It looks like there was a cut&paste error a long time ago resulting
in the wimaxasncp.message_type field being incorrectly detected as
unused and commented out. Closes#18424.
They're of type FT_NONE, meaning that they do not have values, they're
just present or not.
Handle the TCP analysis fields "tcp.analysis.retransmission" and
"tcp.analysis.keep_alive", both of which are expert infos, by just
seeing if they're present or not.
Fixes a problem mentioned in a comment in merge request !8412.
As of a change many years ago, Boolean values are stored as 64-bit (the
change was made to handle Boolean bitfields in 64-bit fields). Fix the
extractor for Boolean values to fetch from the 64-bit unsigned integer
field, and, while we're at it, add a change that the field in question
really *is* a Boolean field (the functions used to fetch the value in
the other extractors do such a check).
The TRANSUM post-dissector performs timing analysis, and does not
dissect any of the packet data; all its calls to `proto_tree_add_foo()`
claim 0 bytes. So this fix claims 0 bytes for the overall TRANSUM
protocol tree as well.
Fixes#18241
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
Remove the redundant BASE_FLOAT field display type. The name
BASE_FLOAT is meaningless and the value aliased to BASE_NONE.
Require BASE_NONE instead of BASE_FLOAT (corresponding to
the printf() %g format).
Add new float display types using BASE_DEC, BASE_HEX and BASE_EXP
corresponfing to %f, %a and %e respectively.
Add support for BASE_CUSTOM with floats.
Switch to the name "Logray" for the log analyzer. Rays are biological
cousins of sharks and more people like the name "Logray" in a completely
unscientific survey here. Apologies for any inconvenience this might
cause.
When the field width was corrected by commit
b240d5baa0, the masks got messed
up. There's 4 reserved bits that don't have fields and the bits
are in Little Endian order. Fix#18132.
Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.
Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.
Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
libsinsp currently only supports string and unsigned 64-bit integer
field types. For string fields that might contain a parseable address,
add ".v4" and ".v6" subtree items with a corresponding field type.
For example, the ct.srcip field now dissects as
Sysdig Event 1: 880 bytes
Falco Bridge
cloudtrail Plugin
[ ... ]
Source IP: 3.92.225.50
[Source IP (IPv4): 3.92.225.50]
The extract_fields struct and calling convention changed, so update to
match. Extract all of our fields at once, which noticeably speeds up
dissection here.
Convert our conversation protocols to a dynamic list and add
add_conversation_filter_protocol(). Use it in the Falco Bridge plugin to
add protocols with conversation filters.
Split the counts of IO data objects and IOCS between
input and output. Remove increment of IO data objects
in station information, sometimes leading to extremely
high and invalid number of IO data objects.
Remove unused header definitions in packet-falco-bridge.h and move the
remaining content to packet-falco-bridge.c and conversation-macros.h.
Explicitly set our header files in CMakeLists.txt.
Fix
../plugins/epan/falco_bridge/packet-falco-bridge.c: In function ‘register_conversation_filters_mappings’:
../plugins/epan/falco_bridge/packet-falco-bridge.c:105:1: error: old-style function definition [-Werror=old-style-definition]
register_conversation_filters_mappings()
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Sysdig Bridge plugin loads Falco plugins, so rename it to Falco
Bridge.
Make it optional and dependent on libsinsp+libscap, similar to our codec
plugins.
Remove some unused code.
Add a FindSinsp CMake module, and use it in the Sysdig Bridge plugin
CMakeLists.txt. It still needs work, but should at least be usable on
more machines.
Conflicts:
plugins/epan/sysdig_bridge/CMakeLists.txt