Pass the "payload_offset" value to add_ethernet_trailer, as
used in ethertype (and generally 14 for full frames). This
allows computing the "frame length including addresses before
any tags or trailers were added" which is often where padding
actually starts. This fixes detection of padding vs trailer
with ISL (see Sample Captures page) as well as a large number
of tag formats (802.1AD, etc.), at least when PADDING_ZERO is set.
For PADDING_ANY, continue to use the old length method.
This also allows passing the payload length post-ethertype/length
field to the trailer subdissectors, which allows the PRP dissector
to be converted from a postdissector to an eth trailer heuristic
dissector.
When we are in "maybe FCS" mode, call the heuristic dissectors
twice if need be, once with and once without the putative FCS.
As these are heuristic dissectors, they can't indicate the number
of bytes consumed, so if there's a trailer but also an FCS later,
returning TRUE for the trailer prevents us from detecting an
FCS. (Some heuristic trailer dissectors have loops to deal with
possible padding after the trailer and will return TRUE the first
time; we still can't deal with this. Perhaps they should only
skip before zeros in their loops; in no case are multiple trailers
handled well, previously or now.)
Fix MACsec padding, trailer, and FCS detection when the short length
field is present by calling set_actual_length. The current workaround
has issues because it's only in effect for the next ethertype call
(where fcs_len is 0), not the previous one.
Don't allow computing the FCS when we don't actually have the
entire frame. Most tag dissectors calling the ethertype dissector
a second time set fcs_len to 0 because of this already.
Fix #15884, #17068, #17067
The first two will work automatically in default auto detect mode.
For #17067 this requires setting the "Fixed ethernet trailer length"
pref in ethernet to the PRP size; the more general problem of
autodetecting any FCS or trailer after the MACsec ICV (for non
short length) continues to need a different solution.
Add some relevant comments about still unsolved issues.
If the quote character appears in a field value, then escape
it by printing the character twice. When escaping whitespace
with the backslash character, also escape the backslash
character itself.
Add a ws_escape_csv function to wsutil and use it for tshark.
Adopt the existing static escape_string_len function so that
ws_escape_csv can use it while maintaining the same output
for the other ws_escape_ functions.
Fix #10284
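
The escaping rules described in this commit message, as an added example that is not Wireshark's `ws_escape_csv` or code from the commit. `csv_escape_field` is a hypothetical helper; wrapping the field in the quote character and the set of escaped whitespace characters (tab, newline, carriage return) are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical helper (not Wireshark's ws_escape_csv): writes `in` to `out`
 * wrapped in `quote`, doubling embedded quote characters and
 * backslash-escaping tab/newline/carriage return and the backslash itself.
 * Returns the output length, or -1 if `out` is too small. */
static int csv_escape_field(const char *in, char quote, char *out, size_t outsz)
{
    size_t n = 0;
    /* Append one byte, always leaving room for the terminating NUL. */
#define PUT(c) do { if (n + 1 >= outsz) return -1; out[n++] = (c); } while (0)
    PUT(quote);
    for (; *in != '\0'; in++) {
        char esc = 0;
        switch (*in) {
        case '\t': esc = 't'; break;
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case '\\': esc = '\\'; break; /* keeps "\t" text distinct from a tab */
        }
        if (esc) {
            PUT('\\'); PUT(esc);
        } else if (*in == quote) {
            PUT(quote); PUT(quote);   /* quote is escaped by doubling it */
        } else {
            PUT(*in);
        }
    }
    PUT(quote);
    out[n] = '\0';
#undef PUT
    return (int)n;
}

int main(void)
{
    /* Constructed sample field: embedded quotes, a tab and backslashes. */
    const char *sample = "say \"hi\"\tC:\\tmp";
    char buf[64];
    if (csv_escape_field(sample, '"', buf, sizeof buf) < 0)
        return 1;
    puts(buf);
    return 0;
}
```

Without the backslash rule, a field containing the two characters `\t` and a field containing a real tab would produce the same output, so a consumer could not reverse the escaping.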
The units of STmin in the range 0xF1 – 0xF9 are even multiples of 100µs, where parameter
value 0xF1 represents 100µs and parameter value 0xF9 represents 900µs.
Add a border and a border-radius to make the QLineEdit used in
AccordionFrame look better on macOS. This is a similar style as
used in DisplayFilterCombo.
Update AddressEditorFrame, ColumnEditorFrame, FilterExpressionFrame,
PreferenceEditorFrame, SearchFrame and GoToPacket.
Store the style_sheet in DisplayFilterEdit to be used in
alignActionButtons().
Add an alternative macro notation as $mymacro(a,b,c,d). For me
this notation is more natural, I have difficulty remembering how
to use macros with ${mymacro:a;b;c} and it makes the filter
expression harder to understand.
For convenience and to simplify the code we also allow
curly braces to open/close macro argument lists and the semicolon
as an argument separator for the new syntax.
This added flexibility may be reevaluated and dropped later if it
turns out to be undesirable for some reason.
Remove the UAT macro usage. The UAT API is nifty for dissectors
but clunky for everything else.
This allows using a hash table to store macros, that is the natural
data structure for the use case (and faster).
It also allows using the existing filter GUI dialog, adapted for
display filter macros. The difference isn't huge but it's better
and less limited than the more generic UAT dialog, with room for
improvement. Changing the UAT dialog for filter specific
use cases is difficult.
The config file is renamed to "dmacros" and uses the same format
as "dfilter", that is more amenable and forgiving for hand-editing
than the UAT storage format.
There is some logic to convert the "dfilter_macros" UAT config
file to a "dmacros" filter config file, for backward-compatibility.
The conversion is only done if there is no existing "dmacros" file
in the profile folder.
When exporting PDUs from TCP, check to see if the subdissector fully
dissected the PDU, or whether it requested further desegmentation.
Only export the bytes that were actually dissected in the current
frame, if any. The rest will presumably be dissected later.
This should only matter on the first pass, e.g. one-pass tshark.
Fix #15686
We have to call findChild to find the QDialogButtonBox after setting
the option to use the Qt dialog instead of the native dialog, not
before. Otherwise, we might not find the QDialogButtonBox.
Fixes adding the Help button to the Export Packet Dissections
dialog, and enabling the validity checks that disable the
save button when, e.g. an illegal range is entered.
Do not read the capture filter list unless needed.
Do not use a static list because the capture filter list can change during program execution
and we want to be able to read multiple copies whenever.
Improve the public API function names.
As noted in #17923, commit c4731738 broke time references and displayed
delta time (`frame.time_delta_displayed`) in the `frames` method of
`sharkd`. This commit adds back to `sharkd_session_process_frames`
the local variables `prev_dis_num`, `current_ref_frame` and
`ref_frame` which are used to determine the `frame_ref_num` and
`prev_dis_num` arguments to each call to `sharkd_dissect_request` in
the main loop of `sharkd_session_process_frames`.
Below is an example on `master` (`b7cc44eb34`, specifically) of a
`frames` request for packets 1 and 800 of the capture
`./test/captures/logistics_multicast.pcapng` where we ask for columns
`frame.time_relative`, `frame.time_delta` and
`frame.time_delta_displayed`:
# ./cmake-build-debug/run/sharkd -
Running as user "root" and group "root". This could be dangerous.
Hello in child.
{"jsonrpc":"2.0","id":1,"method":"load","params":{"file":"./test/captures/logistics_multicast.pcapng"}}
load: filename=./test/captures/logistics_multicast.pcapng
{"jsonrpc":"2.0","id":1,"result":{"status":"OK"}}
{"jsonrpc":"2.0", "id":2, "method":"frames","params":{"filter":"frame.number==1||frame.number==800","column0":"frame.time_relative:1","column1":"frame.time_delta:1","column2":"frame.time_delta_displayed:1"}}
{"jsonrpc":"2.0","id":2,"result":[{"c":["0.000000000","0.000000000","0.000000000"],"num":1},{"c":["191.872111000","0.193716000","0.193716000"],"num":800}]}
Note that the `frame.time_delta_displayed` column value for packet 800
is `0.193716000`, which is the time difference between it and packet 799,
not packet 1.
Compare this to the same `frames` request using the changes from this
commit:
# ./cmake-build-debug/run/sharkd -
Running as user "root" and group "root". This could be dangerous.
Hello in child.
{"jsonrpc":"2.0","id":1,"method":"load","params":{"file":"./test/captures/logistics_multicast.pcapng"}}
load: filename=./test/captures/logistics_multicast.pcapng
{"jsonrpc":"2.0","id":1,"result":{"status":"OK"}}
{"jsonrpc":"2.0", "id":2, "method":"frames","params":{"filter":"frame.number==1||frame.number==800","column0":"frame.time_relative:1","column1":"frame.time_delta:1","column2":"frame.time_delta_displayed:1"}}
{"jsonrpc":"2.0","id":2,"result":[{"c":["0.000000000","0.000000000","0.000000000"],"num":1},{"c":["191.872111000","0.193716000","191.872111000"],"num":800}]}
Note that the `frame.time_delta_displayed` column value for packet 800
is now `191.872111000`, the time difference between it and packet 1.
This is the expected value since only packets 1 and 800 are visible
due to the request's `filter` parameter.
A new `test_sharkd_req_frames_delta_times` unit test has been added to
verify this fix and prevent the bug from accidentally
sneaking in again. If this fix is accepted, this change should
probably be cherry-picked to the `release-4.2` branch.
Fixes #17923.
FLUSH and ATOMIC Write were newly added in IBTA Specification 1.5. This
patch adds the definitions of these new operations. Wireshark can now
distinguish the packets just like this:
RRoCE 78 RC Flush QP=0x000017
RRoCE 82 RC Atomic Write QP=0x000017
Signed-off-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
Change checks for valid hf values to include 0 as not valid.
This will prepare the dissectors for a change to initialize
proto values to 0 instead of -1.
Don't blitz the temporary directory to make test results more
traceable and conform to pytest best practice.
Prefer the pytest method of creating a temporary directory in
the system tmpdir with roll-over, that won't be immediately destroyed.