Add support for display filter binary addition and subtraction.
The grammar is intentionally kept simple for now. The use case
is to add a constant to a protocol field, or (maybe) add two
fields in an expression.
We use signed arithmetic with unsigned numbers, checking for
overflow and casting where necessary to do the conversion.
We could legitimately opt to use traditional modular arithmetic
instead (like C) and if it turns out that that is more useful for
some reason we may want to in the future.
Fixes#15504.
This change implements a unary minus operator.
Filter: tcp.window_size_scalefactor == -tcp.dstport
Instructions:
00000 READ_TREE tcp.window_size_scalefactor -> reg#0
00001 IF_FALSE_GOTO 6
00002 READ_TREE tcp.dstport -> reg#1
00003 IF_FALSE_GOTO 6
00004 MK_MINUS -reg#1 -> reg#2
00005 ANY_EQ reg#0 == reg#2
00006 RETURN
It is supported for integer types, floats and relative time values.
The unsigned integer types are promoted to a 32 bit signed integer.
Unary plus is implemented as a no-op. The plus sign is simply ignored.
Constant arithmetic expressions are computed during compilation.
Overflow with constants is a compile time error. Overflow with
variables is a run time error and silently ignored. Only a debug
message will be printed to the console.
Related to #15504.
Add support for masking of bits. Before the bitwise operator
could only test bits, it did not support clearing bits.
This allows testing if any combination of bits are set/unset
more naturally with a single test. Previously this was only
possible by combining several bitwise predicates.
Bitwise is implemented as a test node, even though it is not.
Maybe the test node should be renamed to something else.
Fixes#17246.
A literal value is a value that cannot be interpreted as a
registered protocol. An unparsed value can be a literal or
an identifier (protocol/field) according to context and the
current disambiguation rules.
Strictly literal here is to be understood to mean "numeric
literal, including numeric arrays, but not strings or character
constants".
Invalid character constants should be handled in the lexical scanner.
Todo: See if some code could be shared to parse double quoted strings.
It also fixes some unintuitive type coercions to string. Character
constants should be treated as characters, or maybe integers, or
maybe even throw an invalid comparison error, but coverting to a
literal string or byte array is surprising and not particularly
useful:
'\xFF' -> "'\xFF'" (equals)
'\xFF' -> "FF" (contains)
Before:
Filter: http.request.method contains "\x63"
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method contains '\x63'
Constants:
00000 PUT_FVALUE "63" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == "\x63"
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == '\x63'
Constants:
00000 PUT_FVALUE "'\\x63'" <FT_STRING> -> reg#1
(...)
After:
Filter: http.request.method contains '\x63'
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == '\x63'
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
The implementation is pre-computing the length and using that
to allocate a buffer. This doesn't have any practical advantage
and is inefficient because the code is mostly doing the same work
twice. Remove the unnecessary length pre-computation step.
All the order operators can be defined in terms of 'lt'
and 'eq' so use that to reduce the number of required
methods from 6 to 2.
Further reduce to one by combining those two into a single
function that has memcmp semantics: negative return is
"less than", positive is "greater than" and zero is equal.
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Delete get_value_ptr from struct _ftype_t, make it
part of the get_value union.
Change-Id: I947331069662a7043bd838e622d286629cc7be9a
Reviewed-on: https://code.wireshark.org/review/20647
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_uinteger from struct _ftype_t, make it
part of the get_value union.
Change-Id: I4a6c8341676c442e2bf8ae3b8f771b72161d133c
Reviewed-on: https://code.wireshark.org/review/20640
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_sinteger from struct _ftype_t, make it
part of the get_value union.
Change-Id: I3127252cafc62389ce426639992f1d59f7ac9731
Reviewed-on: https://code.wireshark.org/review/20637
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_uinteger64 from struct _ftype_t, make it
part of the get_value union.
Change-Id: I2b06efb7691c1bd4089994849373ab8b5ff0bcc7
Reviewed-on: https://code.wireshark.org/review/20618
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_sinteger64 from struct _ftype_t, make it
part of the get_value union.
Change-Id: I0113f70ab0aadd1aa655466e896e3acce6c8faeb
Reviewed-on: https://code.wireshark.org/review/20617
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I6bbaf6a7c8a3124e5eab7a7b97c6be082fe8beff
Reviewed-on: https://code.wireshark.org/review/20611
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This is in preparation for introducing a get_value union, similar to
set_value.
Change-Id: Id0cf913a616e0314638f1531836c3136ed02631d
Reviewed-on: https://code.wireshark.org/review/20610
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Delete set_value_floating from struct _ftype_t, make it
part of the set_value union.
Change-Id: Ic00e1c70488ddc4422c34657c62af7dc07db02d9
Reviewed-on: https://code.wireshark.org/review/20556
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_sinteger64 from struct _ftype_t, make it
part of the set_value union.
Change-Id: I76668f0a6455c5d75c703cd4f440757601246bdb
Reviewed-on: https://code.wireshark.org/review/20551
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_uinteger64 from struct _ftype_t, make it
part of the set_value union.
Change-Id: I12407b7336282daa60fe6e0e742d65e205dc84fd
Reviewed-on: https://code.wireshark.org/review/20539
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_sinteger from struct _ftype_t, make it part of the
set_value union.
Change-Id: I084c4c9beba9978b538d359ebaac21391ebd7f82
Reviewed-on: https://code.wireshark.org/review/20523
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_uinteger from struct _ftype_t, make it part of the
set_value union.
