Commit Graph

1111 Commits

Author SHA1 Message Date
João Valverde 62b427c611 Initialize some variables [-Wmaybe-uninitialized] 2023-05-21 13:57:32 +00:00
John Thacker f69e0ca6bc dfilter+taps: Load field references for taps
When rescanning or retapping, if there is a currently selected packet
in the GUI, load any field references in any filters for any tap
listeners.

Note that Lua plugins can register some filtering tap listeners later
after we reset the dissection tree, but those are for field extraction
in the new tree and can't contain field references.

Fix #18912
2023-05-06 23:28:40 -04:00
João Valverde c053b96f08 dfilter: Assert on invalid dfilter_compile input 2023-04-21 18:04:33 +01:00
João Valverde 81a8777b9f dfilter: Make error a pointer
Make it easier and more natural to test for errors and hand-over
error results.
2023-04-20 14:12:39 +00:00
João Valverde 7595af96a0 ftypes: Hide fvalue implementation
Exposing the fvalue_t implementation is exposing internal
details of the implementation. Fix that by making the fvalue_t
internal to the ftypes implementation and using setters/getters
where necessary.
2023-04-19 15:12:25 +00:00
John Thacker 2b45c16f1a Fix leak in Find Packet searching tree details
The string used to search the selected packet's protocol tree for
the field we already found is leaked.

The function prototype is prone to leaks; all the components of the
match_data are filled in inside the function, and it only needs to
return the field info. Restructure it so that the match_data is
created (and the string freed) inside the function, and only
the field_info is returned.
2023-03-25 12:38:24 +00:00
Preben Guldberg 4af661a035 String search may fail when partial matches occur
When searching for string matches in packet list and details, save index of
next possible start location inside a partial match and rewind to that
position if the ongoing match is not successful.

While here, also terminate search when the search string is longer than
the remainder of the text string being matched against.

As suggested by John Thacker, use strstr() for case sensitive search.

Full bug description:

Currently, searching for strings in "Packet list" and "Packet detail" may fail
to find matches if a partial match is encountered. Examples of both are present
in nfsv4.1_pnfs.cap in the Wireshark sample trace collection.

Searching for "Win=29200 Len=0" in Packet list finds frame 1, based on:

    880 → 2049 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=360391592 TSecr=0 WS=128

However, searching for just "0 Len=0" skips this frame when searching.

Similarly, searching for "netapp-26" in Packet detail will find many frames
(if TCP port 2049 is decoded as RPC) based on the RPC credentials:

    Machine Name: netapp-26

Similarly, if searching for "p-26", no frames are found.

The problem is how match_summary_line() and match_subtree_text() will start a
comparison against the search string based on the first character and scan
ahead to check if each subsequent character also matches. However, if there is
no match, the search continues only after the partial match.

In practice, if "p-26" is matched against "Machine Name: netapp-26", the search will:

- Test against characters, but find no match until the first 'p'.
- Find that the first 'p' matches the leading 'p' in the search string.
- Compare the second 'p' against '-' in the search string, which fails.
- Continue checking the second 'p' where neither '-', '2' nor '6' match the
  leading 'p' in the search string.

The proposed fix will, when a partial match is in progress, store the first
location where a new match might occur. If the partial match is not
successful, the search is restarted at that stored position.

As far as I can tell, other match_xxx functions in file.c do not
share this problem.
2023-03-22 00:55:40 +00:00
Guy Harris d7a863b9df wiretap: give a routine a clearer name.
wtap_dump_file_encap_type() could be read as indicating that, given a
handle for an encapsulation type, it returns the encapsulation type for
the file being written, rather than, given a list of encapsulation
types, returning the encapsulation type that would be required for all
of those types, which is what it does.

Rename it to wtap_dump_required_file_encap_type().
2023-03-17 18:22:59 -07:00
John Thacker a9a7dcec21 Qt: Ensure that add frame comments trigger recoloring, count updates
Add functions to PacketListRecord to invalidate a single record's
colorization and column strings, used when a record is modified in a
way that needs to trigger redrawing, but we don't need to redraw
all packets.

Move the functionality for adding, deleting, and setting frame comments
into PacketListModel, operating on QModelIndexes (or on all physical
rows in the case of deleting all comments from a file.) Trigger
recolorization of any record with an updated comment.

