Convert our conversation protocols to a dynamic list and add
add_conversation_filter_protocol(). Use it in the Falco Bridge plugin to
add protocols with conversation filters.
Use proto_registrar_is_protocol instead of directly comparing
hfinfo->parent to -1 when determining if the field info is related
to a protocol or not.
This avoids adding the special case text only field, which does not
have a parent protocol id, to the protocol hierarchy. These fields are
merely strings on the GUI tree, not actual protocols.
They were checking for --help in an unusual manner that failed when
run with no arguments.
I've checked that --help works for each script, and that debian-setup.sh
actually works.
NOTE: bsd-setup.sh and rpm-setup.sh seem to have sometimes-broken
formatting, because they try to pass escape sequences to echo, which
POSIX says is implementation-defined (except on XSI-conformant systems).
These changes were mostly made using the following script, with a
manual fix in bsd-setup.sh because it isn't using "switch case".
```python
#!/bin/env python3
import sys
import re
usage_p = re.compile(r'^if \[ "\$1" = "--help" \]\nthen\n((?:\t(?:printf|echo) .*\n)*)\texit 1\nfi$',
re.MULTILINE)
case_p = re.compile(r'(^\tcase \$arg in$)',
re.MULTILINE)
root_check_p = re.compile(r'(\n# Check if the user is root(?:\n|.)*?fi\n)',
re.MULTILINE)
done_p = re.compile(r'(^done\n)',
re.MULTILINE)
def fix_setup(name: str):
assert name.endswith('-setup.sh')
with open(name, 'r') as fin:
s = fin.read()
s = usage_p.sub(r'function print_usage() {\n\1}', s)
s = case_p.sub(r'''\1
\t\t--help)
\t\t\tprint_usage
\t\t\texit 0
\t\t\t;;''', s)
m1 = root_check_p.search(s)
if m1:
root_check = m1[0]
s = root_check_p.sub('', s)
pos = done_p.search(s).end() # type: ignore[union-attr]
s = s[:pos] + root_check + s[pos:]
with open(name, 'w') as fout:
fout.write(s)
if __name__ == '__main__':
for name in sys.argv[1:]:
fix_setup(name)
```
This allows writing moderately complex expressions, for example
a float epsilon test (#16483):
Filter: {abs(_ws.ftypes.double - 1) / max(abs(_ws.ftypes.double), abs(1))} < 0.01
Syntax tree:
0 TEST_LT:
1 OP_DIVIDE:
2 FUNCTION(abs#1):
3 OP_SUBTRACT:
4 FIELD(_ws.ftypes.double)
4 FVALUE(1 <FT_DOUBLE>)
2 FUNCTION(max#2):
3 FUNCTION(abs#1):
4 FIELD(_ws.ftypes.double)
3 FUNCTION(abs#1):
4 FVALUE(1 <FT_DOUBLE>)
1 FVALUE(0.01 <FT_DOUBLE>)
Instructions:
00000 READ_TREE _ws.ftypes.double -> reg#1
00001 IF_FALSE_GOTO 3
00002 SUBRACT reg#1 - 1 <FT_DOUBLE> -> reg#2
00003 STACK_PUSH reg#2
00004 CALL_FUNCTION abs(reg#2) -> reg#0
00005 STACK_POP 1
00006 IF_FALSE_GOTO 24
00007 READ_TREE _ws.ftypes.double -> reg#1
00008 IF_FALSE_GOTO 9
00009 STACK_PUSH reg#1
00010 CALL_FUNCTION abs(reg#1) -> reg#4
00011 STACK_POP 1
00012 IF_FALSE_GOTO 13
00013 STACK_PUSH reg#4
00014 STACK_PUSH 1 <FT_DOUBLE>
00015 CALL_FUNCTION abs(1 <FT_DOUBLE>) -> reg#5
00016 STACK_POP 1
00017 IF_FALSE_GOTO 18
00018 STACK_PUSH reg#5
00019 CALL_FUNCTION max(reg#5, reg#4) -> reg#3
00020 STACK_POP 2
00021 IF_FALSE_GOTO 24
00022 DIVIDE reg#0 / reg#3 -> reg#6
00023 ANY_LT reg#6 < 0.01 <FT_DOUBLE>
00024 RETURN
We now use a stack to pass arguments to the function. The
stack is implemented as a list of lists (list of registers).
Arguments may still be non-existent to functions (this is
a feature). Functions must check for nil arguments (NULL lists)
and handle that case.
It's somewhat complicated to allow literal values and test compatibility
for different types, both because of lack of type information with
unparsed/literal and also because it is an underdeveloped area in the
code. In my limited testing it was good enough and useful, further
enhancements are left for future work.
Conversations start at SMD-S and are continued with SMD-C frames
Added CRC information to proto_data of conversation for mCRC calculation
Continue checksum calculation for faulty fragments
Reassembly information added to info column
Reworked packet_direction
Split the counts of IO data objects and IOCS between
input and output. Remove increment of IO data objects
in station information, sometimes leading to extremely
high and invalid number of IO data objects.
This implements parsing the packets in tls-crypt mode. Parsing is very
limited since tls-crypt encrypts the packets. Since detecting tls-crypt
is not easy apart from two tls-crypt-v2 specific opcodes, it is preference
that needs explicitly set.
Add the length check of dissecting BER integers, int64, and booleans, the expert info is added for bad lengths, includes the name of the field and actual length.
Related to #18005
Needed to format timestamp in #18038 - packet-cql.c
Mirrors changes made in !1924 - Add ENC_TIME_NSECS timestamp encoding
Documentation in README.dissector, proto.c, proto.h - could use
refresh in a different merge request.