Change-Id: I26de15be8ea0ede76236a8f8a4958bfd97ad9d52
Reviewed-on: https://code.wireshark.org/review/20521
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_protocol from struct _ftype_t, make it part of the
set_value union.
Change-Id: Iae55388b8a2c965944028499619282c3232c31f3
Reviewed-on: https://code.wireshark.org/review/20475
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_string from struct _ftype_t, make it part of the
set_value union.
Change-Id: Ia3a57245330ed0d158c8c3e4552ec5d80752fe0f
Reviewed-on: https://code.wireshark.org/review/20474
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_time from struct _ftype_t, make it part of the
set_value union.
Change-Id: Ieee3b083d52afdd608e31e8ca75b50016fec8a69
Reviewed-on: https://code.wireshark.org/review/20442
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Delete set_value_guid from struct _ftype_t, make it part of the
set_value union.
Change-Id: I3a04ff6b1ab179063ef77a3c475809df0bde5c68
Reviewed-on: https://code.wireshark.org/review/20441
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Delete set_value_bytes from struct _ftype_t, make it part of the
set_value union.
Change-Id: I3ee6a9f68b269ee083794947816e13ea6c1b9d29
Reviewed-on: https://code.wireshark.org/review/20440
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
struct _ftype_t contains a number of pointers to set_value_...()
functions. For each pre-defined ftype_t, only one of these pointers
is != NULL.
As the comment already says, we should move these functions into a
union. ftenum_t ftype will be used for selecting the correct function
pointer from the union.
Create a set_value union and move the FvalueSetByteArrayFunc pointer
into the union. Update fvalue_set_byte_array() accordingly. Check
that the fvalue_t parameter is of the correct type.
Change-Id: I6568d8f47108311289c0cd425f28ea8b38046141
Reviewed-on: https://code.wireshark.org/review/20433
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
As noted in https://www.wireshark.org/lists/wireshark-dev/201604/msg00103.html
a protocol field isn't really a tv_buff, so allow for the possibility
of a NULL tv_buff in a "protocol type". If the tvb is NULL, use the
string of the protocol field for comparison
Bug: 12335
Change-Id: Ie12a5f7b31c7293c61006b0f70135d100a97c4e0
Reviewed-on: https://code.wireshark.org/review/15261
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I57354c309ecf3a0c8f0c7cff485638027f30bb19
Reviewed-on: https://code.wireshark.org/review/5813
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(Using sed : sed -i '/^ \* \$Id\$/,+1 d')
Fix manually some typo (in export_object_dicom.c and crc16-plain.c)
Change-Id: I4c1ae68d1c4afeace8cb195b53c715cf9e1227a8
Reviewed-on: https://code.wireshark.org/review/497
Reviewed-by: Anders Broman <a.broman58@gmail.com>
appropriate for particular FT_ types. This lets us do some more type
checking and lets us use const pointers when appropriate.
Constify a bunch of stuff, and don't cast away constness.
svn path=/trunk/; revision=54811
descriptions. Captitalize and fix up the descriptions. Use its output to
create the field type list in the wireshark-filter man page.
svn path=/trunk/; revision=40306
32-bit numbers. Separate signed and unsigned accessors have been
added and used where appropriate.
Definitely not for 0.99.5.
svn path=/trunk/; revision=20472
integers.
Make FT_INT64 and FT_UINT64 add numerical values, rather than byte-array
values, to the protocol tree, and add routines to add specified 64-bit
integer values to the protocol tree.
Use those routines in the RSVP dissector.
svn path=/trunk/; revision=11796
they have LF at the end of the line on UN*X and CR/LF on Windows;
hopefully this means that if a CR/LF version is checked in on Windows,
the CRs will be stripped so that they show up only when checked out on
Windows, not on UN*X.
svn path=/trunk/; revision=11400
New "matches" operater in display filter language. Uses PCRE.
If a "matches" operator is found in a dfilter
while libpcre has not been used to build the binary, then an
exception is thrown after using dfilter_fail() to set an apporporiate
error message.
svn path=/trunk/; revision=9182
Besides "STRING", there is now "UNPARSED_STRING", where the distinction
is that "STRING" was a double-quoted string and "UNPARSED_STRING" is just
a sequence of characters that the scanner didn't know how to scan/parse,
so it's up to the Ftype to parse it.
This gives us more flexibility and prepares the dfilter parsing engine
for the upcoming addition of the "contains" operator.
In the process of doing this, I also re-did the double-quoted string
support in the scanner, so that instead of the naively-simple support we
used to have, double-quoted strings now can have embedded dobule-quotes,
embedded octal sequences, and embedded hexadecimal sequences:
"\"" embedded double-quote
"\110" embedded octal
"\x48" embedded hex
Enhance the dfilter unit test script to be able to run a single collection
of tests instead of having to run all of them all the time.
svn path=/trunk/; revision=8083
of their value. Provide such a method for FT_BYTES, FT_UINT_BYTES,
and FT_ETHER. Have proto_alloc_dfilter_string() use the new methods.
This is part of a movement of ftype-related code out of proto.c and
into the ftype code. The immediate effect is that generated display
filters for long byte sequences don't incorrectly have trailing periods
("...") to indicate continuation.
svn path=/trunk/; revision=7100
João Valverde