Only set a block as modified when deleting comments if we actually
deleted comments. This avoids marking a file as modified if we
delete all comments from all frames, or all comments from selected
frames, when those comments do not actually have frames.

If cf_set_modified_block is used to modify a block that is already
modified, it can't update the comment count. In that case, return
false and have the callers update the comment count. (It already
has a return value, which is always true.) This avoids having the
GUI warning about saving into a format that doesn't support comments
when comments have been added and then removed.

Note that, unlike with time references and time shifts, there
are no fields (and hence no columns nor color filters) that depend
on whether other fields have comments. If for some reason some
were added, then the model data for all frames would have to be
updated instead. Since there aren't, we don't need to
redrawVisiblePackets, but we do need to drawCurrentPacket to ensure
the packet details are redissected.

Fix #12519
2023-02-17 20:49:11 -05:00
John Thacker 01172f5a1d tshark: Support multiple -j and -J options, including mixed
Store the field filter strings in a wmem_map pointing to the
field flags for each string. This allows specifying multiple
filter options (-j or -J) on the command line, including some
of both.

Fix #17470
2023-02-16 12:46:44 +00:00
João Valverde 84f963dfa2 Move ui/version_info.[ch] to wsutil 2023-02-07 23:17:37 +00:00
John Thacker fd183cb40b Qt: Add ability to cancel sorting
Add the ability to cancel sorting. Since we now parse user inputs
during the sort, test and set the capture file read lock. Try to
sort in PacketList::captureFileReadFinished, since now sorting during
thawing won't happen if it's in the middle of a rescan.

Fix #17640
2023-02-07 00:03:24 +00:00
Tomasz Moń e7d5c49fe1 epan: Use hash table for dependent frames
Dependent frames list order does not matter and thus significantly
faster data structure can be used. Replace the list with hash table to
avoid excessive CPU usage when opening files containing reassembled
packets consisting of large number of fragments.
2023-01-28 15:17:42 +01:00
John Thacker c65d5a0a80 wiretap: Reprocess Name Resolution Blocks during redissect
Keep name resolution information as mandatory elements for
NRBs, and when the ipv4 or ipv6 callback is set, have name
resolution entries from already read NRBs sent to the callback.
rescan_packets can use this when redissecting to reobtain the
name resolution entries from the NRB, similar to what is done
with Decryption Secrets Blocks. (This can also later be used
if we read NRBs and DSBs in pcapng_open before the first packet,
and before the callbacks are set.)

This doesn't yet make the changes to wtap_dumper to write them out,
but is a step towards that too. (It's not clear in cases where we
dissect packets whether we want to copy the entire NRB, or only
write out actually used addresses as done now. For copying without
reading a file, like with editcap, we presumably do want to copy them.)

Fix #13425. Ping #15502
2023-01-21 22:25:03 +00:00
João Valverde 7641ba7416 dftest: More code cleanups and enhancements 2023-01-07 19:16:16 +00:00
Sake Blok f870c6085d epan: Allow nested dependent packets
Save all dependent frames when there are multiple levels
of reassembly.

This is a retry of !6329, combined with the fix in !6509 which
were reverted in !6545.

epan: fix a segfault, introduced in !6329
2023-01-06 23:15:48 +00:00
João Valverde a0d77e9329 dfilter: Return an error object instead of string
Return a struct containing error information. This simplifies
the interface to more easily provide richer diagnostics in the future.

Add an error code besides a human-readable error string to allow
checking programmatically for errors in a robust manner. Currently
there is only a generic error code, it is expected to increase
in the future.

