For efficiency do the comparison in a single function call
instead of trying to preserving exactly the previous semantics.
Still I tried not to deviate much.
All the order operators can be defined in terms of 'lt'
and 'eq' so use that to reduce the number of required
methods from 6 to 2.
Further reduce to one by combining those two into a single
function that has memcmp semantics: negative return is
"less than", positive is "greater than" and zero is equal.
Null frames are frames with invalid data. This patches makes sure that
the invalid data is not further dissected.
Closes#17644
Bug present since Wireshark 3.4.
When UDP-NM was renamed into AUTOSAR-NM (as well as filename changed)
the author of that patch missed the dynamic filters. This patch fixes
this oversight and makes sure all filters of AUTOSAR NM start with
"autosar-nm.".
Fixes#17643
Since the UDP connection switches back and forth between DHT and uTP,
use conversation_set_dissector_from_frame_number so that the dissector
called by try_conversation_dissector in packet-udp.c doesn't change for
a given frame based on the last packet clicked in the GUI.
Split out a heuristic dissector from uTP so that conversation_set_dissector
is only called from the heuristic dissector.
This doesn't make a difference when the heuristics are accurate but
might in some edge cases.
Last version of MS-RDPEUDP2 has detailled the interpretation of ackvec packets. The
patch also adds the interpretation of ack vector items (bitmap or RLE encoded).
The TECMP dissector did not set the length to the correct value but by
accident just used all bytes present. This is not correct.
This bugfix is for Wireshark 3.4 and newer.
Closes#17638
Strengthen the heuristic, including fixing a typo, disabling via
preference the pre-release "Version 0" of the protocol that hasn't been
supported by any clients for a decade, and putting a limit on the maximum
window size by default via preference. This might be enough to enable it
by default, but hold off on doing so for until more testing.
Also fix a couple of typos and add unit strings.
Do the integer conversion for ranges in the parser. This is more
conventional, I think, and allows removing the unnecessary integer
syntax tree node type.
Try to minimize the number and complexity of lexical rules for
ranges. But it seems we need to keep different states for integer
and punctuation because of the need to disambiguate the ranges
[-n-n] and [-n--n].
If we have a STRING value in an expression and a numeric comparison
we must also check if it matches a value string before throwing
a type error.
Add appropriate tests to the test suite.
Fixes 4d2f469212.
If the RPC dissector doesn't have all the bytes of the a fragment
and thus needs to do TCP desegmentation, but can't or won't for some
reason, then don't try to defragment either, regardless of what the
defragmentation preference says. Fix#11198.
A function is grammatically an identifier that is followed by '(' and ')'
according to some rules. We should avoid assuming a token is a function
just because it matches a registered function name.
Before:
Filter: foobar(http.user_agent) contains "UPDATE"
dftest: Syntax error near "(".
After:
Filter: foobar(http.user_agent) contains "UPDATE"
dftest: The function 'foobar' does not exist.
This has the problem that a function cannot have the same name
as a protocol but that limitation already existed before.
Properly support BEP 42: the 'ip' string includes the port, so the
expected length is 6 octets, not 4. That key also appears on the top
level, and sorts before the 'r' key, so add it to heuristics.
Take the opportunity to strengthen the heuristics; certain other keys
never sort before others, and we know the types of several of the keys.
That allows us to go from seven possibilities for the first four bytes
to four possibilities for the first five bytes, which is surely precise
enough to enable the heuristic by default.
Sort the value_strings.
Q_OBJECT is only needed for signals+slots, translations, and other
meta-object services. Remove it in some classes, since having it means
we're generating and compiling code unnecessarily.
Instead of checking for an error return and throwing the exception
then do it where the errors occurs. This takes advantage of the nice
properties of error exceptions to reduce the amount of error
checking code.
Octal escape sequences \NNN can have between 1 and 3 digits. If
the sequence had less than 3 digits the parser got out of sync
with an incorrect double increment of the pointer and errors out
parsing sequences like \0, \2 or \33.
Before:
Filter: ip.proto == '\33'
dftest: "'\33'" is too long to be a valid character constant.
After:
Filter: ip.proto == '\33'
Constants:
00000 PUT_FVALUE 27 <FT_UINT8> -> reg#1
Instructions:
00000 READ_TREE ip.proto -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
Fixes#16525.
packet-li5g.c used to parse the LI x2/x3 PDU header which defined in ETSI TS 103 221-2
lix2 used to parse the x2 xIRI payload, the ASN.1 defined in 3GPP 33.128.
Add the dissector generated by asnwer
will merge this file in a new request, so, delete it from the 5G LI branch
Add a comment line stating the 3gpp document in lix2.asn
fix the commit warning
Test to see if the start of a packet looks like SMPP before
calling tcp_dissect_pdus, so that we don't calculate a bogus
length (and fail to process many packets) if the capture
starts in the middle of a TCP connection.
When the heuristic dissector has found SMPP, mark it as a
conversation with the SMPP dissector.
There's room for more improvement by scanning through the current
segment to look for the PDU start, but this makes it work
considerably better, at least as well as 1.10.x. Improves #11306.