50:09 +00:00
Martin Gallo 129ed6d4c4 SAPSNC: Added SAP SNC as main dissector 2022-11-29 13:34:38 +00:00
Bernhard Dick b4196ab772 DECT-AAMIDE: Remove duplicate relnote entry 2022-11-28 15:04:15 +00:00
Bernhard Dick 534e594a34 DECT-MITEL-RFP: Begin of OMM/RFP protocol
This is the begin of a basic dissection of the proprietary protocol used
by the Mitel OMM/RFP communication over TCP. Currently no decryption is
supported so there is the need of external decryption.
2022-11-28 15:04:15 +00:00
Pascal Quantin ade32a12f2 WSDG: update libpcap module documentation link 2022-11-25 10:42:50 +01:00
j.novak@netsystem.cz e67c71faba RTP Player: Fix: Playback marker do not move after resume with Qt6 2022-11-24 15:32:36 +00:00
Martin Gallo fdc211984f SAPMS: Added SAP MS as main dissector 2022-11-22 09:27:10 +00:00
Martin Gallo 82b5201f79 SAPRouter: Added SAP Router as main dissector 2022-11-21 15:01:59 +00:00
João Valverde 64f4a441d1 Release notes: Remove an entry
Delete entry that is no longer accurate. The removal was backported and released
with 4.0.1.
2022-11-17 21:38:28 +00:00
Jeremy Kerr 889e5331dc Add NVMe Management Interface (NVMe-MI) dissector
This change adds a small dissector for the NVMe-MI protocol, typically
for tunnelling Administration commands over an MCTP (over I2C) channel.

We just decode the request and response headers, and leave the payload
as raw data.

Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
2022-11-15 09:05:05 +00:00
Jeremy Kerr baf7a3c493 Add MCTP control protocol dissector
This change adds a very basic dissector for the MCTP control protocol -
just the header fields, leaving the raw payload data.

Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
2022-11-15 09:05:05 +00:00
Jeremy Kerr e1cbe02cce Add Management Component Transport Protocol (MCTP) dissector
This change adds a protocol dissector for the Management Component
Transport Protocol (MCTP). This is a fairly simple datagram-based
protocol for messaging between components within a single platform,
typically over I2C, serial or PCIe.

This dissector just implements the header fields, and sequence-number
based message reassembly. Inner protocols will be added as follow-up
changes.

Linux has support for AF_MCTP data, so decode from the MCTP SLL ltype.

Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
2022-11-15 09:05:05 +00:00
Martin Gallo 59fdaa7d07 SAPEnqueue: Added SAP Enqueue Server as main dissector 2022-11-14 20:35:17 +00:00
Martin Gallo 384bf49591 SAPHDB: Added SAP HDB as main dissector 2022-11-11 13:10:00 +00:00
Martin Gallo 0562fe46f6 SAPIGS: Added SAP IGS as main dissector 2022-11-06 14:27:25 +00:00
Uli Heilmeier d1e3ef36c5 WSUG: consistent spelling of acknowledgment
Use "acknowledgment" as we have it in the TCP dissector.
2022-11-03 18:37:32 +00:00
Gerald Combs 5084857eed WSUG: Document the layer operator.
Copy over the "layer operator" section from the wireshark-filter man
page.

Fix the "at operator" level in the wireshark-filter man page.
2022-11-03 14:23:12 +00:00
Chuck Craft 91c0669fb7 Qt: KeyboardInputInterval - allow more relaxed typing for keyboardSearch
Gtk popped up a search box when typing in the tree view.
Most places in Qt, a Search: field was added to the dialog.
Looks possible to buffer keystrokes and do a string search in Qt.

Default value is 400ms (even on Windows). Average typing speed of
200 cpm = 300ms per character = too close to 400ms when searching
the protocol name in Preferences -> Protocols.
2022-11-01 17:39:16 +00:00
Chuck Craft 0bfa32ee6c wsdg: order Lua sections as a user may require them
Roughly follows order in previous chapter of examples.
2022-11-01 17:33:12 +00:00
João Valverde 0853ddd1cb dfilter: Add support for raw (bytes) addressing mode
This adds new syntax to read a field from the tree as bytes, instead
of the actual type. This is a useful extension for example to match
malformed strings that contain unicode replacement characters. In
this case it is not possible to match the raw value of the malformed
string field. This extension fills this need and is generic enough
that it should be useful in many other situations.

The syntax used is to prefix the field name with "@". The following
artificial example tests if the HTTP user agent contains a particular
invalid UTF-8 sequence:

    @http.user_agent == "Mozill\xAA"

Where simply using "http.user_agent" won't work because the invalid byte
sequence will have been replaced with U+FFFD.

Considering the following programs:

    $ dftest '_ws.ftypes.string == "ABC"'
    Filter: _ws.ftypes.string == "ABC"

    Syntax tree:
     0 TEST_ANY_EQ:
       1 FIELD(_ws.ftypes.string <FT_STRING>)
       1 FVALUE("ABC" <FT_STRING>)

    Instructions:
    00000 READ_TREE		_ws.ftypes.string <FT_STRING> -> reg#0
    00001 IF_FALSE_GOTO	3
    00002 ANY_EQ		reg#0 == "ABC" <FT_STRING>
    00003 RETURN

    $ dftest '@_ws.ftypes.string == "ABC"'
    Filter: @_ws.ftypes.string == "ABC"

    Syntax tree:
     0 TEST_ANY_EQ:
       1 FIELD(_ws.ftypes.string <RAW>)
       1 FVALUE(41:42:43 <FT_BYTES>)

    Instructions:
    00000 READ_TREE		@_ws.ftypes.string <FT_BYTES> -> reg#0
    00001 IF_FALSE_GOTO	3
    00002 ANY_EQ		reg#0 == 41:42:43 <FT_BYTES>
    00003 RETURN

In the second case the field has a "raw" type, that equates directly to
FT_BYTES, and the field value is read from the protocol raw data.
2022-10-31 21:02:39 +00:00
Chuck Craft 00179b710c NSIS: add Extcap group; tidy up other groups and WSUG
Partial fix for https://ask.wireshark.org/question/29063/
Event Tracing for Windows ETW file reader
Future work: add user friendly Extcap examples to WSUG and wiki
2022-10-31 12:14:34 +00:00