Move error location information to the struct. Change callers and
implementation to use the new interface.
2022-11-28 15:46:44 +00:00
Gerald Combs 85357ae721 Fix more unused variables and enable unused-but-set-variable errors.
Add -Werror=unused-but-set-variable to our default compiler flags and fix

```
epan/dissectors/packet-dcerpc-frsrpc.c:709:10: error: variable 'nb_chunk' set but not used [-Werror,-Wunused-but-set-variable]
        guint32 nb_chunk = 0;
                ^
```

```
epan/dissectors/packet-dcom-oxid.c:175:13: error: variable 'u32ItemIdx' set but not used [-Werror,-Wunused-but-set-variable]
    guint32 u32ItemIdx;
            ^
```

```
epan/dissectors/packet-l2tp.c:1775:104: error: parameter 'ccid' set but not used [-Werror,-Wunused-but-set-parameter]
static int dissect_l2tp_ericsson_avps(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 ccid)
                                                                                                       ^
```

```
epan/dissectors/packet-ldp.c:1922:19: error: variable 'ix' set but not used [-Werror,-Wunused-but-set-variable]
    guint8        ix;
                  ^
```

```
epan/dissectors/packet-nas_5gs.c:4757:14: error: variable 'curr_len' set but not used [-Werror,-Wunused-but-set-variable]
    guint i, curr_len;
             ^
```

```
epan/dissectors/packet-per.c:1769:6: error: variable 'extension_addition_entries' set but not used [-Werror,-Wunused-but-set-variable]
        int extension_addition_entries;
            ^
```

```
epan/dissectors/packet-rtitcp.c:618:11: error: variable 'messages_count' set but not used [-Werror,-Wunused-but-set-variable]
    guint messages_count, offset;
          ^
```

```
epan/dissectors/packet-tcp.c:2130:9: error: variable 'ackcount' set but not used [-Werror,-Wunused-but-set-variable]
    int ackcount;
        ^
epan/dissectors/packet-tcp.c:3317:12: error: variable 'nbOptionsChanged' set but not used [-Werror,-Wunused-but-set-variable]
    guint8 nbOptionsChanged = 0;
           ^
```

```
epan/dissectors/packet-zbee-zcl-se.c:11802:15: error: variable 'i' set but not used [-Werror,-Wunused-but-set-variable]
    for (gint i = 0; tvb_reported_length_remaining(tvb, *offset) >= 5; i++) {
              ^
```

```
ui/iface_lists.c:142:23: error: variable 'linktype_count' set but not used [-Werror,-Wunused-but-set-variable]
    gint              linktype_count;
                      ^
```

```
ui/voip_calls.c:456:15: error: variable 'item_num' set but not used [-Werror,-Wunused-but-set-variable]
    guint     item_num;
              ^
```

```
file.c:572:17: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
        guint32 count             = 0;
                ^
```

```
file.c:3667:24: warning: cast from 'const unsigned char *' to 'unsigned char *' drops const qualifier [-Wcast-qual]
        pd = (guint8 *)ws_mempbrk_exec(pd, buf_end - pd, pattern, &c_char);
                       ^
```

```
ui/qt/io_graph_dialog.cpp:1932:60: error: variable 'mavg_right' set but not used [-Werror,-Wunused-but-set-variable]
    unsigned int mavg_in_average_count = 0, mavg_left = 0, mavg_right = 0;
                                                           ^
```

```
ui/qt/stats_tree_dialog.cpp:166:9: error: variable 'node_count' set but not used [-Werror,-Wunused-but-set-variable]
    int node_count = 0;
        ^
```

```
ui/qt/models/profile_model.cpp:1142:13: error: variable 'entryCount' set but not used [-Werror,-Wunused-but-set-variable]
        int entryCount = 0;
            ^
```
2022-11-08 13:49:44 -08:00
João Valverde e7f439bc2f Convert capture file regex search to PCRE2.
Replace the use of the obsolete GRegex with PCRE2.

Fixes a crash reported in issue #17500.
2022-07-27 11:21:03 +00:00
John Thacker 8ac995578c epan: Respect custom column resolved/unresolved status everywhere
Add a function to get the column text of the nth column, taking
into account whether the column is resolved or unresolved. Use
this function in the GUI, as well as in tshark, when writing
PSML, exporting dissection to PSML, etc., instead of accessing
col_data directly.

This removes the direct accesses of col_data from outside
column.c and column-utils.c

Fix #18168.
2022-07-12 00:22:11 +00:00
David Perry 82408922fd Prevent null dereference in `rescan_file()` 2022-07-05 16:59:19 +00:00
Roland Knall 505226d1e2 Ui: Centralize PacketList helper prototypes
To implement loading a packet list, a lot of helper
methods are required. Those prototypes were split up
over two places and have been moved to packet_list_utils.h
to ensure a single place for lookup
2022-06-29 09:31:09 +00:00
Roland Knall c3b2cec3f2 Ui: Cleanup row number and select packet
Remove unneeded row number in capture file. The packet list is
the only object that should know the correct number, propagating
it further only complicates things. At the same time, rework
cf_select_packet to select the packet based on frame_data not on
the row (which can be unreliable).
2022-06-28 14:56:06 +02:00
Roland Knall f210edeaf0 Ui: Further simplify ws_ui_util
Remove duplicate functionality for jumping to packet and
remove unused function to move to the end. Furthermore
move the code for redraws of visible packets directly
into the calling code
2022-06-28 14:39:27 +02:00
Roland Knall ef8ed9dff9 Ui: Remove time column reformat callback
The code can be placed directly to packet list model
and does not need to be a generic callback
2022-06-28 14:23:05 +02:00
John Thacker 356a6ab0ea file: Free fname_new when rename successful.
Plug a memory leak.
2022-06-01 02:17:47 +00:00
John Thacker 0d2e248a25 file: Only change the file descriptors on a Save with Copy
If we do a save with copy, so that we just copied the binary
file, everything in the wtap structure should be the same except
for the filename and the file descriptors, so just change that
instead of closing wtap and reopening it.

The current behavior of calling wtap_open_offline does not work
for files that have blocks (SHBs, IDBs, NRBs, DSBs, ISBs, etc.) in
the middle of the file instead of at the beginning, but we shouldn't
have to waste time rescanning the entire file either.

In the case where a specific file format reader was manually selected,
this will keep the same file format as selected instead of switching to
the auto-detection when opening the copy, just as SAVE_WITH_MOVE already
does and presumably what the user wants.

Update wtap_fdreopen to change the wtap struct's pathname if
wtap_fdreopen is called with a different filename than currently.

Fix #17472
2022-06-01 02:03:57 +00:00
João Valverde 7429832db4 Fix a log message 2022-04-06 23:42:04 +01:00
João Valverde 74d385548e Fix comment 2022-03-31 17:46:38 +01:00
João Valverde 260942e170 dfilter: Refactor macro tree references
This replaces the current macro reference system with
a completely different implementation. Instead of a macro a reference
is a syntax element. A reference is a constant that can be filled
in the dfilter code after compilation from an existing protocol tree.
It is best understood as a field value that can be read from a fixed
tree that is not the frame being filtered. Usually this fixed tree
is the currently selected frame when the filter is applied. This
allows comparing fields in the filtered frame with fields in the
selected frame.

Because the field reference syntax uses the same sigil notation
as a macro we have to use a heuristic to distinguish them:
if the name has a dot it is a field reference, otherwise
it is a macro name.

The reference is syntactically validated at compile time.

There are two main advantages to this implementation (and a couple of
minor ones):

The protocol tree for each selected frame is only walked if we have a
display filter and if the display filter uses references. Also only the
actual reference values are copied, instead of loading the entire tree
into a hash table (in textual form even).

The other advantage is that the reference is tested like a protocol
field against all the values in the selected frame (if there is more
than one).

Currently the reference fields are not "primed" during dissection, so
the entire tree is walked to find a particular reference (this is
similar to the previous implementation).

If the display filter contains a valid reference and the reference is
not loaded at the time the filter is run the result is the same as a
non existing field for a regular READ_TREE instruction.

Fixes #17599.
2022-03-29 12:36:31 +00:00
João Valverde d2907d91c0 dfilter: Add more logging for bytecode 2022-03-28 17:59:07 +01:00
João Valverde 842f53c329 Revert "epan: Allow nested dependent packets"
This reverts commit 2d8607e7e0.

This reverts commit be915d7374.

Introduces a segmentation fault, needs more work.
2022-03-28 12:40:21 +00:00
Guy Harris 109b92b5d7 wiretap: have wtap_dump_close() provide a "needs to be reloaded" indication.
This allows the "needs to be reloaded" indication to be set in the close
process, as is the case for ERF; having a routine that returns the value
of that indication is not useful if it gets set in the close process,
as the handle for the wtap_dumper is no longer valid after
wtap_dump_close() finishes.

We also get rid of wtap_dump_get_needs_reload(), as callers should get
that information via the added argument to wtap_dump_close().

Fixes #17989.
2022-03-14 19:12:20 +00:00
Sake Blok be915d7374 epan: Allow nested dependent packets
Save all dependent frames when there are multiple levels
of reassembly.
2022-03-06 23:43:03 +00:00
David Perry 70d432c357 Remove editor modelines and .editorconfig exceptions from root files 2022-02-20 19:39:37 +00:00
John Thacker 4c90ca7ad2 file: Eliminate pointer subtraction
Change some comparisons around so that comparisons are done without
subtraction, which should fix the 32 bit Windows build.
2022-02-18 06:47:35 -05:00
John Thacker 9308f760a6 file: Optimize Find Packet
Split the match functions in twain, one for case-sensitive and
one for case-insensitive, so we can use memchr to search for the
first byte in the case-sensitive version and ws_mempbrk for the
case-insensitive version. They are highly optimized on most systems
and considerably faster on large files.

Also fix a few issues regarding wide strings, such as false positives
and the length to highlight when matching. Fix #12908
2022-02-17 12:06:57 +00:00
John Thacker 0011bb6a4c Qt: Allow omitting secondary data sources when printing
Add a checkbox to the packet format group box to allow the
hexdump to only have the main frame instead of secondary data
sources as well, so that Print and Export Packet Dissections can
be used for input to text2pcap.
2022-02-10 23:28:53 -05:00
David Perry 1e0d117eb7 Specify directory for temporary captures 2022-02-09 14:32:28 +00:00
John Thacker 26dafbae39 file: Fix memory leak in Find Packet
If we don't find the data in a packet, reset the wtap record so
that the block we just searched is freed before we lose our pointer
to it.
2022-02-08 20:03:02 -05:00
Jim Young b5f89dbe2d tshark: Add new long option --hexdump <hexoption> 2022-01-13 01:18:38 +00:00
João Valverde 0ccd69e530 Replace g_strdup_printf() with ws_strdup_printf()
Use macros from inttypes.h.
2021-12-19 21:21:58 +00:00
João Valverde fe5248717f Replace g_snprintf() with snprintf()
Use macros from inttypes.h with format strings.
2021-12-19 20:06:13 +00:00
Stig Bjørlykke e866034c55 Qt: Handle errors when reloading Lua FileHandler
Reloading the capture file after reloading a Lua FileHandler
may fail because of Lua errors. Handle this by closing the file.

Related to #17615
2021-10-04 07:15:11 +00:00
Developer Alexander 02285e53b8 Qt: JSON Export - Statusbar info corrected
During a JSON Export "Writing JSON" will be displayed in the statusbar.
2021-09-09 09:37:28 +00:00
Guy Harris 3cb6403a4c wiretap: always allocate a block for a record.
Without that, you could add a comment to a record in a file format the
reading code for which doesn't allocate blocks, but the comment doesn't
get saved, as there's no block in which to save the comment option.

This simplifies some code paths, as we're either using the record's
modified block or we're using the block as read from the file, there's
no third possibility.

If we attempt to read a record, and we get an error, and a block was
allocated for the record, unreference it, so the individual file readers
don't have to worry about it.
2021-08-29 19:12:13 -07:00
Developer Alexander 68893e415c capture file: remove redundant API ref_time_packets()
Redundant API ref_time_packets() gets removed.

cf_reftime_packets() gets a better documentation.
2021-08-28 07:53:51 +02:00
David Perry 6e12643f19 [#17478] free blocks in more places
Bug 17478 was caused by `wtap_rec.block` being allocated for each
packet, but not freed when it was done being used -- typically at the
end of a loop.

Rather than requiring each caller of `wtap_read()` to know to free a
member of `rec`, I added a new function `wtap_rec_reset()` for a
slightly cleaner API. Added calls to it everywhere that seemed to make
sense.

Fixes #17478
2021-08-10 00:08:15 +00:00
Guy Harris 831f6233ad Change "edited" to "modified" in one more place when referring to blocks.
Modifications aren't necessarily the result of a user editing something.
2021-07-08 08:30:41 +00:00
Guy Harris dd5907d2a3 Consistently refer to blocks that have been modified as "modified".
"User" sounds as if the blocks belong to the user; at most, the current
user might have modified them directly, but they might also have, for
example, run a Lua script that, unknown to them, modified comments.
Also, a file might have "user comments" added by a previous user, who
then wrote the file and provided it to the current user.

"Modified" seems a bit clearer than "changed".
2021-07-08 00:05:35 -07:00